Description
Install 7.0.420, 8.0.103, and 8.0.203 SDKs
`findstr /I /S System.Security.Cryptography.xml *deps.json` from the SDK folder

```
7.0.408-dev\Roslyn\Microsoft.Build.Tasks.CodeAnalysis.deps.json: "System.Security.Cryptography.Xml/4.7.0": {
8.0.103\Roslyn\Microsoft.Build.Tasks.CodeAnalysis.deps.json: "System.Security.Cryptography.Xml/6.0.0": {
8.0.203\Roslyn\Microsoft.Build.Tasks.CodeAnalysis.deps.json: "System.Security.Cryptography.Xml/6.0.0": {
```
The above versions had a known vulnerability. Even though the package isn't installed, we're trying to get clean on the scanners by updating where we can. Our focus is on 6.0.4xx, 7.0.4xx, and all 8 versions.
Looking at the deps.json, the value appears to come from these locations.
https://github.com/dotnet/roslyn/blob/release/dev17.7/eng/Versions.props#L37
https://github.com/dotnet/roslyn/blob/release/dev17.8/eng/Versions.props#L34
https://github.com/dotnet/roslyn/blob/release/dev17.9/eng/Versions.props#L34
MSBuild has an updated version of 17.3 (17.3.4) that you should be able to use in 17.9. For 17.7 and 17.8, can you update to 17.0 or 17.3 potentially?
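The `findstr` check above as a structured inventory, added here as an example (not part of the original issue and not Roslyn or SDK code): it parses each `*deps.json` instead of text-matching, so it reports the exact version per file and skips unreadable files. The function names and the sample tree are assumptions constructed for illustration; the flagged set holds the two versions listed in the issue.

```python
import json
import tempfile
from pathlib import Path

PACKAGE = "System.Security.Cryptography.Xml"
FLAGGED = {"4.7.0", "6.0.0"}  # versions reported in the issue above

def package_versions(deps_path, package=PACKAGE):
    """Versions of `package` named in one deps.json ("targets" and "libraries" keys)."""
    doc = json.loads(Path(deps_path).read_text(encoding="utf-8-sig"))
    keys = set(doc.get("libraries", {}))
    for target in doc.get("targets", {}).values():
        keys.update(target)
    versions = set()
    for key in keys:  # keys look like "Name/Version"
        name, _, version = key.partition("/")
        if name.lower() == package.lower() and version:
            versions.add(version)
    return versions

def scan_sdk_root(root, package=PACKAGE, flagged=FLAGGED):
    """Return sorted (relative path, version, is_flagged) rows for every *deps.json under root."""
    root, rows = Path(root), []
    for path in root.rglob("*deps.json"):
        try:
            found = package_versions(path, package)
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue  # unreadable file: skip rather than abort the inventory
        rel = path.relative_to(root).as_posix()
        rows.extend((rel, v, v in flagged) for v in found)
    return sorted(rows)

def build_sample_tree(root):
    """Write a constructed two-SDK layout (sample data, not real SDK contents)."""
    name = "Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json"
    for sdk, version in (("8.0.103", "4.7.0"), ("sample-sdk", "0.0.0-sample")):
        key = f"{PACKAGE}/{version}"
        doc = {"targets": {".NETCoreApp,Version=v8.0": {key: {}}},
               "libraries": {key: {"type": "package"}}}
        path = Path(root) / sdk / name
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(doc), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version, hit in scan_sdk_root(tmp):
            print(f"{'FLAGGED' if hit else 'ok':8}{rel}: {version}")
```

Point `scan_sdk_root` at the SDK install folder to get the same per-file listing as the `findstr` run, with each version marked against the flagged set.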