dotnet list package --include-transitive --vulnerable reports unrelated security issues

[majkel89]

I'm calling dotnet list package --include-transitive --vulnerable to get list of security issues both for direct and indirect dependencies.

In response I get this:

 > dotnet list package --include-transitive --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Api` has the following vulnerable packages
   [net6.0]: 
   Transitive Package                    Resolved   Severity   Advisory URL                                     
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.Encodings.Web           4.5.0      Critical   https://github.com/advisories/GHSA-ghhp-997w-qr28
   > System.Text.RegularExpressions      4.3.0      Moderate   https://github.com/advisories/GHSA-cmhx-cq75-c4mj

The problems are not related to .NET 6.0 which I'm using.

Is this a bug or did I get it wrong ?

Contents of global.json file

{
  "sdk": {
    "version": "6.0.100",
    "rollForward": "latestFeature"
  }
}

Installed SDKs

 > dotnet --list-sdks                                   
2.1.816 [/usr/local/share/dotnet/sdk]
3.1.404 [/usr/local/share/dotnet/sdk]
3.1.407 [/usr/local/share/dotnet/sdk]
5.0.301 [/usr/local/share/dotnet/sdk]
6.0.100 [/usr/local/share/dotnet/sdk]
6.0.101 [/usr/local/share/dotnet/sdk]

System: MacOS 11.6 (Big Sur)

[majkel89]

I fixed the issue by adding references to buggy System libraries directly into project

  <!-- Referenced directly to resolve security issues -->
  <ItemGroup>
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Text.Encodings.Web" Version="6.0.0" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

[dominoFire]

Those transitive dependencies may be related to your installed PackageReferences.