dependabot-go_modules 0.129.3 → 0.130.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/helpers/go.mod +1 -1
  3. data/helpers/go.sum +3 -2
  4. data/lib/dependabot/go_modules/file_parser.rb +1 -1
  5. data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +20 -6
  6. data/lib/dependabot/go_modules/resolvability_errors.rb +34 -0
  7. data/lib/dependabot/go_modules/update_checker.rb +4 -2
  8. metadata +8 -7
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 53bdc10b2ee34e677da5df98559e3cc54eb18ce95f5a2f773499492e26f0edee
4
- data.tar.gz: 9417a94e65c0b2d2589a5074e49cdf8c778389cf6ffc67647414a069445c0f82
3
+ metadata.gz: d9e9240a82ac456bcacd30f6e62459b31859065103447b99da6bcdb486a9727f
4
+ data.tar.gz: 751cdf892e09ab083ee976030078ca3101f09e94555fd81432fb7e605a06da52
5
5
  SHA512:
6
- metadata.gz: '00558e919ce1329a7b4223ee1442c6f04bb9914673b4e22c21f18805aa85b7261be393a854d36458e5a5633a46f6c90bad870e008d5fce50e183dd78a4275e2d'
7
- data.tar.gz: 7b287dccd8110ec517e505afdf585355f7b780f376650a4202397bb8149cce8f9ec0edd66257c2b70a9b39bcc097f5d17993768fc439bdcb9ceafb796ff83616
6
+ metadata.gz: 8ada2eb18cfb2eb8d01e76ba3ca162a7a1c5998928e1e091444c0353438bc3840df98f7d0304f4d7bcf8b0e0ec3ae3b455d616bf204d9751bc881989b8bfbcb2
7
+ data.tar.gz: 3135e55982413ab84af432afd2cd47ade3b537c183152114d2e2d3f7bf1fe2d54e42df07ce58a4f1bce0d1faa986880025bed7bd4672a5544760a5b208ecbf8e
data/helpers/go.mod CHANGED
@@ -6,7 +6,7 @@ require (
6
6
  github.com/Masterminds/vcs v1.13.1
7
7
  github.com/dependabot/dependabot-core/go_modules/helpers/updater v0.0.0
8
8
  github.com/dependabot/gomodules-extracted v1.2.0
9
- golang.org/x/mod v0.4.0
9
+ golang.org/x/mod v0.4.1
10
10
  )
11
11
 
12
12
  replace github.com/dependabot/dependabot-core/go_modules/helpers/importresolver => ./importresolver
data/helpers/go.sum CHANGED
@@ -1,12 +1,13 @@
1
1
  github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
2
2
  github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
3
+ github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3/go.mod h1:+dRXSrUymjpT4yzKtn1QmeknT1S/yAHRr35en18dHp8=
3
4
  github.com/dependabot/gomodules-extracted v1.2.0 h1:K/gTyOyhasOt4cjULvOPNiD3MAFGytp4F7e39aB+0Y0=
4
5
  github.com/dependabot/gomodules-extracted v1.2.0/go.mod h1:3NWkH8KcZVDM87JuZI8hCZzYbjfUSz98EZI53qjgMgY=
5
6
  golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
6
7
  golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
7
8
  golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
8
- golang.org/x/mod v0.4.0 h1:8pl+sMODzuvGJkmj2W4kZihvVb5mKm8pB/X44PIQHv8=
9
- golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
9
+ golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY=
10
+ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
10
11
  golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
11
12
  golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
12
13
  golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
data/lib/dependabot/go_modules/file_parser.rb CHANGED
@@ -77,7 +77,7 @@ module Dependabot
77
77
 
78
78
  stdout, stderr, status = Open3.capture3(env, command)
79
79
  handle_parser_error(path, stderr) unless status.success?
80
- JSON.parse(stdout)["Require"]
80
+ JSON.parse(stdout)["Require"] || []
81
81
  rescue Dependabot::DependencyFileNotResolvable
82
82
  # We sometimes see this error if a host times out.
83
83
  # In such cases, retrying (a maximum of 3 times) may fix it.
data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb CHANGED
@@ -4,6 +4,7 @@ require "dependabot/shared_helpers"
4
4
  require "dependabot/errors"
5
5
  require "dependabot/go_modules/file_updater"
6
6
  require "dependabot/go_modules/native_helpers"
7
+ require "dependabot/go_modules/resolvability_errors"
7
8
 
8
9
  module Dependabot
9
10
  module GoModules
@@ -14,19 +15,21 @@ module Dependabot
14
15
  ENVIRONMENT = { "GOPRIVATE" => "*" }.freeze
15
16
 
16
17
  RESOLVABILITY_ERROR_REGEXES = [
17
- # (Private) module could not be fetched
18
- /go: .*: git fetch .*: exit status 128/.freeze,
19
18
  # The checksum in go.sum does not match the dowloaded content
20
19
  /verifying .*: checksum mismatch/.freeze,
20
+ /go: .*: go.mod has post-v\d+ module path/
21
+ ].freeze
22
+
23
+ REPO_RESOLVABILITY_ERROR_REGEXES = [
24
+ # (Private) module could not be fetched
25
+ /go: .*: git fetch .*: exit status 128/.freeze,
21
26
  # (Private) module could not be found
22
27
  /cannot find module providing package/.freeze,
23
28
  # Package in module was likely renamed or removed
24
29
  /module .* found \(.*\), but does not contain package/m.freeze,
25
30
  # Package does not exist, has been pulled or cannot be reached due to
26
31
  # auth problems with either git or the go proxy
27
- /go: .*: unknown revision/m.freeze,
28
- # Package version doesn't match the module major version
29
- /go: .*: go.mod has post-v\d+ module path/m.freeze
32
+ /go: .*: unknown revision/m.freeze
30
33
  ].freeze
31
34
 
32
35
  MODULE_PATH_MISMATCH_REGEXES = [
@@ -263,13 +266,22 @@ module Dependabot
263
266
  write_go_mod(body)
264
267
  end
265
268
 
269
+ # rubocop:disable Metrics/AbcSize
270
+ # rubocop:disable Metrics/PerceivedComplexity
266
271
  def handle_subprocess_error(stderr)
267
272
  stderr = stderr.gsub(Dir.getwd, "")
268
273
 
274
+ # Package version doesn't match the module major version
269
275
  error_regex = RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
270
276
  if error_regex
271
277
  lines = stderr.lines.drop_while { |l| error_regex !~ l }
272
- raise Dependabot::DependencyFileNotResolvable.new, lines.join
278
+ raise Dependabot::DependencyFileNotResolvable, lines.join
279
+ end
280
+
281
+ repo_error_regex = REPO_RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
282
+ if repo_error_regex
283
+ lines = stderr.lines.drop_while { |l| repo_error_regex !~ l }
284
+ ResolvabilityErrors.handle(lines.join, credentials: credentials)
273
285
  end
274
286
 
275
287
  path_regex = MODULE_PATH_MISMATCH_REGEXES.find { |r| stderr =~ r }
@@ -289,6 +301,8 @@ module Dependabot
289
301
  msg = stderr.lines.last(10).join.strip
290
302
  raise Dependabot::DependabotError, msg
291
303
  end
304
+ # rubocop:enable Metrics/PerceivedComplexity
305
+ # rubocop:enable Metrics/AbcSize
292
306
 
293
307
  def go_mod_path
294
308
  return "go.mod" if directory == "/"
data/lib/dependabot/go_modules/resolvability_errors.rb ADDED
@@ -0,0 +1,34 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Dependabot
4
+ module GoModules
5
+ module ResolvabilityErrors
6
+ GITHUB_REPO_REGEX = %r{github.com/[^:@]*}.freeze
7
+
8
+ def self.handle(message, credentials:)
9
+ mod_path = message.scan(GITHUB_REPO_REGEX).first
10
+ raise Dependabot::DependencyFileNotResolvable, message unless mod_path
11
+
12
+ # Module not found on github.com - query for _any_ version to know if it
13
+ # doesn't exist (or is private) or we were just given a bad revision by this manifest
14
+ SharedHelpers.in_a_temporary_directory do
15
+ SharedHelpers.with_git_configured(credentials: credentials) do
16
+ File.write("go.mod", "module dummy\n")
17
+
18
+ env = { "GOPRIVATE" => "*" }
19
+ _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{mod_path}"))
20
+ raise Dependabot::DependencyFileNotResolvable, message if status.success?
21
+
22
+ mod_split = mod_path.split("/")
23
+ repo_path = if mod_split.size > 3
24
+ mod_split[0..2].join("/")
25
+ else
26
+ mod_path
27
+ end
28
+ raise Dependabot::GitDependenciesNotReachable, [repo_path]
29
+ end
30
+ end
31
+ end
32
+ end
33
+ end
34
+ end
data/lib/dependabot/go_modules/update_checker.rb CHANGED
@@ -5,6 +5,7 @@ require "dependabot/update_checkers/base"
5
5
  require "dependabot/shared_helpers"
6
6
  require "dependabot/errors"
7
7
  require "dependabot/go_modules/native_helpers"
8
+ require "dependabot/go_modules/resolvability_errors"
8
9
  require "dependabot/go_modules/version"
9
10
 
10
11
  module Dependabot
@@ -14,7 +15,8 @@ module Dependabot
14
15
  # Package url/proxy doesn't include any redirect meta tags
15
16
  /no go-import meta tags/,
16
17
  # Package url 404s
17
- /404 Not Found/
18
+ /404 Not Found/,
19
+ /Repository not found/
18
20
  ].freeze
19
21
 
20
22
  def latest_resolvable_version
@@ -86,7 +88,7 @@ module Dependabot
86
88
 
87
89
  def handle_subprocess_error(error)
88
90
  if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
89
- raise Dependabot::DependencyFileNotResolvable, error.message
91
+ ResolvabilityErrors.handle(error.message, credentials: credentials)
90
92
  end
91
93
 
92
94
  raise
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-go_modules
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.129.3
4
+ version: 0.130.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-01-05 00:00:00.000000000 Z
11
+ date: 2021-01-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.129.3
19
+ version: 0.130.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.129.3
26
+ version: 0.130.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: 1.7.0
103
+ version: 1.8.0
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: 1.7.0
110
+ version: 1.8.0
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: simplecov
113
113
  requirement: !ruby/object:Gem::Requirement
@@ -191,6 +191,7 @@ files:
191
191
  - lib/dependabot/go_modules/native_helpers.rb
192
192
  - lib/dependabot/go_modules/path_converter.rb
193
193
  - lib/dependabot/go_modules/requirement.rb
194
+ - lib/dependabot/go_modules/resolvability_errors.rb
194
195
  - lib/dependabot/go_modules/update_checker.rb
195
196
  - lib/dependabot/go_modules/version.rb
196
197
  homepage: https://github.com/dependabot/dependabot-core
@@ -212,7 +213,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
212
213
  - !ruby/object:Gem::Version
213
214
  version: 2.5.0
214
215
  requirements: []
215
- rubygems_version: 3.1.4
216
+ rubygems_version: 3.2.3
216
217
  signing_key:
217
218
  specification_version: 4
218
219
  summary: Go modules support for dependabot