[GHSA-6q8c-85p2-954c] In Progress Telerik UI for WPF versions prior to 2024 Q3 ...

[LanceMcCarthy]

This Pull Request replaces #5087

[JonathanLEvans]

Hi @LanceMcCarthy, I am unable to find any of the listed packages in https://www.nuget.org/. Could you provides to them?

[LanceMcCarthy]

@JonathanLEvans That is correct, they are not public nuget.org packages (they are only provided via our NuGet Feed (https://nuget.telerik.com). It is an authenticated feed, when the developer passes credentials with the HTTP request (using packageSourceCredentials) and the server determines what packages they have the license to access/download.

This topic is something I was going to bring up to the .NET team via Microsoft MVP back channels, there should probably be an easier way for you to automatically validate the package, possible through a private proxy that I can arrange with your team. However, this is a longer term thing that likely needs agreement and configuration. For now, I need to manually go through all the items and list them for you.

[LanceMcCarthy]

@JonathanLEvans Here is a real world example where Dependabot will make the identification.

• The developer lists our feed, next to nuget.org, in their nuget config file => https://github.com/LanceMcCarthy/.../NuGet.Config
• Dependabot doesn't care what the source is for the package, it only identifies a PackageReference inside the csproj, for example => https://github.com/LanceMcCarthy/..../MyWpfApp.csproj#L108

The main argument here is that it should matter where the packages come from. It is still a PackageReference dependency in the project. The GitHub repo should still get a match on the vulnerable package version by Dependabot because it only searches the project's PackageReference list.

Ultimately, there doesn't even have to be a server-based feed like nuget.org. The NuGet package manager (and dotnet) supports using a local package source (a folder with .nupkg files in it). In this scenario, the project still has the same PackageReference in the dependencies list (and will get the same Dependabot hit).

Example

Here's a short walkthrough of a common multi-source scenario.

In the nuget.config, there are three sources defined; NuGetOrg, TelerikServer, and MyLocalPackages.

<configuration>
  <packageSources>
    <add key="NuGetOrg" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="TelerikServer" value="https://nuget.telerik.com/v3/index.json" protocolVersion="3"/>
    <add key="MyLocalPackages" value="\local-folder\my-packages" />
  </packageSources>
  ...
</configuration>

In the project's csproj file, there exists a PackageReference list. This is source-agnostic.

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net9.0</TargetFramework>
  </PropertyGroup>

  <!-- Packages can come from any source, public, private, or local -->
  <ItemGroup>
    <!-- This get restored from nuget.org -->
    <PackageReference Include="Newtonsoft.Json" Version="13.03" />
    <PackageReference Include="CommonHelpers" Version="1.4.0" />

    <!-- This gets restored from nuget.telerik.com -->
    <PackageReference Include="Telerik.UI.for.Wpf" Version="2024.4.1106" />

    <!-- This gets restored from a local folder source -->
    <PackageReference Include="MyApp.ClassLibrary" Version="1.0.0" />
  </ItemGroup>
</Project>

[edit] Clarified further with expanded example. Spelling corrections.