Enable NugetAudit (open-telemetry#4342)

* Enable NugetAudit

* Bump .NET Auto to 1.12.0

* Fix NugetAudit issues

* NuGetAudit for  Nuke project

Author: Kielek

Common.props

@@ -3,6 +3,10 @@
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
+
+    <NuGetAudit>true</NuGetAudit>
+    <NuGetAuditMode>all</NuGetAuditMode>
+    <NuGetAuditLevel>low</NuGetAuditLevel>
   </PropertyGroup>
 
   <!-- StyleCop -->

build/Directory.Packages.props

@@ -4,6 +4,8 @@
   <ItemGroup>
     <PackageVersion Include="Mono.Cecil" Version="0.11.6" />
     <PackageVersion Include="Nuke.Common" Version="9.0.4" />
+    <!-- Microsoft.Build.Tasks.Core is an indirect reference from Nuke.Common. Fixes https://github.com/advisories/GHSA-h4j7-5rxr-p4wc -->
+    <PackageVersion Include="Microsoft.Build.Tasks.Core" Version="17.14.8" />
     <PackageVersion Include="Nuget.CommandLine" Version="6.14.0" />
   </ItemGroup>
 </Project>

build/_build.csproj

@@ -11,11 +11,16 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <LangVersion>13.0</LangVersion>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <NuGetAudit>true</NuGetAudit>
+    <NuGetAuditMode>all</NuGetAuditMode>
+    <NuGetAuditLevel>low</NuGetAuditLevel>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="Mono.Cecil" />
     <PackageReference Include="Nuke.Common" />
+    <!-- Microsoft.Build.Tasks.Core is an indirect reference from Nuke.Common. Fixes https://github.com/advisories/GHSA-h4j7-5rxr-p4wc -->
+    <PackageReference Include="Microsoft.Build.Tasks.Core" />
     <PackageReference Include="Nuget.CommandLine" ExcludeAssets="all" />
   </ItemGroup>
   <ItemGroup>

test/test-applications/nuget-packages/TestApplication.NugetSample/TestApplication.NugetSample.csproj

@@ -4,14 +4,8 @@
     <OutputType>Exe</OutputType>
   </PropertyGroup>
 
-  <ItemGroup>
-    <!-- Tag v1.11.0 is not available on the main branch. It leads to create CI/local builds with 1.10.0-aplha.something version
-    These versions are wronlgy detected as vulnerable by NuGet Audit. It can be removed when we release next version from main. -->
-    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-vc29-vg52-6643" />
-  </ItemGroup>
-
   <ItemGroup>
     <PackageReference Include="OpenTelemetry.AutoInstrumentation" Version="$(NuGetPackageVersion)" Condition=" '$(NuGetPackageVersion)' != '' " />
-    <PackageReference Include="OpenTelemetry.AutoInstrumentation" Version="1.11.0" Condition=" '$(NuGetPackageVersion)' == '' " />
+    <PackageReference Include="OpenTelemetry.AutoInstrumentation" Version="1.12.0" Condition=" '$(NuGetPackageVersion)' == '' " />
   </ItemGroup>
 </Project>

tools/DependencyListGenerator/DependencyListGenerator.csproj

@@ -11,6 +11,8 @@
   <ItemGroup>
     <PackageReference Include="McMaster.Extensions.CommandLineUtils" />
     <PackageReference Include="NuGet.ProjectModel" />
+    <!-- System.Security.Cryptography.Pkcs is an indirect reference from NuGet.ProjectModel. Fixes https://github.com/advisories/GHSA-447r-wph3-92pm -->
+    <PackageReference Include="System.Security.Cryptography.Pkcs" />
     <PackageReference Include="System.IO.Abstractions" />
   </ItemGroup>
 

tools/Directory.Packages.props

@@ -4,6 +4,8 @@
     <PackageVersion Include="McMaster.Extensions.CommandLineUtils" Version="4.1.1" />
     <PackageVersion Include="Microsoft.Build" Version="17.14.8" />
     <PackageVersion Include="NuGet.ProjectModel" Version="6.14.0" />
+    <!-- System.Security.Cryptography.Pkcs is an indirect reference from NuGet.ProjectModel. Fixes https://github.com/advisories/GHSA-447r-wph3-92pm -->
+    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="6.0.5"/>
     <PackageVersion Include="System.IO.Abstractions" Version="22.0.14" />
     <PackageVersion Include="Valleysoft.DockerfileModel" Version="1.2.0" />
     <PackageVersion Include="YamlDotNet" Version="16.3.0" />