Update host dependencies past transitive security vulnerabilities

- Update Serilog to 8.0.2. This is needed for a transitive update for System.Text.Json. - Pin versions of Azure.Identity (1.11.4), System.Formats.Asn1 (8.0.1), and Microsoft.Data.SqlClient (5.1.6). These are depended on by EF and Sql client packages, and there's no update to those packages available that wouldn't give us a vulnerable version. Hopefully someday those packages will update such that this is no longer needed.
DuendeSoftware · Sep 18, 2024 · 043bd4c · 043bd4c
1 parent d56da6c
commit 043bd4c
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 1 deletion.
diff --git a/Directory.Build.targets b/Directory.Build.targets
@@ -42,7 +42,7 @@
         <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="$(WilsonVersion)"/>
         <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)"/>
         <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="$(WilsonVersion)"/>
-        <PackageReference Update="Serilog.AspNetCore" Version="8.0.0"/>
+        <PackageReference Update="Serilog.AspNetCore" Version="8.0.2"/>
 
         <!--microsoft asp.net core -->
         <PackageReference Update="Microsoft.AspNetCore.DataProtection.Abstractions" Version="$(FrameworkVersion)"/>
@@ -70,6 +70,17 @@
         <PackageReference Update="OpenTelemetry.Instrumentation.Http" Version="1.8.1" />
         <PackageReference Update="OpenTelemetry.Instrumentation.SqlClient" Version="1.8.0-beta.1" />
 
+        <!-- Transitive Dependencies -->
+        <!-- These packages are all transitive dependencies that would
+             otherwise resolve to a version with a security vulnerabilitiy. In future, we
+             would like to update Microsoft.Data.SqlClient and 
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies (assuming
+             that future versions of the intermediate dependencies that don't have this
+             problem exist someday). -->
+        <PackageReference Update="Azure.Identity" Version="1.11.4" />
+        <PackageReference Update="System.Formats.Asn1" Version="8.0.1" />
+        <PackageReference Update="Microsoft.Data.SqlClient" Version="5.1.6" />
+
     </ItemGroup>
 
     <Target Name="SetAssemblyVersion" AfterTargets="MinVer">

diff --git a/hosts/AspNetIdentity/Host.AspNetIdentity.csproj b/hosts/AspNetIdentity/Host.AspNetIdentity.csproj
@@ -23,6 +23,18 @@
         <PackageReference Include="OpenTelemetry.Instrumentation.SqlClient" />
     </ItemGroup>
 
+    <ItemGroup>
+        <!-- The packages in this ItemGroup are all transitive dependencies that
+             would otherwise resolve to a version with a security vulnerabilitiy. 
+             In future, we would like to update Microsoft.Data.SqlClient and
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
+             (assuming that future versions of the intermediate dependencies that
+             don't have this problem exist someday). -->
+        <PackageReference Include="Azure.Identity" />
+        <PackageReference Include="System.Formats.Asn1" />
+        <PackageReference Include="Microsoft.Data.SqlClient" />
+    </ItemGroup>
+
     <ItemGroup>
         <ProjectReference
             Include="..\..\src\AspNetIdentity\Duende.IdentityServer.AspNetIdentity.csproj" />

diff --git a/hosts/Configuration/Host.Configuration.csproj b/hosts/Configuration/Host.Configuration.csproj
@@ -36,6 +36,18 @@
 
     </ItemGroup>
 
+    <ItemGroup>
+        <!-- The packages in this ItemGroup are all transitive dependencies that
+             would otherwise resolve to a version with a security vulnerabilitiy. 
+             In future, we would like to update Microsoft.Data.SqlClient and
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
+             (assuming that future versions of the intermediate dependencies that
+             don't have this problem exist someday). -->
+        <PackageReference Include="Azure.Identity" />
+        <PackageReference Include="System.Formats.Asn1" />
+        <PackageReference Include="Microsoft.Data.SqlClient" />
+    </ItemGroup>
+
     <ItemGroup>
         <ProjectReference Include="..\..\src\IdentityServer\Duende.IdentityServer.csproj" />
         <ProjectReference Include="..\..\src\Configuration\Duende.IdentityServer.Configuration.csproj" />

diff --git a/hosts/EntityFramework/Host.EntityFramework.csproj b/hosts/EntityFramework/Host.EntityFramework.csproj
@@ -22,6 +22,18 @@
         <PackageReference Include="OpenTelemetry.Instrumentation.SqlClient" />
     </ItemGroup>
 
+    <ItemGroup>
+        <!-- The packages in this ItemGroup are all transitive dependencies that
+             would otherwise resolve to a version with a security vulnerabilitiy. 
+             In future, we would like to update Microsoft.Data.SqlClient and
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
+             (assuming that future versions of the intermediate dependencies that
+             don't have this problem exist someday). -->
+        <PackageReference Include="Azure.Identity" />
+        <PackageReference Include="System.Formats.Asn1" />
+        <PackageReference Include="Microsoft.Data.SqlClient" />
+    </ItemGroup>
+
     <ItemGroup>
         <ProjectReference Include="..\..\src\Configuration\Duende.IdentityServer.Configuration.csproj" />
         <ProjectReference Include="..\..\src\Configuration.EntityFramework\Duende.IdentityServer.Configuration.EntityFramework.csproj" />