Add workflow to scan for vulnerable dependencies (#1563)

* Add workflow to scan for vulnerable dependencies

* Adapt for breaking change in Consul v1.7.14.8

Author: bart-vmware

.github/workflows/Steeltoe.All.yml

@@ -6,7 +6,6 @@ on:
     branches:
     - main
     - '[0-9]+.x'
-    - 'release/*'
   pull_request:
 
 concurrency:

.github/workflows/package.yml

@@ -6,7 +6,6 @@ on:
     branches:
     - main
     - '[0-9]+.x'
-    - 'release/*'
   pull_request:
   release:
     types:

.github/workflows/scan-vulnerable-dependencies.yml

@@ -0,0 +1,41 @@
+name: Scan vulnerable dependencies
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+    - '[0-9]+.x'
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  DOTNET_NOLOGO: true
+  SOLUTION_FILE: 'src/Steeltoe.All.sln'
+
+jobs:
+  scan:
+    name: Scan
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.*
+          9.0.*
+
+    - name: Git checkout
+      uses: actions/checkout@v4
+
+    - name: Report vulnerable dependencies
+      run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low /p:TreatWarningsAsErrors=True

.github/workflows/sonarcube.yml

@@ -6,7 +6,6 @@ on:
     branches:
     - main
     - '[0-9]+.x'
-    - 'release/*'
   pull_request:
     types: [opened, synchronize, reopened]
 

.github/workflows/verify-code-style.yml

@@ -6,7 +6,6 @@ on:
     branches:
     - main
     - '[0-9]+.x'
-    - 'release/*'
   pull_request:
 
 concurrency:

src/Discovery/src/Consul/ConsulDiscoveryClient.cs

@@ -3,6 +3,7 @@
 // See the LICENSE file in the project root for more information.
 
 using Consul;
+using Consul.Filtering;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
@@ -130,7 +131,7 @@ public async Task<IList<IServiceInstance>> GetAllInstancesAsync(QueryOptions que
 
         if (options.Enabled)
         {
-            ISet<string> serviceIds = await GetServiceIdsAsync(queryOptions, cancellationToken);
+            ISet<string> serviceIds = await GetServiceIdsAsync(null, null, queryOptions, cancellationToken);
 
             foreach (string serviceId in serviceIds)
             {
@@ -144,22 +145,28 @@ public async Task<IList<IServiceInstance>> GetAllInstancesAsync(QueryOptions que
     /// <inheritdoc />
     public Task<ISet<string>> GetServiceIdsAsync(CancellationToken cancellationToken)
     {
-        return GetServiceIdsAsync(QueryOptions.Default, cancellationToken);
+        return GetServiceIdsAsync(null, null, QueryOptions.Default, cancellationToken);
     }
 
     /// <summary>
     /// Gets all registered service IDs from the Consul catalog.
     /// </summary>
+    /// <param name="dataCenter">
+    /// Specifies the datacenter to query.
+    /// </param>
+    /// <param name="filter">
+    /// Specifies the expression used to filter the queries results prior to returning the data.
+    /// </param>
     /// <param name="queryOptions">
-    /// Any Consul query options to use.
+    /// Options to parameterize the Consul query.
     /// </param>
     /// <param name="cancellationToken">
     /// The token to monitor for cancellation requests.
     /// </param>
     /// <returns>
     /// The list of service IDs.
     /// </returns>
-    public async Task<ISet<string>> GetServiceIdsAsync(QueryOptions queryOptions, CancellationToken cancellationToken)
+    public async Task<ISet<string>> GetServiceIdsAsync(string? dataCenter, Filter? filter, QueryOptions queryOptions, CancellationToken cancellationToken)
     {
         ArgumentNullException.ThrowIfNull(queryOptions);
 
@@ -170,7 +177,7 @@ public async Task<ISet<string>> GetServiceIdsAsync(QueryOptions queryOptions, Ca
             return new HashSet<string>();
         }
 
-        QueryResult<Dictionary<string, string[]>> result = await _client.Catalog.Services(queryOptions, cancellationToken);
+        QueryResult<Dictionary<string, string[]>> result = await _client.Catalog.Services(dataCenter, filter, queryOptions, cancellationToken);
         return result.Response.Keys.ToHashSet();
     }
 

src/Discovery/src/Consul/ConsulHealthContributor.cs

@@ -67,7 +67,7 @@ internal Task<string> GetLeaderStatusAsync(CancellationToken cancellationToken)
 
     internal async Task<Dictionary<string, string[]>> GetCatalogServicesAsync(CancellationToken cancellationToken)
     {
-        QueryResult<Dictionary<string, string[]>> result = await _client.Catalog.Services(QueryOptions.Default, cancellationToken);
+        QueryResult<Dictionary<string, string[]>> result = await _client.Catalog.Services(cancellationToken);
         return result.Response;
     }
 }

src/Discovery/src/Consul/PublicAPI.Unshipped.txt

@@ -104,7 +104,7 @@ Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetAllInstancesAsync(Consul.Quer
 Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetInstancesAsync(string! serviceId, Consul.QueryOptions! queryOptions, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<System.Collections.Generic.IList<Steeltoe.Common.Discovery.IServiceInstance!>!>!
 Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetInstancesAsync(string! serviceId, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<System.Collections.Generic.IList<Steeltoe.Common.Discovery.IServiceInstance!>!>!
 Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetLocalServiceInstance() -> Steeltoe.Common.Discovery.IServiceInstance?
-Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetServiceIdsAsync(Consul.QueryOptions! queryOptions, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<System.Collections.Generic.ISet<string!>!>!
+Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetServiceIdsAsync(string? dataCenter, Consul.Filtering.Filter? filter, Consul.QueryOptions! queryOptions, System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<System.Collections.Generic.ISet<string!>!>!
 Steeltoe.Discovery.Consul.ConsulDiscoveryClient.GetServiceIdsAsync(System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task<System.Collections.Generic.ISet<string!>!>!
 Steeltoe.Discovery.Consul.ConsulDiscoveryClient.ShutdownAsync(System.Threading.CancellationToken cancellationToken) -> System.Threading.Tasks.Task!
 Steeltoe.Discovery.Consul.ConsulServiceCollectionExtensions

src/Discovery/test/Consul.Test/Discovery/ConsulDiscoveryClientTest.cs

@@ -124,14 +124,14 @@ public async Task GetServicesAsync_ReturnsExpected()
         };
 
         var catalogMoq = new Mock<ICatalogEndpoint>();
-        catalogMoq.Setup(endpoint => endpoint.Services(QueryOptions.Default, It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult));
+        catalogMoq.Setup(endpoint => endpoint.Services(null, null, QueryOptions.Default, It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult));
 
         var clientMoq = new Mock<IConsulClient>();
         clientMoq.Setup(client => client.Catalog).Returns(catalogMoq.Object);
 
         TestOptionsMonitor<ConsulDiscoveryOptions> optionsMonitor = TestOptionsMonitor.Create(options);
         var discoveryClient = new ConsulDiscoveryClient(clientMoq.Object, optionsMonitor, NullLoggerFactory.Instance);
-        ISet<string> serviceIds = await discoveryClient.GetServiceIdsAsync(QueryOptions.Default, TestContext.Current.CancellationToken);
+        ISet<string> serviceIds = await discoveryClient.GetServiceIdsAsync(TestContext.Current.CancellationToken);
 
         serviceIds.Should().HaveCount(2);
         serviceIds.Should().Contain("foo");
@@ -196,7 +196,7 @@ public async Task GetAllInstances_ReturnsExpected()
         };
 
         var catalogMoq = new Mock<ICatalogEndpoint>();
-        catalogMoq.Setup(endpoint => endpoint.Services(QueryOptions.Default, It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult1));
+        catalogMoq.Setup(endpoint => endpoint.Services(null, null, QueryOptions.Default, It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult1));
 
         var clientMoq = new Mock<IConsulClient>();
         clientMoq.Setup(client => client.Catalog).Returns(catalogMoq.Object);

src/Discovery/test/Consul.Test/Discovery/ConsulHealthContributorTest.cs

@@ -50,7 +50,7 @@ public async Task GetCatalogServicesAsync_ReturnsExpected()
         };
 
         var catalogMoq = new Mock<ICatalogEndpoint>();
-        catalogMoq.Setup(endpoint => endpoint.Services(QueryOptions.Default, It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult));
+        catalogMoq.Setup(endpoint => endpoint.Services(It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult));
 
         var clientMoq = new Mock<IConsulClient>();
         clientMoq.Setup(client => client.Catalog).Returns(catalogMoq.Object);
@@ -89,7 +89,7 @@ public async Task Health_ReturnsExpected()
         statusMoq.Setup(endpoint => endpoint.Leader(It.IsAny<CancellationToken>())).Returns(Task.FromResult("the-status"));
 
         var catalogMoq = new Mock<ICatalogEndpoint>();
-        catalogMoq.Setup(endpoint => endpoint.Services(QueryOptions.Default, It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult));
+        catalogMoq.Setup(endpoint => endpoint.Services(It.IsAny<CancellationToken>())).Returns(Task.FromResult(queryResult));
 
         var clientMoq = new Mock<IConsulClient>();
         clientMoq.Setup(client => client.Status).Returns(statusMoq.Object);