Nuget package dependency - nearest wins in DevAudit

[svaivada-geotab]

When finding vulnerabilities DevAudit does not consider the nearest wins solution for nuget package dependency: https://docs.microsoft.com/en-us/nuget/concepts/dependency-resolution#nearest-wins

For example in a csproj file if I am referencing a Nuget package that has a dependency where the minimum version has a vulnerability DevAudit would always report the vulnerability ignoring nearest wins. According to the nearest wins solution this vulnerability should not happen if I am referencing a version of the dependency closer to the application.

Could there be a way for DevAudit to consider the nearest wins solution?

[svaivada-geotab]

Here is an example to make it more clear.
I have the following csproj file:

<PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
</PropertyGroup>

<ItemGroup>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.2.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
</ItemGroup>

Running DevAudit against this I get one vulnerability reported with NewtonSoft.Json 9.0.1:

Package Source Audit Results
============================
1 total vulnerability found in .NET Core package source audit. Total time for audit: 3240 ms.


[1/6] Newtonsoft.Json 9.0.1 [VULNERABLE]  1 known vulnerabilities,  1 affecting installed package version(s): [9.0.1]
--[1/1] 1 vulnerability found 
  --Description:
    --1 non-CVE vulnerability found.
      To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account
9.0.1
  --Id: sonatype-2021-0713
  --Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2021-0713
  --Provided by: OSS Index

[2/6] Microsoft.NET.Test.Sdk 17.2.0 no known vulnerabilities.
[3/6] Newtonsoft.Json 13.0.1 no known vulnerabilities.
[4/6] Microsoft.TestPlatform.TestHost 17.2.0 no known vulnerabilities.
[5/6] Microsoft.CodeCoverage 17.2.0 no known vulnerabilities.
[6/6] Microsoft.TestPlatform.ObjectModel 17.2.0 no known vulnerabilities.

So because the minimum version of Newtonsoft.Json that the Microsoft.NET.Test.Sdk package can use has a vulnerability it is reported (which is Newtonsoft.Json 9.0.1 in this case). However the Newtonsoft.Json package version that would actually be used in the application is 13.0.1 according to the nearest wins solution. Note too that Newtonsoft.Json 13.0.1 has no vulnerabilities reported. So really the vulnerability in this example should not be reported.

[svaivada-geotab]

UPDATE: workaround for this

The csproj file provides the packages we need to build the project but it does not provide info on which versions of the dependencies we would actually be using based on how NuGet solves package dependencies.

So I found that a way to get around this is to instead have dev_audit scan the deps.json files which is updated post build. This will include all of the dependencies used in the project with the exact package versions being used. Thus changing the dev_audit to scan deps.json files actually reports that the vulnerability was fixed in the example above.

[mcallaghan-geotab]

@ken-duck - any recommendations for this problem?