Bug: c# Project reports CVE when no version is selected for nuget package

[Geertkok1]

Expected Behavior

When no version of a nuget packages is mentioned in the .csproj file it will pull the most recent version of the package during the build/compile.

So it should only report a CVE if the most recent version contains one

Actual Behavior

For example: With the System.Net.Http it reports a CVE in a project that does not mention a version in the .csproj file.

Steps to Reproduce

Create a c# project and add the following line to the .csproj file:
<Reference Include="System.Net.Http" />

Then scan it with depscan v6

Additional Information

This CVE was not detected in depscan v5. We have only seen it appear with depscan v6

[prabhu]

This is a feature of cdxgen where the version will be detected and set from the environment. The generated SBOM should have information along with the evidence

[prabhu]

Interesting. Can you upload the sbom you get?

[Geertkok1]

As requested here is the part of the SBOM that shows the System.Net.HTTP:
{ "group":"", "name":"System.Net.Http", "version":"", "purl":"pkg:nuget/System.Net.Http", "type":"library", "bom-ref":"pkg:nuget/System.Net.Http", "evidence":{ "identity":[ { "field":"purl", "confidence":0.3, "methods":[ { "technique":"manifest-analysis", "confidence":0.3, "value":"Projectname/Projectname.csproj" } ], "concludedValue":"Projectname/Projectname.csproj" } ] }

If the whole SBOM is necessary I will need to check internally to see if that can be shares due to the sensitivity of the data.

[prabhu]

Appears like a vdb regression.

vdb --search pkg:nuget/System.Net.Http

             ___
  /\  ._  ._  | |_  ._ _   _. _|_
 /--\ |_) |_) | | | | (/_ (_|  |_
      |   |

                                                                                                                                      VDB Results
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CVE           ┃ Locators                  ┃ Fix Version ┃ Description                                                                                                                                                           ┃ Affected Symbols                                   ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ CVE-2018-8292 │ pkg:nuget/System.Net.Http │ 4.3.4       │ ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓ │                                                    │
│               │                           │             │ ┃                                                                 .NET Core Information Disclosure                                                                  ┃ │                                                    │
│               │                           │             │ ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛ │                                                    │
│               │                           │             │                                                                                                                                                                       │                                                    │
│               │                           │             │ An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information        │                                                    │
│               │                           │             │ Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.                                                             │                                                    │
└───────────────┴───────────────────────────┴─────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────┘

[prabhu]

#471

By default, versionless purls will be ignored. Pass --fuzzy-search to get more hits including false positives.

❯ uv run depscan --purl pkg:nuget/System.Net.Http                                                                                                                                                                                                                                (base)

  _|  _  ._   _  _  _. ._
 (_| (/_ |_) _> (_ (_| | |
         |

[13:19:38] INFO     No vulnerabilities found for project type 'nuget'!
(owasp-depscan) prabhu@mpro ~/work/owasp/dep-scan (fix/issue-465) [1]
❯ uv run depscan --purl pkg:nuget/System.Net.Http@4.3.3                                                                                                                                                                                                                          (base)

  _|  _  ._   _  _  _. ._
 (_| (/_ |_) _> (_ (_| | |
         |



                                                                                                                            Vulnerability Disclosure Report

The table below lists all vulnerabilities identified in this project. Review and triage the information to identify any critical vulnerabilities.

                                                           Dependency Scan Results (NUGET)
╔════════════════════════════════════════════════════════════════════════╤══════════════════╤════════════════════════╤══════════════════╤════════════╗
║ CVE                                                                    │ Insights         │ Fix Version            │ Severity         │      Score ║
╟────────────────────────────────────────────────────────────────────────┼──────────────────┼────────────────────────┼──────────────────┼────────────╢
║ System.Net.Http@4.3.3 ⬅ CVE-2018-8292                                  │                  │ 4.3.4                  │ HIGH             │        7.5 ║
╚════════════════════════════════════════════════════════════════════════╧══════════════════╧════════════════════════╧══════════════════╧════════════╝
                                                               Vulnerabilities count: 1

╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯
(owasp-depscan) prabhu@mpro ~/work/owasp/dep-scan (fix/issue-465) [1]
❯ uv run depscan --purl pkg:nuget/System.Net.Http --fuzzy-search                                                                                                                                                                                                                 (base)

  _|  _  ._   _  _  _. ._
 (_| (/_ |_) _> (_ (_| | |
         |



                                                                                                                            Vulnerability Disclosure Report

The table below lists all vulnerabilities identified in this project. Review and triage the information to identify any critical vulnerabilities.

                                                           Dependency Scan Results (NUGET)
╔═══════════════════════════════════════════════════════════════════════════════════╤════════════════╤════════════════════╤═══════════════╤══════════╗
║ CVE                                                                               │ Insights       │ Fix Version        │ Severity      │    Score ║
╟───────────────────────────────────────────────────────────────────────────────────┼────────────────┼────────────────────┼───────────────┼──────────╢
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2025-55315                               │                │ 17.2.22            │ CRITICAL      │      9.9 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2025-26682                               │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2025-24070                               │                │                    │ HIGH          │      7.0 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2024-21404                               │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2024-21386                               │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2023-44487                               │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2023-38180                               │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2023-36558                               │                │                    │ MEDIUM        │      6.2 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2023-36038                               │                │                    │ HIGH          │      8.2 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2023-35391                               │                │                    │ MEDIUM        │      6.2 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2021-43877                               │                │                    │ HIGH          │      8.8 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2021-34532                               │                │                    │ MEDIUM        │      5.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2021-1723                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2020-1597                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2020-1161                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2020-1045                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2020-0603                                │                │                    │ HIGH          │      8.8 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2020-0602                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2019-1302                                │                │                    │ HIGH          │      8.8 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2019-1075                                │                │                    │ MEDIUM        │      6.1 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2019-0982                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2019-0815                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2019-0564                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2019-0548                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-8416                                │                │                    │ MEDIUM        │      6.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-8409                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-8356                                │                │                    │ MEDIUM        │      5.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-8292                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-8171                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-0875                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-0808                                │                │                    │ HIGH          │      7.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-0787                                │                │                    │ HIGH          │      8.8 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-0785                                │                │                    │ MEDIUM        │      6.5 ║
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-0784                                │                │                    │ HIGH          │      8.8 ║
╟───────────────────────────────────────────────────────────────────────────────────┼────────────────┼────────────────────┼───────────────┼──────────╢
║ pkg:generic/microsoft/asp.net_core ⬅ CVE-2018-8292                                │                │ 17.2.22            │ HIGH          │      7.5 ║
╚═══════════════════════════════════════════════════════════════════════════════════╧════════════════╧════════════════════╧═══════════════╧══════════╝
                                                              Vulnerabilities count: 35

╭────────────── Recommendation ───────────────╮
│ ✅ No package requires immediate attention. │
╰─────────────────────────────────────────────╯

[Geertkok1]

@prabhu dep-scan 6.1.0 has fixed this issue the false positive CVE is no longer found!