
Conversation

@jonpryor
Contributor

Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/3150206?typeId=5477311
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/6875331?typeId=5477311
Context: dotnet/java-interop@5318261

Component Governance is a Microsoft internal tool which checks for known security issues in product dependencies. It is currently reporting defects in xamarin-android-tools due to use of older System.Net.Http packages (CVE-2018-8292) and older System.Security.Cryptography.X509Certificates packages (CVE-2017-11770):

Location

  • /s/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
  • /s/packages/system.net.http/4.1.0/system.net.http.nuspec
  • /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.4.1.0.nupkg
  • /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.nuspec

The "odd" thing is that xamarin-android-tools doesn't use either of these dependencies! They appear to be pulled in via package dependencies.

Rework how we use @(PackageReference) so that Directory.Build.targets uses the Update attribute to centralize package version specification, except within MSBuildReferences.projitems as it's <Import/>ed by xamarin-android.

Update most NuGet package versions to the latest versions provided by dotnet-public or dotnet-eng (which may not be the latest versions on NuGet.org).

While stable versions are generally preferred, we use Microsoft.NET.Test.Sdk version 17.5.0-preview-20221003-04 to ensure that we avoid Newtonsoft.Json 9.0.1 issues à la dotnet/java-interop@53182615.

jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Oct 28, 2022
@jonpryor
Contributor Author

DO NOT MERGE until dotnet/android#7501 is green

jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Oct 28, 2022
jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Nov 7, 2022
jonpryor added a commit to jonpryor/xamarin-android that referenced this pull request Nov 9, 2022
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/3150206?typeId=5477311
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/6875331?typeId=5477311
Context: dotnet/java-interop@5318261

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting defects in xamarin-android-tools due to use of older
`System.Net.Http` packages ([CVE-2018-8292][0]) and older
`System.Security.Cryptography.X509Certificates`
packages ([CVE-2017-11770][1]):

> **Location**
>
> * /s/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
> * /s/packages/system.net.http/4.1.0/system.net.http.nuspec
> * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.4.1.0.nupkg
> * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.nuspec

The "odd" thing is that xamarin-android-tools doesn't *use* either
of these dependencies!  They appear to be pulled in via package
dependencies.

Rework how we use `@(PackageReference)` so that
`Directory.Build.targets` uses [the `Update` attribute][2] to
centralize package version specification, except within
`MSBuildReferences.projitems` as it's `<Import/>`ed by xamarin-android.

Update most NuGet package versions to the latest versions provided by
`dotnet-public` or `dotnet-eng` (which may not be the latest versions
on NuGet.org).

While stable versions are generally preferred, we use
Microsoft.NET.Test.Sdk version 17.5.0-preview-20221003-04 to ensure
that we avoid Newtonsoft.Json 9.0.1 issues à la
dotnet/java-interop@53182615.

[0]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
[1]: https://nvd.nist.gov/vuln/detail/CVE-2017-11770
[2]: https://learn.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2022#attributes-and-elements
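The `Update` pattern described in the PR description and in the commit message above, shown as an added illustration. These are not the repository's actual files: the project name, the `MSBuildReferences.projitems` contents and every package version except the Microsoft.NET.Test.Sdk one quoted above are assumptions made for the example. Three files are listed back to back.

```xml
<!-- Directory.Build.targets (illustrative, not the repository's own file).
     MSBuild imports this file from Microsoft.Common.targets, i.e. AFTER the
     project body has been evaluated, so the Update items below already see
     every PackageReference a project declared with Include=. -->
<Project>
  <ItemGroup>
    <!-- Update matches existing items by their Include identity and sets or
         overrides metadata (here: Version). It never ADDS a package: a project
         that does not Include="NUnit" is simply unaffected by that line.
         Package versions other than Microsoft.NET.Test.Sdk are assumptions. -->
    <PackageReference Update="Mono.Options"           Version="6.12.0.148" />
    <PackageReference Update="NUnit"                  Version="3.13.3" />
    <PackageReference Update="Microsoft.NET.Test.Sdk" Version="17.5.0-preview-20221003-04" />

    <!-- Caveat: Update cannot fix a package that is only reached transitively
         (the System.Net.Http 4.1.0 case in the alert) because nothing
         Includes it, so there is nothing to Update. Either bump the package
         that depends on it, or Include a fixed version directly; NuGet's
         "direct dependency wins" rule then overrides the lower transitive
         version. The line below is an example of that second option, with an
         assumed version, not something this PR did. -->
    <!-- <PackageReference Include="System.Net.Http" Version="4.3.4" /> -->
  </ItemGroup>
</Project>

<!-- SomeTool.csproj (hypothetical project in the same tree): no Version
     metadata here; the central Directory.Build.targets supplies it. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Mono.Options" />
    <PackageReference Include="NUnit" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" />
  </ItemGroup>
</Project>

<!-- MSBuildReferences.projitems (illustrative contents): this file is
     <Import/>ed by xamarin-android's projects. Directory.Build.targets is
     located by walking up from the importing PROJECT's directory, so in that
     repository a different Directory.Build.targets applies and the Update
     items above never run. The Version must therefore stay inline here. -->
<Project>
  <ItemGroup>
    <PackageReference Include="Microsoft.Build.Framework" Version="17.3.2" />
  </ItemGroup>
</Project>
```

To confirm which package drags in a flagged transitive dependency after the bump, `dotnet list package --include-transitive` (and, with a reachable feed, `dotnet list package --vulnerable --include-transitive`) prints the resolved graph per target framework, so the 4.1.0 entries should disappear from the transitive section once the offending direct reference has been updated or overridden.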
@jonpryor jonpryor force-pushed the jonp-bump-nuget-versions-2022-10-27 branch from 298c5c5 to 12d754d November 16, 2022 20:59
@jonpryor jonpryor merged commit fa3711b into dotnet:main Nov 17, 2022
jonpryor added a commit to jonpryor/java.interop that referenced this pull request Jan 12, 2023
Changes: dotnet/android-tools@29f11f2...47f95ab

  * dotnet/android-tools@47f95ab: Fix CS0121 ambiguity errors. (dotnet/android-tools#200)
  * dotnet/android-tools@76c076f: Add support for Project Specific RegisterTaskObject. (dotnet/android-tools#199)
  * dotnet/android-tools@9f02d77: Add reference to System.Security.Cryptography.Xml (dotnet/android-tools#198)
  * dotnet/android-tools@fa3711b: [build] Update NuGet package versions (dotnet/android-tools#196)
  * dotnet/android-tools@59cac90: Enable CodeQL (dotnet/android-tools#197)
  * dotnet/android-tools@9f56dec: Move from `netcoreapp3.1` to `net6.0` (dotnet/android-tools#195)
  * dotnet/android-tools@0be567a: Use Environment.SpecialFolder.UserProfile, not SpecialFolder.Personal (dotnet/android-tools#194)
jonpryor added a commit to jonpryor/java.interop that referenced this pull request Jan 18, 2023
Changes: dotnet/android-tools@29f11f2...099fd95

  * dotnet/android-tools@099fd95: Add *Task.ProjectSpecificTaskObjectKey() for RegisterTaskObject() use (dotnet/android-tools#202)
  * dotnet/android-tools@ac9ea09: Revert IBuildEngine.ProjectFileOfTaskNode use. (dotnet/android-tools#201)
  * dotnet/android-tools@47f95ab: Fix CS0121 ambiguity errors. (dotnet/android-tools#200)
  * dotnet/android-tools@76c076f: Add support for Project Specific RegisterTaskObject. (dotnet/android-tools#199)
  * dotnet/android-tools@9f02d77: Add reference to System.Security.Cryptography.Xml (dotnet/android-tools#198)
  * dotnet/android-tools@fa3711b: [build] Update NuGet package versions (dotnet/android-tools#196)
  * dotnet/android-tools@59cac90: Enable CodeQL (dotnet/android-tools#197)
  * dotnet/android-tools@9f56dec: Move from `netcoreapp3.1` to `net6.0` (dotnet/android-tools#195)
  * dotnet/android-tools@0be567a: Use Environment.SpecialFolder.UserProfile, not SpecialFolder.Personal (dotnet/android-tools#194)
jonpryor added a commit to dotnet/java-interop that referenced this pull request Jan 25, 2023
Changes: dotnet/android-tools@29f11f2...099fd95

  * dotnet/android-tools@099fd95: Add *Task.ProjectSpecificTaskObjectKey() for RegisterTaskObject() use (dotnet/android-tools#202)
  * dotnet/android-tools@ac9ea09: Revert IBuildEngine.ProjectFileOfTaskNode use. (dotnet/android-tools#201)
  * dotnet/android-tools@47f95ab: Fix CS0121 ambiguity errors. (dotnet/android-tools#200)
  * dotnet/android-tools@76c076f: Add support for Project Specific RegisterTaskObject. (dotnet/android-tools#199)
  * dotnet/android-tools@9f02d77: Add reference to System.Security.Cryptography.Xml (dotnet/android-tools#198)
  * dotnet/android-tools@fa3711b: [build] Update NuGet package versions (dotnet/android-tools#196)
  * dotnet/android-tools@59cac90: Enable CodeQL (dotnet/android-tools#197)
  * dotnet/android-tools@9f56dec: Move from `netcoreapp3.1` to `net6.0` (dotnet/android-tools#195)
  * dotnet/android-tools@0be567a: Use Environment.SpecialFolder.UserProfile, not SpecialFolder.Personal (dotnet/android-tools#194)