This was first reported by the dotnet/templating repo - https://dnceng.visualstudio.com/internal/_componentGovernance/dotnet-templating/alert/4732456?typeId=6669620. Their reference to SBRP is causing this CG issue to be reported. This is a bit of a red herring as this is a reference assembly. That being said, SBRP should not be causing CG issues in consuming product repos.
I would think all product references to the vulnerable versions should be upgraded and then removed from SBRP. For System.Net.Http, SBRP contains the fixed version. Having the SBRP tooling to identify unused packages fixed would be helpful here, as there may already be no references to the vulnerable versions.
After fixing, please ensure CG is enabled in SBRP so these can be caught.