Medium and low level vulnerabilities patched (#3286)

* Pathched CVE-2018-8356. * Pathched CVE-2019-0657. * Pathched CVE-2019-0657, CVE-2019-0980 and CVE-2019-0981. * Package fixed. * Moved versions to arcade folder * Fix csproj formatting * Auto format csproj Co-authored-by: nohwnd <me@jakubjares.com>
microsoft · Jan 28, 2022 · 66d81fd · 66d81fd
1 parent 361bf62
commit 66d81fd
Show file tree

Hide file tree

Showing 7 changed files with 111 additions and 84 deletions.
diff --git a/eng/Versions.props b/eng/Versions.props
@@ -15,6 +15,8 @@
     <LibGit2SharpVersion>0.25.2</LibGit2SharpVersion>
     <log4netVersion>2.0.8</log4netVersion>
     <SystemNetHttpVersion>4.3.4</SystemNetHttpVersion>
+    <SystemServiceModelVersion>4.3.3</SystemServiceModelVersion>
+    <SystemUriVersion>4.3.2</SystemUriVersion>
     <MicrosoftAzureStorageBlobVersion>10.0.2</MicrosoftAzureStorageBlobVersion>
     <MicrosoftAzureKeyVaultVersion>3.0.0</MicrosoftAzureKeyVaultVersion>
     <MicrosoftAzureServicesAppAuthenticationVersion>1.3.1</MicrosoftAzureServicesAppAuthenticationVersion>

diff --git a/scripts/build/TestPlatform.Dependencies.props b/scripts/build/TestPlatform.Dependencies.props
@@ -37,10 +37,8 @@
     <TestPlatformMSDiaVersion>17.1.0-preview-2-31925-026</TestPlatformMSDiaVersion>
     <!-- Portable CPP test runner -->
     <TestPlatformRemoteExternalsVersion>17.1.0-preview-2-31925-026</TestPlatformRemoteExternalsVersion>
-
     <InteropExternalsVersion>17.1.0-preview-2-31925-026</InteropExternalsVersion>
     <MicrosoftFakesVersion>17.0.0-beta.21179.1</MicrosoftFakesVersion>
-
     <MicrosoftBuildPackageVersion>16.0.461</MicrosoftBuildPackageVersion>
     <MicrosoftBuildFrameworkPackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildFrameworkPackageVersion>
     <MicrosoftBuildUtilitiesCorePackageVersion>$(MicrosoftBuildPackageVersion)</MicrosoftBuildUtilitiesCorePackageVersion>
@@ -49,14 +47,11 @@
     <MicrosoftExtensionsFileSystemGlobbingPackageVersion>1.1.1</MicrosoftExtensionsFileSystemGlobbingPackageVersion>
 
     <CoverletCoverageVersion>1.2.0</CoverletCoverageVersion>
-    <SystemNetHttpVersion>4.3.4</SystemNetHttpVersion>
+    <RoslynPublicApiAnalyzersVersion>3.3.4-beta1.21554.2</RoslynPublicApiAnalyzersVersion>
 
     <DependencyVersionsImported>true</DependencyVersionsImported>
-
-    <RoslynPublicApiAnalyzersVersion>3.3.4-beta1.21554.2</RoslynPublicApiAnalyzersVersion>
   </PropertyGroup>
 
   <Import Project="$(MSBuildThisFileDirectory)..\..\eng\Versions.props" />
   <Import Project="$(DotNetPackageVersionPropsPath)" Condition="'$(DotNetPackageVersionPropsPath)' != ''" />
-
 </Project>
diff --git a/scripts/verify-nupkgs.ps1 b/scripts/verify-nupkgs.ps1
@@ -16,7 +16,7 @@ function Verify-Nuget-Packages($packageDirectory, $version)
         "Microsoft.NET.Test.Sdk" = 27;
         "Microsoft.TestPlatform" = 590;
         "Microsoft.TestPlatform.Build" = 21;
-        "Microsoft.TestPlatform.CLI" = 404;
+        "Microsoft.TestPlatform.CLI" = 405;
         "Microsoft.TestPlatform.Extensions.TrxLogger" = 35;
         "Microsoft.TestPlatform.ObjectModel" = 238;
         "Microsoft.TestPlatform.AdapterUtilities" = 62;

diff --git a/src/Microsoft.TestPlatform.AdapterUtilities/Microsoft.TestPlatform.AdapterUtilities.csproj b/src/Microsoft.TestPlatform.AdapterUtilities/Microsoft.TestPlatform.AdapterUtilities.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TestPlatformRoot Condition="$(TestPlatformRoot) == ''">..\..\</TestPlatformRoot>
   </PropertyGroup>
@@ -37,21 +37,35 @@
   <ItemGroup Condition=" '$(TargetFramework)' == 'uap10.0' ">
     <PackageReference Include="Microsoft.NETCore.UniversalWindowsPlatform" Version="5.1.0" />
     <PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
+
+    <!-- CVE-2018-8356 mitigation -->
+    <PackageReference Include="System.ServiceModel.Duplex" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.ServiceModel.NetTcp" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.ServiceModel.Primitives" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.ServiceModel.Security" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.Private.ServiceModel" Version="$(SystemServiceModelVersion)" />
+    <!-- / CVE-2018-8356 mitigation -->
+  </ItemGroup>
+
+  <ItemGroup>
+    <!-- CVE-2019-0657 mitigation -->
+    <PackageReference Include="System.Private.Uri" Version="$(SystemUriVersion)" />
+    <!-- / CVE-2019-0657 mitigation -->
   </ItemGroup>
 
   <ItemGroup>
     <EmbeddedResource Include="Resources\Resources.resx" />
     <!-- Disabled auto code generation to support net20
-    <Compile Update="Resources\Resources.Designer.cs">
-      <DesignTime>True</DesignTime>
-      <AutoGen>True</AutoGen>
-      <DependentUpon>Resources.resx</DependentUpon>
-    </Compile>
-    <EmbeddedResource Update="Resources\Resources.resx">
-      <Generator>ResXFileCodeGenerator</Generator>
-      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
-    </EmbeddedResource>
-    -->
+		<Compile Update="Resources\Resources.Designer.cs">
+			<DesignTime>True</DesignTime>
+			<AutoGen>True</AutoGen>
+			<DependentUpon>Resources.resx</DependentUpon>
+		</Compile>
+		<EmbeddedResource Update="Resources\Resources.resx">
+			<Generator>ResXFileCodeGenerator</Generator>
+			<LastGenOutput>Resources.Designer.cs</LastGenOutput>
+		</EmbeddedResource>
+		-->
   </ItemGroup>
 
   <ItemGroup>

diff --git a/...soft.TestPlatform.PlatformAbstractions/Microsoft.TestPlatform.PlatformAbstractions.csproj b/...soft.TestPlatform.PlatformAbstractions/Microsoft.TestPlatform.PlatformAbstractions.csproj
@@ -1,66 +1,74 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project Sdk="Microsoft.NET.Sdk" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-	<PropertyGroup>
-		<TestPlatformRoot Condition="$(TestPlatformRoot) == ''">..\..\</TestPlatformRoot>
-	</PropertyGroup>
-	<Import Project="$(TestPlatformRoot)scripts/build/TestPlatform.Settings.targets" />
-	<PropertyGroup>
-		<AssemblyName>Microsoft.TestPlatform.PlatformAbstractions</AssemblyName>
-		<RootNamespace>Microsoft.TestPlatform.PlatformAbstractions</RootNamespace>
-		<TargetFrameworks>net45;net451;netcoreapp1.0;netcoreapp2.1;netstandard1.3;netstandard2.0</TargetFrameworks>
-		<TargetFrameworks Condition="'$(OS)' == 'Windows_NT'">$(TargetFrameworks);uap10.0;netstandard1.0</TargetFrameworks>
-		<TargetFrameworks Condition=" '$(DotNetBuildFromSource)' == 'true' ">net6.0</TargetFrameworks>
-		<EnableCodeAnalysis>true</EnableCodeAnalysis>
-		<IsTestProject>false</IsTestProject>
-		<!-- This causes a build error on netcoreapp1.0 -->
-		<NoWarn Condition="'$(TargetFramework)' != 'netcoreapp1.0'">NU1605</NoWarn>
-	</PropertyGroup>
+  <PropertyGroup>
+    <TestPlatformRoot Condition="$(TestPlatformRoot) == ''">..\..\</TestPlatformRoot>
+  </PropertyGroup>
+  <Import Project="$(TestPlatformRoot)scripts/build/TestPlatform.Settings.targets" />
+  <PropertyGroup>
+    <AssemblyName>Microsoft.TestPlatform.PlatformAbstractions</AssemblyName>
+    <RootNamespace>Microsoft.TestPlatform.PlatformAbstractions</RootNamespace>
+    <TargetFrameworks>net45;net451;netcoreapp1.0;netcoreapp2.1;netstandard1.3;netstandard2.0</TargetFrameworks>
+    <TargetFrameworks Condition="'$(OS)' == 'Windows_NT'">$(TargetFrameworks);uap10.0;netstandard1.0</TargetFrameworks>
+    <TargetFrameworks Condition=" '$(DotNetBuildFromSource)' == 'true' ">net6.0</TargetFrameworks>
+    <EnableCodeAnalysis>true</EnableCodeAnalysis>
+    <IsTestProject>false</IsTestProject>
+    <!-- This causes a build error on netcoreapp1.0 -->
+    <NoWarn Condition="'$(TargetFramework)' != 'netcoreapp1.0'">NU1605</NoWarn>
+  </PropertyGroup>
 
-	<PropertyGroup Condition="'$(TargetFramework)' == 'uap10.0'">
-		<CopyLocalLockFileAssemblies>false</CopyLocalLockFileAssemblies>
-		<NugetTargetMoniker>UAP,Version=v10.0</NugetTargetMoniker>
-		<TargetPlatformIdentifier>UAP</TargetPlatformIdentifier>
-		<TargetPlatformVersion>10.0.14393.0</TargetPlatformVersion>
-		<TargetPlatformMinVersion>10.0.10240.0</TargetPlatformMinVersion>
-		<TargetFrameworkIdentifier>.NETPortable</TargetFrameworkIdentifier>
-		<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
-		<DefineConstants>$(DefineConstants);WINDOWS_UWP</DefineConstants>
-	</PropertyGroup>
+  <PropertyGroup Condition="'$(TargetFramework)' == 'uap10.0'">
+    <CopyLocalLockFileAssemblies>false</CopyLocalLockFileAssemblies>
+    <NugetTargetMoniker>UAP,Version=v10.0</NugetTargetMoniker>
+    <TargetPlatformIdentifier>UAP</TargetPlatformIdentifier>
+    <TargetPlatformVersion>10.0.14393.0</TargetPlatformVersion>
+    <TargetPlatformMinVersion>10.0.10240.0</TargetPlatformMinVersion>
+    <TargetFrameworkIdentifier>.NETPortable</TargetFrameworkIdentifier>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <DefineConstants>$(DefineConstants);WINDOWS_UWP</DefineConstants>
+  </PropertyGroup>
 
-	<ItemGroup Condition=" '$(TargetFramework)' == 'netcoreapp2.1' OR '$(TargetFramework)' == 'netcoreapp1.0' ">
-		<PackageReference Include="System.Threading.Thread" Version="4.0.0" />
-		<PackageReference Include="System.Diagnostics.Process" Version="4.1.0" />
-		<PackageReference Include="System.Diagnostics.TextWriterTraceListener" Version="4.0.0" />
-		<PackageReference Include="System.Diagnostics.TraceSource" Version="4.0.0" />
-		<PackageReference Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.0.0" />
-		<PackageReference Include="System.Runtime.Loader" Version="4.0.0" />
-		<PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
-	</ItemGroup>
+  <ItemGroup Condition=" '$(TargetFramework)' == 'netcoreapp2.1' OR '$(TargetFramework)' == 'netcoreapp1.0' ">
+    <PackageReference Include="System.Threading.Thread" Version="4.0.0" />
+    <PackageReference Include="System.Diagnostics.Process" Version="4.1.0" />
+    <PackageReference Include="System.Diagnostics.TextWriterTraceListener" Version="4.0.0" />
+    <PackageReference Include="System.Diagnostics.TraceSource" Version="4.0.0" />
+    <PackageReference Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.0.0" />
+    <PackageReference Include="System.Runtime.Loader" Version="4.0.0" />
+    <PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
+  </ItemGroup>
 
-	<ItemGroup Condition=" '$(TargetFramework)' == 'net451' OR '$(TargetFramework)' == 'net45' ">
-		<PackageReference Include="Microsoft.Internal.Dia.Interop" Version="$(TestPlatformMSDiaVersion)" />
+  <ItemGroup Condition=" '$(TargetFramework)' == 'net451' OR '$(TargetFramework)' == 'net45' ">
+    <PackageReference Include="Microsoft.Internal.Dia.Interop" Version="$(TestPlatformMSDiaVersion)" />
 
-		<Reference Include="System.Configuration" />
-		<Reference Include="System" />
-		<Reference Include="Microsoft.CSharp" />
-	</ItemGroup>
+    <Reference Include="System.Configuration" />
+    <Reference Include="System" />
+    <Reference Include="Microsoft.CSharp" />
+  </ItemGroup>
 
-	<ItemGroup Condition=" '$(TargetFramework)' == 'uap10.0' ">
-		<PackageReference Include="Microsoft.NETCore.UniversalWindowsPlatform" Version="5.1.0" />
-		<PackageReference Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.3.0" />
-		<PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
-	</ItemGroup>
+  <ItemGroup Condition=" '$(TargetFramework)' == 'uap10.0' ">
+    <PackageReference Include="Microsoft.NETCore.UniversalWindowsPlatform" Version="5.1.0" />
+    <PackageReference Include="System.Runtime.InteropServices.RuntimeInformation" Version="4.3.0" />
+    <PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
 
-	<ItemGroup>
-		<!-- API that is common to all frameworks that we build for. -->
-		<AdditionalFiles Include="PublicAPI/PublicAPI.Shipped.txt" />
-		<AdditionalFiles Include="PublicAPI/PublicAPI.Unshipped.txt" />
-		<!-- API that is common to all frameworks except for .NET Standard 1.0. -->
-		<AdditionalFiles Condition=" '$(TargetFramework)' != 'netstandard1.0' " Include="PublicAPI\net\PublicAPI.Shipped.txt" />
-		<AdditionalFiles Condition=" '$(TargetFramework)' != 'netstandard1.0' " Include="PublicAPI\net\PublicAPI.Unshipped.txt" />
-		<!-- Framework specific API -->
-		<AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Shipped.txt" />
-		<AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Unshipped.txt" />
-	</ItemGroup>
-	<Import Project="$(TestPlatformRoot)scripts\build\TestPlatform.targets" />
+    <!-- CVE-2018-8356 mitigation -->
+    <PackageReference Include="System.ServiceModel.Duplex" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.ServiceModel.NetTcp" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.ServiceModel.Primitives" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.ServiceModel.Security" Version="$(SystemServiceModelVersion)" />
+    <PackageReference Include="System.Private.ServiceModel" Version="$(SystemServiceModelVersion)" />
+    <!-- / CVE-2018-8356 mitigation -->
+  </ItemGroup>
+
+  <ItemGroup>
+    <!-- API that is common to all frameworks that we build for. -->
+    <AdditionalFiles Include="PublicAPI/PublicAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/PublicAPI.Unshipped.txt" />
+    <!-- API that is common to all frameworks except for .NET Standard 1.0. -->
+    <AdditionalFiles Condition=" '$(TargetFramework)' != 'netstandard1.0' " Include="PublicAPI\net\PublicAPI.Shipped.txt" />
+    <AdditionalFiles Condition=" '$(TargetFramework)' != 'netstandard1.0' " Include="PublicAPI\net\PublicAPI.Unshipped.txt" />
+    <!-- Framework specific API -->
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Shipped.txt" />
+    <AdditionalFiles Include="PublicAPI/$(TargetFramework)/PublicAPI.Unshipped.txt" />
+  </ItemGroup>
+  <Import Project="$(TestPlatformRoot)scripts\build\TestPlatform.targets" />
 </Project>
diff --git a/src/testhost.x86/testhost.x86.csproj b/src/testhost.x86/testhost.x86.csproj
@@ -25,10 +25,10 @@
   <ItemGroup>
     <None Include="app.config" />
   </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="System.Diagnostics.StackTrace" Condition="'$(TargetFramework)' == 'netcoreapp1.0'" Version="4.3.0" />
-    <PackageReference Include="System.Diagnostics.TraceSource" Condition="'$(TargetFramework)' == 'netcoreapp1.0'" Version="4.3.0" />
-    <PackageReference Include="System.Net.Http" Condition="'$(TargetFramework)' == 'netcoreapp1.0'" Version="$(SystemNetHttpVersion)" />
+  <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp1.0'">
+    <PackageReference Include="System.Diagnostics.StackTrace" Version="4.3.0" />
+    <PackageReference Include="System.Diagnostics.TraceSource" Version="4.3.0" />
+    <PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Microsoft.TestPlatform.CommunicationUtilities\Microsoft.TestPlatform.CommunicationUtilities.csproj" />
@@ -40,6 +40,10 @@
     <ProjectReference Include="..\Microsoft.TestPlatform.Common\Microsoft.TestPlatform.Common.csproj">
       <FromP2P>true</FromP2P>
     </ProjectReference>
+
+    <!-- CVE-2019-0657, CVE-2019-0980 and CVE-2019-0981 mitigation -->
+    <PackageReference Include="System.Private.Uri" Version="$(SystemUriVersion)" />
+    <!-- CVE-2019-0657, CVE-2019-0980 and CVE-2019-0981 mitigation -->
   </ItemGroup>
   <ItemGroup Condition=" $(TargetFramework.StartsWith('net4')) AND '$(OS)' != 'Windows_NT' ">
     <Reference Include="netstandard" />

diff --git a/src/testhost/testhost.csproj b/src/testhost/testhost.csproj
@@ -25,10 +25,10 @@
     <Compile Include="..\testhost.x86\TestHostTraceListener.cs" Link="TestHostTraceListener.cs" />
     <None Include="app.config" />
   </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="System.Diagnostics.StackTrace" Condition="'$(TargetFramework)' == 'netcoreapp1.0'" Version="4.3.0" />
-    <PackageReference Include="System.Diagnostics.TraceSource" Condition="'$(TargetFramework)' == 'netcoreapp1.0'" Version="4.3.0" />
-    <PackageReference Include="System.Net.Http" Condition="'$(TargetFramework)' == 'netcoreapp1.0'" Version="$(SystemNetHttpVersion)" />
+  <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp1.0'">
+    <PackageReference Include="System.Diagnostics.StackTrace" Version="4.3.0" />
+    <PackageReference Include="System.Diagnostics.TraceSource" Version="4.3.0" />
+    <PackageReference Include="System.Net.Http" Version="$(SystemNetHttpVersion)" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\Microsoft.TestPlatform.CommunicationUtilities\Microsoft.TestPlatform.CommunicationUtilities.csproj" />
@@ -40,6 +40,10 @@
     <ProjectReference Include="..\Microsoft.TestPlatform.Common\Microsoft.TestPlatform.Common.csproj">
       <FromP2P>true</FromP2P>
     </ProjectReference>
+
+    <!-- CVE-2019-0657, CVE-2019-0980 and CVE-2019-0981 mitigation -->
+    <PackageReference Include="System.Private.Uri" Version="$(SystemUriVersion)" />
+    <!-- CVE-2019-0657, CVE-2019-0980 and CVE-2019-0981 mitigation -->
   </ItemGroup>
   <ItemGroup Condition=" $(TargetFramework.StartsWith('net4')) AND '$(OS)' != 'Windows_NT' ">
     <Reference Include="netstandard" />