Enable NuGetAudit #34650
@ViktorHofer @joperezr Any tips on how to avoid the new warnings becoming errors?
Here's the set of warnings:

```
C:\src\dotnet\efcore\src\EFCore.Design\EFCore.Design.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\ef.Tests\ef.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\ef.Tests\ef.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.SqlServer.HierarchyId.Tests\EFCore.SqlServer.HierarchyId.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.SqlServer.FunctionalTests\EFCore.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.VisualBasic.FunctionalTests\EFCore.VisualBasic.FunctionalTests.vbproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.SqlServer.FunctionalTests\EFCore.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.VisualBasic.FunctionalTests\EFCore.VisualBasic.FunctionalTests.vbproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.InMemory.FunctionalTests\EFCore.InMemory.FunctionalTests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.InMemory.FunctionalTests\EFCore.InMemory.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.FSharp.FunctionalTests\EFCore.FSharp.FunctionalTests.fsproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.FSharp.FunctionalTests\EFCore.FSharp.FunctionalTests.fsproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\src\EFCore.Cosmos\EFCore.Cosmos.csproj : error NU1903: Warning As Error: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
C:\src\dotnet\efcore\src\EFCore.Cosmos\EFCore.Cosmos.csproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
C:\src\dotnet\efcore\src\EFCore.Cosmos\EFCore.Cosmos.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
C:\src\dotnet\efcore\test\EFCore.Cosmos.FunctionalTests\EFCore.Cosmos.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.CrossStore.FunctionalTests\EFCore.CrossStore.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.CrossStore.FunctionalTests\EFCore.CrossStore.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Design.Tests\EFCore.Design.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Design.Tests\EFCore.Design.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Cosmos.Tests\EFCore.Cosmos.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Sqlite.Tests\EFCore.Sqlite.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Sqlite.Tests\EFCore.Sqlite.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Sqlite.FunctionalTests\EFCore.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Sqlite.FunctionalTests\EFCore.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Analyzers.Tests\EFCore.Analyzers.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Analyzers.Tests\EFCore.Analyzers.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 5.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Analyzers.Tests\EFCore.Analyzers.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Tests\EFCore.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Tests\EFCore.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.SqlServer.Tests\EFCore.SqlServer.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.SqlServer.Tests\EFCore.SqlServer.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Specification.Tests\EFCore.Specification.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Specification.Tests\EFCore.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Relational.Tests\EFCore.Relational.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Relational.Tests\EFCore.Relational.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.InMemory.Tests\EFCore.InMemory.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.InMemory.Tests\EFCore.InMemory.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.OData.FunctionalTests\EFCore.OData.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.OData.FunctionalTests\EFCore.OData.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\src\EFCore.Tasks\EFCore.Tasks.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Relational.Specification.Tests\EFCore.Relational.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Relational.Specification.Tests\EFCore.Relational.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Proxies.Tests\EFCore.Proxies.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Proxies.Tests\EFCore.Proxies.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\src\ef\ef.csproj : error NU1903: Warning As Error: Package 'Microsoft.NETCore.App' 2.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7mfr-774f-w5r9
```

The first one you already fixed in 9.0 with #34636.

For the others we can work through them - they'll probably have some common solutions. For things you can't solve we can suppress at the reference site with an exclusion: https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages#excluding-advisories
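Added example, not part of the original thread or the efcore repository: a Python triage script that collapses per-project NU190x lines like the ones above into one finding per package version, so the packages that need a shared fix stand out. The names `triage`, `LINE_RE`, `RANK` and `SAMPLE` are illustrative; `SAMPLE` holds six lines copied from the build output in this thread.

```python
import re
from collections import defaultdict

# NuGetAudit warning codes by advisory severity: NU1901 low ... NU1904 critical.
RANK = {"NU1901": 1, "NU1902": 2, "NU1903": 3, "NU1904": 4}

LINE_RE = re.compile(
    r"^(?P<project>.+?) : (?:error|warning) (?P<code>NU190[1-4]): "
    r"(?:Warning As Error: )?Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>\w+) severity vulnerability, (?P<url>\S+)$"
)

# Six lines taken from the build output in this thread (a subset).
SAMPLE = r"""
C:\src\dotnet\efcore\src\EFCore.Design\EFCore.Design.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\ef.Tests\ef.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\ef.Tests\ef.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.SqlServer.Tests\EFCore.SqlServer.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
"""


def triage(log_text):
    """Collapse per-project audit lines into one finding per package version."""
    found = defaultdict(
        lambda: {"rank": 0, "severity": "", "projects": set(), "advisories": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a NuGetAudit line
        f = found[(m["package"], m["version"])]
        f["projects"].add(m["project"].rsplit("\\", 1)[-1])
        f["advisories"].add(m["url"].rsplit("/", 1)[-1])
        if RANK[m["code"]] > f["rank"]:
            f["rank"], f["severity"] = RANK[m["code"]], m["severity"]
    # Most severe first, then the package versions that break the most projects.
    return sorted(
        found.items(),
        key=lambda kv: (-kv[1]["rank"], -len(kv[1]["projects"]), kv[0]),
    )


if __name__ == "__main__":
    for (package, version), f in triage(SAMPLE):
        print(f"{f['severity']:<9}{package} {version}: "
              f"{len(f['projects'])} project(s), {', '.join(sorted(f['advisories']))}")
```

Run over the full build log, each row is a candidate for a single fix: a direct version bump, a pinned transitive reference, or a suppression of the listed advisory.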
I was able to address all the advisories here, have a look at https://github.com/dotnet/efcore/compare/NuGetAudit...ericstj-NuGetAudit?expand=1

I suppressed EF.csproj one, since it's explicitly targeting

One case that was problematic was IdentityServer4 -> all versions are vulnerable and the owner redirects to https://www.nuget.org/packages/Duende.IdentityServer.EntityFramework which will fix all the advisories but requires a license fee for production software. Instead of switching to that I made the updates to the tests to fix as much as possible and suppress that which we can't fix.
bd5b67b to 973900f
Filed #34649