From be70c8dfe9373f47d503f0db9ed3cf329506883f Mon Sep 17 00:00:00 2001
From: Mikel Blanchard <mblanchard@macrosssoftware.com>
Date: Wed, 9 Oct 2024 14:04:47 -0700
Subject: [PATCH 1/2] Mitigate STJ vulnerabilities in projects targeting 6.0.0.

---
 build/Common.props                            | 13 ++++++++----
 build/Common.targets                          | 20 +++++++++++++++++++
 .../CHANGELOG.md                              |  5 +++++
 ...OpenTelemetry.Exporter.OneCollector.csproj |  4 ++--
 src/OpenTelemetry.Resources.AWS/CHANGELOG.md  |  5 +++++
 .../OpenTelemetry.Resources.AWS.csproj        |  2 +-
 6 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/build/Common.props b/build/Common.props
index 9a5fbde756..d224b292ad 100644
--- a/build/Common.props
+++ b/build/Common.props
@@ -35,8 +35,8 @@
     <MinVerPkgVer>[5.0.0,6.0)</MinVerPkgVer>
     <MicrosoftExtensionsConfigurationBinderPkgVer>[8.0.1,)</MicrosoftExtensionsConfigurationBinderPkgVer>
     <MicrosoftExtensionsHostingAbstractionsPkgVer>[2.1.0,5.0)</MicrosoftExtensionsHostingAbstractionsPkgVer>
-    <MicrosoftExtensionsConfigurationPkgVer>8.0.0</MicrosoftExtensionsConfigurationPkgVer>
-    <MicrosoftExtensionsOptionsPkgVer>8.0.0</MicrosoftExtensionsOptionsPkgVer>
+    <MicrosoftExtensionsConfigurationPkgVer>[8.0.0,)</MicrosoftExtensionsConfigurationPkgVer>
+    <MicrosoftExtensionsOptionsPkgVer>[8.0.0,)</MicrosoftExtensionsOptionsPkgVer>
     <MicrosoftNETFrameworkReferenceAssembliesPkgVer>[1.0.3,2.0)</MicrosoftNETFrameworkReferenceAssembliesPkgVer>
     <MicrosoftOwinPkgVer>[4.2.2,5.0)</MicrosoftOwinPkgVer>
     <MicrosoftPublicApiAnalyzersPkgVer>[3.11.0-beta1.23525.2]</MicrosoftPublicApiAnalyzersPkgVer>
@@ -49,8 +49,13 @@
     <CassandraCSharpDriverPkgVer>[3.16.0,4.0)</CassandraCSharpDriverPkgVer>
     <StyleCopAnalyzersPkgVer>[1.2.0-beta.556,2.0)</StyleCopAnalyzersPkgVer>
     <SystemNetHttp>[4.3.4,)</SystemNetHttp>
-    <SystemReflectionEmitLightweightPkgVer>4.7.0</SystemReflectionEmitLightweightPkgVer>
-    <SystemTextJsonPkgVer>[6.0.0,)</SystemTextJsonPkgVer>
+    <SystemReflectionEmitLightweightPkgVer>[4.7.0,)</SystemReflectionEmitLightweightPkgVer>
+
+    <!-- Note: Special handling is performed for System.Text.Json. -->
+    <SystemTextEncodingsWebMinimumOutOfBandPkgVer>[4.7.2,)</SystemTextEncodingsWebMinimumOutOfBandPkgVer>
+    <SystemTextJsonMinimumOutOfBandPkgVer>[4.7.2,)</SystemTextJsonMinimumOutOfBandPkgVer>
+    <SystemTextJsonLatestNet6OutOfBandPkgVer>[6.0.10,)</SystemTextJsonLatestNet6OutOfBandPkgVer>
+    <SystemTextJsonLatestNet8OutOfBandPkgVer>[8.0.5,)</SystemTextJsonLatestNet8OutOfBandPkgVer>
   </PropertyGroup>
 
   <ItemGroup>
diff --git a/build/Common.targets b/build/Common.targets
index faf2349bae..97495b2300 100644
--- a/build/Common.targets
+++ b/build/Common.targets
@@ -1,3 +1,23 @@
 <Project>
 
+  <ItemGroup Condition="'$(SystemTextJsonMinimumRequiredPkgVer)' != ''">
+    <!--
+        Note: System.Text.Encodings.Web is referenced when System.Text.Json is
+        using v4.7.2 because System.Text.Json v4.7.2 depends on
+        System.Text.Encodings.Web
+        >= v4.7.1 but System.Text.Encodings.Web needs to be at v4.7.2 to be
+        safe.
+    -->
+    <PackageReference Include="System.Text.Encodings.Web"
+                      Version="$(SystemTextEncodingsWebMinimumOutOfBandPkgVer)"
+                      Condition="'$(SystemTextJsonMinimumRequiredPkgVer)' == '4.7.2' AND '$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
+    <PackageReference Include="System.Text.Json"
+                      Version="$(SystemTextJsonMinimumRequiredPkgVer)"
+                      Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
+
+    <PackageReference Include="System.Text.Json"
+                      Version="$(SystemTextJsonLatestNet8OutOfBandPkgVer)"
+                      Condition="'$(TargetFramework)' == 'net8.0'" />
+  </ItemGroup>
+
 </Project>
diff --git a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
index 79451efd20..1a970c0d17 100644
--- a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
+++ b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
@@ -5,6 +5,11 @@
 * Drop support for .NET 6 as this target is no longer supported.
   ([#2123](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2123))
 
+* Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and bumped to `8.0.5` on `net8.0` in response to
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#XXXX](https://github.com/open-telemetry/opentelemetry-dotnet/pull/XXXX))
+
 ## 1.10.0-alpha.1
 
 Released 2024-Sep-06
diff --git a/src/OpenTelemetry.Exporter.OneCollector/OpenTelemetry.Exporter.OneCollector.csproj b/src/OpenTelemetry.Exporter.OneCollector/OpenTelemetry.Exporter.OneCollector.csproj
index 111cb4960c..a1efbd7490 100644
--- a/src/OpenTelemetry.Exporter.OneCollector/OpenTelemetry.Exporter.OneCollector.csproj
+++ b/src/OpenTelemetry.Exporter.OneCollector/OpenTelemetry.Exporter.OneCollector.csproj
@@ -14,6 +14,7 @@
     in the future (hopefully .NET 9) see https://github.com/dotnet/runtime/issues/92509 -->
     <NoWarn>$(NoWarn);SYSLIB1100;SYSLIB1101</NoWarn>
     <PackageValidationBaselineVersion>1.9.2</PackageValidationBaselineVersion>
+    <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonLatestNet6OutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
   </PropertyGroup>
 
   <PropertyGroup>
@@ -23,12 +24,11 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OTelSdkVersion)" />
-    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonPkgVer)" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="$(MicrosoftExtensionsConfigurationBinderPkgVer)" />
   </ItemGroup>
 
   <ItemGroup>
-    <Reference Include="System.Net.Http" Condition="'$(TargetFramework)' == 'net462'" />
+    <Reference Include="System.Net.Http" Condition="'$(TargetFramework)' == '$(NetFrameworkMinimumSupportedVersion)'" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
index 96cd089d1b..ea1cfe40d1 100644
--- a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
+++ b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
@@ -9,6 +9,11 @@
   and add .NET Standard 2.0 target.
   ([#2164](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2164))
 
+* Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and bumped to `8.0.5` on `net8.0` in response to
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#XXXX](https://github.com/open-telemetry/opentelemetry-dotnet/pull/XXXX))
+
 ## 1.5.0-beta.1
 
 Released 2024-Jun-04
diff --git a/src/OpenTelemetry.Resources.AWS/OpenTelemetry.Resources.AWS.csproj b/src/OpenTelemetry.Resources.AWS/OpenTelemetry.Resources.AWS.csproj
index acfae6f7c4..1484689837 100644
--- a/src/OpenTelemetry.Resources.AWS/OpenTelemetry.Resources.AWS.csproj
+++ b/src/OpenTelemetry.Resources.AWS/OpenTelemetry.Resources.AWS.csproj
@@ -6,6 +6,7 @@
     <TargetFrameworks Condition="$(OS) == 'Windows_NT'">$(TargetFrameworks);$(NetFrameworkMinimumSupportedVersion)</TargetFrameworks>
     <Description>OpenTelemetry Resource Detectors for AWS ElasticBeanstalk, EC2, ECS, EKS.</Description>
     <MinVerTagPrefix>Resources.AWS-</MinVerTagPrefix>
+    <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonLatestNet6OutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
   </PropertyGroup>
 
   <!-- Do not run Package Baseline Validation as this package has never released a stable version.
@@ -16,7 +17,6 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
-    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonPkgVer)" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
   </ItemGroup>
 
   <ItemGroup>

From 1686b0f43140f9467d0be957ff0692ab154584bf Mon Sep 17 00:00:00 2001
From: Mikel Blanchard <mblanchard@macrosssoftware.com>
Date: Wed, 9 Oct 2024 14:12:49 -0700
Subject: [PATCH 2/2] Patch CHANGELOGs.

---
 src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md | 2 +-
 src/OpenTelemetry.Resources.AWS/CHANGELOG.md         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
index 1a970c0d17..7767c3de52 100644
--- a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
+++ b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
@@ -8,7 +8,7 @@
 * Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
   `net8.0` and bumped to `8.0.5` on `net8.0` in response to
   [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
-  ([#XXXX](https://github.com/open-telemetry/opentelemetry-dotnet/pull/XXXX))
+  ([#2196](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2196))
 
 ## 1.10.0-alpha.1
 
diff --git a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
index ea1cfe40d1..d9887fb7ed 100644
--- a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
+++ b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
@@ -12,7 +12,7 @@
 * Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
   `net8.0` and bumped to `8.0.5` on `net8.0` in response to
   [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
-  ([#XXXX](https://github.com/open-telemetry/opentelemetry-dotnet/pull/XXXX))
+  ([#2196](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2196))
 
 ## 1.5.0-beta.1