Microsoft.Azure.Cosmos references many out of support and vulnerable package versions.

[ericstj]

Describe the bug
Microsoft.Azure.Cosmos references many packages which are out of support and vulnerable.

To Reproduce
Create a new project with the latest .NET 9.0 preview SDK which includes NuGet audit for security vulnerabilities. Add a reference to <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0"/> and restore the project.

Expected behavior
No warnings when restoring.

Actual behavior
The following warnings occur:

    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Environment summary
SDK Version: 3.43.0
.NET SDK: 9.0.0-preview.7.24405.7
OS Version: Windows 11 23H2

Additional context
See https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

### Tasks
- [ ] https://github.com/Azure/azure-cosmos-dotnet-v3/pull/4790
- [ ] https://github.com/Azure/azure-cosmos-dotnet-v3/pull/4775
- [ ] https://github.com/Azure/azure-cosmos-dotnet-v3/pull/4756
- [ ] https://github.com/Azure/azure-cosmos-dotnet-v3/pull/4693
- [ ] https://github.com/Azure/azure-cosmos-dotnet-v3/pull/4694
- [ ] https://github.com/Azure/azure-cosmos-dotnet-v3/pull/4676

[Pilchie]

We cannot update the dependency on Newtonsoft.Json, because there are no patched versions without breaking changes, and we can't force that breaking change on our customers :(

For System.Net.Http and System.Text.RegularExpressions, we should investigate the path they are coming in through and either update an intermediate dependency, or consider pinning to a higher version.

Tagging also @kirankumarkolli and @kundadebdatta.

[kirankumarkolli]

'System.Text.RegularExpressions' seems like a transitive dependency through 'Newtonsoft.Json'
Unsure of source of System.Net.Http dependency (we do use HttpClient but not explicitly listed in package spec.

'Newtonsoft.Json' 10.0.2 vulnerability is address through a code fix, unfortunately upgrading to the suggested version is a breaking change.

Except 'Newtonsoft.Json' we can at-least fix others as new dependencies directly to override.

@ericstj thoughts on how to way to let analyzer to suppress for Newtonsoft.Json?

[ericstj]

You can update the other dependencies, NETStandard.Library and System.Text.RegularExpressions. (Try out dotnet nuget why for diagnosing these and read https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/ cc @zivkan)

FWIW many of your customers are going to be in this same predicament since they'll see this vulnerability warning for Newtonsoft. Don't you have a major version where you can choose to update Newtonsoft? Also - have you reached out to @JamesNK to see if he'd be able to produce a 10.0.4 build that has a fix for the CVE without other breaking changes?

[kirankumarkolli]

Thank you other dependencies are addressed will ship part of next release.

Our next major version will remove dependency on Newstonsoft and just use STJ as default serializer.
Will follow-up with James.

[ericstj]

STJ is going to have the same problem if you stay on older versions of it: dotnet/runtime#104619

[bartelink]

I believe the STJ in here is inherited via Azure.Core, which currently is a 6.x min (which is not on the official list of versions covered by that cited issue? (Of course your overall point is not necessarily invalidated by that)