Fix Wave Analysis issues

src/Directory.Packages.props

@@ -8,9 +8,8 @@
         <PackageVersion Include="Microsoft.Data.SqlClient.SNI" Version="6.0.2" />
         <PackageVersion Include="System.Buffers" Version="4.5.1" />
         <PackageVersion Include="System.Memory" Version="4.5.5" />
-        <PackageVersion Include="System.Text.Encodings.Web" Version="8.0.0" />
-        <PackageVersion Include="System.Text.Json" Version="8.0.5" />
         <PackageVersion Include="System.Data.Common" Version="4.3.0" />
+        <PackageVersion Include="System.Text.Encodings.Web" Version="8.0.0" />
     </ItemGroup>
     <!-- NetFx and NetCore project dependencies -->
     <ItemGroup>
@@ -54,15 +53,17 @@
     <ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
         <PackageVersion Include="Microsoft.Bcl.Cryptography" Version="9.0.5" />
         <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="9.0.5" />
-        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.5" />
-        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="9.0.5" />
         <PackageVersion Include="Microsoft.Extensions.Hosting" Version="9.0.5" />
+        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="9.0.5" />
+        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.5" />
+        <PackageVersion Include="System.Text.Json" Version="9.0.5" />
     </ItemGroup>
     <ItemGroup Condition="'$(TargetFramework)' != 'net9.0'">
         <PackageVersion Include="Microsoft.Bcl.Cryptography" Version="8.0.0" />
         <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.1" />
-        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
-        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="8.0.1" />
         <PackageVersion Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
+        <PackageVersion Include="System.Configuration.ConfigurationManager" Version="8.0.1" />
+        <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
+        <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     </ItemGroup>
 </Project>

src/Microsoft.Data.SqlClient/netcore/ref/Microsoft.Data.SqlClient.csproj

@@ -32,15 +32,18 @@
     <Compile Include="..\..\ref\Microsoft.Data.SqlClient.Batch.NetCoreApp.cs" />
   </ItemGroup>
   <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI.runtime" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="Microsoft.SqlServer.Server" />
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.SqlServer.Server" />
     <PackageReference Include="System.Configuration.ConfigurationManager" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
+
+    <!-- Transitive dependencies that would otherwise bring in older, vulnerable versions. -->
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
 
   <Import Project="$(ToolsDir)targets\ResolveContract.targets" Condition="'$(OSGroup)' == 'AnyOS' AND '$(TargetGroup)' != 'netcoreapp'" />

src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj

@@ -663,8 +663,8 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlInternalTransaction.cs">
       <Link>Microsoft\Data\SqlClient\SqlInternalTransaction.cs</Link>
     </Compile>
-    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlMetadataFactory.cs">
-      <Link>Microsoft\Data\SqlClient\SqlMetadataFactory.cs</Link>
+    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlMetaDataFactory.cs">
+      <Link>Microsoft\Data\SqlClient\SqlMetaDataFactory.cs</Link>
     </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\SqlNotificationEventArgs.cs">
       <Link>Microsoft\Data\SqlClient\SqlNotificationEventArgs.cs</Link>
@@ -1036,18 +1036,20 @@
   </ItemGroup>
   <!-- Package References Etc -->
   <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI.runtime" />
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <!-- Enable the project reference for debugging purposes. -->
-    <!-- <ProjectReference Include="$(SqlServerSourceCode)\Microsoft.SqlServer.Server.csproj" /> -->
-    <PackageReference Include="Microsoft.SqlServer.Server" />
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.SqlServer.Server" />
     <PackageReference Include="System.Configuration.ConfigurationManager" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
+
+    <!-- Transitive dependencies that would otherwise bring in older, vulnerable versions. -->
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
+
   <Import Project="$(ToolsDir)targets\GenerateThisAssemblyCs.targets" />
   <Import Project="$(ToolsDir)targets\ResolveContract.targets" Condition="'$(OSGroup)' == 'AnyOS'" />
   <Import Project="$(ToolsDir)targets\NotSupported.targets" Condition="'$(OSGroup)' == 'AnyOS'" />

src/Microsoft.Data.SqlClient/netfx/ref/Microsoft.Data.SqlClient.csproj

@@ -32,20 +32,20 @@
     <Reference Include="System.Transactions" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="System.Text.Encodings.Web" />
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI">
       <PrivateAssets>All</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="System.Buffers" />
-    <PackageReference Include="System.Text.Json" />
     <PackageReference Include="System.Data.Common" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
+    <PackageReference Include="System.Text.Encodings.Web" />
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
   <Import Project="$(ToolsDir)targets\TrimDocsForIntelliSense.targets" />
 </Project>

src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.Net.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <ProjectGuid>{407890AC-9876-4FEF-A6F1-F36A876BAADE}</ProjectGuid>
     <RootNamespace></RootNamespace>
@@ -12,9 +12,6 @@
     <DocumentationFile>$(OutputPath)\Microsoft.Data.SqlClient.xml</DocumentationFile>
     <IntermediateOutputPath>$(ObjPath)$(AssemblyName)\netfx\</IntermediateOutputPath>
     <Product>Framework $(BaseProduct)</Product>
-    <!-- ResolveComReferenceSilent suppresses warnings thrown due to the inclusion of mscoree.
-     We should remove ResolveComReferenceSilent as soon as we can remove the dependency on mscoree. -->
-    <ResolveComReferenceSilent>True</ResolveComReferenceSilent>
     <EnableDefaultCompileItems>false</EnableDefaultCompileItems>
     <ProduceReferenceAssembly>false</ProduceReferenceAssembly>
   </PropertyGroup>
@@ -61,7 +58,10 @@
     <TreatWarningsAsErrors>True</TreatWarningsAsErrors>
     <Utf8Output>True</Utf8Output>
     <ErrorReport>None</ErrorReport>
-    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+
+    <!-- This code analysis ruleset only exists with the .NET Framework toolset. -->
+    <CodeAnalysisRuleSet Condition="$(MSBuildRuntimeType) == 'Full'">MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+
     <BuildProjectReferences>True</BuildProjectReferences>
     <GenerateAssemblyRefs>True</GenerateAssemblyRefs>
     <DefineConstants>$(DefineConstants);USEOFFSET;CODE_ANALYSIS_BASELINE;FEATURE_LEGACYSURFACEAREA;FEATURE_UTF32;FEATURE_UTF7;TRACE;</DefineConstants>
@@ -951,7 +951,7 @@
   </ItemGroup>
   <ItemGroup>
     <Compile Include="Microsoft\Data\Common\ConnectionString\DbConnectionOptions.netfx.cs" />
-    <Compile Include="Microsoft\Data\Common\DbConnectionString.cs" />
+    <Compile Include="Microsoft\Data\Common\DBConnectionString.cs" />
     <Compile Include="Microsoft\Data\SqlClient\SqlBulkCopy.cs" />
     <Compile Include="Microsoft\Data\SqlClient\SqlClientWrapperSmiStream.cs" />
     <Compile Include="Microsoft\Data\SqlClient\SqlClientWrapperSmiStreamChars.cs" />
@@ -1000,29 +1000,18 @@
     </EmbeddedResource>
   </ItemGroup>
   <ItemGroup>
-    <COMReference Include="mscoree">
-      <Guid>{5477469E-83B1-11D2-8B49-00A0C9B7C9C4}</Guid>
-      <VersionMajor>2</VersionMajor>
-      <VersionMinor>4</VersionMinor>
-      <Lcid>0</Lcid>
-      <WrapperTool>tlbimp</WrapperTool>
-      <Isolated>False</Isolated>
-      <EmbedInteropTypes>True</EmbedInteropTypes>
-    </COMReference>
-  </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
-    <PackageReference Include="System.Text.Encodings.Web" />
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.Bcl.Cryptography" />
     <PackageReference Include="Microsoft.Data.SqlClient.SNI">
       <PrivateAssets>All</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
-    <PackageReference Include="Azure.Identity" />
-    <PackageReference Include="Microsoft.Bcl.Cryptography" />
-    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Memory" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="System.Buffers" />
     <PackageReference Include="System.Security.Cryptography.Pkcs" />
+    <PackageReference Include="System.Text.Encodings.Web" />
     <PackageReference Include="System.Text.Json" />
   </ItemGroup>
   <Import Project="$(CommonSourceRoot)tools\targets\GenerateResourceStringsSource.targets" />

src/Microsoft.Data.SqlClient/tests/Directory.Packages.props

@@ -1,9 +1,21 @@
 <Project>
   <Import Project="..\..\Directory.Packages.props" />
-  <!-- Test Project Dependencies for NetFx only -->
+
+  <!-- Test Project Dependencies for all targets. -->
+  <ItemGroup>
+    <!--
+      Transitive dependencies with vulnerabilities, so we explicitly ask for
+      non-vulnerable versions.
+    -->
+    <PackageVersion Include="System.Formats.Asn1" Version="6.0.1" />
+  </ItemGroup>
+
+  <!-- Test Project Dependencies for NetFx only. -->
   <ItemGroup Condition="$(TargetFramework.StartsWith('net4'))">
     <PackageVersion Include="Microsoft.NETFramework.ReferenceAssemblies" Version="1.0.3" />
   </ItemGroup>
+
+  <!-- MDS Package Dependency -->
   <ItemGroup Condition="$(ReferenceType) == 'Package'">
     <PackageVersion Include="Microsoft.Data.SqlClient" Version="$(TestMicrosoftDataSqlClientVersion)" />
   </ItemGroup>

src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.ExtUtilities/Microsoft.Data.SqlClient.ExtUtilities.csproj

@@ -6,6 +6,14 @@
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.SqlServer.SqlManagementObjects" />
+
+    <!--
+      Transitive dependencies with vulnerabilities, so we explicitly ask for
+      non-vulnerable versions.
+    -->
+    <PackageReference Include="System.Formats.Asn1" />
+  </ItemGroup>
+  <ItemGroup>
     <ProjectReference Include="../Microsoft.Data.SqlClient.TestUtilities/Microsoft.Data.SqlClient.TestUtilities.csproj" />
   </ItemGroup>
 </Project>

tools/specs/Microsoft.Data.SqlClient.nuspec

@@ -51,6 +51,7 @@
         <dependency id="Microsoft.SqlServer.Server" version="1.0.0" />
         <dependency id="System.Configuration.ConfigurationManager" version="8.0.1" exclude="Compile" />
         <dependency id="System.Security.Cryptography.Pkcs" version="8.0.1" />
+        <dependency id="System.Text.Json" version="8.0.5" />
       </group>
       <group targetFramework="net9.0">
         <dependency id="Azure.Identity" version="1.13.2" />
@@ -62,6 +63,7 @@
         <dependency id="Microsoft.SqlServer.Server" version="1.0.0" />
         <dependency id="System.Configuration.ConfigurationManager" version="9.0.4" exclude="Compile" />
         <dependency id="System.Security.Cryptography.Pkcs" version="9.0.4" />
+        <dependency id="System.Text.Json" version="9.0.5" />
       </group>
       <group targetFramework="netstandard2.0">
         <dependency id="Azure.Identity" version="1.13.2" />
@@ -73,6 +75,7 @@
         <dependency id="Microsoft.SqlServer.Server" version="1.0.0" />
         <dependency id="System.Configuration.ConfigurationManager" version="9.0.4" exclude="Compile" />
         <dependency id="System.Security.Cryptography.Pkcs" version="9.0.4" />
+        <dependency id="System.Text.Json" version="9.0.5" />
       </group>
     </dependencies>
     <frameworkAssemblies>