Fix warning "Component Governance detected 5 security related alerts at or above 'High' severity."

[wtgodbe]

Part of #22240

Happens during component detection. Whole warning text:

##[warning]Component Governance detected 5 security related alerts at or above 'High' severity. Microsoft’s Open Source policy requires that all high and critical security vulnerabilities found by this task be addressed by upgrading vulnerable components. Vulnerabilities in indirect dependencies should be addressed by upgrading the root dependency.

[dougbu]

@mkArtakMSFT are these the type of warnings you often handle?

Current table looks like

[INFO] __________________________________________________________________________________________________________________ 
[INFO] |Security Alerts                                                                                                 | 
[INFO] |________________________________________________________________________________________________________________| 
[INFO] |Alert title                             |Affected component                      |Severity                      | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |CVE-2019-10744                          |lodash 4.17.11                          |Critical                      | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |CVE-2020-0603                           |Microsoft.AspNetCore.Http.Connections 1.0.1|Critical                      | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |CVE-2020-0605                           |Microsoft.WindowsDesktop.App.Ref 3.0.0  |Critical                      | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |CVE-2019-5448                           |yarn 1.15.2                             |High                          | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |WS-2020-0070                            |lodash 4.17.15                          |High                          | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |WS-2020-0070                            |lodash 4.17.14                          |High                          | 
[INFO] |________________________________________|________________________________________|______________________________| 
[INFO] |WS-2020-0070                            |lodash 4.17.11                          |High                          | 
[INFO] |________________________________________|________________________________________|______________________________| 

[dougbu]

@Pilchie who should this issue be assigned to❔

[Pilchie]

Going to start with @mkArtakMSFT.

[mkArtakMSFT]

Will look into this today.

[mkArtakMSFT]

I've looked through this list.
Dismissed the Http.Connections one as it was only referred from a test code, so is not really a vulnerability.
For the Desktop one - It's referenced from a ref package: /s/.packages/microsoft.windowsdesktop.app.ref/3.1.0/microsoft.windowsdesktop.app.ref.3.1.0.nupkg, which I don't have context about. I am not familiar with that package, so can't comment. @dougbu can this specific reference be updated, this is the recommendation in the alert:

"Upgrade to version Microsoft.WindowsDesktop.App - 3.0.2,3.1.1"

As for the rest - those are npm packages, which we should update not one by one, but all at one - in the SPA project templates. Will try to squeeze this work in preview7.

[dougbu]

The reference to the 3.1.0 version of aspnetcore/x64 in our global.json file brings in that version of Microsoft.WindowsDesktop.App.Ref. @pranavkm added this in 592dfe1. He mentioned this was needed because "dotnet-serve doesn't roll forward to a 5.0 runtime" in #22296.

Since this global.json entry and the aspnetcore/x86 one are used only when running the dotnet-server tool, moving to 3.1.4 should have no downside. Right @pranavkm❔

But, @pranavkm could this pull in just the .NET runtime instead and do we really need the x86 copy❔ That is,

      "dotnet/x64": [
        "2.1.11",
        "3.1.4",
        "$(MicrosoftNETCoreAppInternalPackageVersion)"
      ],

I ask because these additional runtimes worsen our disk space issues and increase the chances of failed runtime downloads i.e reduce build reliability.

[pranavkm]

Since this global.json entry and the aspnetcore/x86 one are used only when running the dotnet-server tool, moving to 3.1.4 should have no downside

The roll forward should work for patch versions, just not a 5.0 preview runtime.

do we really need the x86 copy

Perhaps not It's only needed to run the WASM template tests, so if we aren't running the tests in x86, we should be good.

could this pull in just the .NET runtime instead

It's a web application that targets the ASP.NET 3.1 runtime, I don't think having the .NET Core runtime would suffice.

[dougbu]

One type of warning addressed in 4096bb8