dependabot-dep 0.90.0

data/lib/dependabot/dep/update_checker/version_resolver.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "open3"
+require "dependabot/shared_helpers"
+require "dependabot/dep/update_checker"
+require "dependabot/errors"
+
+module Dependabot
+  module Dep
+    class UpdateChecker
+      class VersionResolver
+        NOT_FOUND_REGEX =
+          /failed to list versions for (?<repo_url>.*?):\s+/.freeze
+        INDEX_OUT_OF_RANGE_REGEX =
+          /panic: runtime error: index out of range.*findValidVersion/m.freeze
+
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        def latest_resolvable_version
+          if defined?(@latest_resolvable_version)
+            return @latest_resolvable_version
+          end
+
+          @latest_resolvable_version = fetch_latest_resolvable_version
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :credentials
+
+        def fetch_latest_resolvable_version
+          base_directory = File.join("src", "project",
+                                     dependency_files.first.directory)
+          base_parts = base_directory.split("/").length
+          updated_version =
+            SharedHelpers.in_a_temporary_directory(base_directory) do |dir|
+              write_temporary_dependency_files
+
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                # Shell out to dep, which handles everything for us, and does
+                # so without doing an install (so it's fast).
+                command = "dep ensure -update --no-vendor #{dependency.name}"
+                dir_parts = dir.realpath.to_s.split("/")
+                gopath = File.join(dir_parts[0..-(base_parts + 1)])
+                run_shell_command(command, "GOPATH" => gopath)
+              end
+
+              new_lockfile_content = File.read("Gopkg.lock")
+
+              get_version_from_lockfile(new_lockfile_content)
+            end
+
+          updated_version
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          handle_dep_errors(error)
+        end
+
+        def get_version_from_lockfile(lockfile_content)
+          package = TomlRB.parse(lockfile_content).fetch("projects").
+                    find { |p| p["name"] == dependency.name }
+
+          version = package["version"]
+
+          if version && version_class.correct?(version.sub(/^v?/, ""))
+            version_class.new(version.sub(/^v?/, ""))
+          elsif version
+            version
+          else
+            package.fetch("revision")
+          end
+        end
+
+        def handle_dep_errors(error)
+          if error.message.match?(NOT_FOUND_REGEX)
+            url = error.message.match(NOT_FOUND_REGEX).
+                  named_captures.fetch("repo_url")
+
+            raise Dependabot::GitDependenciesNotReachable, url
+          end
+
+          # A dep bug that probably isn't going to be fixed any time soon :-(
+          # - https://github.com/golang/dep/issues/1437
+          # - https://github.com/golang/dep/issues/649
+          # - https://github.com/golang/dep/issues/2041
+          # - https://twitter.com/miekg/status/996682296739745792
+          return if error.message.match?(INDEX_OUT_OF_RANGE_REGEX)
+
+          raise
+        end
+
+        def run_shell_command(command, env = {})
+          start = Time.now
+          stdout, process = Open3.capture2e(env, command)
+          time_taken = start - Time.now
+
+          # Raise an error with the output from the shell session if dep
+          # returns a non-zero status
+          return if process.success?
+
+          raise SharedHelpers::HelperSubprocessFailed.new(
+            message: stdout,
+            error_context: {
+              command: command,
+              time_taken: time_taken,
+              process_exit_value: process.to_s
+            }
+          )
+        end
+
+        def write_temporary_dependency_files
+          dependency_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, file.content)
+          end
+
+          File.write("hello.go", dummy_app_content)
+        end
+
+        def dummy_app_content
+          base = "package main\n\n"\
+                 "import \"fmt\"\n\n"
+
+          packages_to_import.each { |nm| base += "import \"#{nm}\"\n\n" }
+
+          base + "func main() {\n  fmt.Printf(\"hello, world\\n\")\n}"
+        end
+
+        def packages_to_import
+          return [] unless lockfile
+
+          parsed_lockfile = TomlRB.parse(lockfile.content)
+
+          # If the lockfile was created using dep v0.5.0+ then it will tell us
+          # exactly which packages to import
+          if parsed_lockfile.dig("solve-meta", "input-imports")
+            return parsed_lockfile.dig("solve-meta", "input-imports")
+          end
+
+          # Otherwise we have no way of knowing, so import everything in the
+          # lockfile that isn't marked as internal
+          parsed_lockfile.fetch("projects").flat_map do |dep|
+            dep["packages"].map do |package|
+              next if package.start_with?("internal")
+
+              package == "." ? dep["name"] : File.join(dep["name"], package)
+            end.compact
+          end
+        end
+
+        def lockfile
+          @lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+        end
+
+        def version_class
+          Utils.version_class_for_package_manager(dependency.package_manager)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dep/version.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "rubygems_version_patch"
+require "dependabot/utils"
+
+# Go pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+# Best docs are at https://github.com/Masterminds/semver
+
+module Dependabot
+  module Dep
+    class Version < Gem::Version
+      VERSION_PATTERN = '[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
+                        '(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
+                        '(\+incompatible)?'
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
+
+      def self.correct?(version)
+        version = version.gsub(/^v/, "") if version.is_a?(String)
+        version = version.to_s.split("+").first if version.to_s.include?("+")
+        super(version)
+      end
+
+      def initialize(version)
+        @version_string = version.to_s.gsub(/^v/, "")
+        version = version.gsub(/^v/, "") if version.is_a?(String)
+        version = version.to_s.split("+").first if version.to_s.include?("+")
+        super
+      end
+
+      def inspect # :nodoc:
+        "#<#{self.class} #{@version_string.inspect}>"
+      end
+
+      def to_s
+        @version_string
+      end
+    end
+  end
+end
+
+Dependabot::Utils.register_version_class("dep", Dependabot::Dep::Version)

metadata

@@ -0,0 +1,192 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-dep
+version: !ruby/object:Gem::Version
+  version: 0.90.0
+platform: ruby
+authors:
+- Dependabot
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-01-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.90.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.90.0
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+  Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- helpers/Makefile
+- helpers/build
+- helpers/go.mod
+- helpers/go.sum
+- helpers/importresolver/go.mod
+- helpers/importresolver/main.go
+- helpers/main.go
+- lib/dependabot/dep.rb
+- lib/dependabot/dep/file_fetcher.rb
+- lib/dependabot/dep/file_parser.rb
+- lib/dependabot/dep/file_updater.rb
+- lib/dependabot/dep/file_updater/lockfile_updater.rb
+- lib/dependabot/dep/file_updater/manifest_updater.rb
+- lib/dependabot/dep/metadata_finder.rb
+- lib/dependabot/dep/native_helpers.rb
+- lib/dependabot/dep/path_converter.rb
+- lib/dependabot/dep/requirement.rb
+- lib/dependabot/dep/update_checker.rb
+- lib/dependabot/dep/update_checker/file_preparer.rb
+- lib/dependabot/dep/update_checker/latest_version_finder.rb
+- lib/dependabot/dep/update_checker/requirements_updater.rb
+- lib/dependabot/dep/update_checker/version_resolver.rb
+- lib/dependabot/dep/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+requirements: []
+rubygems_version: 3.0.1
+signing_key: 
+specification_version: 4
+summary: Go dep support for dependabot-core
+test_files: []