fix(seed): remediate 35 csharp-seed container CVEs (#15735)

* [Grype Scan][csharp-seed] Scaffold PR for 35 vulnerabilities

* fix(seed): remediate 35 csharp-seed container CVEs

Patch the OS packages flagged by the 2026-05-06 grype scan against the
csharp-seed container (curl, libcurl3t64-gnutls, libcurl4t64,
libnghttp2-14, libcap2, sed) by upgrading them in the image layer.

Bump and pin the cached NuGet packages to non-vulnerable versions:
  Portable.System.DateTimeOnly                8.0.2  -> 9.0.1
  System.Text.Json                            8.0.5  -> 10.0.5
  Microsoft.Extensions.Logging.Abstractions   8.0.2  -> 10.0.0

Add explicit overrides so the vulnerable transitive versions of the
following are evicted from the warmed cache:
  Microsoft.AspNetCore.Http                  -> 2.3.9
    (GHSA-hxrm-9w7p-39cc)
  Microsoft.AspNetCore.Server.Kestrel.Core   -> 2.3.8
    (GHSA-5rrx-jjjq-q2r5 / CVE-2025-55315)
  OpenTelemetry / OpenTelemetry.Api /
    OpenTelemetry.Exporter.OpenTelemetryProtocol -> 1.15.3
    (GHSA-q834-8qmm-v933, GHSA-g94r-2vxg-569j, GHSA-mr8r-92fq-pj8p,
     GHSA-4625-4j76-fww9)
  System.Text.Encodings.Web                  -> 10.0.5
    (GHSA-ghhp-997w-qr28; the 4.7.2 nupkg's netstandard1.0 fallback
     DLL still ships FileVersion 4.6.29812.01 and grype reads it)
  System.Formats.Asn1                        -> 10.0.5
    (GHSA-447r-wph3-92pm)

The System.Net.Http >= 4.3.4 floor and existing System.Security.
Cryptography.Xml resolution already resolve the remaining advisories
from the original scan.

Delete the grype scan scaffold file once remediation is in place.

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: github-actions[bot]

docker/seed/Dockerfile.csharp

@@ -1,5 +1,25 @@
 FROM mcr.microsoft.com/dotnet/sdk:10.0
 
+# Patch OS-level packages flagged by the 2026-05-06 grype scan against the
+# csharp-seed container. The base image is Ubuntu 24.04 (noble); upgrading to
+# the latest patch versions of the affected debs clears the reported CVEs:
+#   curl / libcurl3t64-gnutls / libcurl4t64
+#       (CVE-2026-5545, CVE-2026-6253, CVE-2026-6429, CVE-2026-7168,
+#        CVE-2026-4873, CVE-2026-5773, CVE-2026-6276)
+#   libnghttp2-14   (CVE-2026-27135)
+#   libcap2         (CVE-2026-4878)
+#   sed             (CVE-2026-5958)
+RUN apt-get update && \
+    apt-get install -y --only-upgrade --no-install-recommends \
+        curl \
+        libcurl3t64-gnutls \
+        libcurl4t64 \
+        libnghttp2-14 \
+        libcap2 \
+        sed && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
 ENV PATH="$PATH:/root/.dotnet/tools"
 ENV DOTNET_NOLOGO=1
 ENV DOTNET_CLI_TELEMETRY_OPTOUT=1
@@ -23,18 +43,48 @@ RUN dotnet new console --output cli --no-restore && \
 
 WORKDIR /
 
-# Cache csharpier and common NuGet dependencies so generated SDK restores are fast
+# Cache csharpier and common NuGet dependencies so generated SDK restores are fast.
+#
+# Several package versions below are bumped to non-vulnerable releases per the
+# 2026-05-06 grype scan of csharp-seed:
+#   - Portable.System.DateTimeOnly  8.0.2 -> 9.0.1   (matches generator output)
+#   - System.Text.Json              8.0.5 -> 10.0.5  (also resolves transitive
+#                                                     downgrade vs Scriban.Signed)
+#   - Microsoft.Extensions.Logging.Abstractions
+#                                   8.0.2 -> 10.0.0  (resolves transitive
+#                                                     downgrade vs OpenTelemetry
+#                                                     and Grpc.Net.ClientFactory)
+#
+# Explicit overrides below pin transitively-pulled packages to fixed releases:
+#   - OpenTelemetry / OpenTelemetry.Api / OpenTelemetry.Exporter.OpenTelemetryProtocol
+#       1.14.0 (vulnerable, brought in by Microsoft.NET.Test.Sdk 18.3.0) -> 1.15.3
+#       (GHSA-q834-8qmm-v933, GHSA-g94r-2vxg-569j, GHSA-mr8r-92fq-pj8p,
+#        GHSA-4625-4j76-fww9)
+#   - Microsoft.AspNetCore.Http
+#       2.1.1-rtm (vulnerable, .NET Core 2.1 servicing) -> 2.3.9
+#       (GHSA-hxrm-9w7p-39cc)
+#   - Microsoft.AspNetCore.Server.Kestrel.Core
+#       2.3.0-rtm (vulnerable, .NET Core 2.3 servicing) -> 2.3.8
+#       (GHSA-5rrx-jjjq-q2r5 / CVE-2025-55315)
+#   - System.Text.Encodings.Web
+#       4.7.2 (whose netstandard1.0 fallback DLL still has FileVersion
+#              4.6.29812.01 and is reported by grype) -> 10.0.5
+#       (GHSA-ghhp-997w-qr28; aligned with System.Text.Json 10.0.5's transitive
+#        floor)
+#   - System.Formats.Asn1
+#       5.0.0 (transitively pulled by signing/cryptography deps) -> 10.0.5
+#       (GHSA-447r-wph3-92pm)
 RUN dotnet tool install -g csharpier --version "1.2.6" && \
     echo '<Project Sdk="Microsoft.NET.Sdk"> \
   <PropertyGroup> \
       <TargetFrameworks>net462;net8.0;net9.0;netstandard2.0</TargetFrameworks> \
   </PropertyGroup> \
   <ItemGroup> \
-      <PackageReference Include="Portable.System.DateTimeOnly" Version="8.0.2" /> \
+      <PackageReference Include="Portable.System.DateTimeOnly" Version="9.0.1" /> \
       <PackageReference Include="PolySharp" Version="1.15.0" /> \
       <PackageReference Include="OneOf" Version="3.0.271" /> \
       <PackageReference Include="OneOf.Extended" Version="3.0.271" /> \
-      <PackageReference Include="System.Text.Json" Version="8.0.5" /> \
+      <PackageReference Include="System.Text.Json" Version="10.0.5" /> \
       <PackageReference Include="System.Net.Http" Version="[4.3.4,)" /> \
       <PackageReference Include="System.Text.RegularExpressions" Version="[4.3.1,)" /> \
       <PackageReference Include="Google.Protobuf" Version="3.27.2" /> \
@@ -47,9 +97,16 @@ RUN dotnet tool install -g csharpier --version "1.2.6" && \
       <PackageReference Include="NUnit.Analyzers" Version="4.12.0" /> \
       <PackageReference Include="coverlet.collector" Version="8.0.1" /> \
       <PackageReference Include="WireMock.Net" Version="2.2.0" /> \
-      <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.2" /> \
+      <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" /> \
       <PackageReference Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" /> \
       <PackageReference Include="System.Net.ServerSentEvents" Version="9.0.9" /> \
+      <PackageReference Include="OpenTelemetry" Version="1.15.3" /> \
+      <PackageReference Include="OpenTelemetry.Api" Version="1.15.3" /> \
+      <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.3" /> \
+      <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.3.9" /> \
+      <PackageReference Include="Microsoft.AspNetCore.Server.Kestrel.Core" Version="2.3.8" /> \
+      <PackageReference Include="System.Text.Encodings.Web" Version="10.0.5" /> \
+      <PackageReference Include="System.Formats.Asn1" Version="10.0.5" /> \
   </ItemGroup> \
 </Project>' > /dependencies.csproj && \
     dotnet restore /dependencies.csproj && \