I'm using Central Package Management to manage my NuGet versions centrally, and also to pin sub-dependencies to higher versions, for instance to mitigate vulnerable transitive dependencies.
I pinned System.IdentityModel.Tokens.Jwt because it had a vulnerability. It is used by Microsoft.IdentityModel.Protocols.OpenIdConnect, which is used by Microsoft.Data.SqlClient, which is used by Microsoft.EntityFrameworkCore.SqlServer, which I reference directly.
<?xml version="1.0" encoding="utf-8"?>
<Project>
<!-- Central registry of all packages used in the project -->
<!-- See: https://devblogs.microsoft.com/nuget/introducing-central-package-management/ -->
<PropertyGroup>
<!-- Turns on Central Package Management: project files reference packages without a Version attribute and the PackageVersion items below supply it. -->
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
<!-- With transitive pinning on, a PackageVersion entry also overrides the version of a package that is only reached transitively; this is what is meant to let the Tokens.Jwt pin below replace the version requested further down the dependency chain. -->
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>
<ItemGroup>
<!-- Referenced directly by the project. Its dependency chain reaches System.IdentityModel.Tokens.Jwt via Microsoft.IdentityModel.Protocols.OpenIdConnect. -->
<PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
<!-- Referenced directly by the project; depends on Microsoft.Data.SqlClient. -->
<PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
<!-- Not referenced directly; pinned to the same version as System.IdentityModel.Tokens.Jwt below. -->
<PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.2.0" />
<!-- Transitive-only pin: raised to 7.2.0 to move off a vulnerable older version that is pulled in through Microsoft.Data.SqlClient. -->
<!-- NOTE(review): the intermediate Microsoft.IdentityModel.Protocols.OpenIdConnect has no entry here, so it stays at whatever Microsoft.Data.SqlClient 5.1.4 requests; confirm that version is compatible with Tokens.Jwt 7.2.0. -->
<!-- NOTE(review): the SBOM scan of MyProject.Persistence still reports Tokens.Jwt 6.24.0, so the effective resolved version should be checked in the restore output (e.g. the generated project.assets.json) rather than assumed from this pin. -->
<PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
</ItemGroup>
</Project>
<Project Sdk="Microsoft.NET.Sdk">
<!-- Project that consumes the central package versions (presumably MyProject.Persistence.csproj, the one the SBOM scan lists for Tokens.Jwt 6.24.0). -->
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
</PropertyGroup>
<ItemGroup>
<!-- No Version attributes on purpose: with ManagePackageVersionsCentrally=true they are supplied by the central PackageVersion items. Only these two packages are referenced directly; System.IdentityModel.Tokens.Jwt is reached transitively through Microsoft.Data.SqlClient. -->
<PackageReference Include="Microsoft.Data.SqlClient" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" />
</ItemGroup>
</Project>
I'm using the sbom-tool to generate my SBOM, and the scan manifest shows:
{
"locationsFoundAt": [
"/src/MyProject.Persistence/MyProject.Persistence.csproj"
],
"component": {
"name": "System.IdentityModel.Tokens.Jwt",
"version": "6.24.0",
"authors": null,
"type": "NuGet",
"id": "System.IdentityModel.Tokens.Jwt 6.24.0 - NuGet",
"packageUrl": {
"Scheme": "pkg",
"Type": "nuget",
"Namespace": null,
"Name": "System.IdentityModel.Tokens.Jwt",
"Version": "6.24.0",
"Qualifiers": null,
"Subpath": null
}
},
"detectorId": "NuGetProjectCentric",
"isDevelopmentDependency": null,
"dependencyScope": null,
"topLevelReferrers": [
{
"name": "Microsoft.Data.SqlClient",
"version": "5.1.4",
"authors": null,
"type": "NuGet",
"id": "Microsoft.Data.SqlClient 5.1.4 - NuGet",
"packageUrl": {
"Scheme": "pkg",
"Type": "nuget",
"Namespace": null,
"Name": "Microsoft.Data.SqlClient",
"Version": "5.1.4",
"Qualifiers": null,
"Subpath": null
}
},
{
"name": "Microsoft.EntityFrameworkCore.SqlServer",
"version": "8.0.0",
"authors": null,
"type": "NuGet",
"id": "Microsoft.EntityFrameworkCore.SqlServer 8.0.0 - NuGet",
"packageUrl": {
"Scheme": "pkg",
"Type": "nuget",
"Namespace": null,
"Name": "Microsoft.EntityFrameworkCore.SqlServer",
"Version": "8.0.0",
"Qualifiers": null,
"Subpath": null
}
}
],
"containerDetailIds": [],
"containerLayerIds": {}
},
Interestingly, for a different project in the same solution the dependency version is detected correctly, yet the project mentioned above is also listed among the locations found for that entry:
{
"locationsFoundAt": [
"/src/MyProject.Web/MyProject.Web.csproj",
"/tests/MyProject.Tests.Integration/MyProject.Tests.Integration.csproj",
"/src/MyProject.Persistence/MyProject.Persistence.csproj"
],
"component": {
"name": "System.IdentityModel.Tokens.Jwt",
"version": "7.2.0",
"authors": null,
"type": "NuGet",
"id": "System.IdentityModel.Tokens.Jwt 7.2.0 - NuGet",
"packageUrl": {
"Scheme": "pkg",
"Type": "nuget",
"Namespace": null,
"Name": "System.IdentityModel.Tokens.Jwt",
"Version": "7.2.0",
"Qualifiers": null,
"Subpath": null
}
}
}