
build error with nuget audit #42073

Closed
WeihanLi opened this issue Jul 10, 2024 · 6 comments
Labels: Area-NuGet, untriaged (Request triage from a team member)

Comments

@WeihanLi
Contributor

WeihanLi commented Jul 10, 2024

Not sure if it's a bug or by design

Got an error when updating to .NET 9 Preview 6; I use <TreatWarningsAsErrors>true</TreatWarningsAsErrors> for my project:

error NU1903: Warning As Error: Package 'System.Formats.Asn1' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm

While I do not have a direct dependency on this package reference

my project is here:
https://github.com/WeihanLi/dotnet-exec/blob/61089e6cba8faa823c57654e321dedc6870a6ba1/src/ReferenceResolver/ReferenceResolver.csproj

Is this new behavior for transitive dependency? Is there a feature switch to disable?
Should I add the package dependency to override the vulnerable version to fix this?
I do not want to have this dependency maintained in my project; it may cause conflicts when upgrading dependencies and may be confusing for downstream users.

dotnet-issue-labeler bot added the Area-NuGet and untriaged labels Jul 10, 2024
@airzym

airzym commented Jul 11, 2024

I'm also running into a similar issue.

The issue for the CVE states that the fix should be to update the SDK and runtime. However, despite updating the SDK, this hasn't resolved the issue for me.

I'm building my solution using SDK 8.0.7, and my vulnerability scanning is still flagging the following:

pkg:nuget/System.Formats.Asn1@8.0.0.0 (CVE-2024-38095)

I can see in the deps.json file the following:

"System.Formats.Asn1": "8.0.0.0"

Contributor

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

@WeihanLi
Contributor Author

WeihanLi commented Jul 11, 2024

Could we transfer the issue to NuGet instead of just closing it?

@baronfel
Member

Not easily, no - the NuGet repos are on a different GitHub organization, and GitHub only allows transfers across organizations.

@filzrev

filzrev commented Jul 12, 2024

> Is there a feature switch to disable?

In an environment with TreatWarningsAsErrors enabled, it can be suppressed by adding the following setting.

<WarningsNotAsErrors>$(WarningsNotAsErrors);NU1903</WarningsNotAsErrors>

I've confirmed the dependencies with the following command.

dotnet nuget why ReferenceResolver.csproj System.Formats.Asn1

And got the following results.

  [net6.0]
  [net8.0]
   │
   └─ NuGet.Protocol (v6.10.1)
      └─ NuGet.Packaging (v6.10.1)
         └─ System.Security.Cryptography.Pkcs (v6.0.4)
            └─ System.Formats.Asn1 (v6.0.0)

It seems the transitive package reference is coming from the System.Security.Cryptography.Pkcs (v6.0.4) package.
Until this package is updated, it is necessary to explicitly override the System.Formats.Asn1 version, or to suppress the NU1903 warning.
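As an added example (not code from this issue or from the dotnet-exec project), a project-file fragment that puts the two mitigations described above side by side, keeping the audit on and suppressing only NU1903 rather than disabling NuGetAudit entirely. PATCHED_VERSION is a placeholder; take the fixed version from the linked GHSA advisory.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Keep warnings as errors so genuine problems still fail the build. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Weak option (shown commented out): turning the audit off hides every
         future advisory, not just this one. -->
    <!-- <NuGetAudit>false</NuGetAudit> -->

    <!-- Narrow option: NU1903 stays visible as a warning instead of failing
         the build, so the transitive System.Formats.Asn1 6.0.0 advisory is
         still reported in build logs and can be tracked until the upstream
         System.Security.Cryptography.Pkcs package is updated. -->
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1903</WarningsNotAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Preferred fix: lift the transitive package to a patched version.
         NuGet's nearest-wins rule means a direct reference overrides the
         version reached through NuGet.Protocol -> NuGet.Packaging ->
         System.Security.Cryptography.Pkcs. PATCHED_VERSION is a placeholder
         to be replaced with the fixed version from the GHSA advisory. -->
    <PackageReference Include="System.Formats.Asn1" Version="PATCHED_VERSION" />
  </ItemGroup>
</Project>
```

After either change, re-run `dotnet nuget why ReferenceResolver.csproj System.Formats.Asn1` to confirm which version is now resolved on each target framework.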

@filzrev

filzrev commented Jul 12, 2024

> Is this new behavior for transitive dependency? Is there a feature switch to disable?

I've found a document about the behavior change in the .NET 9 Preview 6 release notes.
https://github.com/dotnet/core/blob/main/release-notes/9.0/preview/preview6/sdk.md#nugetaudit-now-raises-warnings-for-vulnerabilities-in-transitive-dependencies
