Merge branch 'main' into signing_with_cosign

ThomsonTan · web-flow · commit 045e95497a17 · 2024-10-09T16:02:33.000-07:00
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -18,7 +18,7 @@ jobs:
           close-pr-message: 'Closed as inactive. Feel free to reopen if this PR is still being worked on.'
           operations-per-run: 400
           days-before-pr-stale: 7
-          days-before-issue-stale: 600
+          days-before-issue-stale: 450
           days-before-pr-close: 7
           days-before-issue-close: 7
           exempt-all-issue-milestones: true
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -3,8 +3,10 @@
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <OTelLatestStableVer>1.9.0</OTelLatestStableVer>
+
+    <!-- Mitigate https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485. -->
     <SystemTextEncodingsWebOutOfBandMinimumCoreAppVer>8.0.0</SystemTextEncodingsWebOutOfBandMinimumCoreAppVer>
-    <SystemTextJsonOutOfBandMinimumCoreAppVer>8.0.4</SystemTextJsonOutOfBandMinimumCoreAppVer>
+    <SystemTextJsonOutOfBandMinimumCoreAppVer>8.0.5</SystemTextJsonOutOfBandMinimumCoreAppVer>
   </PropertyGroup>
 
   <!--
@@ -59,6 +61,11 @@
   </ItemGroup>
 
   <ItemGroup>
+    <!--
+        Note: See TargetFrameworksRequiringSystemTextJsonDirectReference for the
+        list of targets where System.Text.Json direct reference is applied.
+    -->
+
     <!--
         We use conservative versions of these packages for older runtimes where
         an upgrade might introduce breaking changes. For example see:
@@ -67,7 +74,7 @@
     <PackageVersion Include="System.Text.Encodings.Web" Version="4.7.2" />
     <PackageVersion Include="System.Text.Json" Version="4.7.2" />
 
-    <!-- Bump System.Text.Json on NETCoreApp targets to mitigate https://github.com/advisories/GHSA-hh2w-p6rv-4g7w. -->
+    <!-- Newer NETCoreApp runtimes need to be redirected to safe versions. -->
     <PackageVersion Update="System.Text.Encodings.Web" Version="$(SystemTextEncodingsWebOutOfBandMinimumCoreAppVer)" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />
     <PackageVersion Update="System.Text.Json" Version="$(SystemTextJsonOutOfBandMinimumCoreAppVer)" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />
   </ItemGroup>
diff --git a/src/OpenTelemetry.Exporter.Console/CHANGELOG.md b/src/OpenTelemetry.Exporter.Console/CHANGELOG.md
@@ -7,9 +7,11 @@ Notes](../../RELEASENOTES.md).
 ## Unreleased
 
 * Added direct reference to `System.Text.Json` for the `net8.0` target with
-  minimum version of `8.0.4` in response to
-  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w).
-  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874))
+  minimum version of `8.0.5` in response to
+  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w) &
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874),
+  [#5891](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5891))
 
 ## 1.10.0-beta.1
 
diff --git a/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md b/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md
@@ -7,9 +7,11 @@ Notes](../../RELEASENOTES.md).
 ## Unreleased
 
 * Added direct reference to `System.Text.Json` for the `net8.0` target with
-  minimum version of `8.0.4` in response to
-  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w).
-  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874))
+  minimum version of `8.0.5` in response to
+  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w) &
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874),
+  [#5891](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5891))
 
 ## 1.10.0-beta.1
 
diff --git a/src/OpenTelemetry/Internal/SelfDiagnosticsConfigParser.cs b/src/OpenTelemetry/Internal/SelfDiagnosticsConfigParser.cs
@@ -66,10 +66,21 @@ public bool TryGetConfiguration(
                 this.configBuffer = buffer;
             }
 
-            // TODO: Fix CA2022 - Avoid inexact read with 'System.IO.FileStream.Read(byte[], int, int)'
-            // Added _ = as a workaround to suppress the warning
-            _ = file.Read(buffer, 0, buffer.Length);
-            string configJson = Encoding.UTF8.GetString(buffer);
+            int bytesRead = 0;
+            int totalBytesRead = 0;
+
+            while (totalBytesRead < buffer.Length)
+            {
+                bytesRead = file.Read(buffer, totalBytesRead, buffer.Length - totalBytesRead);
+                if (bytesRead == 0)
+                {
+                    break;
+                }
+
+                totalBytesRead += bytesRead;
+            }
+
+            string configJson = Encoding.UTF8.GetString(buffer, 0, totalBytesRead);
 
             if (!TryParseLogDirectory(configJson, out logDirectory))
             {
diff --git a/test/OpenTelemetry.Tests/Internal/SelfDiagnosticsEventListenerTest.cs b/test/OpenTelemetry.Tests/Internal/SelfDiagnosticsEventListenerTest.cs
@@ -125,8 +125,20 @@ public void SelfDiagnosticsEventListener_EmitEvent_OmitAsConfigured()
         using FileStream file = File.Open(LOGFILEPATH, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete);
         var buffer = new byte[256];
 
-        // Suppress CA2022 error: Avoid inexact read with 'System.IO.FileStream.Read(byte[], int, int)'
-        _ = file.Read(buffer, 0, buffer.Length);
+        int bytesRead = 0;
+        int totalBytesRead = 0;
+
+        while (totalBytesRead < buffer.Length)
+        {
+            bytesRead = file.Read(buffer, totalBytesRead, buffer.Length - totalBytesRead);
+            if (bytesRead == 0)
+            {
+                break;
+            }
+
+            totalBytesRead += bytesRead;
+        }
+
         Assert.Equal('\0', (char)buffer[0]);
     }
 
@@ -259,9 +271,21 @@ private static void AssertFileOutput(string filePath, string eventMessage)
         using FileStream file = File.Open(filePath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete);
         var buffer = new byte[256];
 
-        // Suppress CA2022 error: Avoid inexact read with 'System.IO.FileStream.Read(byte[], int, int)'
-        _ = file.Read(buffer, 0, buffer.Length);
-        string logLine = Encoding.UTF8.GetString(buffer);
+        int bytesRead = 0;
+        int totalBytesRead = 0;
+
+        while (totalBytesRead < buffer.Length)
+        {
+            bytesRead = file.Read(buffer, totalBytesRead, buffer.Length - totalBytesRead);
+            if (bytesRead == 0)
+            {
+                break;
+            }
+
+            totalBytesRead += bytesRead;
+        }
+
+        string logLine = Encoding.UTF8.GetString(buffer, 0, totalBytesRead);
         string logMessage = ParseLogMessage(logLine);
         Assert.StartsWith(eventMessage, logMessage);
     }
