From fa3711b7ddac7cea6850a9c1c67beda1996aafc0 Mon Sep 17 00:00:00 2001
From: Jonathan Pryor <jonpryor@vt.edu>
Date: Thu, 17 Nov 2022 15:25:01 -0500
Subject: [PATCH] [build] Update NuGet package versions (#196)

Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/3150206?typeId=5477311
Context: https://dev.azure.com/xamarin/public/_componentGovernance/115226/alert/6875331?typeId=5477311
Context: https://github.com/xamarin/java.interop/commit/53182615707bd4181564c0be388d3b09c1d11a20

[Component Governance][0] is a Microsoft internal tool which checks
for known security issues in product dependencies.  It is currently
reporting a defects in xamarin-android-tools due to use of older
`System.Net.Http` packages ([CVE-2018-8292][0]) and older
`System.Security.Cryptography.X509Certificates`
packages ([CVE-2017-11770][1]):

> **Location**
>
> * /s/packages/system.net.http/4.1.0/system.net.http.4.1.0.nupkg
> * /s/packages/system.net.http/4.1.0/system.net.http.nuspec
> * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.4.1.0.nupkg
> * /s/packages/system.security.cryptography.x509certificates/4.1.0/system.security.cryptography.x509certificates.nuspec

The "odd" thing is that xamarin-android-tools doesn't *use* either
of these dependencies!  They appear to be pulled in via package
dependencies.

Rework how we use `@(PackageReference)` so that
`Directory.Build.targets` uses [the `Update` attribute][2] to
centralize package version specification, except within
`MSBuildReferences.projitems` as it's `<Import/>`ed by xamarin-android.

Update most NuGet package versions to the latest versions provided by
`dotnet-public` or `dotnet-eng` (which may not be the latest versions
on NuGet.org).

While stable versions are generally preferred, we use
Microsoft.NET.Test.Sdk version 17.5.0-preview-20221003-04 to ensure
that we avoid Newtonsoft.Json 9.0.1 issues a'la
xamarin/java.interop@53182615.

NuGet Package Version Bumps:

  * Microsoft.Build                     : `16.10.0`   -> `17.3.2`
  * Microsoft.Build.Framework           : `16.10.0`   -> `17.3.2`
  * Microsoft.Build.Tasks.Core          : `16.10.0`   -> `17.3.2`
  * Microsoft.Build.Utilities.Core      : `16.10.0`   -> `17.3.2`
  * Microsoft.NET.Test.Sdk              : `16.5.0`    -> `17.5.0-preview-20221003-04`
  * nunit                               : `3.12.0`    -> `3.13.2`
  * NUnit3TestAdapter                   : `3.16.1`    -> `4.0.0`

[0]: https://nvd.nist.gov/vuln/detail/CVE-2018-8292
[1]: https://nvd.nist.gov/vuln/detail/CVE-2017-11770
[2]: https://learn.microsoft.com/en-us/visualstudio/msbuild/item-element-msbuild?view=vs-2022#attributes-and-elements
---
 Directory.Build.targets                                    | 7 ++++++-
 .../MSBuildReferences.projitems                            | 2 +-
 .../Xamarin.Android.Tools.AndroidSdk.csproj                | 2 +-
 .../Microsoft.Android.Build.BaseTasks-Tests.csproj         | 6 +++---
 .../Xamarin.Android.Tools.AndroidSdk-Tests.csproj          | 6 +++---
 5 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/Directory.Build.targets b/Directory.Build.targets
index 635c2cd..984d585 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -19,8 +19,13 @@
       Condition=" Exists('$([System.IO.Path]::GetDirectoryName($(MSBuildThisFileDirectory))).override.targets') "
   />
 
+  <!-- NuGet Dependencies -->
   <ItemGroup>
-    <PackageReference Update="Microsoft.SourceLink.GitHub" Version="1.1.1" />
+    <PackageReference Update="Microsoft.NET.Test.Sdk"                       Version="17.5.0-preview-20221003-04" />
+    <PackageReference Update="Microsoft.SourceLink.GitHub"                  Version="1.1.1" />
+    <PackageReference Update="Microsoft.VisualStudioEng.MicroBuild.Core"    Version="1.0.0" />
+    <PackageReference Update="nunit"                                        Version="3.13.2" />
+    <PackageReference Update="NUnit3TestAdapter"                            Version="4.0.0" />
   </ItemGroup>
 
 </Project>
diff --git a/src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems b/src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems
index 183fecd..a76b5a5 100644
--- a/src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems
+++ b/src/Microsoft.Android.Build.BaseTasks/MSBuildReferences.projitems
@@ -4,7 +4,7 @@
 <Project>
   <!--Import this file in projects needing to reference Microsoft.Build.*.dll -->
   <PropertyGroup>
-    <MSBuildPackageReferenceVersion>16.10.0</MSBuildPackageReferenceVersion>
+    <MSBuildPackageReferenceVersion>17.3.2</MSBuildPackageReferenceVersion>
     <LibZipSharpVersion Condition=" '$(LibZipSharpVersion)' == '' " >2.0.7</LibZipSharpVersion>
     <MonoUnixVersion>7.1.0-final.1.21458.1</MonoUnixVersion>
   </PropertyGroup>
diff --git a/src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj b/src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj
index eeef803..d37e9cb 100644
--- a/src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj
+++ b/src/Xamarin.Android.Tools.AndroidSdk/Xamarin.Android.Tools.AndroidSdk.csproj
@@ -26,7 +26,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0">
+    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
diff --git a/tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj b/tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj
index 80ecc3d..5220765 100644
--- a/tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj
+++ b/tests/Microsoft.Android.Build.BaseTasks-Tests/Microsoft.Android.Build.BaseTasks-Tests.csproj
@@ -14,9 +14,9 @@
   <Import Project="..\..\src\Microsoft.Android.Build.BaseTasks\MSBuildReferences.projitems" />
 
   <ItemGroup>
-    <PackageReference Include="NUnit" Version="3.12.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="3.16.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.5.0"/>
+    <PackageReference Include="NUnit" />
+    <PackageReference Include="NUnit3TestAdapter" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj b/tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj
index 722a491..19c4033 100644
--- a/tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj
+++ b/tests/Xamarin.Android.Tools.AndroidSdk-Tests/Xamarin.Android.Tools.AndroidSdk-Tests.csproj
@@ -13,9 +13,9 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="NUnit" Version="3.12.0" />
-    <PackageReference Include="NUnit3TestAdapter" Version="3.16.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.5.0"/>
+    <PackageReference Include="NUnit" />
+    <PackageReference Include="NUnit3TestAdapter" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" />
   </ItemGroup>
 
   <ItemGroup>