Introduction
Learn how to deal with NuGet packages that have known vulnerabilities in Visual Studio projects targeting .NET.
In November 2023, NuGet 6.8 (shipped with Visual Studio 17.8 and .NET SDK 8.0.100) introduced a set of features that make you aware of potential vulnerabilities in your projects, let you see which precautionary measures are configured to keep your code safe, and give you fine-grained control over your dependency sources.
Goal
The goal is to resolve all security issues reported for offending NuGet packages and/or transitive NuGet packages. Several methods to suppress these warnings are shown below, but whether to suppress is a decision each developer must make based on the issues found.
The author's recommendation is not to suppress these issues. Instead, determine the risk (for example, whether the vulnerable code path, such as one that allows a denial of service, is reachable in your application) and make an informed decision. An issue may well be a non-concern given an organization's other security measures, but that should be the conclusion of an assessment, not the default.
Finding issues and resolutions
For most developers these features became noticeable with Visual Studio 2022 17.12: after opening a project that references, for instance, System.Text.Json 7.0.0 or an 8.0.x version earlier than 8.0.5, a yellow caution icon is shown in Solution Explorer under the project's Dependencies node.
To resolve the issue (at the time of writing), upgrade to version 9.0.0. Why version 9 in this case? As shown below, it carries no caution icon: the audit reports no known advisory for it. Any version the advisory lists as patched clears the warning; a major-version jump is not required.
In other cases the issue does not come from a package you reference directly but from one of its transitive dependencies.
Example: a project uses the NuGet package Serilog.AspNetCore 7.0.0. Drilling down, as shown below, System.Text.Json is a transitive dependency, and the tooltip provides a link explaining the vulnerability. The link cannot be opened from Solution Explorer, though.
To learn more and get a working link to the advisory, open the project folder and execute the following.
dotnet list package --include-transitive --vulnerable
The output includes a clickable link to the advisory.
Or, for a tree view showing which direct reference pulls the package in, use dotnet nuget why.
dotnet nuget why SecretManagerExample1.csproj System.Text.Json
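To act on that output from a build script rather than read it by hand, here is an added example of my own (not code from the post, and not a NuGet tool) that parses the JSON the same list command emits with --format json, prints one line per finding with its advisory link, and returns exit code 1 when anything at or above a chosen severity is present, so a CI step fails. The embedded report is constructed to mirror the Serilog/System.Text.Json case above; the property names it relies on (projects, frameworks, topLevelPackages, transitivePackages, vulnerabilities, severity, advisoryurl) are those of the CLI's JSON format, while the project path and the severities in the sample are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.Json;

// Constructed sample (not real CLI output), shaped like the report printed by
//   dotnet list package --vulnerable --include-transitive --format json
const string SampleReport = """
    {
      "version": 1,
      "parameters": "--vulnerable --include-transitive",
      "sources": [ "https://api.nuget.org/v3/index.json" ],
      "projects": [
        {
          "path": "C:\\samples\\SecretManagerExample1\\SecretManagerExample1.csproj",
          "frameworks": [
            {
              "framework": "net9.0",
              "topLevelPackages": [],
              "transitivePackages": [
                {
                  "id": "System.Text.Json",
                  "resolvedVersion": "7.0.0",
                  "vulnerabilities": [
                    { "severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-hh2w-p6rv-4g7w" },
                    { "severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-8g4q-xg66-9fp4" }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
    """;

// Usage: dotnet run -- audit.json High   (with no arguments the sample above is used)
string json = args.Length > 0 ? File.ReadAllText(args[0]) : SampleReport;
string threshold = args.Length > 1 ? args[1] : "High";

List<Finding> findings = AuditReport.Parse(json);
foreach (Finding f in findings)
    Console.WriteLine($"{f.Severity,-9}{f.Package} {f.Version} ({(f.Transitive ? "transitive" : "direct")}) " +
                      $"{Path.GetFileName(f.Project)} [{f.Framework}] {f.Advisory}");

int failing = AuditReport.CountAtOrAbove(findings, threshold);
Console.WriteLine(failing == 0 ? $"No findings at or above {threshold}." : $"{failing} finding(s) at or above {threshold}.");
return failing == 0 ? 0 : 1; // a non-zero exit code fails the CI step

record Finding(string Project, string Framework, string Package, string Version,
               bool Transitive, string Severity, string Advisory);

static class AuditReport
{
    // GitHub advisory severities, lowest to highest.
    static readonly Dictionary<string, int> Rank = new(StringComparer.OrdinalIgnoreCase)
    { ["Low"] = 1, ["Moderate"] = 2, ["High"] = 3, ["Critical"] = 4 };

    public static List<Finding> Parse(string json)
    {
        var findings = new List<Finding>();
        using JsonDocument doc = JsonDocument.Parse(json);
        foreach (JsonElement project in doc.RootElement.GetProperty("projects").EnumerateArray())
        {
            string path = project.GetProperty("path").GetString() ?? "";
            // A project whose restore failed has no "frameworks" property at all.
            if (!project.TryGetProperty("frameworks", out JsonElement frameworks)) continue;
            foreach (JsonElement fw in frameworks.EnumerateArray())
            {
                string tfm = fw.GetProperty("framework").GetString() ?? "";
                Collect(fw, "topLevelPackages", false, path, tfm, findings);
                Collect(fw, "transitivePackages", true, path, tfm, findings);
            }
        }
        return findings;
    }

    static void Collect(JsonElement fw, string listName, bool transitive, string project, string tfm, List<Finding> into)
    {
        // Either list may be absent when that framework has nothing to report.
        if (!fw.TryGetProperty(listName, out JsonElement packages)) return;
        foreach (JsonElement pkg in packages.EnumerateArray())
        {
            if (!pkg.TryGetProperty("vulnerabilities", out JsonElement vulns)) continue;
            string id = pkg.GetProperty("id").GetString() ?? "";
            string version = pkg.GetProperty("resolvedVersion").GetString() ?? "";
            foreach (JsonElement v in vulns.EnumerateArray())
                into.Add(new Finding(project, tfm, id, version, transitive,
                    v.GetProperty("severity").GetString() ?? "Unknown",
                    v.GetProperty("advisoryurl").GetString() ?? ""));
        }
    }

    public static int CountAtOrAbove(IEnumerable<Finding> findings, string threshold)
    {
        int min = Rank.TryGetValue(threshold, out int r) ? r : 1;
        // A severity label this code does not know counts as failing, so nothing new is silently ignored.
        return findings.Count(f => !Rank.TryGetValue(f.Severity, out int s) || s >= min);
    }
}
```

Run with the sample and the default threshold it reports two findings and exits 1; passing Critical as the second argument exits 0, which is the knob to turn when a team decides to gate only on the highest severities while still printing everything.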
The first step to resolving the issue is to check for a newer version of the direct package. In this case, under Updates in NuGet Package Manager, Serilog.AspNetCore has a newer version that no longer brings in the vulnerable System.Text.Json.
NuGet Package Manager
No upgrade package available
Step 1: contact the owner of the package by creating an issue on their GitHub repository asking when a patched version will be available.
In the meantime, decide whether the package should still be used or find a suitable replacement package.
If the vulnerability is a non-issue for your application (for example, the vulnerable code path is never reached), rebuild the project and, in the Visual Studio Output window, search for the issue; it is reported as a warning with an NUxxxx code.
Example
1>C:\OED\DotnetLand\VS2022\WebCodeSamples\SecretManagerExample1\SecretManagerExample1.csproj : warning NU1903: Package 'System.Text.Json' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
In Solution Explorer, double-click the project name to open the project file and add <NoWarn>NU1903</NoWarn>
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net9.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<NoWarn>NU1903</NoWarn>
</PropertyGroup>
</Project>
Save the project file and the warning is gone. If NoWarn is already set elsewhere (for example in a Directory.Build.props), append to it with the $(NoWarn) property reference instead of replacing it, otherwise the existing suppressions are lost.
In other cases there may be multiple issues; keep using NoWarn and separate the warning codes with a semicolon. (NU1701 in the example below is a package compatibility warning rather than an audit warning; NoWarn accepts any NuGet code.)
<NoWarn>NU1903;NU1701</NoWarn>
Or, as a blanket approach, pin SdkAnalysisLevel. Setting it to 8.0.100 makes the .NET 9 SDK apply the .NET 8 SDK's audit defaults, which checked only directly referenced packages, so transitive findings such as the Serilog case disappear while warnings for a vulnerable direct reference remain. It also reverts every other analysis behavior that changed after 8.0.100, which makes it the bluntest of the three options.
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net9.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<SdkAnalysisLevel>8.0.100</SdkAnalysisLevel>
</PropertyGroup>
</Project>
Or use NuGetAuditSuppress, which suppresses one specific advisory by its URL. This is the narrowest of the three: a new advisory against the same package still produces a warning.
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net9.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
</PropertyGroup>
<ItemGroup>
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-hh2w-p6rv-4g7w" />
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-8g4q-xg66-9fp4" />
</ItemGroup>
</Project>
Any of the above will silence the warnings, but the issues still need to be resolved eventually if they are valid security concerns for the developer's projects.
A developer can set up a recurring appointment, perhaps once a week, reminding them to check the listed projects for NuGet package updates that resolve the suppressed issues.
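Going the other way, here is an added Directory.Build.props fragment of my own (not from the post) that tightens the audit instead of relaxing it, for teams that would rather have the build fail than rely on a calendar reminder. Placed in the root of a repository it applies to every project beneath it; the property names are the NuGet audit settings, and the warning codes map one severity each (NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical).

```xml
<Project>
  <PropertyGroup>
    <!-- Keep the audit on and cover transitive packages explicitly, so the result does not
         depend on which SDK version happens to build the project. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Turn high and critical advisories into restore errors; low and moderate stay warnings
         that the weekly review can triage. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
</Project>
```

A project-level NuGetAuditSuppress entry still works under this configuration, which is the point: an individual advisory can be accepted after review, while an unreviewed high-severity finding stops the build.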
If there are many projects with suppressions, get the following project and run it; it creates a JSON file listing the Visual Studio solutions whose projects contain suppressions.
Usage:
Open Program.cs and set the path variable to a folder containing Visual Studio solutions.
Run the project. Once it finishes, open the executable's folder and open NoWarnings.json, which lists the projects with suppressions.
Sample entry
{
"Name": "C:\\DotnetLand\\VS2022\\WritingSqlTips\\WritingSqlTips.sln",
"Folder": "C:\\DotnetLand\\VS2022\\WritingSqlTips",
"FileName": "WritingSqlTips.sln",
"Projects": [
"DapperLibrary1.csproj",
"EnumHasConversionDapper.csproj",
"EnumWithSqlClient.csproj",
"SqlServerLibrary.csproj",
"SqlServerTableRulesApp.csproj"
]
}
Open each listed project and check whether newer versions of its packages exist. If so, open the project file, comment out the suppressions, update the package and rebuild. Did the yellow alert under the project's Dependencies node go away? If so, remove the suppression from the project file; if not, uncomment it and keep the reminder.
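As an added example, here is my own version of such a scanner (not the author's project, whose source is not shown on this page). It walks a folder for .sln files, reads the .csproj references out of each solution, and reports projects that suppress audit warnings through NoWarn codes NU1901 to NU1904, NuGetAuditSuppress items, a disabled NuGetAudit property or a pinned SdkAnalysisLevel, writing NoWarnings.json in the same shape as the sample entry above. With no argument it runs the checks against a constructed project file held in memory, so it can be tried without a solution on disk; the folder path, output file name and the sample project are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.Json;
using System.Text.RegularExpressions;
using System.Xml.Linq;

if (args.Length == 0)
{
    // Constructed sample project (not from the post) so the checks can run without files on disk.
    const string sample = """
        <Project Sdk="Microsoft.NET.Sdk">
          <PropertyGroup>
            <TargetFramework>net9.0</TargetFramework>
            <NoWarn>$(NoWarn);NU1903;CS8618</NoWarn>
          </PropertyGroup>
          <ItemGroup>
            <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-hh2w-p6rv-4g7w" />
          </ItemGroup>
        </Project>
        """;
    foreach (string reason in AuditSuppressions.Find(XDocument.Parse(sample)))
        Console.WriteLine(reason);
    return;
}

// Usage: dotnet run -- C:\DotnetLand\VS2022
string root = args[0];
var results = new List<object>();
foreach (string sln in Directory.EnumerateFiles(root, "*.sln", SearchOption.AllDirectories))
{
    List<string> suppressed = AuditSuppressions.ProjectsOf(sln)
        .Where(p => File.Exists(p) && AuditSuppressions.Find(XDocument.Load(p)).Count > 0)
        .Select(p => Path.GetFileName(p))
        .ToList();
    if (suppressed.Count == 0) continue;
    results.Add(new
    {
        Name = sln,
        Folder = Path.GetDirectoryName(sln),
        FileName = Path.GetFileName(sln),
        Projects = suppressed
    });
}
File.WriteAllText("NoWarnings.json",
    JsonSerializer.Serialize(results, new JsonSerializerOptions { WriteIndented = true }));
Console.WriteLine($"{results.Count} solution(s) with suppressions written to NoWarnings.json");

static class AuditSuppressions
{
    // NU1901..NU1904 are the audit warnings (one per severity); other codes in NoWarn are unrelated.
    static readonly Regex AuditCode = new(@"\bNU190[1-4]\b", RegexOptions.IgnoreCase);
    // Matches the Project("{guid}") = "Name", "relative\path.csproj", "{guid}" lines of a .sln file.
    static readonly Regex SlnProject =
        new(@"^Project\(""\{[^}]+\}""\)\s*=\s*""[^""]*"",\s*""([^""]+\.csproj)""", RegexOptions.Multiline);

    public static IEnumerable<string> ProjectsOf(string slnPath)
    {
        string dir = Path.GetDirectoryName(slnPath)!;
        foreach (Match m in SlnProject.Matches(File.ReadAllText(slnPath)))
            yield return Path.GetFullPath(Path.Combine(dir,
                m.Groups[1].Value.Replace('\\', Path.DirectorySeparatorChar)));
    }

    public static List<string> Find(XDocument project)
    {
        var reasons = new List<string>();
        // Compare local names only: SDK-style projects have no namespace, legacy ones use the MSBuild one.
        List<XElement> elements = project.Descendants().ToList();
        foreach (XElement e in elements.Where(e => e.Name.LocalName == "NoWarn" && AuditCode.IsMatch(e.Value)))
            reasons.Add($"NoWarn: {string.Join(";", AuditCode.Matches(e.Value).Select(m => m.Value))}");
        foreach (XElement e in elements.Where(e => e.Name.LocalName == "NuGetAuditSuppress"))
            reasons.Add($"NuGetAuditSuppress: {(string?)e.Attribute("Include")}");
        foreach (XElement e in elements.Where(e => e.Name.LocalName == "NuGetAudit"
                                              && e.Value.Trim().Equals("false", StringComparison.OrdinalIgnoreCase)))
            reasons.Add("NuGetAudit disabled");
        foreach (XElement e in elements.Where(e => e.Name.LocalName == "SdkAnalysisLevel"))
            reasons.Add($"SdkAnalysisLevel pinned to {e.Value.Trim()}");
        return reasons;
    }
}
```

Against the built-in sample this prints "NoWarn: NU1903" and the NuGetAuditSuppress line while ignoring CS8618, which is the distinction a reviewer wants: a compiler warning suppression is not an accepted security finding, and the report should not mix the two.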
Summary
This article explained why yellow alert triangles appear next to dependency nodes of a project in Visual Studio 2022 and what choices exist to resolve or, where justified, suppress the alerts.
Each developer must weigh the security concerns and act accordingly.