Dependency Security Updates (#2878)

- Update vulnerable SIL.XForge dependencies - Move tests to reduce dependencies - Update vulnerable SIL.XForge.Scripture dependencies - Update test dependencies
sillsdev · Dec 2, 2024 · 661951c · 661951c
1 parent 0a643ce
commit 661951c
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 23 deletions.
diff --git a/src/SIL.XForge.Scripture/SIL.XForge.Scripture.csproj b/src/SIL.XForge.Scripture/SIL.XForge.Scripture.csproj
@@ -33,7 +33,7 @@
     <PackageReference Include="Microsoft.Extensions.Http.Polly" Version="8.0.7" />
     <PackageReference Include="Microsoft.FeatureManagement.AspNetCore" Version="3.4.0" />
     <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
-    <PackageReference Include="NPOI" Version="2.7.1" />
+    <PackageReference Include="NPOI" Version="2.7.2" />
     <!-- When using a new major or minor version of ParatextData, update where dependencies.yml copies the
          InternetSettings.xml file. Also update server config scriptureforge.org_v2.yml. -->
     <PackageReference Include="ParatextData" Version="9.5.0.5" />
@@ -42,6 +42,12 @@
     <PackageReference Include="Swashbuckle.AspNetCore.Newtonsoft" Version="6.6.2" />
     <PackageReference Include="System.Text.Encoding.CodePages" Version="8.0.0" />
   </ItemGroup>
+  <!-- Override vulnerable versions of ParatextData dependencies -->
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Windows.Compatibility" Version="6.0.6" />
+    <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
+    <PackageReference Include="System.IO.Packaging" Version="6.0.1" />
+  </ItemGroup>
   <ItemGroup>
     <!-- Don't publish the SPA source files, but do show them in the project files list -->
     <Content Remove="$(SpaRoot)**" />

diff --git a/src/SIL.XForge/SIL.XForge.csproj b/src/SIL.XForge/SIL.XForge.csproj
@@ -15,9 +15,14 @@
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.7" />
     <PackageReference Include="Microsoft.AspNetCore.SpaServices.Extensions" Version="8.0.7" />
     <PackageReference Include="MongoDB.Driver" Version="2.27.0" />
-    <PackageReference Include="MailKit" Version="4.7.0" />
+    <PackageReference Include="MailKit" Version="4.8.0" />
     <PackageReference Include="idunno.Authentication.Basic" Version="2.3.1" />
     <PackageReference Include="AbrarJahin.DiffMatchPatch" Version="0.1.0" />
     <PackageReference Include="SIL.Core" Version="13.0.1" />
   </ItemGroup>
+  <!-- Override vulnerable versions of dependencies -->
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
+  </ItemGroup>
 </Project>
diff --git a/test/SIL.XForge.Scripture.Tests/SIL.XForge.Scripture.Tests.csproj b/test/SIL.XForge.Scripture.Tests/SIL.XForge.Scripture.Tests.csproj
@@ -19,10 +19,10 @@
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
-    <PackageReference Include="NSubstitute" Version="5.1.0" />
-    <PackageReference Include="NUnit" Version="4.1.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.5.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageReference Include="NSubstitute" Version="5.3.0" />
+    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\..\src\SIL.XForge.Scripture\SIL.XForge.Scripture.csproj" />

diff --git a/....Tests/Services/FileSystemServiceTests.cs → ....Tests/Services/FileSystemServiceTests.cs b/....Tests/Services/FileSystemServiceTests.cs → ....Tests/Services/FileSystemServiceTests.cs
@@ -4,8 +4,9 @@
 using NUnit.Framework;
 using Paratext.Data.ProjectComments;
 using Paratext.Data.Users;
+using SIL.XForge.Services;
 
-namespace SIL.XForge.Services;
+namespace SIL.XForge.Scripture.Services;
 
 [TestFixture]
 public class FileSystemServiceTests
@@ -15,7 +16,7 @@ public void WriteXmlFile_WritesBom()
     {
         var env = new TestEnvironment();
         using MemoryStream stream = new MemoryStream();
-        CommentList data = new CommentList();
+        CommentList data = [];
 
         // SUT
         env.Service.WriteXmlFile(stream, data);
@@ -37,13 +38,13 @@ public void WriteXmlFile_WritesAnEmptyCommentList()
     {
         var env = new TestEnvironment();
         using MemoryStream stream = new MemoryStream();
-        CommentList data = new CommentList();
+        CommentList data = [];
         string xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n";
         xml += "<CommentList />";
 
         // Get the XML as a byte array with BOM
         Encoding encoding = new UTF8Encoding(true);
-        byte[] expected = encoding.GetPreamble().Concat(encoding.GetBytes(xml)).ToArray();
+        byte[] expected = [.. encoding.GetPreamble().Concat(encoding.GetBytes(xml))];
 
         // SUT
         env.Service.WriteXmlFile(stream, data);
@@ -72,9 +73,9 @@ public void WriteXmlFile_WritesComments()
         const bool hideInTextWindow = false;
         const string contents = "Plain Text";
 
-        // Setup the Comment List
-        CommentList data = new CommentList
-        {
+        // Set up the Comment List
+        CommentList data =
+        [
             new Comment(new DummyParatextUser(user))
             {
                 Thread = thread,
@@ -89,7 +90,7 @@ public void WriteXmlFile_WritesComments()
                 ReplyToUser = string.Empty,
                 HideInTextWindow = false,
             },
-        };
+        ];
         data.First().AddTextToContent(contents, false);
 
         // Setup the XML data for comparison
@@ -115,7 +116,7 @@ public void WriteXmlFile_WritesComments()
 
         // Get the XML as a byte array with BOM
         Encoding encoding = new UTF8Encoding(true);
-        byte[] expected = encoding.GetPreamble().Concat(encoding.GetBytes(xml)).ToArray();
+        byte[] expected = [.. encoding.GetPreamble().Concat(encoding.GetBytes(xml))];
 
         // SUT
         env.Service.WriteXmlFile(stream, data);
@@ -125,8 +126,6 @@ public void WriteXmlFile_WritesComments()
 
     private class TestEnvironment
     {
-        public TestEnvironment() => Service = new FileSystemService();
-
-        public IFileSystemService Service { get; }
+        public IFileSystemService Service { get; } = new FileSystemService();
     }
 }
diff --git a/test/SIL.XForge.Tests/SIL.XForge.Tests.csproj b/test/SIL.XForge.Tests/SIL.XForge.Tests.csproj
@@ -20,11 +20,10 @@
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
-    <PackageReference Include="NSubstitute" Version="5.1.0" />
-    <PackageReference Include="NUnit" Version="4.1.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="4.5.0" />
-    <PackageReference Include="ParatextData" Version="9.5.0.5" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageReference Include="NSubstitute" Version="5.3.0" />
+    <PackageReference Include="NUnit" Version="4.2.2" />
+    <PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\..\src\SIL.XForge\SIL.XForge.csproj" />