Microsoft.Build.Tasks.CodeAnalysis.deps.json mentions a vulnerable version of Microsoft.Build.Tasks.Core

[ericstj]

Version Used:
dotnet 10.0-preview5

Steps to Reproduce:

1. Install dotnet 10.0 preview 5
2. Look for references to vulnerable versions of Microsoft.Build.Tasks.Core
3. sdk/10.0.100-preview.5.25277.114/Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json mentions version 17.11.4

Expected Behavior:
No vulnerable versions referenced (these can lead to security scanner false positives).

Actual Behavior:
Vulnerable version mentioned.

I suspect that this may go away when roslyn builds Microsoft.Build.Tasks.CodeAnalysis with the latest SDK since it should have dotnet/sdk#46218 cc @dsplaisted

Still I'd like us to track this issue and resolve once someone has confirmed. If it's not getting removed automatically it could be due to a problem with how the package is referenced (not appropriately excluded) or an issue with the SDK feature.

[rainersigwald]

In the short term we could also consider bumping that reference to 17.11.31, which is API-identical to that vulnerable version but is patched so won't trigger scanners/alerts.

[rainersigwald]

(Because I wasn't sure: this assembly actually has a perfectly legitimate reason to reference Microsoft.Build.Tasks.Core, because the Csc task used to be there so some interfaces it needs are there.)