Bump 3x vulnerable dependencies; drop net60 (#1688)

* Update GHA workflow to detect vulnerable dependencies

* Update GHA package workflow

* Target .NET 8 for Integration/Messaging/Stream

* Drop .NET 6

* Update to non-vulnerable OpenTelemetry 1.15.x version line

The following projects now target net8.0 instead of netstandard:
- Steeltoe.Management.OpenTelemetryBase
- Steeltoe.Management.TracingBase
- Steeltoe.Management.EndpointBase.csproj

This was done because OpenTelemetry packages on netstandard depend on 10.0 assemblies from System/Microsoft libraries

* Bump System/Microsoft dependencies to consistent 8.x release line, to avoid versioning conflicts and clean up leftovers from the time when netstandard matched netcore3.1

* Upgrade KubernetesClient to 19.0.2; retarget Common.Kubernetes, Configuration.KubernetesBase, and Discovery.Kubernetes to net8.0 only, because there no non-vulnerable version of KubernetesClient exists that targets netstandard

* Target net8.0 in addition to netstandard, to get the richer API surface of third-party dependencies in downstream dependencies that target net8.0

* Pin transitive System.Security.Cryptography.Xml to a patched 8.x release

* Pin transitive System.Net.Http and System.Text.RegularExpressions in HystrixBase

Author: bart-vmware

.github/workflows/package.yml

@@ -31,17 +31,19 @@ jobs:
 
     steps:
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
         dotnet-version: |
-          6.0.*
           8.0.*
+          10.0.*
 
     - name: Git checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Restore packages
-      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal
+      run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release /p:NuGetAudit=false --verbosity minimal
 
     - name: Calculate package version (for release)
       if: ${{ github.event_name == 'release' }}
@@ -108,7 +110,7 @@ jobs:
       run: dotnet pack ${{ env.SOLUTION_FILE }} --no-build --configuration Release --output ${{ github.workspace }}/packages /p:VersionSuffix=${{ env.PACKAGE_VERSION_SUFFIX }}
 
     - name: Upload unsigned packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         if-no-files-found: error
         name: unsigned-packages
@@ -126,21 +128,21 @@ jobs:
 
     steps:
     - name: Download unsigned packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: unsigned-packages
         path: packages
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
         dotnet-version: 8.0.*
 
     - name: Install code signing tool
       run: dotnet tool install --global sign --prerelease
 
     - name: Azure login
-      uses: azure/login@v2
+      uses: azure/login@v3
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -159,7 +161,7 @@ jobs:
         --description-url 'https://steeltoe.io/'
 
     - name: Upload signed packages
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v7
       with:
         if-no-files-found: error
         name: signed-packages
@@ -179,22 +181,22 @@ jobs:
 
     steps:
     - name: Azure login
-      uses: azure/login@v2
+      uses: azure/login@v3
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Download signed packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: signed-packages
         path: packages
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.*
         source-url: ${{ vars.AZURE_ARTIFACTS_FEED_URL }}
       env:
         NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -223,12 +225,12 @@ jobs:
 
     steps:
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
-        dotnet-version: 8.0.x
+        dotnet-version: 8.0.*
 
     - name: Download signed packages
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v8
       with:
         name: signed-packages
         path: packages
@@ -248,7 +250,9 @@ jobs:
 
     steps:
     - name: Git checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: true
 
     - name: Calculate next package version
       shell: pwsh

.github/workflows/scan-vulnerable-dependencies.yml

@@ -27,14 +27,31 @@ jobs:
 
     steps:
     - name: Setup .NET
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
         dotnet-version: |
-          6.0.*
           8.0.*
+          10.0.*
 
     - name: Git checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Report vulnerable dependencies
-      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low /p:TreatWarningsAsErrors=True
+      shell: pwsh
+      run: |
+        $ErrorActionPreference = 'Stop'
+        $PSNativeCommandUseErrorActionPreference = $true
+
+        $output = dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive --format json --output-version 1 2>&1
+        $text = ($output | Out-String).TrimEnd()
+        $json = $text | ConvertFrom-Json
+
+        foreach ($project in $json.projects) {
+          if ($project.frameworks) {
+            Write-Host 'Vulnerable package references were found.'
+            dotnet list ${{ env.SOLUTION_FILE }} package --vulnerable --include-transitive
+            exit 1
+          }
+        }

Directory.Build.props

@@ -0,0 +1,5 @@
+<Project>
+  <PropertyGroup>
+    <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
+  </PropertyGroup>
+</Project>

azure-pipelines.yml

@@ -33,14 +33,14 @@ jobs:
   pool:
     vmImage: $(imageName)
   steps:
-  - task: UseDotNet@2
-    displayName: Install .NET 6
-    inputs:
-      version: 6.0.x
   - task: UseDotNet@2
     displayName: Install .NET 8
     inputs:
       version: 8.0.x
+  - task: UseDotNet@2
+    displayName: Install .NET 10
+    inputs:
+      version: 10.0.x
   - pwsh: |
       # https://github.com/dotnet/core/issues/4749#issuecomment-2329706172
       wget http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.24_amd64.deb
@@ -87,13 +87,6 @@ jobs:
       projects: '**/*.csproj'
       arguments: '--blame-hang-timeout 3m -f net8.0 --no-build -c $(buildConfiguration) -maxcpucount:1 $(skipFilter) --collect "XPlat Code Coverage" --settings coverlet.runsettings --logger trx --results-directory $(Build.SourcesDirectory)'
       publishTestResults: false
-  - task: DotNetCoreCLI@2
-    displayName: dotnet test 6.0
-    inputs:
-      command: test
-      projects: '**/*.csproj'
-      arguments: '--blame-hang-timeout 3m -f net6.0 --no-build -c $(buildConfiguration) -maxcpucount:1 $(skipFilter) --collect "XPlat Code Coverage" --settings coverlet.runsettings --logger trx --results-directory $(Build.SourcesDirectory)'
-      publishTestResults: false
   - task: CopyFiles@2
     condition: failed()
     inputs:

build/templates/component-build.yaml

@@ -16,14 +16,14 @@ jobs:
   pool:
     vmImage: ${{parameters.OS}}-latest
   steps:
-  - task: UseDotNet@2
-    displayName: Install .NET 6
-    inputs:
-      version: 6.0.x
   - task: UseDotNet@2
     displayName: Install .NET 8
     inputs:
       version: 8.0.x
+  - task: UseDotNet@2
+    displayName: Install .NET 10
+    inputs:
+      version: 10.0.x
   - task: DotNetCoreCLI@2
     displayName: dotnet restore
     inputs:
@@ -52,13 +52,6 @@ jobs:
       projects: $(SolutionFile)
       arguments: -f net8.0 ${{parameters.skipFilter}} $(CommonTestArgs)
       publishTestResults: false
-  - task: DotNetCoreCLI@2
-    displayName: dotnet test 6.0
-    inputs:
-      command: test
-      projects: $(SolutionFile)
-      arguments: -f net6.0 ${{parameters.skipFilter}} $(CommonTestArgs)
-      publishTestResults: false
   - task: CopyFiles@2
     condition: failed()
     inputs:

sharedproject.props

@@ -57,9 +57,4 @@
   <ItemGroup>
     <None Include="..\..\..\..\build\icon.png" Pack="true" PackagePath="\"/>
   </ItemGroup>
-
-  <ItemGroup>
-    <!-- All versions of Microsoft.Rest.ClientRuntime are vulnerable, but all higher versions of KubernetesClient without breaking changes depend on it. -->
-    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-whph-446h-6m9v" />
-  </ItemGroup>
 </Project>

sharedtest.props

@@ -37,9 +37,4 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers</IncludeAssets>
     </PackageReference>
   </ItemGroup>
-
-  <ItemGroup>
-    <!-- All versions of Microsoft.Rest.ClientRuntime are vulnerable, but all higher versions of KubernetesClient without breaking changes depend on it. -->
-    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-whph-446h-6m9v" />
-  </ItemGroup>
 </Project>

src/Bootstrap/src/Autoconfig/Steeltoe.Bootstrap.Autoconfig.csproj

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0;net6.0</TargetFrameworks>
+    <TargetFrameworks>net8.0</TargetFrameworks>
     <RootNamespace>Steeltoe.Bootstrap.Autoconfig</RootNamespace>
     <Description>Package for automatically configuring Steeltoe packages that have separately been added to a project.</Description>
     <PackageTags>Autoconfiguration;automatic configuration;application bootstrapping</PackageTags>

src/Bootstrap/test/Autoconfig.Test/HostBuilderExtensionsTest.cs

@@ -302,7 +302,7 @@ public void TracingBase_IsAutowired()
         Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
         // confirm instrumentation(s) were added as expected
-        var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+        var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
         Assert.NotNull(instrumentations);
         Assert.Single(instrumentations);
         Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));
@@ -325,7 +325,7 @@ public void TracingCore_IsAutowired()
         Assert.NotNull(host.Services.GetService<IDynamicMessageProcessor>());
 
         // confirm instrumentation(s) were added as expected
-        var instrumentations = tracerProvider.GetType().GetField("instrumentations", BindingFlags.NonPublic | BindingFlags.Instance).GetValue(tracerProvider) as List<object>;
+        var instrumentations = OpenTelemetrySdkReflection.GetTracerProviderInstrumentations(tracerProvider);
         Assert.NotNull(instrumentations);
         Assert.Equal(2, instrumentations.Count);
         Assert.Contains(instrumentations, obj => obj.GetType().Name.Contains("Http"));

src/Bootstrap/test/Autoconfig.Test/OpenTelemetrySdkReflection.cs

@@ -0,0 +1,24 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information.
+
+using OpenTelemetry.Trace;
+using System.Collections.Generic;
+using System.Reflection;
+
+namespace Steeltoe.Bootstrap.Autoconfig.Test;
+
+/// <summary>
+/// Reflection helpers for OpenTelemetry SDK internals used by tests.
+/// </summary>
+public static class OpenTelemetrySdkReflection
+{
+    public static List<object> GetTracerProviderInstrumentations(TracerProvider tracerProvider)
+    {
+        var property = tracerProvider?.GetType().GetProperty(
+            "Instrumentations",
+            BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance);
+
+        return property?.GetValue(tracerProvider) as List<object>;
+    }
+}