面向 .NET Core 2.1 的解决方案使用旧的 System.ServiceModel.Primitives 和 System.Private.ServiceModel 构建
[英]Solution targeting .NET Core 2.1 builds with old System.ServiceModel.Primitives and System.Private.ServiceModel
问题描述
I have a solution made up of projects targeting .NET Standard 2.0 and .NET Core 2.1.304.
我有一个由面向 .NET Standard 2.0 和 .NET Core 2.1.304 的项目组成的解决方案。 When built this solution utilizes old vulnerable versions of System.ServiceModel.Primitives and System.Private.ServiceModel ( CVE-2018-0786 ).构建时,此解决方案利用System.ServiceModel.Primitives和System.Private.ServiceModel ( CVE-2018-0786 ) 的旧易受攻击版本。
I am probably missing something obvious about the configuration of the overall solution or one of the projects that is causing the utilization of the old versions, but everything I know to check looks correct:我可能遗漏了一些明显的关于整体解决方案的配置或导致使用旧版本的项目之一,但我知道要检查的一切看起来都是正确的:
Global.json全局文件
{
"sdk": {
"version": "2.1.302"
}
}
Example .NET Core Project File .NET Core 项目文件示例
<PropertyGroup>
<TargetFramework>netcoreapp2.1</TargetFramework>
<Configurations>Debug;Dev;Qual;Release</Configurations>
<LangVersion>7.1</LangVersion>
</PropertyGroup>
Example .NET Standard Project File .NET 标准项目文件示例
<PropertyGroup>
<TargetFramework>netstandard2.0</TargetFramework>
<Configurations>Debug;Dev;Qual;Release</Configurations>
</PropertyGroup>
I have ensured all NuGet packages are up to date.我确保所有 NuGet 包都是最新的。 That said is it possible that one of my NuGet package references is causing a fallback to the old versions?也就是说,我的 NuGet 包引用之一是否可能导致回退到旧版本? What other configurations should I be checking?我应该检查哪些其他配置?
Interestingly when I build a different, but similarly configured solution (from what I can tell) that solution produces a build using the newer non vulnerable versions.有趣的是,当我构建一个不同但配置相似的解决方案(据我所知)时,该解决方案使用较新的非易受攻击版本生成构建。
1 个解决方案
解决方案1
2 已采纳 2018-09-04 15:35:23
You can use a tool such as dotnet-outdated to determine both your the versions of your dependencies and transitive dependencies in your project.您可以使用诸如dotnet-outdated 之类的工具来确定项目中依赖项和传递依赖项的版本。
Install via dotnet tool install --global dotnet-outdated on the powershell command line and run dotnet outdated -t -td 100 in your solution folder to see 100 levels of transitive dependencies.通过dotnet tool install --global dotnet-outdated在 powershell 命令行上dotnet tool install --global dotnet-outdated并在您的解决方案文件夹中运行dotnet outdated -t -td 100以查看 100 个级别的传递依赖项。
Your output will look something like the following您的输出将类似于以下内容
» MyProject
[.NETCoreApp,Version=v2.1]
System.Private.ServiceModel [T] 4.4.0 -> 4.5.3
System.ServiceModel.Primitives [T] 4.4.0 -> 4.5.3
You can then use the above stated out of date dependencies to track down which project(s) in your solution needs to be further investigated.然后,您可以使用上述过时的依赖项来跟踪解决方案中需要进一步调查的项目。
From there eliminate dependencies that are known to be safe, as they appear in other projects that don't have a dependency on the bad library (regardless of version).从那里消除已知安全的依赖项,因为它们出现在不依赖于坏库(无论版本如何)的其他项目中。 At this point it may be a matter of using nuget.org and investigating each suspect dependency to see what version of sub-dependencies it uses.在这一点上,可能需要使用nuget.org并调查每个可疑的依赖项以查看它使用的子依赖项的版本。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.