dotnet publish -r win10-x64 restores vulnerable package #12240

@mattiaskagstrom

Issue copied from: dotnet/sdk#29028

Describe the bug
My organization blocks downloads of packages with known vulnerabilities.
The application is buildable and publishable, but as soon as you add -r win10-x64 it tries to restore runtime.win7.System.Private.Uri/4.3.0.
The package is blocked due to: dotnet/announcements#112

Running sdk 6.0.x on the build agents, and 7.0.0 locally

To Reproduce
The app has this csproj:

<PropertyGroup>
	<TargetFramework>net6.0</TargetFramework>
	<RollForward>LatestMinor</RollForward>
	<Nullable>enable</Nullable>
	<ImplicitUsings>enable</ImplicitUsings>
	<AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
	<AspNetCoreModuleName>AspNetCoreModuleV2</AspNetCoreModuleName>
</PropertyGroup>

<ItemGroup>
	<PackageReference Include="Hangfire" Version="1.7.31" />
	<PackageReference Include="Microsoft.AspNetCore.Server.IIS" Version="2.2.6" />
	<PackageReference Include="Microsoft.EntityFrameworkCore" Version="7.0.0" />
	<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="7.0.0" />
	<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="7.0.0">
	  <PrivateAssets>all</PrivateAssets>
	  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
	</PackageReference>
	<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
	<PackageReference Include="NLog.Web.AspNetCore" Version="5.1.5" />
	<PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
	<PackageReference Include="System.DirectoryServices.Protocols" Version="7.0.0" />
	<PackageReference Include="Trafikverket.PMSCore.Lib" Version="1.8.0.547" PrivateAssets="All" />
	<PackageReference Include="System.Text.Encodings.Web" Version="7.0.0" />
</ItemGroup>

#> dotnet publish -r win10-x64
MSBuild version 17.4.0+18d5aef85 for .NET
  Determining projects to restore...
  Failed to download package 'runtime.win7.System.Private.Uri.4.3.0' from 'https://********/nuget/DefaultSafe/package/runtime.win7.System.Private.Uri/4.3.0'.
  Response status code does not indicate success: 400 (Bad Request).

Exceptions (if any)
Failed to download package 'runtime.win7.System.Private.Uri.4.3.0'

Further technical details
dotnet --info
.NET SDK:
Version: 7.0.100
Commit: e12b7af219

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\7.0.100\

Host:
Version: 7.0.0
Architecture: x64
Commit: d099f075e4

.NET SDKs installed:
5.0.102 [C:\Program Files\dotnet\sdk]
5.0.201 [C:\Program Files\dotnet\sdk]
5.0.202 [C:\Program Files\dotnet\sdk]
7.0.100 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
Not set

global.json file:
Not found
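
An added example, not part of the original issue or of any dotnet project code: one way to see which packages enter the graph only when a runtime identifier is passed, and which direct reference leads to a blocked one, is to compare the portable and RID-specific targets in `obj/project.assets.json`. The JSON below is constructed for illustration and `Example.Lib` is a hypothetical package; only `runtime.win7.System.Private.Uri/4.3.0` is taken from the report.

```python
import json
from collections import deque

# Constructed project.assets.json excerpt (NOT the reporter's real graph).
# "Example.Lib" is a hypothetical package name used only for illustration.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "Example.Lib/1.0.0": {"dependencies": {"System.Private.Uri": "4.3.0"}},
      "System.Private.Uri/4.3.0": {}
    },
    "net6.0/win10-x64": {
      "Example.Lib/1.0.0": {"dependencies": {"System.Private.Uri": "4.3.0"}},
      "System.Private.Uri/4.3.0": {
        "dependencies": {"runtime.win7.System.Private.Uri": "4.3.0"}},
      "runtime.win7.System.Private.Uri/4.3.0": {}
    }
  },
  "projectFileDependencyGroups": {"net6.0": ["Example.Lib >= 1.0.0"]}
}
""")

def rid_only_packages(assets, tfm, rid):
    """Packages present in the RID-specific target but not the portable one."""
    targets = assets["targets"]
    return sorted(set(targets[f"{tfm}/{rid}"]) - set(targets[tfm]))

def chains_to(assets, target, blocked_id):
    """Shortest dependency chain from each direct reference to blocked_id."""
    libs = assets["targets"][target]
    by_id = {key.split("/")[0].lower(): key for key in libs}
    tfm = target.split("/")[0]
    groups = assets["projectFileDependencyGroups"]
    roots = [d.split()[0].lower() for d in groups.get(tfm, [])]
    found = []
    for root in roots:
        queue, seen = deque([[root]]), {root}
        while queue:  # breadth-first, so the first hit is the shortest chain
            path = queue.popleft()
            if path[-1] == blocked_id.lower():
                found.append([by_id.get(p, p) for p in path])
                break
            deps = libs.get(by_id.get(path[-1], ""), {}).get("dependencies", {})
            for dep in (d.lower() for d in deps):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(path + [dep])
    return found
```

To run it on a real project, load `obj/project.assets.json` with `json.load` from a machine where restore completes and pass the result in place of `SAMPLE_ASSETS`.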
