Skip to content

Commit

Permalink
[build] Update NuGet package versions (#196)
Browse files Browse the repository at this point in the history 
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/3150206?typeId=5477311
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/6875331?typeId=5477311
Context: dotnet/java-interop@5318261

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting a defects in xamarin-android-tools due to use of older
`System.Net.Http` packages ([CVE-2018-8292][0]) and older
`System.Security.Cryptography.X509Certificates`
packages ([CVE-2017-11770][1]):

> **Location**
>
> * /s/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
> * /s/packages/system.net.http/4.1.0/system.net.http.nuspec
> * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.4.1.0.nupkg
> * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.nuspec

The "odd" thing is that xamarin-android-tools doesn't *use* either
of these dependencies!  They appear to be pulled in via package
dependencies.

Rework how we use `@(PackageReference)` so that
`Directory.Build.targets` uses [the `Update` attribute][2] to
centralize package version specification, except within
`MSBuildReferences.projitems` as it's `<Import/>`ed by xamarin-android.

Update most NuGet package versions to the latest versions provided by
`dotnet-public` or `dotnet-eng` (which may not be the latest versions
on NuGet.org).

While stable versions are generally preferred, we use
Microsoft.NET.Test.Sdk version 17.5.0-preview-20221003-04 to ensure
that we avoid Newtonsoft.Json 9.0.1 issues a'la
dotnet/java-interop@53182615.

NuGet Package Version Bumps:

  * Microsoft.Build                     : `16.10.0`   -> `17.3.2`
  * Microsoft.Build.Framework           : `16.10.0`   -> `17.3.2`
  * Microsoft.Build.Tasks.Core          : `16.10.0`   -> `17.3.2`
  * Microsoft.Build.Utilities.Core      : `16.10.0`   -> `17.3.2`
  * Microsoft.NET.Test.Sdk              : `16.5.0`    -> `17.5.0-preview-20221003-04`
  * nunit                               : `3.12.0`    -> `3.13.2`
  * NUnit3TestAdapter                   : `3.16.1`    -> `4.0.0`

[0]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
[1]: https://nvd.nist.gov/vuln/detail/CVE-2017-11770
[2]: https://learn.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2022#attributes-and-elements
  • Loading branch information
@jonpryor
jonpryor authored Nov 17, 2022
1 parent 59cac90 commit fa3711b
Show file tree
Hide file tree
Showing 5 changed files with 14 additions and 9 deletions.
7 changes: 6 additions & 1 deletion Directory.Build.targets
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,13 @@
Condition=" Exists('$([System.IO.Path]::GetDirectoryName($(MSBuildThisFileDirectory))).override.targets') "
/>

<!-- NuGet Dependencies -->
<ItemGroup>
<PackageReference Update="Microsoft.SourceLink.GitHub" Version="1.1.1" />
<PackageReference Update="Microsoft.NET.Test.Sdk" Version="17.5.0-preview-20221003-04" />
<PackageReference Update="Microsoft.SourceLink.GitHub" Version="1.1.1" />
<PackageReference Update="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
<PackageReference Update="nunit" Version="3.13.2" />
<PackageReference Update="NUnit3TestAdapter" Version="4.0.0" />
</ItemGroup>

</Project>
2 changes: 1 addition & 1 deletion src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
<Project>
<!--Import this file in projects needing to reference Microsoft.Build.*.dll -->
<PropertyGroup>
<MSBuildPackageReferenceVersion>16.10.0</MSBuildPackageReferenceVersion>
<MSBuildPackageReferenceVersion>17.3.2</MSBuildPackageReferenceVersion>
<LibZipSharpVersion Condition=" '$(LibZipSharpVersion)' == '' " >2.0.7</LibZipSharpVersion>
<MonoUnixVersion>7.1.0-final.1.21458.1</MonoUnixVersion>
</PropertyGroup>
Expand Down
2 changes: 1 addition & 1 deletion src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
</PropertyGroup>

<ItemGroup>
<PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0">
<PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
</PackageReference>
Expand Down
6 changes: 3 additions & 3 deletions tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@
<Import Project="..\..\src\Microsoft.Android.Build.BaseTasks\MSBuildReferences.projitems" />

<ItemGroup>
<PackageReference Include="NUnit" Version="3.12.0" />
<PackageReference Include="NUnit3TestAdapter" Version="3.16.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.5.0"/>
<PackageReference Include="NUnit" />
<PackageReference Include="NUnit3TestAdapter" />
<PackageReference Include="Microsoft.NET.Test.Sdk" />
</ItemGroup>

<ItemGroup>
Expand Down
6 changes: 3 additions & 3 deletions tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@
</PropertyGroup>

<ItemGroup>
<PackageReference Include="NUnit" Version="3.12.0" />
<PackageReference Include="NUnit3TestAdapter" Version="3.16.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.5.0"/>
<PackageReference Include="NUnit" />
<PackageReference Include="NUnit3TestAdapter" />
<PackageReference Include="Microsoft.NET.Test.Sdk" />
</ItemGroup>

<ItemGroup>
Expand Down

0 comments on commit fa3711b

Please sign in to comment.