Update to .NET 8

.devcontainer/devcontainer.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://raw.githubusercontent.com/devcontainers/spec/main/schemas/devContainer.base.schema.json",
   "name": "Component Detection",
-  "image": "mcr.microsoft.com/vscode/devcontainers/dotnet:6.0",
+  "image": "mcr.microsoft.com/vscode/devcontainers/dotnet:8.0",
   "runArgs": ["--init"],
   "extensions": [
     "eamodio.gitlens",

.editorconfig

@@ -679,6 +679,25 @@ dotnet_diagnostic.CA1848.severity = suggestion
 # JSON002: Probable JSON string detected
 dotnet_diagnostic.JSON002.severity = suggestion
 
+# IDE0290: Use primary constructor
+dotnet_diagnostic.IDE0290.severity = suggestion
+
+# IDE0305: Simplify collection initialization
+dotnet_diagnostic.IDE0305.severity = suggestion
+
+# SYSLIB1045: Convert to 'GeneratedRegexAttribute'.
+dotnet_diagnostic.SYSLIB1045.severity = suggestion
+
+# CA1859: Use concrete types when possible for improved performance
+dotnet_diagnostic.CA1859.severity = suggestion
+
+# CA1851: Possible multiple enumerations of 'IEnumerable' collection
+dotnet_diagnostic.CA1851.severity = suggestion
+
+# CA1861: Avoid constant arrays as arguments
+dotnet_diagnostic.CA1861.severity = suggestion
+
+
 # Workaround for https://github.com/dotnet/roslyn-analyzers/issues/5628
 [Program.cs]
 dotnet_diagnostic.ca1812.severity = none

.github/workflows/codeql-analysis.yml

@@ -26,12 +26,13 @@ jobs:
           fetch-depth: 0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+      uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
       with:
         languages: 'csharp'
+        debug: true
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+      uses: github/codeql-action/autobuild@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+      uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8

.github/workflows/ossf-scorecard.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
         with:
           sarif_file: results.sarif

.github/workflows/smoke-test.yml

@@ -26,7 +26,7 @@ jobs:
             { name: "Go", repo: "kubernetes/kubernetes" },
             { name: "Maven", repo: "apache/kafka" },
             { name: "NPM", repo: "axios/axios" },
-            { name: "NuGet", repo: "Radarr/Radarr" },
+            { name: "NuGet", repo: "dotnet/aspire" },
             { name: "Pip", repo: "django/django" },
             { name: "Pnpm", repo: "pnpm/pnpm" },
             { name: "Poetry", repo: "Textualize/rich" },
@@ -41,9 +41,6 @@ jobs:
       - name: Checkout Component Detection
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
-      - name: Setup .NET
-        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
-
       - name: Install Apache Ivy
         run: curl https://downloads.apache.org/ant/ivy/2.5.2/apache-ivy-2.5.2-bin.tar.gz | tar xOz apache-ivy-2.5.2/ivy-2.5.2.jar > /usr/share/ant/lib/ivy.jar
 
@@ -53,10 +50,21 @@ jobs:
           repository: ${{ matrix.language.repo }}
           path: smoke-test-repo
 
+      - name: Setup .NET
+        uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0
+        with:
+          dotnet-version: '8.0.x'
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        if: ${{ matrix.language.name == 'Pip'}}
+        with:
+          python-version: '3.10' 
+
       - name: Restore Smoke Test NuGet Packages
         if: ${{ matrix.language.name == 'NuGet'}}
-        working-directory: smoke-test-repo/src
-        run: dotnet restore
+        working-directory: smoke-test-repo
+        run: dotnet restore Aspire.sln
 
       - name: Run Smoke Test
         working-directory: src/Microsoft.ComponentDetection

Directory.Build.props

@@ -1,7 +1,7 @@
 <Project>
 
   <PropertyGroup Label="Build">
-    <TargetFramework>net6.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <LangVersion>latest</LangVersion>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>

Directory.Packages.props

@@ -7,50 +7,50 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <PackageVersion Include="CommandLineParser" Version="2.9.1" />
-    <PackageVersion Include="coverlet.collector" Version="6.0.0" />
+    <PackageVersion Include="coverlet.collector" Version="6.0.2" />
     <PackageVersion Include="coverlet.msbuild" Version="6.0.2" />
     <PackageVersion Include="Docker.DotNet" Version="3.125.15" />
     <PackageVersion Include="FluentAssertions" Version="6.12.0" />
-    <PackageVersion Include="FluentAssertions.Analyzers" Version="0.26.0" />
-    <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="7.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="7.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="7.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Http" Version="7.0.0" />
-    <PackageVersion Include="Microsoft.Extensions.Logging" Version="7.0.0" />
+    <PackageVersion Include="FluentAssertions.Analyzers" Version="0.32.0" />
+    <PackageVersion Include="Microsoft.Extensions.Caching.Memory" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="8.0.1" />
+    <PackageVersion Include="Microsoft.Extensions.Http" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Logging" Version="8.0.0" />
     <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.VisualStudio.Threading.Analyzers" Version="17.8.14" />
+    <PackageVersion Include="Microsoft.VisualStudio.Threading.Analyzers" Version="17.10.48" />
     <PackageVersion Include="DotNet.Glob" Version="2.1.1" />
-    <PackageVersion Include="MinVer" Version="4.3.0" />
+    <PackageVersion Include="MinVer" Version="5.0.0" />
     <PackageVersion Include="Moq" Version="4.18.4" />
     <PackageVersion Include="morelinq" Version="4.2.0" />
     <PackageVersion Include="MSTest.TestAdapter" Version="3.4.0" />
     <PackageVersion Include="MSTest.TestFramework" Version="3.4.0" />
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageVersion Include="Newtonsoft.Json.Schema" Version="3.0.16" />
-    <PackageVersion Include="NuGet.ProjectModel" Version="6.9.1" />
-    <PackageVersion Include="NuGet.Versioning" Version="6.9.1" />
+    <PackageVersion Include="NuGet.ProjectModel" Version="6.10.0" />
+    <PackageVersion Include="NuGet.Versioning" Version="6.10.0" />
     <PackageVersion Include="packageurl-dotnet" Version="1.0.0" />
     <PackageVersion Include="Polly" Version="8.4.0" />
     <PackageVersion Include="SemanticVersioning" Version="2.0.2" />
     <PackageVersion Include="Serilog" Version="3.1.1" />
-    <PackageVersion Include="Serilog.Extensions.Logging" Version="7.0.0" />
+    <PackageVersion Include="Serilog.Extensions.Logging" Version="8.0.0" />
     <PackageVersion Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageVersion Include="Serilog.Sinks.Console" Version="5.0.1" />
     <PackageVersion Include="Serilog.Sinks.File" Version="5.0.0" />
     <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
-    <PackageVersion Include="Spectre.Console" Version="0.48.0" />
-    <PackageVersion Include="Spectre.Console.Cli" Version="0.48.0" />
+    <PackageVersion Include="Spectre.Console" Version="0.49.1" />
+    <PackageVersion Include="Spectre.Console.Cli" Version="0.49.1" />
     <PackageVersion Include="Spectre.Console.Cli.Extensions.DependencyInjection" Version="0.2.0" />
-    <PackageVersion Include="Spectre.Console.Testing" Version="0.48.0" />
+    <PackageVersion Include="Spectre.Console.Testing" Version="0.49.1" />
     <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.556" />
     <PackageVersion Include="System.Memory" Version="4.5.5" />
-    <PackageVersion Include="System.Reactive" Version="6.0.0" />
+    <PackageVersion Include="System.Reactive" Version="6.0.1" />
     <PackageVersion Include="System.Runtime.Loader" Version="4.3.0" />
-    <PackageVersion Include="System.Text.Json" Version="6.0.9" />
-    <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="7.0.0" />
+    <PackageVersion Include="System.Text.Json" Version="8.0.3" />
+    <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="8.0.0" />
     <PackageVersion Include="Tomlyn.Signed" Version="0.17.0" />
-    <PackageVersion Include="yamldotnet" Version="13.7.1" />
+    <PackageVersion Include="yamldotnet" Version="15.1.6" />
     <PackageVersion Include="Faker.net" Version="2.0.163" />
     <PackageVersion Include="Valleysoft.DockerfileModel" Version="1.1.1" />
   </ItemGroup>

docs/detectors/pip.md

@@ -50,7 +50,7 @@ If no internet connection or a component cannot be found in PyPi, said component
 ## Environment Variables
 
 The environment variable `PyPiMaxCacheEntries` is used to control the size of the in-memory LRU cache that caches responses from PyPi.
-The default value is 128.
+The default value is 4096.
 
 The enviroment variable `PIP_INDEX_URL` is used to determine what package feed should be used for `pip install --report` detection.
-The default value will use the PyPi index unless pip defaults have been configured globally.
+The default value will use the PyPi index unless pip defaults have been configured globally.

global.json

@@ -1,6 +1,6 @@
 {
 	"sdk": {
-		"version": "6.0.422",
+		"version": "8.0.300",
 		"rollForward": "latestMinor"
 	}
 }

renovate.json

@@ -2,6 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base",
-    "helpers:pinGitHubActionDigests"
-  ]
-}
+    "helpers:pinGitHubActionDigests",
+    ":maintainLockFilesWeekly"
+  ],
+  "branchConcurrentLimit": 3
+}

src/Microsoft.ComponentDetection.Common/AsyncExecution.cs

@@ -21,10 +21,7 @@ public static class AsyncExecution
     /// <exception cref="TimeoutException">Thrown when the execution does not complete within the timeout.</exception>
     public static async Task<T> ExecuteWithTimeoutAsync<T>(Func<Task<T>> toExecute, TimeSpan timeout, CancellationToken cancellationToken)
     {
-        if (toExecute == null)
-        {
-            throw new ArgumentNullException(nameof(toExecute));
-        }
+        ArgumentNullException.ThrowIfNull(toExecute);
 
         var work = Task.Run(toExecute);
 
@@ -48,10 +45,7 @@ public static async Task<T> ExecuteWithTimeoutAsync<T>(Func<Task<T>> toExecute,
     /// <exception cref="TimeoutException">Thrown when the execution does not complete within the timeout.</exception>
     public static async Task ExecuteVoidWithTimeoutAsync(Action toExecute, TimeSpan timeout, CancellationToken cancellationToken)
     {
-        if (toExecute == null)
-        {
-            throw new ArgumentNullException(nameof(toExecute));
-        }
+        ArgumentNullException.ThrowIfNull(toExecute);
 
         var work = Task.Run(toExecute, cancellationToken);
         var completedInTime = await Task.Run(() => work.Wait(timeout));

src/Microsoft.ComponentDetection.Common/CommandLineInvocationService.cs

@@ -1,4 +1,4 @@
-namespace Microsoft.ComponentDetection.Common;
+namespace Microsoft.ComponentDetection.Common;
 
 using System;
 using System.Collections.Concurrent;
@@ -19,8 +19,8 @@ public class CommandLineInvocationService : ICommandLineInvocationService
     /// <inheritdoc/>
     public async Task<bool> CanCommandBeLocatedAsync(string command, IEnumerable<string> additionalCandidateCommands = null, DirectoryInfo workingDirectory = null, params string[] parameters)
     {
-        additionalCandidateCommands ??= Enumerable.Empty<string>();
-        parameters ??= Array.Empty<string>();
+        additionalCandidateCommands ??= [];
+        parameters ??= [];
         var allCommands = new[] { command }.Concat(additionalCandidateCommands);
         if (!this.commandLocatableCache.TryGetValue(command, out var validCommand))
         {
@@ -71,15 +71,16 @@ public async Task<CommandLineExecutionResult> ExecuteCommandAsync(string command
 
         var pathToRun = this.commandLocatableCache[command];
         var joinedParameters = string.Join(" ", parameters);
+        var commandForLogging = joinedParameters.RemoveSensitiveInformation();
         try
         {
             var result = await RunProcessAsync(pathToRun, joinedParameters, workingDirectory);
-            record.Track(result, pathToRun, joinedParameters);
+            record.Track(result, pathToRun, commandForLogging);
             return result;
         }
         catch (Exception ex)
         {
-            record.Track(ex, pathToRun, joinedParameters);
+            record.Track(ex, pathToRun, commandForLogging);
             throw;
         }
     }

src/Microsoft.ComponentDetection.Common/ComponentStreamEnumerable.cs

@@ -45,7 +45,7 @@ IEnumerator IEnumerable.GetEnumerator()
         return this.GetEnumerator();
     }
 
-    private Stream SafeOpenFile(FileInfo file)
+    private FileStream SafeOpenFile(FileInfo file)
     {
         try
         {

src/Microsoft.ComponentDetection.Common/DependencyGraph/ComponentRecorder.cs

@@ -16,7 +16,7 @@ namespace Microsoft.ComponentDetection.Common.DependencyGraph;
 
 public class ComponentRecorder : IComponentRecorder
 {
-    private readonly ConcurrentBag<SingleFileComponentRecorder> singleFileRecorders = new ConcurrentBag<SingleFileComponentRecorder>();
+    private readonly ConcurrentBag<SingleFileComponentRecorder> singleFileRecorders = [];
 
     private readonly bool enableManualTrackingOfExplicitReferences;
 
@@ -38,7 +38,7 @@ public IEnumerable<DetectedComponent> GetDetectedComponents()
         IEnumerable<DetectedComponent> detectedComponents;
         if (this.singleFileRecorders == null)
         {
-            return Enumerable.Empty<DetectedComponent>();
+            return [];
         }
 
         detectedComponents = this.singleFileRecorders
@@ -68,7 +68,7 @@ public IEnumerable<string> GetSkippedComponents()
     {
         if (this.singleFileRecorders == null)
         {
-            return Enumerable.Empty<string>();
+            return [];
         }
 
         return this.singleFileRecorders
@@ -162,18 +162,15 @@ public void RegisterUsage(
             bool? isDevelopmentDependency = null,
             DependencyScope? dependencyScope = null)
         {
-            if (detectedComponent == null)
-            {
-                throw new ArgumentNullException(paramName: nameof(detectedComponent));
-            }
+            ArgumentNullException.ThrowIfNull(detectedComponent);
 
             if (detectedComponent.Component == null)
             {
                 throw new ArgumentException(Resources.MissingComponentId);
             }
 
 #if DEBUG
-            if (detectedComponent.DependencyRoots?.Any() ?? false)
+            if (detectedComponent.DependencyRoots?.Count == 0)
             {
                 this.logger.LogWarning("Detector should not populate DetectedComponent.DependencyRoots!");
             }
@@ -195,10 +192,7 @@ public void RegisterUsage(
 
         public void RegisterPackageParseFailure(string skippedComponent)
         {
-            if (skippedComponent == null)
-            {
-                throw new ArgumentNullException(paramName: nameof(skippedComponent));
-            }
+            ArgumentNullException.ThrowIfNull(skippedComponent);
 
             _ = this.skippedComponentsInternal[skippedComponent] = default;
         }