Reputation: 49
So when running a Trivy container scan on my dockerised dotnet 6 app during my DevOps pipeline, many times I discover critical vulnerabilities which break the build and I am not sure how to fix them, as they do not relate to files or dependencies in my project but come from the DevOps or dotnet runtime configs themselves.
Here are 3 critical vulnerabilities which I think are inside the runtime configuration files, but we do not use starkbank-ecdsa anywhere, and the senior dev has no idea why it is there either.
I can easily disable the scanning as I do when a deployment needs to happen, but this is not the ideal solution as I would rather have any issues fixed.
I have searched online but can't seem to find a straightforward answer to how I can fix these issues. Any help or some clarity on this would be greatly appreciated.
Upvotes: 0
Views: 887
Reputation: 49
The package was indeed a transitive package, which is why I couldn't find it at first. In case this helps anyone, I was able to find it within Azure DevOps by adding the dotnet list package --include-transitive command into the pipeline.
I was then able to find the package and its reference and upgrade as required. Thank you to @Joachim Sauer for the clarity.
Upvotes: 2
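As an added example (not code from the question or the answer above), the script below goes one step further than listing transitive packages: it reads the restore graph NuGet writes to obj/project.assets.json and walks from each top-level reference down to a named package, so you can see which direct reference pulls a flagged transitive package in and therefore which one to upgrade. The assets document embedded here and the Example.* package names are constructed for illustration; only starkbank-ecdsa comes from the question.

```python
import json
from typing import Dict, List

# Constructed stand-in for the relevant parts of obj/project.assets.json.
# Real files carry more fields; only "targets" and "project.frameworks" are used here.
SAMPLE_ASSETS = json.loads("""{
  "targets": {"net6.0": {
    "Example.MailClient/9.0.0": {"type": "package",
      "dependencies": {"Example.Http": "2.1.0", "starkbank-ecdsa": "1.3.1"}},
    "Example.Http/2.1.0": {"type": "package"},
    "starkbank-ecdsa/1.3.1": {"type": "package"},
    "Example.Logging/5.0.0": {"type": "package", "dependencies": {"Example.Http": "2.0.0"}}
  }},
  "project": {"frameworks": {"net6.0": {"dependencies": {
    "Example.MailClient": {"target": "Package", "version": "[9.0.0, )"},
    "Example.Logging": {"target": "Package", "version": "[5.0.0, )"}
  }}}}
}""")


def dependency_chains(assets: dict, framework: str, target: str) -> List[List[str]]:
    """Return every chain top-level -> ... -> target, as resolved 'Name/Version' ids."""
    graph = assets["targets"][framework]
    # NuGet resolves one version per package id and treats ids case-insensitively,
    # so a name is enough to find the resolved node regardless of the requested range.
    by_name: Dict[str, str] = {pid.split("/")[0].lower(): pid for pid in graph}
    direct = assets["project"]["frameworks"][framework]["dependencies"]
    roots = [by_name[n.lower()] for n in direct if n.lower() in by_name]
    chains: List[List[str]] = []

    def walk(pid: str, path: List[str]) -> None:
        path = path + [pid]
        if pid.split("/")[0].lower() == target.lower():
            chains.append(path)
            return
        for dep in graph[pid].get("dependencies", {}):
            nxt = by_name.get(dep.lower())
            if nxt and nxt not in path:  # guard against cyclic graphs
                walk(nxt, path)

    for root in roots:
        walk(root, [])
    return chains


if __name__ == "__main__":
    for chain in dependency_chains(SAMPLE_ASSETS, "net6.0", "starkbank-ecdsa"):
        print(" -> ".join(chain))
```

Point the script at the real obj/project.assets.json produced by `dotnet restore` in the pipeline and pass the package name Trivy reported; each printed chain starts with the direct reference whose upgrade removes the flagged version.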