Usage Information
Nuke 9.0.4 / .NET SDK 9.0.300 / .NET 9
Description
The last Nuke release (9.0.4) depends on Microsoft.Build.Tasks.Core 17.12.6:
Line 67 in da2ea1f:

```xml
<PackageVersion Include="Microsoft.Build.Tasks.Core" Version="17.12.6" />
```
A security advisory has recently been published about this version: GHSA-h4j7-5rxr-p4wc
This results in NuGet audit warnings or errors for projects using Nuke, e.g.
NU1901: Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc
Consider upgrading the vulnerable dependency, so that upcoming Nuke versions don't require workarounds for NuGet security audits.
Reproduction Steps
Create a .NET project and add a package reference to Nuke.Common version 9.0.4.
Configure the project to run NuGet security vulnerability audits on all (direct + transitive) dependencies, and all severity levels, by adding the following to the .csproj:

```xml
<NugetAudit>true</NugetAudit>
<NugetAuditMode>all</NugetAuditMode>
<NugetAuditLevel>low</NugetAuditLevel>
```

Build the project and observe any NuGet audit warnings.
Expected Behavior
No NuGet audit warnings or errors are introduced.
Actual Behavior
NuGet audit warnings or errors are present, e.g.:
warning NU1901: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc
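A CI gate over audit output of the shape quoted above, as an added example that is not part of this issue or of Nuke: it parses constructed `dotnet build` log lines carrying NuGet's NU1901..NU1904 audit codes (low, moderate, high, critical) and fails when any advisory at or above a chosen severity is present. The NU1902 line, its package name and its GHSA id are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the Nuke issue): gate a CI build on NuGet audit
# warnings found in a captured `dotnet build` log. NuGet emits NU1901..NU1904
# for low/moderate/high/critical advisories respectively.

# Map a NuGet audit warning code to a numeric severity rank.
audit_rank() {
    case "$1" in
        NU1901) echo 1 ;;   # low
        NU1902) echo 2 ;;   # moderate
        NU1903) echo 3 ;;   # high
        NU1904) echo 4 ;;   # critical
        *)      echo 0 ;;   # not an audit warning
    esac
}

# Read a build log on stdin and print "code package version advisory" for every
# audit warning whose severity is at or above the threshold code ($1).
# Returns 1 when at least one such warning exists, 0 otherwise.
audit_gate() {
    threshold=$(audit_rank "$1")
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *NU190[1-4]:*) ;;
            *) continue ;;
        esac
        code=$(printf '%s\n' "$line" | sed -n 's/.*\(NU190[1-4]\):.*/\1/p')
        [ "$(audit_rank "$code")" -ge "$threshold" ] || continue
        pkg=$(printf '%s\n' "$line" | sed -n "s/.*Package '\([^']*\)' \([^ ]*\) has.*/\1 \2/p")
        adv=$(printf '%s\n' "$line" | sed -n 's/.*vulnerability, \([A-Za-z0-9-]*\).*/\1/p')
        printf '%s %s %s\n' "$code" "$pkg" "$adv"
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample log: the warning from the issue, a hypothetical moderate
# one with a placeholder advisory id, and an unrelated restore line.
SAMPLE_LOG="warning NU1901: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, GHSA-h4j7-5rxr-p4wc
warning NU1902: Package 'Example.Package' 1.0.0 has a known moderate severity vulnerability, GHSA-xxxx-xxxx-xxxx
  Restored /src/ReproBuild.csproj (in 1.2 sec)."
```

In a pipeline, run it as `dotnet build 2>&1 | tee build.log; audit_gate NU1902 < build.log` so the gate's exit status fails the job while the full log is still kept.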
The vulnerable dependency is introduced via Nuke.ProjectModel:
```
> dotnet nuget why Microsoft.Build.Tasks.Core
Project 'ReproBuild' has the following dependency graph(s) for 'Microsoft.Build.Tasks.Core':

  [net9.0]
   │
   └─ Nuke.Common (v9.0.4)
      ├─ Nuke.Build (v9.0.4)
      │  └─ Nuke.ProjectModel (v9.0.4)
      │     └─ Microsoft.Build.Tasks.Core (v17.12.6)
      └─ Nuke.ProjectModel (v9.0.4)
         └─ Microsoft.Build.Tasks.Core (v17.12.6)
```

Regression?
No response
Known Workarounds
No response
Could you help with a pull-request?
Yes