From 5c539dda9fc6d182c8527cffaad5075750f928e5 Mon Sep 17 00:00:00 2001
From: TimothyMothra <tilee@microsoft.com>
Date: Fri, 4 Nov 2022 11:28:54 -0700
Subject: [PATCH 1/4] mitigate CVE-2021-24112

---
 .../PerformanceCollector/Perf.csproj                  | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj b/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj
index f8520a8f06..9d9c3732c5 100644
--- a/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj
+++ b/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj
@@ -30,6 +30,17 @@
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="1.0.0" />
     <PackageReference Include="System.Diagnostics.PerformanceCounter" Version="4.7.0" />
+    
+    <!--
+    System.Drawing.Common 4.7.0 has a vulnerability https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24112
+    
+    This is an implicit dependency from System.Diagnostics.PerformanceCounter.
+    (System.Diagnostics.PerformanceCounter 4.7.0 > System.Configuration.ConfigurationManager 4.7.0 > System.Security.Permissions 4.7.0 > System.Windows.Extensions 4.7.0 > System.Drawing.Common 4.7.0)
+    
+    The recommended mitigation is to take an explicit dependency on System.Drawing.Common 4.7.2.
+    -->
+    <PackageReference Include="System.Drawing.Common" Version="4.7.2" />
+    
   </ItemGroup>
 
   <ItemGroup>

From af2cc37dfe3ebb4bb8661b8b5026a24015e8cc51 Mon Sep 17 00:00:00 2001
From: TimothyMothra <tilee@microsoft.com>
Date: Fri, 4 Nov 2022 11:37:05 -0700
Subject: [PATCH 2/4] changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 85b5cb583e..bf804b23dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Changelog
 
 ## VNext
+- [Upgrade System.Drawing.Common to version 4.7.2 to address CVE-2021-24112](https://github.com/microsoft/ApplicationInsights-dotnet/pull/2707)
 
 ## Version 2.22.0-beta1
 - Update endpoint redirect header name for QuickPulse module to v2

From 0f34f1d3bde8dba08a073ad0a99149da3c5a9189 Mon Sep 17 00:00:00 2001
From: TimothyMothra <tilee@microsoft.com>
Date: Fri, 4 Nov 2022 11:52:43 -0700
Subject: [PATCH 3/4] upgrade System.Diagnostics.PerformanceCounter instead

---
 CHANGELOG.md                                        |  2 +-
 .../PerformanceCollector/Perf.csproj                | 13 +------------
 2 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf804b23dc..022726459d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,7 @@
 # Changelog
 
 ## VNext
-- [Upgrade System.Drawing.Common to version 4.7.2 to address CVE-2021-24112](https://github.com/microsoft/ApplicationInsights-dotnet/pull/2707)
+- [Upgrade System.Diagnostics.PerformanceCounter to version 6.0.0 to address CVE-2021-24112](https://github.com/microsoft/ApplicationInsights-dotnet/pull/2707)
 
 ## Version 2.22.0-beta1
 - Update endpoint redirect header name for QuickPulse module to v2
diff --git a/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj b/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj
index 9d9c3732c5..5526b41b0c 100644
--- a/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj
+++ b/WEB/Src/PerformanceCollector/PerformanceCollector/Perf.csproj
@@ -29,18 +29,7 @@
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
     <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="1.0.0" />
-    <PackageReference Include="System.Diagnostics.PerformanceCounter" Version="4.7.0" />
-    
-    <!--
-    System.Drawing.Common 4.7.0 has a vulnerability https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24112
-    
-    This is an implicit dependency from System.Diagnostics.PerformanceCounter.
-    (System.Diagnostics.PerformanceCounter 4.7.0 > System.Configuration.ConfigurationManager 4.7.0 > System.Security.Permissions 4.7.0 > System.Windows.Extensions 4.7.0 > System.Drawing.Common 4.7.0)
-    
-    The recommended mitigation is to take an explicit dependency on System.Drawing.Common 4.7.2.
-    -->
-    <PackageReference Include="System.Drawing.Common" Version="4.7.2" />
-    
+    <PackageReference Include="System.Diagnostics.PerformanceCounter" Version="6.0.0" />
   </ItemGroup>
 
   <ItemGroup>

From 6115aa9b0713f21cd97232b114d2c36b8785abfc Mon Sep 17 00:00:00 2001
From: TimothyMothra <tilee@microsoft.com>
Date: Fri, 4 Nov 2022 11:58:20 -0700
Subject: [PATCH 4/4] testing fix to resolve conflict with Test project

---
 .../test/IntegrationTests.Tests/IntegrationTests.Tests.csproj   | 2 --
 1 file changed, 2 deletions(-)

diff --git a/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj b/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj
index ece3603b88..720b3a5b2d 100644
--- a/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj
+++ b/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj
@@ -23,8 +23,6 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4" />
 
     <ProjectReference Include="..\IntegrationTests.WebApp\IntegrationTests.WebApp.csproj" />
-
-    <PackageReference Include="System.Security.Permissions" Version="4.7.0" />
   </ItemGroup>
 
   <ItemGroup>