Reputation: 2282
I had a security scan saying that there was a vulnerability in Microsoft.AspNetCore.Hosting.1.0.2.nupkg
I don't see it when I look at the Manage Package solutions. Since I didn't see it, I tried to add an upgraded version and run the security scan again. But I still got a message about 1.0.2.nupkg.
Any ideas on how to solve this?
Update
Bright Ran-MSFT was correct that it was the ApplicationInsights. I was able to correct the issue by the following.
Fix
Upvotes: 0
Views: 114
Reputation: 13469
This issue has been fixed in a higher version of Microsoft.AspNetCore.Hosting. https://github.com/microsoft/ApplicationInsights-dotnet/issues/1902
> I tried to add an upgraded version and run the security scan again. But I still got a message about 1.0.2.nupkg.
This may be because a cache of the package's old version still exists on the hosted machine, and the security scan tool you are using can scan the package caches.
You can try to check whether the security scan tool can list the paths of the packages it has scanned. Then you can try to find the path of the package Microsoft.AspNetCore.Hosting 1.0.2, and manually delete the cache from the path.
You can also try using the commands 'dotnet nuget locals all --clear' or 'nuget locals all -clear' to clear the caches.
To view more details, you can see "Managing the global packages, cache, and temp folders".
Upvotes: 1
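A package that a scanner flags but that does not appear under Manage NuGet Packages is usually a transitive dependency, as the ApplicationInsights finding in the question's update shows. The following is an added example, not part of either post: it walks a restored `obj/project.assets.json` and reports which direct reference pulls in a given package version. The function name `why`, the sample data and the `0.0.0-sample` versions are constructed for illustration.

```python
import json
from collections import deque

# Constructed sample shaped like obj/project.assets.json. Only the
# Microsoft.AspNetCore.Hosting 1.0.2 version comes from the page.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net6.0": {
    "Microsoft.ApplicationInsights.AspNetCore/0.0.0-sample": {
      "type": "package", "dependencies": {"Microsoft.AspNetCore.Hosting": "1.0.2"}},
    "Microsoft.AspNetCore.Hosting/1.0.2": {
      "type": "package", "dependencies": {"Microsoft.AspNetCore.Http": "0.0.0-sample"}},
    "Microsoft.AspNetCore.Http/0.0.0-sample": {"type": "package"},
    "Newtonsoft.Json/0.0.0-sample": {"type": "package"}}},
  "projectFileDependencyGroups": {"net6.0": [
    "Microsoft.ApplicationInsights.AspNetCore >= 0.0.0-sample",
    "Newtonsoft.Json >= 0.0.0-sample"]}
}
""")

def why(assets, package, version):
    """Return {framework: [chain, ...]}; each chain starts at a direct
    reference and ends at the resolved package/version being asked about."""
    wanted = f"{package}/{version}".lower()
    groups = assets.get("projectFileDependencyGroups", {})
    result = {}
    for tfm, libs in assets["targets"].items():
        # lower-cased package id -> (resolved "Id/Version" key, dependency ids)
        resolved = {k.split("/")[0].lower(): (k, list(v.get("dependencies", {})))
                    for k, v in libs.items()}
        chains = []
        # Assumes the group key matches the target key; RID-specific targets
        # without a matching group are skipped.
        for root in (d.split()[0] for d in groups.get(tfm, [])):
            queue, seen = deque([[root.lower()]]), set()
            while queue:  # breadth-first: shortest chain per direct reference
                chain = queue.popleft()
                if chain[-1] in seen or chain[-1] not in resolved:
                    continue
                seen.add(chain[-1])
                key, deps = resolved[chain[-1]]
                named = chain[:-1] + [key]
                if key.lower() == wanted:
                    chains.append(named)
                    break
                queue.extend(named + [d.lower()] for d in deps)
        if chains:
            result[tfm] = chains
    return result

if __name__ == "__main__":
    print(why(SAMPLE_ASSETS, "Microsoft.AspNetCore.Hosting", "1.0.2"))
```

If a chain is returned, the package will be restored again on the next build even after the caches are cleared, so the change has to be made at the direct reference that starts the chain.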