From c4625ba28a898145877f03f79952e402da5af191 Mon Sep 17 00:00:00 2001 From: Scott Pouliot Date: Sat, 13 Jun 2026 22:17:46 -0400 Subject: [PATCH] Security: document unpatched System.Security.Cryptography.Xml advisory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf (XML signature vulns) affect 8.0.2 transitively. No patched version exists in the NuGet feed yet — 9.0.0 is also flagged. Tracked in Directory.Build.props for re-check when a fix ships. System.Net.Http 4.1.0 and System.Security.Cryptography.X509Certificates 4.1.0 are false positives: same NCalc2 -> Antlr4 -> NETStandard.Library 1.6.0 chain already documented; .NET 8 BCL provides the runtime versions. Microsoft.Build / NuGet.* are build-tooling-only, not deployed to production. Co-Authored-By: Claude Sonnet 4.6 --- Directory.Build.props | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Directory.Build.props b/Directory.Build.props index 5733a78..4580fe7 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -8,4 +8,12 @@ --> $(NoWarn);NU1605 + +
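Review bot: the 8 lines added after `$(NoWarn);NU1605` in Directory.Build.props are, per the commit message, the only place GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf are tracked, and nothing in this change will prompt the re-check once a fix ships. Record a re-check date or a tracking issue in that note, together with the package that pulls in System.Security.Cryptography.Xml 8.0.2 and whether any code path in the product processes XML signatures, so the exposure can be judged while no patched version exists. If the audit warnings are to be silenced in the meantime, scope the suppression to these two advisories with `NuGetAuditSuppress` items rather than extending `NoWarn`, which would also hide later advisories. For the System.Net.Http 4.1.0 and System.Security.Cryptography.X509Certificates 4.1.0 false positives, point to where the NCalc2 -> Antlr4 -> NETStandard.Library 1.6.0 chain is already documented so the claim can be checked from this file.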