@rogerbarreto
Member

Contributor

Copilot AI left a comment

Pull request overview

This PR addresses a security vulnerability (issue #2628) by adding multi-targeting support for .NET 8.0 and 9.0 frameworks to the Agent_With_GoogleGemini sample, and conditionally including the System.Net.Security package (version 4.3.2) for those older frameworks.

Key Changes:

  • Added multi-targeting support for net8.0, net9.0, and net10.0 frameworks
  • Added System.Net.Security version 4.3.2 to address security vulnerabilities in older .NET versions
  • Suppressed the NU1510 warning related to the .NET 10 SDK-specific "PackageReference System.Net.Security will not be pruned" error

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| dotnet/Directory.Packages.props | Added System.Net.Security version 4.3.2 package reference to centralized package management |
| dotnet/samples/GettingStarted/AgentProviders/Agent_With_GoogleGemini/Agent_With_GoogleGemini.csproj | Extended target frameworks to include net8.0 and net9.0, added conditional System.Net.Security package reference for non-net10.0 targets, and suppressed NU1510 warning |

@stephentoub
Member

What is the underlying issue and how does this fix it?

@rogerbarreto added this pull request to the merge queue Dec 4, 2025
@stephentoub
Member

I do not understand this change. There's no vulnerability in the sample. This is diverging from all the other samples purely to add a problem that it can then suppress. Any vulnerability here would be in the 3rd party package, and a proper fix should be there.

Merged via the queue into microsoft:main with commit ee340be Dec 4, 2025
21 checks passed
@rogerbarreto
Member Author

> I do not understand this change. There's no vulnerability in the sample. This is diverging from all the other samples purely to add a problem that it can then suppress. Any vulnerability here would be in the 3rd party package, and a proper fix should be there.

I agree in part on this as we discussed on another parallel thread.

My understanding and justification for this is that we currently also support .NET 8, .NET 9, and .NET 10 targets; the fact that the demo exposes some 3rd-party vulnerabilities in .NET 8 and .NET 9 should, from my perspective, be handled with extra care from our side, even though this is not our issue.

If there's a workaround, I'm showing how it can be achieved in those versions, although I think proper documentation explaining the reasoning behind why this is a bit different is worth investing in. I will add an explanation to the README as well as to the csproj.

cc @markwallace-microsoft

Successfully merging this pull request may close these issues.

.NET: Address Vulnerable Packages in Google Gemini Sample
