Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[dotnet] --deep mode on linux requires dotnet sdk 9.0 #1563

Closed
prabhu opened this issue Jan 15, 2025 · 6 comments · Fixed by #1572
Closed

[dotnet] --deep mode on linux requires dotnet sdk 9.0 #1563

prabhu opened this issue Jan 15, 2025 · 6 comments · Fixed by #1572

Comments

@prabhu
Copy link
Collaborator

prabhu commented Jan 15, 2025

Getting the below error with the ghcr.io/cyclonedx/cdxgen-debian-dotnet6:v11 image. Need to check if the settings we use for build is correct.

https://github.com/owasp-dep-scan/dosai/blob/c01cd33d493ebb50ecd5fe688379e7b4cd059906/.github/workflows/test.yml#L40

Executing /opt/cdxgen/node_modules/@cyclonedx/cdxgen-plugins-bin/plugins/dosai/dosai-linux-amd64 methods --path /app --o /app/deps.slices.json
 You must install or update .NET to run this application.

App: /opt/cdxgen/node_modules/.pnpm/@cyclonedx+cdxgen-plugins-bin@1.6.9/node_modules/@cyclonedx/cdxgen-plugins-bin/plugins/dosai/dosai-linux-amd64
Architecture: x64
Framework: 'Microsoft.NETCore.App', version '9.0.0' (x64)
.NET location: /usr/share/dotnet

The following frameworks were found:
  6.0.36 at [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Learn about framework resolution:
https://aka.ms/dotnet/app-launch-failed

To install missing framework, download:
https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=9.0.0&arch=x64&rid=debian.12-x64

Slicing with dosai was unsuccessful. Check the errors reported in the logs above.
@prabhu
Copy link
Collaborator Author

prabhu commented Jan 15, 2025

@timmyteo Any thoughts?

@timmyteo
Copy link
Collaborator

Hi @prabhu - I think this may be caused by the recent Dosai dotnet 9 upgrade. I suspect that the dotnet 6 SDK is missing something that is needed in the runtime by a dotnet 9 application, for which Dosai is now asking for dotnet 9 runtime.

I think this is the correct dockerfile that would need an update to fix this? Or maybe a different/multiple docker files related to dotnet 6 SDK. I believe adding the dotnet 9 runtime to the dotnet 6 SDK image might fix this. So add the following command for apt-get to install: dotnet-runtime-9.0

@prabhu
Copy link
Collaborator Author

prabhu commented Jan 15, 2025

@timmyteo Is it possible to create a single static fat binary that includes the needed runtime bits?

@timmyteo
Copy link
Collaborator

Different dotnet runtime and SDK versions can exist on a machine simultaneously. So I believe it would work to have a single Docker image with dotnet sdk 6,7,8,9 all installed.

@prabhu
Copy link
Collaborator Author

prabhu commented Jan 15, 2025

@timmyteo That may not be possible. The OS version for dotnet 6,7,8 are old so may not have dotnet 9 packaged. Plus, if we have multiple versions of dotnet in the same image, then we need a file or setting to make cdxgen use the correct version to perform restore operations.

@prabhu
Copy link
Collaborator Author

prabhu commented Jan 15, 2025

owasp-dep-scan/dosai#23

@prabhu prabhu mentioned this issue Jan 16, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

dotnet framework deep improvements CycloneDX/cdxgen
2 participants
@prabhu @timmyteo