NuGet / Home

Repo for NuGet Client issues

NU1903 is logged twice

ViktorHofer opened this issue · comments

C:\Users\vihofer\Downloads\testapp>..\dotnet-sdk-9.0.100-preview.7.24358.3-win-x64\dotnet.exe build
Restore succeeded with 2 warning(s) in 0.3s
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
  testapp succeeded with 2 warning(s) (0.3s) → bin\Debug\netstandard1.6\testapp.dll
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

I assume the warning is logged both during restore and during the build target.

Issue is missing Type label, remember to add a Type label

For hotseat:

  • Does this happen every time?
  • Does this happen with dotnet restore or with dotnet build only?
  • What about nuget.exe/msbuild?

A binlog might help us narrow down where the 2nd warning is coming from.

This happens when doing a dotnet build, which implicitly and incrementally performs a restore. It doesn't happen when only doing a dotnet restore, as then only the Restore target is called, but not the Build target.

Here's a sample:

app.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard1.6</TargetFramework>
  </PropertyGroup>

</Project>

Invoke dotnet build on it (with a nightly P7 SDK -> https://github.com/dotnet/sdk/blob/main/documentation/package-table.md) and you will see the warning logged twice.

I'm guessing the 2nd warning is somehow replayed by the SDK then? Might be an SDK bug.

For hotseat:

  • Does this happen every time?
  • Does this happen with dotnet restore or with dotnet build only?
  • What about nuget.exe/msbuild?

A binlog might help us narrow down where the 2nd warning is coming from.

  1. Yes, every time with dotnet build
  2. No, dotnet restore only reports the error once
  3. No, nuget.exe restore does not show any vulnerability warnings. msbuild /t:restore only shows 1 warning.

I also reproduced this with .NET SDK 8.0.400-preview.0.24324.5

Team Triage: Since the replaying of the warnings is happening at build time as confirmed by both Donie and Viktor, we'll move this to the .NET SDK.
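
Added example, not part of the original thread and not NuGet or SDK code: because the same NU1903 finding is printed once by restore and again by build, a CI step that counts audit warnings in the build log over-reports. The sketch below parses the warning lines shown in the issue and collapses repeats; the function names are hypothetical, and it assumes NU1901 to NU1904 share the NU1903 message layout.

```python
import re

# Audit warning layout as it appears in the issue's build output.
# Assumption: NU1901-NU1904 (low to critical) share the NU1903 layout.
AUDIT_RE = re.compile(
    r"^\s*(?P<project>.+?) : warning (?P<code>NU190[1-4]): "
    r"Package '(?P<package>[^']+)' (?P<version>\S+) has a known "
    r"(?P<severity>\w+) severity vulnerability, (?P<advisory>\S+)\s*$"
)

# Sample input: lines copied from the build output in the issue
# (restore prints the two warnings, then the build replays them).
SAMPLE_LOG = r"""
Restore succeeded with 2 warning(s) in 0.3s
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
"""


def parse_findings(log_text):
    """Return every audit warning line as a dict, duplicates included."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := AUDIT_RE.match(line))]


def unique_findings(findings):
    """Collapse repeats of the same project/package/version/advisory."""
    seen = {}
    for f in findings:
        # Windows paths and NuGet package IDs are case-insensitive.
        key = (f["project"].lower(), f["package"].lower(),
               f["version"], f["advisory"])
        seen.setdefault(key, f)  # keep the first occurrence, preserve order
    return list(seen.values())


if __name__ == "__main__":
    raw = parse_findings(SAMPLE_LOG)
    for f in unique_findings(raw):
        print(f["code"], f["severity"], f["package"], f["version"], f["advisory"])
    print(f"{len(raw)} warning lines, {len(unique_findings(raw))} distinct findings")
```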