DotNetNuke fails in the development environment due to several package vulnerabilities
rajkumar-rangaraj opened this issue
Bug Report
Symptom
Describe the bug
Running dotnet nuke generates the error message below and stops the execution.
╬═══════════════════════════════════════
║ GenerateNetFxTransientDependencies
╬══════════════════════════════
19:01:43 [INF] > "C:\Program Files\dotnet\dotnet.exe" restore C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj
19:01:44 [DBG] Determining projects to restore...
19:01:46 [DBG] Restored C:\repo\opentelemetry-dotnet-instrumentation\src\SourceGenerators\SourceGenerators.csproj (in 531 ms).
19:01:50 [ERR] C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj : error NU1902: Warning As Error: Package 'SharpCompress' 0.23.0 has a known moderate severity vulnerability, GHSA-jp7f-grcv-6mjf
19:01:50 [ERR] C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj
19:01:51 [DBG] Failed to restore C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj (in 5.53 sec).
19:01:51 [ERR] Target GenerateNetFxTransientDependencies has thrown an exception
Nuke.Common.Tooling.ProcessException: Process 'dotnet.exe' exited with code 1.
"C:\Program Files\dotnet\dotnet.exe" restore C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj
@ C:\repo\opentelemetry-dotnet-instrumentation
Standard output:
Determining projects to restore...
Restored C:\repo\opentelemetry-dotnet-instrumentation\src\SourceGenerators\SourceGenerators.csproj (in 531 ms).
C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj : error NU1902: Warning As Error: Package 'SharpCompress' 0.23.0 has a known moderate severity vulnerability, GHSA-jp7f-grcv-6mjf
C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj
Failed to restore C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj (in 5.53 sec).
at Nuke.Common.Tooling.ProcessExtensions.AssertZeroExitCode(IProcess process) in /_/source/Nuke.Tooling/ProcessExtensions.cs:line 39
at Nuke.Common.Tooling.ProcessTasks.DefaultExitHandler(ToolSettings toolSettings, IProcess process) in /_/source/Nuke.Tooling/ProcessTasks.cs:line 257
at Nuke.Common.Tools.DotNet.DotNetTasks.DotNetRestore(DotNetRestoreSettings toolSettings) in /_/source/Nuke.Common/Tools/DotNet/DotNet.Generated.cs:line 334
at Nuke.Common.Tools.DotNet.DotNetTasks.DotNetRestore(Configure`1 configurator) in /_/source/Nuke.Common/Tools/DotNet/DotNet.Generated.cs:line 364
at Build.<get_GenerateNetFxTransientDependencies>b__163_2() in C:\repo\opentelemetry-dotnet-instrumentation\build\Build.Steps.Windows.cs:line 183
at Nuke.Common.Execution.BuildExecutor.<>c.<Execute>b__4_2(Action x) in /_/source/Nuke.Build/Execution/BuildExecutor.cs:line 119
at System.Collections.Generic.List`1.ForEach(Action`1 action)
at Nuke.Common.Execution.BuildExecutor.Execute(NukeBuild build, ExecutableTarget target, IReadOnlyCollection`1 previouslyExecutedTargets, Boolean failureMode) in /_/source/Nuke.Build/Execution/BuildExecutor.cs:line 119
╬══════════════════════
║ Errors & Warnings
╬═════════════
[ERR] GenerateNetFxTransie: C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj : error NU1902: Warning As Error: Package 'SharpCompress' 0.23.0 has a known moderate severity vulnerability, GHSA-jp7f-grcv-6mjf
[ERR] GenerateNetFxTransie: C:\repo\opentelemetry-dotnet-instrumentation\src\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj
[ERR] GenerateNetFxTransie: Target GenerateNetFxTransientDependencies has thrown an exception
Expected behavior
We may need to upgrade the version of these packages.
Runtime environment (please complete the following information):
- OpenTelemetry Automatic Instrumentation version: [e.g. 1.0.0]
- OS: [e.g. Windows Server 2012 R2 ] Windows
- .NET version: [e.g. .NET Framework 4.6.2, .NET Core 2.1]
IMO it is related to the .NET8 release. Should be fixed by #2996. See https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/pull/2996/files#r1353034900
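Added example (not part of the issue thread or the project's code): a small Python triage helper that pulls NuGet audit findings (NU1901 to NU1904) out of restore output like the log in this issue, collapses the repeats that Nuke prints in its three sections, and orders them worst first. The sample lines are copied from the log above; the function and field names are illustrative.

```python
import re

# NuGet audit codes and the advisory severity each one reports.
NU_SEVERITY = {"NU1901": "low", "NU1902": "moderate",
               "NU1903": "high", "NU1904": "critical"}
RANK = ["critical", "high", "moderate", "low"]

# Matches both plain warnings and warnings promoted by TreatWarningsAsErrors.
# Assumption: the project path contains no spaces, as in the log above.
FINDING = re.compile(
    r"(?P<project>\S+?proj) : (?P<level>error|warning) (?P<code>NU190[1-4]): "
    r"(?:Warning As Error: )?Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>\w+) severity vulnerability, "
    r"(?:https?://\S*/)?(?P<advisory>GHSA(?:-[0-9a-z]{4}){3})"
)

# Lines copied from the restore log in this issue (timestamped, stdout, summary).
PROJ = (r"C:\repo\opentelemetry-dotnet-instrumentation\src"
        r"\OpenTelemetry.AutoInstrumentation\OpenTelemetry.AutoInstrumentation.csproj")
SAMPLE_LOG = "\n".join([
    "19:01:44 [DBG] Determining projects to restore...",
    f"19:01:50 [ERR] {PROJ} : error NU1902: Warning As Error: Package 'SharpCompress' 0.23.0 has a known moderate severity vulnerability, GHSA-jp7f-grcv-6mjf",
    f"19:01:50 [ERR] {PROJ} : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj",
    f"{PROJ} : error NU1902: Warning As Error: Package 'SharpCompress' 0.23.0 has a known moderate severity vulnerability, GHSA-jp7f-grcv-6mjf",
    f"[ERR] GenerateNetFxTransie: {PROJ} : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, GHSA-rxg9-xrhp-64gj",
])


def parse_findings(log_text):
    """Return unique audit findings in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = FINDING.search(line)
        if not m:
            continue
        f = m.groupdict()
        # True when the build failed on this finding rather than just warning.
        f["promoted_to_error"] = f.pop("level") == "error"
        # Sanity check: the NU code and the severity word should agree.
        f["severity_matches_code"] = NU_SEVERITY[f["code"]] == f["severity"]
        key = (f["project"], f["package"], f["version"], f["advisory"])
        seen.setdefault(key, f)
    return list(seen.values())


def worst_first(findings):
    """Sort findings by severity, critical first."""
    return sorted(findings, key=lambda f: RANK.index(NU_SEVERITY[f["code"]]))


if __name__ == "__main__":
    for f in worst_first(parse_findings(SAMPLE_LOG)):
        print(f["code"], f["severity"], f["package"], f["version"], f["advisory"])
```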