[SDL] update packages (#2243)

Timothy Mothra · web-flow · commit 0a1ee470b236 · 2021-05-06T10:18:46.000-07:00
* update packages

* update test dependencies

* testing fix for version conflicts

* Update IntegrationTests.Tests.csproj

* cleanup

* cleanup
diff --git a/NETCORE/src/Microsoft.ApplicationInsights.AspNetCore/Microsoft.ApplicationInsights.AspNetCore.csproj b/NETCORE/src/Microsoft.ApplicationInsights.AspNetCore/Microsoft.ApplicationInsights.AspNetCore.csproj
@@ -37,6 +37,29 @@
     <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="2.1.0" />
   </ItemGroup>
 
+  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFramework)' == 'net461' ">
+    <!--
+    Microsoft.AspNetCore.Http has a vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1045
+    System.Text.Encodings.Web has a vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701 
+    
+    These are both implicit dependencies from Microsoft.AspNetCore.Hosting.
+    (Microsoft.AspNetCore.Hosting > Microsoft.AspNetCore.Http)
+    (Microsoft.AspNetCore.Hosting > Microsoft.AspNetCore.Hosting.Abstractions > Microsoft.AspNetCore.Http.Abstractions > System.Text.Encodings.Web)
+    -->
+    
+    <!--
+    Taking a dependency on Microsoft.AspNetCore.Hosting v2.2.0 would resolve this issue, but would also break support for NetCore v2.1.
+    Instead I'm taking a direct dependency on the fixed version Microsoft.AspNetCore.Http.
+    We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.
+    -->
+    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.1.22" />
+
+    <!-- 
+    We must take a temporary dependency on this newer version until Microsoft.AspNetCore.Hosting updates their dependencies.
+    -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.5.1" />
+  </ItemGroup>
+
   <ItemGroup>
     <AdditionalFiles Include="$(PublicApiRoot)\$(AssemblyName).dll\$(TargetFramework)\PublicAPI.Shipped.txt" />
     <AdditionalFiles Include="$(PublicApiRoot)\$(AssemblyName).dll\$(TargetFramework)\PublicAPI.Unshipped.txt" />
diff --git a/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj b/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj
@@ -21,6 +21,9 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4" />
 
     <ProjectReference Include="..\IntegrationTests.WebApp\IntegrationTests.WebApp.csproj" />
+
+    <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="5.0.0" />
+    <PackageReference Include="System.Security.Permissions" Version="4.7.0" />
   </ItemGroup>
 
   <ItemGroup>
@@ -38,7 +41,7 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1'">
-    <PackageReference Include="Microsoft.AspNetCore.App" />
+    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.27" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="2.1.1" />
   </ItemGroup>
 
diff --git a/NETCORE/test/IntegrationTests.WebApp/IntegrationTests.WebApp.csproj b/NETCORE/test/IntegrationTests.WebApp/IntegrationTests.WebApp.csproj
@@ -9,8 +9,11 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1'">
-    <PackageReference Include="Microsoft.AspNetCore.App" />
+    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.27" />
     <PackageReference Include="Microsoft.AspNetCore.Razor.Design" Version="2.1.2" PrivateAssets="All" />
+
+    <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="5.0.0" />
+    <PackageReference Include="System.Security.Permissions" Version="4.7.0" />
   </ItemGroup>
 
 </Project>
