dependabot-core 0.76.1

data/lib/dependabot/update_checkers/dotnet/nuget/requirements_updater.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+#######################################################################
+# For more details on Dotnet version constraints, see:                #
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning #
+#######################################################################
+
+require "dependabot/update_checkers/dotnet/nuget"
+require "dependabot/utils/dotnet/version"
+
+module Dependabot
+  module UpdateCheckers
+    module Dotnet
+      class Nuget
+        class RequirementsUpdater
+          VERSION_REGEX = /[0-9a-zA-Z]+(?:\.[a-zA-Z0-9\-]+)*/.freeze
+
+          def initialize(requirements:, latest_version:, source_details:)
+            @requirements = requirements
+            @source_details = source_details
+            return unless latest_version
+
+            @latest_version = version_class.new(latest_version)
+          end
+
+          def updated_requirements
+            return requirements unless latest_version
+
+            # Note: Order is important here. The FileUpdater needs the updated
+            # requirement at index `i` to correspond to the previous requirement
+            # at the same index.
+            requirements.map do |req|
+              next req if req.fetch(:requirement).nil?
+              next req if req.fetch(:requirement).include?(",")
+
+              new_req =
+                if req.fetch(:requirement).include?("*")
+                  update_wildcard_requirement(req.fetch(:requirement))
+                else
+                  # Since range requirements are excluded by the line above we
+                  # can just do a `gsub` on anything that looks like a version
+                  req[:requirement].gsub(VERSION_REGEX, latest_version.to_s)
+                end
+
+              next req if new_req == req.fetch(:requirement)
+
+              req.merge(requirement: new_req, source: updated_source)
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :latest_version, :source_details
+
+          def version_class
+            Utils::Dotnet::Version
+          end
+
+          def update_wildcard_requirement(req_string)
+            precision = req_string.split("*").first.split(/\.|\-/).count
+            wilcard_section = req_string.partition(/(?=[.\-]\*)/).last
+
+            version_parts = latest_version.segments.first(precision)
+            version = version_parts.join(".")
+
+            version + wilcard_section
+          end
+
+          def updated_source
+            {
+              type: "nuget_repo",
+              url: source_details.fetch(:repo_url),
+              nuspec_url: source_details.fetch(:nuspec_url),
+              source_url: source_details.fetch(:source_url)
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/dotnet/nuget/version_finder.rb

@@ -0,0 +1,231 @@
+# frozen_string_literal: true
+
+require "excon"
+require "nokogiri"
+
+require "dependabot/utils/dotnet/version"
+require "dependabot/utils/dotnet/requirement"
+require "dependabot/update_checkers/dotnet/nuget"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module UpdateCheckers
+    module Dotnet
+      class Nuget
+        class VersionFinder
+          require_relative "repository_finder"
+
+          def initialize(dependency:, dependency_files:, credentials:,
+                         ignored_versions: [])
+            @dependency = dependency
+            @dependency_files = dependency_files
+            @credentials = credentials
+            @ignored_versions = ignored_versions
+          end
+
+          def latest_version_details
+            @latest_version_details ||=
+              begin
+                tmp_versions = versions
+                unless wants_prerelease?
+                  tmp_versions.reject! { |d| d.fetch(:version).prerelease? }
+                end
+                tmp_versions.reject! do |hash|
+                  ignore_reqs.any? { |r| r.satisfied_by?(hash.fetch(:version)) }
+                end
+                tmp_versions.max_by { |hash| hash.fetch(:version) }
+              end
+          end
+
+          def versions
+            available_v3_versions + available_v2_versions
+          end
+
+          attr_reader :dependency, :dependency_files, :credentials,
+                      :ignored_versions
+
+          private
+
+          def available_v3_versions
+            v3_nuget_listings.flat_map do |listing|
+              listing.
+                fetch("versions", []).
+                map do |v|
+                  nuspec_url =
+                    listing.fetch("listing_details").
+                    fetch(:versions_url).
+                    gsub(/index\.json$/, "#{v}/#{sanitized_name}.nuspec")
+
+                  {
+                    version: version_class.new(v),
+                    nuspec_url: nuspec_url,
+                    source_url: nil,
+                    repo_url:
+                      listing.fetch("listing_details").fetch(:repository_url)
+                  }
+                end
+            end
+          end
+
+          def available_v2_versions
+            v2_nuget_listings.flat_map do |listing|
+              body = listing.fetch("xml_body", [])
+              doc = Nokogiri::XML(body)
+              doc.remove_namespaces!
+
+              doc.xpath("/feed/entry").map do |entry|
+                listed = entry.at_xpath("./properties/Listed")&.content&.strip
+                next if listed&.casecmp("false")&.zero?
+
+                entry_details = dependency_details_from_v2_entry(entry)
+                entry_details.merge(
+                  repo_url: listing.fetch("listing_details").
+                            fetch(:repository_url)
+                )
+              end.compact
+            end
+          end
+
+          def dependency_details_from_v2_entry(entry)
+            version = entry.at_xpath("./properties/Version").content.strip
+            source_urls = []
+            [
+              entry.at_xpath("./properties/ProjectUrl").content,
+              entry.at_xpath("./properties/ReleaseNotes").content
+            ].join(" ").scan(Source::SOURCE_REGEX) do
+              source_urls << Regexp.last_match.to_s
+            end
+
+            source_url = source_urls.find { |url| Source.from_url(url) }
+            source_url = Source.from_url(source_url)&.url if source_url
+
+            {
+              version: version_class.new(version),
+              nuspec_url: nil,
+              source_url: source_url
+            }
+          end
+
+          def wants_prerelease?
+            if dependency.version &&
+               version_class.correct?(dependency.version) &&
+               version_class.new(dependency.version).prerelease?
+              return true
+            end
+
+            dependency.requirements.any? do |req|
+              reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)
+              reqs.any? { |r| r.include?("-") }
+            end
+          end
+
+          def v3_nuget_listings
+            return @v3_nuget_listings unless @v3_nuget_listings.nil?
+
+            dependency_urls.
+              select { |details| details.fetch(:repository_type) == "v3" }.
+              map do |url_details|
+                versions = versions_for_v3_repository(url_details)
+                next unless versions
+
+                { "versions" => versions, "listing_details" => url_details }
+              end.compact
+          end
+
+          def v2_nuget_listings
+            return @v2_nuget_listings unless @v2_nuget_listings.nil?
+
+            dependency_urls.
+              select { |details| details.fetch(:repository_type) == "v2" }.
+              map do |url_details|
+                response = Excon.get(
+                  url_details[:versions_url],
+                  headers: url_details[:auth_header],
+                  idempotent: true,
+                  **excon_defaults
+                )
+                next unless response.status == 200
+
+                {
+                  "xml_body" => response.body,
+                  "listing_details" => url_details
+                }
+              end.compact
+          end
+
+          def versions_for_v3_repository(repository_details)
+            # If we have a search URL we use it (since it will exclude unlisted
+            # versions)
+            if repository_details[:search_url]
+              response = Excon.get(
+                repository_details[:search_url],
+                headers: repository_details[:auth_header],
+                idempotent: true,
+                **excon_defaults
+              )
+              return unless response.status == 200
+
+              JSON.parse(response.body).fetch("data").
+                find { |d| d.fetch("id").casecmp(sanitized_name).zero? }&.
+                fetch("versions")&.
+                map { |d| d.fetch("version") }
+            # Otherwise, use the versions URL
+            elsif repository_details[:versions_url]
+              response = Excon.get(
+                repository_details[:versions_url],
+                headers: repository_details[:auth_header],
+                idempotent: true,
+                **excon_defaults
+              )
+              return unless response.status == 200
+
+              JSON.parse(response.body).fetch("versions")
+            end
+          end
+
+          def dependency_urls
+            @dependency_urls ||=
+              RepositoryFinder.new(
+                dependency: dependency,
+                credentials: credentials,
+                config_file: nuget_config
+              ).dependency_urls
+          end
+
+          def ignore_reqs
+            ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+          end
+
+          def nuget_config
+            @nuget_config ||=
+              dependency_files.find { |f| f.name.casecmp("nuget.config").zero? }
+          end
+
+          def sanitized_name
+            dependency.name.downcase
+          end
+
+          def version_class
+            Utils::Dotnet::Version
+          end
+
+          def requirement_class
+            Utils::Dotnet::Requirement
+          end
+
+          def excon_defaults
+            # For large JSON files we sometimes need a little longer than for
+            # other languages. For example, see:
+            # https://dotnet.myget.org/F/aspnetcore-dev/api/v3/query?
+            # q=microsoft.aspnetcore.mvc&prerelease=true
+            SharedHelpers.excon_defaults.merge(
+              connect_timeout: 10,
+              write_timeout: 10,
+              read_timeout: 10
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/elixir/hex.rb

@@ -0,0 +1,274 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/git_commit_checker"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+
+require "json"
+
+module Dependabot
+  module UpdateCheckers
+    module Elixir
+      class Hex < Dependabot::UpdateCheckers::Base
+        require_relative "hex/file_preparer"
+        require_relative "hex/requirements_updater"
+        require_relative "hex/version_resolver"
+
+        def latest_version
+          @latest_version ||=
+            if git_dependency?
+              latest_version_for_git_dependency
+            else
+              latest_release_from_hex_registry || latest_resolvable_version
+            end
+        end
+
+        def latest_resolvable_version
+          @latest_resolvable_version ||=
+            if git_dependency?
+              latest_resolvable_version_for_git_dependency
+            else
+              fetch_latest_resolvable_version(unlock_requirement: true)
+            end
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          @latest_resolvable_version_with_no_unlock ||=
+            if git_dependency?
+              latest_resolvable_commit_with_unchanged_git_source
+            else
+              fetch_latest_resolvable_version(unlock_requirement: false)
+            end
+        end
+
+        def updated_requirements
+          RequirementsUpdater.new(
+            requirements: dependency.requirements,
+            updated_source: updated_source,
+            latest_resolvable_version: latest_resolvable_version&.to_s
+          ).updated_requirements
+        end
+
+        private
+
+        def latest_version_resolvable_with_full_unlock?
+          # Full unlock checks aren't implemented for Elixir (yet)
+          false
+        end
+
+        def updated_dependencies_after_full_unlock
+          raise NotImplementedError
+        end
+
+        def latest_version_for_git_dependency
+          latest_git_version_sha
+        end
+
+        def latest_resolvable_version_for_git_dependency
+          # If the gem isn't pinned, the latest version is just the latest
+          # commit for the specified branch.
+          unless git_commit_checker.pinned?
+            return latest_resolvable_commit_with_unchanged_git_source
+          end
+
+          # If the dependency is pinned to a tag that looks like a version then
+          # we want to update that tag. The latest version will then be the SHA
+          # of the latest tag that looks like a version.
+          if git_commit_checker.pinned_ref_looks_like_version? &&
+             latest_git_tag_is_resolvable?
+            new_tag = git_commit_checker.local_tag_for_latest_version
+            return new_tag.fetch(:commit_sha)
+          end
+
+          # If the dependency is pinned then there's nothing we can do.
+          dependency.version
+        end
+
+        def latest_resolvable_commit_with_unchanged_git_source
+          fetch_latest_resolvable_version(unlock_requirement: false)
+        rescue SharedHelpers::HelperSubprocessFailed,
+               Dependabot::DependencyFileNotResolvable => error
+          # Resolution may fail, as Elixir updates straight to the tip of the
+          # branch. Just return `nil` if it does (so no update).
+          return if error.message.include?("resolution failed")
+
+          raise error
+        end
+
+        def git_dependency?
+          git_commit_checker.git_dependency?
+        end
+
+        def latest_git_version_sha
+          # If the gem isn't pinned, the latest version is just the latest
+          # commit for the specified branch.
+          unless git_commit_checker.pinned?
+            return git_commit_checker.head_commit_for_current_branch
+          end
+
+          # If the dependency is pinned to a tag that looks like a version then
+          # we want to update that tag. The latest version will then be the SHA
+          # of the latest tag that looks like a version.
+          if git_commit_checker.pinned_ref_looks_like_version?
+            latest_tag = git_commit_checker.local_tag_for_latest_version
+            return latest_tag&.fetch(:commit_sha) || dependency.version
+          end
+
+          # If the dependency is pinned to a tag that doesn't look like a
+          # version then there's nothing we can do.
+          dependency.version
+        end
+
+        def latest_git_tag_is_resolvable?
+          return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
+
+          @latest_git_tag_is_resolvable_checked = true
+
+          return false if git_commit_checker.local_tag_for_latest_version.nil?
+
+          replacement_tag = git_commit_checker.local_tag_for_latest_version
+
+          prepared_files = FilePreparer.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            replacement_git_pin: replacement_tag.fetch(:tag)
+          ).prepared_dependency_files
+
+          resolver_result = VersionResolver.new(
+            dependency: dependency,
+            prepared_dependency_files: prepared_files,
+            original_dependency_files: dependency_files,
+            credentials: credentials
+          ).latest_resolvable_version
+
+          @git_tag_resolvable = !resolver_result.nil?
+        rescue SharedHelpers::HelperSubprocessFailed,
+               Dependabot::DependencyFileNotResolvable => error
+          raise error unless error.message.include?("resolution failed")
+
+          @git_tag_resolvable = false
+        end
+
+        def updated_source
+          # Never need to update source, unless a git_dependency
+          return dependency_source_details unless git_dependency?
+
+          # Update the git tag if updating a pinned version
+          if git_commit_checker.pinned_ref_looks_like_version? &&
+             latest_git_tag_is_resolvable?
+            new_tag = git_commit_checker.local_tag_for_latest_version
+            return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          end
+
+          # Otherwise return the original source
+          dependency_source_details
+        end
+
+        def dependency_source_details
+          sources =
+            dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+          sources.first
+        end
+
+        def fetch_latest_resolvable_version(unlock_requirement:)
+          @latest_resolvable_version_hash ||= {}
+          @latest_resolvable_version_hash[unlock_requirement] ||=
+            version_resolver(unlock_requirement: unlock_requirement).
+            latest_resolvable_version
+        end
+
+        def version_resolver(unlock_requirement:)
+          @version_resolver ||= {}
+          @version_resolver[unlock_requirement] ||=
+            begin
+              prepared_dependency_files = prepared_dependency_files(
+                unlock_requirement: unlock_requirement,
+                latest_allowable_version: latest_release_from_hex_registry
+              )
+
+              VersionResolver.new(
+                dependency: dependency,
+                prepared_dependency_files: prepared_dependency_files,
+                original_dependency_files: dependency_files,
+                credentials: credentials
+              )
+            end
+        end
+
+        def prepared_dependency_files(unlock_requirement:,
+                                      latest_allowable_version: nil)
+          FilePreparer.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            unlock_requirement: unlock_requirement,
+            latest_allowable_version: latest_allowable_version
+          ).prepared_dependency_files
+        end
+
+        def latest_release_from_hex_registry
+          @latest_release_from_hex_registry ||=
+            begin
+              versions = hex_registry_response&.fetch("releases", []) || []
+              versions =
+                versions.
+                select { |release| version_class.correct?(release["version"]) }.
+                map { |release| version_class.new(release["version"]) }
+
+              versions.reject!(&:prerelease?) unless wants_prerelease?
+              versions.reject! do |v|
+                ignore_reqs.any? { |r| r.satisfied_by?(v) }
+              end
+              versions.max
+            end
+        end
+
+        def hex_registry_response
+          return @hex_registry_response if @hex_registry_requested
+
+          @hex_registry_requested = true
+
+          response = Excon.get(
+            dependency_url,
+            idempotent: true,
+            **SharedHelpers.excon_defaults
+          )
+
+          return unless response.status == 200
+
+          @hex_registry_response = JSON.parse(response.body)
+        rescue Excon::Error::Socket, Excon::Error::Timeout
+          nil
+        end
+
+        def wants_prerelease?
+          current_version = dependency.version
+          if current_version &&
+             version_class.correct?(current_version) &&
+             version_class.new(current_version).prerelease?
+            return true
+          end
+
+          dependency.requirements.any? do |req|
+            req[:requirement]&.match?(/\d-[A-Za-z0-9]/)
+          end
+        end
+
+        def dependency_url
+          "https://hex.pm/api/packages/#{dependency.name}"
+        end
+
+        def git_commit_checker
+          @git_commit_checker ||=
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials
+            )
+        end
+      end
+    end
+  end
+end