Update vulnerable package references (#1118)

* Update vulnerable package references

* Update the readme

Author: MichaelSimons

README.md

@@ -99,15 +99,19 @@ a new targeting pack is needed, please [open a new issue](#filing-issues) to dis
 ## Vulnerable Packages
 
 CVEs may exist for reference packages included in this repo. If they are mitigated by a newer version, the
-newer version should be added, the vulnerable version should be removed, and references to the vulnerable
-package within other reference packages should be upgraded. A comment should be added to indicate when
-packages were manually upgraded.
+newer version should be added, the vulnerable version should be removed (only if there are no product repo 
+references to it), and references to the vulnerable package within other reference packages should be upgraded.
+A comment should be added to indicate when packages were manually upgraded in both the csproj and nuspec files.
 
 ``` xml
-    <!-- Manually updated version from 4.3.0 to address CVE-2017-0247 -->
+    <!-- Manual upgrade from 4.3.0 to address CVE-2017-0247 -->
     <PackageReference Include="System.Net.Security" Version="4.3.1" />
 ```
 
+All packages that contain a manually upgraded reference must be added to the eng/build.props as a
+DependencyPackageProjects in order to prevent the n-1 version from getting loaded which would still
+reference the vulnerable version.
+
 ## Filing Issues
 
 This repo does not accept issues. Please file issues in

eng/Build.props

@@ -22,6 +22,22 @@
       Format:
       <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\Microsoft.Extensions.Options.5.0.0.csproj" />
     -->
+
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Text.Json.6.0.10.csproj" />
+
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\Microsoft.Extensions.DependencyModel.6.0.10.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Security.Cryptography.Cng.5.0.0.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Security.Cryptography.Pkcs.6.0.4.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Security.Cryptography.Pkcs.7.0.2.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Security.Cryptography.Pkcs.8.0.0.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Security.Cryptography.Xml.6.0.1.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\System.Security.Cryptography.Xml.7.0.1.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\Microsoft.Build.17.3.4.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\Microsoft.Build.Tasks.Core.17.4.0.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\NuGet.Protocol.6.8.1.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\NuGet.Protocol.6.11.0.csproj" />
+    <DependencyPackageProjects Include="$(RepoRoot)src\referencePackages\src\**\NuGet.Protocol.6.12.1.csproj" />
+
   </ItemGroup>
 
   <ItemGroup Condition="'$(BuildDependencyPackageProjects)' == 'true'">
@@ -40,6 +56,21 @@
     <Copy Condition="'$(LocalNuGetPackageCacheDirectory)' != ''"
           SourceFiles="@(DependencyPackageProjects->'$(ArtifactsShippingPackagesDir)%(FileName).nupkg')"
           DestinationFolder="$(LocalNuGetPackageCacheDirectory)" />
+
+    <!--
+      When building in the VMR, any dependencyPackageProjects that existing in the ReferencePackagesDir
+      must be cleaned up. This can happen when manually updating packages to address vulnerable references.
+      In this case the ReferencePackagesDir contains the unpatched versions. This will note be needed when
+      the need for DependencyPackageProjects is removed as part of https://github.com/dotnet/source-build/issues/1690.
+    -->
+    <ItemGroup>
+      <FilesToDelete Condition="'$(VmrReferencePackagesDir)' != ''"
+                     Include="@(DependencyPackageProjects->'$(VmrReferencePackagesDir)%(FileName).nupkg')"/>
+    </ItemGroup>
+    <Message Condition="'$(VmrReferencePackagesDir)' != ''"
+             Text="Deleting Files @(FilesToDelete)" />
+    <Delete Condition="'$(VmrReferencePackagesDir)' != ''"
+            Files="@(FilesToDelete)" />
   </Target>
 
   <ItemGroup Condition="'$(GeneratePackageSource)' != 'true' and '$(BuildDependencyPackageProjects)' != 'true' and '$(Test)' != 'true'">

eng/DotNetBuild.props

@@ -26,7 +26,7 @@
          and because this target executes before Execute, the build will infinitely recurse. This probably could be fixed in other ways, but
          given that SBRP is slated at some point to get proper support for project refs as a replacement for this invocation, this isn't really worth doing. -->
     <Exec
-      Command="./build.sh --configuration $(Configuration) /bl:$(ArtifactsDir)sourcebuild-dependency-projects.binlog /p:LocalNuGetPackageCacheDirectory=$(LocalNuGetPackageCacheDirectory) /p:SourceBuildOutputDir=$(SourceBuildOutputDir) /p:BuildDependencyPackageProjects=true /p:SetUpSourceBuildIntermediateNupkgCache=true /p:DotNetBuildOrchestrator=$(DotNetBuildOrchestrator) /p:DotNetBuildSourceOnly=true /p:DotNetBuildInnerRepo=true /p:MicrosoftNetCoreIlasmPackageRuntimeId=$(MicrosoftNetCoreIlasmPackageRuntimeId) $(_AdditionalDependencyProjectsBuildArgs)"
+      Command="./build.sh --configuration $(Configuration) /bl:$(ArtifactsDir)sourcebuild-dependency-projects.binlog /p:LocalNuGetPackageCacheDirectory=$(LocalNuGetPackageCacheDirectory) /p:VmrReferencePackagesDir=$(VmrReferencePackagesDir) /p:SourceBuildOutputDir=$(SourceBuildOutputDir) /p:BuildDependencyPackageProjects=true /p:SetUpSourceBuildIntermediateNupkgCache=true /p:DotNetBuildOrchestrator=$(DotNetBuildOrchestrator) /p:DotNetBuildSourceOnly=true /p:DotNetBuildInnerRepo=true /p:MicrosoftNetCoreIlasmPackageRuntimeId=$(MicrosoftNetCoreIlasmPackageRuntimeId) $(_AdditionalDependencyProjectsBuildArgs)"
       WorkingDirectory="$(InnerSourceBuildRepoRoot)"
       EnvironmentVariables="@(InnerBuildEnv)" />
   </Target>

src/referencePackages/src/microsoft.build.tasks.core/17.4.0/Microsoft.Build.Tasks.Core.17.4.0.csproj

@@ -13,8 +13,9 @@
     <PackageReference Include="System.Collections.Immutable" Version="6.0.0" />
     <PackageReference Include="System.Reflection.Metadata" Version="6.0.0" />
     <PackageReference Include="System.Resources.Extensions" Version="6.0.0" />
-    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.1" />
-    <!-- Manually updated version from 6.0.0 to address CVE-2021-43877 -->
+    <!-- Manual upgrade from 6.0.1 to address CVE-2023-29331 -->
+    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.4" />
+    <!-- Manual upgrade from 6.0.0 to address CVE-2021-43877 -->
     <PackageReference Include="System.Security.Cryptography.Xml" Version="6.0.1" />
     <PackageReference Include="System.Security.Permissions" Version="6.0.0" />
     <PackageReference Include="System.Threading.Tasks.Dataflow" Version="6.0.0" />
@@ -29,8 +30,9 @@
     <PackageReference Include="System.Collections.Immutable" Version="6.0.0" />
     <PackageReference Include="System.Reflection.Metadata" Version="6.0.0" />
     <PackageReference Include="System.Resources.Extensions" Version="6.0.0" />
-    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.1" />
-    <!-- Manually updated version from 6.0.0 to address CVE-2021-43877 -->
+    <!-- Manual upgrade from 6.0.1 to address CVE-2023-29331 -->
+    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.4" />
+    <!-- Manual upgrade from 6.0.0 to address CVE-2021-43877 -->
     <PackageReference Include="System.Security.Cryptography.Xml" Version="6.0.1" />
     <PackageReference Include="System.Security.Permissions" Version="6.0.0" />
     <PackageReference Include="System.Threading.Tasks.Dataflow" Version="6.0.0" />

src/referencePackages/src/microsoft.build.tasks.core/17.4.0/microsoft.build.tasks.core.nuspec

@@ -23,7 +23,8 @@
         <dependency id="System.Collections.Immutable" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Reflection.Metadata" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Resources.Extensions" version="6.0.0" exclude="Build,Analyzers" />
-        <dependency id="System.Security.Cryptography.Pkcs" version="6.0.1" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 6.0.1 to address CVE-2023-29331 -->
+        <dependency id="System.Security.Cryptography.Pkcs" version="6.0.4" exclude="Build,Analyzers" />
         <dependency id="System.Security.Cryptography.Xml" version="6.0.1" exclude="Build,Analyzers" />
         <dependency id="System.Security.Permissions" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Threading.Tasks.Dataflow" version="6.0.0" exclude="Build,Analyzers" />
@@ -37,7 +38,8 @@
         <dependency id="System.Collections.Immutable" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Reflection.Metadata" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Resources.Extensions" version="6.0.0" exclude="Build,Analyzers" />
-        <dependency id="System.Security.Cryptography.Pkcs" version="6.0.1" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 6.0.1 to address CVE-2023-29331 -->
+        <dependency id="System.Security.Cryptography.Pkcs" version="6.0.4" exclude="Build,Analyzers" />
         <dependency id="System.Security.Cryptography.Xml" version="6.0.1" exclude="Build,Analyzers" />
         <dependency id="System.Security.Permissions" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Threading.Tasks.Dataflow" version="6.0.0" exclude="Build,Analyzers" />

src/referencePackages/src/microsoft.build/17.3.4/Microsoft.Build.17.3.4.csproj

@@ -14,7 +14,8 @@
     <PackageReference Include="System.Reflection.MetadataLoadContext" Version="6.0.0" />
     <PackageReference Include="System.Security.Principal.Windows" Version="5.0.0" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="6.0.0" />
-    <PackageReference Include="System.Text.Json" Version="6.0.0" />
+    <!-- Manual upgrade from 6.0.0 to address CVE-2024-43485 -->
+    <PackageReference Include="System.Text.Json" Version="6.0.10" />
     <PackageReference Include="System.Threading.Tasks.Dataflow" Version="6.0.0" />
   </ItemGroup>
 

src/referencePackages/src/microsoft.build/17.3.4/microsoft.build.nuspec

@@ -24,7 +24,8 @@
         <dependency id="System.Reflection.MetadataLoadContext" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Security.Principal.Windows" version="5.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Text.Encoding.CodePages" version="6.0.0" exclude="Build,Analyzers" />
-        <dependency id="System.Text.Json" version="6.0.0" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 6.0.0 to address CVE-2024-43485 -->
+        <dependency id="System.Text.Json" version="6.0.10" exclude="Build,Analyzers" />
         <dependency id="System.Threading.Tasks.Dataflow" version="6.0.0" exclude="Build,Analyzers" />
       </group>
     </dependencies>

src/referencePackages/src/microsoft.extensions.dependencymodel/6.0.0/Microsoft.Extensions.DependencyModel.6.0.0.csproj

@@ -9,7 +9,8 @@
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0" />
     <PackageReference Include="System.Text.Encodings.Web" Version="6.0.0" />
-    <PackageReference Include="System.Text.Json" Version="6.0.0" />
+    <!-- Manual upgrade from 6.0.0 to address CVE-2024-43485 -->
+    <PackageReference Include="System.Text.Json" Version="6.0.10" />
     <PackageReference Include="System.Buffers" Version="4.5.1" />
     <PackageReference Include="System.Memory" Version="4.5.4" />
   </ItemGroup>

src/referencePackages/src/microsoft.extensions.dependencymodel/6.0.0/microsoft.extensions.dependencymodel.nuspec

@@ -19,7 +19,8 @@ Microsoft.Extensions.DependencyModel.DependencyContext</description>
       <group targetFramework=".NETStandard2.0">
         <dependency id="System.Runtime.CompilerServices.Unsafe" version="6.0.0" exclude="Build,Analyzers" />
         <dependency id="System.Text.Encodings.Web" version="6.0.0" exclude="Build,Analyzers" />
-        <dependency id="System.Text.Json" version="6.0.0" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 6.0.0 to address CVE-2024-43485 -->
+        <dependency id="System.Text.Json" version="6.0.10" exclude="Build,Analyzers" />
         <dependency id="System.Buffers" version="4.5.1" exclude="Build,Analyzers" />
         <dependency id="System.Memory" version="4.5.4" exclude="Build,Analyzers" />
       </group>

src/referencePackages/src/nuget.protocol/6.11.0/NuGet.Protocol.6.11.0.csproj

@@ -12,7 +12,8 @@
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <PackageReference Include="NuGet.Packaging" Version="6.11.0" />
-    <PackageReference Include="System.Text.Json" Version="7.0.3" />
+    <!-- Manual upgrade from 7.0.3 to address CVE-2024-30105 -->
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
 
 </Project>

src/referencePackages/src/nuget.protocol/6.11.0/nuget.protocol.nuspec

@@ -19,7 +19,8 @@
       </group>
       <group targetFramework=".NETStandard2.0">
         <dependency id="NuGet.Packaging" version="6.11.0" exclude="Build,Analyzers" />
-        <dependency id="System.Text.Json" version="7.0.3" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 7.0.3 to address CVE-2024-30105 -->
+        <dependency id="System.Text.Json" version="8.0.5" exclude="Build,Analyzers" />
       </group>
     </dependencies>
   </metadata>

src/referencePackages/src/nuget.protocol/6.12.1/NuGet.Protocol.6.12.1.csproj

@@ -12,7 +12,8 @@
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <PackageReference Include="NuGet.Packaging" Version="6.12.1" />
-    <PackageReference Include="System.Text.Json" Version="8.0.4" />
+    <!-- Manual upgrade from 8.0.4 to address CVE-2024-43485 -->
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
 
 </Project>

src/referencePackages/src/nuget.protocol/6.12.1/nuget.protocol.nuspec

@@ -19,7 +19,8 @@
       </group>
       <group targetFramework=".NETStandard2.0">
         <dependency id="NuGet.Packaging" version="6.12.1" exclude="Build,Analyzers" />
-        <dependency id="System.Text.Json" version="8.0.4" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 8.0.4 to address CVE-2024-43485 -->
+        <dependency id="System.Text.Json" version="8.0.5" exclude="Build,Analyzers" />
       </group>
     </dependencies>
   </metadata>

src/referencePackages/src/nuget.protocol/6.8.1/NuGet.Protocol.6.8.1.csproj

@@ -12,7 +12,8 @@
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <PackageReference Include="NuGet.Packaging" Version="6.8.1" />
-    <PackageReference Include="System.Text.Json" Version="7.0.3" />
+    <!-- Manual upgrade from 7.0.3 to address CVE-2024-30105 -->
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
 
 </Project>

src/referencePackages/src/nuget.protocol/6.8.1/nuget.protocol.nuspec

@@ -19,7 +19,8 @@
       </group>
       <group targetFramework=".NETStandard2.0">
         <dependency id="NuGet.Packaging" version="6.8.1" exclude="Build,Analyzers" />
-        <dependency id="System.Text.Json" version="7.0.3" exclude="Build,Analyzers" />
+        <!-- Manual upgrade from 7.0.3 to address CVE-2024-30105 -->
+        <dependency id="System.Text.Json" version="8.0.5" exclude="Build,Analyzers" />
       </group>
     </dependencies>
   </metadata>

src/referencePackages/src/system.security.cryptography.cng/5.0.0/System.Security.Cryptography.Cng.5.0.0.csproj

@@ -6,7 +6,8 @@
   </PropertyGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp3.0'">
-    <PackageReference Include="System.Formats.Asn1" Version="5.0.0" />
+    <!-- Manual upgrade from 5.0.0 to address CVE-2024-38095 -->
+    <PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.3'">

src/referencePackages/src/system.security.cryptography.cng/5.0.0/system.security.cryptography.cng.nuspec

@@ -25,7 +25,8 @@ When using NuGet 3.x this package requires at least version 3.4.</description>
     <repository type="git" url="git://github.com/dotnet/runtime" commit="cf258a14b70ad9069470a108f13765e0e5988f51" />
     <dependencies>
       <group targetFramework=".NETCoreApp3.0">
-        <dependency id="System.Formats.Asn1" version="5.0.0" exclude="Compile" />
+        <!-- Manual upgrade from 5.0.0 to address CVE-2024-38095 -->
+        <dependency id="System.Formats.Asn1" version="6.0.1" exclude="Compile" />
       </group>
       <group targetFramework=".NETStandard1.3">
         <dependency id="System.IO" version="4.3.0" />