dependabot-dep 0.90.0

data/lib/dependabot/dep/path_converter.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "excon"
+require "nokogiri"
+
+require "dependabot/shared_helpers"
+require "dependabot/source"
+require "dependabot/dep/native_helpers"
+
+module Dependabot
+  module Dep
+    module PathConverter
+      def self.git_url_for_path(path)
+        # Save a query by manually converting golang.org/x names
+        import_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
+
+        SharedHelpers.run_helper_subprocess(
+          command: NativeHelpers.helper_path,
+          function: "getVcsRemoteForImport",
+          args: { import: import_path }
+        )
+      end
+
+      # Used in dependabot-backend, which doesn't have access to any Go
+      # helpers.
+      # TODO: remove the need for this.
+      def self.git_url_for_path_without_go_helper(path)
+        # Save a query by manually converting golang.org/x names
+        tmp_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
+
+        # Currently, Dependabot::Source.new will return `nil` if it can't
+        # find a git SCH associated with a path. If it is ever extended to
+        # handle non-git sources we'll need to add an additional check here.
+        return Source.from_url(tmp_path).url if Source.from_url(tmp_path)
+        return "https://#{tmp_path}" if tmp_path.end_with?(".git")
+        return unless (metadata_response = fetch_path_metadata(path))
+
+        # Look for a GitHub, Bitbucket or GitLab URL in the response
+        metadata_response.scan(Dependabot::Source::SOURCE_REGEX) do
+          source_url = Regexp.last_match.to_s
+          return Source.from_url(source_url).url
+        end
+
+        # If none are found, parse the response and return the go-import path
+        doc = Nokogiri::XML(metadata_response)
+        doc.remove_namespaces!
+        import_details =
+          doc.xpath("//meta").
+          find { |n| n.attributes["name"]&.value == "go-import" }&.
+          attributes&.fetch("content")&.value&.split(/\s+/)
+        return unless import_details && import_details[1] == "git"
+
+        import_details[2]
+      end
+
+      def self.fetch_path_metadata(path)
+        # TODO: This is not robust! Instead, we should shell out to Go and
+        # use https://github.com/Masterminds/vcs.
+        response = Excon.get(
+          "https://#{path}?go-get=1",
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        return unless response.status == 200
+
+        response.body
+      end
+      private_class_method :fetch_path_metadata
+    end
+  end
+end

data/lib/dependabot/dep/requirement.rb

@@ -0,0 +1,152 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on Go version constraints, see:                             #
+# - https://github.com/Masterminds/semver                                      #
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md               #
+################################################################################
+
+require "dependabot/dep/version"
+require "dependabot/utils"
+
+module Dependabot
+  module Dep
+    class Requirement < Gem::Requirement
+      WILDCARD_REGEX = /(?:\.|^)[xX*]/.freeze
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|{2}/.freeze
+
+      # Override the version pattern to allow a 'v' prefix
+      quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
+      version_pattern = "v?#{Dep::Version::VERSION_PATTERN}"
+
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+
+      # Use Dep::Version rather than Gem::Version to ensure that
+      # pre-release versions aren't transformed.
+      def self.parse(obj)
+        return ["=", Dep::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Dep::Version.new(matches[2])]
+      end
+
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      def self.requirements_array(requirement_string)
+        return [new(nil)] if requirement_string.nil?
+
+        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+          new(req_string)
+        end
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          req_string.split(",").map do |r|
+            convert_go_constraint_to_ruby_constraint(r.strip)
+          end
+        end
+
+        super(requirements)
+      end
+
+      private
+
+      def convert_go_constraint_to_ruby_constraint(req_string)
+        req_string = req_string
+        req_string = convert_wildcard_characters(req_string)
+
+        if req_string.match?(WILDCARD_REGEX)
+          ruby_range(req_string.gsub(WILDCARD_REGEX, "").gsub(/^[^\d]/, ""))
+        elsif req_string.match?(/^~[^>]/) then convert_tilde_req(req_string)
+        elsif req_string.include?(" - ") then convert_hyphen_req(req_string)
+        elsif req_string.match?(/^[\dv^]/) then convert_caret_req(req_string)
+        elsif req_string.match?(/[<=>]/) then req_string
+        else ruby_range(req_string)
+        end
+      end
+
+      def convert_wildcard_characters(req_string)
+        if req_string.match?(/^[\dv^>~]/)
+          replace_wildcard_in_lower_bound(req_string)
+        elsif req_string.start_with?("<")
+          parts = req_string.split(".")
+          parts.map.with_index do |part, index|
+            next "0" if part.match?(WILDCARD_REGEX)
+            next part.to_i + 1 if parts[index + 1]&.match?(WILDCARD_REGEX)
+
+            part
+          end.join(".")
+        else
+          req_string
+        end
+      end
+
+      def replace_wildcard_in_lower_bound(req_string)
+        after_wildcard = false
+
+        if req_string.start_with?("~")
+          req_string = req_string.gsub(/(?:(?:\.|^)[xX*])(\.[xX*])+/, "")
+        end
+
+        req_string.split(".").
+          map do |part|
+            part.split("-").map.with_index do |p, i|
+              # Before we hit a wildcard we just return the existing part
+              next p unless p.match?(WILDCARD_REGEX) || after_wildcard
+
+              # On or after a wildcard we replace the version part with zero
+              after_wildcard = true
+              i.zero? ? "0" : "a"
+            end.join("-")
+          end.join(".")
+      end
+
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~/, "")
+        parts = version.split(".")
+        parts << "0" if parts.count < 3
+        "~> #{parts.join('.')}"
+      end
+
+      def convert_hyphen_req(req_string)
+        lower_bound, upper_bound = req_string.split(/\s+-\s+/)
+        [">= #{lower_bound}", "<= #{upper_bound}"]
+      end
+
+      def ruby_range(req_string)
+        parts = req_string.split(".")
+
+        # If we have three or more parts then this is an exact match
+        return req_string if parts.count >= 3
+
+        # If we have no parts then the version is completely unlocked
+        return ">= 0" if parts.count.zero?
+
+        # If we have fewer than three parts we do a partial match
+        parts << "0"
+        "~> #{parts.join('.')}"
+      end
+
+      # Note: Dep's caret notation implementation doesn't distinguish between
+      # pre and post-1.0.0 requirements (unlike in JS)
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^?v?/, "")
+        parts = version.split(".")
+        upper_bound = [parts.first.to_i + 1, 0, 0, "a"].map(&:to_s).join(".")
+
+        [">= #{version}", "< #{upper_bound}"]
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("dep", Dependabot::Dep::Requirement)

data/lib/dependabot/dep/update_checker.rb

@@ -0,0 +1,312 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+
+module Dependabot
+  module Dep
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/file_preparer"
+      require_relative "update_checker/latest_version_finder"
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_resolver"
+
+      def latest_version
+        @latest_version ||=
+          LatestVersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions
+          ).latest_version
+      end
+
+      def latest_resolvable_version
+        @latest_resolvable_version ||=
+          if modules_dependency?
+            latest_version
+          elsif git_dependency?
+            latest_resolvable_version_for_git_dependency
+          else
+            latest_resolvable_released_version(unlock_requirement: true)
+          end
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        @latest_resolvable_version_with_no_unlock ||=
+          if git_dependency?
+            latest_resolvable_commit_with_unchanged_git_source
+          else
+            latest_resolvable_released_version(unlock_requirement: false)
+          end
+      end
+
+      def updated_requirements
+        @updated_requirements ||=
+          RequirementsUpdater.new(
+            requirements: dependency.requirements,
+            updated_source: updated_source,
+            update_strategy: requirements_update_strategy,
+            latest_version: latest_version&.to_s,
+            latest_resolvable_version: latest_resolvable_version&.to_s
+          ).updated_requirements
+      end
+
+      def requirements_update_strategy
+        # If passed in as an option (in the base class) honour that option
+        if @requirements_update_strategy
+          return @requirements_update_strategy.to_sym
+        end
+
+        # Otherwise, widen ranges for libraries and bump versions for apps
+        library? ? :widen_ranges : :bump_versions
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't implemented for Go (yet)
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      # Override the base class's check for whether this is a git dependency,
+      # since not all dep git dependencies have a SHA version (sometimes their
+      # version is the tag)
+      def existing_version_is_sha?
+        git_dependency?
+      end
+
+      def library?
+        dependency_files.none? { |f| f.type == "package_main" }
+      end
+
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/PerceivedComplexity
+      def latest_resolvable_version_for_git_dependency
+        return latest_version if modules_dependency?
+
+        latest_release =
+          begin
+            latest_resolvable_released_version(unlock_requirement: true)
+          rescue SharedHelpers::HelperSubprocessFailed => error
+            raise unless error.message.include?("Solving failure")
+          end
+
+        # If there's a resolvable release that includes the current pinned
+        # ref or that the current branch is behind, we switch to that release.
+        return latest_release if git_branch_or_ref_in_release?(latest_release)
+
+        # Otherwise, if the gem isn't pinned, the latest version is just the
+        # latest commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return latest_resolvable_commit_with_unchanged_git_source
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag.
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return version_from_tag(new_tag)
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        nil
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      def version_from_tag(tag)
+        # To compare with the current version we either use the commit SHA
+        # (if that's what the parser picked up) of the tag name.
+        if dependency.version&.match?(/^[0-9a-f]{40}$/)
+          return tag&.fetch(:commit_sha)
+        end
+
+        tag&.fetch(:tag)
+      end
+
+      def latest_resolvable_commit_with_unchanged_git_source
+        if @commit_lookup_attempted
+          return @latest_resolvable_commit_with_unchanged_git_source
+        end
+
+        @commit_lookup_attempted = true
+        @latest_resolvable_commit_with_unchanged_git_source ||=
+          begin
+            prepared_files = FilePreparer.new(
+              dependency_files: dependency_files,
+              dependency: dependency,
+              unlock_requirement: false,
+              remove_git_source: false,
+              latest_allowable_version: latest_version
+            ).prepared_dependency_files
+
+            VersionResolver.new(
+              dependency: dependency,
+              dependency_files: prepared_files,
+              credentials: credentials
+            ).latest_resolvable_version
+          end
+      rescue SharedHelpers::HelperSubprocessFailed => error
+        # This should rescue resolvability errors in future
+        raise unless error.message.include?("Solving failure")
+      end
+
+      def latest_resolvable_released_version(unlock_requirement:)
+        @latest_resolvable_released_version ||= {}
+        @latest_resolvable_released_version[unlock_requirement] ||=
+          begin
+            prepared_files = FilePreparer.new(
+              dependency_files: dependency_files,
+              dependency: dependency,
+              unlock_requirement: unlock_requirement,
+              remove_git_source: git_dependency?,
+              latest_allowable_version: latest_version
+            ).prepared_dependency_files
+
+            VersionResolver.new(
+              dependency: dependency,
+              dependency_files: prepared_files,
+              credentials: credentials
+            ).latest_resolvable_version
+          end
+      end
+
+      def latest_git_tag_is_resolvable?
+        return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
+
+        @latest_git_tag_is_resolvable_checked = true
+
+        return false if git_commit_checker.local_tag_for_latest_version.nil?
+
+        replacement_tag = git_commit_checker.local_tag_for_latest_version
+
+        prepared_files = FilePreparer.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          unlock_requirement: false,
+          remove_git_source: false,
+          replacement_git_pin: replacement_tag.fetch(:tag)
+        ).prepared_dependency_files
+
+        VersionResolver.new(
+          dependency: dependency,
+          dependency_files: prepared_files,
+          credentials: credentials
+        ).latest_resolvable_version
+
+        @git_tag_resolvable = true
+      rescue SharedHelpers::HelperSubprocessFailed => error
+        # This should rescue resolvability errors in future
+        raise unless error.message.include?("Solving failure")
+
+        @git_tag_resolvable = false
+      end
+
+      def updated_source
+        # Never need to update source, unless a git_dependency
+        return dependency_source_details unless git_dependency?
+
+        # Source becomes `nil` if switching to default rubygems
+        return default_source if should_switch_source_from_ref_to_release?
+
+        # Update the git tag if updating a pinned version
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+        end
+
+        # Otherwise return the original source
+        dependency_source_details
+      end
+
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+
+      def should_switch_source_from_ref_to_release?
+        return false unless git_dependency?
+        return false if latest_resolvable_version_for_git_dependency.nil?
+
+        Gem::Version.correct?(latest_resolvable_version_for_git_dependency)
+      end
+
+      def modules_dependency?
+        # If dep is being used then we use that to determine the latest
+        # version we can update to (since it will have resolvability
+        # requirements, whereas Go modules won't)
+        !dependency_in_gopkg_lock?
+      end
+
+      def dependency_in_gopkg_lock?
+        lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+        return false unless lockfile
+
+        parsed_file(lockfile).fetch("projects", []).any? do |details|
+          details.fetch("name") == dependency.name
+        end
+      end
+
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      def default_source
+        if modules_dependency?
+          return { type: "default", source: dependency.name }
+        end
+
+        original_declaration =
+          parsed_file(manifest).
+          values_at(*Dep::FileParser::REQUIREMENT_TYPES).
+          flatten.compact.
+          find { |d| d["name"] == dependency.name }
+
+        {
+          type: "default",
+          source:
+            original_declaration&.fetch("source", nil) || dependency.name
+        }
+      end
+
+      def git_branch_or_ref_in_release?(release)
+        return false unless release
+
+        git_commit_checker.branch_or_ref_in_release?(release)
+      end
+
+      def parsed_file(file)
+        @parsed_file ||= {}
+        @parsed_file[file.name] ||= TomlRB.parse(file.content)
+      end
+
+      def manifest
+        @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+      end
+
+      def git_commit_checker
+        @git_commit_checker ||=
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials,
+            ignored_versions: ignored_versions
+          )
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.register("dep", Dependabot::Dep::UpdateChecker)