[repo] Mitigate vulnerabilities in System.Text.Json 8.0.0 packages #5874

Merged: 9 commits merged from repo-mitigate-stj-net8 into open-telemetry:main on Oct 4, 2024

Conversation

CodeBlanch (Member) commented Oct 2, 2024

Changes

  • Mitigate vulnerabilities in System.Text.Json v8.0.0 - 8.0.3

Details

ConsoleExporter and ZipkinExporter use System.Text.Json (STJ) but don't have a reference to it for net8.0+ targets. What happens is they get STJ transitively via Microsoft.NETCore.App framework reference. The final version will depend on the runtime version deployed with the app.

The problem is STJ v8.0.0 - 8.0.3 have been deprecated due to a deserialization vulnerability.

The goal here is to redirect STJ to v8.0.4 for net8.0 targets. Older targets should stay on v4.7.2. Newer targets (net9.0) will continue to use the transitive reference.

Today:

1.9.0 stable:

| Target | Direct reference(s) | Framework reference | Version | Vulnerable | Notes |
| --- | --- | --- | --- | --- | --- |
| net462 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| netstandard2.0 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| net6.0 | | System.Text.Json | Runtime version (6.0.0 - 6.0.9) | No | Version depends on patch level of runtime |
| net8.0 | | System.Text.Json | Runtime version (8.0.0 - 8.0.4) | When <= 8.0.3 | Version depends on patch level of runtime |

1.10.0-beta.1:

| Target | Direct reference(s) | Framework reference | Version | Vulnerable | Notes |
| --- | --- | --- | --- | --- | --- |
| net462 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| netstandard2.0 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| net8.0 | | System.Text.Json | Runtime version (8.0.0 - 8.0.4) | When <= 8.0.3 | Version depends on patch level of runtime |
| net9.0 | | System.Text.Json | Runtime version (9.0.0) | No | No patches yet for .NET 9 |

Going forward:

1.9.0 stable:

No hot patch currently planned. The vulnerability is about deserialization of untrusted input which neither ConsoleExporter nor ZipkinExporter is susceptible to. I'm approaching this as a low severity issue but some work needs to be done to agree on a severity and publish an advisory. If we determine there is a higher severity we will do a hot patch for 1.9.0, possibly other releases.

Next release of 1.10.0:

| Target | Direct reference(s) | Framework reference | Version | Vulnerable | Notes |
| --- | --- | --- | --- | --- | --- |
| net462 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| netstandard2.0 | System.Text.Encodings.Web & System.Text.Json | | v4.7.2 | No | |
| net8.0 | System.Text.Json | | v8.0.4 | No | |
| net9.0 | | System.Text.Json | Runtime version (9.0.0) | No | No patches yet for .NET 9 |
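The following project file fragment is an added illustration of the target state described in the "Next release of 1.10.0" table; it is not the PR's own diff (which is not reproduced on this page) and not code from the OpenTelemetry .NET repository. It assumes package versions are declared directly in the exporter's .csproj rather than through central package management in Directory.Packages.props, and the target framework list and Condition expressions are assumptions for the example. The net8.0 ItemGroup is the mitigation: a direct reference to System.Text.Json 8.0.4 takes precedence over the transitive copy that Microsoft.NETCore.App would otherwise supply, so the resolved version no longer depends on the patch level of the deployed runtime.

```xml
<!-- Hypothetical exporter .csproj fragment (added example, not the PR's diff).
     Assumes versions are set here rather than in Directory.Packages.props. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Target set assumed for the example; matches the table's rows. -->
    <TargetFrameworks>net462;netstandard2.0;net8.0;net9.0</TargetFrameworks>
  </PropertyGroup>

  <!-- net462 / netstandard2.0: System.Text.Json is not part of these frameworks,
       so it must be referenced directly. v4.7.2 lies outside the deprecated
       8.0.0 - 8.0.3 range. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'net462' OR '$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
    <PackageReference Include="System.Text.Json" Version="4.7.2" />
  </ItemGroup>

  <!-- net8.0: the shared framework already carries System.Text.Json, but its
       version follows the runtime patch level (8.0.0 - 8.0.4). Pinning 8.0.4
       directly guarantees the app never resolves a deprecated 8.0.x copy. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'">
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
  </ItemGroup>

  <!-- net9.0: intentionally no direct reference; the 9.0.0 framework copy is
       not in the deprecated range, so the transitive reference is kept. -->

</Project>
```

To confirm what each target actually resolves after such a change, `dotnet list package --include-transitive` prints the resolved version per framework, and `dotnet list package --vulnerable --include-transitive` reports any remaining package, direct or transitive, that matches a known advisory.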

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Appropriate CHANGELOG.md files updated for non-trivial changes

@CodeBlanch CodeBlanch requested a review from a team as a code owner October 2, 2024 04:24
@github-actions github-actions bot added infra Infra work - CI/CD, code coverage, linters dependencies Pull requests that update a dependency file documentation Documentation related pkg:OpenTelemetry.Exporter.Console Issues related to OpenTelemetry.Exporter.Console NuGet package pkg:OpenTelemetry.Exporter.Zipkin Issues related to OpenTelemetry.Exporter.Zipkin NuGet package pkg:OpenTelemetry.Api Issues related to OpenTelemetry.Api NuGet package pkg:OpenTelemetry.Exporter.OpenTelemetryProtocol Issues related to OpenTelemetry.Exporter.OpenTelemetryProtocol NuGet package pkg:OpenTelemetry.Exporter.Prometheus.AspNetCore Issues related to OpenTelemetry.Exporter.Prometheus.AspNetCore NuGet package pkg:OpenTelemetry.Exporter.Prometheus.HttpListener Issues related to OpenTelemetry.Exporter.Prometheus.HttpListener NuGet package pkg:OpenTelemetry.Extensions.Hosting Issues related to OpenTelemetry.Extensions.Hosting NuGet package pkg:OpenTelemetry.Shims.OpenTracing Issues related to OpenTelemetry.Shims.OpenTracing NuGet package perf Performance related pkg:OpenTelemetry Issues related to OpenTelemetry NuGet package labels Oct 2, 2024

codecov bot commented Oct 2, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.32%. Comparing base (6250307) to head (d69aad3).
Report is 337 commits behind head on main.

```text
@@            Coverage Diff             @@
##             main    #5874      +/-   ##
==========================================
+ Coverage   83.38%   86.32%   +2.93%     
==========================================
  Files         297      257      -40     
  Lines       12531    11214    -1317     
==========================================
- Hits        10449     9680     -769     
+ Misses       2082     1534     -548     
```

| Flag | Coverage Δ |
| --- | --- |
| unittests | ? |
| unittests-Project-Experimental | 86.14% <ø> (?) |
| unittests-Project-Stable | 86.28% <ø> (?) |
| unittests-Solution | 86.16% <ø> (?) |
| unittests-UnstableCoreLibraries-Experimental | 85.68% <ø> (?) |

reyang (Member) previously requested changes Oct 3, 2024

Several changes were made after my initial approval. The PR scope is now much bigger, I think we should focus on the mitigation and put everything else in other PRs.

CodeBlanch (Member, Author) commented:

@reyang I reverted some of the cleanup/re-org being done in Directory.Packages.props. Does that reduce the scope enough, or do you want more reduction?

reyang (Member) commented Oct 3, 2024

> @reyang I reverted some of the cleanup/re-org being done in Directory.Packages.props. Does that reduce the scope enough, or do you want more reduction?

Nope, I see a red flag #5874 (comment).

@reyang reyang dismissed their stale review October 4, 2024 19:24

Red flag resolved.

@CodeBlanch CodeBlanch merged commit 25d99a5 into open-telemetry:main Oct 4, 2024
49 checks passed
@CodeBlanch CodeBlanch deleted the repo-mitigate-stj-net8 branch October 4, 2024 20:38