
[GHSA-6q8c-85p2-954c] In Progress Telerik UI for WPF versions prior to 2024 Q3 ... #5094

Open
wants to merge 3 commits into
base: LanceMcCarthy/advisory-improvement-5094

Conversation

LanceMcCarthy

This Pull Request replaces #5087

@github-actions github-actions bot changed the base branch from main to LanceMcCarthy/advisory-improvement-5094 December 17, 2024 17:22
@LanceMcCarthy LanceMcCarthy changed the title Improvement: GHSA 6q8c85p2954c [GHSA-6q8c-85p2-954c] In Progress Telerik UI for WPF versions prior to 2024 Q3 ... Dec 17, 2024
@JonathanLEvans

Hi @LanceMcCarthy, I am unable to find any of the listed packages in https://www.nuget.org/. Could you provide them?

@LanceMcCarthy
Author

@JonathanLEvans That is correct, they are not public nuget.org packages (they are only provided via our NuGet Feed, https://nuget.telerik.com). It is an authenticated feed: when the developer passes credentials with the HTTP request (using packageSourceCredentials), the server determines what packages they have the license to access/download.

This topic is something I was going to bring up to the .NET team via Microsoft MVP back channels; there should probably be an easier way for you to automatically validate the package, possibly through a private proxy that I can arrange with your team. However, this is a longer-term thing that likely needs agreement and configuration. For now, I need to manually go through all the items and list them for you.

@LanceMcCarthy
Author

LanceMcCarthy commented Dec 17, 2024

@JonathanLEvans Here is a real world example where Dependabot will make the identification.

The .NET developer lists our feed, next to nuget.org, in their nuget config file => https://github.com/LanceMcCarthy/.../NuGet.Config

Dependabot doesn't care what the origin was for the package, it only identifies the affected package name and version inside the csproj, for example => https://github.com/LanceMcCarthy/..../MyWpfApp.csproj#L108

Even though the package is not available on nuget.org, it is still available to the project via another source. It is still a NuGet dependency. The GitHub user should be able to get the match on the vulnerable package version, then be shown the patched version.

Also, please note that there doesn't even have to be a server feed. NuGet supports local package sources; in this case, the source code on GitHub would not be using a server-based source. The developer should still get an alert that the package reference needs to be updated.

[edit] fixed formatting and spelling
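An added example (not code from this PR, from GitHub's Dependabot, or from Telerik) of the matching the comment above describes: a PackageReference in a csproj is compared against an advisory's patched version purely by package name and version, with no regard to whether the package came from nuget.org, an authenticated feed or a local folder. The csproj snippet, package names and version numbers are constructed placeholders, and the version comparison is a numeric simplification of NuGet's SemVer rules (prerelease tags are ignored).

```python
import re
import xml.etree.ElementTree as ET

# Constructed csproj standing in for the MyWpfApp.csproj the comment points at.
# Package ids and versions are placeholders, not the advisory's real data.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Wpf.Controls" Version="2024.2.514" />
    <PackageReference Include="Example.Wpf.Docking" Version="2024.3.806" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

# Constructed advisory entry: package id -> first patched version.
# Any reference below the patched version is affected, whatever feed served it.
ADVISORY = {
    "Example.Wpf.Controls": "2024.3.806",
    "Example.Wpf.Docking": "2024.3.806",
}


def parse_version(version: str) -> tuple:
    """Turn '2024.2.514' into (2024, 2, 514); non-numeric parts are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def package_references(csproj_xml: str) -> dict:
    """Collect PackageReference id -> (id, version). NuGet ids are case-insensitive,
    so the lookup key is lower-cased. The package source is never consulted."""
    refs = {}
    for element in ET.fromstring(csproj_xml).iter("PackageReference"):
        name, version = element.get("Include"), element.get("Version")
        if name and version:
            refs[name.lower()] = (name, version)
    return refs


def find_vulnerable(csproj_xml: str, advisory: dict) -> list:
    """Return (id, referenced version, patched version) for each affected reference."""
    refs = package_references(csproj_xml)
    findings = []
    for package, patched in advisory.items():
        hit = refs.get(package.lower())
        if hit and parse_version(hit[1]) < parse_version(patched):
            findings.append((hit[0], hit[1], patched))
    return findings


if __name__ == "__main__":
    for name, current, patched in find_vulnerable(CSPROJ, ADVISORY):
        print(f"{name} {current} is affected; update to {patched}")
```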
