[APIPUB-80] Fixing vulnerabilities found with Docker Scout (Ed-Fi-Alliance-OSS#84)

Update nuget packages
Update System.Text.Json to version 8.0.5
Update .NET SDK alpine version to use Alpine 3.20
Update apk for openssl to use version 3.3.2 and remove vulnerability
Update apk for postgres client to use version 16

Author: jleiva-gap

src/Dockerfile

@@ -3,8 +3,8 @@
 # The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
 # See the LICENSE and NOTICES files in the project root for more information.
 
-# Tag aspnet:8.0-alpine
-FROM mcr.microsoft.com/dotnet/aspnet@sha256:ba398f8c6a0469436cc115bfbd278002baf4ce9423b6d8a9e904da6adc31a23d
+# Tag aspnet:8.0-alpine3.20
+FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.20@sha256:b5b7dec8006fe016cc864f618cf60eab24fb7d7a28c8ecf4f6b90ceeaa5cf9f2
 LABEL maintainer="Ed-Fi Alliance, LLC and Contributors <techsupport@ed-fi.org>"
 
 ARG VERSION="1.2.1"
@@ -21,7 +21,8 @@ COPY ./Docker/plainTextNamedConnections.template.json /app/plainTextNamedConnect
 
 COPY ./Docker/run.sh /app/run.sh
 
-RUN apk --no-cache add unzip=~6 dos2unix=~7 bash=~5 gettext=~0 postgresql13-client=~13 icu=~74 curl=~8 && \
+RUN apk update && \
+    apk --no-cache add --upgrade unzip=~6 dos2unix=~7 bash=~5 gettext=~0 openssl=3.3.2-r0 postgresql16-client=~16 icu=~74 curl=~8 && \
     wget -nv -O /app/ApiPublisher.zip https://pkgs.dev.azure.com/ed-fi-alliance/Ed-Fi-Alliance-OSS/_apis/packaging/feeds/EdFi/nuget/packages/EdFi.ApiPublisher/versions/${VERSION}/content && \
     unzip /app/ApiPublisher.zip 'EdFi.ApiPublisher/**' -d /app/ && \
     mv /app/EdFi.ApiPublisher/* /app/ && \

src/EdFi.Tools.ApiPublisher.Cli/EdFi.Tools.ApiPublisher.Cli.csproj

@@ -7,20 +7,21 @@
     <NoWarn>NU5100, NU5124</NoWarn>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Autofac.Extensions.DependencyInjection" Version="9.0.0" />
-    <PackageReference Include="AWSSDK.CloudWatchLogs" Version="3.7.305.55" />
-    <PackageReference Include="AWSSDK.Core" Version="3.7.304.25" />
+    <PackageReference Include="Autofac.Extensions.DependencyInjection" Version="10.0.0" />
+    <PackageReference Include="AWSSDK.CloudWatchLogs" Version="3.7.403.21" />
+    <PackageReference Include="AWSSDK.Core" Version="3.7.400.35" />
     <PackageReference Include="Serilog.Enrichers.Thread" Version="4.0.0" />
-    <PackageReference Include="Serilog.Settings.Configuration" Version="8.0.1" />
-    <PackageReference Include="Serilog.Sinks.AwsCloudWatch" Version="4.2.29" />
+    <PackageReference Include="Serilog.Settings.Configuration" Version="8.0.4" />
+    <PackageReference Include="Serilog.Sinks.AwsCloudWatch" Version="4.3.37" />
     <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
     <PackageReference Include="Microsoft.Extensions.Configuration.CommandLine" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="8.0.0" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="8.0.1" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
-    <PackageReference Include="System.Threading.Tasks.Dataflow" Version="8.0.0" />
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+    <PackageReference Include="System.Threading.Tasks.Dataflow" Version="8.0.1" />
   </ItemGroup>
   <ItemGroup>
     <None Update="apiPublisherSettings.json">

src/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws/EdFi.Tools.ApiPublisher.ConfigurationStore.Aws.csproj

@@ -4,10 +4,11 @@
     <LangVersion>10</LangVersion>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Amazon.Extensions.Configuration.SystemsManager" Version="6.2.0" />
+    <PackageReference Include="Amazon.Extensions.Configuration.SystemsManager" Version="6.2.2" />
     <PackageReference Include="AWSSDK.Extensions.NETCore.Setup" Version="3.7.301" />
-    <PackageReference Include="AWSSDK.SimpleSystemsManagement" Version="3.7.305.5" />
+    <PackageReference Include="AWSSDK.SimpleSystemsManagement" Version="3.7.402.14" />
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\EdFi.Tools.ApiPublisher.Connections.Api\EdFi.Tools.ApiPublisher.Connections.Api.csproj" />

src/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext/EdFi.Tools.ApiPublisher.ConfigurationStore.Plaintext.csproj

@@ -3,6 +3,9 @@
     <TargetFramework>net8.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
+  </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\EdFi.Tools.ApiPublisher.Connections.Api\EdFi.Tools.ApiPublisher.Connections.Api.csproj" />
     <ProjectReference Include="..\EdFi.Tools.ApiPublisher.Core\EdFi.Tools.ApiPublisher.Core.csproj" />

src/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql/EdFi.Tools.ApiPublisher.ConfigurationStore.PostgreSql.csproj

@@ -4,9 +4,10 @@
     <LangVersion>10</LangVersion>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Npgsql" Version="8.0.3" />
+    <PackageReference Include="Npgsql" Version="8.0.5" />
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0" />
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\EdFi.Tools.ApiPublisher.Connections.Api\EdFi.Tools.ApiPublisher.Connections.Api.csproj" />

src/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer/EdFi.Tools.ApiPublisher.ConfigurationStore.SqlServer.csproj

@@ -4,11 +4,12 @@
     <LangVersion>10</LangVersion>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.12.0" />
-    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.1" />
+    <PackageReference Include="Azure.Identity" Version="1.13.0" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="8.0.0" />
-    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.6.2" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.6.2" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.1.2" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.1.2" />
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\EdFi.Tools.ApiPublisher.Connections.Api\EdFi.Tools.ApiPublisher.Connections.Api.csproj" />

src/EdFi.Tools.ApiPublisher.Connections.Api/EdFi.Tools.ApiPublisher.Connections.Api.csproj

@@ -5,18 +5,19 @@
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Autofac" Version="8.0.0" />
-    <PackageReference Include="Microsoft.CodeAnalysis" Version="4.10.0" />
-    <PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeStyle" Version="4.10.0">
+    <PackageReference Include="Autofac" Version="8.1.1" />
+    <PackageReference Include="Microsoft.CodeAnalysis" Version="4.11.0" />
+    <PackageReference Include="Microsoft.CodeAnalysis.CSharp.CodeStyle" Version="4.11.0">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.1" />
-    <PackageReference Include="Polly.RateLimiting" Version="8.4.1" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
+    <PackageReference Include="Polly.RateLimiting" Version="8.4.2" />
     <PackageReference Include="SonarAnalyzer.CSharp" Version="9.32.0.97167">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\EdFi.Tools.ApiPublisher.Core\EdFi.Tools.ApiPublisher.Core.csproj" />

src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsSourceModule.cs

@@ -124,7 +124,7 @@ protected override void Load(ContainerBuilder builder)
         // API dependency metadata from Ed-Fi ODS API (using Source API)
         if (options.UseSourceDependencyMetadata)
         {
-            builder.RegisterType<EdFiApiGraphMLDependencyMetadataProvider>()
+            _ = builder.RegisterType<EdFiApiGraphMLDependencyMetadataProvider>()
                 .As<IGraphMLDependencyMetadataProvider>()
                 .WithParameter(
                     // Configure to use with Target API

src/EdFi.Tools.ApiPublisher.Connections.Api/Modules/EdFiApiAsTargetModule.cs

@@ -60,7 +60,7 @@ protected override void Load(ContainerBuilder builder)
         // API dependency metadata from Ed-Fi ODS API (using Target API)
         if (!options.UseSourceDependencyMetadata)
         {
-            builder.RegisterType<EdFiApiGraphMLDependencyMetadataProvider>()
+            _ = builder.RegisterType<EdFiApiGraphMLDependencyMetadataProvider>()
                 .As<IGraphMLDependencyMetadataProvider>()
                 .WithParameter(
                     // Configure to use with Target API

src/EdFi.Tools.ApiPublisher.Connections.Api/Processing/Source/Versioning/EdFiApiSourceCurrentChangeVersionProvider.cs

@@ -46,13 +46,12 @@ public EdFiApiSourceCurrentChangeVersionProvider(ISourceEdFiApiClientProvider so
 
         try
         {
-            long maxChangeVersion =
-
+            long maxChangeVersion
+            =
                 // Versions of Ed-Fi API through at least v3.4
                 (JObject.Parse(versionResponseText)["NewestChangeVersion"]
-
-                    // Enhancements/fixes applied introduced as part of API Publisher work
-                    ?? JObject.Parse(versionResponseText)["newestChangeVersion"]).Value<long>();
+               // Enhancements/fixes applied introduced as part of API Publisher work
+               ?? JObject.Parse(versionResponseText)["newestChangeVersion"]).Value<long>();
 
             return maxChangeVersion;
         }