dependabot-core 0.76.1

data/lib/dependabot/file_updaters/base.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module FileUpdaters
+    class Base
+      attr_reader :dependencies, :dependency_files, :credentials
+
+      def self.updated_files_regex
+        raise NotImplementedError
+      end
+
+      def initialize(dependencies:, dependency_files:, credentials:)
+        @dependencies = dependencies
+        @dependency_files = dependency_files
+        @credentials = credentials
+
+        check_required_files
+      end
+
+      def updated_dependency_files
+        raise NotImplementedError
+      end
+
+      private
+
+      def check_required_files
+        raise NotImplementedError
+      end
+
+      def get_original_file(filename)
+        dependency_files.find { |f| f.name == filename }
+      end
+
+      def file_changed?(file)
+        dependencies.any? { |dep| requirement_changed?(file, dep) }
+      end
+
+      def requirement_changed?(file, dependency)
+        changed_requirements =
+          dependency.requirements - dependency.previous_requirements
+
+        changed_requirements.any? { |f| f[:file] == file.name }
+      end
+
+      def updated_file(file:, content:)
+        updated_file = file.dup
+        updated_file.content = content
+        updated_file
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/docker/docker.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/base"
+require "dependabot/errors"
+
+module Dependabot
+  module FileUpdaters
+    module Docker
+      class Docker < Dependabot::FileUpdaters::Base
+        FROM_REGEX = /[Ff][Rr][Oo][Mm]/.freeze
+
+        def self.updated_files_regex
+          [/dockerfile/]
+        end
+
+        def updated_dependency_files
+          updated_files = []
+
+          dependency_files.each do |file|
+            next unless requirement_changed?(file, dependency)
+
+            updated_files <<
+              updated_file(
+                file: file,
+                content: updated_dockerfile_content(file)
+              )
+          end
+
+          updated_files.reject! { |f| dependency_files.include?(f) }
+          raise "No files changed!" if updated_files.none?
+
+          updated_files
+        end
+
+        private
+
+        def dependency
+          # Dockerfiles will only ever be updating a single dependency
+          dependencies.first
+        end
+
+        def check_required_files
+          # Just check if there are any files at all.
+          return if dependency_files.any?
+
+          raise "No Dockerfile!"
+        end
+
+        def updated_dockerfile_content(file)
+          updated_content =
+            if specified_with_digest?(file)
+              update_digest_and_tag(file)
+            else
+              update_tag(file)
+            end
+
+          raise "Expected content to change!" if updated_content == file.content
+
+          updated_content
+        end
+
+        def update_digest_and_tag(file)
+          old_declaration_regex = /^#{FROM_REGEX}\s+.*@#{old_digest(file)}/
+
+          file.content.gsub(old_declaration_regex) do |old_dec|
+            old_dec.
+              gsub("@#{old_digest(file)}", "@#{new_digest(file)}").
+              gsub(":#{dependency.previous_version}",
+                   ":#{dependency.version}")
+          end
+        end
+
+        def update_tag(file)
+          return unless old_tag(file)
+
+          old_declaration =
+            if private_registry_url(file) then "#{private_registry_url(file)}/"
+            else ""
+            end
+          old_declaration += "#{dependency.name}:#{old_tag(file)}"
+          escaped_declaration = Regexp.escape(old_declaration)
+
+          old_declaration_regex = /^#{FROM_REGEX}\s+#{escaped_declaration}/
+
+          file.content.gsub(old_declaration_regex) do |old_dec|
+            old_dec.gsub(":#{old_tag(file)}", ":#{new_tag(file)}")
+          end
+        end
+
+        def specified_with_digest?(file)
+          dependency.
+            requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:source)[:digest]
+        end
+
+        def new_digest(file)
+          return unless specified_with_digest?(file)
+
+          dependency.requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:source).fetch(:digest)
+        end
+
+        def old_digest(file)
+          return unless specified_with_digest?(file)
+
+          dependency.previous_requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:source).fetch(:digest)
+        end
+
+        def new_tag(file)
+          dependency.requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:source)[:tag]
+        end
+
+        def old_tag(file)
+          dependency.previous_requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:source)[:tag]
+        end
+
+        def private_registry_url(file)
+          dependency.requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:source)[:registry]
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/dotnet/nuget.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module FileUpdaters
+    module Dotnet
+      class Nuget < Dependabot::FileUpdaters::Base
+        require_relative "nuget/packages_config_declaration_finder"
+        require_relative "nuget/project_file_declaration_finder"
+        require_relative "nuget/property_value_updater"
+
+        def self.updated_files_regex
+          [
+            %r{^[^/]*\.[a-z]{2}proj$},
+            /^packages\.config$/i
+          ]
+        end
+
+        def updated_dependency_files
+          updated_files = dependency_files.dup
+
+          # Loop through each of the changed requirements, applying changes to
+          # all files for that change. Note that the logic is different here
+          # to other languages because donet has property inheritance across
+          # files
+          dependencies.each do |dependency|
+            updated_files = update_files_for_dependency(
+              files: updated_files,
+              dependency: dependency
+            )
+          end
+
+          updated_files.reject! { |f| dependency_files.include?(f) }
+
+          raise "No files changed!" if updated_files.none?
+
+          updated_files
+        end
+
+        private
+
+        def project_files
+          dependency_files.select { |df| df.name.match?(/\.[a-z]{2}proj$/) }
+        end
+
+        def packages_config_files
+          dependency_files.select do |f|
+            f.name.split("/").last.casecmp("packages.config").zero?
+          end
+        end
+
+        def check_required_files
+          return if project_files.any? || packages_config_files.any?
+
+          raise "No project file or packages.config!"
+        end
+
+        def update_files_for_dependency(files:, dependency:)
+          # The UpdateChecker ensures the order of requirements is preserved
+          # when updating, so we can zip them together in new/old pairs.
+          reqs = dependency.requirements.zip(dependency.previous_requirements).
+                 reject { |new_req, old_req| new_req == old_req }
+
+          # Loop through each changed requirement and update the files
+          reqs.each do |new_req, old_req|
+            raise "Bad req match" unless new_req[:file] == old_req[:file]
+            next if new_req[:requirement] == old_req[:requirement]
+
+            file = files.find { |f| f.name == new_req.fetch(:file) }
+
+            files =
+              if new_req.dig(:metadata, :property_name)
+                update_property_value(files, file, new_req)
+              else
+                update_declaration(files, dependency, file, old_req, new_req)
+              end
+          end
+
+          files
+        end
+
+        def update_property_value(files, file, req)
+          files = files.dup
+          property_name = req.fetch(:metadata).fetch(:property_name)
+
+          PropertyValueUpdater.
+            new(dependency_files: files).
+            update_files_for_property_change(
+              property_name: property_name,
+              updated_value: req.fetch(:requirement),
+              callsite_file: file
+            )
+        end
+
+        def update_declaration(files, dependency, file, old_req, new_req)
+          files = files.dup
+
+          updated_content = file.content
+
+          original_declarations(dependency, old_req).each do |old_dec|
+            updated_content = updated_content.gsub(
+              old_dec,
+              updated_declaration(old_dec, old_req, new_req)
+            )
+          end
+
+          raise "Expected content to change!" if updated_content == file.content
+
+          files[files.index(file)] =
+            updated_file(file: file, content: updated_content)
+          files
+        end
+
+        def original_declarations(dependency, requirement)
+          declaration_finder(dependency, requirement).declaration_strings
+        end
+
+        def declaration_finder(dependency, requirement)
+          @declaration_finders ||= {}
+
+          requirement_fn = requirement.fetch(:file)
+          @declaration_finders[dependency.hash + requirement.hash] ||=
+            if requirement_fn.split("/").last.casecmp("packages.config").zero?
+              PackagesConfigDeclarationFinder.new(
+                dependency_name: dependency.name,
+                declaring_requirement: requirement,
+                packages_config:
+                  packages_config_files.find { |f| f.name == requirement_fn }
+              )
+            else
+              ProjectFileDeclarationFinder.new(
+                dependency_name: dependency.name,
+                declaring_requirement: requirement,
+                dependency_files: dependency_files
+              )
+            end
+        end
+
+        def updated_declaration(old_declaration, previous_req, requirement)
+          original_req_string = previous_req.fetch(:requirement)
+
+          old_declaration.gsub(
+            original_req_string,
+            requirement.fetch(:requirement)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/dotnet/nuget/packages_config_declaration_finder.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/file_updaters/dotnet/nuget"
+
+module Dependabot
+  module FileUpdaters
+    module Dotnet
+      class Nuget
+        class PackagesConfigDeclarationFinder
+          DECLARATION_REGEX =
+            %r{<package [^>]*?/>|
+               <package [^>]*?[^/]>.*?</package>}mx.freeze
+
+          attr_reader :dependency_name, :declaring_requirement,
+                      :packages_config
+
+          def initialize(dependency_name:, packages_config:,
+                         declaring_requirement:)
+            @dependency_name        = dependency_name
+            @packages_config        = packages_config
+            @declaring_requirement  = declaring_requirement
+
+            if declaring_requirement[:file].split("/").last.
+               casecmp("packages.config").zero?
+              return
+            end
+
+            raise "Requirement not from packages.config!"
+          end
+
+          def declaration_strings
+            @declaration_strings ||= fetch_declaration_strings
+          end
+
+          def declaration_nodes
+            declaration_strings.map do |declaration_string|
+              Nokogiri::XML(declaration_string)
+            end
+          end
+
+          private
+
+          def fetch_declaration_strings
+            deep_find_declarations(packages_config.content).select do |nd|
+              node = Nokogiri::XML(nd)
+              node.remove_namespaces!
+              node = node.at_xpath("/package")
+
+              node_name = node.attribute("id")&.value&.strip ||
+                          node.at_xpath("./id")&.content&.strip
+              next false unless node_name == dependency_name
+
+              node_requirement = node.attribute("version")&.value&.strip ||
+                                 node.at_xpath("./version")&.content&.strip
+              node_requirement == declaring_requirement.fetch(:requirement)
+            end
+          end
+
+          def deep_find_declarations(string)
+            string.scan(DECLARATION_REGEX).flat_map do |matching_node|
+              [matching_node, *deep_find_declarations(matching_node[0..-2])]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/dotnet/nuget/project_file_declaration_finder.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/file_updaters/dotnet/nuget"
+
+module Dependabot
+  module FileUpdaters
+    module Dotnet
+      class Nuget
+        class ProjectFileDeclarationFinder
+          DECLARATION_REGEX =
+            %r{
+              <PackageReference [^>]*?/>|
+              <PackageReference [^>]*?[^/]>.*?</PackageReference>|
+              <Dependency [^>]*?/>|
+              <Dependency [^>]*?[^/]>.*?</Dependency>|
+              <DevelopmentDependency [^>]*?/>|
+              <DevelopmentDependency [^>]*?[^/]>.*?</DevelopmentDependency>
+            }mx.freeze
+
+          attr_reader :dependency_name, :declaring_requirement,
+                      :dependency_files
+
+          def initialize(dependency_name:, dependency_files:,
+                         declaring_requirement:)
+            @dependency_name       = dependency_name
+            @dependency_files      = dependency_files
+            @declaring_requirement = declaring_requirement
+          end
+
+          def declaration_strings
+            @declaration_strings ||= fetch_declaration_strings
+          end
+
+          def declaration_nodes
+            declaration_strings.map do |declaration_string|
+              Nokogiri::XML(declaration_string)
+            end
+          end
+
+          private
+
+          def fetch_declaration_strings
+            deep_find_declarations(declaring_file.content).select do |nd|
+              node = Nokogiri::XML(nd)
+              node.remove_namespaces!
+              node = node.at_xpath("/PackageReference") ||
+                     node.at_xpath("/Dependency") ||
+                     node.at_xpath("/DevelopmentDependency")
+
+              node_name = node.attribute("Include")&.value&.strip ||
+                          node.at_xpath("./Include")&.content&.strip
+              next false unless node_name == dependency_name
+
+              node_requirement = node.attribute("Version")&.value&.strip ||
+                                 node.at_xpath("./Version")&.content&.strip
+              node_requirement == declaring_requirement.fetch(:requirement)
+            end
+          end
+
+          def deep_find_declarations(string)
+            string.scan(DECLARATION_REGEX).flat_map do |matching_node|
+              [matching_node, *deep_find_declarations(matching_node[0..-2])]
+            end
+          end
+
+          def declaring_file
+            filename = declaring_requirement.fetch(:file)
+            declaring_file = dependency_files.find { |f| f.name == filename }
+            return declaring_file if declaring_file
+
+            raise "No file found with name #{filename}!"
+          end
+        end
+      end
+    end
+  end
+end