Packages: update to remove CVE dependencies (#2820)

NickCraver · mgravell · web-flow · commit 33358b7a41bb · 2024-11-27T07:34:23.000-05:00
* Packages: update to remove CVE dependencies

This bumps *testing* (not the core package) to net8.0 for an easier time maintaining and updates packages outside StackExchange.Redis except for `Microsoft.Bcl.AsyncInterfaces`. `Microsoft.Bcl.AsyncInterfaces` was bumped from 5.0.0 to 6.0.0 due to deprecation warnings, still maintaining widest compatibility we can.

* Fix .NET Framework test diff

* fix enum flags rendering; involves adding a net8.0 TFM, but that's LTS *anyway*, so: fine

also added appropriate [Obsolete] to respect transient net8.0 changes

---------

Co-authored-by: Marc Gravell &lt;marc.gravell@gmail.com&gt;
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -1,30 +1,32 @@
 <Project>
   <ItemGroup>
     <!-- Packages we depend on for StackExchange.Redis, upgrades can create binding redirect pain! -->
-    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="5.0.0" />
+    <PackageVersion Include="Microsoft.Bcl.AsyncInterfaces" Version="6.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="6.0.0" />
     <PackageVersion Include="Pipelines.Sockets.Unofficial" Version="2.2.8" />
     <PackageVersion Include="System.Diagnostics.PerformanceCounter" Version="5.0.0" />
     <PackageVersion Include="System.Threading.Channels" Version="5.0.0" />
     <PackageVersion Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.3.0" />
     <PackageVersion Include="System.IO.Compression" Version="4.3.0" />
     
     <!-- Packages only used in the solution, upgrade at will -->
-    <PackageVersion Include="BenchmarkDotNet" Version="0.13.1" />
+    <PackageVersion Include="BenchmarkDotNet" Version="0.14.0" />
     <PackageVersion Include="GitHubActionsTestLogger" Version="2.4.1" />
     <PackageVersion Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="6.0.0" />
-    <PackageVersion Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.2" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
+    <PackageVersion Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.3" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
-    <PackageVersion Include="Nerdbank.GitVersioning" Version="3.6.141" />
+    <PackageVersion Include="Nerdbank.GitVersioning" Version="3.6.146" />
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageVersion Include="NSubstitute" Version="5.1.0" />
+    <PackageVersion Include="NSubstitute" Version="5.3.0" />
     <PackageVersion Include="StackExchange.Redis" Version="2.6.96" />
     <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
+    <PackageVersion Include="System.Collections.Immutable" Version="9.0.0" />
+    <PackageVersion Include="System.Reflection.Metadata" Version="9.0.0" />    
     <!-- For binding redirect testing, main package gets this transitively -->
-    <PackageVersion Include="System.IO.Pipelines" Version="5.0.1" />
-    <PackageVersion Include="System.Runtime.Caching" Version="5.0.0" />
-    <PackageVersion Include="xunit" Version="2.9.0" />
+    <PackageVersion Include="System.IO.Pipelines" Version="9.0.0" />
+    <PackageVersion Include="System.Runtime.Caching" Version="9.0.0" />
+    <PackageVersion Include="xunit" Version="2.9.2" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
   </ItemGroup>
 </Project>
diff --git a/src/StackExchange.Redis/ConfigurationOptions.cs b/src/StackExchange.Redis/ConfigurationOptions.cs
@@ -357,13 +357,17 @@ private static bool CheckTrustedIssuer(X509Certificate2 certificateToValidate, X
                     byte[] authorityData = authority.RawData;
                     foreach (var chainElement in chain.ChainElements)
                     {
-#if NET8_0_OR_GREATER
-#error TODO: use RawDataMemory (needs testing)
-#endif
                         using var chainCert = chainElement.Certificate;
-                        if (!found && chainCert.RawData.SequenceEqual(authorityData))
+                        if (!found)
                         {
-                            found = true;
+#if NET8_0_OR_GREATER
+                            if (chainCert.RawDataMemory.Span.SequenceEqual(authorityData))
+#else
+                            if (chainCert.RawData.SequenceEqual(authorityData))
+#endif
+                            {
+                                found = true;
+                            }
                         }
                     }
                     return found;
diff --git a/src/StackExchange.Redis/Enums/CommandFlags.cs b/src/StackExchange.Redis/Enums/CommandFlags.cs
@@ -34,36 +34,59 @@ public enum CommandFlags
         /// </summary>
         PreferMaster = 0,
 
+#if NET8_0_OR_GREATER
+        /// <summary>
+        /// This operation should be performed on the replica if it is available, but will be performed on
+        /// a primary if no replicas are available. Suitable for read operations only.
+        /// </summary>
+        [Obsolete("Starting with Redis version 5, Redis has moved to 'replica' terminology. Please use " + nameof(PreferReplica) + " instead, this will be removed in 3.0.")]
+        [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
+        PreferSlave = 8,
+#endif
+
         /// <summary>
         /// This operation should only be performed on the primary.
         /// </summary>
         DemandMaster = 4,
 
+#if !NET8_0_OR_GREATER
         /// <summary>
         /// This operation should be performed on the replica if it is available, but will be performed on
         /// a primary if no replicas are available. Suitable for read operations only.
         /// </summary>
         [Obsolete("Starting with Redis version 5, Redis has moved to 'replica' terminology. Please use " + nameof(PreferReplica) + " instead, this will be removed in 3.0.")]
         [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
         PreferSlave = 8,
+#endif
 
         /// <summary>
         /// This operation should be performed on the replica if it is available, but will be performed on
         /// a primary if no replicas are available. Suitable for read operations only.
         /// </summary>
         PreferReplica = 8, // note: we're using a 2-bit set here, which [Flags] formatting hates; position is doing the best we can for reasonable outcomes here
 
+#if NET8_0_OR_GREATER
+        /// <summary>
+        /// This operation should only be performed on a replica. Suitable for read operations only.
+        /// </summary>
+        [Obsolete("Starting with Redis version 5, Redis has moved to 'replica' terminology. Please use " + nameof(DemandReplica) + " instead, this will be removed in 3.0.")]
+        [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
+        DemandSlave = 12,
+#endif
+
         /// <summary>
         /// This operation should only be performed on a replica. Suitable for read operations only.
         /// </summary>
         DemandReplica = 12, // note: we're using a 2-bit set here, which [Flags] formatting hates; position is doing the best we can for reasonable outcomes here
 
+#if !NET8_0_OR_GREATER
         /// <summary>
         /// This operation should only be performed on a replica. Suitable for read operations only.
         /// </summary>
         [Obsolete("Starting with Redis version 5, Redis has moved to 'replica' terminology. Please use " + nameof(DemandReplica) + " instead, this will be removed in 3.0.")]
         [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
         DemandSlave = 12,
+#endif
 
         // 16: reserved for additional "demand/prefer" options
 
diff --git a/src/StackExchange.Redis/Exceptions.cs b/src/StackExchange.Redis/Exceptions.cs
@@ -1,4 +1,5 @@
 ﻿using System;
+using System.ComponentModel;
 using System.Runtime.Serialization;
 
 namespace StackExchange.Redis
@@ -22,6 +23,10 @@ public RedisCommandException(string message) : base(message) { }
         /// <param name="innerException">The inner exception.</param>
         public RedisCommandException(string message, Exception innerException) : base(message, innerException) { }
 
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         private RedisCommandException(SerializationInfo info, StreamingContext ctx) : base(info, ctx) { }
     }
 
@@ -46,6 +51,10 @@ public RedisTimeoutException(string message, CommandStatus commandStatus) : base
         /// </summary>
         public CommandStatus Commandstatus { get; }
 
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         private RedisTimeoutException(SerializationInfo info, StreamingContext ctx) : base(info, ctx)
         {
             Commandstatus = info.GetValue("commandStatus", typeof(CommandStatus)) as CommandStatus? ?? CommandStatus.Unknown;
@@ -56,6 +65,10 @@ private RedisTimeoutException(SerializationInfo info, StreamingContext ctx) : ba
         /// </summary>
         /// <param name="info">Serialization info.</param>
         /// <param name="context">Serialization context.</param>
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         public override void GetObjectData(SerializationInfo info, StreamingContext context)
         {
             base.GetObjectData(info, context);
@@ -107,6 +120,10 @@ public RedisConnectionException(ConnectionFailureType failureType, string messag
         /// </summary>
         public CommandStatus CommandStatus { get; }
 
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         private RedisConnectionException(SerializationInfo info, StreamingContext ctx) : base(info, ctx)
         {
             FailureType = (ConnectionFailureType)info.GetInt32("failureType");
@@ -118,6 +135,10 @@ private RedisConnectionException(SerializationInfo info, StreamingContext ctx) :
         /// </summary>
         /// <param name="info">Serialization info.</param>
         /// <param name="context">Serialization context.</param>
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         public override void GetObjectData(SerializationInfo info, StreamingContext context)
         {
             base.GetObjectData(info, context);
@@ -150,6 +171,10 @@ public RedisException(string message, Exception? innerException) : base(message,
         /// </summary>
         /// <param name="info">Serialization info.</param>
         /// <param name="ctx">Serialization context.</param>
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         protected RedisException(SerializationInfo info, StreamingContext ctx) : base(info, ctx) { }
     }
 
@@ -165,6 +190,10 @@ public sealed partial class RedisServerException : RedisException
         /// <param name="message">The message for the exception.</param>
         public RedisServerException(string message) : base(message) { }
 
+#if NET8_0_OR_GREATER
+        [Obsolete(Obsoletions.LegacyFormatterImplMessage, DiagnosticId = Obsoletions.LegacyFormatterImplDiagId)]
+        [EditorBrowsable(EditorBrowsableState.Never)]
+#endif
         private RedisServerException(SerializationInfo info, StreamingContext ctx) : base(info, ctx) { }
     }
 }
diff --git a/src/StackExchange.Redis/Obsoletions.cs b/src/StackExchange.Redis/Obsoletions.cs
@@ -0,0 +1,7 @@
+﻿namespace StackExchange.Redis;
+
+internal static class Obsoletions
+{
+    public const string LegacyFormatterImplMessage = "This API supports obsolete formatter-based serialization. It should not be called or extended by application code.";
+    public const string LegacyFormatterImplDiagId = "SYSLIB0051";
+}
diff --git a/src/StackExchange.Redis/PublicAPI/net8.0/PublicAPI.Shipped.txt b/src/StackExchange.Redis/PublicAPI/net8.0/PublicAPI.Shipped.txt
@@ -0,0 +1,3 @@
+﻿StackExchange.Redis.ConfigurationOptions.SslClientAuthenticationOptions.get -> System.Func<string!, System.Net.Security.SslClientAuthenticationOptions!>?
+StackExchange.Redis.ConfigurationOptions.SslClientAuthenticationOptions.set -> void
+System.Runtime.CompilerServices.IsExternalInit (forwarded, contained in System.Runtime)
diff --git a/src/StackExchange.Redis/StackExchange.Redis.csproj b/src/StackExchange.Redis/StackExchange.Redis.csproj
@@ -2,7 +2,7 @@
   <PropertyGroup>
     <Nullable>enable</Nullable>
     <!-- extend the default lib targets for the main lib; mostly because of "vectors" -->
-    <TargetFrameworks>net461;netstandard2.0;net472;netcoreapp3.1;net6.0</TargetFrameworks>
+    <TargetFrameworks>net461;netstandard2.0;net472;netcoreapp3.1;net6.0;net8.0</TargetFrameworks>
     <Description>High performance Redis client, incorporating both synchronous and asynchronous usage.</Description>
     <AssemblyName>StackExchange.Redis</AssemblyName>
     <AssemblyTitle>StackExchange.Redis</AssemblyTitle>
diff --git a/tests/BasicTest/BasicTest.csproj b/tests/BasicTest/BasicTest.csproj
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <Description>StackExchange.Redis.BasicTest .NET Core</Description>
-    <TargetFrameworks>net472;net6.0</TargetFrameworks>
+    <TargetFrameworks>net472;net8.0</TargetFrameworks>
     <AssemblyName>BasicTest</AssemblyName>
     <OutputType>Exe</OutputType>
     <PackageId>BasicTest</PackageId>
@@ -11,6 +11,9 @@
 
   <ItemGroup>
     <PackageReference Include="BenchmarkDotNet" />
+    <PackageReference Include="System.Collections.Immutable" />
+    <PackageReference Include="System.Reflection.Metadata" />
+    
     <ProjectReference Include="..\..\src\StackExchange.Redis\StackExchange.Redis.csproj" />
   </ItemGroup>
 
diff --git a/tests/BasicTestBaseline/BasicTestBaseline.csproj b/tests/BasicTestBaseline/BasicTestBaseline.csproj
@@ -2,7 +2,7 @@
 
   <PropertyGroup>
     <Description>StackExchange.Redis.BasicTest .NET Core</Description>
-    <TargetFrameworks>net472;net6.0</TargetFrameworks>
+    <TargetFrameworks>net472;net8.0</TargetFrameworks>
     <AssemblyName>BasicTestBaseline</AssemblyName>
     <OutputType>Exe</OutputType>
     <PackageId>BasicTestBaseline</PackageId>
@@ -17,6 +17,8 @@
   <ItemGroup>
     <PackageReference Include="BenchmarkDotNet" />
     <PackageReference Include="StackExchange.Redis" />
+    <PackageReference Include="System.Collections.Immutable" />
+    <PackageReference Include="System.Reflection.Metadata" />
   </ItemGroup>
 
 </Project>
diff --git a/tests/ConsoleTest/ConsoleTest.csproj b/tests/ConsoleTest/ConsoleTest.csproj
@@ -1,7 +1,7 @@
 ﻿<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <OutputType>Exe</OutputType>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
diff --git a/tests/ConsoleTestBaseline/ConsoleTestBaseline.csproj b/tests/ConsoleTestBaseline/ConsoleTestBaseline.csproj
@@ -1,7 +1,7 @@
 ﻿<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <OutputType>Exe</OutputType>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
diff --git a/tests/StackExchange.Redis.Tests/ConfigTests.cs b/tests/StackExchange.Redis.Tests/ConfigTests.cs
@@ -92,15 +92,15 @@ public void ExpectedFields()
     [Fact]
     public void SslProtocols_SingleValue()
     {
-        var options = ConfigurationOptions.Parse("myhost,sslProtocols=Tls11");
-        Assert.Equal(SslProtocols.Tls11, options.SslProtocols.GetValueOrDefault());
+        var options = ConfigurationOptions.Parse("myhost,sslProtocols=Tls12");
+        Assert.Equal(SslProtocols.Tls12, options.SslProtocols.GetValueOrDefault());
     }
 
     [Fact]
     public void SslProtocols_MultipleValues()
     {
-        var options = ConfigurationOptions.Parse("myhost,sslProtocols=Tls11|Tls12");
-        Assert.Equal(SslProtocols.Tls11 | SslProtocols.Tls12, options.SslProtocols.GetValueOrDefault());
+        var options = ConfigurationOptions.Parse("myhost,sslProtocols=Tls12|Tls13");
+        Assert.Equal(SslProtocols.Tls12 | SslProtocols.Tls13, options.SslProtocols.GetValueOrDefault());
     }
 
     [Theory]
@@ -121,9 +121,9 @@ public void SslProtocols_UsingIntegerValue()
         // The below scenario is for cases where the *targeted*
         // .NET framework version (e.g. .NET 4.0) doesn't define an enum value (e.g. Tls11)
         // but the OS has been patched with support
-        const int integerValue = (int)(SslProtocols.Tls11 | SslProtocols.Tls12);
+        const int integerValue = (int)(SslProtocols.Tls12 | SslProtocols.Tls13);
         var options = ConfigurationOptions.Parse("myhost,sslProtocols=" + integerValue);
-        Assert.Equal(SslProtocols.Tls11 | SslProtocols.Tls12, options.SslProtocols.GetValueOrDefault());
+        Assert.Equal(SslProtocols.Tls12 | SslProtocols.Tls13, options.SslProtocols.GetValueOrDefault());
     }
 
     [Fact]
@@ -203,7 +203,7 @@ public void ConfigurationOptionsIPv6Parsing(string configString, AddressFamily f
     public void CanParseAndFormatUnixDomainSocket()
     {
         const string ConfigString = "!/some/path,allowAdmin=True";
-#if NET472
+#if NETFRAMEWORK
         var ex = Assert.Throws<PlatformNotSupportedException>(() => ConfigurationOptions.Parse(ConfigString));
         Assert.Equal("Unix domain sockets require .NET Core 3 or above", ex.Message);
 #else
@@ -793,6 +793,6 @@ public void CheckHighIntegrity(bool? assigned, bool expected, string cs)
         Assert.Equal(cs, clone.ToString());
 
         var parsed = ConfigurationOptions.Parse(cs);
-        Assert.Equal(expected, options.HighIntegrity);
+        Assert.Equal(expected, parsed.HighIntegrity);
     }
 }
diff --git a/tests/StackExchange.Redis.Tests/FormatTests.cs b/tests/StackExchange.Redis.Tests/FormatTests.cs
@@ -55,15 +55,21 @@ public void ParseEndPoint(string data, EndPoint expected, string? expectedFormat
 
     [Theory]
     [InlineData(CommandFlags.None, "None")]
-#if NET472
+#if NETFRAMEWORK
     [InlineData(CommandFlags.PreferReplica, "PreferMaster, PreferReplica")] // 2-bit flag is hit-and-miss
     [InlineData(CommandFlags.DemandReplica, "PreferMaster, DemandReplica")] // 2-bit flag is hit-and-miss
 #else
     [InlineData(CommandFlags.PreferReplica, "PreferReplica")] // 2-bit flag is hit-and-miss
     [InlineData(CommandFlags.DemandReplica, "DemandReplica")] // 2-bit flag is hit-and-miss
 #endif
+
+#if NET8_0_OR_GREATER
+    [InlineData(CommandFlags.PreferReplica | CommandFlags.FireAndForget, "FireAndForget, PreferReplica")] // 2-bit flag is hit-and-miss
+    [InlineData(CommandFlags.DemandReplica | CommandFlags.FireAndForget, "FireAndForget, DemandReplica")] // 2-bit flag is hit-and-miss
+#else
     [InlineData(CommandFlags.PreferReplica | CommandFlags.FireAndForget, "PreferMaster, FireAndForget, PreferReplica")] // 2-bit flag is hit-and-miss
     [InlineData(CommandFlags.DemandReplica | CommandFlags.FireAndForget, "PreferMaster, FireAndForget, DemandReplica")] // 2-bit flag is hit-and-miss
+#endif
     public void CommandFlagsFormatting(CommandFlags value, string expected)
         => Assert.Equal(expected, value.ToString());
 
diff --git a/tests/StackExchange.Redis.Tests/SSLTests.cs b/tests/StackExchange.Redis.Tests/SSLTests.cs
diff --git a/tests/StackExchange.Redis.Tests/ServerSnapshotTests.cs b/tests/StackExchange.Redis.Tests/ServerSnapshotTests.cs
diff --git a/tests/StackExchange.Redis.Tests/StackExchange.Redis.Tests.csproj b/tests/StackExchange.Redis.Tests/StackExchange.Redis.Tests.csproj
diff --git a/toys/TestConsole/TestConsole.csproj b/toys/TestConsole/TestConsole.csproj
diff --git a/toys/TestConsoleBaseline/TestConsoleBaseline.csproj b/toys/TestConsoleBaseline/TestConsoleBaseline.csproj

Original file line number	Diff line number	Diff line change
`@@ -357,13 +357,17 @@ private static bool CheckTrustedIssuer(X509Certificate2 certificateToValidate, X`
`357`	`357`	`byte[] authorityData = authority.RawData;`
`358`	`358`	`foreach (var chainElement in chain.ChainElements)`
`359`	`359`	`{`
`360`		`-#if NET8_0_OR_GREATER`
`361`		`-#error TODO: use RawDataMemory (needs testing)`
`362`		`-#endif`
`363`	`360`	`using var chainCert = chainElement.Certificate;`
`364`		`- if (!found && chainCert.RawData.SequenceEqual(authorityData))`
	`361`	`+ if (!found)`
`365`	`362`	`{`
`366`		`- found = true;`
	`363`	`+#if NET8_0_OR_GREATER`
	`364`	`+ if (chainCert.RawDataMemory.Span.SequenceEqual(authorityData))`
	`365`	`+#else`
	`366`	`+ if (chainCert.RawData.SequenceEqual(authorityData))`
	`367`	`+#endif`
	`368`	`+ {`
	`369`	`+ found = true;`
	`370`	`+ }`
`367`	`371`	`}`
`368`	`372`	`}`
`369`	`373`	`return found;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+StackExchange.Redis.ConfigurationOptions.SslClientAuthenticationOptions.get -> System.Func<string!, System.Net.Security.SslClientAuthenticationOptions!>?`
	`2`	`+StackExchange.Redis.ConfigurationOptions.SslClientAuthenticationOptions.set -> void`
	`3`	`+System.Runtime.CompilerServices.IsExternalInit (forwarded, contained in System.Runtime)`