Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-6q8c-85p2-954c] In Progress Telerik UI for WPF versions prior to 2024 Q3 ... #5094

Conversation

LanceMcCarthy
Copy link

This Pull Request replaces #5087

@github-actions github-actions bot changed the base branch from main to LanceMcCarthy/advisory-improvement-5094 December 17, 2024 17:22
@LanceMcCarthy LanceMcCarthy changed the title Improvement: GHSA 6q8c85p2954c [GHSA-6q8c-85p2-954c] In Progress Telerik UI for WPF versions prior to 2024 Q3 ... Dec 17, 2024
@JonathanLEvans
Copy link

Hi @LanceMcCarthy, I am unable to find any of the listed packages in https://www.nuget.org/. Could you provides to them?

@LanceMcCarthy
Copy link
Author

@JonathanLEvans That is correct, they are not public nuget.org packages (they are only provided via our NuGet Feed (https://nuget.telerik.com). It is an authenticated feed, when the developer passes credentials with the HTTP request (using packageSourceCredentials) and the server determines what packages they have the license to access/download.

This topic is something I was going to bring up to the .NET team via Microsoft MVP back channels, there should probably be an easier way for you to automatically validate the package, possible through a private proxy that I can arrange with your team. However, this is a longer term thing that likely needs agreement and configuration. For now, I need to manually go through all the items and list them for you.

@LanceMcCarthy
Copy link
Author

LanceMcCarthy commented Dec 17, 2024

@JonathanLEvans Here is a real world example where Dependabot will make the identification.

The main argument here is that it should matter where the packages come from. It is still a PackageReference dependency in the project. The GitHub repo should still get a match on the vulnerable package version by Dependabot because it only searches the project's PackageReference list.

Ultimately, there doesn't even have to be a server-based feed like nuget.org. The NuGet package manager (and dotnet) supports using a local package source (a folder with .nupkg files in it). In this scenario, the project still has the same PackageReference in the dependencies list (and will get the same Dependabot hit).

Example

Here's a short walkthrough of a common multi-source scenario.

In the nuget.config, there are three sources defined; NuGetOrg, TelerikServer, and MyLocalPackages.

<configuration>
  <packageSources>
    <add key="NuGetOrg" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="TelerikServer" value="https://nuget.telerik.com/v3/index.json" protocolVersion="3"/>
    <add key="MyLocalPackages" value="\local-folder\my-packages" />
  </packageSources>
  ...
</configuration>

In the project's csproj file, there exists a PackageReference list. This is source-agnostic.

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net9.0</TargetFramework>
  </PropertyGroup>

  <!-- Packages can come from any source, public, private, or local -->
  <ItemGroup>
    <!-- This get restored from nuget.org -->
    <PackageReference Include="Newtonsoft.Json" Version="13.03" />
    <PackageReference Include="CommonHelpers" Version="1.4.0" />

    <!-- This gets restored from nuget.telerik.com -->
    <PackageReference Include="Telerik.UI.for.Wpf" Version="2024.4.1106" />

    <!-- This gets restored from a local folder source -->
    <PackageReference Include="MyApp.ClassLibrary" Version="1.0.0" />
  </ItemGroup>
</Project>

[edit] Clarified further with expanded example. Spelling corrections.

Copy link

github-actions bot commented Jan 5, 2025

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Jan 5, 2025
@LanceMcCarthy
Copy link
Author

LanceMcCarthy commented Jan 6, 2025

Hi @JonathanLEvans do you have an update for us? As a reminder, here's short summary...

  • We publish a CVE for Telerik.x.y.z package
  • GitHub Advisory Database detects the CVE and creates a draft/unconfirmed Advisory
  • We open this PR to confirm the Advisory

Problem => This PR is being held up because that package name not on nuget.org.

I am requesting this be approved, regardless of where the package is hosted. Any project that is referencing such a PackageReference should be allowed to see the advisory, regardless if its source is nuget.org, nuget.telerik.com or a local folder source (all are valid NuGet package sources).

@github-actions github-actions bot removed the Stale label Jan 7, 2025
@JonathanLEvans
Copy link

Hi @LanceMcCarthy, I apologize for the delayed response. We are limited in the registries we support. We do not review advisories for packages in private registries.

You can create your vulnerability feed as part of your NuGet API (documented here: https://learn.microsoft.com/en-us/nuget/api/vulnerability-info)

@LanceMcCarthy LanceMcCarthy deleted the LanceMcCarthy-GHSA-6q8c-85p2-954c branch January 14, 2025 19:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants