[10.0-preview.3] NuGetAuditMode=direct flagging transient vulnerabilities #48391

Open
@martincostello

Describe the bug

With version 10.0.100-preview.3.25201.16 of the .NET SDK, NuGetAuditMode=direct is flagging vulnerabilities in transient dependencies, which then breaks builds where TreatWarningsAsErrors=true.

To Reproduce

  1. Clone martincostello/sqllocaldb@ed47b64
  2. Run build.ps1 in the root of the repository

Exceptions (if any)

Packaging 1 NuGet package(s)...
  Determining projects to restore...
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
  Restored /home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj (in 4.79 sec).
/usr/share/dotnet/sdk/10.0.100-preview.3.25201.16/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.RuntimeIdentifierInference.targets(326,5): message NETSDK1057: You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy [/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj::TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=netstandard2.0]
/usr/share/dotnet/sdk/10.0.100-preview.3.25201.16/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.RuntimeIdentifierInference.targets(326,5): message NETSDK1057: You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy [/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj::TargetFramework=net10.0]
/usr/share/dotnet/sdk/10.0.100-preview.3.25201.16/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.RuntimeIdentifierInference.targets(326,5): message NETSDK1057: You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy [/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj::TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=net8.0]
  MartinCostello.SqlLocalDb -> /home/runner/work/sqllocaldb/sqllocaldb/artifacts/bin/MartinCostello.SqlLocalDb/release_netstandard2.0/MartinCostello.SqlLocalDb.dll
  MartinCostello.SqlLocalDb -> /home/runner/work/sqllocaldb/sqllocaldb/artifacts/bin/MartinCostello.SqlLocalDb/release_net10.0/MartinCostello.SqlLocalDb.dll
  MartinCostello.SqlLocalDb -> /home/runner/work/sqllocaldb/sqllocaldb/artifacts/bin/MartinCostello.SqlLocalDb/release_net8.0/MartinCostello.SqlLocalDb.dll
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=netstandard2.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=net8.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-wvxc-855f-jvrv [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1901: Package 'Microsoft.Identity.Client' 4.56.0 has a known low severity vulnerability, https://github.com/advisories/GHSA-x674-v45j-fwxw [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.8.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52 [TargetFramework=net10.0]
/home/runner/work/sqllocaldb/sqllocaldb/src/SqlLocalDb/MartinCostello.SqlLocalDb.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=net10.0]
  Successfully created package '/home/runner/work/sqllocaldb/sqllocaldb/artifacts/package/release/MartinCostello.SqlLocalDb.4.0.0-pr.1168.2116.nupkg'.
  Successfully created package '/home/runner/work/sqllocaldb/sqllocaldb/artifacts/package/release/MartinCostello.SqlLocalDb.4.0.0-pr.1168.2116.snupkg'.
  Could not resolve reference 'Microsoft.Identity.Client.dll' directly or transitively referenced by 'lib/netstandard2.0/MartinCostello.SqlLocalDb.dll' (/home/runner/work/sqllocaldb/sqllocaldb/artifacts/package/release/MartinCostello.SqlLocalDb.4.0.0-pr.1168.2116.nupkg) in any of the provided search directories.
  Could not resolve reference 'Microsoft.Identity.Client.dll' directly or transitively referenced by 'lib/netstandard2.0/MartinCostello.SqlLocalDb.dll' (/home/runner/work/sqllocaldb/sqllocaldb/artifacts/package/release/MartinCostello.SqlLocalDb.4.0.0-pr.1168.2116.nupkg) in any of the provided search directories.
  Could not resolve reference 'Microsoft.Identity.Client.dll' directly or transitively referenced by 'lib/netstandard2.0/MartinCostello.SqlLocalDb.dll' (/home/runner/.nuget/packages/martincostello.sqllocaldb/3.4.0/martincostello.sqllocaldb.3.4.0.nupkg) in any of the provided search directories.
  Could not resolve reference 'Microsoft.Identity.Client.dll' directly or transitively referenced by 'lib/netstandard2.0/MartinCostello.SqlLocalDb.dll' (/home/runner/work/sqllocaldb/sqllocaldb/artifacts/package/release/MartinCostello.SqlLocalDb.4.0.0-pr.1168.2116.nupkg) in any of the provided search directories.
Exception: /home/runner/work/sqllocaldb/sqllocaldb/build.ps1:78

Further technical details

.NET SDK version 10.0.100-preview.3.25201.16
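
A triage helper for build output like the log above, added here as an example (not part of the original issue or the .NET SDK): it collapses the repeated NU1901-NU1904 lines into one finding per package and advisory, and marks each as direct or transitive against the project's `PackageReference` items. The csproj content, the `Example.Data.Client` package id and the shortened paths are constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# NU1901-NU1904 audit lines; the [TargetFramework=...] suffix only appears on build-time repeats.
AUDIT_RE = re.compile(
    r"(?P<level>warning|error) (?P<code>NU190[1-4]): Package '(?P<pkg>[^']+)' "
    r"(?P<ver>\S+) has a known (?P<sev>\w+) severity vulnerability, "
    r"(?P<url>https://github\.com/advisories/GHSA-[0-9a-z-]+)"
    r"(?: \[TargetFramework=(?P<tfm>[^\]]+)\])?"
)

def direct_references(csproj_xml):
    """Return the lower-cased package ids the project references directly."""
    root = ET.fromstring(csproj_xml)
    return {e.get("Include").lower() for e in root.iter("PackageReference") if e.get("Include")}

def triage(log_text, direct):
    """One finding per (package, version, advisory), regardless of how often it was logged."""
    findings = {}
    for m in AUDIT_RE.finditer(log_text):
        key = (m["pkg"], m["ver"], m["url"])
        f = findings.setdefault(key, {
            "code": m["code"], "severity": m["sev"],
            "transitive": m["pkg"].lower() not in direct,  # not a PackageReference of this project
            "as_error": False, "tfms": set(),
        })
        f["as_error"] |= m["level"] == "error"  # promoted by TreatWarningsAsErrors
        if m["tfm"]:
            f["tfms"].add(m["tfm"])
    return findings

# Constructed project file: the direct reference is a hypothetical package id.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup><PackageReference Include="Example.Data.Client" Version="1.0.0" /></ItemGroup>
</Project>"""

# Constructed log: same line format as the report, paths shortened.
SAMPLE_LOG = """\
/src/P.csproj : warning NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
/src/P.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net8.0]
/src/P.csproj : error NU1902: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 [TargetFramework=net10.0]
/src/P.csproj : error NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [TargetFramework=net8.0]
"""

if __name__ == "__main__":
    for (pkg, ver, url), f in triage(SAMPLE_LOG, direct_references(SAMPLE_CSPROJ)).items():
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['code']} {f['severity']:<8} {kind:<10} {pkg} {ver} {url} {sorted(f['tfms'])}")
```
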
