[Update] System.Text.RegularExpressions version 4.3.1 - resolves tran…

…sitive vulnerability
STARIONGROUP · Aug 15, 2024 · 0316f32 · 0316f32
1 parent d822e5b
commit 0316f32
Show file tree

Hide file tree

Showing 16 changed files with 85 additions and 29 deletions.
diff --git a/.github/workflows/nuget-reference-check.yml b/.github/workflows/nuget-reference-check.yml
@@ -0,0 +1,50 @@
+name: "nuget package reference check"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 8 * * *'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    - name: Setup .NET Environment
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: 8.0.x
+
+    - name: add DevExpress nuget feed
+      run: dotnet nuget add source https://nuget.devexpress.com/api -n DXFeed -u DevExpress -p ${{ secrets.DEVEXPRESS_NUGET_KEY }} --store-password-in-clear-text
+
+    - name: Install dependencies
+      run: dotnet restore CDP4-SDK.sln
+
+    - name: Build
+      run: dotnet build CDP4-SDK.sln --no-restore /p:ContinuousIntegrationBuild=true
+
+    - name: Checking NuGet vulnerabilites
+      run: |
+        set -e
+        dotnet list CDP4-SDK.sln package --outdated --include-transitive
+
+        dotnet list CDP4-SDK.sln package --deprecated --include-transitive
+
+        dotnet list CDP4-SDK.sln package --vulnerable --include-transitive 2>&1 | tee vulnerabilities.log
+
+        echo "Analyze dotnet list package command log output..."
+        if grep -q -i "\bcritical\b\|\bhigh\b\|\bmoderate\b\|\blow\b" vulnerabilities.log; then
+            echo "Security Vulnerabilities found"
+            exit 1
+        else
+            echo "No Security Vulnerabilities found"
+            exit 0
+        fi
diff --git a/CDP4-SDK.sln b/CDP4-SDK.sln
@@ -50,8 +50,6 @@ EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{8B27CAF4-B780-43A8-B0CA-768A294C599C}"
 	ProjectSection(SolutionItems) = preProject
 		CDP4-SDK.sln.DotSettings = CDP4-SDK.sln.DotSettings
-		.github\workflows\codeql-analysis.yml = .github\workflows\codeql-analysis.yml
-		.github\workflows\CodeQuality.yml = .github\workflows\CodeQuality.yml
 		README.md = README.md
 	EndProjectSection
 EndProject
@@ -67,6 +65,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Github Actions", "Github Ac
 	ProjectSection(SolutionItems) = preProject
 		.github\workflows\codeql-analysis.yml = .github\workflows\codeql-analysis.yml
 		.github\workflows\CodeQuality.yml = .github\workflows\CodeQuality.yml
+		.github\workflows\nuget-reference-check.yml = .github\workflows\nuget-reference-check.yml
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "CDP4Web", "CDP4Web\CDP4Web.csproj", "{7192A78E-654C-4993-A9D7-A3EFE78DD66F}"

diff --git a/CDP4Common/CDP4Common.csproj b/CDP4Common/CDP4Common.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4Common Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 Common Class Library that contains DTOs, POCOs</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Merlin, Alex, Naron, Alexander, Yevhen, Nathanael, Ahmed</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-        [Update] NLog version 5.3.3
+        [Update] System.Text.RegularExpressions version 4.3.1 - resolves transitive vulnerability
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>
@@ -49,4 +49,8 @@
     <PackageReference Include="System.Xml.XmlSerializer" Version="4.3.0" />
   </ItemGroup>
 
+    <ItemGroup Label="override transitive vulnerable dependency">
+        <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+    </ItemGroup>
+
 </Project>
diff --git a/CDP4Dal/CDP4Dal.csproj b/CDP4Dal/CDP4Dal.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4Dal Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 Data Access Layer library, a consumer of an ECSS-E-TM-10-25 Annex C API</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Merlin, Alex, Naron, Alexander, Yevhen, Nathanael, Ahmed</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-        [Update] System.Reactive version 6.0.1
+        [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4DalCommon/CDP4DalCommon.csproj b/CDP4DalCommon/CDP4DalCommon.csproj
@@ -5,7 +5,7 @@
       <Company>Starion Group S.A.</Company>
       <Language>latest</Language>
       <Title>CDP4DalCommon Community Edition</Title>
-      <VersionPrefix>27.2.2</VersionPrefix>
+      <VersionPrefix>27.2.3</VersionPrefix>
       <Description>CDP4 Common Class Library that contains common types for any CDP4 server and the CDP4Dal</Description>
       <Copyright>Copyright © Starion Group S.A.</Copyright>
       <Authors>Sam, Alex, Alexander, Nathanael, Antoine, Omar, Jaime</Authors>
@@ -21,7 +21,7 @@
       <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
       <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
       <PackageReleaseNotes>
-          [BUMP] To CDP4Common 27.2.2
+          [BUMP] To CDP4Common 27.2.3
       </PackageReleaseNotes>
       <PackageReadmeFile>README.md</PackageReadmeFile>
       <GenerateDocumentationFile>true</GenerateDocumentationFile>

diff --git a/CDP4JsonFileDal.NetCore.Tests/CDP4JsonFileDal.NetCore.Tests.csproj b/CDP4JsonFileDal.NetCore.Tests/CDP4JsonFileDal.NetCore.Tests.csproj
@@ -16,6 +16,10 @@
           <ProjectReference Include="..\CDP4JsonFileDal\CDP4JsonFileDal.csproj" />
     </ItemGroup>
 
+    <ItemGroup Label="override transitive vulnerable dependency">
+        <PackageReference Include="System.Drawing.Common" Version="8.0.8" />
+    </ItemGroup>
+
     <ItemGroup>
         <PackageReference Include="JetBrains.dotMemoryUnit" Version="3.2.20220510" />
         <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />

diff --git a/CDP4JsonFileDal/CDP4JsonFileDal.csproj b/CDP4JsonFileDal/CDP4JsonFileDal.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4JsonFileDal Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 Json File Dal Plugin</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Merlin, Alex, Naron, Alexander, Yevhen, Nathanael</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-      [BUMP] To CDP4Common 27.2.2
+        [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4JsonSerializer/CDP4JsonSerializer.csproj b/CDP4JsonSerializer/CDP4JsonSerializer.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4JsonSerializer Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 JSON Serialization Library</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Merlin, Alex, Naron, Alexander, Yevhen, Nathanael</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25 JSON</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-        [BUMP] To CDP4Common 27.2.2
+        [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4MessagePackSerializer/CDP4MessagePackSerializer.csproj b/CDP4MessagePackSerializer/CDP4MessagePackSerializer.csproj
@@ -4,7 +4,7 @@
       <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
       <Company>Starion Group S.A.</Company>
       <Title>CDP4MessagePackSerializer Community Edition</Title>
-      <VersionPrefix>27.2.2</VersionPrefix>
+      <VersionPrefix>27.2.3</VersionPrefix>
       <Description>CDP4 MessagePack Serialization Library</Description>
       <Copyright>Copyright © Starion Group S.A.</Copyright>
       <Authors>Sam, Alex, Alexander, Nathanael, Antoine, Omar</Authors>
@@ -20,7 +20,7 @@
       <PackageTags>CDP COMET ECSS-E-TM-10-25 MessagePack</PackageTags>
       <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
       <PackageReleaseNotes>
-          [Update] MessagePack to version 2.5.172
+          [BUMP] To CDP4Common 27.2.3
       </PackageReleaseNotes>
       <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4Reporting/CDP4Reporting.csproj b/CDP4Reporting/CDP4Reporting.csproj
@@ -4,7 +4,7 @@
      <TargetFrameworks>netstandard2.0</TargetFrameworks>
      <Company>Starion Group S.A.</Company>
      <Title>CDP4Reporting Community Edition</Title>
-     <VersionPrefix>27.2.2</VersionPrefix>
+     <VersionPrefix>27.2.3</VersionPrefix>
      <Description>CDP4 Reporting</Description>
      <Copyright>Copyright © Starion Group S.A.</Copyright>
      <Authors>Sam, Alex, Alexander</Authors>
@@ -20,7 +20,7 @@
      <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
      <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
      <PackageReleaseNotes>
-       [BUMP] To CDP4Common 27.2.2
+       [BUMP] To CDP4Common 27.2.3
      </PackageReleaseNotes>
      <LangVersion>latest</LangVersion>
      <PackageReadmeFile>README.md</PackageReadmeFile>

diff --git a/CDP4RequirementsVerification/CDP4RequirementsVerification.csproj b/CDP4RequirementsVerification/CDP4RequirementsVerification.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4RequirementsVerification Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 Class Library that provides requirement verification</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Alex, Alexander, Yevhen, Nathanael</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-      [BUMP] To CDP4Common 27.2.2
+      [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4Rules/CDP4Rules.csproj b/CDP4Rules/CDP4Rules.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4Rules Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 Class Library that provides Model Analysis and Rule Checking</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Alex, Alexander, Yevhen, Nathanael</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-      [BUMP] To CDP4Common 27.2.2
+      [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4ServicesDal/CDP4ServicesDal.csproj b/CDP4ServicesDal/CDP4ServicesDal.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4ServicesDal Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4ServicesDal Dal Plugin</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Merlin, Alex, Naron, Alexander, Yevhen, Nathanael</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-      [BUMP] To CDP4Common 27.2.2
+      [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>

diff --git a/CDP4ServicesMessaging/CDP4ServicesMessaging.csproj b/CDP4ServicesMessaging/CDP4ServicesMessaging.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4Common Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 Services Messaging is a Class Library that contains clients and messages class that can be used for inter services communication</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Alex, Alexander, Nathanael, Antoine</Authors>
@@ -20,8 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-        [Update] Polly to version 8.4.1
-        [Update] Microsoft.Extensions.Configuration.Binder to version 8.0.2
+        [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
     <LangVersion>latest</LangVersion>

diff --git a/CDP4Web/CDP4Web.csproj b/CDP4Web/CDP4Web.csproj
@@ -5,7 +5,7 @@
         <LangVersion>latest</LangVersion>
         <Company>Starion Group S.A.</Company>
         <Title>CDP4Web Community Edition</Title>
-        <VersionPrefix>27.2.2</VersionPrefix>
+        <VersionPrefix>27.2.3</VersionPrefix>
         <Description>CDP4Web Dedicated Sdk for CDPServicesDal</Description>
         <Copyright>Copyright © Starion Group S.A.</Copyright>
         <Authors>Sam, Alex, Alexander, Nathanael, Antoine, Omar, Jaime</Authors>
@@ -21,7 +21,7 @@
         <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
         <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
         <PackageReleaseNotes>
-            [Update] FluentResults to version 3.16.0
+            [BUMP] To CDP4Common 27.2.3
         </PackageReleaseNotes>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>

diff --git a/CDP4WspDal/CDP4WspDal.csproj b/CDP4WspDal/CDP4WspDal.csproj
@@ -4,7 +4,7 @@
     <TargetFrameworks>net48;netstandard2.0</TargetFrameworks>
     <Company>Starion Group S.A.</Company>
     <Title>CDP4WspDal Community Edition</Title>
-    <VersionPrefix>27.2.2</VersionPrefix>
+    <VersionPrefix>27.2.3</VersionPrefix>
     <Description>CDP4 WSP Dal Plugin</Description>
     <Copyright>Copyright © Starion Group S.A.</Copyright>
     <Authors>Sam, Merlin, Alex, Naron, Alexander, Yevhen, Nathanael</Authors>
@@ -20,7 +20,7 @@
     <PackageTags>CDP COMET ECSS-E-TM-10-25</PackageTags>
     <PackageLicenseExpression>LGPL-3.0-only</PackageLicenseExpression>
     <PackageReleaseNotes>
-      [BUMP] To CDP4Common 27.2.2
+      [BUMP] To CDP4Common 27.2.3
     </PackageReleaseNotes>
     <PackageReadmeFile>README.md</PackageReadmeFile>
   </PropertyGroup>