
Missing dependencies in the nuget package?

Open ghandmann opened this issue 4 years ago • 4 comments

Hi there,

I just wanted to try out the security-scanner to see what it finds and if I would like to incorporate it into my CI pipeline.

But I could not get it working with .NET Core 5 running on Linux (Ubuntu 20.10).

Output of dotnet --version:

$ dotnet --version
5.0.201

Output of dotnet tool install -g security-scan:

$ dotnet tool install -g security-scan
You can invoke the tool using the following command: security-scan
Tool 'security-scan' (version '5.1.0') was successfully installed.

Running the tool:

$ security-scan 
Error:
  An assembly specified in the application dependencies manifest (security-scan.deps.json) was not found:
    package: 'System.Globalization.Extensions', version: '4.3.0'
    path: 'runtimes/unix/lib/netstandard1.3/System.Globalization.Extensions.dll'

So to me it looks like the security-scan NuGet package is missing some dependencies?

ghandmann, Mar 23 '21 09:03

Interesting... There are two versions of the tool https://www.nuget.org/packages/security-scan/ (5.0.1 is another bug, doh, need to fix in resources). Does it happen with both of them?

JarLob, Mar 23 '21 09:03

I've just tried version 5.1.0 and got the same issue; version 5.0.0 seems to work though. Seems like the new 5.1.0 version is faulty.

relair, Mar 23 '21 14:03

Indeed 5.0.0 does not have the reported issue.

$ dotnet tool install -g --version 5.0.0 security-scan
You can invoke the tool using the following command: security-scan
Tool 'security-scan' (version '5.0.0') was successfully installed.

$ security-scan 

╔═╗┌─┐┌─┐┬ ┬┬─┐┬┌┬┐┬ ┬  ╔═╗┌─┐┌┬┐┌─┐  ╔═╗┌─┐┌─┐┌┐┌
╚═╗├┤ │  │ │├┬┘│ │ └┬┘  ║  │ │ ││├┤   ╚═╗│  ├─┤│││
╚═╝└─┘└─┘└─┘┴└─┴ ┴  ┴   ╚═╝└─┘─┴┘└─┘  ╚═╝└─┘┴ ┴┘└┘

.NET tool version 5.0.0

Usage:

  security-scan <solution path>

ghandmann, Mar 23 '21 15:03

Looks like an msbuild issue (https://github.com/dotnet/msbuild/issues/6292), but some parts of the solution do not build with dotnet build. Meanwhile I have pushed an updated version: https://www.nuget.org/packages/security-scan/5.1.1

JarLob, Mar 23 '21 19:03