Use of vulnerable STJ 8.0.4 package in SBRP #4928

@mthalman

Description

Component detection has an alert (internal link) for System.Text.Json 8.0.4 in the SBRP repo.

The detected paths are:

/s/artifacts/bin/PackageSourceGenerator/nuget.protocol/6.12.1/nuget.protocol.6.12.1.csproj
/s/src/referencePackages/src/system.text.json/8.0.4/system.text.json.nuspec

This shows up for the Windows leg only, it seems. It's not clear why this is showing up since those paths are specified to be ignored: https://github.com/dotnet/source-build-reference-packages/blob/e136f061bbd92453c21393c907d5ff546e8f1a20/azure-pipelines/builds/ci.yml#L29-L33

Labels: area-sbrp (Source build reference packages); ops-monitor (Issues created/handled by the source build monitor role)

Status: Done
