@Copilot Copilot AI commented Aug 26, 2025

This PR transforms the repository into a complete sample demonstrating vulnerable dependencies in a .NET solution with Central Package Management (CPM).

What's Added

Solution Structure:

  • Created a .NET 8 solution with three distinct project types:
    • VulnerableWebApi - ASP.NET Core Web API with JWT authentication and JSON handling
    • VulnerableLibrary - Class library with logging and token processing capabilities
    • VulnerableConsole - Console application with database connectivity

Central Package Management:

  • Implemented CPM using Directory.Packages.props for centralized version control
  • All package versions are managed in a single location across all projects

Vulnerable Dependencies:
The sample includes intentionally vulnerable packages to demonstrate security scanning:

| Package | Version | Severity | Project |
|---|---|---|---|
| Newtonsoft.Json | 10.0.1 | High | VulnerableWebApi |
| Microsoft.Data.SqlClient | 1.0.19239.1 | High/Moderate | VulnerableConsole |
| System.IdentityModel.Tokens.Jwt | 5.1.0 | Moderate | VulnerableLibrary |
| Microsoft.AspNetCore.Authentication.JwtBearer | 3.1.0 | Moderate | VulnerableWebApi |

Security Warnings Generated:
Building the solution produces 12+ vulnerability warnings (NU1902/NU1903), demonstrating how .NET's built-in security scanning detects vulnerable packages during restore and build operations.

Sample Code:
Each project includes realistic code that uses the vulnerable dependencies:

  • JWT token authentication and processing
  • JSON serialization/deserialization
  • Database connection handling
  • Structured logging with NLog

Documentation:
Comprehensive README.md covering:

  • Vulnerability details with CVE links
  • Educational use cases (security training, tool testing, DevOps pipeline testing)
  • Build and run instructions
  • Remediation guidance

This sample serves as an educational tool for understanding dependency vulnerabilities and testing security scanning tools in .NET environments.

Fixes #1.
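As an added illustration (not a file from this PR), this is what a Central Package Management `Directory.Packages.props` pinning the four packages in the table above looks like, together with the NuGet audit properties that make the NU1902/NU1903 restore warnings fail the build instead of merely printing. The `NuGetAudit*` and `WarningsAsErrors` properties are standard MSBuild/NuGet settings; placing them in this file rather than a `Directory.Build.props` is an assumption for brevity, and the NLog line uses a placeholder because the PR gives no version for it.

```xml
<Project>
  <PropertyGroup>
    <!-- Turn on Central Package Management: every project's PackageReference
         omits Version and takes it from the PackageVersion items below. -->
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>

    <!-- NuGet auditing during restore. Default in the .NET 8 SDK is enabled,
         scanning direct dependencies at level "low"; these values are
         explicit so the intent survives SDK upgrades. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "all" also reports vulnerable transitive packages (NU1902/NU1903
         with the transitive path), not only the direct references. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Report Moderate and above; the sample's packages are Moderate/High. -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>

    <!-- Promote the audit warnings to errors so CI cannot pass with a known
         vulnerable package. Remove this block to reproduce the PR's
         "warnings only" behaviour. NU1902 = moderate, NU1903 = high. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1902;NU1903</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Versions copied from the PR's table; all are intentionally old. -->
    <PackageVersion Include="Newtonsoft.Json" Version="10.0.1" />
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="1.0.19239.1" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="5.1.0" />
    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="3.1.0" />
    <!-- PLACEHOLDER: the PR does not state the NLog version it pins. -->
    <PackageVersion Include="NLog" Version="X.Y.Z" />
  </ItemGroup>
</Project>
```

With the `WarningsAsErrors` line present, `dotnet restore` exits non-zero as soon as one of the pinned versions appears in the NuGet vulnerability database, which is the check a pipeline built on this sample should exercise.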



Copilot AI commented Aug 26, 2025

@felickz 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

@Copilot Copilot AI changed the title [WIP] Init Sample Init Sample: Create .NET vulnerable dependencies sample repository Aug 26, 2025
@Copilot Copilot AI requested a review from felickz August 26, 2025 17:48
Copilot finished work on behalf of felickz August 26, 2025 17:48