Build_Tarball_x64_Using_Previous Fedora38-Offline build tarball failed due to missing System.Security.Cryptography.Xml 4.7.0 #4347

Closed
Winniexu01 opened this issue Apr 22, 2024 · 3 comments
Labels
area-build Improvements in source-build's own build process ops-monitor Issues created/handled by the source build monitor role untriaged

Comments

@Winniexu01
Member

release/6.0.1xx build: https://dev.azure.com/dnceng/internal/_build/results?buildId=2434395&view=logs&j=263f9ea9-c321-5399-03ff-0f45cbcabede&t=6b551725-8a94-58fb-3f7b-abbe7b2d0aec

internal/release/6.0.1xx build: https://dev.azure.com/dnceng/internal/_build/results?buildId=2434428&view=logs&j=263f9ea9-c321-5399-03ff-0f45cbcabede&t=6b551725-8a94-58fb-3f7b-abbe7b2d0aec

System.Security.Cryptography.Xml 4.7.0 was not found

/tarball/src/arcade/artifacts/source-build/self/src/src/Microsoft.DotNet.Arcade.Sdk/Microsoft.DotNet.Arcade.Sdk.csproj : error NU1603: Microsoft.Build.Tasks.Core 17.0.1 depends on System.Security.Cryptography.Xml (>= 4.7.0) but System.Security.Cryptography.Xml 4.7.0 was not found. An approximate best match of System.Security.Cryptography.Xml 4.7.1 was resolved. [/tarball/src/arcade/artifacts/source-build/self/src/Arcade.sln]
##[error]/tarball/src/arcade/artifacts/source-build/self/src/src/Microsoft.DotNet.Arcade.Sdk/Microsoft.DotNet.Arcade.Sdk.csproj(0,0): error NU1603: (NETCORE_ENGINEERING_TELEMETRY=Restore) Microsoft.Build.Tasks.Core 17.0.1 depends on System.Security.Cryptography.Xml (>= 4.7.0) but System.Security.Cryptography.Xml 4.7.0 was not found. An approximate best match of System.Security.Cryptography.Xml 4.7.1 was resolved.
@Winniexu01 Winniexu01 added the ops-monitor Issues created/handled by the source build monitor role label Apr 22, 2024
@dotnet-issue-labeler dotnet-issue-labeler bot added area-build Improvements in source-build's own build process untriaged labels Apr 22, 2024
@MichaelSimons
Member

@ellahathaway - this appears to be a regression caused by dotnet/source-build-reference-packages@2cd14a0#diff-b3d10a56a9657cce54e0a187ba937fcd8d46d6f334105e408ec32a14d2a580da. Can you add 4.7.0 back quickly to unblock and then investigate? TIA.

@ellahathaway
Member

ellahathaway commented Apr 22, 2024

After further investigating the issue, it looks like the CG alert for System.Security.Cryptography.Xml 4.7.0 is only being reported as a vulnerability in 7.0. This was a mistake on my part, as I read the original issue description as having both CG alerts be present in both 6.0 and 7.0.

Microsoft.Build.Tasks.Core 17.0.1 is not an SBRP in 6.0. I suspect that we may need to add Microsoft.Build.Tasks.Core 17.0.1 as an SBRP in 6.0 and manually change it to reference System.Security.Cryptography.Xml 4.7.1 instead of System.Security.Cryptography.Xml 4.7.0. Trying to figure out where it's being referenced from.

@ellahathaway
Member

ellahathaway commented Apr 22, 2024

Figured it out. Arcade is using the 17.0.1 version of msbuild because it's defined as so in the PVP file. 17.0.1 comes from the previous version of msbuild that gets built, and msbuild 17.0.1 is using <PackageReference Update="System.Security.Cryptography.Xml" Version="4.7.0" />.

From what I can tell, there was a CG alert for this in msbuild, but it was fixed by dotnet/msbuild#9867. However, this change is not being pulled into installer, so the old version of msbuild is being consumed.

I think we have two paths forward here:

  1. Update to the latest 6.0 version of msbuild which includes the CG fix. After this is done, we wait for a release so that we are consuming the n-1 version of msbuild in arcade. We then remove System.Security.Cryptography.Xml 4.7.0 from SBRP and add the new package versions to SBRP.
  2. Leave this alone and remove System.Security.Cryptography.Xml 4.7.1 from SBRP since there isn't technically a CG alert for this dependency in 6.0, only 7.0.

Edit: Closing in favor of #4350

cc @dotnet/source-build-internal
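
Added example, not part of the thread or of the source-build tooling: a check that extracts NU1603 substitutions like the one reported above from a restore log, so an offline build can be gated on any substitution that has not been reviewed. The function names and the `allowed` list are assumptions made for illustration; the sample input is the two log lines quoted in this issue.

```python
import re

# Matches both forms seen in this issue: the plain MSBuild line and the
# Azure DevOps "##[error]" line with "(0,0)" and a telemetry tag.
NU1603 = re.compile(
    r"(?P<project>/\S+?\.csproj)\s*(?:\(\d+,\d+\))?\s*:\s*error NU1603:\s*"
    r"(?:\([^)]*\)\s*)?"  # optional (NETCORE_ENGINEERING_TELEMETRY=...) tag
    r"(?P<parent>\S+) (?P<parent_ver>\S+) depends on "
    r"(?P<dep>\S+) \((?P<constraint>[^)]+)\) but "
    r"(?P=dep) (?P<missing>\S+) was not found\. "
    r"An approximate best match of (?P=dep) (?P<resolved>\S+) was resolved\."
)

def substitutions(log_text):
    """Return one record per distinct NU1603 substitution in a build log."""
    seen = {}
    for line in log_text.splitlines():
        m = NU1603.search(line)
        if m:
            rec = m.groupdict()
            key = (rec["project"], rec["parent"], rec["dep"],
                   rec["missing"], rec["resolved"])
            seen.setdefault(key, rec)  # the same error is logged twice
    return list(seen.values())

def unexpected(records, allowed):
    """Records whose (dep, missing, resolved) is not on the reviewed list."""
    return [r for r in records
            if (r["dep"], r["missing"], r["resolved"]) not in allowed]

# Sample input: the two log lines quoted in this issue.
PROJ = ("/tarball/src/arcade/artifacts/source-build/self/src/src/"
        "Microsoft.DotNet.Arcade.Sdk/Microsoft.DotNet.Arcade.Sdk.csproj")
MSG = ("Microsoft.Build.Tasks.Core 17.0.1 depends on "
       "System.Security.Cryptography.Xml (>= 4.7.0) but "
       "System.Security.Cryptography.Xml 4.7.0 was not found. An approximate "
       "best match of System.Security.Cryptography.Xml 4.7.1 was resolved.")
SAMPLE = (
    PROJ + " : error NU1603: " + MSG
    + " [/tarball/src/arcade/artifacts/source-build/self/src/Arcade.sln]\n"
    + "##[error]" + PROJ
    + "(0,0): error NU1603: (NETCORE_ENGINEERING_TELEMETRY=Restore) " + MSG + "\n"
)

if __name__ == "__main__":
    for r in unexpected(substitutions(SAMPLE), allowed=set()):
        print(f'{r["parent"]} {r["parent_ver"]}: {r["dep"]} '
              f'{r["missing"]} -> {r["resolved"]}')
```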
