Pin transitive dependencies to mitigate CVEs (#284)

Also:
- Increment package version number
- Fix build warnings found by updated dependency analyzers

Author: cgillum

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## v1.5.1 (Unreleased)
+
+### Updates
+
+* Updated repo to use central package management
+* Resolved multiple CVEs in dependencies
+
 ## v1.5.0
 
 ### Updates

Directory.Packages.props

@@ -16,6 +16,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 		CHANGELOG.md = CHANGELOG.md
 		src\common.props = src\common.props
 		Directory.Build.targets = Directory.Build.targets
+		Directory.Packages.props = Directory.Packages.props
 		nuget.config = nuget.config
 		README.md = README.md
 		sign.snk = sign.snk

DurableTask.SqlServer.sln

@@ -24,7 +24,15 @@
     <PackageReference Include="Microsoft.Azure.DurableTask.Core" />
     <PackageReference Include="Microsoft.Data.SqlClient" />
     <PackageReference Include="SemanticVersion" />
-    <PackageReference Include="System.Threading.Channels" />
+  </ItemGroup>
+
+  <!-- Transitive dependency pinning -->
+  <ItemGroup>
+    <PackageReference Include="Azure.Core" />
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
+    <PackageReference Include="System.Text.Json" />
   </ItemGroup>
 
 </Project>

src/DurableTask.SqlServer/DurableTask.SqlServer.csproj

@@ -17,7 +17,7 @@
   <PropertyGroup>
     <MajorVersion>1</MajorVersion>
     <MinorVersion>5</MinorVersion>
-    <PatchVersion>0</PatchVersion>
+    <PatchVersion>1</PatchVersion>
     <VersionPrefix>$(MajorVersion).$(MinorVersion).$(PatchVersion)</VersionPrefix>
     <VersionSuffix></VersionSuffix>
     <AssemblyVersion>$(MajorVersion).$(MinorVersion).0.0</AssemblyVersion>

src/DurableTask.SqlServer/Utils/AsyncQueue.cs

@@ -236,12 +236,12 @@ class TestFunctionTypeLocator : ITypeLocator
 
         class TestSettingsResolver : INameResolver, IConnectionInfoResolver
         {
-            readonly Dictionary<string, string> testSettings;
+            readonly Dictionary<string, string?> testSettings;
             IConfigurationRoot? config;
 
             public TestSettingsResolver()
             {
-                this.testSettings = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+                this.testSettings = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
             }
 
             public void AddSetting(string name, string value)

src/common.props

@@ -3,6 +3,7 @@
 
 namespace DurableTask.SqlServer.AzureFunctions.Tests
 {
+    using System.Threading.Tasks;
     using DurableTask.Core;
     using Microsoft.Azure.WebJobs.Extensions.DurableTask;
     using Microsoft.Azure.WebJobs.Host.Scale;
@@ -21,14 +22,14 @@ public TargetBasedScalingTests()
             SqlOrchestrationService? nullServiceArg = null; // not needed for this test
             this.metricsProviderMock = new Mock<SqlMetricsProvider>(
                 behavior: MockBehavior.Strict,
-                nullServiceArg);
+                nullServiceArg!);
         }
 
         [Theory]
         [InlineData(0)]
         [InlineData(10)]
         [InlineData(20)]
-        public async void TargetBasedScalingTest(int expectedTargetWorkerCount)
+        public async Task TargetBasedScalingTest(int expectedTargetWorkerCount)
         {
             var durabilityProviderMock = new Mock<DurabilityProvider>(
                 MockBehavior.Strict,

test/DurableTask.SqlServer.AzureFunctions.Tests/IntegrationTestBase.cs

@@ -505,7 +505,7 @@ async Task ValidateDatabaseSchemaAsync(TestDatabase database, string schemaName
                 schemaName);
             Assert.Equal(1, currentSchemaVersion.Major);
             Assert.Equal(5, currentSchemaVersion.Minor);
-            Assert.Equal(0, currentSchemaVersion.Patch);
+            Assert.Equal(1, currentSchemaVersion.Patch);
         }
 
         sealed class TestDatabase : IDisposable

test/DurableTask.SqlServer.AzureFunctions.Tests/TargetBasedScalingTests.cs

@@ -16,4 +16,11 @@
     <PackageReference Include="Microsoft.SqlServer.SqlManagementObjects" />
   </ItemGroup>
 
+  <!-- Transitive dependency pinning -->
+  <ItemGroup>
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Azure.Core" />
+    <PackageReference Include="System.Text.Json" />
+  </ItemGroup>
+
 </Project>