Enable NuGetAudit

Contributes to dotnet/arcade#15019

Also remove the unnecessary `SystemFormatsAsn1Version` property.

Directory.Build.props

@@ -24,6 +24,9 @@
     <TemplateEnginePublicKey>0024000004800000940000000602000000240000525341310004000001000100f33a29044fa9d740c9b3213a93e57c84b472c84e0b8a0e1ae48e67a9f8f6de9d5f7f3d52ac23e48ac51801f1dc950abe901da34d2a9e3baadb141a17c77ef3c565dd5ee5054b91cf63bb3c6ab83f72ab3aafe93d0fc3c2348b764fafb0b1c0733de51459aeab46580384bf9d74c4e28164b7cde247f891ba07891c9d872ad2bb</TemplateEnginePublicKey>
     <DynamicProxyGenAssembly2PublicKey>0024000004800000940000000602000000240000525341310004000001000100c547cac37abd99c8db225ef2f6c8a3602f3b3606cc9891605d02baa56104f4cfc0734aa39b93bf7852f7d9266654753cc297e7d2edfe0bac1cdcf9f717241550e0a7b191195b7667bb4f64bcb8e2121380fd1d9d46ad2d92d2d15605093924cceaf74c4861eff62abf69b9291ed0a340e113be11e6a7d3113e92484cf7045cc7</DynamicProxyGenAssembly2PublicKey>
 
+    <!-- Only upgrade NuGetAudit warnings to errors for official builds. -->
+    <WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
+
     <EnableAnalyzers>true</EnableAnalyzers>
     <!-- Disable analyzers in sourcebuild -->
     <EnableAnalyzers Condition="'$(DotNetBuildSourceOnly)' == 'true'">false</EnableAnalyzers>

Directory.Packages.props

@@ -27,8 +27,9 @@
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.IO.Redist" Version="6.0.1" />
-    <PackageVersion Include="System.Formats.Asn1" Version="$(SystemFormatsAsn1Version)" />
+    <PackageVersion Include="Microsoft.IO.Redist" Version="6.0.1" /> <!-- Pin transitive dependency to avoid vulnerable 6.0.0 version. -->
+    <PackageVersion Include="System.Formats.Asn1" Version="8.0.1" /> <!-- Pin transitive dependency to avoid vulnerable 8.0.0 version. -->
+    <PackageVersion Include="System.Text.Json" Version="8.0.4" /> <!-- Pin transitive dependency to avoid vulnerable 8.0.0 version. -->
   </ItemGroup>
 
   <!-- External dependencies -->
@@ -45,7 +46,7 @@
     <PackageVersion Include="xunit.extensibility.execution" Version="$(XUnitVersion)" />
   </ItemGroup>
 
-  <!-- DotNetBuild overrides -->
+  <!-- DotNetBuild overrides needed until https://github.com/dotnet/source-build/issues/4467 is implemented. -->
   <ItemGroup>
     <PackageVersion Update="Microsoft.Build.Framework" Version="$(MicrosoftBuildFrameworkVersion)" Condition="'$(MicrosoftBuildFrameworkVersion)' != ''" />
     <PackageVersion Update="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildUtilitiesCoreVersion)" Condition="'$(MicrosoftBuildUtilitiesCoreVersion)' != ''" />
@@ -57,6 +58,8 @@
     <PackageVersion Update="NuGet.Configuration" Version="$(NuGetConfigurationVersion)" Condition="'$(NuGetConfigurationVersion)' != ''" />
     <PackageVersion Update="NuGet.Credentials" Version="$(NuGetCredentialsVersion)" Condition="'$(NuGetCredentialsVersion)' != ''" />
     <PackageVersion Update="NuGet.Protocol" Version="$(NuGetProtocolVersion)" Condition="'$(NuGetProtocolVersion)' != ''" />
+    <PackageVersion Update="System.Formats.Asn1" Version="$(SystemFormatsAsn1Version)" Condition="'$(SystemFormatsAsn1Version)' != ''" />
+    <PackageVersion Update="System.Text.Json" Version="$(SystemTextJsonVersoin)" Condition="'$(SystemTextJsonVersion)' != ''" />
   </ItemGroup>
 
 </Project>

NuGet.config

@@ -2,31 +2,16 @@
 <configuration>
   <packageSources>
     <clear />
-    <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
-    <!--  Begin: Package sources from dotnet-runtime -->
-    <add key="darc-int-dotnet-runtime-2aade6b" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-2aade6be/nuget/v3/index.json" />
-    <add key="darc-int-dotnet-runtime-2aade6b-5" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-2aade6be-5/nuget/v3/index.json" />
-    <add key="darc-int-dotnet-runtime-2aade6b-3" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-2aade6be-3/nuget/v3/index.json" />
-    <add key="darc-int-dotnet-runtime-2aade6b-2" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-2aade6be-2/nuget/v3/index.json" />
-    <add key="darc-int-dotnet-runtime-2aade6b-1" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-dotnet-runtime-2aade6be-1/nuget/v3/index.json" />
-    <!--  End: Package sources from dotnet-runtime -->
-    <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
     <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
     <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" />
     <add key="dotnet-libraries" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-libraries/nuget/v3/index.json" />
     <add key="dotnet9" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json" />
     <add key="dotnet9-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9-transport/nuget/v3/index.json" />
   </packageSources>
-  <disabledPackageSources>
-    <!--Begin: Package sources managed by Dependency Flow automation. Do not edit the sources below.-->
-    <!--  Begin: Package sources from dotnet-runtime -->
-    <add key="darc-int-dotnet-runtime-2aade6b-1" value="true" />
-    <add key="darc-int-dotnet-runtime-2aade6b-2" value="true" />
-    <add key="darc-int-dotnet-runtime-2aade6b-3" value="true" />
-    <add key="darc-int-dotnet-runtime-2aade6b-5" value="true" />
-    <add key="darc-int-dotnet-runtime-2aade6b" value="true" />
-    <!--  End: Package sources from dotnet-runtime -->
-    <!--End: Package sources managed by Dependency Flow automation. Do not edit the sources above.-->
-  </disabledPackageSources>
+  <auditSources>
+    <clear />
+    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+  </auditSources>
+  <disabledPackageSources />
 </configuration>

eng/Versions.props

@@ -16,8 +16,4 @@
     <!-- Command-line-api dependencies -->
     <SystemCommandLinePackageVersion>2.0.0-beta4.24324.3</SystemCommandLinePackageVersion>
   </PropertyGroup>
-  <PropertyGroup>
-    <!-- Non-maestro versions -->
-    <SystemFormatsAsn1Version>8.0.1</SystemFormatsAsn1Version>
-  </PropertyGroup>
 </Project>