microsoft
diff --git a/‎.github/workflows/build.yml
+3-3 b/‎.github/workflows/build.yml
+3-3
diff --git a/‎.github/workflows/codeql-analysis.yml
+4-4 b/‎.github/workflows/codeql-analysis.yml
+4-4
diff --git a/‎.github/workflows/detector-version-bump-reminder.yml
+4-1 b/‎.github/workflows/detector-version-bump-reminder.yml
+4-1
diff --git a/‎.github/workflows/gen-docs.yml
+3-3 b/‎.github/workflows/gen-docs.yml
+3-3
diff --git a/‎.github/workflows/ossf-scorecard.yml
+1-1 b/‎.github/workflows/ossf-scorecard.yml
+1-1
diff --git a/‎.github/workflows/release-drafter.yml
+1-1 b/‎.github/workflows/release-drafter.yml
+1-1
diff --git a/‎.github/workflows/release.yml
+3-3 b/‎.github/workflows/release.yml
+3-3
diff --git a/‎.github/workflows/smoke-test.yml
+96 b/‎.github/workflows/smoke-test.yml
+96
diff --git a/‎.github/workflows/snapshot-publish.yml
+4-4 b/‎.github/workflows/snapshot-publish.yml
+4-4
diff --git a/‎.github/workflows/snapshot-verify.yml
+5-5 b/‎.github/workflows/snapshot-verify.yml
+5-5
diff --git a/‎Directory.Packages.props
+3-2 b/‎Directory.Packages.props
+3-2
diff --git a/‎docs/environment-variables.md
+1-1 b/‎docs/environment-variables.md
+1-1
diff --git a/‎renovate.json
+5-2 b/‎renovate.json
+5-2
diff --git a/‎src/Microsoft.ComponentDetection.Common/DockerService.cs
+8-8 b/‎src/Microsoft.ComponentDetection.Common/DockerService.cs
+8-8
@@ -17,15 +17,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
         with:
           fetch-depth: 0
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v3
+        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # v3
 
       - name: Setup NuGet cache
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }}
 
@@ -21,17 +21,17 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
       with:
           fetch-depth: 0
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/[email protected].0
+      uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
       with:
         languages: 'csharp'
 
     - name: Autobuild
-      uses: github/codeql-action/[email protected].0
+      uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/[email protected].0
+      uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
@@ -3,12 +3,15 @@ on:
   push:
     paths:
       - 'src/Microsoft.ComponentDetection.Detectors/**'
+      
+permissions:
+  pull-requests: write
 
 jobs:
   comment:
     runs-on: ubuntu-latest
     steps:
-      - uses: mshick/add-pr-comment@v2
+      - uses: mshick/add-pr-comment@918f1387735fff58f77804b013a95a4887ec4d85 # v2
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           message: |
 
@@ -16,12 +16,12 @@ jobs:
       contents: write  # for stefanzweifel/git-auto-commit-action to push code in repo
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
         with:
           fetch-depth: 0
 
       - name: Setup .NET Core
-        uses: actions/setup-dotnet@v3
+        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # v3
 
       - name: Generate docs
         run: |
@@ -43,7 +43,7 @@ jobs:
           EOF
 
       - name: Commit
-        uses: stefanzweifel/git-auto-commit-action@v4
+        uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4
         with:
           commit_message: 'Update docs'
           file_pattern: '*.md'
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
         with:
           sarif_file: results.sarif
@@ -16,7 +16,7 @@ jobs:
       pull-requests: read
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5
         with:
           disable-autolabeler: true
         env:
 
@@ -22,12 +22,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
         with:
           fetch-depth: 0
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@v3
+        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # v3
 
       - name: Restore packages
         run: dotnet restore
@@ -36,7 +36,7 @@ jobs:
         run: dotnet publish --configuration Release --output ./bin --self-contained --runtime ${{ matrix.rid }} -p:PublishSingleFile=true -p:IncludeAllContentForSelfExtract=true -p:DebugType=None -p:PublishTrimmed=false ./src/Microsoft.ComponentDetection
 
       - name: Publish CLI tool
-        uses: shogo82148/[email protected]
+        uses: shogo82148/actions-upload-release-asset@b016af922a61601d647ff60226adadbe146b7651 # v1.6.4
         with:
           upload_url: ${{ github.event.release.upload_url }}
           asset_path: ./bin/*
 
@@ -0,0 +1,96 @@
+name: Smoke Tests
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: "0 0 * * *" # every day at midnight
+
+jobs:
+  smoke-test:
+    runs-on: ["self-hosted", "1ES.Pool=1ES-OSE-GH-Pool"]
+    strategy:
+      matrix:
+        language:
+          [
+            { name: "CocoaPods", repo: "realm/realm-swift" },
+            { name: "Gradle", repo: "microsoft/ApplicationInsights-Java" },
+            { name: "Go", repo: "kubernetes/kubernetes" },
+            { name: "Maven", repo: "apache/kafka" },
+            { name: "NPM", repo: "axios/axios" },
+            { name: "NuGet", repo: "Radarr/Radarr" },
+            { name: "Pip", repo: "django/django" },
+            { name: "Pnpm", repo: "pnpm/pnpm" },
+            { name: "Poetry", repo: "Textualize/rich" },
+            { name: "Ruby", repo: "rails/rails" },
+            { name: "Rust", repo: "alacritty/alacritty" },
+            { name: "Yarn", repo: "gatsbyjs/gatsby" },
+          ]
+      fail-fast: false
+    name: ${{ matrix.language.name }}
+    steps:
+      - name: Checkout Component Detection
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # v3.0.3
+
+      - name: Setup NuGet cache
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }}
+          restore-keys: ${{ runner.os }}-nuget-
+
+      - name: Install Apache Ivy
+        run: curl https://downloads.apache.org/ant/ivy/2.5.1/apache-ivy-2.5.1-bin.tar.gz | tar xOz apache-ivy-2.5.1/ivy-2.5.1.jar > /usr/share/ant/lib/ivy.jar
+
+      - name: Checkout Smoke Test Repo
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          repository: ${{ matrix.language.repo }}
+          path: smoke-test-repo
+      
+      - name: Restore Smoke Test NuGet Packages
+        if: ${{ matrix.language.name == 'NuGet'}}
+        working-directory: smoke-test-repo/src
+        run: dotnet restore
+
+      - name: Run Smoke Test
+        working-directory: src/Microsoft.ComponentDetection
+        run: |
+          for i in $(seq 1 10); do
+              dotnet run -c Release -- scan --SourceDirectory ${{ github.workspace }}/smoke-test-repo --Verbosity Verbose || exit 1
+          done
+
+  create-issue:
+    runs-on: ubuntu-latest
+    needs: smoke-test
+    name: Create Issue
+    if: always() && github.event_name == 'schedule' && needs.smoke-test.result == 'failure'
+    permissions:
+      issues: write
+    steps:
+      - name: Create GitHub Issue
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
+        with:
+          script: |
+            const failed_tests = [];
+            const jobs = await github.rest.actions.listJobsForWorkflowRun({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: context.runId,
+            });
+            for (const job of jobs.data.jobs) {
+              if (job.status === 'completed' && job.conclusion === 'failure') {
+                failed_tests.push('* ' + job.name);
+              }
+            }
+            const issue_body = `# :x: Smoke Test Failure\nThe following smoke tests failed:\n\n${failed_tests.join('\n')}\n\n[View Run](${context.payload.repository.html_url}/actions/runs/${context.runId})\n\ncc: @microsoft/ose-component-detection-maintainers`;
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: 'Smoke Test Failure',
+              body: issue_body,
+              labels: ['bug']
+            })
@@ -18,13 +18,13 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
 
       - name: Setup .NET Core
-        uses: actions/setup-dotnet@v3
+        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # v3
 
       - name: Setup NuGet cache
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }}
@@ -55,7 +55,7 @@ jobs:
                                                  --DetectorArgs DockerReference=EnableIfDefaultOff,SPDX22SBOM=EnableIfDefaultOff
 
       - name: Upload output folder
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3
         with:
           name: release-snapshot-output-${{ matrix.os }}
           path: ${{ github.workspace }}/output
@@ -14,14 +14,14 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
 
       - name: Make release snapshot output directory
         run: mkdir ${{ github.workspace }}/release-output
 
       - name: Get latest release snapshot download url
         id: download-latest-release-snapshot
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
         with:
           result-encoding: string
           script: |
@@ -47,10 +47,10 @@ jobs:
           rm output.zip
 
       - name: Setup .NET Core
-        uses: actions/setup-dotnet@v3
+        uses: actions/setup-dotnet@607fce577a46308457984d59e4954e075820f10a # v3
 
       - name: Setup NuGet cache
-        uses: actions/cache@v3
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', '**/*.props') }}
@@ -98,7 +98,7 @@ jobs:
           ALLOWED_TIME_DRIFT_RATIO: ".75"
 
       - name: Upload logs
-        uses: actions/[email protected]
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         if: ${{ !cancelled() }}
         with:
           name: verify-snapshot-output-${{ matrix.os }}
 
@@ -31,15 +31,16 @@
     <PackageVersion Include="Polly" Version="7.2.3" />
     <PackageVersion Include="SemanticVersioning" Version="2.0.2" />
     <PackageVersion Include="Serilog" Version="2.12.0" />
-    <PackageVersion Include="Serilog.Extensions.Hosting" Version="5.0.1" />
-    <PackageVersion Include="Serilog.Extensions.Logging" Version="3.1.0" />
+    <PackageVersion Include="Serilog.Extensions.Hosting" Version="7.0.0" />
+    <PackageVersion Include="Serilog.Extensions.Logging" Version="7.0.0" />
     <PackageVersion Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageVersion Include="Serilog.Sinks.Console" Version="4.1.0" />
     <PackageVersion Include="Serilog.Sinks.File" Version="5.0.0" />
     <PackageVersion Include="StyleCop.Analyzers" Version="1.2.0-beta.435" />
     <PackageVersion Include="System.Memory" Version="4.5.5" />
     <PackageVersion Include="System.Reactive" Version="5.0.0" />
     <PackageVersion Include="System.Runtime.Loader" Version="4.3.0" />
+    <PackageVersion Include="System.Text.Json" Version="6.0.7" />
     <PackageVersion Include="System.Threading.Tasks.Dataflow" Version="7.0.0" />
     <PackageVersion Include="Tomlyn.Signed" Version="0.16.2" />
     <PackageVersion Include="yamldotnet" Version="13.1.0" />
 
@@ -10,6 +10,6 @@ Otherwise, the Go detector uses go-cli command: `go list -m all` to discover Go
 ## `PyPiMaxCacheEntries`
 
 The environment variable `PyPiMaxCacheEntries` is used to control the size of the in-memory LRU cache that caches responses from PyPi.
-The default value is 128.
+The default value is 4096.
 
 [1]: https://go.dev/ref/mod#go-mod-graph
@@ -1,4 +1,7 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:base"]
-}
+  "extends": [
+    "config:base",
+    "helpers:pinGitHubActionDigests"
+  ]
+}
@@ -4,6 +4,7 @@ namespace Microsoft.ComponentDetection.Common;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 using Docker.DotNet;
@@ -12,7 +13,6 @@ namespace Microsoft.ComponentDetection.Common;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.BcdeModels;
 using Microsoft.Extensions.Logging;
-using Newtonsoft.Json;
 
 public class DockerService : IDockerService
 {
@@ -52,7 +52,7 @@ public async Task<bool> CanRunLinuxContainersAsync(CancellationToken cancellatio
         try
         {
             var systemInfoResponse = await Client.System.GetSystemInfoAsync(cancellationToken);
-            record.SystemInfo = JsonConvert.SerializeObject(systemInfoResponse);
+            record.SystemInfo = JsonSerializer.Serialize(systemInfoResponse);
             return string.Equals(systemInfoResponse.OSType, "linux", StringComparison.OrdinalIgnoreCase);
         }
         catch (Exception e)
@@ -72,7 +72,7 @@ public async Task<bool> ImageExistsLocallyAsync(string image, CancellationToken
         try
         {
             var imageInspectResponse = await Client.Images.InspectImageAsync(image, cancellationToken);
-            record.ImageInspectResponse = JsonConvert.SerializeObject(imageInspectResponse);
+            record.ImageInspectResponse = JsonSerializer.Serialize(imageInspectResponse);
             return true;
         }
         catch (Exception e)
@@ -97,10 +97,10 @@ public async Task<bool> TryPullImageAsync(string image, CancellationToken cancel
             var createImageProgress = new List<string>();
             var progress = new Progress<JSONMessage>(message =>
             {
-                createImageProgress.Add(JsonConvert.SerializeObject(message));
+                createImageProgress.Add(JsonSerializer.Serialize(message));
             });
             await Client.Images.CreateImageAsync(parameters, null, progress, cancellationToken);
-            record.CreateImageProgress = JsonConvert.SerializeObject(createImageProgress);
+            record.CreateImageProgress = JsonSerializer.Serialize(createImageProgress);
             return true;
         }
         catch (Exception e)
@@ -119,7 +119,7 @@ public async Task<ContainerDetails> InspectImageAsync(string image, Cancellation
         try
         {
             var imageInspectResponse = await Client.Images.InspectImageAsync(image, cancellationToken);
-            record.ImageInspectResponse = JsonConvert.SerializeObject(imageInspectResponse);
+            record.ImageInspectResponse = JsonSerializer.Serialize(imageInspectResponse);
 
             var baseImageRef = string.Empty;
             var baseImageDigest = string.Empty;
@@ -162,11 +162,11 @@ public async Task<ContainerDetails> InspectImageAsync(string image, Cancellation
         using var record = new DockerServiceTelemetryRecord
         {
             Image = image,
-            Command = JsonConvert.SerializeObject(command),
+            Command = JsonSerializer.Serialize(command),
         };
         await this.TryPullImageAsync(image, cancellationToken);
         var container = await CreateContainerAsync(image, command, cancellationToken);
-        record.Container = JsonConvert.SerializeObject(container);
+        record.Container = JsonSerializer.Serialize(container);
         var stream = await AttachContainerAsync(container.ID, cancellationToken);
         await StartContainerAsync(container.ID, cancellationToken);
         var (stdout, stderr) = await stream.ReadOutputToEndAsync(cancellationToken);