Incorrect and duplicate versions detected of a component in the same project file when using central package management (NuGet) #970
Assignees
Labels
detector:nuget
The NuGet detector
status:waiting-on-response
Waiting on a response/more information from the user
type:bug
Bug fix of existing functionality
Comments
Sebazzz
changed the title
cobya
added
type:bug
|
We have the same issue. Does component gov not support central package management (NuGet)? |
|
Hello @Sebazzz I am not able to reproduce the issue. I tried your configuration using the latest version of component detection v4.2.1 and the right components are detected. I also tried running the latest version of the sbom-tool v2.2.3 and also the correct components were reported. csproj Directory.Packages.Props This is the manifest generated by sbom
|
cobya
added
the
status:waiting-on-response
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm using Central Package Management to manage my NuGet versions centrally, and also pin subdependencies to higher versions, for instance to mitigate vulnerable transitive dependencies.
I pinned
System.IdentityModel.Tokens.Jwtbecause it had a vulnerability, which is used byMicrosoft.IdentityModel.Protocols.OpenIdConnect, which is used byMicrosoft.Data.SqlClient, which is used byMicrosoft.EntityFrameworkCore.SqlServerwhich I directly reference.I'm using the
sbom-toolto generate my SBOM, and the scan manifest shows:{ "locationsFoundAt": [ "/src/MyProject.Persistence/MyProject.Persistence.csproj" ], "component": { "name": "System.IdentityModel.Tokens.Jwt", "version": "6.24.0", "authors": null, "type": "NuGet", "id": "System.IdentityModel.Tokens.Jwt 6.24.0 - NuGet", "packageUrl": { "Scheme": "pkg", "Type": "nuget", "Namespace": null, "Name": "System.IdentityModel.Tokens.Jwt", "Version": "6.24.0", "Qualifiers": null, "Subpath": null } }, "detectorId": "NuGetProjectCentric", "isDevelopmentDependency": null, "dependencyScope": null, "topLevelReferrers": [ { "name": "Microsoft.Data.SqlClient", "version": "5.1.4", "authors": null, "type": "NuGet", "id": "Microsoft.Data.SqlClient 5.1.4 - NuGet", "packageUrl": { "Scheme": "pkg", "Type": "nuget", "Namespace": null, "Name": "Microsoft.Data.SqlClient", "Version": "5.1.4", "Qualifiers": null, "Subpath": null } }, { "name": "Microsoft.EntityFrameworkCore.SqlServer", "version": "8.0.0", "authors": null, "type": "NuGet", "id": "Microsoft.EntityFrameworkCore.SqlServer 8.0.0 - NuGet", "packageUrl": { "Scheme": "pkg", "Type": "nuget", "Namespace": null, "Name": "Microsoft.EntityFrameworkCore.SqlServer", "Version": "8.0.0", "Qualifiers": null, "Subpath": null } } ], "containerDetailIds": [], "containerLayerIds": {} },Interestingly, in a different project in the same solution the dependency version is correctly detected, but the project mentioned above also shows up here:
{ "locationsFoundAt": [ "/src/MyProject.Web/MyProject.Web.csproj", "/tests/MyProject.Tests.Integration/MyProject.Tests.Integration.csproj", "/src/MyProject.Persistence/MyProject.Persistence.csproj" ], "component": { "name": "System.IdentityModel.Tokens.Jwt", "version": "7.2.0", "authors": null, "type": "NuGet", "id": "System.IdentityModel.Tokens.Jwt 7.2.0 - NuGet", "packageUrl": { "Scheme": "pkg", "Type": "nuget", "Namespace": null, "Name": "System.IdentityModel.Tokens.Jwt", "Version": "7.2.0", "Qualifiers": null, "Subpath": null } } }AB#2139506
The text was updated successfully, but these errors were encountered: