fix(seed): remediate 35 csharp-seed container CVEs

[github-actions]

Description

Linear ticket: Refs grype scan 2026-05-06 for csharp-seed

Remediates the 35 vulnerabilities (3 Critical, 4 High, 19 Medium, 9 Low) reported by the 2026-05-06 grype scan against the csharp-seed Docker container.

The container is docker/seed/Dockerfile.csharp — used by seed tests for the C# generator, not the published csharp-sdk generator itself, so no generator changelog entry is required.

Changes Made

OS-level (apt) — added an apt-get install --only-upgrade layer to pull patched debs from noble-updates:

• curl, libcurl3t64-gnutls, libcurl4t64 → 8.5.0-2ubuntu10.9 (CVE-2026-{5545,6253,6429,7168,4873,5773,6276})
• libnghttp2-14 → 1.59.0-1ubuntu0.3 (CVE-2026-27135)
• libcap2 → 1:2.66-5ubuntu2.4 (CVE-2026-4878)
• sed → 4.9-2ubuntu0.24.04.1 (CVE-2026-5958)

NuGet — pin bumps to fixed versions:

• Portable.System.DateTimeOnly 8.0.2 → 9.0.1 (matches what generated SDKs use)
• System.Text.Json 8.0.5 → 10.0.5 (also fixes a pre-existing transitive downgrade vs WireMock.Net's Scriban dependency)
• Microsoft.Extensions.Logging.Abstractions 8.0.2 → 10.0.0 (also fixes a transitive downgrade vs OpenTelemetry / Grpc.Net.ClientFactory)

NuGet — explicit overrides (evict vulnerable transitive versions from the warmed cache):

• Microsoft.AspNetCore.Http → 2.3.9 (GHSA-hxrm-9w7p-39cc)
• Microsoft.AspNetCore.Server.Kestrel.Core → 2.3.8 (GHSA-5rrx-jjjq-q2r5 / CVE-2025-55315)
• OpenTelemetry / OpenTelemetry.Api / OpenTelemetry.Exporter.OpenTelemetryProtocol → 1.15.3 (GHSA-q834-8qmm-v933, GHSA-g94r-2vxg-569j, GHSA-mr8r-92fq-pj8p, GHSA-4625-4j76-fww9)
• System.Text.Encodings.Web → 10.0.5 (GHSA-ghhp-997w-qr28; without this, the 4.7.2 nupkg is still pulled transitively and its netstandard1.0 fallback DLL has FileVersion 4.6.29812.01, which grype keeps reporting)
• System.Formats.Asn1 → 10.0.5 (GHSA-447r-wph3-92pm)

The existing System.Net.Http [4.3.4,) constraint and the resolution of System.Security.Cryptography.Xml already cover the remaining advisories from the original scan.

Also deleted the .github/grype-scans/scan-csharp-seed-20260506.md scaffold file.

• Updated README.md generator (if applicable) — N/A, container-only change

Testing

Built locally and re-scanned with grype:

docker build -f docker/seed/Dockerfile.csharp -t csharp-seed:after .
grype csharp-seed:after

After the fix, all 35 dotnet + OS findings reported in the original scan are gone. The remaining entries grype shows locally are OS CVEs that have no FIXED-IN entry in the Ubuntu repos yet (i.e. nothing to upgrade to) and were not part of the original 35-vuln scan since the scanner only reports findings with Status: fixed.

• Unit tests added/updated — N/A, infrastructure-only change
• Manual testing completed (build + grype rescan)

cc @davidkonigsberg

Link to Devin session: https://app.devin.ai/sessions/45bde98fe8aa4250bc7b18727caed287

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[github-actions]

SDK Generation Benchmark Results

Comparing PR branch against median of 5 nightly run(s) on main (latest: 2026-04-23T04:59:11Z).

Full benchmark table (click to expand)

Generator	Spec	main (generator)	main (E2E)	PR (generator)	Delta
csharp-sdk	square	56s (n=5)	86s (n=5)	75s	+19s (+33.9%)

main (generator): generator-only time via --skip-scripts (includes Docker image build, container startup, IR parsing, and code generation — this is the same Docker-based flow customers use via fern generate). main (E2E): full customer-observable time including build/test scripts (nightly baseline, informational). Delta is computed against generator-only baseline.
⚠️ = generation exited with a non-zero exit code (timing may not reflect a successful run).
Baseline from nightly runs on main (latest: 2026-04-23T04:59:11Z). Trigger benchmark-baseline to refresh.
Last updated: 2026-05-06 14:09 UTC