[main] Resolve Component Governance alert for Newtonsoft.Json (Azur…

…e#6762) `Microsoft.Azure.Devices.Client` and `Microsoft.Azure.WebJobs` utilized a version of `Newtonsoft.Json` that "is vulnerable to insecure [defaults] due to improper handling of expressions with high nesting level". Pin version `13.0.1` of `Newtonsoft.Json`, which is no longer vulnerable to this. ## Azure IoT Edge PR checklist:
micahl · Nov 15, 2022 · 7e7636e · 7e7636e
1 parent 70b470f
commit 7e7636e
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/...rosoft.Azure.WebJobs.Extensions.EdgeHub/Microsoft.Azure.WebJobs.Extensions.EdgeHub.csproj b/...rosoft.Azure.WebJobs.Extensions.EdgeHub/Microsoft.Azure.WebJobs.Extensions.EdgeHub.csproj
@@ -28,14 +28,21 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <None Include="..\..\..\..\..\LICENSE" Pack="true" PackagePath=""/>
-    <None Include="images\icon.png" Pack="true" PackagePath=""/>
+    <None Include="..\..\..\..\..\LICENSE" Pack="true" PackagePath="" />
+    <None Include="images\icon.png" Pack="true" PackagePath="" />
   </ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Devices.Client" Version="1.36.6" />
     <PackageReference Include="Microsoft.Azure.WebJobs" Version="3.0.27" />
     <PackageReference Include="System.Text.Encodings.Web" Version="4.7.2" />
+    <!--
+        Newtonsoft.Json < 13.0.1 has a vulnerability due to insecure defaults.
+        Use an explicit reference to ensure the transitive dependency through
+        Microsoft.Azure.Devices.Client and Microsoft.Azure.WebJobs is a safe
+        version.
+    -->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/samples/dotnet/EdgeDownstreamDevice/EdgeDownstreamDevice.csproj b/samples/dotnet/EdgeDownstreamDevice/EdgeDownstreamDevice.csproj
@@ -10,5 +10,11 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Devices.Client" Version="1.36.6" />
+    <!--
+        Newtonsoft.Json < 13.0.1 has a vulnerability due to insecure defaults.
+        Use an explicit reference to ensure the transitive dependency through
+        Microsoft.Azure.Devices.Client is a safe version.
+    -->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
   </ItemGroup>
 </Project>
diff --git a/samples/dotnet/EdgeX509AuthDownstreamDevice/EdgeX509AuthDownstreamDevice.csproj b/samples/dotnet/EdgeX509AuthDownstreamDevice/EdgeX509AuthDownstreamDevice.csproj
@@ -10,6 +10,12 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Devices.Client" Version="1.36.6" />
+    <!--
+        Newtonsoft.Json < 13.0.1 has a vulnerability due to insecure defaults.
+        Use an explicit reference to ensure the transitive dependency through
+        Microsoft.Azure.Devices.Client is a safe version.
+    -->
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
   </ItemGroup>
 
   <ItemGroup>