Use of vulnerable STJ 8.0.4 package in SBRP #4928

mthalman · 2025-03-03T14:35:10Z

Component detection has an alert (internal link) for System.Text.Json 8.0.4 in the SBRP repo.

The detected paths are:

/s/artifacts/bin/PackageSourceGenerator/nuget.protocol/6.12.1/nuget.protocol.6.12.1.csproj
/s/src/referencePackages/src/system.text.json/8.0.4/system.text.json.nuspec

This shows up for the Windows leg only, it seems. It's not clear why this is showing up since those paths are specified to be ignored: https://github.com/dotnet/source-build-reference-packages/blob/e136f061bbd92453c21393c907d5ff546e8f1a20/azure-pipelines/builds/ci.yml#L29-L33

MichaelSimons · 2025-03-19T21:37:44Z

The CG alert has been resolved and the report is currently clean.

github-project-automation bot added this to .NET Source Build Mar 3, 2025

github-project-automation bot moved this to Backlog in .NET Source Build Mar 3, 2025

github-actions bot added the untriaged label Mar 3, 2025

mthalman added the ops-monitor Issues created/handled by the source build monitor role label Mar 3, 2025

MichaelSimons added area-sbrp Source build reference packages and removed untriaged labels Mar 6, 2025

MichaelSimons self-assigned this Mar 6, 2025

MichaelSimons moved this from Backlog to 10.0 Preview 3 in .NET Source Build Mar 6, 2025

MichaelSimons closed this as completed Mar 19, 2025

github-project-automation bot moved this from 10.0 Preview 3 to Done in .NET Source Build Mar 19, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use of vulnerable STJ 8.0.4 package in SBRP #4928

Use of vulnerable STJ 8.0.4 package in SBRP #4928

mthalman commented Mar 3, 2025 •

edited

Loading

MichaelSimons commented Mar 19, 2025

Use of vulnerable STJ 8.0.4 package in SBRP #4928

Use of vulnerable STJ 8.0.4 package in SBRP #4928

Comments

mthalman commented Mar 3, 2025 • edited Loading

MichaelSimons commented Mar 19, 2025

mthalman commented Mar 3, 2025 •

edited

Loading