dependabot-core 0.76.1

data/lib/dependabot/update_checkers/go/dep/latest_version_finder.rb

@@ -0,0 +1,169 @@
+# frozen_string_literal: true
+
+require "excon"
+require "toml-rb"
+
+require "dependabot/source"
+require "dependabot/update_checkers/go/dep"
+require "dependabot/git_commit_checker"
+require "dependabot/utils/go/path_converter"
+
+module Dependabot
+  module UpdateCheckers
+    module Go
+      class Dep
+        class LatestVersionFinder
+          def initialize(dependency:, dependency_files:, credentials:,
+                         ignored_versions:)
+            @dependency       = dependency
+            @dependency_files = dependency_files
+            @credentials      = credentials
+            @ignored_versions = ignored_versions
+          end
+
+          def latest_version
+            @latest_version ||=
+              if git_dependency? then latest_version_for_git_dependency
+              else latest_release_tag_version
+              end
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :credentials,
+                      :ignored_versions
+
+          def latest_release_tag_version
+            if @latest_release_tag_lookup_attempted
+              return @latest_release_tag_version
+            end
+
+            @latest_release_tag_lookup_attempted = true
+
+            latest_release_str = fetch_latest_release_tag&.sub(/^v?/, "")
+            return unless latest_release_str
+            return unless version_class.correct?(latest_release_str)
+
+            @latest_release_tag_version =
+              version_class.new(latest_release_str)
+          end
+
+          def fetch_latest_release_tag
+            # If this is a git dependency then getting the latest tag is trivial
+            if git_dependency?
+              return git_commit_checker.
+                     local_tag_for_latest_version&.fetch(:tag)
+            end
+
+            # If not, we need to find the URL for the source code.
+            path = dependency.requirements.
+                   map { |r| r.dig(:source, :source) }.compact.first
+            path ||= dependency.name
+
+            source_url = git_source(path)
+            return unless source_url
+
+            # Given a source, we want to find the latest tag. Piggy-back off the
+            # logic in GitCommitChecker to do so.
+            git_dep = Dependency.new(
+              name: dependency.name,
+              version: dependency.version,
+              requirements: [{
+                file: "Gopkg.toml",
+                groups: [],
+                requirement: nil,
+                source: { type: "git", url: source_url }
+              }],
+              package_manager: dependency.package_manager
+            )
+
+            GitCommitChecker.
+              new(dependency: git_dep, credentials: credentials).
+              local_tag_for_latest_version&.fetch(:tag)
+          end
+
+          def latest_version_for_git_dependency
+            latest_release = latest_release_tag_version
+
+            # If there's been a release that includes the current pinned ref or
+            # that the current branch is behind, we switch to that release.
+            return latest_release if branch_or_ref_in_release?(latest_release)
+
+            # Otherwise, if the gem isn't pinned, the latest version is just the
+            # latest commit for the specified branch.
+            unless git_commit_checker.pinned?
+              return git_commit_checker.head_commit_for_current_branch
+            end
+
+            # If the dependency is pinned to a tag that looks like a version
+            # then we want to update that tag.
+            if git_commit_checker.pinned_ref_looks_like_version?
+              latest_tag = git_commit_checker.local_tag_for_latest_version
+              return version_from_tag(latest_tag)
+            end
+
+            # If the dependency is pinned to a tag that doesn't look like a
+            # version then there's nothing we can do.
+            nil
+          end
+
+          def git_source(path)
+            Dependabot::Utils::Go::PathConverter.git_url_for_path(path)
+          end
+
+          def version_from_tag(tag)
+            # To compare with the current version we either use the commit SHA
+            # (if that's what the parser picked up) of the tag name.
+            if dependency.version&.match?(/^[0-9a-f]{40}$/)
+              return tag&.fetch(:commit_sha)
+            end
+
+            tag&.fetch(:tag)
+          end
+
+          def branch_or_ref_in_release?(release)
+            return false unless release
+
+            git_commit_checker.branch_or_ref_in_release?(release)
+          end
+
+          def git_dependency?
+            git_commit_checker.git_dependency?
+          end
+
+          def git_commit_checker
+            @git_commit_checker ||=
+              GitCommitChecker.new(
+                dependency: dependency,
+                credentials: credentials,
+                ignored_versions: ignored_versions
+              )
+          end
+
+          def parsed_file(file)
+            @parsed_file ||= {}
+            @parsed_file[file.name] ||= TomlRB.parse(file.content)
+          end
+
+          def version_class
+            Utils.version_class_for_package_manager(dependency.package_manager)
+          end
+
+          def manifest
+            @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+            raise "No Gopkg.lock!" unless @manifest
+
+            @manifest
+          end
+
+          def lockfile
+            @lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+            raise "No Gopkg.lock!" unless @lockfile
+
+            @lockfile
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/go/dep/requirements_updater.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/go/dep"
+require "dependabot/utils/go/requirement"
+require "dependabot/utils/go/version"
+
+module Dependabot
+  module UpdateCheckers
+    module Go
+      class Dep
+        class RequirementsUpdater
+          class UnfixableRequirement < StandardError; end
+
+          VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-*]+)*/.freeze
+          ALLOWED_UPDATE_STRATEGIES = %i(widen_ranges bump_versions).freeze
+
+          def initialize(requirements:, updated_source:, update_strategy:,
+                         latest_version:, latest_resolvable_version:)
+            @requirements = requirements
+            @updated_source = updated_source
+            @update_strategy = update_strategy
+
+            check_update_strategy
+
+            if latest_version && version_class.correct?(latest_version)
+              @latest_version = version_class.new(latest_version)
+            end
+
+            return unless latest_resolvable_version
+            return unless version_class.correct?(latest_resolvable_version)
+
+            @latest_resolvable_version =
+              version_class.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            requirements.map do |req|
+              req = req.merge(source: updated_source)
+              next req unless latest_resolvable_version
+              next initial_req_after_source_change(req) unless req[:requirement]
+
+              case update_strategy
+              when :widen_ranges then widen_requirement(req)
+              when :bump_versions then update_version(req)
+              else raise "Unexpected update strategy: #{update_strategy}"
+              end
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :updated_source, :update_strategy,
+                      :latest_version, :latest_resolvable_version
+
+          def check_update_strategy
+            return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+            raise "Unknown update strategy: #{update_strategy}"
+          end
+
+          def updating_from_git_to_version?
+            return false unless updated_source&.fetch(:type) == "default"
+
+            original_source = requirements.map { |r| r[:source] }.compact.first
+            original_source&.fetch(:type) == "git"
+          end
+
+          def initial_req_after_source_change(req)
+            return req unless updating_from_git_to_version?
+            return req unless req.fetch(:requirement).nil?
+
+            new_req =
+              if req.fetch(:file) == "go.mod"
+                "v#{latest_resolvable_version.to_s.gsub(/^v/, '')}"
+              else
+                "^#{latest_resolvable_version}"
+              end
+            req.merge(requirement: new_req)
+          end
+
+          def widen_requirement(req)
+            current_requirement = req[:requirement]
+            version = latest_resolvable_version
+
+            ruby_reqs = ruby_requirements(current_requirement)
+            return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+            reqs = current_requirement.strip.split(",").map(&:strip)
+
+            updated_requirement =
+              if current_requirement.include?("||")
+                # Further widen the range by adding another OR condition
+                current_requirement + " || ^#{version}"
+              elsif reqs.any? { |r| r.match?(/(<|-\s)/) }
+                # Further widen the range by updating the upper bound
+                update_range_requirement(current_requirement)
+              else
+                # Convert existing requirement to a range
+                create_new_range_requirement(reqs)
+              end
+
+            req.merge(requirement: updated_requirement)
+          end
+
+          def update_version(req)
+            current_requirement = req[:requirement]
+            version = latest_resolvable_version
+
+            ruby_reqs = ruby_requirements(current_requirement)
+            reqs = current_requirement.strip.split(",").map(&:strip)
+
+            if ruby_reqs.any? { |r| r.satisfied_by?(version) } &&
+               current_requirement.match?(/(<|-\s|\|\|)/)
+              return req
+            end
+
+            updated_requirement =
+              if current_requirement.include?("||")
+                # Further widen the range by adding another OR condition
+                current_requirement + " || ^#{version}"
+              elsif reqs.any? { |r| r.match?(/(<|-\s)/) }
+                # Further widen the range by updating the upper bound
+                update_range_requirement(current_requirement)
+              else
+                update_version_requirement(reqs)
+              end
+
+            req.merge(requirement: updated_requirement)
+          end
+
+          def ruby_requirements(requirement_string)
+            requirement_class.requirements_array(requirement_string)
+          end
+
+          def update_range_requirement(req_string)
+            range_requirement = req_string.split(",").
+                                find { |r| r.match?(/<|(\s+-\s+)/) }
+
+            versions = range_requirement.scan(VERSION_REGEX)
+            upper_bound = versions.map { |v| version_class.new(v) }.max
+            new_upper_bound = update_greatest_version(
+              upper_bound,
+              latest_resolvable_version
+            )
+
+            req_string.sub(
+              upper_bound.to_s,
+              new_upper_bound.to_s
+            )
+          end
+
+          def create_new_range_requirement(string_reqs)
+            version = latest_resolvable_version
+
+            lower_bound =
+              string_reqs.
+              map { |req| requirement_class.new(req) }.
+              flat_map { |req| req.requirements.map(&:last) }.
+              min.to_s
+
+            upper_bound =
+              if string_reqs.first.start_with?("~") &&
+                 version.to_s.split(".").count > 1
+                create_upper_bound_for_tilda_req(string_reqs.first)
+              else
+                upper_bound_parts = [version.to_s.split(".").first.to_i + 1]
+                upper_bound_parts.
+                  fill("0", 1..(lower_bound.split(".").count - 1)).
+                  join(".")
+              end
+
+            ">= #{lower_bound}, < #{upper_bound}"
+          end
+
+          def update_version_requirement(string_reqs)
+            version = latest_resolvable_version.to_s.gsub(/^v/, "")
+            current_req = string_reqs.first
+
+            current_req.gsub(VERSION_REGEX, version)
+          end
+
+          def create_upper_bound_for_tilda_req(string_req)
+            tilda_version = requirement_class.new(string_req).
+                            requirements.map(&:last).
+                            min.to_s
+
+            upper_bound_parts = latest_resolvable_version.to_s.split(".")
+            upper_bound_parts.slice(0, tilda_version.to_s.split(".").count)
+            upper_bound_parts[-1] = "0"
+            upper_bound_parts[-2] = (upper_bound_parts[-2].to_i + 1).to_s
+
+            upper_bound_parts.join(".")
+          end
+
+          def update_greatest_version(old_version, version_to_be_permitted)
+            version = version_class.new(old_version)
+            version = version.release if version.prerelease?
+
+            index_to_update =
+              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+            version.segments.map.with_index do |_, index|
+              if index < index_to_update
+                version_to_be_permitted.segments[index]
+              elsif index == index_to_update
+                version_to_be_permitted.segments[index] + 1
+              else 0
+              end
+            end.join(".")
+          end
+
+          def version_class
+            Utils::Go::Version
+          end
+
+          def requirement_class
+            Utils::Go::Requirement
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/go/dep/version_resolver.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/shared_helpers"
+require "dependabot/update_checkers/go/dep"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module Go
+      class Dep
+        class VersionResolver
+          NOT_FOUND_REGEX =
+            /failed to list versions for (?<repo_url>.*?):\s+/.freeze
+          INDEX_OUT_OF_RANGE_REGEX =
+            /panic: runtime error: index out of range.*findValidVersion/m.freeze
+
+          def initialize(dependency:, dependency_files:, credentials:)
+            @dependency = dependency
+            @dependency_files = dependency_files
+            @credentials = credentials
+          end
+
+          def latest_resolvable_version
+            if defined?(@latest_resolvable_version)
+              return @latest_resolvable_version
+            end
+
+            @latest_resolvable_version = fetch_latest_resolvable_version
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :credentials
+
+          def fetch_latest_resolvable_version
+            base_directory = File.join("src", "project",
+                                       dependency_files.first.directory)
+            base_parts = base_directory.split("/").length
+            updated_version =
+              SharedHelpers.in_a_temporary_directory(base_directory) do |dir|
+                write_temporary_dependency_files
+
+                SharedHelpers.with_git_configured(credentials: credentials) do
+                  # Shell out to dep, which handles everything for us, and does
+                  # so without doing an install (so it's fast).
+                  command = "dep ensure -update --no-vendor #{dependency.name}"
+                  dir_parts = dir.realpath.to_s.split("/")
+                  gopath = File.join(dir_parts[0..-(base_parts + 1)])
+                  run_shell_command(command, "GOPATH" => gopath)
+                end
+
+                new_lockfile_content = File.read("Gopkg.lock")
+
+                get_version_from_lockfile(new_lockfile_content)
+              end
+
+            updated_version
+          rescue SharedHelpers::HelperSubprocessFailed => error
+            handle_dep_errors(error)
+          end
+
+          def get_version_from_lockfile(lockfile_content)
+            package = TomlRB.parse(lockfile_content).fetch("projects").
+                      find { |p| p["name"] == dependency.name }
+
+            version = package["version"]
+
+            if version && version_class.correct?(version.sub(/^v?/, ""))
+              version_class.new(version.sub(/^v?/, ""))
+            elsif version
+              version
+            else
+              package.fetch("revision")
+            end
+          end
+
+          def handle_dep_errors(error)
+            if error.message.match?(NOT_FOUND_REGEX)
+              url = error.message.match(NOT_FOUND_REGEX).
+                    named_captures.fetch("repo_url")
+
+              raise Dependabot::GitDependenciesNotReachable, url
+            end
+
+            # A dep bug that probably isn't going to be fixed any time soon :-(
+            # - https://github.com/golang/dep/issues/1437
+            # - https://github.com/golang/dep/issues/649
+            # - https://github.com/golang/dep/issues/2041
+            # - https://twitter.com/miekg/status/996682296739745792
+            return if error.message.match?(INDEX_OUT_OF_RANGE_REGEX)
+
+            raise
+          end
+
+          def run_shell_command(command, env = {})
+            raw_response = nil
+            IO.popen(env, command, err: %i(child out)) do |process|
+              raw_response = process.read
+            end
+
+            # Raise an error with the output from the shell session if dep
+            # returns a non-zero status
+            return if $CHILD_STATUS.success?
+
+            raise SharedHelpers::HelperSubprocessFailed.new(
+              raw_response,
+              command
+            )
+          end
+
+          def write_temporary_dependency_files
+            dependency_files.each do |file|
+              path = file.name
+              FileUtils.mkdir_p(Pathname.new(path).dirname)
+              File.write(file.name, file.content)
+            end
+
+            File.write("hello.go", dummy_app_content)
+          end
+
+          def dummy_app_content
+            base = "package main\n\n"\
+                   "import \"fmt\"\n\n"
+
+            packages_to_import.each { |nm| base += "import \"#{nm}\"\n\n" }
+
+            base + "func main() {\n  fmt.Printf(\"hello, world\\n\")\n}"
+          end
+
+          def packages_to_import
+            return [] unless lockfile
+
+            parsed_lockfile = TomlRB.parse(lockfile.content)
+
+            # If the lockfile was created using dep v0.5.0+ then it will tell us
+            # exactly which packages to import
+            if parsed_lockfile.dig("solve-meta", "input-imports")
+              return parsed_lockfile.dig("solve-meta", "input-imports")
+            end
+
+            # Otherwise we have no way of knowing, so import everything in the
+            # lockfile that isn't marked as internal
+            parsed_lockfile.fetch("projects").flat_map do |dep|
+              dep["packages"].map do |package|
+                next if package.start_with?("internal")
+
+                package == "." ? dep["name"] : File.join(dep["name"], package)
+              end.compact
+            end
+          end
+
+          def lockfile
+            @lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+          end
+
+          def version_class
+            Utils.version_class_for_package_manager(dependency.package_manager)
+          end
+        end
+      end
+    end
+  end
+end