Merge pull request #292 from microsoft/security/stj-vulnerability

fix: warning suppression for STJ CVE
microsoft · Jul 10, 2024 · a4fdaae · a4fdaae
2 parents 0bc980f + 85455d9
commit a4fdaae
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/src/http/httpClient/Microsoft.Kiota.Http.HttpClientLibrary.csproj b/src/http/httpClient/Microsoft.Kiota.Http.HttpClientLibrary.csproj
@@ -10,9 +10,13 @@
   </PropertyGroup>
 
   <!-- NET 5 target to be removed on next major version-->
-  <ItemGroup Condition="'$(TargetFramework)' == 'net5.0' or '$(TargetFramework)'== 'netStandard2.0' or '$(TargetFramework)' == 'netStandard2.1' or '$(TargetFramework)' == 'net462'">
+  <ItemGroup
+    Condition="'$(TargetFramework)' == 'net5.0' or '$(TargetFramework)'== 'netStandard2.0' or '$(TargetFramework)' == 'netStandard2.1' or '$(TargetFramework)' == 'net462'">
     <PackageReference Include="System.Diagnostics.DiagnosticSource" Version="[6.0,9.0)" />
-    <PackageReference Include="System.Text.Json" Version="[6.0,9.0)" />
+    <!-- suppressed because of this CVE https://github.com/advisories/GHSA-hh2w-p6rv-4g7w 
+     The target application is the one which will resolve the correct version
+     when the version range is updated to > 8.0.4 in the future, remove the nowarn suppression -->
+    <PackageReference Include="System.Text.Json" Version="[6.0,9.0)" NoWarn="NU1903" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'net462'">
@@ -21,6 +25,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\..\abstractions\Microsoft.Kiota.Abstractions.csproj" />
-    <ProjectReference Include="..\..\generated\KiotaGenerated.csproj" OutputItemType="Analyzer" ReferenceOutputAssembly="false" />
+    <ProjectReference Include="..\..\generated\KiotaGenerated.csproj" OutputItemType="Analyzer"
+      ReferenceOutputAssembly="false" />
   </ItemGroup>
-</Project>
+</Project>
diff --git a/src/serialization/json/Microsoft.Kiota.Serialization.Json.csproj b/src/serialization/json/Microsoft.Kiota.Serialization.Json.csproj
@@ -7,15 +7,20 @@
     <!-- NET 5 target to be removed on next major version-->
     <TargetFrameworks>netstandard2.0;netstandard2.1;net5.0;net6.0;net8.0</TargetFrameworks>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
-    <NoWarn>$(NoWarn);CS1591</NoWarn> <!-- Ignore warning from code generated by source generators from System.Text.Json-->
+    <NoWarn>$(NoWarn);CS1591</NoWarn> <!-- Ignore warning from code generated by source generators
+    from System.Text.Json-->
   </PropertyGroup>
 
   <!-- NET 5 target to be removed on next major version-->
-  <ItemGroup Condition="'$(TargetFramework)' == 'net5.0' or '$(TargetFramework)'== 'netStandard2.0' or '$(TargetFramework)' == 'netStandard2.1'">
-    <PackageReference Include="System.Text.Json" Version="[6.0,9.0)" />
+  <ItemGroup
+    Condition="'$(TargetFramework)' == 'net5.0' or '$(TargetFramework)'== 'netStandard2.0' or '$(TargetFramework)' == 'netStandard2.1'">
+    <!-- suppressed because of this CVE https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
+     The target application is the one which will resolve the correct version
+     when the version range is updated to > 8.0.4 in the future, remove the nowarn suppression -->
+    <PackageReference Include="System.Text.Json" Version="[6.0,9.0)" NoWarn="NU1903" />
   </ItemGroup>
 
   <ItemGroup>
     <ProjectReference Include="..\..\abstractions\Microsoft.Kiota.Abstractions.csproj" />
   </ItemGroup>
-</Project>
+</Project>