Update .NET libraries which have security problems in transitive dependencies (#2967)

The existing versions of these libraries have dependencies on packages with known vulnerabilities.

Updating the ADO packages fixes the following:

- `Newtonsoft.Json` (High) GHSA-5crp-9r3c-p9vr
- `System.Data.SqlClient` (Moderate) GHSA-8g2p-5pqh-5jmc
- `System.Drawing.Common` (Critical) GHSA-rxg9-xrhp-64gj

Updating the Identity packages fixes the following:

- `System.Security.Cryptography.Xml` (Moderate) GHSA-2m65-m22p-9wjw

Updating the System.Text.RegularExpressions package fixed:

- `System.Text.RegularExpressions` (High) GHSA-cmhx-cq75-c4mj

Updating the System.Net.Http package (in test project) fixed:

- `System.Net.Http` (High) GHSA-7jgj-8wvc-jh57

Author: Porges

src/ApiService/ApiService/ApiService.csproj

@@ -37,15 +37,16 @@
     <PackageReference Include="Azure.Storage.Queues" Version="12.11.0" />
     <PackageReference Include="Azure.Storage.Blobs" Version="12.13.0" />
     <PackageReference Include="Microsoft.Graph" Version="4.37.0" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.46.2" />
-    <PackageReference Include="Microsoft.Identity.Web.TokenCache" Version="1.23.1" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.52.0" />
+    <PackageReference Include="Microsoft.Identity.Web.TokenCache" Version="2.7.0" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.22.1" />
     <PackageReference Include="System.Linq.Async" Version="6.0.1" />
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.SignalRService" Version="1.7.0" />
+    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
     <PackageReference Include="TaskTupleAwaiter" Version="2.0.0" />
     <PackageReference Include="Scriban" Version="5.5.0" />
     <PackageReference Include="Octokit" Version="2.0.1" />
-    <PackageReference Include="Microsoft.TeamFoundationServer.Client" Version="19.209.0-preview" />
+    <PackageReference Include="Microsoft.TeamFoundationServer.Client" Version="19.219.0-preview" />
     <PackageReference Include="SmartAnalyzers.CSharpExtensions.Annotations" Version="4.2.7" />
   </ItemGroup>
   <ItemGroup>

src/ApiService/ApiService/onefuzzlib/ConfigOperations.cs

@@ -22,14 +22,13 @@ public ConfigOperations(ILogTracer log, IOnefuzzContext context, IMemoryCache ca
         _cache = cache;
     }
 
-    private sealed record InstanceConfigCacheKey();
-    private static readonly InstanceConfigCacheKey _key = new(); // singleton key
+    private static readonly object _instanceConfigCacheKey = new(); // singleton key; we only need hashcode/equality
     public Task<InstanceConfig> Fetch()
-        => _cache.GetOrCreateAsync(_key, async entry => {
+        => _cache.GetOrCreateAsync(_instanceConfigCacheKey, async entry => {
             entry = entry.SetAbsoluteExpiration(TimeSpan.FromMinutes(1)); // cached for 1 minute
             var key = _context.ServiceConfiguration.OneFuzzInstanceName ?? throw new Exception("Environment variable ONEFUZZ_INSTANCE_NAME is not set");
             return await GetEntityAsync(key, key);
-        });
+        })!; // NULLABLE: only this class inserts _instanceConfigCacheKey so it cannot be null
 
     public async Async.Task Save(InstanceConfig config, bool isNew = false, bool requireEtag = false) {
         var newConfig = config with { InstanceName = _context.ServiceConfiguration.OneFuzzInstanceName ?? throw new Exception("Environment variable ONEFUZZ_INSTANCE_NAME is not set") };
@@ -52,7 +51,7 @@ public async Async.Task Save(InstanceConfig config, bool isNew = false, bool req
         }
 
         if (r.IsOk) {
-            _ = _cache.Set(_key, newConfig);
+            _ = _cache.Set(_instanceConfigCacheKey, newConfig);
         }
 
         await _context.Events.SendEvent(new EventInstanceConfigUpdated(newConfig));

src/ApiService/ApiService/onefuzzlib/Creds.cs

@@ -95,14 +95,15 @@ public SubscriptionResource GetSubscriptionResource() {
         return ArmClient.GetSubscriptionResource(id);
     }
 
+    private static readonly object _baseRegionKey = new(); // we only need equality/hashcode
     public Async.Task<Region> GetBaseRegion() {
-        return _cache.GetOrCreateAsync(nameof(GetBaseRegion), async _ => {
+        return _cache.GetOrCreateAsync(_baseRegionKey, async _ => {
             var rg = await ArmClient.GetResourceGroupResource(GetResourceGroupResourceIdentifier()).GetAsync();
             if (rg.GetRawResponse().IsError) {
                 throw new Exception($"Failed to get base region due to [{rg.GetRawResponse().Status}] {rg.GetRawResponse().ReasonPhrase}");
             }
             return Region.Parse(rg.Value.Data.Location.Name);
-        });
+        })!; // NULLABLE: only this method inserts _baseRegionKey so it cannot be null
     }
 
     public Uri GetInstanceUrl() {
@@ -145,9 +146,10 @@ public async Async.Task<GenericResource> GetData(GenericResource resource) {
         return resource;
     }
 
+    private static readonly object _regionsKey = new(); // we only need equality/hashcode
     public Task<IReadOnlyList<Region>> GetRegions()
         => _cache.GetOrCreateAsync<IReadOnlyList<Region>>(
-            nameof(Creds) + "." + nameof(GetRegions),
+            _regionsKey,
             async entry => {
                 // cache for one day
                 entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromDays(1);
@@ -156,8 +158,7 @@ public Task<IReadOnlyList<Region>> GetRegions()
                     .GetLocationsAsync()
                     .Select(x => Region.Parse(x.Name))
                     .ToListAsync();
-            });
-
+            })!; // NULLABLE: only this method inserts _regionsKey so it cannot be null
 }
 
 

src/ApiService/ApiService/onefuzzlib/LogAnalytics.cs

@@ -31,11 +31,12 @@ private AccessToken GetToken() {
         return _creds.GetIdentity().GetToken(new TokenRequestContext(scopes));
     }
 
+    private static readonly object _monitorSettingsKey = new(); // we only need equality/hashcode
     public Async.Task<MonitorSettings> GetMonitorSettings() =>
-        _cache.GetOrCreateAsync(nameof(GetMonitorSettings), entry => {
+        _cache.GetOrCreateAsync(_monitorSettingsKey, entry => {
             entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(1);
             return GetMonitorSettingsInternal();
-        });
+        })!; // NULLABLE: only this method inserts _monitorSettingsKey so it cannot be null
 
     public async Async.Task<MonitorSettings> GetMonitorSettingsInternal() {
         var token = GetToken();

src/ApiService/ApiService/onefuzzlib/Storage.cs

@@ -117,8 +117,9 @@ public ArmClient GetMgmtClient() {
         return _armClient;
     }
 
+    private static readonly object _corpusAccountsKey = new(); // we only need equality/hashcode
     public IReadOnlyList<ResourceIdentifier> CorpusAccounts() {
-        return _cache.GetOrCreate<IReadOnlyList<ResourceIdentifier>>("CorpusAccounts", cacheEntry => {
+        return _cache.GetOrCreate<IReadOnlyList<ResourceIdentifier>>(_corpusAccountsKey, cacheEntry => {
             var skip = GetFuncStorage();
             var results = new List<ResourceIdentifier> { GetFuzzStorage() };
 
@@ -147,7 +148,7 @@ public IReadOnlyList<ResourceIdentifier> CorpusAccounts() {
 
             _log.Info($"corpus accounts: {JsonSerializer.Serialize(results)}");
             return results;
-        });
+        })!; // NULLABLE: only this method inserts _corpusAccountsKey so it cannot be null
     }
 
     public ResourceIdentifier GetPrimaryAccount(StorageType storageType)
@@ -194,7 +195,7 @@ public Task<BlobServiceClient> GetBlobServiceClientForAccountName(string account
             var accountKey = await GetStorageAccountKey(accountName);
             var skc = new StorageSharedKeyCredential(accountName, accountKey);
             return new BlobServiceClient(GetBlobEndpoint(accountName), skc);
-        });
+        })!; // NULLABLE: only this method inserts BlobClientKey so result cannot be null
     }
 
     sealed record TableClientKey(string AccountName);
@@ -204,7 +205,7 @@ public Task<TableServiceClient> GetTableServiceClientForAccountName(string accou
             var accountKey = await GetStorageAccountKey(accountName);
             var skc = new TableSharedKeyCredential(accountName, accountKey);
             return new TableServiceClient(GetTableEndpoint(accountName), skc);
-        });
+        })!; // NULLABLE: only this method inserts TableClientKey so result cannot be null
 
     sealed record QueueClientKey(string AccountName);
     private static readonly QueueClientOptions _queueClientOptions = new() { MessageEncoding = QueueMessageEncoding.Base64 };
@@ -214,5 +215,5 @@ public Task<QueueServiceClient> GetQueueServiceClientForAccountName(string accou
             var accountKey = await GetStorageAccountKey(accountName);
             var skc = new StorageSharedKeyCredential(accountName, accountKey);
             return new QueueServiceClient(GetQueueEndpoint(accountName), skc, _queueClientOptions);
-        });
+        })!; // NULLABLE: only this method inserts QueueClientKey so result cannot be null
 }

src/ApiService/ApiService/onefuzzlib/VmssOperations.cs

@@ -212,7 +212,7 @@ private Task<string> GetInstanceIdForVmId(Guid scaleset, Guid vmId)
             } else {
                 return foundInstanceId;
             }
-        });
+        })!; // NULLABLE: only this method inserts InstanceIdKey so it cannot be null
 
     public async Async.Task<OneFuzzResult<VirtualMachineScaleSetVmResource>> GetInstanceVm(Guid name, Guid vmId) {
         _log.Info($"get instance ID for scaleset node: {name:Tag:VmssName}:{vmId:Tag:VmId}");
@@ -402,8 +402,9 @@ public IAsyncEnumerable<VirtualMachineScaleSetVmResource> ListVmss(Guid name)
             .GetVirtualMachineScaleSetVms()
             .SelectAwait(async vm => vm.HasData ? vm : await vm.GetAsync());
 
+    private sealed record AvailableSkusKey(Region region);
     public Async.Task<IReadOnlyList<string>> ListAvailableSkus(Region region)
-        => _cache.GetOrCreateAsync<IReadOnlyList<string>>($"compute-skus-{region}", async entry => {
+        => _cache.GetOrCreateAsync<IReadOnlyList<string>>(new AvailableSkusKey(region), async entry => {
             entry = entry.SetAbsoluteExpiration(TimeSpan.FromMinutes(10));
 
             var sub = _creds.GetSubscriptionResource();
@@ -428,7 +429,7 @@ public Async.Task<IReadOnlyList<string>> ListAvailableSkus(Region region)
             }
 
             return skuNames;
-        });
+        })!; // NULLABLE: only this method inserts AvailableSkusKey so it cannot be null
 
     private async Async.Task<HashSet<string>> ResolveInstanceIds(Guid scalesetId, IEnumerable<Node> nodes) {
 

src/ApiService/ApiService/onefuzzlib/notifications/Ado.cs

@@ -105,8 +105,8 @@ private static WorkItemTrackingHttpClient GetAdoClient(Uri baseUrl, string token
         return new WorkItemTrackingHttpClient(baseUrl, new VssBasicCredential("PAT", token));
     }
 
-    private static async Async.Task<Dictionary<string, WorkItemField>> GetValidFields(WorkItemTrackingHttpClient client, string? project) {
-        return (await client.GetFieldsAsync(project, expand: GetFieldsExpand.ExtensionFields))
+    private static async Async.Task<Dictionary<string, WorkItemField2>> GetValidFields(WorkItemTrackingHttpClient client, string? project) {
+        return (await client.GetWorkItemFieldsAsync(project, expand: GetFieldsExpand.ExtensionFields))
             .ToDictionary(field => field.ReferenceName.ToLowerInvariant());
     }