From 2f0ee5a2c66835a1deed80f44aa3ab03b10ac3d8 Mon Sep 17 00:00:00 2001
From: Mikel Blanchard <mblanchard@macrosssoftware.com>
Date: Wed, 9 Oct 2024 15:48:12 -0700
Subject: [PATCH] [extensions.aws & sampler.aws] Mitigate STJ vulnerabilities
 (#2197)

---
 src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md     | 5 +++--
 src/OpenTelemetry.Extensions.AWS/CHANGELOG.md            | 6 ++++++
 .../OpenTelemetry.Extensions.AWS.csproj                  | 2 +-
 src/OpenTelemetry.Resources.AWS/CHANGELOG.md             | 5 +++--
 src/OpenTelemetry.Sampler.AWS/CHANGELOG.md               | 9 +++++++++
 .../OpenTelemetry.Sampler.AWS.csproj                     | 7 +++++--
 .../OpenTelemetry.Instrumentation.Http.Tests.csproj      | 2 +-
 7 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
index 7767c3de52..c07e8706eb 100644
--- a/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
+++ b/src/OpenTelemetry.Exporter.OneCollector/CHANGELOG.md
@@ -5,8 +5,9 @@
 * Drop support for .NET 6 as this target is no longer supported.
   ([#2123](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2123))
 
-* Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
-  `net8.0` and bumped to `8.0.5` on `net8.0` in response to
+* Bumped the `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and added a direct reference for `System.Text.Json` at `8.0.5` on
+  `net8.0` in response to
   [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
   ([#2196](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2196))
 
diff --git a/src/OpenTelemetry.Extensions.AWS/CHANGELOG.md b/src/OpenTelemetry.Extensions.AWS/CHANGELOG.md
index a889ec48bb..f7bb4216b1 100644
--- a/src/OpenTelemetry.Extensions.AWS/CHANGELOG.md
+++ b/src/OpenTelemetry.Extensions.AWS/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## Unreleased
 
+* Bumped the `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and added a direct reference for `System.Text.Json` at `8.0.5` on
+  `net8.0` in response to
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#2197](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2197))
+
 ## 1.3.0-beta.2
 
 Released 2024-Sep-24
diff --git a/src/OpenTelemetry.Extensions.AWS/OpenTelemetry.Extensions.AWS.csproj b/src/OpenTelemetry.Extensions.AWS/OpenTelemetry.Extensions.AWS.csproj
index cbee74c229..c37c68dd1d 100644
--- a/src/OpenTelemetry.Extensions.AWS/OpenTelemetry.Extensions.AWS.csproj
+++ b/src/OpenTelemetry.Extensions.AWS/OpenTelemetry.Extensions.AWS.csproj
@@ -6,6 +6,7 @@
     <TargetFrameworks Condition="$(OS) == 'Windows_NT'">$(TargetFrameworks);$(NetFrameworkMinimumSupportedVersion)</TargetFrameworks>
     <Description>OpenTelemetry extensions for AWS.</Description>
     <MinVerTagPrefix>Extensions.AWS-</MinVerTagPrefix>
+    <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonLatestNet6OutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
   </PropertyGroup>
 
   <!-- Do not run Package Baseline Validation as this package has never released a stable version.
@@ -16,7 +17,6 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
-    <PackageReference Include="System.Text.Json" Version="6.0.0" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
index d9887fb7ed..87b46ae942 100644
--- a/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
+++ b/src/OpenTelemetry.Resources.AWS/CHANGELOG.md
@@ -9,8 +9,9 @@
   and add .NET Standard 2.0 target.
   ([#2164](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2164))
 
-* Bumped `System.Text.Json` reference to `6.0.10` for runtimes older than
-  `net8.0` and bumped to `8.0.5` on `net8.0` in response to
+* Bumped the `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and added a direct reference for `System.Text.Json` at `8.0.5` on
+  `net8.0` in response to
   [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
   ([#2196](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2196))
 
diff --git a/src/OpenTelemetry.Sampler.AWS/CHANGELOG.md b/src/OpenTelemetry.Sampler.AWS/CHANGELOG.md
index 01fdb8bef2..bbc198a12f 100644
--- a/src/OpenTelemetry.Sampler.AWS/CHANGELOG.md
+++ b/src/OpenTelemetry.Sampler.AWS/CHANGELOG.md
@@ -5,6 +5,15 @@
 * Drop support for .NET 6 as this target is no longer supported and add .NET 8 target.
   ([#2172](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/2172))
 
+* Bumped the `System.Text.Json` reference to `6.0.10` for runtimes older than
+  `net8.0` and added a direct reference for `System.Text.Json` at `8.0.5` on
+  `net8.0` in response to
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#2197](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2197))
+
+* Removed the `System.Net.Http` package reference from all targets.
+  ([#2197](https://github.com/open-telemetry/opentelemetry-dotnet/pull/2197))
+
 ## 0.1.0-alpha.2
 
 Released 2024-Sep-09
diff --git a/src/OpenTelemetry.Sampler.AWS/OpenTelemetry.Sampler.AWS.csproj b/src/OpenTelemetry.Sampler.AWS/OpenTelemetry.Sampler.AWS.csproj
index 36abdc1fbc..dc886777ef 100644
--- a/src/OpenTelemetry.Sampler.AWS/OpenTelemetry.Sampler.AWS.csproj
+++ b/src/OpenTelemetry.Sampler.AWS/OpenTelemetry.Sampler.AWS.csproj
@@ -6,6 +6,7 @@
     <TargetFrameworks Condition="$(OS) == 'Windows_NT'">$(TargetFrameworks);$(NetFrameworkMinimumSupportedVersion)</TargetFrameworks>
     <Description>OpenTelemetry remote sampler for AWS X-Ray.</Description>
     <MinVerTagPrefix>Sampler.AWS-</MinVerTagPrefix>
+    <SystemTextJsonMinimumRequiredPkgVer>$(SystemTextJsonLatestNet6OutOfBandPkgVer)</SystemTextJsonMinimumRequiredPkgVer>
   </PropertyGroup>
 
   <!-- Do not run Package Baseline Validation as this package has never released a stable version.
@@ -16,8 +17,10 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry" Version="$(OpenTelemetryCoreLatestVersion)" />
-    <PackageReference Include="System.Net.Http" Version="4.3.4" />
-    <PackageReference Include="System.Text.Json" Version="6.0.0" Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'" />
+  </ItemGroup>
+
+  <ItemGroup Condition="'$(TargetFramework)' == '$(NetFrameworkMinimumSupportedVersion)'">
+    <Reference Include="System.Net.Http" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/test/OpenTelemetry.Instrumentation.Http.Tests/OpenTelemetry.Instrumentation.Http.Tests.csproj b/test/OpenTelemetry.Instrumentation.Http.Tests/OpenTelemetry.Instrumentation.Http.Tests.csproj
index 14f4228107..c219109b35 100644
--- a/test/OpenTelemetry.Instrumentation.Http.Tests/OpenTelemetry.Instrumentation.Http.Tests.csproj
+++ b/test/OpenTelemetry.Instrumentation.Http.Tests/OpenTelemetry.Instrumentation.Http.Tests.csproj
@@ -19,7 +19,7 @@
 
   <ItemGroup>
     <PackageReference Include="OpenTelemetry.Exporter.InMemory" Version="$(OpenTelemetryExporterInMemoryPkgVer)" />
-    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+    <PackageReference Include="System.Text.Json" Version="$(SystemTextJsonLatestNet8OutOfBandPkgVer)" />
   </ItemGroup>
 
   <ItemGroup>