dependabot-dep 0.90.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ad3792a0b60d7e2a72c30da5a98570a58b8da9f6902dd13f03caf0ca2af76f36
+  data.tar.gz: f09e301e1c1b3800f7a674d85943c2c9848993fdc8e652425b60f23fe4d06bf5
+SHA512:
+  metadata.gz: bb482848e957c68149efc201af8cfa44862c2350e30f81bdd6f4324b62132bc48030c8c6368618608bb84389fc58ab9e4662cd89d26b1560cf83432b1e0f932c
+  data.tar.gz: 5467bdff0c0249674b448f3b6813a7d998e1d584186fbb4c9e71f636ca471916413169826e8e8c617b0f5349cd1b5461387345436449838c4a67d24644f83604

data/helpers/Makefile

@@ -0,0 +1,9 @@
+.PHONY = all
+
+all: darwin linux
+
+darwin:
+	GO111MODULE=on GOOS=darwin GOARCH=amd64 go build -o go-helpers.darwin64 .
+
+linux:
+	GO111MODULE=on GOOS=linux GOARCH=amd64  go build -o go-helpers.linux64 .

data/helpers/build

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+install_dir=$1
+if [ -z "$install_dir" ]; then
+  echo "usage: $0 INSTALL_DIR"
+  exit 1
+fi
+
+if ! [[ "$install_dir" =~ ^/ ]]; then
+  echo "$install_dir must be an absolute path"
+  exit 1
+fi
+
+if [ ! -d "$install_dir/bin" ]; then
+  mkdir -p "$install_dir/bin"
+fi
+
+helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
+cd $helpers_dir
+
+os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+echo "building $install_dir/bin/helper"
+
+GO111MODULE=on GOOS="$os" GOARCH=amd64 go build -o "$install_dir/bin/helper" .

data/helpers/go.mod

@@ -0,0 +1,8 @@
+module github.com/dependabot/dependabot-core/helpers/go
+
+require (
+	github.com/Masterminds/vcs v1.12.0
+	github.com/dependabot/dependabot-core/helpers/go/importresolver v0.0.0
+)
+
+replace github.com/dependabot/dependabot-core/helpers/go/importresolver => ./importresolver

data/helpers/go.sum

@@ -0,0 +1,2 @@
+github.com/Masterminds/vcs v1.12.0 h1:bt9Hb4XlfmEfLnVA0MVz2NO0GFuMN5vX8iOWW38Xde4=
+github.com/Masterminds/vcs v1.12.0/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=

data/helpers/importresolver/go.mod

@@ -0,0 +1 @@
+module github.com/dependabot/dependabot-core/helpers/go/importresolver

data/helpers/importresolver/main.go

@@ -0,0 +1,34 @@
+package importresolver
+
+import (
+	"io/ioutil"
+	"strings"
+
+	"github.com/Masterminds/vcs"
+)
+
+type Args struct {
+	Import string
+}
+
+func VCSRemoteForImport(args *Args) (interface{}, error) {
+	remote := args.Import
+	scheme := strings.Split(remote, ":")[0]
+	switch scheme {
+	case "http", "https":
+	default:
+		remote = "https://" + remote
+	}
+
+	local, err := ioutil.TempDir("", "unused-vcs-local-dir")
+	if err != nil {
+		return nil, err
+	}
+
+	repo, err := vcs.NewRepo(remote, local)
+	if err != nil {
+		return nil, err
+	}
+
+	return repo.Remote(), nil
+}

data/helpers/main.go

@@ -0,0 +1,67 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/dependabot/dependabot-core/helpers/go/importresolver"
+)
+
+type HelperParams struct {
+	Function string          `json:"function"`
+	Args     json.RawMessage `json:"args"`
+}
+
+type Output struct {
+	Error  string      `json:"error,omitempty"`
+	Result interface{} `json:"result,omitempty"`
+}
+
+func main() {
+	d := json.NewDecoder(os.Stdin)
+	helperParams := &HelperParams{}
+	if err := d.Decode(helperParams); err != nil {
+		abort(err)
+	}
+
+	var (
+		funcOut interface{}
+		funcErr error
+	)
+	switch helperParams.Function {
+	case "getVcsRemoteForImport":
+		var args importresolver.Args
+		parseArgs(helperParams.Args, &args)
+		funcOut, funcErr = importresolver.VCSRemoteForImport(&args)
+	default:
+		abort(fmt.Errorf("Unrecognised function '%s'", helperParams.Function))
+	}
+
+	if funcErr != nil {
+		abort(funcErr)
+	}
+
+	output(&Output{Result: funcOut})
+}
+
+func parseArgs(data []byte, args interface{}) {
+	if err := json.Unmarshal(data, args); err != nil {
+		abort(err)
+	}
+}
+
+func output(o *Output) {
+	bytes, jsonErr := json.Marshal(o)
+	if jsonErr != nil {
+		log.Fatal(jsonErr)
+	}
+
+	os.Stdout.Write(bytes)
+}
+
+func abort(err error) {
+	output(&Output{Error: err.Error()})
+	os.Exit(1)
+}

data/lib/dependabot/dep.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/dep/file_fetcher"
+require "dependabot/dep/file_parser"
+require "dependabot/dep/update_checker"
+require "dependabot/dep/file_updater"
+require "dependabot/dep/metadata_finder"
+require "dependabot/dep/requirement"
+require "dependabot/dep/version"

data/lib/dependabot/dep/file_fetcher.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Dep
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        (%w(Gopkg.toml Gopkg.lock) - filenames).empty?
+      end
+
+      def self.required_files_message
+        "Repo must contain a Gopkg.toml and Gopkg.lock."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files << manifest if manifest
+        fetched_files << lockfile if lockfile
+
+        unless manifest
+          raise(
+            Dependabot::DependencyFileNotFound,
+            File.join(directory, "Gopkg.toml")
+          )
+        end
+
+        unless lockfile
+          raise(
+            Dependabot::DependencyFileNotFound,
+            File.join(directory, "Gopkg.lock")
+          )
+        end
+
+        # Fetch the main.go file if present, as this will later identify
+        # this repo as an app.
+        fetched_files << main if main
+        fetched_files
+      end
+
+      def manifest
+        @manifest ||= fetch_file_if_present("Gopkg.toml")
+      end
+
+      def lockfile
+        @lockfile ||= fetch_file_if_present("Gopkg.lock")
+      end
+
+      def main
+        return @main if @main
+
+        go_files = repo_contents.select { |f| f.name.end_with?(".go") }
+
+        go_files.each do |go_file|
+          file = fetch_file_from_host(go_file.name, type: "package_main")
+          next unless file.content.match?(/\s*package\s+main/)
+
+          return @main = file.tap { |f| f.support_file = true }
+        end
+
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("dep", Dependabot::Dep::FileFetcher)

data/lib/dependabot/dep/file_parser.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+require "dependabot/errors"
+require "dependabot/dependency"
+require "dependabot/shared_helpers"
+require "dependabot/source"
+
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/dep/requirement"
+require "dependabot/dep/path_converter"
+
+# Relevant dep docs can be found at:
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.lock.md
+module Dependabot
+  module Dep
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+
+      REQUIREMENT_TYPES = %w(constraint override).freeze
+
+      def parse
+        dependency_set = DependencySet.new
+        dependency_set += manifest_dependencies
+        dependency_set += lockfile_dependencies
+        dependency_set.dependencies
+      end
+
+      private
+
+      def manifest_dependencies
+        dependency_set = DependencySet.new
+
+        REQUIREMENT_TYPES.each do |type|
+          parsed_file(manifest).fetch(type, []).each do |details|
+            next if lockfile && !appears_in_lockfile?(details.fetch("name"))
+            next if missing_version_in_manifest_and_lockfile(details)
+
+            dependency_set << Dependency.new(
+              name: details.fetch("name"),
+              version: version_from_declaration(details),
+              package_manager: "dep",
+              requirements: [{
+                requirement: requirement_from_declaration(details),
+                file: manifest.name,
+                groups: [],
+                source: source_from_declaration(details)
+              }]
+            )
+          end
+        end
+
+        dependency_set
+      end
+
+      def lockfile_dependencies
+        dependency_set = DependencySet.new
+
+        parsed_file(lockfile).fetch("projects", []).each do |details|
+          dependency_set << Dependency.new(
+            name: details.fetch("name"),
+            version: version_from_lockfile(details),
+            package_manager: "dep",
+            requirements: []
+          )
+        end
+
+        dependency_set
+      end
+
+      def version_from_lockfile(details)
+        details["version"]&.sub(/^v?/, "") || details.fetch("revision")
+      end
+
+      def requirement_from_declaration(declaration)
+        unless declaration.is_a?(Hash)
+          raise "Unexpected dependency declaration: #{declaration}"
+        end
+
+        return if git_declaration?(declaration)
+
+        declaration["version"]
+      end
+
+      def source_from_declaration(declaration)
+        source = declaration["source"] || declaration["name"]
+
+        git_source_url = git_source(source)
+
+        if git_source_url && git_declaration?(declaration)
+          {
+            type: "git",
+            url: git_source_url,
+            branch: declaration["branch"],
+            ref: declaration["revision"] || declaration["version"]
+          }
+        elsif git_declaration?(declaration)
+          raise "No git source for a git declaration!"
+        else
+          {
+            type: "default",
+            source: source
+          }
+        end
+      end
+
+      def version_from_declaration(declaration)
+        lockfile_details =
+          parsed_file(lockfile).fetch("projects", []).
+          find { |details| details["name"] == declaration.fetch("name") }
+
+        if source_from_declaration(declaration).fetch(:type) == "git"
+          lockfile_details["revision"] ||
+            version_from_lockfile(lockfile_details)
+        else
+          version_from_lockfile(lockfile_details)
+        end
+      end
+
+      def appears_in_lockfile?(dependency_name)
+        parsed_file(lockfile).fetch("projects", []).
+          any? { |details| details["name"] == dependency_name }
+      end
+
+      def git_declaration?(declaration)
+        return true if declaration["branch"] || declaration["revision"]
+        return false unless declaration["version"]
+        return false unless declaration["version"].match?(/^[A-Za-z0-9]/)
+
+        Dep::Requirement.new(declaration["version"])
+        false
+      rescue Gem::Requirement::BadRequirementError
+        true
+      end
+
+      def git_source(path)
+        Dependabot::Dep::PathConverter.git_url_for_path(path)
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => error
+        if error.message == "Cannot detect VCS"
+          msg = error.message + " for #{path}"
+          raise Dependabot::DependencyFileNotResolvable, msg
+        end
+
+        if error.message.end_with?("Not Found")
+          msg = "#{path} returned a 404"
+          raise Dependabot::DependencyFileNotResolvable, msg
+        end
+
+        raise
+      end
+
+      def parsed_file(file)
+        @parsed_file ||= {}
+        @parsed_file[file.name] ||= TomlRB.parse(file.content)
+      rescue TomlRB::ParseError
+        raise Dependabot::DependencyFileNotParseable, file.path
+      end
+
+      def manifest
+        @manifest ||= get_original_file("Gopkg.toml")
+      end
+
+      def lockfile
+        @lockfile ||= get_original_file("Gopkg.lock")
+      end
+
+      def check_required_files
+        %w(Gopkg.toml Gopkg.lock).each do |filename|
+          raise "No #{filename}!" unless get_original_file(filename)
+        end
+      end
+
+      def missing_version_in_manifest_and_lockfile(declaration)
+        return false if git_declaration?(declaration)
+
+        lockfile_decl =
+          parsed_file(lockfile).
+          fetch("projects", []).
+          find { |details| details["name"] == declaration["name"] }
+        lockfile_decl&.fetch("version", nil).nil?
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.register("dep", Dependabot::Dep::FileParser)

data/lib/dependabot/dep/file_updater.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module Dep
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      require_relative "file_updater/manifest_updater"
+      require_relative "file_updater/lockfile_updater"
+
+      def self.updated_files_regex
+        [
+          /^Gopkg\.toml$/,
+          /^Gopkg\.lock$/,
+          /^go\.mod$/,
+          /^go\.sum$/
+        ]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        if manifest && file_changed?(manifest)
+          updated_files <<
+            updated_file(
+              file: manifest,
+              content: updated_manifest_content
+            )
+        end
+
+        if lockfile
+          updated_files <<
+            updated_file(file: lockfile, content: updated_lockfile_content)
+        end
+
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      def check_required_files
+        return if get_original_file("Gopkg.toml")
+        return if get_original_file("go.mod")
+
+        raise "No Gopkg.toml or go.mod!"
+      end
+
+      def manifest
+        @manifest ||= get_original_file("Gopkg.toml")
+      end
+
+      def lockfile
+        @lockfile ||= get_original_file("Gopkg.lock")
+      end
+
+      def updated_manifest_content
+        ManifestUpdater.new(
+          dependencies: dependencies,
+          manifest: manifest
+        ).updated_manifest_content
+      end
+
+      def updated_lockfile_content
+        LockfileUpdater.new(
+          dependencies: dependencies,
+          dependency_files: dependency_files,
+          credentials: credentials
+        ).updated_lockfile_content
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("dep", Dependabot::Dep::FileUpdater)