- Type: Bug
- Resolution: Fixed
- Priority: Major
- Component/s: dependency-check-jenkins-plugin
- None
- Environment: Jenkins 2.78 & OWASP Dependency-Check Plugin 2.1.1
We recently upgraded from v1.5 to v2.1.1. Our next nightly Jenkins report had 34 new vulnerabilities. On closer inspection, we saw that nearly all were false positives due to misidentification of .NET Core libraries and related files.
CVE-2006-1315
Microsoft.ApplicationServer.ServiceModel.dll:0
CVE-2009-0280
packages/Swashbuckle.AspNetCore.1.0.0/lib/net451
packages/Swashbuckle.AspNetCore.1.0.0/lib/netstandard1.6
packages/Swashbuckle.AspNetCore.Swagger.1.0.0/lib/net451
packages/Swashbuckle.AspNetCore.Swagger.1.0.0/lib/netstandard1.6
packages/Swashbuckle.AspNetCore.SwaggerGen.1.0.0/lib/net451
packages/Swashbuckle.AspNetCore.SwaggerGen.1.0.0/lib/netstandard1.6
packages/Swashbuckle.AspNetCore.SwaggerUI.1.0.0/lib/net451
packages/Swashbuckle.AspNetCore.SwaggerUI.1.0.0/lib/netstandard1.6
CVE-2014-8117 & CVE-2014-9653
packages/Microsoft.Extensions.FileProviders.Abstractions.1.1.1/lib/netstandard1.0
packages/Microsoft.Extensions.FileProviders.Embedded.1.1.1/lib/net451
packages/Microsoft.Extensions.FileProviders.Embedded.1.1.1/lib/netstandard1.0
packages/Microsoft.Extensions.FileProviders.Embedded.1.1.1/lib/netstandard1.5
packages/System.IO.Compression.ZipFile.4.3.0/lib/net46
packages/System.IO.Compression.ZipFile.4.3.0/lib/netstandard1.3
packages/System.IO.Compression.ZipFile.4.3.0/ref/netstandard1.3
CVE-2014-9152
System.Runtime.InteropServices.RuntimeInformation.dll
System.Runtime.InteropServices.dll
System.Runtime.InteropServices.dll
CVE-2014-9652
packages/Microsoft.Extensions.FileProviders.Abstractions.1.1.1/lib/netstandard1.0
packages/Microsoft.Extensions.FileProviders.Embedded.1.1.1/lib/net451
packages/Microsoft.Extensions.FileProviders.Embedded.1.1.1/lib/netstandard1.0
packages/Microsoft.Extensions.FileProviders.Embedded.1.1.1/lib/netstandard1.5
packages/System.IO.Compression.ZipFile.4.3.0/lib/net46
packages/System.IO.Compression.ZipFile.4.3.0/lib/netstandard1.3
packages/System.IO.Compression.ZipFile.4.3.0/ref/netstandard1.3