GitHub Advanced Security for Azure DevOps is not detecting vulnerability


What should I do when GitHub Advanced Security for Azure DevOps is not detecting a vulnerability?

For example, this one is not being detected.

I'm using several packages that have a dependency on version 1.7 of Azure.Identity. Microsoft.Azure.SignalR:

    "Microsoft.Azure.SignalR/1.18.1": {
      "dependencies": {
        "Azure.Identity": "1.7.0",
        "System.IdentityModel.Tokens.Jwt": "6.24.0"
      }
    }

Microsoft.Extensions.Azure:

    "Microsoft.Extensions.Azure/1.6.0": {
      "dependencies": {
        "Azure.Core": "1.25.0",
        "Azure.Identity": "1.7.0",
        "Microsoft.Extensions.Options": "7.0.0"
      }
    }

Why is GitHub / Azure DevOps not seeing it?


1 answer

Miao Tian-MSFT

To test the issue, I added the same Package Reference as yours to my .csproj file.

  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.SignalR" Version="1.18.1" />
    <PackageReference Include="Microsoft.Extensions.Azure" Version="1.6.0" />
  </ItemGroup>

Run the pipeline with the AdvancedSecurity-Dependency-Scanning@1 task.

Result: CVE-2023-36414 is there for Azure.Identity 1.7.0.

After the above, I added another Package Reference, Microsoft.Data.SqlClient 5.1.4, to my .csproj file. It has a dependency on Azure.Identity (>= 1.10.3).

    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.4" />

Test result:

CVE-2023-36414 is not there anymore.


We can find CVE-2023-36414 in the closed filter.


So, the Azure.Identity package version is updated by another package.

You can also check which version of Azure.Identity was restored in the restore task log.

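As an added illustration (not part of the question or the answer above), the following Python script models the NuGet behaviour the answer relies on: restore picks one version of each package per target framework, the lowest that satisfies every lower bound in the graph, and a scanner that works from the restored graph reports that resolved version rather than each package's declared minimum. The catalogue, the advisory table and the project.assets.json fragment are constructed from the versions on this page plus assumed filler; in particular the "fixed in 1.10.3" entry is an assumption chosen to match what the page observed (1.7.0 flagged, 1.10.3 not), not a value taken from the advisory.

```python
"""Model of why a transitive ">= 1.7.0" need not produce a finding.

NuGet restores ONE version of each package per target framework: the lowest
version that satisfies every lower bound in the graph. A scanner that reads the
restored graph (project.assets.json) sees that resolved version, not each
package's declared minimum. Data below comes from the page plus constructed filler.
"""
import json

# Constructed catalogue: "Name/Version" -> dependency lower bounds ("1.7.0" == ">= 1.7.0").
# SignalR and Extensions.Azure entries are copied from the question; Microsoft.Data.SqlClient
# is trimmed to the one dependency the answer mentions; the leaf packages are assumed to
# have no further dependencies.
CATALOGUE = {
    "Microsoft.Azure.SignalR/1.18.1": {
        "Azure.Identity": "1.7.0",
        "System.IdentityModel.Tokens.Jwt": "6.24.0",
    },
    "Microsoft.Extensions.Azure/1.6.0": {
        "Azure.Core": "1.25.0",
        "Azure.Identity": "1.7.0",
        "Microsoft.Extensions.Options": "7.0.0",
    },
    "Microsoft.Data.SqlClient/5.1.4": {"Azure.Identity": "1.10.3"},
    "Azure.Identity/1.7.0": {},
    "Azure.Identity/1.10.3": {},
    "Azure.Core/1.25.0": {},
    "System.IdentityModel.Tokens.Jwt/6.24.0": {},
    "Microsoft.Extensions.Options/7.0.0": {},
}

# Constructed advisory table: package -> [(advisory id, first version not affected)].
# 1.10.3 is an ASSUMPTION chosen to match the page (1.7.0 flagged, 1.10.3 not);
# the real affected range must come from the advisory itself.
ADVISORIES = {"Azure.Identity": [("CVE-2023-36414", "1.10.3")]}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def format_version(version):
    return ".".join(str(part) for part in version)


def pick_version(catalogue, name, minimum):
    """Lowest catalogue version of `name` satisfying the lower bound (NuGet's choice)."""
    candidates = sorted(parse_version(key.split("/", 1)[1])
                        for key in catalogue if key.split("/", 1)[0] == name)
    for candidate in candidates:
        if candidate >= minimum:
            return candidate
    raise LookupError(f"no version of {name} satisfies >= {format_version(minimum)}")


def resolve(direct_references, catalogue):
    """Map package name -> resolved version for a set of direct PackageReferences.

    All lower bounds in the graph are merged into one minimum per package; the loop
    repeats until no dependency raises any minimum. Exact ranges such as "[1.7.0]"
    and NuGet's nearest-wins override for direct references are not modelled.
    """
    minimum = {name: parse_version(v) for name, v in direct_references.items()}
    changed = True
    while changed:
        changed = False
        for name, bound in list(minimum.items()):
            chosen = pick_version(catalogue, name, bound)
            for dep, dep_range in catalogue[f"{name}/{format_version(chosen)}"].items():
                needed = parse_version(dep_range)
                if needed > minimum.get(dep, (0,)):
                    minimum[dep] = needed
                    changed = True
    return {name: format_version(pick_version(catalogue, name, bound))
            for name, bound in minimum.items()}


def vulnerable_findings(resolved, advisories):
    """What a scanner working from the restored graph would report."""
    return [(package, version, advisory_id)
            for package, version in resolved.items()
            for advisory_id, fixed_in in advisories.get(package, [])
            if parse_version(version) < parse_version(fixed_in)]


def resolved_versions_from_assets(assets):
    """Read restored versions from a project.assets.json document: its "targets"
    section is keyed "Name/Version" per target framework, the same versions the
    pipeline's restore log prints."""
    result = {}
    for framework, packages in assets["targets"].items():
        result[framework] = dict(key.split("/", 1) for key in packages)
    return result


# Constructed project.assets.json fragment, limited to the fields read above.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net7.0": {
    "Microsoft.Data.SqlClient/5.1.4": {"type": "package", "dependencies": {"Azure.Identity": "1.10.3"}},
    "Azure.Identity/1.10.3": {"type": "package"}}}}
""")

if __name__ == "__main__":
    direct = {"Microsoft.Azure.SignalR": "1.18.1", "Microsoft.Extensions.Azure": "1.6.0"}
    for label, refs in (("before", direct), ("after", {**direct, "Microsoft.Data.SqlClient": "5.1.4"})):
        resolved = resolve(refs, CATALOGUE)
        print(label, "Azure.Identity", resolved["Azure.Identity"], vulnerable_findings(resolved, ADVISORIES))
    print("restored:", resolved_versions_from_assets(SAMPLE_ASSETS))
```

Run as a script it prints the two resolutions: with only the two packages from the question, Azure.Identity resolves to 1.7.0 and the constructed advisory matches; once Microsoft.Data.SqlClient raises the floor to 1.10.3, the same advisory no longer applies, which is the "closed" finding the answer shows. In a real pipeline the restore log or project.assets.json (the file resolved_versions_from_assets reads) is where to confirm which version actually ships; a minimum declared by one package is only a floor that any other package in the graph can raise.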