Azure Devops Advance Security not detecting latest vulnerabilities


I have a C# Web-Api project with a vulnerability.

System.Data.SqlClient version 4.8.5

I can also see this vulnerability in https://github.com/advisories/GHSA-98g6-xh36-x2p7.

When I execute the Azure DevOps Advanced Security scan, I can see other vulnerabilities in the report, but not the one mentioned above.

I tried changing the code, deliberately adding a new vulnerability just to ensure the scan is not getting cached, but to no avail.

Could you please help me understand why I'm not seeing this particular vulnerability?

Thanks

Answer by Kevin Lu-MSFT:

I have tested adding the package System.Data.SqlClient version 4.8.5 to a project and using the task AdvancedSecurity-Dependency-Scanning@1 to detect the vulnerabilities.

It can show the latest vulnerability of System.Data.SqlClient 4.8.5.

Here is an example:

Add the package to the project:

<ItemGroup>
  <PackageReference Include="Microsoft.Azure.SignalR" Version="1.18.1" />
  <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
</ItemGroup>
</Project>

Pipeline Result:


You can check the following points:

1. Check if the correct version of the NuGet package has been restored at the NuGet Restore step.


2. Refer to this ticket: "Advanced Security isn't using the latest advisories"

The trigger to submit a new artifact to our service is when there’s a new commit. Even if the component was found before, if a new vulnerability/CVE is identified, a new scan with a new commit must be submitted.

You can try to add a new commit to the branch being scanned in the repo and then you can run the Dependency Scanning again to check if it can get the latest vulnerabilities.
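As an added example (not the answer's or Microsoft's own pipeline), here is a minimal Azure Pipelines YAML that follows the order the answer relies on: restore first, confirm which version of System.Data.SqlClient was actually resolved, then run the Dependency Scanning task. The branch name, agent image and solution path are assumptions.

```yaml
# Added example pipeline; branch, image and solution path are assumed.
# Dependency Scanning reports on what the restore step resolved, so restore
# must run before the scan and the resolved version is worth verifying.
trigger:
  - main                      # assumption: a new commit here triggers a fresh scan

pool:
  vmImage: windows-latest     # assumption

steps:
  - task: NuGetToolInstaller@1

  - task: NuGetCommand@2
    displayName: NuGet restore
    inputs:
      command: restore
      restoreSolution: '**/*.sln'   # assumption: solution lives in the repo

  # project.assets.json lists every restored package under "libraries" as
  # "Name/Version"; fail the build if SqlClient is missing from the restore.
  - pwsh: |
      $assets = Get-ChildItem -Recurse -Filter project.assets.json | Select-Object -First 1
      if (-not $assets) { throw 'project.assets.json not found; did restore run?' }
      $json = Get-Content $assets.FullName -Raw | ConvertFrom-Json
      $hit = $json.libraries.PSObject.Properties.Name |
             Where-Object { $_ -like 'System.Data.SqlClient/*' }
      if (-not $hit) { throw 'System.Data.SqlClient was not restored' }
      Write-Host "Resolved package: $hit"   # e.g. System.Data.SqlClient/4.8.5
    displayName: Verify resolved SqlClient version

  - task: AdvancedSecurity-Dependency-Scanning@1
    displayName: Advanced Security dependency scanning
```

If the verify step prints a different version than the one in the .csproj, a lock file or transitive reference is overriding it, and the scan result will reflect that resolved version rather than the one you expect.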