False positive - 'Vulnerable package' is not the package version resolved #19435


Closed
phil000 opened this issue Apr 30, 2025 · 2 comments

phil000 commented Apr 30, 2025

Description of the false positive

We are using .NET and C# and GitHub Advanced Security through Azure DevOps.

We have various package references to things that in turn reference 'System.Text.Encodings.Web'.

So we have a number of possible references to 'System.Text.Encodings.Web', but ultimately that is resolved to 6.0.0.

We do not directly reference 'System.Text.Encodings.Web' at all.

e.g. Our transitive references to 'System.Text.Encodings.Web':

1. "Microsoft.ApplicationInsights.AspNetCore" --> "System.Text.Encodings.Web": "4.7.2"
2. "Azure.Core" --> "System.Text.Encodings.Web": "6.0.0"
3. "Microsoft.AspNetCore.Http.Abstractions" --> "System.Text.Encodings.Web": "4.5.0"  (vulnerable)
4. "Microsoft.AspNetCore.WebUtilities" --> "System.Text.Encodings.Web": "4.5.0"  (vulnerable)
5. "Microsoft.Data.SqlClient" --> "System.Text.Encodings.Web": "6.0.0"

e.g. The ultimate 'resolved' reference:

"System.Text.Encodings.Web": {
  "type": "Transitive",
  "resolved": "6.0.0",
  "contentHash": "Vg8eB5Tawm1IFqj4TVK1czJX89rhFxJo9ELqc/Eiq0eXy13RK00eubyU6TJE6y+GQXjyV5gSfiewDUZjQgSE0w==",
  "dependencies": {
    "System.Runtime.CompilerServices.Unsafe": "6.0.0"
  }
},

There are various references to the package, but the ultimate resolved reference is to v6.0.0, which is not vulnerable.

Code samples or links to source code

N/A

URL to the alert on GitHub code scanning (optional)
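As an added example (not part of this issue, nor code from CodeQL or Dependabot), the following Python script makes the distinction in the report concrete. It parses a constructed packages.lock.json in NuGet's lock-file format, then compares two ways of scanning it: a naive scan over every declared dependency edge (the versions each parent package asks for) and a scan over the single resolved version per target framework (what actually ends up in the build). The first produces exactly the false positive described above; the second does not. Package names follow the issue, but the parent package versions, the contentHash values and the affected-version threshold are placeholders, not real advisory data.

```python
import json
from typing import Dict, List, Tuple

# Constructed packages.lock.json excerpt in NuGet lock-file format. Package names
# follow the issue; parent package versions and all contentHash values are
# placeholders and are not taken from any real project.
LOCK_JSON = """{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "Microsoft.AspNetCore.Http.Abstractions": {
        "type": "Transitive", "resolved": "2.2.0", "contentHash": "PLACEHOLDER",
        "dependencies": { "System.Text.Encodings.Web": "4.5.0" }
      },
      "Microsoft.AspNetCore.WebUtilities": {
        "type": "Transitive", "resolved": "2.2.0", "contentHash": "PLACEHOLDER",
        "dependencies": { "System.Text.Encodings.Web": "4.5.0" }
      },
      "Microsoft.ApplicationInsights.AspNetCore": {
        "type": "Direct", "requested": "[2.22.0, )", "resolved": "2.22.0",
        "contentHash": "PLACEHOLDER",
        "dependencies": { "System.Text.Encodings.Web": "4.7.2" }
      },
      "Azure.Core": {
        "type": "Transitive", "resolved": "1.44.0", "contentHash": "PLACEHOLDER",
        "dependencies": { "System.Text.Encodings.Web": "6.0.0" }
      },
      "System.Text.Encodings.Web": {
        "type": "Transitive", "resolved": "6.0.0", "contentHash": "PLACEHOLDER",
        "dependencies": { "System.Runtime.CompilerServices.Unsafe": "6.0.0" }
      }
    }
  }
}"""

# Stand-in advisory: versions below the threshold count as affected. The value
# only mirrors the labels in the issue (4.5.0 flagged, 4.7.2 and 6.0.0 not);
# it is not the real advisory range for this package.
ADVISORIES: Dict[str, str] = {"System.Text.Encodings.Web": "4.7.2"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.0.0' or '4.7.2-preview1' into a comparable tuple (pre-release tag dropped)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, fixed_in: str) -> bool:
    return parse_version(version) < parse_version(fixed_in)


def resolved_versions(lock_text: str) -> Dict[str, Dict[str, str]]:
    """framework -> {package -> version actually restored into the build}."""
    lock = json.loads(lock_text)
    return {
        fw: {pkg: entry["resolved"] for pkg, entry in pkgs.items()}
        for fw, pkgs in lock["dependencies"].items()
    }


def declared_versions(lock_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """framework -> [(parent, dependency, version the parent declares)].
    These are the lower bounds NuGet unifies, not what gets shipped."""
    lock = json.loads(lock_text)
    return {
        fw: [
            (parent, dep, ver)
            for parent, entry in pkgs.items()
            for dep, ver in entry.get("dependencies", {}).items()
        ]
        for fw, pkgs in lock["dependencies"].items()
    }


def flag_by_declared(lock_text: str, advisories: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Naive scan: flag every declared edge in the affected range.
    This reproduces the false positive the issue describes."""
    hits = []
    for fw, edges in declared_versions(lock_text).items():
        for parent, dep, ver in edges:
            if dep in advisories and is_affected(ver, advisories[dep]):
                hits.append((fw, parent, dep, ver))
    return hits


def flag_by_resolved(lock_text: str, advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Correct scan: only the one resolved version per framework matters."""
    hits = []
    for fw, pkgs in resolved_versions(lock_text).items():
        for pkg, ver in pkgs.items():
            if pkg in advisories and is_affected(ver, advisories[pkg]):
                hits.append((fw, pkg, ver))
    return hits


if __name__ == "__main__":
    print("declared edges flagged:", flag_by_declared(LOCK_JSON, ADVISORIES))
    print("resolved packages flagged:", flag_by_resolved(LOCK_JSON, ADVISORIES))
```

Run it as a script to see the two results side by side: the declared-edge scan reports the two Microsoft.AspNetCore.* parents that ask for 4.5.0, while the resolved-version scan reports nothing, because the lock file restores 6.0.0 for every consumer. The same resolved-version logic applies to a real packages.lock.json; only the advisory threshold needs to come from the actual advisory rather than the placeholder above.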

Contributor

hvitved commented May 1, 2025

Hi,

Could you please clarify which CodeQL query gives rise to this alert? It sounds to me more like this is perhaps a Dependabot alert?

Author

phil000 commented May 1, 2025

Yes, this isn't a code scanning issue, it is a dependency scanning issue.

I will close this and look for where else this can be reported.

@phil000 phil000 closed this as completed May 1, 2025