Fix CVE issues (#3371)

Author: bachuv

samples/Directory.Packages.props

@@ -41,7 +41,7 @@
     <PackageVersion Update="Microsoft.Azure.WebJobs.Script.ExtensionsMetadataGenerator" Version="4.0.1" />
     <PackageVersion Update="Microsoft.Bcl.AsyncInterfaces" Version="10.0.1" />
     <PackageVersion Update="Microsoft.Extensions.Logging.Debug" Version="10.0.0" />
-    <PackageVersion Update="System.Drawing.Common" Version="6.0.0" />
+    <PackageVersion Update="System.Drawing.Common" Version="4.7.3" />
     <PackageVersion Update="System.Text.Json" Version="10.0.0" />
    </ItemGroup>
 

samples/durable-client-managed-identity/aspnetcore-app/ToDoList.csproj

@@ -8,6 +8,7 @@
   <!-- To specify a version in the package reference below, simply add `Version = ""`. -->
   <ItemGroup>
     <PackageReference Include="EntityFramework" />
+    <PackageReference Include="System.Drawing.Common" VersionOverride="6.0.0" />
     <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" >

samples/isolated-unit-tests/IsolatedUnitTest.csproj

@@ -9,6 +9,7 @@
   <ItemGroup>
     <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="Microsoft.ApplicationInsights.WorkerService" />
+    <PackageReference Include="System.Drawing.Common" VersionOverride="6.0.0" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" />

samples/todolist-aspnetcore/ToDoList.csproj

@@ -8,6 +8,7 @@
   <!-- To specify a version in the package reference below, simply add `Version = ""`. -->
   <ItemGroup>
     <PackageReference Include="EntityFramework" />
+    <PackageReference Include="System.Drawing.Common" VersionOverride="6.0.0" />
     <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" />
     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design"  />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" >

test/CodeGen.SourceGenerator.Test/DurableFunctions.TypedInterfaces.SourceGenerator.Test.csproj

@@ -19,6 +19,10 @@
     <PackageReference Include="Microsoft.Build.Framework" ExcludeAssets="runtime" />
     <PackageReference Include="Microsoft.Build.Locator" />
     <PackageReference Include="Microsoft.Build.Tasks.Core" ExcludeAssets="runtime" />
+    <!-- Microsoft.Build 17.8.43 transitively requires System.Drawing.Common >= 7.0.0,
+         which conflicts with the central pin of 4.7.3. Override here since this test
+         project does not ship to customers. -->
+    <PackageReference Include="System.Drawing.Common" VersionOverride="7.0.0" />
     <PackageReference Include="Microsoft.CodeAnalysis" />
     <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" />
     <PackageReference Include="Microsoft.CodeAnalysis.Workspaces.Common" />

test/Directory.Packages.props

@@ -10,10 +10,10 @@
     <PackageVersion Include="coverlet.collector" Version="6.0.0" />
     <PackageVersion Include="FluentAssertions" Version="4.19.4" />
     <PackageVersion Include="Microsoft.Azure.WebJobs.Logging.ApplicationInsights" Version="3.0.41" />
-    <PackageVersion Include="Microsoft.Build" Version="17.8.29" />
-    <PackageVersion Include="Microsoft.Build.Framework" Version="17.8.29" />
+    <PackageVersion Include="Microsoft.Build" Version="17.8.43" />
+    <PackageVersion Include="Microsoft.Build.Framework" Version="17.8.43" />
     <PackageVersion Include="Microsoft.Build.Locator" Version="1.4.1" />
-    <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="17.8.29" />
+    <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="17.8.43" />
     <PackageVersion Include="Microsoft.CodeAnalysis" Version="3.9.0" />
     <PackageVersion Include="Microsoft.CodeAnalysis.Workspaces.MSBuild" Version="3.9.0" />
     <PackageVersion Include="Microsoft.Diagnostics.Tracing.TraceEvent" Version="2.0.65" />
@@ -33,7 +33,7 @@
     <PackageVersion Update="Azure.Identity" Version="1.17.1" />
     <PackageVersion Update="Microsoft.Bcl.AsyncInterfaces" Version="10.0.1" />
     <PackageVersion Update="Microsoft.Extensions.Azure" Version="1.10.0" />
-    <PackageVersion Update="System.Drawing.Common" Version="7.0.0" />
+    <PackageVersion Update="System.Drawing.Common" Version="4.7.3" />
     <PackageVersion Update="System.Formats.Asn1" Version="8.0.1" />
     <PackageVersion Update="System.Text.Json" Version="10.0.0" />
   </ItemGroup>

test/SmokeTests/BackendSmokeTests/MSSQL/MSSQL.csproj

@@ -13,7 +13,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.6.0" />
     <PackageReference Include="Microsoft.DurableTask.SqlServer.AzureFunctions" Version="1.5.1" />
-    <PackageReference Include="System.Drawing.Common" Version="7.0.0" />
+    <PackageReference Include="System.Drawing.Common" Version="4.7.3" />
   </ItemGroup>
   <ItemGroup>
     <None Update="host.json">

test/e2e/Apps/BasicDotNetIsolated/Directory.Build.targets

@@ -0,0 +1,19 @@
+<Project>
+  <!--
+    The Azure Functions Worker SDK auto-generates a WorkerExtensions.csproj under obj/ with hardcoded
+    PackageReference versions. This conflicts with Central Package Management (CPM), causing NU1008
+    errors and preventing the transitive pin of System.Drawing.Common (in test/Directory.Packages.props)
+    from taking effect. As a result, the vulnerable transitive version 4.7.0 from
+    Microsoft.DurableTask.SqlServer.AzureFunctions remains unpatched (CVE-2021-24112).
+
+    This targets file disables CPM for the generated project and injects a direct PackageReference
+    to override the vulnerable transitive dependency.
+  -->
+  <PropertyGroup Condition="'$(AssemblyName)' == 'Microsoft.Azure.Functions.Worker.Extensions'">
+    <ManagePackageVersionsCentrally>false</ManagePackageVersionsCentrally>
+  </PropertyGroup>
+
+  <ItemGroup Condition="'$(AssemblyName)' == 'Microsoft.Azure.Functions.Worker.Extensions'">
+    <PackageReference Include="System.Drawing.Common" Version="4.7.3" />
+  </ItemGroup>
+</Project>

test/e2e/Apps/BasicDotNetIsolated/app.csproj

@@ -24,6 +24,7 @@
     <PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask.SqlServer" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask.AzureManaged" />
+    <PackageReference Include="System.Drawing.Common" VersionOverride="6.0.0" />
   </ItemGroup>
 
   <ItemGroup>

test/e2e/Apps/BasicJava/pom.xml

@@ -45,6 +45,13 @@
             <version>${durabletask.azure.functions}</version>
         </dependency>
 
+        <!-- Override transitive jackson-core to fix GHSA-72hv-8253-57qq (CVE in jackson-core < 2.18.6) -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>2.18.6</version>
+        </dependency>
+
         <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>