Update vulnerable package references #1118
Merged
mthalman approved these changes on Jan 15, 2025
ellahathaway approved these changes on Jan 15, 2025
Author (Member): /backport to release/9.0
Contributor: @MichaelSimons backporting to "release/9.0" failed, the patch most likely resulted in conflicts:
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch
Applying: Update vulnerable package references
Using index info to reconstruct a base tree...
M eng/DotNetBuild.props
A src/referencePackages/src/nuget.protocol/6.12.1/NuGet.Protocol.6.12.1.csproj
A src/referencePackages/src/nuget.protocol/6.12.1/nuget.protocol.nuspec
M tests/SbrpTests/GenerateScriptTests.cs
Falling back to patching base and 3-way merge...
Auto-merging tests/SbrpTests/GenerateScriptTests.cs
Removing src/referencePackages/src/system.text.json/8.0.4/system.text.json.nuspec
Removing src/referencePackages/src/system.text.json/8.0.4/lib/netstandard2.0/System.Text.Json.cs
Removing src/referencePackages/src/system.text.json/8.0.4/lib/net8.0/System.Text.Json.cs
Removing src/referencePackages/src/system.text.json/8.0.4/lib/net7.0/System.Text.Json.cs
Removing src/referencePackages/src/system.text.json/8.0.4/lib/net6.0/System.Text.Json.cs
Removing src/referencePackages/src/system.text.json/8.0.4/System.Text.Json.8.0.4.csproj
Removing src/referencePackages/src/system.security.cryptography.pkcs/7.0.0/system.security.cryptography.pkcs.nuspec
Removing src/referencePackages/src/system.security.cryptography.pkcs/7.0.0/lib/netstandard2.1/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/7.0.0/lib/netstandard2.0/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/7.0.0/lib/net7.0/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/7.0.0/lib/net6.0/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/7.0.0/System.Security.Cryptography.Pkcs.7.0.0.csproj
Removing src/referencePackages/src/system.security.cryptography.pkcs/6.0.1/system.security.cryptography.pkcs.nuspec
Removing src/referencePackages/src/system.security.cryptography.pkcs/6.0.1/lib/netstandard2.1/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/6.0.1/lib/netstandard2.0/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/6.0.1/lib/net6.0/System.Security.Cryptography.Pkcs.cs
Removing src/referencePackages/src/system.security.cryptography.pkcs/6.0.1/System.Security.Cryptography.Pkcs.6.0.1.csproj
Auto-merging src/referencePackages/src/nuget.credentials/6.11.0/nuget.credentials.nuspec
CONFLICT (content): Merge conflict in src/referencePackages/src/nuget.credentials/6.11.0/nuget.credentials.nuspec
Auto-merging src/referencePackages/src/nuget.credentials/6.11.0/NuGet.Credentials.6.11.0.csproj
CONFLICT (content): Merge conflict in src/referencePackages/src/nuget.credentials/6.11.0/NuGet.Credentials.6.11.0.csproj
Auto-merging eng/DotNetBuild.props
CONFLICT (content): Merge conflict in eng/DotNetBuild.props
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Update vulnerable package references
Error: The process '/usr/bin/git' failed with exit code 128
Please backport manually!
MichaelSimons added a commit to MichaelSimons/source-build-reference-packages that referenced this pull request on Jan 17, 2025:
* Update vulnerable package references * Update the readme
Updated all SBRP references to the following vulnerable packages. I included comments to call out the manual updates and cited the related CVE. I deleted the packages that were no longer referenced by product repos as noted.
System.Formats.Asn1.8.0.0: still referenced by ? (I am still trying to track this down)
System.Formats.Asn1.7.0.0: still referenced by sourcelink
System.Formats.Asn1.5.0.0: still referenced by aspnetcore
System.Security.Cryptography.Pkcs.7.0.0: deleted
System.Security.Cryptography.Pkcs.6.0.1: deleted
System.Text.Json.8.0.4: deleted
System.Text.Json.7.0.3: still referenced by sourcelink
System.Text.Json.6.0.0: deleted - required adding System.Text.Json 6.0.10
I also had to update the tests to no longer test the generation of System.Security.Cryptography.Pkcs 7.0.2 since it now has manually updated code. I replaced it with another package that had no customizations.
I verified these changes in the context of a full source-build.
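An added check, not part of this PR or of the repository's own tooling: a small Python audit that flags csproj/nuspec references to the package versions listed in the description above. The deny-list is built from that list, and the sample files and the package "Foo" are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Deny-list built from the PR description (constructed here; it is not a file in the repository).
VULNERABLE = {
    "system.formats.asn1": {"8.0.0", "7.0.0", "5.0.0"},
    "system.security.cryptography.pkcs": {"7.0.0", "6.0.1"},
    "system.text.json": {"8.0.4", "7.0.3", "6.0.0"},
}

def _local(tag):
    """Strip an XML namespace ({uri}name -> name); nuspec files use a default namespace."""
    return tag.rsplit("}", 1)[-1]

def find_vulnerable_references(path, xml_text, vulnerable=VULNERABLE):
    """Return (path, package_id, version) for each PackageReference/dependency on the deny-list."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "PackageReference":  # csproj: Version may be an attribute or a child element
            pkg = el.get("Include")
            ver = el.get("Version") or next((c.text for c in el if _local(c.tag) == "Version"), None)
        elif name == "dependency":      # nuspec: <dependency id="X" version="Y" />
            pkg, ver = el.get("id"), el.get("version")
        else:
            continue
        if pkg and ver and ver.strip() in vulnerable.get(pkg.lower(), ()):  # NuGet ids are case-insensitive
            hits.append((path, pkg, ver.strip()))
    return hits

# Constructed sample inputs (hypothetical package "Foo"); paths mimic the SBRP layout.
SAMPLE_FILES = {
    "src/referencePackages/src/foo/1.0.0/Foo.1.0.0.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
    <PackageReference Include="System.Text.Json" Version="6.0.10" />
  </ItemGroup>
</Project>""",
    "src/referencePackages/src/foo/1.0.0/foo.nuspec": """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>Foo</id><version>1.0.0</version><dependencies>
    <dependency id="System.Security.Cryptography.Pkcs" version="7.0.0" />
    <dependency id="System.Formats.Asn1" version="8.0.1" />
  </dependencies></metadata>
</package>""",
}

def scan(files=SAMPLE_FILES):
    """Scan every file; returns the flagged (path, package, version) triples."""
    return [h for path, text in files.items() for h in find_vulnerable_references(path, text)]
```

Run `scan()` over the real tree by loading each csproj/nuspec into the `files` mapping; only exact-version matches are reported, so a replacement such as System.Text.Json 6.0.10 passes.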