CodeQL documentation

Using a package with a known vulnerability

ID: cs/use-of-vulnerable-package
Kind: problem
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-937


Using a package with a known vulnerability is a security risk that could leave the software vulnerable to attack.

This query reads the packages referenced by the project's build files and .config files and checks them against a list of packages with known vulnerabilities.

Recommendation

Upgrade the package to the recommended version using, for example, the NuGet package manager, or by editing the project files directly.

Example

The following example shows a C# project file referencing package System.Net.Http version 4.3.1, which is vulnerable to CVE-2018-8292.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
    <AssemblyName>Semmle.Autobuild</AssemblyName>
    <RootNamespace>Semmle.Autobuild</RootNamespace>
    <OutputType>Exe</OutputType>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
    <PackageReference Include="System.Net.Http" Version="4.3.1" />
  </ItemGroup>

</Project>

The project file can be fixed by changing the version of the package to 4.3.4.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
    <AssemblyName>Semmle.Autobuild</AssemblyName>
    <RootNamespace>Semmle.Autobuild</RootNamespace>
    <OutputType>Exe</OutputType>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
  </ItemGroup>

</Project>
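The check this query performs, illustrated as an added example in Python. This is not the CodeQL query itself nor any code from the CodeQL repository: it parses the two project files shown above (embedded verbatim), plus a constructed packages.config, which goes beyond the page's .csproj example, and compares each package reference against a small advisory table. The table is a constructed stand-in for the real list; the CVE and the 4.3.4 fix version come from the page, and treating every earlier version of System.Net.Http as affected is an assumption made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed advisory table: a hypothetical stand-in for the list of known
# vulnerable packages the CodeQL query consults. Maps package id to a list of
# (advisory id, first fixed version). The CVE and fix version are from the
# page; "every version below the fix is affected" is an assumption.
KNOWN_VULNERABLE = {
    "System.Net.Http": [("CVE-2018-8292", "4.3.4")],
}

# Leading numeric version, optionally the lower bound of a NuGet range "[4.3.1,)".
_VERSION_RE = re.compile(r"^\s*[\[(]?\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '4.3.1' (or the lower bound of a NuGet range) into a comparable
    tuple padded to four components; None if unparsable ('*', $(Prop), ...)."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def _local(tag):
    """Strip any MSBuild xmlns prefix ('{ns}PackageReference' -> 'PackageReference')."""
    return tag.rsplit("}", 1)[-1]


def package_references(xml_text):
    """Yield (package id, version) from an SDK-style .csproj (<PackageReference>)
    or a classic packages.config (<package id=... version=...>)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "PackageReference":
            pkg = el.get("Include") or el.get("Update")
            ver = el.get("Version")
            if ver is None:  # <Version> may also be given as a child element
                child = next((c for c in el if _local(c.tag) == "Version"), None)
                ver = child.text if child is not None else None
        elif tag == "package":
            pkg, ver = el.get("id"), el.get("version")
        else:
            continue
        if pkg and ver:
            yield pkg, ver.strip()


def find_vulnerable_packages(xml_text):
    """Return [(package, version, advisory, fixed_in)] for every reference whose
    version is below a known fix; an empty list means nothing was flagged."""
    findings = []
    for pkg, ver in package_references(xml_text):
        parsed = parse_version(ver)
        if parsed is None:
            continue  # floating or property-driven version: cannot be compared here
        for advisory, fixed_in in KNOWN_VULNERABLE.get(pkg, []):
            if parsed < parse_version(fixed_in):
                findings.append((pkg, ver, advisory, fixed_in))
    return findings


# The project file from the page, embedded so the script runs offline.
VULNERABLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
    <AssemblyName>Semmle.Autobuild</AssemblyName>
    <RootNamespace>Semmle.Autobuild</RootNamespace>
    <OutputType>Exe</OutputType>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
    <PackageReference Include="System.Net.Http" Version="4.3.1" />
  </ItemGroup>
</Project>
"""
# The page's fixed variant differs only in the System.Net.Http version.
FIXED_CSPROJ = VULNERABLE_CSPROJ.replace('Version="4.3.1"', 'Version="4.3.4"')

# Constructed packages.config (classic NuGet format); not taken from the page.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="12.0.3" targetFramework="net472" />
  <package id="System.Net.Http" version="4.3.0" targetFramework="net472" />
</packages>
"""

if __name__ == "__main__":
    for name, text in [("vulnerable .csproj", VULNERABLE_CSPROJ),
                       ("fixed .csproj", FIXED_CSPROJ),
                       ("packages.config", PACKAGES_CONFIG)]:
        print(name, find_vulnerable_packages(text) or "no known-vulnerable packages")
```

Versions the script cannot compare (wildcards such as "*" or MSBuild property placeholders) are skipped rather than reported, which is the conservative choice for a linter but means such references still need to be resolved against the restored package graph to be certain.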
