Investigate removing no longer necessary dependencies while investigating #2577 (#2578)

* Remove no longer necessary dependencies
while investigating  #2577
* Surgically re-injecting the dependency
* Fixing the CVE-2021-24112 in the sample apps by updating Redis
* Adding .NET 8 targets
* Suppressions for .NET 8

Author: jmprieur

Directory.Build.props

@@ -2,7 +2,7 @@
   <PropertyGroup>
     <!--This should be passed from the VSTS build-->
     <!-- This needs to be greater than or equal to the validation baseline version -->
-    <ClientSemVer Condition="'$(ClientSemVer)' == ''">2.7.0-localbuild</ClientSemVer>
+    <ClientSemVer Condition="'$(ClientSemVer)' == ''">2.15.4-localbuild</ClientSemVer>
     <!--This will generate AssemblyVersion, AssemblyFileVersion and AssemblyInformationVersion-->
     <Version>$(ClientSemVer)</Version>
 
@@ -86,9 +86,7 @@
     <MicrosoftGraphVersion>4.34.0</MicrosoftGraphVersion>
     <MicrosoftGraphBetaVersion>4.50.0-preview</MicrosoftGraphBetaVersion>
     <MicrosoftExtensionsHttpVersion>3.1.3</MicrosoftExtensionsHttpVersion>
-    <MicrosoftIdentityAbstractions>5.0.0</MicrosoftIdentityAbstractions>
-    <!--CVE-2021-24112-->
-    <SystemDrawingCommon>4.7.2</SystemDrawingCommon>
+    <MicrosoftIdentityAbstractions>5.0.0</MicrosoftIdentityAbstractions>    
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'net8.0'">
@@ -176,5 +174,7 @@
     <MicrosoftExtensionsLoggingVersion>3.1.30</MicrosoftExtensionsLoggingVersion>
     <MicrosoftExtensionsConfigurationBinderVersion>3.1.30</MicrosoftExtensionsConfigurationBinderVersion>
     <MicrosoftExtensionsDependencyInjectionVersion>3.1.30</MicrosoftExtensionsDependencyInjectionVersion>
+    <!--CVE-2021-24112 from ASpNetCore.Protection, and Redis-->
+    <SystemDrawingCommon>4.7.2</SystemDrawingCommon>
   </PropertyGroup>
 </Project>

src/Microsoft.Identity.Web.Certificateless/CompatibilitySuppressions.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- https://learn.microsoft.com/en-us/dotnet/fundamentals/package-validation/diagnostic-ids -->
+<Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.AzureIdentityForKubernetesClientAssertion.#ctor</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.Certificateless.dll</Left>
+    <Right>lib/netstandard2.0/Microsoft.Identity.Web.Certificateless.dll</Right>
+    <IsBaselineSuppression>true</IsBaselineSuppression>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.AzureIdentityForKubernetesClientAssertion.#ctor(System.String)</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.Certificateless.dll</Left>
+    <Right>lib/netstandard2.0/Microsoft.Identity.Web.Certificateless.dll</Right>
+    <IsBaselineSuppression>true</IsBaselineSuppression>
+  </Suppression>
+</Suppressions>

src/Microsoft.Identity.Web.TokenAcquisition/CompatibilitySuppressions.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- https://learn.microsoft.com/en-us/dotnet/fundamentals/package-validation/diagnostic-ids -->
+<Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <Suppression>
+    <DiagnosticId>CP0001</DiagnosticId>
+    <Target>T:Microsoft.Identity.Web.OpenIdConnectOptions</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/netcoreapp3.1/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityOptions.get_ErrorPath</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/netcoreapp3.1/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0002</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.MicrosoftIdentityOptions.get_ResetPasswordPath</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/netcoreapp3.1/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0006</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(System.Collections.Generic.IEnumerable{System.String},Microsoft.Identity.Client.MsalUiRequiredException,System.String,Microsoft.AspNetCore.Http.HttpResponse)</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/netcoreapp3.1/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0006</DiagnosticId>
+    <Target>M:Microsoft.Identity.Web.ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(System.Collections.Generic.IEnumerable{System.String},Microsoft.Identity.Client.MsalUiRequiredException,Microsoft.AspNetCore.Http.HttpResponse)</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/netcoreapp3.1/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+  <Suppression>
+    <DiagnosticId>CP0007</DiagnosticId>
+    <Target>T:Microsoft.Identity.Web.MicrosoftIdentityOptions</Target>
+    <Left>lib/netstandard2.0/Microsoft.Identity.Web.TokenAcquisition.dll</Left>
+    <Right>lib/netcoreapp3.1/Microsoft.Identity.Web.TokenAcquisition.dll</Right>
+  </Suppression>
+</Suppressions>

src/Microsoft.Identity.Web.TokenCache/Microsoft.Identity.Web.TokenCache.csproj

@@ -9,7 +9,6 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Identity.Client" Version="$(MicrosoftIdentityClientVersion)" />
-    <PackageReference Include="System.Drawing.Common" Version="$(SystemDrawingCommon)" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'net462' Or '$(TargetFramework)' == 'net6.0' Or '$(TargetFramework)' == 'net7.0' or '$(TargetFramework)' == 'net8.0'">
@@ -34,6 +33,7 @@
     <PackageReference Include="Microsoft.Extensions.Logging" Version="$(MicrosoftExtensionsLoggingVersion)" />
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="$(MicrosoftAspNetCoreDataProtectionVersion)" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" Version="$(SystemSecurityCryptographyPkcsVersion)" />
+    <PackageReference Include="System.Drawing.Common" Version="$(SystemDrawingCommon)" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'">

src/Microsoft.Identity.Web/CompatibilitySuppressions.xml

@@ -3,7 +3,6 @@
 <Suppressions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <Suppression>
     <DiagnosticId>CP0002</DiagnosticId>
-    <!-- ISystemClock is Obsolete in net8 -->
     <Target>M:Microsoft.Identity.Web.AppServicesAuthenticationHandler.#ctor(Microsoft.Extensions.Options.IOptionsMonitor{Microsoft.Identity.Web.AppServicesAuthenticationOptions},Microsoft.Extensions.Logging.ILoggerFactory,System.Text.Encodings.Web.UrlEncoder,Microsoft.AspNetCore.Authentication.ISystemClock)</Target>
     <Left>lib/net7.0/Microsoft.Identity.Web.dll</Left>
     <Right>lib/net8.0/Microsoft.Identity.Web.dll</Right>

src/Microsoft.Identity.Web/Microsoft.Identity.Web.csproj

@@ -22,7 +22,6 @@
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(IdentityModelVersion)" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="$(IdentityModelVersion)" />
     <PackageReference Include="Microsoft.Extensions.Http" Version="$(MicrosoftExtensionsHttpVersion)" />
-    <PackageReference Include="System.Drawing.Common" Version="$(SystemDrawingCommon)" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETCoreApp'">

tests/DevApps/B2CWebAppCallsWebApi/Client/TodoListClient.csproj

@@ -22,8 +22,7 @@
 
   <ItemGroup>
     <!--<PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="3.1.1" />-->
-    <PackageReference Include="WindowsAzure.Storage" Version="9.3.3" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
   </ItemGroup>
 
   <ItemGroup>

tests/DevApps/Directory.Build.props

@@ -1,11 +1,26 @@
 <Project>
 
   <PropertyGroup>
-     <TargetFrameworks Condition="'$(TargetNet8)' == 'True'">net6.0; net7.0; net8.0</TargetFrameworks>
-     <TargetFrameworks Condition="'$(TargetNet8)' != 'True'">net6.0; net7.0</TargetFrameworks>
-     <UseWip>true</UseWip>
-     <IsPackable>false</IsPackable>
-     <LangVersion>11</LangVersion>
+    <TargetFrameworks Condition="'$(TargetNet8)' == 'True'">net6.0; net7.0; net8.0</TargetFrameworks>
+    <TargetFrameworks Condition="'$(TargetNet8)' != 'True'">net6.0; net7.0</TargetFrameworks>
+    <UseWip>true</UseWip>
+    <IsPackable>false</IsPackable>
+    <LangVersion>11</LangVersion>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(TargetFramework)' == 'net6.0'">
+    <!--CVE-2021-24112 from ASpNetCore.Protection, and Redis-->
+    <SystemDrawingCommon>6.0.0</SystemDrawingCommon>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(TargetFramework)' == 'net7.0'">
+    <!--CVE-2021-24112 from ASpNetCore.Protection, and Redis-->
+    <SystemDrawingCommon>7.0.0</SystemDrawingCommon>
+  </PropertyGroup>
+
+  <PropertyGroup Condition="'$(TargetFramework)' == 'net8.0'">
+    <!--CVE-2021-24112 from ASpNetCore.Protection, and Redis-->
+    <SystemDrawingCommon>8.0.0-rc.2.23479.14</SystemDrawingCommon>
   </PropertyGroup>
 
 </Project>

tests/DevApps/WebAppCallsWebApiCallsGraph/Client/TodoListClient.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <UserSecretsId>aspnet-WebApp_OpenIDConnect_DotNet-81EA87AD-E64D-4755-A1CC-5EA47F49B5D0</UserSecretsId>
@@ -28,10 +28,9 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <!--<PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="3.1.1" />-->
-    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="5.0.1" />
+    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="7.0.13" />
     <PackageReference Include="StackExchange.Redis" Version="2.2.4" />
-    <!--CVE-2021-24112-->
-    <PackageReference Include="System.Drawing.Common" Version="5.0.3" />  
+    <PackageReference Include="System.Drawing.Common" Version="$(SystemDrawingCommon)" />
   </ItemGroup>
 
   <ItemGroup>

tests/DevApps/WebAppCallsWebApiCallsGraph/TodoListService/TodoListService.csproj

@@ -8,10 +8,8 @@
   <ItemGroup>
     <ProjectReference Include="..\..\..\..\src\Microsoft.Identity.Web.MicrosoftGraph\Microsoft.Identity.Web.MicrosoftGraph.csproj" />
     <ProjectReference Include="..\..\..\..\src\Microsoft.Identity.Web\Microsoft.Identity.Web.csproj" />
-    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="5.0.1" />
-    <PackageReference Include="StackExchange.Redis" Version="2.2.4" />
-    <!--CVE-2021-24112-->
-    <PackageReference Include="System.Drawing.Common" Version="5.0.3" />
+    <PackageReference Include="Microsoft.Extensions.Caching.StackExchangeRedis" Version="7.0.13" />
+    <PackageReference Include="System.Drawing.Common" Version="$(SystemDrawingCommon)" />
   </ItemGroup>
 
 </Project>