Tighten NuGet vulnerability analysis scan (#352)

- Tighten NuGet vulnerability analysis scan.
- Update packages.
- Remove unused .csproj settings.
- Add Husky pre-commit tooling.

.config/dotnet-tools.json

@@ -6,43 +6,57 @@
       "version": "5.1.250801",
       "commands": [
         "dotnet-format"
-      ]
+      ],
+      "rollForward": false
     },
     "dotnet-stryker": {
-      "version": "4.0.5",
+      "version": "4.0.6",
       "commands": [
         "dotnet-stryker"
-      ]
+      ],
+      "rollForward": false
     },
     "winsharpfuzz.commandline": {
       "version": "1.0.0",
       "commands": [
         "winsharpfuzz"
-      ]
+      ],
+      "rollForward": false
     },
     "winsharpfuzz.instrument": {
       "version": "1.0.0",
       "commands": [
         "winsharpfuzz-instrument"
-      ]
+      ],
+      "rollForward": false
     },
     "sharpfuzz.commandline": {
       "version": "2.1.1",
       "commands": [
         "sharpfuzz"
-      ]
+      ],
+      "rollForward": false
     },
     "dotnet-reportgenerator-globaltool": {
-      "version": "5.3.0",
+      "version": "5.3.6",
       "commands": [
         "reportgenerator"
-      ]
+      ],
+      "rollForward": false
     },
     "microsoft.sbom.dotnettool": {
       "version": "2.2.6",
       "commands": [
         "sbom-tool"
-      ]
+      ],
+      "rollForward": false
+    },
+    "husky": {
+      "version": "0.7.0",
+      "commands": [
+        "husky"
+      ],
+      "rollForward": false
     }
   }
 }

.github/workflows/main.yml

@@ -57,11 +57,12 @@ jobs:
 
     - name: Harden Runner
       if: ${{ matrix.os == 'ubuntu-latest' }}
-      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
       with:
         disable-sudo: true
         egress-policy: block
         allowed-endpoints: >
+          dotnetbuilds.azureedge.net:443
           aka.ms:443
           api.github.com:443
           api.nuget.org:443
@@ -133,7 +134,7 @@ jobs:
     - name: Install dependencies
       run: dotnet restore --locked-mode
 
-    - name: Restore local tools
+    - name: Restore local .NET tools
       run: dotnet tool restore
 
     - name: Add Problem Matcher for dotnet-format
@@ -268,7 +269,7 @@ jobs:
 
     - name: Create test summary
       if: ${{ matrix.os == 'ubuntu-latest' && github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' }}
-      uses: test-summary/action@032c8a9cec6aaa3c20228112cae6ca10a3b29336
+      uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86
       with:
         paths: '${{ github.workspace }}/reports/coverage/TestResults.xml'
         # output: '${{ github.workspace }}/${{ env.file_name }}'
@@ -333,7 +334,7 @@ jobs:
       runs-on: ubuntu-latest
       steps:
         - name: Harden Runner
-          uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
+          uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
           with:
             disable-sudo: true
             egress-policy: block
@@ -364,7 +365,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6
         with:
           disable-sudo: true
           egress-policy: audit

.husky/pre-commit

@@ -0,0 +1,22 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+## husky task runner examples -------------------
+## Note : for local installation use 'dotnet' prefix. e.g. 'dotnet husky'
+
+## run all tasks
+#husky run
+
+### run all tasks with group: 'group-name'
+#husky run --group group-name
+
+## run task with name: 'task-name'
+#husky run --name task-name
+
+## pass hook arguments to task
+#husky run --args "$1" "$2"
+
+## or put your custom commands -------------------
+#echo 'Husky.Net is awesome!'
+
+echo 'Hello from Husky!'

.husky/task-runner.json

@@ -0,0 +1,14 @@
+{
+   "$schema": "https://alirezanet.github.io/Husky.Net/schema.json",
+   "tasks": [
+      {
+         "name": "welcome-message-example",
+         "command": "bash",
+         "args": [ "-c", "echo Husky.Net is awesome!" ],
+         "windows": {
+            "command": "cmd",
+            "args": ["/c", "echo Husky.Net is awesome!" ]
+         }
+      }
+   ]
+}

Directory.Build.props

@@ -2,18 +2,16 @@
 
   <PropertyGroup>
     <TargetFramework>net8.0</TargetFramework>
-    <LangVersion>12.0</LangVersion>
-    <SourceRoot>$(MSBuildThisFileDirectory)</SourceRoot>    
+    <LangVersion>12.0</LangVersion>    
     <Nullable>enable</Nullable>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
-    <RestoreUseStaticGraphEvaluation>true</RestoreUseStaticGraphEvaluation>
-    <EnablePackageVulnerabilityAnalysis>true</EnablePackageVulnerabilityAnalysis>
+    <RestoreUseStaticGraphEvaluation>true</RestoreUseStaticGraphEvaluation>    
     <NuGetAudit>true</NuGetAudit>
     <NuGetAuditLevel>low</NuGetAuditLevel>
-    <NoWarn>$(NoWarn);1591;2003;RCS1036</NoWarn>
+    <NugetAuditMode>all</NugetAuditMode>
+    <NoWarn>$(NoWarn);1591</NoWarn>
     <IncludeSymbols>true</IncludeSymbols>
-    <EmbedUntrackedSources>true</EmbedUntrackedSources>    
-    <IncludePackageReferencesDuringMarkupCompilation>true</IncludePackageReferencesDuringMarkupCompilation>
+    <EmbedUntrackedSources>true</EmbedUntrackedSources>        
     <AllowedOutputExtensionsInPackageBuildOutputFolder>$(AllowedOutputExtensionsInPackageBuildOutputFolder);.pdb</AllowedOutputExtensionsInPackageBuildOutputFolder>
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
 
@@ -23,7 +21,7 @@
     <EnableTrimAnalyzer>true</EnableTrimAnalyzer>
     -->
   </PropertyGroup>
-
+    
   <!-- Common nuget package parameters and resources. -->
   <PropertyGroup>
     <PackageId>$(AssemblyName)</PackageId>

Directory.Packages.props

@@ -6,7 +6,7 @@
   <ItemGroup>
     <PackageVersion Include="BenchmarkDotNet" Version="0.13.12" />
     <PackageVersion Include="coverlet.collector" Version="6.0.2" />
-    <PackageVersion Include="dotNetRdf" Version="3.1.1" />
+    <PackageVersion Include="dotNetRdf" Version="3.2.0" />
     <PackageVersion Include="FsCheck.Xunit" Version="2.16.6" />
     <PackageVersion Include="JunitXml.TestLogger" Version="3.1.12" />
     <PackageVersion Include="LiquidTestReports.Markdown" Version="1.4.3-beta" />
@@ -26,9 +26,9 @@
     <PackageVersion Include="System.Security.Cryptography.ProtectedData" Version="8.0.0" />
     <PackageVersion Include="System.Text.Json" Version="8.0.3" />
     <PackageVersion Include="WinSharpFuzz" Version="1.0.0" />
-    <PackageVersion Include="xunit" Version="2.8.0" />
-    <PackageVersion Include="xunit.analyzers" Version="1.13.0" />
-    <PackageVersion Include="xunit.extensibility.execution" Version="2.8.0" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.0" />
+    <PackageVersion Include="xunit" Version="2.8.1" />
+    <PackageVersion Include="xunit.analyzers" Version="1.14.0" />
+    <PackageVersion Include="xunit.extensibility.execution" Version="2.8.1" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.1" />    
   </ItemGroup>
 </Project>

NuGet.config

@@ -19,8 +19,8 @@
 		<repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
 			<certificate fingerprint="5a2901d6ada3d18260b9c6dfe2133c95d74b9eef6ae0e5dc334c8454d1477df4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
 			<certificate fingerprint="0E5F38F57DC1BCC806D8494F4F90FBCEDD988B46760709CBEEC6F4219AA6157D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
-			<certificate fingerprint="1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D" hashAlgorithm="SHA256" allowUntrustedRoot="false=" />
-			<owners>Microsoft;9ee1;commandlineparser;DotLiquid;roastedamoeba;NightOwl888;FlorianRappl;wtfsck;zzzprojects;SharpDevelop;jedisct1;xoofx;ApacheLuceneNet;tssdotmsr;Microsoft;xunit;Coverlet;xUnit.net;dotnetfoundation;albi05;jd.cain.jr;joelhulen;aarnott;AndreyAkinshin;dotnetrdf;kurt;codito;kurtmkurtm;nsec;clairernovotny;Metalnem;sil-lsdev;sedatk;spectresystems;winsharpfuzz;</owners>
+			<certificate fingerprint="1F4B311D9ACC115C8DC8018B5A49E00FCE6DA8E2855F9F014CA6F34570BC482D" hashAlgorithm="SHA256" allowUntrustedRoot="false" />			
+			<owners>pshkarin;Microsoft;9ee1;commandlineparser;DotLiquid;roastedamoeba;NightOwl888;FlorianRappl;wtfsck;zzzprojects;SharpDevelop;jedisct1;xoofx;ApacheLuceneNet;tssdotmsr;Microsoft;xunit;Coverlet;xUnit.net;dotnetfoundation;albi05;jd.cain.jr;joelhulen;aarnott;AndreyAkinshin;dotnetrdf;kurt;codito;kurtmkurtm;nsec;clairernovotny;Metalnem;sil-lsdev;sedatk;spectresystems;winsharpfuzz;</owners>
 		</repository>
 	</trustedSigners>
 </configuration>

global.json

@@ -1,5 +1,5 @@
 {
   "sdk": {
-    "version": "8.0.300"    
+    "version": "8.0.302"    
   }
 }

test/Verifiable.Tests/Verifiable.Tests.csproj

@@ -19,7 +19,10 @@
     <PackageReference Include="FsCheck.Xunit" />
     <PackageReference Include="xunit" />
     <PackageReference Include="xunit.extensibility.execution" />
-    <PackageReference Include="xunit.analyzers" />    
+    <PackageReference Include="xunit.analyzers">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>    
     <PackageReference Include="Microsoft.NET.Test.Sdk" />
     <PackageReference Include="Microsoft.CodeCoverage" />
     <PackageReference Include="LiquidTestReports.Markdown" />