.NET SDK images have (false positive) .NET CVEs #5325
Comments
richlander
changed the title
|
Related: dotnet/sdk#30659 |
|
Any tentative date when these images will be available to download that has no vulnerabilities? |
|
The May images should have a marked improvement. |
|
Sorry not sure If I understand. IF you do not know the tentative date, can you able to confirm this is will be available to download in beginning or mid or end of the May month? |
|
I know the date. It's always patch Tuesday. We just scanned the May images. It appears that we're down to just one false positive that we'll need to fix in the following month. Here is the latest fix: dotnet/roslyn#73283. |
|
The 8.0.205 release which will be released on patch Tuesday is down to two false positives. 8.0.300 will which will co-release with VS 17.10 will be down to one. |
|
Tuesday - 05/07 ? |
Patch Tuesday is always the second Tuesday of the month. For May, it is the 14th.
The last vulnerability that is fixed by dotnet/roslyn#73283 is: |
|
Thanks for the clarification. One last question please (I hope) |
No. See my earlier response at #5325 (comment) |
|
What I understand is with this statement "8.0.300 will which will co-release with VS 17.10 will be down to one." There will be one false positive vulnerability in 8.0.300 release. Correct? Which will be addressed in June? |
Yes
That is what we are working towards. |
|
Thanks a lot. Once last question please. Which false positive vulnerability that will be remediated in June? CVE name? |
Please see my earlier response. |
|
look like this one : CVE-2023-29331 |
|
That is the one Michael mentioned: #5325 (comment) |
This should never happen. The scanners are reporting false positives (in part) due to stale dependencies.
This has been reported multiple times. I'm starting a new tracking issue. There are lots of scanners. I'm using Docker Scout because it is easy for me to use. Nice product!
.NET SDK 8.0.203 image:
There are a mixture of .NET SDK, PowerShell (due to .NET dependencies), and Debian CVEs.
.NET SDK 8.0.300-preview.24201.7 (from https://github.com/dotnet/installer?tab=readme-ov-file#table):
A number of the (false positive) .NET CVEs are resolved in 8.0.300, which should be released in May.
Outstanding issues:
/usr/share/dotnet/sdk/8.0.300-preview.24201.7/DotnetTools/dotnet-watch/8.0.300-preview.24201.10/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/dependencies/NuGet.Packaging.dll/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json/usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.jsonThe remaining Debian issues are low severity and have a mix of fix available and not at the time of writing:
The CVE with a fix available should be resolved the next time we rebuild our Debian images.
The text was updated successfully, but these errors were encountered: