[elastic. azure, gcp] Mitigate STJ vulnerabilities (#2198)

open-telemetry · Oct 9, 2024 · 5127c95 · 5127c95
1 parent 2f0ee5a
commit 5127c95
Show file tree

Hide file tree

Showing 7 changed files with 23 additions and 11 deletions.
diff --git a/build/Common.targets b/build/Common.targets
@@ -10,7 +10,7 @@
  -->
  <PackageReference Include="System.Text.Encodings.Web"
  Version="$(SystemTextEncodingsWebMinimumOutOfBandPkgVer)"
- Condition="'$(SystemTextJsonMinimumRequiredPkgVer)' == '4.7.2' AND '$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
+ Condition="($(SystemTextJsonMinimumRequiredPkgVer.StartsWith('[4.7.2')) OR '$(SystemTextJsonMinimumRequiredPkgVer)' == '4.7.2') AND '$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
  <PackageReference Include="System.Text.Json"
  Version="$(SystemTextJsonMinimumRequiredPkgVer)"
  Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />

diff --git a/src/OpenTelemetry.Instrumentation.ElasticsearchClient/CHANGELOG.md b/src/OpenTelemetry.Instrumentation.ElasticsearchClient/CHANGELOG.md
@@ -15,6 +15,11 @@
 * Updated OpenTelemetry core component version(s) to `1.9.0`.
  ([#1888](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/1888))
 
+* Lowered the `System.Text.Json` reference to `4.7.2` for `net462` and
+ `netstandard2.0` targets in response to
+ [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+ ([#2198](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2198))
+
 ## 1.0.0-beta.5
 
 Released 2023-Oct-24

diff --git a/...trumentation.ElasticsearchClient/OpenTelemetry.Instrumentation.ElasticsearchClient.csproj b/...trumentation.ElasticsearchClient/OpenTelemetry.Instrumentation.ElasticsearchClient.csproj
@@ -7,17 +7,17 @@
  <Description>Elasticsearch instrumentation for OpenTelemetry .NET.</Description>
  <PackageTags>$(PackageTags);distributed-tracing</PackageTags>
  <MinVerTagPrefix>Instrumentation.ElasticsearchClient-</MinVerTagPrefix>
+ <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonMinimumOutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
  </PropertyGroup>
 
- <!-- Do not run Package Baseline Validation as this package has never released a stable version.
+ <!-- Do not run Package Baseline Validation as this package has never released a stable version.
  Remove this property once we have released a stable version and add PackageValidationBaselineVersion property. -->
  <PropertyGroup>
  <DisablePackageBaselineValidation>true</DisablePackageBaselineValidation>
  </PropertyGroup>
 
  <ItemGroup>
  <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
- <PackageReference Include="System.Text.Json" Version="6.0.4" />
  </ItemGroup>
 
  <ItemGroup>

diff --git a/src/OpenTelemetry.Resources.Azure/CHANGELOG.md b/src/OpenTelemetry.Resources.Azure/CHANGELOG.md
@@ -5,6 +5,11 @@
 * Drop support for .NET 6 as this target is no longer supported and add .NET 8 target.
  ([#2165](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2165))
 
+* Added direct reference to `System.Text.Json` for the `net8.0` target with
+ minimum version of `8.0.5` in response to
+ [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+ ([#2198](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2198))
+
 ## 1.0.0-beta.9
 
 Released 2024-Sep-24

diff --git a/src/OpenTelemetry.Resources.Azure/OpenTelemetry.Resources.Azure.csproj b/src/OpenTelemetry.Resources.Azure/OpenTelemetry.Resources.Azure.csproj
@@ -5,6 +5,7 @@
  <Description>OpenTelemetry Resource Detectors for Azure cloud environments.</Description>
  <PackageTags>$(PackageTags);ResourceDetector</PackageTags>
  <MinVerTagPrefix>Resources.Azure-</MinVerTagPrefix>
+ <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonMinimumOutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
  </PropertyGroup>
 
  <!-- Do not run Package Baseline Validation as this package has never released a stable version.
@@ -15,9 +16,6 @@
 
  <ItemGroup>
  <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
- <PackageReference Include="System.Text.Json" Version="4.7.2" />
- <!-- System.Text.Encodings.Web is indirect reference. It is needed to upgrade it directly to avoid https://github.com/advisories/GHSA-ghhp-997w-qr28 -->
- <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
  </ItemGroup>
 
  <ItemGroup>

diff --git a/src/OpenTelemetry.Resources.Gcp/CHANGELOG.md b/src/OpenTelemetry.Resources.Gcp/CHANGELOG.md
@@ -6,7 +6,13 @@
  is accessible via `AddGcpDetector` extension method on `ResourceBuilder`.
  ([#1691](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/1691))
 
-For more details, please refer to the [README](README.md).
-
 * Updated OpenTelemetry core component version(s) to `1.9.0`.
  ([#1888](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/1888))
+
+* Drop support for .NET 6 as this target is no longer supported and add .NET 8 target.
+ ([#2167](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2167))
+
+* Added direct reference to `System.Text.Json` for the `net8.0` target with
+ minimum version of `8.0.5` in response to
+ [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+ ([#2198](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2198))
diff --git a/src/OpenTelemetry.Resources.Gcp/OpenTelemetry.Resources.Gcp.csproj b/src/OpenTelemetry.Resources.Gcp/OpenTelemetry.Resources.Gcp.csproj
@@ -5,6 +5,7 @@
  <Description>OpenTelemetry Resource Detectors for Google Cloud Platform environments.</Description>
  <PackageTags>$(PackageTags);ResourceDetector</PackageTags>
  <MinVerTagPrefix>Resources.Gcp-</MinVerTagPrefix>
+ <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonMinimumOutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
  </PropertyGroup>
 
  <!-- Do not run Package Baseline Validation as this package has never released a stable version.
@@ -16,9 +17,6 @@
  <ItemGroup>
  <PackageReference Include="Google.Api.Gax" Version="4.8.0" />
  <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
- <PackageReference Include="System.Text.Json" Version="4.7.2" />
- <!-- System.Text.Encodings.Web is indirect reference. It is needed to upgrade it directly to avoid https://github.com/advisories/GHSA-ghhp-997w-qr28 -->
- <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
  </ItemGroup>
 
  <ItemGroup>