Using a package with a known vulnerability is a security risk that could leave the software vulnerable to attack.

This query reads the packages imported by the project build files and .config files, and checks them against a list of packages with known vulnerabilities.

Upgrade the package to the recommended version using, for example, the NuGet package manager, or by editing the project files directly.

The following example shows a C# project file referencing package System.Net.Http version 4.3.1, which is vulnerable to CVE-2018-8292.

The project file can be fixed by changing the version of the package to 4.3.4.
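As an added illustration of what the check above does (this is not the query's own implementation or code from the original page), the following Python script reads `PackageReference` entries from a `.csproj` and `package` entries from a `packages.config`, and flags any reference whose version is below the fixed version in a small advisory list. The project-file contents and the advisory list are constructed inline for this example; the only advisory entry reflects the facts stated on the page (System.Net.Http 4.3.1, CVE-2018-8292, fixed by upgrading to 4.3.4).

```python
# Added example: a minimal vulnerable-package checker for NuGet project files.
# Not the CodeQL query itself; the inputs and the advisory list are constructed here.
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str   # NuGet package id (compared case-insensitively, as NuGet does)
    cve: str       # identifier of the known vulnerability
    fixed_in: str  # first version that is no longer affected


# Constructed advisory list; the single entry uses the values given on the page.
ADVISORIES = [Advisory("System.Net.Http", "CVE-2018-8292", "4.3.4")]

# Constructed sample project files (assumed layout, mirroring the page's example).
VULNERABLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Net.Http" Version="4.3.1" />
  </ItemGroup>
</Project>"""

FIXED_CSPROJ = VULNERABLE_CSPROJ.replace('Version="4.3.1"', 'Version="4.3.4"')

PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="System.Net.Http" version="4.3.1" targetFramework="net461" />
</packages>"""


def parse_version(v):
    """Turn '4.3.1' into a 4-part numeric tuple; a prerelease suffix after '-' is
    dropped, and missing parts are padded with 0 so '4.3' == '4.3.0'."""
    nums = [int(p) if p.isdigit() else 0 for p in v.split("-")[0].split(".")]
    return tuple((nums + [0] * 4)[:4])


def _local(tag):
    """Strip the MSBuild XML namespace used by old-style project files."""
    return tag.rsplit("}", 1)[-1]


def read_package_refs(xml_text):
    """Yield (package_id, version) pairs from a .csproj or a packages.config."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "PackageReference":
            name = elem.get("Include")
            version = elem.get("Version")
            if version is None:
                # SDK-style projects may give the version as a child element instead.
                child = next((c for c in elem if _local(c.tag) == "Version"), None)
                version = child.text.strip() if child is not None and child.text else None
            if name and version:
                yield name, version
        elif tag == "package":
            name, version = elem.get("id"), elem.get("version")
            if name and version:
                yield name, version


def find_vulnerable(xml_text, advisories):
    """Return [(package, version, cve, recommended_version)] for every reference
    whose version is lower than the advisory's fixed version."""
    hits = []
    for name, version in read_package_refs(xml_text):
        for adv in advisories:
            if adv.package.lower() == name.lower() and parse_version(version) < parse_version(adv.fixed_in):
                hits.append((name, version, adv.cve, adv.fixed_in))
    return hits


if __name__ == "__main__":
    for label, text in [("vulnerable .csproj", VULNERABLE_CSPROJ),
                        ("fixed .csproj", FIXED_CSPROJ),
                        ("packages.config", PACKAGES_CONFIG)]:
        for pkg, ver, cve, fix in find_vulnerable(text, ADVISORIES):
            print(f"{label}: {pkg} {ver} is affected by {cve}; upgrade to {fix}")
```

The checker deliberately compares plain versions only; NuGet also allows version ranges such as `[4.3.1, 5.0)` in `PackageReference`, and a real scanner (like the query this page describes, or the `dotnet list package --vulnerable` command) must resolve the version actually restored rather than the literal string in the project file.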

  • OWASP: A9-Using Components with Known Vulnerabilities.