From 0730934a29ad54b8909206bd2446cac864cec421 Mon Sep 17 00:00:00 2001 From: mehmet-yoti Date: Thu, 14 May 2026 17:27:51 +0100 Subject: [PATCH 1/5] SDK-2805 Phase 1: close transitive CVEs in example app dependency graphs Closes the Critical GHSA-ghhp-997w-qr28 (System.Text.Encodings.Web 4.5.0) in CoreExample/DigitalIdentity/DocScan and the High GHSA-cmhx-cq75-c4mj (System.Text.RegularExpressions 4.3.0) across all four examples. CoreExample & DigitalIdentityExample: - Drop Microsoft.AspNetCore.Hosting.Abstractions 2.2.0 and Microsoft.AspNetCore.StaticFiles 2.2.0 (in-box via Microsoft.NET.Sdk.Web) - Drop Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4 and deprecated DotNetCliToolReference (scaffolding-only, not used at runtime) - Microsoft.CodeAnalysis.{Common,CSharp,CSharp.Workspaces} 4.9.2/4.2.0 -> 4.13.0 - Microsoft.VisualStudio.Azure.Containers.Tools.Targets 1.20.1/1.16.1 -> 1.23.0 DocScanExample: drop Microsoft.VisualStudio.Web.CodeGeneration.Design 3.1.4. AmlExample: Newtonsoft.Json 13.0.3 -> 13.0.4. All four examples: DotNetEnv 2.3.0 -> 3.2.0, plus explicit System.Text.RegularExpressions 4.3.1 to override the vulnerable 4.3.0 that DotNetEnv 3.2.0 still drags in transitively via Microsoft.Extensions.Configuration 1.1.2 -> NETStandard.Library 1.6.1. Verified: dotnet list package --vulnerable --include-transitive reports zero findings on all four example projects; all four build clean. --- src/Examples/Aml/AmlExample/AmlExample.csproj | 5 +++-- .../DigitalIdentityExample.csproj | 18 ++++++------------ .../DocScanExample/DocScanExample.csproj | 4 ++-- .../Profile/CoreExample/CoreExample.csproj | 18 ++++++------------ 4 files changed, 17 insertions(+), 28 deletions(-) diff --git a/src/Examples/Aml/AmlExample/AmlExample.csproj b/src/Examples/Aml/AmlExample/AmlExample.csproj index ab68935f..65b0d322 100644 --- a/src/Examples/Aml/AmlExample/AmlExample.csproj +++ b/src/Examples/Aml/AmlExample/AmlExample.csproj @@ -11,8 +11,9 @@ - - + + + 
diff --git a/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj b/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj index b24d78cf..512861eb 100644 --- a/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj +++ b/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj @@ -17,18 +17,12 @@ - - - - - - - - - - - - + + + + + + diff --git a/src/Examples/DocScan/DocScanExample/DocScanExample.csproj b/src/Examples/DocScan/DocScanExample/DocScanExample.csproj index 37004042..d89392d9 100644 --- a/src/Examples/DocScan/DocScanExample/DocScanExample.csproj +++ b/src/Examples/DocScan/DocScanExample/DocScanExample.csproj @@ -5,8 +5,8 @@ - - + + diff --git a/src/Examples/Profile/CoreExample/CoreExample.csproj b/src/Examples/Profile/CoreExample/CoreExample.csproj index e6566123..504a435b 100644 --- a/src/Examples/Profile/CoreExample/CoreExample.csproj +++ b/src/Examples/Profile/CoreExample/CoreExample.csproj @@ -14,18 +14,12 @@ - - - - - - - - - - - - + + + + + + From 3cf446378edcbb5c67bc0381ef36204d59caf284 Mon Sep 17 00:00:00 2001 
From: mehmet-yoti Date: Thu, 14 May 2026 17:29:23 +0100 Subject: [PATCH 2/5] SDK-2805 Phase 2: core SDK hygiene bumps to close latent CVE surface No advisory currently reports against Yoti.Auth.csproj, but several pins are years out of date. Bumps: - Google.Protobuf 3.26.1 -> 3.30.2 (stay on 3.x; wire/API compatible with existing src/Yoti.Auth/ProtoBuf/**/*.cs, no regen needed) - JsonSubTypes 1.9.0 -> 2.0.1 - Newtonsoft.Json 13.0.3 -> 13.0.4 - NLog 5.0.1 -> 5.5.1 (latest 5.x; holding back from 6.x to keep legacy TFM support) - Portable.BouncyCastle 1.8.5 -> 1.9.0 (per-TFM gated: 1.9.0 dropped netstandard1.6, so we keep 1.8.5 for that legacy target only) - Microsoft.CodeAnalysis.NetAnalyzers 7.0.3 -> 9.0.0 (analyzer only) - System.Net.Http 4.3.4: gated to legacy TFMs only (net452/462/472/48 and netstandard1.6). On netstandard2.1/netcoreapp3.1/net6.0 the in-box BCL HttpClient is used; the NuGet shim is unnecessary and was causing potential assembly conflicts. Verified: all 8 TFMs build clean; dotnet list --vulnerable reports zero findings. --- src/Yoti.Auth/Yoti.Auth.csproj | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/Yoti.Auth/Yoti.Auth.csproj b/src/Yoti.Auth/Yoti.Auth.csproj index 31378ca5..b35f793c 100644 --- a/src/Yoti.Auth/Yoti.Auth.csproj +++ b/src/Yoti.Auth/Yoti.Auth.csproj @@ -37,18 +37,28 @@ - - - + + + all runtime; build; native; contentfiles; analyzers; buildtransitive - - + + + + + + + + + + + + + - From d9131c1b4f4d806d92a4c34e3f12344c49efaa2f Mon Sep 17 00:00:00 2001 
From: mehmet-yoti Date: Thu, 14 May 2026 17:38:15 +0100 Subject: [PATCH 3/5] SDK-2805 Phase 3: bump coverlet.msbuild 6.0.2 -> 6.0.4 Conservative test-project bump. Attempted broader upgrades but reverted: - MSTest.{TestAdapter,TestFramework} 2.2.10 -> 3.6.4: surfaces 3 pre- existing test bugs around ThrowsExceptionAsync semantics. Out of scope for a security PR; MSTest 2.2.10 has no advisory. - Microsoft.NET.Test.Sdk 17.2.0 -> 17.13.0: requires MSTest 3.x. - Moq 4.18.1 -> 4.18.4 (within [4.18.4,4.20.0) range to avoid the 4.20+ SponsorLink telemetry): 4.18.4 introduces a regression in dynamic- argument serialization that breaks DocScanClientTests (OutOfMemoryException in JsonConvert.SerializeObject of a Moq-captured dynamic). Holding 4.18.1; no advisory against it. All 811 tests pass. --- test/Yoti.Auth.Tests/Yoti.Auth.Tests.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Yoti.Auth.Tests/Yoti.Auth.Tests.csproj b/test/Yoti.Auth.Tests/Yoti.Auth.Tests.csproj index 9f8e3811..c2d48b78 100644 --- a/test/Yoti.Auth.Tests/Yoti.Auth.Tests.csproj +++ b/test/Yoti.Auth.Tests/Yoti.Auth.Tests.csproj @@ -28,7 +28,7 @@ - + all runtime; build; native; contentfiles; analyzers; buildtransitive From 82ed952a38e49aa41c3a1895d743da33e9805076 Mon Sep 17 00:00:00 2001 
From: mehmet-yoti Date: Thu, 14 May 2026 17:40:31 +0100 Subject: [PATCH 4/5] SDK-2805 Phase 4: pin System.Net.Http 4.3.4 in examples to close GHSA-7jgj-8wvc-jh57 After Phase 2 gated System.Net.Http 4.3.4 to legacy TFMs only in the core SDK, the four example apps re-surfaced the High advisory via DotNetEnv 3.2.0 -> Microsoft.Extensions.Configuration 1.1.2 -> NETStandard.Library 1.6.1 -> System.Net.Http 4.3.0 (the vulnerable pre-patch version). Adding an explicit PackageReference for 4.3.4 (the fixed shim) in each example forces NuGet to resolve the patched version transitively. Verified: dotnet list --vulnerable --include-transitive reports zero findings across all 6 projects (core, tests, 4 examples). All 811 tests pass; all 5 buildable projects compile clean. --- src/Examples/Aml/AmlExample/AmlExample.csproj | 1 + .../DigitalIdentity/DigitalIdentityExample.csproj | 1 + src/Examples/DocScan/DocScanExample/DocScanExample.csproj | 1 + src/Examples/Profile/CoreExample/CoreExample.csproj | 1 + 4 files changed, 4 insertions(+) diff --git a/src/Examples/Aml/AmlExample/AmlExample.csproj b/src/Examples/Aml/AmlExample/AmlExample.csproj index 65b0d322..e840e408 100644 --- a/src/Examples/Aml/AmlExample/AmlExample.csproj +++ b/src/Examples/Aml/AmlExample/AmlExample.csproj @@ -13,6 +13,7 @@ + diff --git a/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj b/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj index 512861eb..344bad9f 100644 --- a/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj +++ b/src/Examples/DigitalIdentity/DigitalIdentity/DigitalIdentityExample.csproj @@ -22,6 +22,7 @@ + diff --git a/src/Examples/DocScan/DocScanExample/DocScanExample.csproj b/src/Examples/DocScan/DocScanExample/DocScanExample.csproj index d89392d9..45791af8 100644 --- a/src/Examples/DocScan/DocScanExample/DocScanExample.csproj +++ b/src/Examples/DocScan/DocScanExample/DocScanExample.csproj @@ -6,6 +6,7 @@ + 
diff --git a/src/Examples/Profile/CoreExample/CoreExample.csproj b/src/Examples/Profile/CoreExample/CoreExample.csproj index 504a435b..660dc17e 100644 --- a/src/Examples/Profile/CoreExample/CoreExample.csproj +++ b/src/Examples/Profile/CoreExample/CoreExample.csproj @@ -19,6 +19,7 @@ + From 666426a664c9d6dd6f444dd4e849f79040dc7b7f Mon Sep 17 00:00:00 2001 From: mehmet-yoti Date: Thu, 11 Jun 2026 11:33:33 +0100 Subject: [PATCH 5/5] Replace Portable.BouncyCastle with BouncyCastle.Cryptography 2.6.2 Portable.BouncyCastle is unmaintained (last release 1.9.0, 2022) and has known CVEs. BouncyCastle.Cryptography is the official successor with the same Org.BouncyCastle.* namespace, so no using-directive changes are needed across the codebase. Also drops EOL target frameworks netstandard1.6 and net452, and removes the #if !NET452 conditional blocks in AnchorCertificateParser that guarded certificate disposal (now always active on remaining targets). The only API-level fix required: Asn1OctetString.GetInstance named parameters (obj/isExplicit) were renamed in 2.x; changed to positional. --- .../Anchors/AnchorCertificateParser.cs | 7 +----- src/Yoti.Auth/Yoti.Auth.csproj | 23 ++++--------------- 2 files changed, 5 insertions(+), 25 deletions(-) diff --git a/src/Yoti.Auth/Anchors/AnchorCertificateParser.cs b/src/Yoti.Auth/Anchors/AnchorCertificateParser.cs index 364ec3f2..91d4fc2e 100644 --- a/src/Yoti.Auth/Anchors/AnchorCertificateParser.cs +++ b/src/Yoti.Auth/Anchors/AnchorCertificateParser.cs @@ -22,11 +22,8 @@ public static AnchorVerifierSourceData GetTypesFromAnchor(ProtoBuf.Attribute.Anc var extensions = new List(); X509Certificate2 certificate = new X509Certificate2(byteString.ToByteArray()); - // certificate is only disposable in .NET 4.6+ -#if !NET452 using (certificate) { -#endif foreach (X509Extension x509Extension in certificate.Extensions.OfType()) { var extensionOid = x509Extension.Oid.Value; 
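Review bot: With the `#if !NET452` guard removed, the certificate is still created on one line and only handed to `using (certificate)` on the next; on the remaining targets the two can be folded into `using (var certificate = new X509Certificate2(byteString.ToByteArray()))`, which ties the disposal scope to the declaration and stops `certificate` being visible outside the block. The new-side behaviour is unchanged either way, since nothing runs between construction and the using statement. GetTypesFromAnchor begins and ends outside this hunk.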
@@ -46,9 +43,7 @@ public static AnchorVerifierSourceData GetTypesFromAnchor(ProtoBuf.Attribute.Anc extensions = GetListOfStringsFromExtension(certificate, extensionOid); } -#if !NET452 } -#endif if (extensions.Count == 0) { return new AnchorVerifierSourceData(new HashSet { "" }, AnchorType.UNKNOWN); @@ -79,7 +74,7 @@ private static List GetListOfStringsFromExtension(X509Certificate2 certi foreach (object innerObj in obj) { Asn1TaggedObject seqObject = (Asn1TaggedObject)innerObj; - Asn1OctetString octetString = Asn1OctetString.GetInstance(obj: seqObject, isExplicit: false); + Asn1OctetString octetString = Asn1OctetString.GetInstance(seqObject, false); extensionStrings.Add(System.Text.Encoding.UTF8.GetString(octetString.GetOctets())); } diff --git a/src/Yoti.Auth/Yoti.Auth.csproj b/src/Yoti.Auth/Yoti.Auth.csproj index b35f793c..236b80f3 100644 --- a/src/Yoti.Auth/Yoti.Auth.csproj +++ b/src/Yoti.Auth/Yoti.Auth.csproj @@ -1,11 +1,9 @@  - netstandard1.6;netstandard2.1;netcoreapp3.1;net6.0;net452;net462;net472;net48; + netstandard2.1;netcoreapp3.1;net6.0;net462;net472;net48; Yoti.Auth Yoti - $(PackageTargetFallback);dnxcore50 - 1.6.1 false false false @@ -31,11 +29,6 @@ - - true - - - @@ -49,15 +42,11 @@ - - - - - - + + - + @@ -103,10 +92,6 @@ - - - -
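Review bot: The move to positional arguments in `Asn1OctetString.GetInstance(seqObject, false)` loses the only hint of what the boolean means, and since the commit message says the parameter was renamed in BouncyCastle 2.x, the old `isExplicit` name no longer appears anywhere in this hunk to explain it. A one-line comment would preserve the intent: `// false: the tagged object wraps the OCTET STRING implicitly (was isExplicit: false in Portable.BouncyCastle 1.x)`. The `(Asn1TaggedObject)innerObj` cast on the line above is untouched by the commit and still surfaces an unexpected element type as InvalidCastException; if the anchor certificate's extension contents are not treated as fully trusted, an `is` pattern with a descriptive exception would make that failure easier to diagnose. GetListOfStringsFromExtension begins and ends outside this hunk.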