v3.03 release

.azuredevops/pipelines/build-dcr-func.yml

@@ -10,9 +10,12 @@ trigger:
   - develop
   - main
   - releases/*  
-
+
+variables:
+  - group: PT-Pipeline-Common
+
 pool:
-  vmImage: windows-latest
+  vmImage: $(Pipeline_Host_Image)
 
 steps:
   - task: UseDotNet@2

.azuredevops/pipelines/build-dh-func.yml

@@ -9,10 +9,13 @@ schedules:
 trigger:
   - develop
   - main
-  - releases/*  
+  - releases/* 
+
+variables:
+  - group: PT-Pipeline-Common   
 
 pool:
-  vmImage: windows-latest
+  vmImage: $(Pipeline_Host_Image)
 
 steps:
   - task: UseDotNet@2

.azuredevops/pipelines/dotnet.yml

@@ -12,8 +12,11 @@ resources:
 trigger:
   - develop  
 
+variables:
+  - group: PT-Pipeline-Common
+
 pool:
-  vmImage: windows-2019
+  vmImage: $(Pipeline_Host_Image)
 
 steps:
 

.github/workflows/codeql-analysis.yml

@@ -55,11 +55,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell
     # 📚 https://git.io/JvXDl
@@ -84,4 +84,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/dotnet.yml

@@ -38,7 +38,7 @@ jobs:
 
     steps:
     - name: Checkout Data Recipient
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         path: ./mock-data-recipient
 
@@ -196,4 +196,3 @@ jobs:
       with:
         name: integration-test-artifacts
         path: ${{ github.workspace }}/mock-data-recipient/Source/DockerCompose/_temp/mock-register/tmp
-

.github/workflows/test-report.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
     - name: Publish Unit Test Report
       uses: dorny/test-reporter@v1
@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
     - name: Publish Integration Test Report
       uses: dorny/test-reporter@v1
@@ -39,7 +39,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
 
     - name: Publish e2e Test Report
       uses: dorny/test-reporter@v1

CHANGELOG.md

@@ -5,6 +5,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+## [3.0.3] - 2025-12-03
+### Fixed
+- Upgrade multiple packages to address vulnerabilities
+- Fixed issue where SSA response could not be processed due to quotes in the response
+- Fix casing for the claims and other elements in JWT
+
 ## [3.0.2] - 2025-08-06
 ### Fixed
 - Fixed issue where some claims in the PAR request were not sent in lowercase.

Source/CDR.DCR/CDR.DCR.csproj

@@ -14,7 +14,7 @@
 	  <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.22.0" />
 	  <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.17.4" />
 	  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.3.2" />
-	  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues" Version="5.4.0" />
+	  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues" Version="5.5.3" />
 	  <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
   </ItemGroup>
   <ItemGroup>

Source/CDR.DCR/DCROptions.cs

@@ -2,7 +2,6 @@
 {
     public class DcrOptions
     {
-        public string AzureWebJobsStorage { get; set; }
         public string StorageConnectionString { get; set; }
         public string FUNCTIONS_WORKER_RUNTIME { get; set; }
         public string DataRecipient_DB_ConnectionString { get; set; }

Source/CDR.DCR/Properties/serviceDependencies.json

@@ -4,8 +4,8 @@
       "type": "appInsights"
     },
     "storage1": {
-      "type": "storage",
-      "connectionId": "AzureWebJobsStorage"
+        "type": "storage",
+        "connectionId": "StorageConnectionString"
     }
   }
 }

Source/CDR.DCR/Properties/serviceDependencies.local.json

@@ -1,8 +1,8 @@
 {
   "dependencies": {
     "storage1": {
-      "type": "storage.emulator",
-      "connectionId": "AzureWebJobsStorage"
+        "type": "storage.emulator",
+        "connectionId": "StorageConnectionString"
     }
   }
 }

Source/CDR.DCR/appsettings.docker.json

@@ -1,5 +1,4 @@
 {
-  "AzureWebJobsStorage": "UseDevelopmentStorage=true",
   "StorageConnectionString": "UseDevelopmentStorage=true",
   "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
   "DataRecipient_DB_ConnectionString": "Server=(localdb)\\MSSQLLocalDB;Database=cdr-mdr;Integrated Security=true",

Source/CDR.DCR/local.settings.json

@@ -1,7 +1,6 @@
 {
   "IsEncrypted": false,
   "Values": {
-    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
     "StorageConnectionString": "UseDevelopmentStorage=true",
     "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
     "DataRecipient_DB_ConnectionString": "Server=(localdb)\\MSSQLLocalDB;Database=cdr-mdr;Integrated Security=true",

Source/CDR.DataRecipient.E2ETests/CDR.DataRecipient.E2ETests.csproj

@@ -21,17 +21,17 @@
     </Content>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.12.0" />
+    <PackageReference Include="Azure.Identity" Version="1.17.0" />
     <PackageReference Include="FluentAssertions" Version="6.12.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
     <PackageReference Include="Microsoft.Playwright" Version="1.43.0" />
-    <PackageReference Include="xunit" Version="2.9.0" />
+    <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="6.0.2">
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>

Source/CDR.DataRecipient.IntegrationTests/CDR.DataRecipient.IntegrationTests.csproj

@@ -11,20 +11,20 @@
     <None Remove="appsettings.Release.json" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.12.0" />
+    <PackageReference Include="Azure.Identity" Version="1.17.0" />
     <PackageReference Include="FluentAssertions" Version="6.12.0" />
-    <PackageReference Include="jose-jwt" Version="5.0.0" />
+    <PackageReference Include="jose-jwt" Version="5.2.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.0.0" />
     <PackageReference Include="Moq" Version="4.20.70" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.0.0" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
-    <PackageReference Include="xunit" Version="2.9.0" />
+    <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="coverlet.collector" Version="6.0.2">
+    <PackageReference Include="coverlet.collector" Version="6.0.4">
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>

Source/CDR.DataRecipient.Repository.SQL/CDR.DataRecipient.Repository.SQL.csproj

@@ -19,7 +19,7 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
     <PackageReference Include="SonarAnalyzer.CSharp" Version="9.32.0.97167">
         <PrivateAssets>all</PrivateAssets>
         <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

Source/CDR.DataRecipient.SDK/CDR.DataRecipient.SDK.csproj

@@ -7,12 +7,12 @@
 	<GenerateDocumentationFile>True</GenerateDocumentationFile>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="jose-jwt" Version="5.0.0" />
+    <PackageReference Include="jose-jwt" Version="5.2.0" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
     <PackageReference Include="Microsoft.Extensions.Logging" Version="8.0.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
     <PackageReference Include="SonarAnalyzer.CSharp" Version="9.32.0.97167">
         <PrivateAssets>all</PrivateAssets>
         <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

Source/CDR.DataRecipient.SDK/Models/Certificate.cs

@@ -1,4 +1,4 @@
-using System.Net;
+using System;
 using System.Net.Http;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading.Tasks;
@@ -15,11 +15,14 @@
 
         public string Password { get; set; }
 
+        public string KVSecretsStorePath { get; set; }
+
         public X509Certificate2 X509Certificate
         {
             get
             {
-                if (this._certificate != null)
+                // if we already have a cert return it. But for KVSecretsStorePath we always fetch a new one incase cert was updated.
+                if (this._certificate != null && string.IsNullOrEmpty(this.KVSecretsStorePath))
                 {
                     return this._certificate;
                 }
@@ -28,12 +31,20 @@
                 {
                     this._certificate = new X509Certificate2(this.Path, this.Password, X509KeyStorageFlags.Exportable);
                 }
-
-                if (!string.IsNullOrEmpty(this.Url) && !string.IsNullOrEmpty(this.Password))
+                else if (!string.IsNullOrEmpty(this.Url) && !string.IsNullOrEmpty(this.Password))
                 {
                     // Retrieve the raw bytes from the URL value.
                     this._certificate = new X509Certificate2(DownloadData(this.Url), this.Password, X509KeyStorageFlags.Exportable);
                 }
+                else if (!string.IsNullOrEmpty(this.KVSecretsStorePath))
+                {
+                    var certString = System.IO.File.ReadAllText(this.KVSecretsStorePath);
+
+                    // The cert loaded into the volume by secrets-store-csi-driver-provider-azure is in base64
+                    var certBytes = Convert.FromBase64String(certString);
+
+                    this._certificate = new X509Certificate2(certBytes, string.Empty, X509KeyStorageFlags.Exportable);
+                }
 
                 return this._certificate;
             }

Source/CDR.DataRecipient.SDK/Services/Register/InfosecService.cs

@@ -48,15 +48,30 @@ public async Task<Response<OidcDiscovery>> GetOidcDiscovery(string registerOidcC
 
             this.Logger.LogDebug($"Request received to {nameof(InfosecService)}.{nameof(this.GetOidcDiscovery)}.");
 
+            this.Logger.LogDebug($"Attempting register oidc config.");
+
+            this.Logger.LogDebug("Oidc uri: {Uri}.", registerOidcConfigEndpoint);
+
             var client = this.GetHttpClient();
             var configResponse = await client.GetAsync(this.EnsureValidEndpoint(registerOidcConfigEndpoint));
 
-            oidcResponse.StatusCode = configResponse.StatusCode;
+            this.Logger.LogDebug($"Oidc config call completed.");
+
+            if (configResponse == null)
+            {
+                this.Logger.LogDebug($"Oidc config response is null");
+            }
 
-            if (configResponse.IsSuccessStatusCode)
+            if (configResponse != null)
             {
-                var body = await configResponse.Content.ReadAsStringAsync();
-                oidcResponse.Data = Newtonsoft.Json.JsonConvert.DeserializeObject<OidcDiscovery>(body);
+                this.Logger.LogDebug("Oidc response: {StatusCode}.", configResponse.StatusCode);
+                oidcResponse.StatusCode = configResponse.StatusCode;
+
+                if (configResponse.IsSuccessStatusCode)
+                {
+                    var body = await configResponse.Content.ReadAsStringAsync();
+                    oidcResponse.Data = Newtonsoft.Json.JsonConvert.DeserializeObject<OidcDiscovery>(body);
+                }
             }
 
             return oidcResponse;

Source/CDR.DataRecipient.SDK/Services/Register/SsaService.cs

@@ -45,6 +45,8 @@ public async Task<Response<string>> GetSoftwareStatementAssertion(
             var response = await client.GetAsync(this.EnsureValidEndpoint(ssaEndpoint));
             var body = await response.Content.ReadAsStringAsync();
 
+            body = body.Replace("\"", string.Empty);
+
             this.Logger.LogDebug("Get SSA Response: {StatusCode}.  Body: {Body}", response.StatusCode, body);
 
             ssaResponse.StatusCode = response.StatusCode;

Source/CDR.DataRecipient.Web/CDR.DataRecipient.Web.csproj

@@ -18,7 +18,7 @@
     </Content>
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.12.0" />
+    <PackageReference Include="Azure.Identity" Version="1.17.0" />
     <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
     <PackageReference Include="Microsoft.FeatureManagement.AspNetCore" Version="3.4.0" />
     <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="8.0.0" />
@@ -27,7 +27,7 @@
     <PackageReference Include="Serilog.Enrichers.Process" Version="3.0.0" />
     <PackageReference Include="Serilog.Enrichers.Thread" Version="4.0.0" />
     <PackageReference Include="Serilog.Settings.Configuration" Version="8.0.2" />
-    <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
+    <PackageReference Include="Serilog.Sinks.Console" Version="6.1.1" />
     <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
     <PackageReference Include="Serilog.Sinks.MSSqlServer" Version="7.0.0" />
     <PackageReference Include="Swashbuckle.AspNetCore.SwaggerUI" Version="6.6.2" />

Source/CDR.DataRecipient.Web/appsettings.json

@@ -33,7 +33,9 @@
       "clientCertificate": {
         "path": "Certificates/client.pfx",
         "password": "#M0ckDataRecipient#",
-        "url": ""
+        "url": "",
+        "kvSecretsStorePath":""
+
       },
       "signingCertificate": {
         "Path": "Certificates/jwks.pfx",

Source/CDR.DiscoverDataHolders/CDR.DiscoverDataHolders.csproj

@@ -11,7 +11,7 @@
   </PropertyGroup>
   <ItemGroup>
 	  <FrameworkReference Include="Microsoft.AspNetCore.App" />
-	  <PackageReference Include="Azure.Storage.Queues" Version="12.19.0" />
+	  <PackageReference Include="Azure.Storage.Queues" Version="12.24.0" />
 	  <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.22.0" />
 	  <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.17.4" />
 	  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.3.2" />

Source/CDR.DiscoverDataHolders/DHOptions.cs

@@ -4,7 +4,6 @@ public class DHOptions
     {
         public string DataRecipient_DB_ConnectionString { get; set; }
         public string DataRecipient_Logging_DB_ConnectionString { get; set; }
-        public string AzureWebJobsStorage { get; set; }
         public string StorageConnectionString { get; set; }
         public string FUNCTIONS_WORKER_RUNTIME { get; set; }
         public string Register_Token_Endpoint { get; set; }

Source/CDR.DiscoverDataHolders/Properties/serviceDependencies.json

@@ -4,8 +4,8 @@
       "type": "appInsights"
     },
     "storage1": {
-      "type": "storage",
-      "connectionId": "AzureWebJobsStorage"
+        "type": "storage",
+        "connectionId": "StorageConnectionString"
     }
   }
 }