Update docker-creds-provider to address vulnerable system.text.json dependency.

.gitmodules

@@ -16,15 +16,12 @@
 [submodule "src/azure-activedirectory-identitymodel-extensions-for-dotnet"]
 	path = src/azure-activedirectory-identitymodel-extensions-for-dotnet
 	url = https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet.git
-[submodule "src/docker-creds-provider-2.2.0"]
-	path = src/docker-creds-provider-2.2.0
-	url = https://github.com/mthalman/docker-creds-provider
-[submodule "src/docker-creds-provider-2.2.1"]
-	path = src/docker-creds-provider-2.2.1
-	url = https://github.com/mthalman/docker-creds-provider
 [submodule "xunit"]
 	path = src/xunit
 	url = https://github.com/xunit/xunit
 [submodule "abstractions-xunit"]
 	path = src/abstractions-xunit
 	url = https://github.com/xunit/abstractions.xunit
+[submodule "src/docker-creds-provider"]
+	path = src/docker-creds-provider
+	url = https://github.com/mthalman/docker-creds-provider

Directory.Build.props

@@ -30,6 +30,10 @@
     <PatchesDir>$(ProjectDir)patches/</PatchesDir>
     <!-- if we're not currently building,  Visual Studio will still set this -->
     <SDK_VERSION Condition="'$(SDK_VERSION)' == ''">$(NETCoreSdkVersion)</SDK_VERSION>
+    <XPlatTasksDir>$(MSBuildThisFileDirectory)eng/tasks/Microsoft.DotNet.SourceBuild.Tasks.XPlat/</XPlatTasksDir>
+    <XPlatTasksBinDir>$(XPlatTasksDir)bin/$(Configuration)/</XPlatTasksBinDir>
+    <XPlatSourceBuildTasksAssembly>$(XPlatTasksBinDir)Microsoft.DotNet.SourceBuild.Tasks.XPlat.dll</XPlatSourceBuildTasksAssembly>
+    <SdkReferenceDir>$(DotNetCliToolDir)sdk/$(SDK_VERSION)/</SdkReferenceDir>
   </PropertyGroup>
 
   <!--

build.sh

@@ -13,4 +13,11 @@ while [[ -h $source ]]; do
 done
 
 scriptroot="$( cd -P "$( dirname "$source" )" && pwd )"
+
+sdkLine=$(grep -m 1 'dotnet' "$scriptroot/global.json")
+sdkPattern="\"dotnet\" *: *\"(.*)\""
+if [[ $sdkLine =~ $sdkPattern ]]; then
+  export SDK_VERSION=${BASH_REMATCH[1]}
+fi
+
 "$scriptroot/eng/common/build.sh" --build --restore "$@"

eng/Build.props

@@ -1,6 +1,9 @@
 <Project>
 
   <ItemGroup>
+    <ProjectToBuild Include="$(RepoRoot)eng\tasks\Microsoft.DotNet.SourceBuild.Tasks.XPlat\*.csproj">
+      <BuildInParallel>false</BuildInParallel>
+    </ProjectToBuild>
     <ProjectToBuild Include="$(RepoRoot)repo-projects\*.proj" />
   </ItemGroup>
 

eng/Version.Details.xml

@@ -1,6 +1,26 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Dependencies>
   <ToolsetDependencies>
+    <Dependency Name="Microsoft.Build" Version="17.8.5">
+      <Uri>https://github.com/dotnet/msbuild</Uri>
+      <Sha>b5265ef370a651f8c3458110b804e5cbf869eeb5</Sha>
+    </Dependency>
+    <!-- Intermediate is necessary for source build. -->
+    <Dependency Name="Microsoft.SourceBuild.Intermediate.msbuild" Version="17.8.5-preview-24055-02">
+      <Uri>https://github.com/dotnet/msbuild</Uri>
+      <Sha>b5265ef370a651f8c3458110b804e5cbf869eeb5</Sha>
+      <SourceBuild RepoName="msbuild" ManagedOnly="true" />
+    </Dependency>
+    <Dependency Name="System.Text.Json" Version="8.0.5">
+      <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
+      <Sha>9cb3b725e3ad2b57ddc9fb2dd48d2d170563a8f5</Sha>
+    </Dependency>
+    <!-- Intermediate is necessary for source build. -->
+    <Dependency Name="Microsoft.SourceBuild.Intermediate.runtime" Version="8.0.11-servicing.24517.7">
+      <Uri>https://dev.azure.com/dnceng/internal/_git/dotnet-runtime</Uri>
+      <Sha>9cb3b725e3ad2b57ddc9fb2dd48d2d170563a8f5</Sha>
+      <SourceBuild RepoName="runtime" ManagedOnly="false" />
+    </Dependency>
     <Dependency Name="Microsoft.DotNet.Arcade.Sdk" Version="8.0.0-beta.24516.1">
       <Uri>https://github.com/dotnet/arcade</Uri>
       <Sha>f7fb1fec01b91be69e4dcc5290a0bff3f28e214f</Sha>

eng/Versions.props

@@ -8,4 +8,8 @@
     <PreReleaseVersionLabel>alpha</PreReleaseVersionLabel>
     <PreReleaseVersionIteration>1</PreReleaseVersionIteration>
   </PropertyGroup>
+
+  <PropertyGroup>
+    <MicrosoftBuildVersion>17.8.5</MicrosoftBuildVersion>
+  </PropertyGroup>
 </Project>

eng/tasks/Directory.Build.props

@@ -0,0 +1,26 @@
+<Project>
+  <Import Project="$([MSBuild]::GetPathOfFileAbove(Directory.Build.props, $(MSBuildThisFileDirectory)..))" />
+
+  <PropertyGroup>
+    <!-- Build all tasks as AnyCPU to match NuGet DLLs in the SDK: avoid warnings. -->
+    <Platform>AnyCPU</Platform>
+    <!--
+      Do not import the Arcade SDK for the local tooling projects. This lets us
+      build them with just the .NET SDK, simplifying the build.
+    -->
+    <SkipArcadeSdkImport>true</SkipArcadeSdkImport>
+  </PropertyGroup>
+
+  <!--
+    Use some assemblies from the SDK, instead of package references. This ensures they match what's
+    found when the task is loaded by the SDK's MSBuild.
+  -->
+  <ItemGroup>
+    <SdkAssembly Include="$(SdkReferenceDir)Newtonsoft.Json.dll" />
+
+    <SdkAssemblyReference
+      Include="@(SdkAssembly -> '%(FileName)')"
+      HintPath="$(SdkReferenceDir)%(Identity).dll" />
+  </ItemGroup>
+
+</Project>

eng/tasks/Microsoft.DotNet.SourceBuild.Tasks.XPlat/Microsoft.DotNet.SourceBuild.Tasks.XPlat.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <OutputPath>$(XPlatTasksBinDir)</OutputPath>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <!-- Default assembly version causes CS7034. Assembly info is not necessary given this
+         msbuild task assembly is for build only purposes. -->
+    <GenerateAssemblyInfo>False</GenerateAssemblyInfo>
+    <Deterministic>False</Deterministic>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="$(MicrosoftBuildVersion)" />
+    <PackageReference Include="Microsoft.Build.Framework" Version="$(MicrosoftBuildVersion)" />
+    <PackageReference Include="Microsoft.Build.Tasks.Core" Version="$(MicrosoftBuildVersion)" />
+    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="$(MicrosoftBuildVersion)" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Reference Include="@(SdkAssemblyReference)" />
+  </ItemGroup>
+
+</Project>

eng/tasks/Microsoft.DotNet.SourceBuild.Tasks.XPlat/UpdateJson.cs

@@ -0,0 +1,69 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.IO;
+using System.Linq;
+using Newtonsoft.Json;
+using Newtonsoft.Json.Linq;
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+
+namespace Microsoft.DotNet.Build.Tasks
+{
+    // Takes a path to a path to a json file and a
+    // string that represents a dotted path to an attribute
+    // and updates that attribute with the new value provided. 
+    public class UpdateJson : Task
+    {
+        [Required]
+        public string JsonFilePath { get; set; }
+
+        [Required]
+        public string PathToAttribute { get; set; }
+
+        [Required]
+        public string NewAttributeValue { get; set; }
+
+        public bool SkipUpdateIfMissingKey { get; set; }
+
+        public override bool Execute()
+        {
+            JObject jsonObj = JObject.Parse(File.ReadAllText(JsonFilePath));
+
+            string[] escapedPathToAttributeParts = PathToAttribute.Replace("\\.", "\x1F").Split('.');
+            for (int i = 0; i < escapedPathToAttributeParts.Length; ++i)
+            {
+                escapedPathToAttributeParts[i] = escapedPathToAttributeParts[i].Replace("\x1F", ".");
+            }
+            UpdateAttribute(jsonObj, escapedPathToAttributeParts, NewAttributeValue);
+
+            File.WriteAllText(JsonFilePath, jsonObj.ToString());
+            return true;
+        }
+
+        private void UpdateAttribute(JToken jsonObj, string[] path, string newValue)
+        {
+            string pathItem = path[0];
+            if (jsonObj[pathItem] == null)
+            {
+                string message = $"Path item [{nameof(PathToAttribute)}] not found in json file.";
+                if (SkipUpdateIfMissingKey)
+                {
+                    Log.LogMessage(MessageImportance.Low, $"Skipping update: {message} {pathItem}");
+                    return;
+                }
+                throw new ArgumentException(message, pathItem);
+            }
+
+            if (path.Length == 1) 
+            {
+                jsonObj[pathItem] = newValue;
+                return;
+            }
+
+            UpdateAttribute(jsonObj[pathItem], path.Skip(1).ToArray(), newValue);
+        }
+    }
+}

repo-projects/Directory.Build.targets

@@ -8,6 +8,7 @@
   </PropertyGroup>
 
   <UsingTask TaskName="Microsoft.DotNet.Arcade.Sdk.SourceBuild.AddSourceToNuGetConfig" AssemblyFile="$(ArcadeSdkBuildTasksAssembly)" />
+  <UsingTask TaskName="UpdateJson" AssemblyFile="$(XPlatSourceBuildTasksAssembly)" />
 
   <Target Name="BuildRepoReferences" Condition="'@(RepositoryReference)' != '' and '$(SkipRepoReferences)' != 'true'">
     <Message Importance="High" Text="Building dependencies [@(RepositoryReference)] needed by '$(RepositoryName)'." />

repo-projects/docker-creds-provider-2.2.0.proj → repo-projects/docker-creds-provider.proj

@@ -1,6 +1,6 @@
 <Project>
   <PropertyGroup>
-    <DockerCredsProviderPackageVersion>2.2.0</DockerCredsProviderPackageVersion>
+    <DockerCredsProviderPackageVersion>2.2.4</DockerCredsProviderPackageVersion>
   </PropertyGroup>
 
   <Import Project="docker-creds-provider.targets" />

repo-projects/docker-creds-provider.targets

@@ -6,6 +6,7 @@
   <Import Project="Sdk.props" Sdk="Microsoft.NET.Sdk" />
 
   <PropertyGroup>
+    <GlobalJsonFile>$(ProjectDirectory)/global.json</GlobalJsonFile>
     <PackagesOutput>$(ProjectDirectory)/src/Valleysoft.DockerCredsProvider/bin/$(Configuration)/</PackagesOutput>
   </PropertyGroup>