
Fix CVE vulnerabilities in transitive NuGet dependencies (#1204)#1205

Draft
pm7y wants to merge 1 commit into OctopusDeploy:main from pm7y:fix-cves

Conversation


@pm7y pm7y commented Mar 31, 2026

Are you a customer of Octopus Deploy? Please contact our support team so we can triage your PR, so that we can make sure it's handled appropriately.

Background

#1204

The octopusdeploy/tentacle container image bundles transitive NuGet dependencies with known CVEs in /opt/octopus/tentacle/Tentacle.deps.json. These are flagged by container vulnerability scanners (Azure Defender for Cloud, Trivy, Snyk, etc.) and cannot be remediated by image consumers.

This PR pins 6 vulnerable transitive dependencies to their fixed versions by adding explicit PackageReference entries to Octopus.Tentacle.csproj.

Results

| CVE | Severity | Package | Before | After |
| --- | --- | --- | --- | --- |
| CVE-2024-38095 | High | System.Formats.Asn1 | 6.0.0 | 6.0.1 |
| CVE-2023-29331 | High | System.Security.Cryptography.Pkcs | 6.0.1 | 6.0.3 |
| CVE-2017-11770 | High | System.Security.Cryptography.X509Certificates | 4.1.0 | 4.3.2 |
| CVE-2018-8292 | Medium | System.Net.Http | 4.1.0 | 4.3.4 |
| CVE-2019-0657, CVE-2019-0980, CVE-2019-0981 | Medium | System.Private.Uri | 4.3.0 | 4.3.2 |
| CVE-2019-0820 | Medium | System.Text.RegularExpressions | 4.3.0 | 4.3.1 |

Before

Container vulnerability scanners flag 8 CVEs (3 High, 5 Medium) from /opt/octopus/tentacle/Tentacle.deps.json.

After

All 8 CVEs resolved. No functional changes — only transitive dependency version pins.

How to review this PR

This is a low-risk dependency pin change. The packages are already present as transitive dependencies; we are only overriding their versions to pick up security fixes.

Key points to verify:

  • System.Formats.Asn1 and System.Security.Cryptography.Pkcs are conditioned on '$(TargetFrameworkIdentifier)' != '.NETFramework' because they only target netstandard2.1/net6.0+ and would break the net48 build
  • The remaining 4 packages support all target frameworks and are unconditional
  • System.Security.Cryptography.X509Certificates is pinned to 4.3.2 (not the NVD-listed 4.1.2) because System.Net.Http 4.3.4 depends on >= 4.3.0

Quality ✔️
Build all target frameworks (net48, net8.0, net8.0-windows) and run the existing test suite.

Pre-requisites

  • I have read How we use GitHub Issues for help deciding when and where it's appropriate to make an issue.
  • I have considered informing or consulting the right people, according to the ownership map

…oy#1204)

Pin vulnerable transitive dependencies to their fixed versions:
  - System.Formats.Asn1 6.0.0 -> 6.0.1 (CVE-2024-38095)
  - System.Security.Cryptography.Pkcs 6.0.1 -> 6.0.3 (CVE-2023-29331)
  - System.Security.Cryptography.X509Certificates 4.1.0 -> 4.3.2 (CVE-2017-11770)
  - System.Net.Http 4.1.0 -> 4.3.4 (CVE-2018-8292)
  - System.Private.Uri 4.3.0 -> 4.3.2 (CVE-2019-0657, CVE-2019-0980, CVE-2019-0981)
  - System.Text.RegularExpressions 4.3.0 -> 4.3.1 (CVE-2019-0820)
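
The check an image consumer could run against /opt/octopus/tentacle/Tentacle.deps.json, as an added example that is not part of this PR or of Tentacle's own code: it reads the manifest's `libraries` table, compares each listed package with the target versions from the PR table (the "After" column, so System.Security.Cryptography.X509Certificates is required at 4.3.2 rather than the NVD-listed 4.1.2, for the System.Net.Http 4.3.4 reason the description gives), and renders the csproj `PackageReference` overrides the description talks about, with the two net6.0+-only packages placed under the `TargetFrameworkIdentifier` condition. The two sample manifests, the project entry `Octopus.Tentacle/1.0.0` and the extra Newtonsoft.Json entry are constructed for the example, and the rendered csproj fragment is the shape of fix described, not the PR's actual diff.

```python
"""Check a .NET runtime manifest (.deps.json) against the transitive-package
minimums from the PR table and emit the csproj pins that would raise them.

Added example, not Tentacle's code. Runs offline on constructed input;
real use: python check_deps.py /opt/octopus/tentacle/Tentacle.deps.json
"""
import json
import sys
from typing import Dict, List, Tuple

# Target versions from the PR's "After" column (assumption: these, not the NVD
# fixed versions, are the bar; X509Certificates is 4.3.2 because of System.Net.Http 4.3.4).
FIXED_VERSIONS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "System.Formats.Asn1": ("6.0.1", ("CVE-2024-38095",)),
    "System.Security.Cryptography.Pkcs": ("6.0.3", ("CVE-2023-29331",)),
    "System.Security.Cryptography.X509Certificates": ("4.3.2", ("CVE-2017-11770",)),
    "System.Net.Http": ("4.3.4", ("CVE-2018-8292",)),
    "System.Private.Uri": ("4.3.2", ("CVE-2019-0657", "CVE-2019-0980", "CVE-2019-0981")),
    "System.Text.RegularExpressions": ("4.3.1", ("CVE-2019-0820",)),
}
_FIXED_BY_LOWER = {name.lower(): name for name in FIXED_VERSIONS}  # NuGet ids are case-insensitive

# Packages that ship only netstandard2.1/net6.0+ assets (per the PR description);
# their pins must be conditioned out of the net48 build.
NOT_FOR_NETFRAMEWORK = {"System.Formats.Asn1", "System.Security.Cryptography.Pkcs"}

Finding = Tuple[str, str, str, Tuple[str, ...]]  # (package, found, required, cves)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a NuGet version into a comparable tuple: build metadata after '+'
    is ignored, numeric parts are padded to four ('4.3' == '4.3.0.0'), and a
    trailing flag ranks a pre-release (6.0.1-preview) below its release (6.0.1)."""
    core = v.split("+", 1)[0]
    numeric, _, prerelease = core.partition("-")
    parts = tuple(int(p) for p in numeric.split("."))
    return parts + (0,) * (4 - len(parts)) + (0 if prerelease else 1,)


def find_vulnerable(deps_json: str) -> List[Finding]:
    """Return every package in the manifest's 'libraries' table that is below
    its required version, in file order. 'project' entries (the app) are skipped."""
    doc = json.loads(deps_json)
    findings: List[Finding] = []
    for key, lib in doc.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue
        name, _, version = key.rpartition("/")  # keys look like "Id/Version"
        canon = _FIXED_BY_LOWER.get(name.lower())
        if canon is None:
            continue
        required, cves = FIXED_VERSIONS[canon]
        if parse_version(version) < parse_version(required):
            findings.append((canon, version, required, cves))
    return findings


def render_pins(findings: List[Finding]) -> str:
    """Emit csproj PackageReference overrides for the findings, putting the
    net6.0+-only packages in an ItemGroup conditioned away from .NETFramework."""
    groups = {
        "<ItemGroup>": [f for f in findings if f[0] not in NOT_FOR_NETFRAMEWORK],
        "<ItemGroup Condition=\"'$(TargetFrameworkIdentifier)' != '.NETFramework'\">":
            [f for f in findings if f[0] in NOT_FOR_NETFRAMEWORK],
    }
    out: List[str] = []
    for opening, members in groups.items():
        if not members:
            continue
        out.append(opening)
        for name, _, required, cves in members:
            out.append(f'  <PackageReference Include="{name}" Version="{required}" />  <!-- {", ".join(cves)} -->')
        out.append("</ItemGroup>")
    return "\n".join(out)


def make_deps_json(packages: Dict[str, str]) -> str:
    """Build a trimmed .deps.json for the samples (constructed data; a real
    Tentacle.deps.json also has a 'targets' section and many more entries)."""
    libs: Dict[str, Dict[str, object]] = {"Octopus.Tentacle/1.0.0": {"type": "project", "serviceable": False}}
    for name, version in packages.items():
        libs[f"{name}/{version}"] = {"type": "package", "serviceable": True}
    return json.dumps({"runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"}, "libraries": libs})


# Constructed samples: the "Before" and "After" columns of the PR table plus one
# package that is not on the list and must not be reported.
BEFORE_DEPS = make_deps_json({
    "System.Formats.Asn1": "6.0.0",
    "System.Security.Cryptography.Pkcs": "6.0.1",
    "System.Security.Cryptography.X509Certificates": "4.1.0",
    "System.Net.Http": "4.1.0",
    "System.Private.Uri": "4.3.0",
    "System.Text.RegularExpressions": "4.3.0",
    "Newtonsoft.Json": "13.0.3",
})
AFTER_DEPS = make_deps_json({
    "System.Formats.Asn1": "6.0.1",
    "System.Security.Cryptography.Pkcs": "6.0.3",
    "System.Security.Cryptography.X509Certificates": "4.3.2",
    "System.Net.Http": "4.3.4",
    "System.Private.Uri": "4.3.2",
    "System.Text.RegularExpressions": "4.3.1",
    "Newtonsoft.Json": "13.0.3",
})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BEFORE_DEPS
    hits = find_vulnerable(text)
    for name, found, required, cves in hits:
        print(f"{name} {found} < {required}  ({', '.join(cves)})")
    if hits:
        print(render_pins(hits))
    sys.exit(1 if hits else 0)
```

Run it with a deps.json copied out of the image to get a non-zero exit while any listed package is still below its target; on the constructed "Before" sample it reports the six packages and prints the two ItemGroups, on the "After" sample it reports nothing. At build time, with the project source available, `dotnet list package --vulnerable --include-transitive` does the equivalent against the NuGet advisory database, but image consumers do not have the source, which is why a manifest-level check is the one they can actually run.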
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

