Skip to content

Bump System.Text.Json version due to CVE-2024-30105 #5744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 11, 2024
Merged

Bump System.Text.Json version due to CVE-2024-30105 #5744

merged 5 commits into from
Jul 11, 2024

Conversation

@rajkumar-rangaraj
Copy link
Member

@rajkumar-rangaraj rajkumar-rangaraj commented Jul 9, 2024
edited
Loading

Discussion for this issue can be found at dotnet/runtime#104619

  • The test and example project references for System.Text.Json have been updated.
  • The Console and Zipkin exporters use a safe version (4.7.2) of System.Text.Json, so no update is needed there.

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)

@rajkumar-rangaraj rajkumar-rangaraj requested a review from a team July 9, 2024 23:35
@github-actions github-actions bot added infra Infra work - CI/CD, code coverage, linters dependencies Pull requests that update a dependency file documentation Documentation related pkg:OpenTelemetry.Exporter.Console Issues related to OpenTelemetry.Exporter.Console NuGet package pkg:OpenTelemetry.Exporter.Zipkin Issues related to OpenTelemetry.Exporter.Zipkin NuGet package labels Jul 9, 2024
cijothomas
cijothomas reviewed Jul 9, 2024
View reviewed changes
@codecov
Copy link

codecov bot commented Jul 9, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.19%. Comparing base (6250307) to head (f203db7).
Report is 278 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #5744      +/-   ##
==========================================
+ Coverage   83.38%   86.19%   +2.81%     
==========================================
  Files         297      254      -43     
  Lines       12531    11057    -1474     
==========================================
- Hits        10449     9531     -918     
+ Misses       2082     1526     -556
Flag Coverage Δ
unittests ?
unittests-Project-Experimental 86.12% <ø> (?)
unittests-Project-Stable 86.19% <ø> (?)
unittests-Solution 86.17% <ø> (?)
unittests-UnstableCoreLibraries-Experimental 85.86% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 197 files with indirect coverage changes

reyang
reyang reviewed Jul 9, 2024
View reviewed changes
reyang
reyang reviewed Jul 9, 2024
View reviewed changes
reyang
reyang reviewed Jul 9, 2024
View reviewed changes
@Kielek Kielek mentioned this pull request Jul 10, 2024
Merged
2 tasks
@stevejgordon stevejgordon mentioned this pull request Jul 10, 2024
Merged
3 tasks
@cremor
Copy link

cremor commented Jul 10, 2024

FYI: dotnet/runtime#104619 (comment)
Meaning: Maybe the version you are currently using isn't even vulnerable.

@rajkumar-rangaraj
Copy link
Member Author

rajkumar-rangaraj commented Jul 10, 2024

FYI: dotnet/runtime#104619 (comment) Meaning: Maybe the version you are currently using isn't even vulnerable.

Thanks @cremor 4.7.2 version is not vulnerable. I will change this PR to update the test and examples package.

@github-actions github-actions bot removed pkg:OpenTelemetry.Exporter.Console Issues related to OpenTelemetry.Exporter.Console NuGet package pkg:OpenTelemetry.Exporter.Zipkin Issues related to OpenTelemetry.Exporter.Zipkin NuGet package labels Jul 10, 2024
@rajkumar-rangaraj
Copy link
Member Author

rajkumar-rangaraj commented Jul 10, 2024

CI is reporting the below errors, but 4.7.2 is not vulnerable.

image

@cijothomas cijothomas closed this Jul 11, 2024
@cijothomas cijothomas reopened this Jul 11, 2024
@cijothomas
Copy link
Member

cijothomas commented Jul 11, 2024

@alanwest Could you help merge this? Blanch is on vacation, and this is pre-req to unblock any other PRs.

@cijothomas
Copy link
Member

cijothomas commented Jul 11, 2024

@alanwest Could you help merge this? Blanch is on vacation, and this is pre-req to unblock any other PRs.

Looks like Alan is also on vacation, so need someone from TC to merge. @reyang can you help?

@alanwest
Copy link
Member

alanwest commented Jul 11, 2024

I am out today, but could be available to merge this. Will be near a computer soonish. I see build failed though...

@cijothomas
Copy link
Member

cijothomas commented Jul 11, 2024

I am out today, but could be available to merge this. Will be near a computer soonish. I see build failed though...

Prior failure was due to nuget/ci bug that incorrectly detected 4.7.2 as vulnerable. I re-triggerred CI, hopefully it should pass!

@cijothomas
Copy link
Member

cijothomas commented Jul 11, 2024

CI is green now :)

@alanwest alanwest merged commit dbe2ce3 into open-telemetry:main Jul 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reyang reyang reyang left review comments

@alanwest alanwest alanwest approved these changes

@cijothomas cijothomas cijothomas approved these changes

@Kielek Kielek Kielek approved these changes

+2 more reviewers

@utpilla utpilla utpilla left review comments

@vishweshbankwar vishweshbankwar vishweshbankwar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file documentation Documentation related infra Infra work - CI/CD, code coverage, linters

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@rajkumar-rangaraj @cremor @cijothomas @alanwest @Kielek @reyang @vishweshbankwar @utpilla