From 043bd4cde9ed62b36dca590939b7cb9eba115ede Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Wed, 18 Sep 2024 14:53:45 -0500
Subject: [PATCH] Update host dependencies past transitive security
 vulnerabilities

- Update Serilog to 8.0.2. This is needed for a transitive update for System.Text.Json.
- Pin versions of Azure.Identity (1.11.4), System.Formats.Asn1 (8.0.1), and Microsoft.Data.SqlClient (5.1.6). These are depended on by EF and Sql client packages, and there's no update to those packages available that wouldn't give us a vulnerable version. Hopefully someday those packages will update such that this is no longer needed.
---
 Directory.Build.targets                           | 13 ++++++++++++-
 hosts/AspNetIdentity/Host.AspNetIdentity.csproj   | 12 ++++++++++++
 hosts/Configuration/Host.Configuration.csproj     | 12 ++++++++++++
 hosts/EntityFramework/Host.EntityFramework.csproj | 12 ++++++++++++
 4 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/Directory.Build.targets b/Directory.Build.targets
index 1bb75290d..f6066beff 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -42,7 +42,7 @@
         <PackageReference Update="Microsoft.IdentityModel.JsonWebTokens" Version="$(WilsonVersion)"/>
         <PackageReference Update="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)"/>
         <PackageReference Update="System.IdentityModel.Tokens.Jwt" Version="$(WilsonVersion)"/>
-        <PackageReference Update="Serilog.AspNetCore" Version="8.0.0"/>
+        <PackageReference Update="Serilog.AspNetCore" Version="8.0.2"/>
 
         <!--microsoft asp.net core -->
         <PackageReference Update="Microsoft.AspNetCore.DataProtection.Abstractions" Version="$(FrameworkVersion)"/>
@@ -70,6 +70,17 @@
         <PackageReference Update="OpenTelemetry.Instrumentation.Http" Version="1.8.1" />
         <PackageReference Update="OpenTelemetry.Instrumentation.SqlClient" Version="1.8.0-beta.1" />
 
+        <!-- Transitive Dependencies -->
+        <!-- These packages are all transitive dependencies that would
+             otherwise resolve to a version with a security vulnerabilitiy. In future, we
+             would like to update Microsoft.Data.SqlClient and 
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies (assuming
+             that future versions of the intermediate dependencies that don't have this
+             problem exist someday). -->
+        <PackageReference Update="Azure.Identity" Version="1.11.4" />
+        <PackageReference Update="System.Formats.Asn1" Version="8.0.1" />
+        <PackageReference Update="Microsoft.Data.SqlClient" Version="5.1.6" />
+
     </ItemGroup>
 
     <Target Name="SetAssemblyVersion" AfterTargets="MinVer">
diff --git a/hosts/AspNetIdentity/Host.AspNetIdentity.csproj b/hosts/AspNetIdentity/Host.AspNetIdentity.csproj
index f414a5989..ad0e01b40 100644
--- a/hosts/AspNetIdentity/Host.AspNetIdentity.csproj
+++ b/hosts/AspNetIdentity/Host.AspNetIdentity.csproj
@@ -23,6 +23,18 @@
         <PackageReference Include="OpenTelemetry.Instrumentation.SqlClient" />
     </ItemGroup>
 
+    <ItemGroup>
+        <!-- The packages in this ItemGroup are all transitive dependencies that
+             would otherwise resolve to a version with a security vulnerabilitiy. 
+             In future, we would like to update Microsoft.Data.SqlClient and
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
+             (assuming that future versions of the intermediate dependencies that
+             don't have this problem exist someday). -->
+        <PackageReference Include="Azure.Identity" />
+        <PackageReference Include="System.Formats.Asn1" />
+        <PackageReference Include="Microsoft.Data.SqlClient" />
+    </ItemGroup>
+
     <ItemGroup>
         <ProjectReference
             Include="..\..\src\AspNetIdentity\Duende.IdentityServer.AspNetIdentity.csproj" />
diff --git a/hosts/Configuration/Host.Configuration.csproj b/hosts/Configuration/Host.Configuration.csproj
index 8e0d65ac8..501e32ac1 100644
--- a/hosts/Configuration/Host.Configuration.csproj
+++ b/hosts/Configuration/Host.Configuration.csproj
@@ -36,6 +36,18 @@
         
     </ItemGroup>
 
+    <ItemGroup>
+        <!-- The packages in this ItemGroup are all transitive dependencies that
+             would otherwise resolve to a version with a security vulnerabilitiy. 
+             In future, we would like to update Microsoft.Data.SqlClient and
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
+             (assuming that future versions of the intermediate dependencies that
+             don't have this problem exist someday). -->
+        <PackageReference Include="Azure.Identity" />
+        <PackageReference Include="System.Formats.Asn1" />
+        <PackageReference Include="Microsoft.Data.SqlClient" />
+    </ItemGroup>
+
     <ItemGroup>
         <ProjectReference Include="..\..\src\IdentityServer\Duende.IdentityServer.csproj" />
         <ProjectReference Include="..\..\src\Configuration\Duende.IdentityServer.Configuration.csproj" />
diff --git a/hosts/EntityFramework/Host.EntityFramework.csproj b/hosts/EntityFramework/Host.EntityFramework.csproj
index 1748e7cb8..aff303b6e 100644
--- a/hosts/EntityFramework/Host.EntityFramework.csproj
+++ b/hosts/EntityFramework/Host.EntityFramework.csproj
@@ -22,6 +22,18 @@
         <PackageReference Include="OpenTelemetry.Instrumentation.SqlClient" />
     </ItemGroup>
 
+    <ItemGroup>
+        <!-- The packages in this ItemGroup are all transitive dependencies that
+             would otherwise resolve to a version with a security vulnerabilitiy. 
+             In future, we would like to update Microsoft.Data.SqlClient and
+             Microsoft.EntityFrameworkCore, and remove these explicit dependencies
+             (assuming that future versions of the intermediate dependencies that
+             don't have this problem exist someday). -->
+        <PackageReference Include="Azure.Identity" />
+        <PackageReference Include="System.Formats.Asn1" />
+        <PackageReference Include="Microsoft.Data.SqlClient" />
+    </ItemGroup>
+
     <ItemGroup>
         <ProjectReference Include="..\..\src\Configuration\Duende.IdentityServer.Configuration.csproj" />
         <ProjectReference Include="..\..\src\Configuration.EntityFramework\Duende.IdentityServer.Configuration.EntityFramework.csproj" />