Fixed vulnerability CVE-2023-29337.

ernstc · ernstc · commit 28d34cdd4b2f · 2023-07-05T18:34:38.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## July 2023 Release (version 2.0.1)
+
+This release fixes the vulnerability CVE-2023-29337.
+
+---
+
 ## October 2022 Release (version 2.0.0)
 
 This release enables the use of different kinds of repositories and enables to configure each solution to use a different kind of repository. 
diff --git a/VisualStudioSolutionSecrets.Tests/VisualStudioSolutionSecrets.Tests.csproj b/VisualStudioSolutionSecrets.Tests/VisualStudioSolutionSecrets.Tests.csproj
@@ -133,14 +133,14 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.3.2" />
-    <PackageReference Include="Moq" Version="4.18.2" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.6.3" />
+    <PackageReference Include="Moq" Version="4.18.4" />
     <PackageReference Include="xunit" Version="2.4.2" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.4.5">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="3.1.2">
+    <PackageReference Include="coverlet.collector" Version="6.0.0">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
diff --git a/VisualStudioSolutionSecrets/Program.cs b/VisualStudioSolutionSecrets/Program.cs
@@ -57,19 +57,22 @@ protected int OnExecute(CommandLineApplication app)
         private static string GetVersion()
         {
             var assembly = typeof(Versions).Assembly;
-            var version = assembly?.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
             var copyright = assembly?.GetCustomAttribute<AssemblyCopyrightAttribute>()?.Copyright;
             string platform;
 #if NET7_0
-            platform = " (.NET 7.0)";
+            platform = ".NET 7.0";
 #elif NET6_0
-            platform = " (.NET 6.0)";
+            platform = ".NET 6.0";
 #elif NETCOREAPP3_1
-            platform = " (.Net Core 3.1)";
+            platform = ".Net Core 3.1";
 #else
             platform = String.Empty;
 #endif
-            return $"vs-secrets {version}\n{copyright}{platform}";
+            string details = Versions.CommitHash != null 
+                ? $" ({platform}, commit {Versions.CommitHash})" 
+                : $" ({platform})";
+
+            return $"vs-secrets {Versions.CurrentVersion}{details}\n{copyright}";
         }
 
 
diff --git a/VisualStudioSolutionSecrets/Versions.cs b/VisualStudioSolutionSecrets/Versions.cs
@@ -18,6 +18,7 @@ public static class Versions
 
 
         public static string? VersionString { get; }
+        public static string? CommitHash { get; }
         public static Version? CurrentVersion { get; }
 
 
@@ -27,8 +28,11 @@ static Versions()
                 .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?
                 .InformationalVersion;
 
-            VersionString = version ?? "unknown";
-            CurrentVersion = String.IsNullOrEmpty(version) ? new Version() : new Version(version.Split('-')[0]);
+            string[]? versionParts = version?.Split('+');
+
+            VersionString = versionParts?.Length > 0 ? versionParts[0] : "unknown";
+            CurrentVersion = String.IsNullOrEmpty(version) ? new Version() : new Version(VersionString.Split('-')[0]);
+            CommitHash = versionParts?.Length > 1 ? versionParts[1].Substring(0, 8) : null;
         }
 
 
diff --git a/VisualStudioSolutionSecrets/VisualStudioSolutionSecrets.csproj b/VisualStudioSolutionSecrets/VisualStudioSolutionSecrets.csproj
@@ -16,14 +16,14 @@
     <RepositoryType>git</RepositoryType>
     <Title>Visual Studio Solution Secrets</Title>
     <Description>Tool for synchronizing Visual Studio solution secrets across different development machines.</Description>
-    <Copyright>Copyright (c) 2022 Ernesto Cianciotta</Copyright>
+    <Copyright>Copyright (c) 2023 Ernesto Cianciotta</Copyright>
     <PackageTags>visualstudio;vs;secrets;secrets-management;dotnet;dotnet-core;aspnet-core;.net;tools;csharp;vb;fsharp;cpp;github;azure;key-vault</PackageTags>
     <PackageOutputPath>./nupkg</PackageOutputPath>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
     <PackageReadmeFile>README.md</PackageReadmeFile>
     <PackageIcon>Icon.png</PackageIcon>
     <PackageProjectUrl>https://devnotes.ernstc.net/visual-studio-solution-secrets-v2</PackageProjectUrl>
-    <Version>2.0.0</Version>
+    <Version>2.0.1</Version>
   </PropertyGroup>
 
   <PropertyGroup>
@@ -57,10 +57,10 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.7.0" />
-    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.4.0" />
-    <PackageReference Include="McMaster.Extensions.CommandLineUtils" Version="4.0.1" />
-    <PackageReference Include="NuGet.Protocol" Version="6.3.1" />
+    <PackageReference Include="Azure.Identity" Version="1.9.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
+    <PackageReference Include="McMaster.Extensions.CommandLineUtils" Version="4.0.2" />
+    <PackageReference Include="NuGet.Protocol" Version="6.6.1" />
   </ItemGroup>
 
   <ItemGroup>
