Dependabot updates for week of 22 May 2023

.github/workflows/backend.yml

@@ -16,6 +16,8 @@ jobs:
       matrix:
         dotnet: ["6.0.x"]
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
@@ -27,6 +29,8 @@ jobs:
             api.nuget.org:443
             codecov.io:443
             dc.services.visualstudio.com:443
+            deb.debian.org:80
+            dotnetbuilds.azureedge.net:443
             dotnetcli.azureedge.net:443
             github.com:443
             md-hdd-t032zjxllntc.z26.blob.storage.azure.net:443
@@ -46,7 +50,7 @@ jobs:
         run: dotnet test Backend.Tests/Backend.Tests.csproj
         shell: bash
       - name: Upload coverage report
-        uses: codecov/codecov-action@894ff025c7b54547a9a2a1e9f228beae737ad3c2 # v3.1.3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           files: Backend.Tests/coverage.cobertura.xml
           flags: backend
@@ -70,12 +74,15 @@ jobs:
       security-events: write # for github/codeql-action/autobuild to send a status report
     runs-on: ubuntu-20.04
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            *.blob.storage.azure.net:
             aka.ms:443
             api.github.com:443
             api.nuget.org:443
@@ -111,23 +118,26 @@ jobs:
     runs-on: ubuntu-22.04
     #    if: ${{ github.event.type }} == "PullRequest"
     steps:
-      # For subfolders, currently a full checkout is required.
-      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
           disable-sudo: true
+          disable-file-monitoring: true
           egress-policy: block
           allowed-endpoints: >
+            *.data.mcr.microsoft.com:443
             api.nuget.org:443
+            archive.ubuntu.com:80
             dc.services.visualstudio.com:443
             deb.debian.org:80
             github.com:443
-            docker.io:443
-            auth.docker.io:443
-            registry-1.docker.io:443
-            production.cloudflare.docker.com
-            security.debian.org
+            mcr.microsoft.com:443
+            security.ubuntu.com:80
+
+      # For subfolders, currently a full checkout is required.
+      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0

.github/workflows/codeql.yml

@@ -42,19 +42,21 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+            api.nuget.org:443
+            dc.services.visualstudio.com:443
             files.pythonhosted.org:443
             github.com:443
             objects.githubusercontent.com:443
             pypi.org:443
-            api.nuget.org:443
-            dc.services.visualstudio.com:443
       - name: Checkout repository
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 

.github/workflows/combine_deploy_image.yml

@@ -13,6 +13,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:

.github/workflows/database.yml

@@ -12,13 +12,14 @@ jobs:
     if: ${{ github.event.type }} == "PullRequest"
     runs-on: ubuntu-latest
     steps:
-      # For subfolders, currently a full checkout is required.
-      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+      # For subfolders, currently a full checkout is required.
+      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0

.github/workflows/deploy_qa.yml

@@ -18,6 +18,8 @@ jobs:
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
@@ -26,7 +28,6 @@ jobs:
           allowed-endpoints: >
             ${{ secrets.AWS_ACCOUNT }}.dkr.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com
             api.ecr.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
-            sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
             api.github.com:443
             api.nuget.org:443
             archive.ubuntu.com:80
@@ -41,11 +42,12 @@ jobs:
             pipelines.actions.githubusercontent.com:443
             production.cloudflare.docker.com:443
             pypi.org:443
-            registry.npmjs.org:443
             registry-1.docker.io:443
+            registry.npmjs.org:443
             security.debian.org:80
             security.ubuntu.com:80
             storage.googleapis.com:443
+            sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
             uploader.codecov.io:443
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
@@ -66,6 +68,8 @@ jobs:
       RM_PATTERN_2: \d+\.\d+\.\d+-[a-z]+\.\d+-master\.\d+
     runs-on: ubuntu-latest
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:

.github/workflows/deploy_release.yml

@@ -17,6 +17,8 @@ jobs:
     outputs:
       image_tag: ${{ steps.build_combine.outputs.image_tag }}
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:

.github/workflows/frontend.yml

@@ -16,6 +16,8 @@ jobs:
       matrix:
         node-version: [18]
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
@@ -42,7 +44,7 @@ jobs:
         env:
           CI: true
       - name: Upload coverage report
-        uses: codecov/codecov-action@894ff025c7b54547a9a2a1e9f228beae737ad3c2 # v3.1.3
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           files: coverage/clover.xml
           flags: frontend
@@ -56,6 +58,8 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.type }} == "PullRequest"
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:

.github/workflows/maintenance.yml

@@ -12,8 +12,8 @@ jobs:
     if: ${{ github.event.type }} == "PullRequest"
     runs-on: ubuntu-latest
     steps:
-      # For subfolders, currently a full checkout is required.
-      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
@@ -28,6 +28,8 @@ jobs:
             pypi.org:443
             registry-1.docker.io:443
             security.ubuntu.com:80
+      # For subfolders, currently a full checkout is required.
+      # See: https://github.com/marketplace/actions/build-and-push-docker-images#path-context
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0

.github/workflows/pages.yml

@@ -14,6 +14,8 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:

.github/workflows/python.yml

@@ -16,6 +16,8 @@ jobs:
       matrix:
         python-version: ["3.8", "3.9", "3.10"]
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:

.github/workflows/scorecards.yml

@@ -32,6 +32,8 @@ jobs:
       # actions: read
 
     steps:
+      # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
+      # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
         uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
         with:
@@ -40,16 +42,16 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             api.osv.dev:443
+            api.securityscorecards.dev
+            auth.docker.io:443
             bestpractices.coreinfrastructure.org:443
             fulcio.sigstore.dev:443
-            oauth2.sigstore.dev:443
             github.com:443
             index.docker.io:443
             mcr.microsoft.com:443
-            sigstore-tuf-root.storage.googleapis.com:443
-            auth.docker.io:443
+            oauth2.sigstore.dev:443
             rekor.sigstore.dev:443
-            api.securityscorecards.dev
+            sigstore-tuf-root.storage.googleapis.com:443
       - name: "Checkout code"
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:

Backend.Tests/Backend.Tests.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <IsPackable>false</IsPackable>
@@ -12,7 +12,7 @@
     <NoWarn>$(NoWarn);CA1816;CS1591</NoWarn>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.5.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.6.0" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="NUnit3TestAdapter" Version="4.4.2" />
     <PackageReference Include="coverlet.collector" Version="3.2.0"/>

Backend/Dockerfile

@@ -1,5 +1,5 @@
-# Docker multi-stage build using bitnami/dotnet-sdk:6.0.408-debian-11-r11
-FROM bitnami/dotnet-sdk@sha256:63cdc71743bb0bd48f34175eea4f78f54ac66acf4ddbbef566023486f6bd8acb AS builder
+# Docker multi-stage build using 6.0.408-jammy-amd64
+FROM mcr.microsoft.com/dotnet/sdk@sha256:7aec153ea5107c1a5977531448e5db564b7b5b2dea0446e2716d8fac15fc543b AS builder
 WORKDIR /app
 
 # Copy csproj and restore (fetch dependencies) as distinct layers.
@@ -10,8 +10,8 @@ RUN dotnet restore
 COPY . ./
 RUN dotnet publish -c Release -o build
 
-# Build runtime image.  Using bitnami/aspnet-core:6.0.16-debian-11-r11
-FROM bitnami/aspnet-core@sha256:d39190e77f114dfdb429333f0e329e6a3cc34ca3bcae45c112c33a057b92f69a
+# Build runtime image.  Using 6.0-jammy-amd64
+FROM mcr.microsoft.com/dotnet/aspnet@sha256:ec02fd792b4bad382893e4d9f8249228db2c764f01222c3f2f2afb9f43605a9b
 
 ENV ASPNETCORE_URLS=http://+:5000
 ENV COMBINE_IS_IN_CONTAINER=1

deploy/requirements.txt

@@ -4,13 +4,13 @@
 #
 #    pip-compile --resolver=backtracking requirements.in
 #
-ansible==7.5.0
+ansible==7.6.0
     # via -r requirements.in
-ansible-core==2.14.5
+ansible-core==2.14.6
     # via ansible
 cachetools==5.3.0
     # via google-auth
-certifi==2022.12.7
+certifi==2023.5.7
     # via
     #   kubernetes
     #   requests
@@ -22,7 +22,7 @@ cryptography==40.0.2
     # via
     #   ansible-core
     #   pyopenssl
-google-auth==2.17.3
+google-auth==2.18.1
     # via kubernetes
 idna==3.4
     # via requests
@@ -58,7 +58,7 @@ pyyaml==6.0
     #   -r requirements.in
     #   ansible-core
     #   kubernetes
-requests==2.29.0
+requests==2.31.0
     # via
     #   kubernetes
     #   requests-oauthlib
@@ -73,11 +73,12 @@ six==1.16.0
     #   google-auth
     #   kubernetes
     #   python-dateutil
-urllib3==1.26.15
+urllib3==1.26.16
     # via
+    #   google-auth
     #   kubernetes
     #   requests
-websocket-client==1.5.1
+websocket-client==1.5.2
     # via kubernetes
 
 # The following packages are considered to be unsafe in a requirements file: