Hi,
We have just switched to docker scout to scan our docker images.
We are seeing an issue which seems like issue 93 has returned.
I have made a reproduction repository; it seems to be an issue if there are multiple projects which use a directory.package.props file to manage dependencies. The reproduction also uses dotnet 8 with 10.x.x packages, but that might not be contributing to it.
The code is in this repo https://github.com/chestercodes/docker-scout-playground/tree/main/dependency-issue
There is one difference in that I am using a slightly different base image for the build part, which allows my company laptop to get around the VPN, but the sdk one should work as well.
The docker scout output for the version is included in the run script.
The issue seems to stem from the deps file of the referenced project, in this case called other.csproj.
It is not present when the directory.package.props file is removed and the version is specified in each of the csproj files; there is a branch with this case.
The differences can be seen in the docker scout invocation: the main branch shows 2 high vulns, which is incorrect, as the updated package is specified in the packages props file.
The branch built image shows no high vulns, which is correct.
