NU1903 is logged twice
ViktorHofer opened this issue
C:\Users\vihofer\Downloads\testapp>..\dotnet-sdk-9.0.100-preview.7.24358.3-win-x64\dotnet.exe build
Restore succeeded with 2 warning(s) in 0.3s
C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
testapp succeeded with 2 warning(s) (0.3s) → bin\Debug\netstandard1.6\testapp.dll
C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
I assume the warning is logged both during restore and during the build target.
For hotseat:
- Does this happen every time?
- Does this happen with dotnet restore or with dotnet build only?
- What about nuget.exe/msbuild?
A binlog might help us narrow down where the 2nd warning is coming from.
This happens when doing a dotnet build which implicitly and incrementally performs a restore. It doesn't happen when only doing a dotnet restore as then, only the Restore target is called, but not the Build target.
Here's a sample:
app.csproj
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard1.6</TargetFramework>
  </PropertyGroup>
</Project>
Invoke dotnet build on it (with a nightly P7 SDK -> https://github.com/dotnet/sdk/blob/main/documentation/package-table.md) and you will see the warning logged twice.
I'm guessing the 2nd warning is somehow replayed by the SDK then? Might be an SDK bug.
> For hotseat:
> - Does this happen every time?
> - Does this happen with dotnet restore or with dotnet build only?
> - What about nuget.exe/msbuild?
>
> A binlog might help us narrow down where the 2nd warning is coming from.
- Yes, every time with dotnet build
- No, dotnet restore only reports the error once
- No, nuget.exe restore does not show any vulnerability warnings. msbuild /t:restore only shows 1 warning.
I also reproduced this with .NET SDK 8.0.400-preview.0.24324.5
Team Triage: Since the replaying of the warnings is happening at build time as confirmed by both Donie and Viktor, we'll move this to the .NET SDK.