NuGet / Home

Repo for NuGet Client issues


Visual Studio "preview install" should warn about packages with known vulnerabilities

zivkan opened this issue · comments

NuGet Product(s) Involved

Visual Studio Package Management UI

The Elevator Pitch

When installing packages in Visual Studio's package manager UI, it will (unless disabled) pop up a preview window listing the packages that will be installed/upgraded. If this list contains packages with known vulnerabilities, it should say so before you click the OK button to actually install the packages into the project.

Additional Context and Details

No response

Hello.

Prerequisites

I am using Microsoft Visual Studio Professional 2022 (64-bit) - Preview, Version 17.11.0 Preview 4.0, and the latest .NET 8.0.7 and .NET 9 Preview 6 SDKs. My dotnet --info output is also attached for your reference.

Problem

I am running into an issue where Solution Explorer (1) warns about a vulnerable package, then I navigate to the NuGet Package Manager and click "Show only vulnerable" (2), but it shows nothing. It is a confusing experience, because the original warning is non-actionable. I can see the actual vulnerable packages in the Error List (3) only if I build the solution and enable "Treat warnings as errors" under the project Build settings, but not every developer enables these settings by default.

[image]

Alternatively, I can manually expand every package and its dependencies until I find the problematic transitive dependencies, which is far from optimal (System.Security.Cryptography.Pkcs > System.Formats.Asn1):
[image]

Expected Results

  1. First, I do not expect warnings from Visual Studio or the NuGet Package Manager/CLI in this case with GHSA-447r-wph3-92pm at all (it looks like a false positive), because the vulnerability relates to the .NET Runtime itself (it must be a patched v8.0.7, which I already had installed, and it must use a patched System.Formats.Asn1 version at runtime). OR at least the warning message should mention the .NET Runtime update, because one may update the package, the scanner will be OK after that, but their runtime may still be vulnerable. Currently, these warnings may also confuse users and can even make them think badly of third-party component vendors, which may not be guilty at all (I am talking about general brand perception and reputation when it comes to security). We have already received customer support questions about this behavior/these false positives and had to clarify it.
  2. If the Solution Explorer signals vulnerable packages (including transitive dependencies), then it must link to an actionable, non-empty list of issues regardless of the Build settings. It must also be easy to see problematic transitive dependencies in the Solution Explorer itself, without manual digging.

Thank you for your consideration.

Potentially related discussions
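A practical way to get the "actionable, non-empty list" asked for above, independent of the Visual Studio build settings, is to run `dotnet list package --vulnerable --include-transitive --format json` from the CLI and post-process its output. The script below is an added example written for this page; it is not NuGet's or the commenter's code. It embeds a constructed sample of that JSON (the field names `projects`, `frameworks`, `topLevelPackages`, `transitivePackages`, `vulnerabilities`, `severity` and `advisoryurl` follow the documented `--format json` layout as I know it; check them against your SDK, and the `High` severity value is illustrative only), flattens it into one record per package and advisory, tags each record as direct or transitive so transitive hits such as `System.Formats.Asn1` are no longer hidden, and returns a non-zero exit code when any finding reaches a chosen threshold, which mirrors what `NuGetAuditLevel` does at restore time.

```python
"""Find vulnerable NuGet packages, transitive ones included, in the JSON that
`dotnet list package --vulnerable --include-transitive --format json` prints.

Usage:
    dotnet list package --vulnerable --include-transitive --format json > audit.json
    python nuget_audit_report.py audit.json   # exit 1 if any finding >= threshold
    python nuget_audit_report.py              # runs on the constructed sample below
"""
import json
import sys
from typing import Dict, List, Optional

# Constructed sample, not captured from a real project. It mirrors the shape of
# `dotnet list package --format json` as documented for the .NET SDK (projects ->
# frameworks -> topLevelPackages / transitivePackages, each vulnerability with
# "severity" and "advisoryurl"); verify the field names against your SDK version.
# The advisory URL is the one named in the thread; the severity is illustrative.
SAMPLE_JSON = """
{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "sources": ["https://api.nuget.org/v3/index.json"],
  "projects": [
    {
      "path": "src/App/App.csproj",
      "frameworks": [
        {
          "framework": "net8.0",
          "topLevelPackages": [],
          "transitivePackages": [
            {
              "id": "System.Formats.Asn1",
              "resolvedVersion": "8.0.0",
              "vulnerabilities": [
                {
                  "severity": "High",
                  "advisoryurl": "https://github.com/advisories/GHSA-447r-wph3-92pm"
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}
"""

# Same ordering NuGet uses for NuGetAuditLevel.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def sample_report() -> Dict:
    """Parse the constructed sample so callers can test without the CLI."""
    return json.loads(SAMPLE_JSON)


def collect_findings(report: Dict) -> List[Dict]:
    """Flatten the nested report into one record per (package, advisory).

    Both top-level and transitive packages are kept and tagged, so a transitive
    hit is visible even when the IDE's "Show only vulnerable" filter shows nothing.
    """
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind, key in (("direct", "topLevelPackages"),
                              ("transitive", "transitivePackages")):
                for pkg in fw.get(key) or []:
                    for vuln in pkg.get("vulnerabilities") or []:
                        findings.append({
                            "project": project.get("path", "?"),
                            "framework": fw.get("framework", "?"),
                            "kind": kind,
                            "id": pkg["id"],
                            "version": pkg.get("resolvedVersion", "?"),
                            "severity": str(vuln.get("severity", "unknown")).lower(),
                            "advisory": vuln.get("advisoryurl", ""),
                        })
    return findings


def highest_severity(findings: List[Dict]) -> Optional[str]:
    """Return the worst known severity among the findings, or None if there are none."""
    ranked = [f["severity"] for f in findings if f["severity"] in SEVERITY_RANK]
    return max(ranked, key=SEVERITY_RANK.__getitem__) if ranked else None


def should_fail(findings: List[Dict], threshold: str = "low") -> bool:
    """Fail when any finding is at or above the threshold, like NuGetAuditLevel."""
    top = highest_severity(findings)
    return top is not None and SEVERITY_RANK[top] >= SEVERITY_RANK[threshold]


def render(findings: List[Dict]) -> str:
    """One line per finding: severity, direct/transitive, package, version, advisory."""
    lines = ["{severity:<8} {kind:<10} {id} {version}  {advisory}  [{project} / {framework}]"
             .format(**f) for f in findings]
    return "\n".join(lines) if lines else "no known vulnerabilities"


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = sample_report()
    findings = collect_findings(report)
    print(render(findings))
    return 1 if should_fail(findings, threshold="low") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that `dotnet list package --vulnerable` queries the vulnerability data from the configured package sources, so it needs network access to those sources; the script itself runs offline on a saved report. The exit code makes it usable as a CI gate for teams that do not enable "Treat warnings as errors" in every project.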

commented

@dennis-garavsky Your comment doesn't have any similarity to the initial comment in this issue. You should have created a new issue instead of commenting here.
That said, most of your points are addressed in https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

commented

@zivkan Your issue seems to be a duplicate of #13141