Yet another vulnerability from Magick.NET

This is a recurring issue that results in this type of error that prevents dotnet builds when Magick.NET finds a new security vulnerability. This is the error it usually gives:

[dotnet build] D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\AutomationTool\AutomationUtils\AutomationUtils.Automation.csproj : 
	error NU1902: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.9.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-q3hc-j9x5-mp9m 
	[D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj]
	
[dotnet build] D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\AutomationTool\Gauntlet\Gauntlet.Automation.csproj : 
	error NU1902: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.9.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-q3hc-j9x5-mp9m 
	[D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj]
 
[dotnet build] D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\AutomationTool\AutomationUtils\AutomationUtils.Automation.csproj : 
	error NU1902: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.9.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-q3hc-j9x5-mp9m 
	[D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj]
	
[dotnet build] D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\AutomationTool\Gauntlet\Gauntlet.Automation.csproj : 
	error NU1902: Warning As Error: Package 'Magick.NET-Q16-HDRI-AnyCPU' 14.9.1 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-q3hc-j9x5-mp9m 
	[D:\TC\w\e48624391eef0fbf\UE5\Engine\Source\Programs\Shared\EpicGames.ScriptBuild\EpicGames.ScriptBuild.csproj]

The last time this happened it was mentioned here (with a fix): [Content removed]

I’ve also seen others ask about a permanent fix which was mentioned here a while back:

[Content removed]

That fix doesn’t seem to work anymore, as anytime they find a new vulnerability the issue happens again. This almost always results in a work stoppage for a few days with our automated testing.

So my questions are:

  1. Is the issue known yet for this occurrence?
  2. Will there ever be a permanent fix?

Thank you for your time.

Hello!

Version 5.7 has shipped with the fix. The fix is specific to the Development target as this is what our tools are using. The other targets (Release, Debug, ...) are not needed. What is the operation that generates the error?

Regards,

Martin

We’re now using this to suppress this locally, without turning audits off completely:

--- a/Engine/Source/Programs/AutomationTool/AutomationTool.csproj
+++ b/Engine/Source/Programs/AutomationTool/AutomationTool.csproj
[Content removed]9 @@
 
   <ItemGroup>
     <PackageReference Include="AWSSDK.SecurityToken" Version="3.7.300.105" />
-    <PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.9.1" />
+    <PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.9.1">
+      <NoWarn>NU1901;NU1902</NoWarn>
+    </PackageReference>
     <PackageReference Include="Microsoft.Build" Version="17.11.48" ExcludeAssets="runtime" PrivateAssets="all">
       <IncludeAssets>compile; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
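Review bot: the `<NoWarn>NU1901;NU1902</NoWarn>` metadata on the Magick.NET-Q16-HDRI-AnyCPU reference suppresses every low and moderate advisory NuGet will ever report for this package, not only GHSA-q3hc-j9x5-mp9m from the build log, so a newer moderate advisory against 14.9.1 would pass unnoticed. Record the advisory URL and the reason in an XML comment next to the `<NoWarn>` line and track removal of the suppression with the next version bump; high and critical advisories (NU1903/NU1904) still fail the build, which is the right default to keep.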
--- a/Engine/Source/Programs/AutomationTool/AutomationUtils/AutomationUtils.Automation.csproj
+++ b/Engine/Source/Programs/AutomationTool/AutomationUtils/AutomationUtils.Automation.csproj
[Content removed]9 @@
     <ProjectReference Include="..\..\UnrealBuildTool\UnrealBuildTool.csproj" PrivateAssets="All"><Private>true</Private></ProjectReference>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.9.1" PrivateAssets="all" />
+    <PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.9.1" PrivateAssets="all">
+      <NoWarn>NU1901;NU1902</NoWarn>
+    </PackageReference>
     <PackageReference Include="System.Drawing.Common" Version="8.0.10" />
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
 
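Review bot: this is the second hand-copied `<NoWarn>NU1901;NU1902</NoWarn>` block for the same package and version; with the reference edited in three csproj files, a future version bump or a decision to lift the suppression has to be repeated in three places and can silently drift. Consider moving the Magick.NET version and its suppression into one shared MSBuild file (a Directory.Build.props or a common .props imported by these projects) so they change together.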
--- a/Engine/Source/Programs/AutomationTool/Gauntlet/Gauntlet.Automation.csproj
+++ b/Engine/Source/Programs/AutomationTool/Gauntlet/Gauntlet.Automation.csproj
[Content removed]9 @@
     <ProjectReference Include="..\Android\Android.Automation.csproj" PrivateAssets="All"><Private>false</Private></ProjectReference>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.9.1" PrivateAssets="all" />
+    <PackageReference Include="Magick.NET-Q16-HDRI-AnyCPU" Version="14.9.1" PrivateAssets="all">
+      <NoWarn>NU1901;NU1902</NoWarn>
+    </PackageReference>
     <PackageReference Include="Microsoft.CSharp" Version="4.7.0" />
     <PackageReference Include="MySql.Data" Version="6.10.9" PrivateAssets="all" />
   </ItemGroup>
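Review bot: the version stays pinned at 14.9.1, the release the advisory applies to, so this hunk silences the warning without changing the exposure. That is a reasonable trade for a build-tool dependency (the existing PrivateAssets="all" keeps it from flowing to projects that reference Gauntlet.Automation), but the commit message should state that this is a suppression, not an upgrade, so it is not mistaken for a fix.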

Are you compiling the entire solution? That would be the likely source of the error. If you are, you can save time and HDD space as this is not useful. You should only need to build the editor Development target for your project. The rest of the tools and exes are built when required by the different operations. The only exceptions are Lightmass and UnrealInsights. You are likely not using LM and Insights is not needed on build machines.

We are looking at turning off the NuGet audit for all targets except Analyze. The change should land in the Release5.7 in the coming days.

Regards,

Martin

This is a new advisory for <=14.9.1.

5.7 shipped with 14.9.1, and ue5-main is still currently pinned to that version.

Upstream has not yet pushed a new release.

Thanks!

We will use this workaround for the time being. Hopefully there might be a solution in the future that will prevent the issue.

Another workaround we found was to create a Directory.Build.props file and put it in the root UE5 folder with this as the contents:

<Project>
  <PropertyGroup>
    <!-- Keep the NuGet audit codes NU1901-NU1904 as warnings even when warnings are treated as errors. -->
    <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>
  <PropertyGroup>
    <!-- Turns the NuGet vulnerability audit off entirely, so no NU190x warnings are produced at all. -->
    <NuGetAudit>false</NuGetAudit>
  </PropertyGroup>
</Project>
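As an added example (not from this thread and not Epic's code), a Directory.Build.props that keeps the audit running and only lets high and critical advisories fail the build, instead of switching the audit off; it assumes a NuGet version that supports the per-advisory NuGetAuditSuppress item (NuGet 6.11 / .NET SDK 8.0.400 or newer).

```xml
<!-- Directory.Build.props: added example, assumes NuGet 6.11+ for NuGetAuditSuppress -->
<Project>
  <PropertyGroup>
    <!-- Keep the audit on for every restore; only change what is allowed to block the build. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- Audit direct and transitive packages, not only the ones referenced directly. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Report every severity; the line below decides which ones are fatal. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <!-- Low (NU1901) and moderate (NU1902) stay warnings under Warning As Error;
         high (NU1903) and critical (NU1904) still fail the build. -->
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902</WarningsNotAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <!-- Reviewed exception for the one advisory seen in the build log (Magick.NET 14.9.1).
         It silences that advisory only; remove it when the package is bumped. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-q3hc-j9x5-mp9m" />
  </ItemGroup>
</Project>
```

MSBuild only imports the nearest Directory.Build.props above each project, so check that no other Directory.Build.props sits between the UE5 root and the csproj files, or this one will be skipped for those projects.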

Not the entire solution, no. The main problem with the error is it causes our automated builds to fail. Those just build editor, and development for all major platforms.

The code to suppress it works fine for now.

Thanks for the assistance!