dependabot-core 0.76.1

data/lib/dependabot/file_parsers/dotnet/nuget/packages_config_parser.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/dotnet/nuget"
+
+# For details on packages.config files see:
+# https://docs.microsoft.com/en-us/nuget/reference/packages-config
+module Dependabot
+  module FileParsers
+    module Dotnet
+      class Nuget
+        class PackagesConfigParser
+          require "dependabot/file_parsers/base/dependency_set"
+
+          DEPENDENCY_SELECTOR = "packages > package"
+
+          def initialize(packages_config:)
+            @packages_config = packages_config
+          end
+
+          def dependency_set
+            dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+            doc = Nokogiri::XML(packages_config.content)
+            doc.remove_namespaces!
+            doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
+              dependency_set <<
+                Dependency.new(
+                  name: dependency_name(dependency_node),
+                  version: dependency_version(dependency_node),
+                  package_manager: "nuget",
+                  requirements: [{
+                    requirement: dependency_version(dependency_node),
+                    file: packages_config.name,
+                    groups: [],
+                    source: nil
+                  }]
+                )
+            end
+
+            dependency_set
+          end
+
+          private
+
+          attr_reader :packages_config
+
+          def dependency_name(dependency_node)
+            dependency_node.attribute("id")&.value&.strip ||
+              dependency_node.at_xpath("./id")&.content&.strip
+          end
+
+          def dependency_version(dependency_node)
+            # Ranges and wildcards aren't allowed in a packages.config - the
+            # specified requirement is always an exact version.
+            dependency_node.attribute("version")&.value&.strip ||
+              dependency_node.at_xpath("./version")&.content&.strip
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/dotnet/nuget/project_file_parser.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/dotnet/nuget"
+
+# For details on how dotnet handles version constraints, see:
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning
+module Dependabot
+  module FileParsers
+    module Dotnet
+      class Nuget
+        class ProjectFileParser
+          require "dependabot/file_parsers/base/dependency_set"
+          require_relative "property_value_finder"
+
+          DEPENDENCY_SELECTOR = "ItemGroup > PackageReference, "\
+                                "ItemGroup > Dependency, "\
+                                "ItemGroup > DevelopmentDependency"
+
+          PROPERTY_REGEX      = /\$\((?<property>.*?)\)/.freeze
+
+          def initialize(dependency_files:)
+            @dependency_files = dependency_files
+          end
+
+          def dependency_set(project_file:)
+            dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+            doc = Nokogiri::XML(project_file.content)
+            doc.remove_namespaces!
+            doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
+              name = dependency_name(dependency_node, project_file)
+              req = dependency_requirement(dependency_node, project_file)
+              version = dependency_version(dependency_node, project_file)
+              prop_name = req_property_name(dependency_node)
+
+              dependency =
+                build_dependency(name, req, version, prop_name, project_file)
+              dependency_set << dependency if dependency
+            end
+
+            dependency_set
+          end
+
+          private
+
+          attr_reader :dependency_files
+
+          def build_dependency(name, req, version, prop_name, project_file)
+            return unless name
+
+            # Exclude any dependencies specified using interpolation
+            return if [name, req, version].any? { |s| s&.include?("%(") }
+
+            requirement = {
+              requirement: req,
+              file: project_file.name,
+              groups: [],
+              source: nil
+            }
+
+            if prop_name
+              # Get the root property name unless no details could be found,
+              # in which case use the top-level name to ease debugging
+              root_prop_name = details_for_property(prop_name, project_file)&.
+                               fetch(:root_property_name) || prop_name
+              requirement[:metadata] = { property_name: root_prop_name }
+            end
+
+            Dependency.new(
+              name: name,
+              version: version,
+              package_manager: "nuget",
+              requirements: [requirement]
+            )
+          end
+
+          def dependency_name(dependency_node, project_file)
+            raw_name =
+              dependency_node.attribute("Include")&.value&.strip ||
+              dependency_node.at_xpath("./Include")&.content&.strip
+            return unless raw_name
+
+            evaluated_value(raw_name, project_file)
+          end
+
+          def dependency_requirement(dependency_node, project_file)
+            raw_requirement =
+              dependency_node.attribute("Version")&.value&.strip ||
+              dependency_node.at_xpath("./Version")&.content&.strip
+            return unless raw_requirement
+
+            evaluated_value(raw_requirement, project_file)
+          end
+
+          def dependency_version(dependency_node, project_file)
+            requirement = dependency_requirement(dependency_node, project_file)
+            return unless requirement
+
+            # Remove brackets if present
+            version = requirement.gsub(/[\(\)\[\]]/, "").strip
+
+            # We don't know the version for range requirements or wildcard
+            # requirements, so return `nil` for these.
+            return if version.include?(",") || version.include?("*") ||
+                      version == ""
+
+            version
+          end
+
+          def req_property_name(dependency_node)
+            raw_requirement =
+              dependency_node.attribute("Version")&.value&.strip ||
+              dependency_node.at_xpath("./Version")&.content&.strip
+            return unless raw_requirement
+
+            return unless raw_requirement.match?(PROPERTY_REGEX)
+
+            raw_requirement.
+              match(PROPERTY_REGEX).
+              named_captures.fetch("property")
+          end
+
+          def evaluated_value(value, project_file)
+            return value unless value.match?(PROPERTY_REGEX)
+
+            property_name = value.match(PROPERTY_REGEX).
+                            named_captures.fetch("property")
+            property_details = details_for_property(property_name, project_file)
+
+            # Don't halt parsing for a missing property value until we're
+            # confident we're fetching property values correctly
+            return value unless property_details&.fetch(:value)
+
+            value.gsub(PROPERTY_REGEX, property_details&.fetch(:value))
+          end
+
+          def details_for_property(property_name, project_file)
+            property_value_finder.
+              property_details(
+                property_name: property_name,
+                callsite_file: project_file
+              )
+          end
+
+          def property_value_finder
+            @property_value_finder ||=
+              PropertyValueFinder.new(dependency_files: dependency_files)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/dotnet/nuget/property_value_finder.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers/dotnet/nuget/import_paths_finder"
+require "dependabot/file_parsers/dotnet/nuget"
+
+# For docs, see:
+# - https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-properties
+# - https://docs.microsoft.com/en-us/visualstudio/msbuild/customize-your-build
+module Dependabot
+  module FileParsers
+    module Dotnet
+      class Nuget
+        class PropertyValueFinder
+          PROPERTY_REGEX = /\$\((?<property>.*?)\)/.freeze
+
+          def initialize(dependency_files:)
+            @dependency_files = dependency_files
+          end
+
+          def property_details(property_name:, callsite_file:, stack: [])
+            stack += [[property_name, callsite_file.name]]
+
+            node_details = deep_find_prop_node(
+              property: property_name,
+              file: callsite_file
+            )
+
+            node_details ||=
+              find_property_in_directory_build_props(
+                property: property_name,
+                callsite_file: callsite_file
+              )
+
+            return unless node_details
+            return node_details unless node_details[:value] =~ PROPERTY_REGEX
+
+            check_next_level_of_stack(node_details, stack)
+          end
+
+          def check_next_level_of_stack(node_details, stack)
+            property_name = node_details.fetch(:value).
+                            match(PROPERTY_REGEX).
+                            named_captures.fetch("property")
+            callsite_file = dependency_files.
+                            find { |f| f.name == node_details.fetch(:file) }
+
+            if stack.include?([property_name, callsite_file.name])
+              raise "Circular reference!"
+            end
+
+            property_details(
+              property_name: property_name,
+              callsite_file: callsite_file,
+              stack: stack
+            )
+          end
+
+          private
+
+          attr_reader :dependency_files
+
+          def deep_find_prop_node(property:, file:)
+            doc = Nokogiri::XML(file.content)
+            doc.remove_namespaces!
+            node = doc.at_xpath(property_xpath(property))
+
+            # If we found a value for the property, return it
+            if node
+              return node_details(file: file, node: node, property: property)
+            end
+
+            # Otherwise, we need to look in an imported file
+            import_path_finder =
+              FileFetchers::Dotnet::Nuget::ImportPathsFinder.
+              new(project_file: file)
+
+            import_paths = [
+              *import_path_finder.import_paths,
+              *import_path_finder.project_reference_paths
+            ]
+
+            file = import_paths.
+                   map { |p| dependency_files.find { |f| f.name == p } }.
+                   compact.
+                   find { |f| deep_find_prop_node(property: property, file: f) }
+
+            return unless file
+
+            deep_find_prop_node(property: property, file: file)
+          end
+
+          def find_property_in_directory_build_props(property:, callsite_file:)
+            file = buildfile_for_project(callsite_file)
+            return unless file
+
+            deep_find_prop_node(property: property, file: file)
+          end
+
+          def buildfile_for_project(project_file)
+            dir = File.dirname(project_file.name)
+
+            # Nuget walks up the directory structure looking for a
+            # Directory.Build.props file
+            possible_paths = dir.split("/").map.with_index do |_, i|
+              base = dir.split("/").first(i + 1).join("/")
+              Pathname.new(base + "/Directory.Build.props").cleanpath.to_path
+            end.reverse + ["Directory.Build.props"]
+
+            path = possible_paths.uniq.
+                   find { |p| dependency_files.find { |f| f.name == p } }
+
+            dependency_files.find { |f| f.name == path }
+          end
+
+          def property_xpath(property_name)
+            "/Project/PropertyGroup/#{property_name}"
+          end
+
+          def node_details(file:, node:, property:)
+            {
+              file: file.name,
+              node: node,
+              value: node.content.strip,
+              root_property_name: property
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/elixir/hex.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+require "dependabot/file_fetchers/elixir/hex"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+# For docs, see https://hexdocs.pm/mix/Mix.Tasks.Deps.html
+module Dependabot
+  module FileParsers
+    module Elixir
+      class Hex < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+
+        def parse
+          dependency_set = DependencySet.new
+
+          dependency_details.each do |dep|
+            git_dependency = dep["source"]&.fetch("type") == "git"
+
+            dependency_set <<
+              Dependency.new(
+                name: dep["name"],
+                version: git_dependency ? dep["checksum"] : dep["version"],
+                requirements: [{
+                  requirement: dep["requirement"],
+                  groups: dep["groups"],
+                  source: dep["source"] && symbolize_keys(dep["source"]),
+                  file: dep["from"]
+                }],
+                package_manager: "hex"
+              )
+          end
+
+          dependency_set.dependencies.sort_by(&:name)
+        end
+
+        private
+
+        def dependency_details
+          SharedHelpers.in_a_temporary_directory do
+            write_sanitized_mixfiles
+            write_supporting_files
+            File.write("mix.lock", lockfile.content) if lockfile
+            FileUtils.cp(elixir_helper_parse_deps_path, "parse_deps.exs")
+
+            SharedHelpers.run_helper_subprocess(
+              env: mix_env,
+              command: "mix run #{elixir_helper_path}",
+              function: "parse",
+              args: [Dir.pwd],
+              popen_opts: { err: %i(child out) }
+            )
+          end
+        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => error
+          result_json =
+            error.message.lines.
+            drop_while { |l| !l.start_with?('{"result":') }.
+            join
+
+          if result_json.empty?
+            raise DependencyFileNotEvaluatable, error.message
+          end
+
+          JSON.parse(result_json).fetch("result")
+        end
+
+        def write_sanitized_mixfiles
+          mixfiles.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, sanitize_mixfile(file.content))
+          end
+        end
+
+        def write_supporting_files
+          dependency_files.select(&:support_file).each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+        end
+
+        def sanitize_mixfile(content)
+          content.
+            gsub(/File\.read!\(.*?\)/, '"0.0.1"').
+            gsub(/File\.read\(.*?\)/, '{:ok, "0.0.1"}')
+        end
+
+        def mix_env
+          {
+            "MIX_EXS" => File.join(project_root, "helpers/elixir/mix.exs"),
+            "MIX_LOCK" => File.join(project_root, "helpers/elixir/mix.lock"),
+            "MIX_DEPS" => File.join(project_root, "helpers/elixir/deps"),
+            "MIX_QUIET" => "1"
+          }
+        end
+
+        def elixir_helper_path
+          File.join(project_root, "helpers/elixir/bin/run.exs")
+        end
+
+        def elixir_helper_parse_deps_path
+          File.join(project_root, "helpers/elixir/bin/parse_deps.exs")
+        end
+
+        def required_files
+          Dependabot::FileFetchers::Elixir::Hex.required_files
+        end
+
+        def check_required_files
+          raise "No mixfile!" if mixfiles.none?
+        end
+
+        def project_root
+          File.join(File.dirname(__FILE__), "../../../..")
+        end
+
+        def symbolize_keys(hash)
+          Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
+        end
+
+        def mixfiles
+          dependency_files.select { |f| f.name.end_with?("mix.exs") }
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("mix.lock")
+        end
+      end
+    end
+  end
+end