False Positive CVE-2025-26646 in msbuild

[mjwrona]

Trivy reports a false positive for CVE-2025-26646 / GHSA-h4j7-5rxr-p4wc

Command
trivy image mcr.microsoft.com/dotnet/sdk --scanners vuln --vuln-type library

Output

According to this discussion it's a false positive and 17.14.5 is not vulnerable
dotnet/msbuild#11846 (comment)

Nuget also does not report a vulnerability in 17.14.5
https://www.nuget.org/packages/Microsoft.Build.Tasks.Core/17.14.5

[DmitriyLewen]

We use GitHub database to get advisories.
Please suggest changes for this CVE here.

Regards, Dmitriy

[mjwrona]

According to msbuild, the github advisory is correct.
Trivy detects 17.14.5 as vulnerable even if it's not within the affected versions range.

[DmitriyLewen]

hm.. sorry, i incorrect checks fixed version.
I will take a look and write to you.

[DmitriyLewen]

I found problem - OSV file have >=17.13.9 < 17.14.8 affected range.
But GitHub UI doens't show this range.

I craeted github/advisory-database#5734

[lardon0]

Could this be also affecting version 17.11.31

According to this it should be fine.
dotnet/msbuild#11846 (comment)

nuget does not report a vulnerability
https://www.nuget.org/packages/Microsoft.Build.Tasks.Core/17.11.31

[DmitriyLewen]

I think GitHub think about- how they can specify the affected version(s) from the range (OSV format doesn't support this) instead of writing each affected version.

let's wait their answer (github/advisory-database#5734 (comment))