dependabot-dep 0.90.0

data/lib/dependabot/dep/file_updater/lockfile_updater.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "open3"
+require "dependabot/shared_helpers"
+require "dependabot/dependency_file"
+require "dependabot/dep/file_updater"
+require "dependabot/dep/file_parser"
+
+module Dependabot
+  module Dep
+    class FileUpdater
+      class LockfileUpdater
+        def initialize(dependencies:, dependency_files:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        def updated_lockfile_content
+          deps = dependencies.select { |d| appears_in_lockfile(d) }
+          return lockfile.content if deps.none?
+
+          base_directory = File.join("src", "project",
+                                     dependency_files.first.directory)
+          base_parts = base_directory.split("/").length
+          updated_content =
+            SharedHelpers.in_a_temporary_directory(base_directory) do |dir|
+              write_temporary_dependency_files
+
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                # Shell out to dep, which handles everything for us.
+                # Note: We are currently doing a full install here (we're not
+                # passing no-vendor) because dep needs to generate the digests
+                # for each project.
+                command = "dep ensure -update #{deps.map(&:name).join(' ')}"
+                dir_parts = dir.realpath.to_s.split("/")
+                gopath = File.join(dir_parts[0..-(base_parts + 1)])
+                run_shell_command(command, "GOPATH" => gopath)
+              end
+
+              File.read("Gopkg.lock")
+            end
+
+          updated_content
+        end
+
+        private
+
+        attr_reader :dependencies, :dependency_files, :credentials
+
+        def run_shell_command(command, env = {})
+          start = Time.now
+          stdout, process = Open3.capture2e(env, command)
+          time_taken = start - Time.now
+
+          # Raise an error with the output from the shell session if dep
+          # returns a non-zero status
+          return if process.success?
+
+          raise SharedHelpers::HelperSubprocessFailed.new(
+            message: stdout,
+            error_context: {
+              command: command,
+              time_taken: time_taken,
+              process_exit_value: process.to_s
+            }
+          )
+        end
+
+        def write_temporary_dependency_files
+          File.write(lockfile.name, lockfile.content)
+
+          # Overwrite the manifest with our custom prepared one
+          File.write(prepared_manifest.name, prepared_manifest.content)
+
+          File.write("hello.go", dummy_app_content)
+        end
+
+        def prepared_manifest
+          DependencyFile.new(
+            name: manifest.name,
+            content: prepared_manifest_content
+          )
+        end
+
+        def prepared_manifest_content
+          parsed_manifest = TomlRB.parse(manifest.content)
+
+          parsed_manifest["override"] =
+            add_fsnotify_override(parsed_manifest["override"])
+
+          dependencies.each do |dep|
+            req = dep.requirements.find { |r| r[:file] == manifest.name }
+            next unless appears_in_lockfile(dep)
+
+            if req
+              update_constraint!(parsed_manifest, dep)
+            else
+              create_constraint!(parsed_manifest, dep)
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        # Used to lock the version when updating a top-level dependency
+        def update_constraint!(parsed_manifest, dep)
+          details =
+            parsed_manifest.
+            values_at(*Dep::FileParser::REQUIREMENT_TYPES).
+            flatten.compact.find { |d| d["name"] == dep.name }
+
+          req = dep.requirements.find { |r| r[:file] == manifest.name }
+
+          if req.fetch(:source).fetch(:type) == "git" && !details["branch"]
+            # Note: we don't try to update to a specific revision if the
+            # branch was previously specified because the change in
+            # specification type would be persisted in the lockfile
+            details["revision"] = dep.version if details["revision"]
+            details["version"] = dep.version if details["version"]
+          elsif req.fetch(:source).fetch(:type) == "default"
+            details.delete("branch")
+            details.delete("revision")
+            details["version"] = "=#{dep.version}"
+          end
+        end
+
+        # Used to lock the version when updating a subdependency
+        def create_constraint!(parsed_manifest, dep)
+          details = { "name" => dep.name }
+
+          # Fetch the details from the lockfile to check whether this
+          # sub-dependency needs a git revision or a version.
+          original_details =
+            parsed_file(lockfile).fetch("projects").
+            find { |p| p["name"] == dep.name }
+
+          if original_details["source"]
+            details["source"] = original_details["source"]
+          end
+
+          if original_details["version"]
+            details["version"] = dep.version
+          else
+            details["revision"] = dep.version
+          end
+
+          parsed_manifest["constraint"] ||= []
+          parsed_manifest["constraint"] << details
+        end
+
+        # Work around a dep bug that results in a panic
+        def add_fsnotify_override(overrides)
+          overrides ||= []
+          dep_name = "gopkg.in/fsnotify.v1"
+
+          override = overrides.find { |s| s["name"] == dep_name }
+          if override.nil?
+            override = { "name" => dep_name }
+            overrides << override
+          end
+
+          unless override["source"]
+            override["source"] = "gopkg.in/fsnotify/fsnotify.v1"
+          end
+
+          overrides
+        end
+
+        def dummy_app_content
+          base = "package main\n\n"\
+                 "import \"fmt\"\n\n"
+
+          packages_to_import.each { |nm| base += "import \"#{nm}\"\n\n" }
+
+          base + "func main() {\n  fmt.Printf(\"hello, world\\n\")\n}"
+        end
+
+        def packages_to_import
+          parsed_lockfile = TomlRB.parse(lockfile.content)
+
+          # If the lockfile was created using dep v0.5.0+ then it will tell us
+          # exactly which packages to import
+          if parsed_lockfile.dig("solve-meta", "input-imports")
+            return parsed_lockfile.dig("solve-meta", "input-imports")
+          end
+
+          # Otherwise we have no way of knowing, so import everything in the
+          # lockfile that isn't marked as internal
+          parsed_lockfile.fetch("projects").flat_map do |dep|
+            dep["packages"].map do |package|
+              next if package.start_with?("internal")
+
+              package == "." ? dep["name"] : File.join(dep["name"], package)
+            end.compact
+          end
+        end
+
+        def appears_in_lockfile(dep)
+          !parsed_file(lockfile)["projects"]&.
+            find { |p| p["name"] == dep.name }.nil?
+        end
+
+        def parsed_file(file)
+          @parsed_file ||= {}
+          @parsed_file[file.name] ||= TomlRB.parse(file.content)
+        end
+
+        def manifest
+          @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+        end
+
+        def lockfile
+          @lockfile ||= dependency_files.find { |f| f.name == "Gopkg.lock" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dep/file_updater/manifest_updater.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require "dependabot/dep/file_updater"
+
+module Dependabot
+  module Dep
+    class FileUpdater
+      class ManifestUpdater
+        def initialize(dependencies:, manifest:)
+          @dependencies = dependencies
+          @manifest = manifest
+        end
+
+        def updated_manifest_content
+          dependencies.
+            select { |dep| requirement_changed?(manifest, dep) }.
+            reduce(manifest.content.dup) do |content, dep|
+              updated_content = content
+
+              updated_content = update_requirements(
+                content: updated_content,
+                filename: manifest.name,
+                dependency: dep
+              )
+              updated_content = update_git_pin(
+                content: updated_content,
+                filename: manifest.name,
+                dependency: dep
+              )
+
+              raise "Expected content to change!" if content == updated_content
+
+              updated_content
+            end
+        end
+
+        private
+
+        attr_reader :dependencies, :manifest
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+
+        def update_requirements(content:, filename:, dependency:)
+          updated_content = content.dup
+
+          # The UpdateChecker ensures the order of requirements is preserved
+          # when updating, so we can zip them together in new/old pairs.
+          reqs = dependency.requirements.
+                 zip(dependency.previous_requirements).
+                 reject { |new_req, old_req| new_req == old_req }
+
+          # Loop through each changed requirement
+          reqs.each do |new_req, old_req|
+            raise "Bad req match" unless new_req[:file] == old_req[:file]
+            next if new_req[:requirement] == old_req[:requirement]
+            next unless new_req[:file] == filename
+
+            updated_content = update_manifest_req(
+              content: updated_content,
+              dep: dependency,
+              old_req: old_req.fetch(:requirement),
+              new_req: new_req.fetch(:requirement)
+            )
+          end
+
+          updated_content
+        end
+
+        def update_git_pin(content:, filename:, dependency:)
+          updated_pin =
+            dependency.requirements.
+            find { |r| r[:file] == filename }&.
+            dig(:source, :ref)
+
+          old_pin =
+            dependency.previous_requirements.
+            find { |r| r[:file] == filename }&.
+            dig(:source, :ref)
+
+          return content unless old_pin
+
+          update_manifest_pin(
+            content: content,
+            dep: dependency,
+            old_pin: old_pin,
+            new_pin: updated_pin
+          )
+        end
+
+        # rubocop:disable Metrics/CyclomaticComplexity
+        # rubocop:disable Metrics/PerceivedComplexity
+        def update_manifest_req(content:, dep:, old_req:, new_req:)
+          declaration = content.scan(declaration_regex(dep)).
+                        find { |m| old_req.nil? || m.include?(old_req) }
+
+          return content unless declaration
+
+          if old_req && new_req
+            content.gsub(declaration) do |line|
+              line.gsub(old_req, new_req)
+            end
+          elsif old_req && new_req.nil?
+            content.gsub(declaration) do |line|
+              line.gsub(/\R+.*version\s*=.*/, "")
+            end
+          elsif old_req.nil? && new_req
+            content.gsub(declaration) do |line|
+              indent = line.match(/(?<indent>\s*)name/).
+                       named_captures.fetch("indent")
+              version_declaration = indent + "version = \"#{new_req}\""
+              line.gsub(/name\s*=.*/) { |nm_ln| nm_ln + version_declaration }
+            end
+          end
+        end
+        # rubocop:enable Metrics/CyclomaticComplexity
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        def update_manifest_pin(content:, dep:, old_pin:, new_pin:)
+          declaration = content.scan(declaration_regex(dep)).
+                        find { |m| m.include?(old_pin) }
+
+          return content unless declaration
+
+          if old_pin && new_pin
+            content.gsub(declaration) do |line|
+              line.gsub(old_pin, new_pin)
+            end
+          elsif old_pin && new_pin.nil?
+            content.gsub(declaration) do |line|
+              line.gsub(/\R+.*(revision|branch)\s*=.*/, "")
+            end
+          end
+        end
+
+        def declaration_regex(dep)
+          /
+            (?<=\]\])
+            (?:(?!^\[).)*
+            name\s*=\s*["']#{Regexp.escape(dep.name)}["']
+            (?:(?!^\[).)*
+          /mx
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dep/metadata_finder.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/dep/path_converter"
+
+module Dependabot
+  module Dep
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      private
+
+      def look_up_source
+        return look_up_git_dependency_source if git_dependency?
+
+        path_str = (specified_source_string || dependency.name)
+        url = Dependabot::Dep::PathConverter.
+              git_url_for_path_without_go_helper(path_str)
+        Source.from_url(url) if url
+      end
+
+      def git_dependency?
+        return false unless declared_source_details
+
+        dependency_type =
+          declared_source_details.fetch(:type, nil) ||
+          declared_source_details.fetch("type")
+
+        dependency_type == "git"
+      end
+
+      def look_up_git_dependency_source
+        specified_url =
+          declared_source_details.fetch(:url, nil) ||
+          declared_source_details.fetch("url")
+
+        Source.from_url(specified_url)
+      end
+
+      def specified_source_string
+        declared_source_details&.fetch(:source, nil) ||
+          declared_source_details&.fetch("source", nil)
+      end
+
+      def declared_source_details
+        sources = dependency.requirements.
+                  map { |r| r.fetch(:source) }.
+                  uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.register("dep", Dependabot::Dep::MetadataFinder)

data/lib/dependabot/dep/native_helpers.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Dep
+    module NativeHelpers
+      def self.helper_path
+        clean_path(File.join(native_helpers_root, "dep/bin/helper"))
+      end
+
+      def self.native_helpers_root
+        default_path = File.join(__dir__, "../../../helpers/install-dir")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+
+      def self.clean_path(path)
+        Pathname.new(path).cleanpath.to_path
+      end
+    end
+  end
+end