[onecollector & resources.aws] Mitigate STJ vulnerabilities (open-telemetry#2196)

CodeBlanch · web-flow · commit 81bcef54b9c4 · 2024-10-09T14:20:45.000-07:00
diff --git a/build/Common.props b/build/Common.props
@@ -35,8 +35,8 @@
     <MinVerPkgVer>[5.0.0,6.0)</MinVerPkgVer>
     <MicrosoftExtensionsConfigurationBinderPkgVer>[8.0.1,)</MicrosoftExtensionsConfigurationBinderPkgVer>
     <MicrosoftExtensionsHostingAbstractionsPkgVer>[2.1.0,5.0)</MicrosoftExtensionsHostingAbstractionsPkgVer>
-    <MicrosoftExtensionsConfigurationPkgVer>8.0.0</MicrosoftExtensionsConfigurationPkgVer>
-    <MicrosoftExtensionsOptionsPkgVer>8.0.0</MicrosoftExtensionsOptionsPkgVer>
+    <MicrosoftExtensionsConfigurationPkgVer>[8.0.0,)</MicrosoftExtensionsConfigurationPkgVer>
+    <MicrosoftExtensionsOptionsPkgVer>[8.0.0,)</MicrosoftExtensionsOptionsPkgVer>
     <MicrosoftNETFrameworkReferenceAssembliesPkgVer>[1.0.3,2.0)</MicrosoftNETFrameworkReferenceAssembliesPkgVer>
     <MicrosoftOwinPkgVer>[4.2.2,5.0)</MicrosoftOwinPkgVer>
     <MicrosoftPublicApiAnalyzersPkgVer>[3.11.0-beta1.23525.2]</MicrosoftPublicApiAnalyzersPkgVer>
@@ -49,8 +49,13 @@
     <CassandraCSharpDriverPkgVer>[3.16.0,4.0)</CassandraCSharpDriverPkgVer>
     <StyleCopAnalyzersPkgVer>[1.2.0-beta.556,2.0)</StyleCopAnalyzersPkgVer>
     <SystemNetHttp>[4.3.4,)</SystemNetHttp>
-    <SystemReflectionEmitLightweightPkgVer>4.7.0</SystemReflectionEmitLightweightPkgVer>
-    <SystemTextJsonPkgVer>[6.0.0,)</SystemTextJsonPkgVer>
+    <SystemReflectionEmitLightweightPkgVer>[4.7.0,)</SystemReflectionEmitLightweightPkgVer>
+
+    <!-- Note: Special handling is performed for System.Text.Json. -->
+    <SystemTextEncodingsWebMinimumOutOfBandPkgVer>[4.7.2,)</SystemTextEncodingsWebMinimumOutOfBandPkgVer>
+    <SystemTextJsonMinimumOutOfBandPkgVer>[4.7.2,)</SystemTextJsonMinimumOutOfBandPkgVer>
+    <SystemTextJsonLatestNet6OutOfBandPkgVer>[6.0.10,)</SystemTextJsonLatestNet6OutOfBandPkgVer>
+    <SystemTextJsonLatestNet8OutOfBandPkgVer>[8.0.5,)</SystemTextJsonLatestNet8OutOfBandPkgVer>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/build/Common.targets b/build/Common.targets
@@ -1,3 +1,23 @@
 <Project>
 
+  <ItemGroup Condition="'$(SystemTextJsonMinimumRequiredPkgVer)' != ''">
+    <!--
+        Note: System.Text.Encodings.Web is referenced when System.Text.Json is
+        using v4.7.2 because System.Text.Json v4.7.2 depends on
+        System.Text.Encodings.Web
+        >= v4.7.1 but System.Text.Encodings.Web needs to be at v4.7.2 to be
+        safe.
+    -->
+    <PackageReference Include="System.Text.Encodings.Web"
+                      Version="$(SystemTextEncodingsWebMinimumOutOfBandPkgVer)"
+                      Condition="'$(SystemTextJsonMinimumRequiredPkgVer)' == '4.7.2' AND '$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
+    <PackageReference Include="System.Text.Json"
+                      Version="$(SystemTextJsonMinimumRequiredPkgVer)"
+                      Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
+
+    <PackageReference Include="System.Text.Json"
+                      Version="$(SystemTextJsonLatestNet8OutOfBandPkgVer)"
+                      Condition="'$(TargetFramework)' == 'net8.0'" />
+  </ItemGroup>
+
 </Project>
diff --git a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
@@ -5,6 +5,11 @@
 * Drop support for .NET 6 as this target is no longer supported.
   ([#2123](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2123))
 
+* Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and bumped to `8.0.5` on `net8.0` in response to
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#2196](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2196))
+
 ## 1.10.0-alpha.1
 
 Released 2024-Sep-06
diff --git a/src/OpenTelemetry.Exporter.OneCollector/OpenTelemetry.Exporter.OneCollector.csproj b/src/OpenTelemetry.Exporter.OneCollector/OpenTelemetry.Exporter.OneCollector.csproj
@@ -14,6 +14,7 @@
     in the future (hopefully .NET 9) see https://github.com/dotnet/runtime/issues/92509 -->
     <NoWarn>$(NoWarn);SYSLIB1100;SYSLIB1101</NoWarn>
     <PackageValidationBaselineVersion>1.9.2</PackageValidationBaselineVersion>
+    <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonLatestNet6OutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
   </PropertyGroup>
 
   <PropertyGroup>
@@ -23,12 +24,11 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OTelSdkVersion)" />
-    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonPkgVer)" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="$(MicrosoftExtensionsConfigurationBinderPkgVer)" />
   </ItemGroup>
 
   <ItemGroup>
-    <Reference Include="System.Net.Http" Condition="'$(TargetFramework)' == 'net462'" />
+    <Reference Include="System.Net.Http" Condition="'$(TargetFramework)' == '$(NetFrameworkMinimumSupportedVersion)'" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
@@ -9,6 +9,11 @@
   and add .NET Standard 2.0 target.
   ([#2164](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2164))
 
+* Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and bumped to `8.0.5` on `net8.0` in response to
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#2196](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2196))
+
 ## 1.5.0-beta.1
 
 Released 2024-Jun-04
diff --git a/src/OpenTelemetry.Resources.AWS/OpenTelemetry.Resources.AWS.csproj b/src/OpenTelemetry.Resources.AWS/OpenTelemetry.Resources.AWS.csproj
@@ -6,6 +6,7 @@
     <TargetFrameworks Condition="$(OS) == 'Windows_NT'">$(TargetFrameworks);$(NetFrameworkMinimumSupportedVersion)</TargetFrameworks>
     <Description>OpenTelemetry Resource Detectors for AWS ElasticBeanstalk, EC2, ECS, EKS.</Description>
     <MinVerTagPrefix>Resources.AWS-</MinVerTagPrefix>
+    <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonLatestNet6OutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
   </PropertyGroup>
 
   <!-- Do not run Package Baseline Validation as this package has never released a stable version.
@@ -16,7 +17,6 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
-    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonPkgVer)" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
   </ItemGroup>
 
   <ItemGroup>
