Merge branch 'microsoft:main' into main

.github/workflows/build.yml

@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 

.github/workflows/codeql-analysis.yml

@@ -21,17 +21,17 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
       with:
           fetch-depth: 0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
+      uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
       with:
         languages: 'csharp'
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
+      uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
+      uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5

.github/workflows/gen-docs.yml

@@ -16,7 +16,7 @@ jobs:
       contents: write  # for stefanzweifel/git-auto-commit-action to push code in repo
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 

.github/workflows/ossf-scorecard.yml

@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1
+        uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
         with:
           sarif_file: results.sarif

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           fetch-depth: 0
 
@@ -36,7 +36,7 @@ jobs:
         run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:IncludeAllContentForSelfExtract=true -p:DebugType=None -p:PublishTrimmed=false ./src/Microsoft.ComponentDetection
 
       - name: Publish CLI tool
-        uses: shogo82148/actions-upload-release-asset@dbfb35b0d9069ff70bc1f9e47faba33ee30b2681 # v1.7.0
+        uses: shogo82148/actions-upload-release-asset@dccd6d23e64fd6a746dce6814c0bde0a04886085 # v1.7.2
         continue-on-error: true
         with:
           upload_url: ${{ github.event.release.upload_url }}

.github/workflows/smoke-test.yml

@@ -38,7 +38,7 @@ jobs:
     name: ${{ matrix.language.name }}
     steps:
       - name: Checkout Component Detection
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Setup .NET
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
@@ -47,7 +47,7 @@ jobs:
         run: curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > /usr/share/ant/lib/ivy.jar
 
       - name: Checkout Smoke Test Repo
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: ${{ matrix.language.repo }}
           path: smoke-test-repo

.github/workflows/snapshot-publish.yml

@@ -21,7 +21,7 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Setup .NET Core
         uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3

.github/workflows/snapshot-verify.yml

@@ -17,7 +17,7 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
       - name: Make release snapshot output directory
         run: mkdir ${{ github.workspace }}/release-output

Directory.Packages.props

@@ -11,8 +11,7 @@
     <PackageVersion Include="coverlet.msbuild" Version="6.0.0" />
     <PackageVersion Include="Docker.DotNet" Version="3.125.15" />
     <PackageVersion Include="FluentAssertions" Version="6.12.0" />
-    <PackageVersion Include="FluentAssertions.Analyzers" Version="0.25.0" />
-    <PackageVersion Include="Microsoft.AspNet.WebApi.Client" Version="5.2.9" />
+    <PackageVersion Include="FluentAssertions.Analyzers" Version="0.26.0" />
     <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="7.0.0" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="7.0.0" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="7.0.0" />
@@ -24,15 +23,15 @@
     <PackageVersion Include="DotNet.Glob" Version="2.1.1" />
     <PackageVersion Include="MinVer" Version="4.3.0" />
     <PackageVersion Include="Moq" Version="4.18.4" />
-    <PackageVersion Include="morelinq" Version="3.4.2" />
+    <PackageVersion Include="morelinq" Version="4.0.0" />
     <PackageVersion Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageVersion Include="MSTest.TestFramework" Version="3.1.1" />
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageVersion Include="Newtonsoft.Json.Schema" Version="3.0.15" />
     <PackageVersion Include="NuGet.ProjectModel" Version="6.7.0" />
     <PackageVersion Include="NuGet.Versioning" Version="6.7.0" />
     <PackageVersion Include="packageurl-dotnet" Version="1.0.0" />
-    <PackageVersion Include="Polly" Version="8.0.0" />
+    <PackageVersion Include="Polly" Version="8.1.0" />
     <PackageVersion Include="SemanticVersioning" Version="2.0.2" />
     <PackageVersion Include="Serilog" Version="3.0.1" />
     <PackageVersion Include="Serilog.Extensions.Logging" Version="7.0.0" />
@@ -42,7 +41,7 @@
     <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
     <PackageVersion Include="Spectre.Console" Version="0.47.0" />
     <PackageVersion Include="Spectre.Console.Cli" Version="0.47.0" />
-    <PackageVersion Include="Spectre.Console.Cli.Extensions.DependencyInjection" Version="0.1.0" />
+    <PackageVersion Include="Spectre.Console.Cli.Extensions.DependencyInjection" Version="0.2.0" />
     <PackageVersion Include="Spectre.Console.Testing" Version="0.47.0" />
     <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.507" />
     <PackageVersion Include="System.Memory" Version="4.5.5" />
@@ -51,8 +50,8 @@
     <PackageVersion Include="System.Text.Json" Version="6.0.8" />
     <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="7.0.0" />
     <PackageVersion Include="Tomlyn.Signed" Version="0.16.2" />
-    <PackageVersion Include="yamldotnet" Version="13.5.2" />
+    <PackageVersion Include="yamldotnet" Version="13.7.1" />
     <PackageVersion Include="Faker.net" Version="2.0.154" />
     <PackageVersion Include="Valleysoft.DockerfileModel" Version="1.1.0" />
   </ItemGroup>
-</Project>
+</Project>

Dockerfile

@@ -10,7 +10,7 @@ RUN dotnet publish -c Release -o out \
     -p:PublishSingleFile=true \
     ./src/Microsoft.ComponentDetection
 
-FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0@sha256:98e5a9a0d1f8b55564e7412702258996e420e6bc8dbc973a9d0caad0469e8824 AS runtime
+FROM mcr.microsoft.com/dotnet/runtime-deps:6.0-cbl-mariner2.0@sha256:8b045ea3a04beb743cf7dffc14ab79cc88f0623ca4943f4216e37d98a1bd266a AS runtime
 WORKDIR /app
 COPY --from=build /app/out ./
 

global.json

@@ -1,6 +1,6 @@
 {
 	"sdk": {
-		"version": "6.0.414",
+		"version": "6.0.416",
 		"rollForward": "latestMinor"
 	}
 }

src/Microsoft.ComponentDetection.Common/Microsoft.ComponentDetection.Common.csproj

@@ -2,7 +2,6 @@
 
     <ItemGroup>
         <PackageReference Include="Docker.DotNet" />
-        <PackageReference Include="Microsoft.AspNet.WebApi.Client" />
         <PackageReference Include="Microsoft.Extensions.Logging" />
         <PackageReference Include="System.Reactive" />
         <PackageReference Include="System.Threading.Tasks.Dataflow" />

test/Microsoft.ComponentDetection.Detectors.Tests/CondaLockComponentDetectorTests.cs

@@ -3,6 +3,7 @@ namespace Microsoft.ComponentDetection.Detectors.Tests;
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using FluentAssertions;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.ComponentDetection.Detectors.Poetry;
@@ -87,7 +88,7 @@ public async Task CondaComponentDetector_TestCondaLockFileAsync()
 
         var detectedComponents = componentRecorder.GetDetectedComponents();
 
-        Assert.AreEqual(ProcessingResultCode.Success, scanResult.ResultCode);
+        scanResult.ResultCode.Should().Be(ProcessingResultCode.Success);
 
         // packages from the conda section
         this.AssertCondaLockComponentNameAndVersion(detectedComponents, "conda-lock", "2.1.0");
@@ -97,26 +98,24 @@ public async Task CondaComponentDetector_TestCondaLockFileAsync()
         this.AssertPipComponentNameAndVersion(detectedComponents, "certifi", "2023.5.7");
         this.AssertPipComponentNameAndVersion(detectedComponents, "requests", "2.31.0");
 
-        Assert.AreEqual(4, detectedComponents.Count());
+        detectedComponents.Should().HaveCount(4);
     }
 
     private void AssertCondaLockComponentNameAndVersion(IEnumerable<DetectedComponent> detectedComponents, string name, string version)
     {
-        Assert.IsNotNull(
-            detectedComponents.SingleOrDefault(c =>
+        detectedComponents.SingleOrDefault(c =>
                 c.Component is CondaComponent component &&
                 component.Name.Equals(name) &&
-                component.Version.Equals(version)),
+                component.Version.Equals(version)).Should().NotBeNull(
             $"Component with name {name} and version {version} was not found");
     }
 
     private void AssertPipComponentNameAndVersion(IEnumerable<DetectedComponent> detectedComponents, string name, string version)
     {
-        Assert.IsNotNull(
-            detectedComponents.SingleOrDefault(c =>
+        detectedComponents.SingleOrDefault(c =>
                 c.Component is PipComponent component &&
                 component.Name.Equals(name) &&
-                component.Version.Equals(version)),
+                component.Version.Equals(version)).Should().NotBeNull(
             $"Component with name {name} and version {version} was not found");
     }
 }