Publishing a C# project as "self-contained" adds numerous dependencies in the *.deps.json file with versions that do not always represent the version in use.
For example, a C# Asp.Net project (.net 6.0) with a dependency on "System.Net.Http" version 4.3.4 creates a deps.json file where the reference is to the System.Private.Uri.dll of version "6.0.0.0", but refers to version 4.3.0 for "runtime.any.System.Runtime/4.3.0" (and others).
If you include the deps.json file in a Docker image and check that image for vulnerabilities, Docker Scout (version 1.3) detects 3 vulnerabilities for System.Private.Uri.dll version 4.3.0.
Apart from the mention in the *.deps.json file, the version would never be used. (The version of System.Private.Uri included in the release folder is version "6.0.0.0")
Please correct me if I am wrong: I think the result is a false positive.
Docker Scout version 1.2.2 and "dotnet list xxx.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json" have not detected any vulnerability here.
Attached you find an example of the deps.json file: WebApplication1.deps.json
Update: Steps to reproduce
Create an image with the WebApplication1.deps.json file:
Dockerfile:
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
COPY WebApplication1.deps.json .
Image creation:
docker build -t testimage:latest -f .\Dockerfile .
Running the docker scout CLI on that image returns the System.Private.Uri.dll vulnerabilities.
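The issue above hinges on what a scanner keys on: the package id and version in the dependency graph ("System.Private.Uri/4.3.0"), or the assembly that the publish output actually ships (System.Private.Uri.dll, assemblyVersion 6.0.0.0, listed under the .NET 6 runtime pack). The script below is an added triage helper, not code from the reporter or from Docker Scout. It parses a *.deps.json and, for one DLL file name, reports every package entry that ships that file (with the assemblyVersion it records) and every package entry that merely names the component in the graph without contributing a file. The embedded deps.json is a constructed sample shaped like a self-contained .NET 6 publish, not the attached WebApplication1.deps.json; pass a real file path and DLL name as arguments to check your own output.

```python
"""Which package versions in a .deps.json actually ship a given DLL?

Added triage helper for scanner findings keyed on *.deps.json. The sample
below is constructed to mimic a self-contained .NET 6 publish; it is not
the reporter's attached file.
"""
import json
import sys
from collections import defaultdict

# Constructed sample: a runtime pack ships System.Private.Uri.dll 6.0.0.0,
# while the 4.3.0 package ids for the same component are graph-only entries.
SAMPLE_DEPS_JSON = r'''
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0/linux-x64", "signature": "" },
  "compilationOptions": {},
  "targets": {
    ".NETCoreApp,Version=v6.0/linux-x64": {
      "WebApplication1/1.0.0": {
        "dependencies": { "System.Net.Http": "4.3.4",
                          "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64": "6.0.0" },
        "runtime": { "WebApplication1.dll": {} }
      },
      "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.0": {
        "runtime": {
          "System.Private.Uri.dll": { "assemblyVersion": "6.0.0.0", "fileVersion": "6.0.21.52210" },
          "System.Runtime.dll":     { "assemblyVersion": "6.0.0.0", "fileVersion": "6.0.21.52210" }
        }
      },
      "System.Net.Http/4.3.4": {
        "dependencies": { "System.Private.Uri": "4.3.0", "runtime.any.System.Runtime": "4.3.0" }
      },
      "System.Private.Uri/4.3.0": {
        "dependencies": { "runtime.any.System.Private.Uri": "4.3.0" }
      },
      "runtime.any.System.Private.Uri/4.3.0": {},
      "runtime.any.System.Runtime/4.3.0": {
        "runtime": {
          "lib/netstandard1.5/System.Runtime.dll": { "assemblyVersion": "4.1.0.0", "fileVersion": "4.6.24705.1" }
        }
      }
    }
  }
}
'''


def runtime_target(deps):
    """Return the target section that the runtime actually resolves against."""
    return deps["targets"][deps["runtimeTarget"]["name"]]


def assembly_sources(target):
    """Map bare DLL file name -> [(package name, package version, assemblyVersion)]
    for every package entry that lists that file as a runtime asset."""
    sources = defaultdict(list)
    for pkg_id, entry in target.items():
        name, _, version = pkg_id.rpartition("/")
        for path, meta in entry.get("runtime", {}).items():
            dll = path.rsplit("/", 1)[-1]
            sources[dll].append((name, version, meta.get("assemblyVersion", "")))
    return dict(sources)


def graph_only_packages(target, dll_name):
    """Package ids that name the component (e.g. System.Private.Uri or
    runtime.any.System.Private.Uri) but ship no file for it. A scanner that
    keys on these ids reports a version that never lands on disk."""
    stem = dll_name[:-4] if dll_name.lower().endswith(".dll") else dll_name
    out = []
    for pkg_id, entry in target.items():
        name = pkg_id.rpartition("/")[0]
        if name != stem and not name.endswith("." + stem):
            continue
        ships = any(p.rsplit("/", 1)[-1] == dll_name for p in entry.get("runtime", {}))
        if not ships:
            out.append(pkg_id)
    return out


def triage(deps_text, dll_name):
    """Summarise, for one DLL, who ships it and who only names it."""
    target = runtime_target(json.loads(deps_text))
    return {
        "shipped": assembly_sources(target).get(dll_name, []),
        "graph_only": graph_only_packages(target, dll_name),
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DEPS_JSON
    dll = sys.argv[2] if len(sys.argv) > 2 else "System.Private.Uri.dll"
    result = triage(text, dll)
    for name, version, asm in result["shipped"]:
        print(f"{dll}: shipped by {name}/{version} as assemblyVersion {asm}")
    for pkg_id in result["graph_only"]:
        print(f"{dll}: {pkg_id} is in the graph but ships no file")
```

Run it as `python triage_deps.py WebApplication1.deps.json System.Private.Uri.dll` and compare the "shipped" line against the version the scanner reports; if the scanner's version only appears in a "graph but ships no file" line, you have the evidence needed to argue the finding is keyed on a package id rather than on the assembly in the image. The script only reads deps.json; confirming the on-disk file version still means inspecting the DLL in the publish folder.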