dependabot-go_modules 0.143.2 → 0.144.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a16d13912a07809eb337181e582a45bc828aa24c8fe8da113fad6d241387abf3
-  data.tar.gz: c3835c430ff96912a51332a1bd30ff6bd21e1072f0ccd59eb471ae63b0b8e653
+  metadata.gz: 2505607e3f2717b5a8cb513b12801baa4ff1ff575e1a3a54ae21724ab1f1353d
+  data.tar.gz: fbac460701747cdeacd631163234633ea5d8e5779d3c8dc78e66f2721166d18d
 SHA512:
-  metadata.gz: 75134c41a657013f42ec22494d6c73612af31862fef6afcba0e8d744f015482adbfd6f23d44772db0ed4370acd41d55f6952f22de1bb880db1233c76349bcb45
-  data.tar.gz: 3795a50e41ad2108ca1a0ab06d3a307b4b819ed175a7b5a7afe5edd708c6950fff410ae17c53b06b96e06c82efdfa678ba1a2587a24c36a327a2d8c91a1389c6
+  metadata.gz: 5ea7b06a9c99783e6cc6301ceda812b728b929a1a5fc5909c6654f1b1f17c030d630a5c0e6307a39cd5f0647bb2866e6261e95e9e79d2d279f009abf803e72e9
+  data.tar.gz: 18b9e5f44a0f99612f53579abadc77b25b71621dfea5867b1b59f7452657e65c100990ae12ebc0b9ff27f19803260cfb667d9cd9194acb41f8fdb92f9351f786

data/helpers/Makefile

@@ -3,7 +3,7 @@
 all: darwin linux
 
 darwin:
-	GO111MODULE=on GOOS=darwin GOARCH=amd64 go build -o go-helpers.darwin64 .
+	GOOS=darwin GOARCH=amd64 go build -o go-helpers.darwin64 .
 
 linux:
-	GO111MODULE=on GOOS=linux GOARCH=amd64  go build -o go-helpers.linux64 .
+	GOOS=linux GOARCH=amd64  go build -o go-helpers.linux64 .

data/helpers/build

@@ -23,5 +23,5 @@ cd $helpers_dir
 os="$(uname -s | tr '[:upper:]' '[:lower:]')"
 echo "building $install_dir/bin/helper"
 
-GO111MODULE=on GOOS="$os" GOARCH=amd64 go build -o "$install_dir/bin/helper" .
-go clean -cache -modcache
+GOOS="$os" GOARCH=amd64 go build -o "$install_dir/bin/helper" .
+go clean -cache -modcache

data/helpers/go.mod

@@ -1,16 +1,9 @@
 module github.com/dependabot/dependabot-core/go_modules/helpers
 
-go 1.13
+go 1.16
 
 require (
 	github.com/Masterminds/vcs v1.13.1
-	github.com/dependabot/dependabot-core/go_modules/helpers/updater v0.0.0
 	github.com/dependabot/gomodules-extracted v1.2.0
 	golang.org/x/mod v0.4.2
 )
-
-replace github.com/dependabot/dependabot-core/go_modules/helpers/importresolver => ./importresolver
-
-replace github.com/dependabot/dependabot-core/go_modules/helpers/updater => ./updater
-
-replace github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker => ./updatechecker

data/helpers/go.sum

@@ -1,6 +1,5 @@
 github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
 github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
-github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3/go.mod h1:+dRXSrUymjpT4yzKtn1QmeknT1S/yAHRr35en18dHp8=
 github.com/dependabot/gomodules-extracted v1.2.0 h1:K/gTyOyhasOt4cjULvOPNiD3MAFGytp4F7e39aB+0Y0=
 github.com/dependabot/gomodules-extracted v1.2.0/go.mod h1:3NWkH8KcZVDM87JuZI8hCZzYbjfUSz98EZI53qjgMgY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

data/helpers/main.go

@@ -46,7 +46,7 @@ func main() {
 		parseArgs(helperParams.Args, &args)
 		funcOut, funcErr = importresolver.VCSRemoteForImport(&args)
 	default:
-		abort(fmt.Errorf("Unrecognised function '%s'", helperParams.Function))
+		abort(fmt.Errorf("unrecognised function '%s'", helperParams.Function))
 	}
 
 	if funcErr != nil {

data/helpers/updater/helpers.go

@@ -6,7 +6,11 @@ import (
 	"golang.org/x/mod/modfile"
 )
 
-// Private methods lifted from the `modfile` package
+// Private methods lifted from the `modfile` package.
+// Last synced: 4/28/2021 from:
+// https://github.com/golang/mod/blob/858fdbee9c245c8109c359106e89c6b8d321f19c/modfile/rule.go
+
+var slashSlash = []byte("//")
 
 // setIndirect sets line to have (or not have) a "// indirect" comment.
 func setIndirect(line *modfile.Line, indirect bool) {
@@ -20,13 +24,17 @@ func setIndirect(line *modfile.Line, indirect bool) {
 			line.Suffix = []modfile.Comment{{Token: "// indirect", Suffix: true}}
 			return
 		}
-		// Insert at beginning of existing comment.
+
 		com := &line.Suffix[0]
-		space := " "
-		if len(com.Token) > 2 && com.Token[2] == ' ' || com.Token[2] == '\t' {
-			space = ""
+		text := strings.TrimSpace(strings.TrimPrefix(com.Token, string(slashSlash)))
+		if text == "" {
+			// Empty comment.
+			com.Token = "// indirect"
+			return
 		}
-		com.Token = "// indirect;" + space + com.Token[2:]
+
+		// Insert at beginning of existing comment.
+		com.Token = "// indirect; " + text
 		return
 	}
 
@@ -52,6 +60,6 @@ func isIndirect(line *modfile.Line) bool {
 	if len(line.Suffix) == 0 {
 		return false
 	}
-	f := strings.Fields(line.Suffix[0].Token)
-	return (len(f) == 2 && f[1] == "indirect" || len(f) > 2 && f[1] == "indirect;") && f[0] == "//"
+	f := strings.Fields(strings.TrimPrefix(line.Suffix[0].Token, string(slashSlash)))
+	return (len(f) == 1 && f[0] == "indirect" || len(f) > 1 && f[0] == "indirect;")
 }

data/helpers/updater/main.go

@@ -28,7 +28,9 @@ func UpdateDependencyFile(args *Args) (interface{}, error) {
 	}
 
 	for _, dep := range args.Dependencies {
-		f.AddRequire(dep.Name, dep.Version)
+		if err := f.AddRequire(dep.Name, dep.Version); err != nil {
+			return nil, err
+		}
 	}
 
 	for _, r := range f.Require {

data/lib/dependabot/go_modules/file_parser.rb

@@ -4,6 +4,7 @@ require "open3"
 require "dependabot/dependency"
 require "dependabot/file_parsers/base/dependency_set"
 require "dependabot/go_modules/path_converter"
+require "dependabot/go_modules/replace_stubber"
 require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -17,7 +18,7 @@ module Dependabot
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
         required_packages.each do |dep|
-          dependency_set << dependency_from_details(dep) unless dep["Indirect"]
+          dependency_set << dependency_from_details(dep) unless skip_dependency?(dep)
         end
 
         dependency_set.dependencies
@@ -109,11 +110,8 @@ module Dependabot
             # we can use in their place. Using generated paths is safer as it
             # means we don't need to worry about references to parent
             # directories, etc.
-            (JSON.parse(stdout)["Replace"] || []).
-              map { |r| r["New"]["Path"] }.
-              compact.
-              select { |p| p.start_with?(".") || p.start_with?("/") }.
-              map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }
+            manifest = JSON.parse(stdout)
+            ReplaceStubber.new(repo_contents_path).stub_paths(manifest, go_mod.directory)
           end
       end
 
@@ -163,6 +161,17 @@ module Dependabot
 
         raw_version.match(GIT_VERSION_REGEX).named_captures.fetch("sha")
       end
+
+      def skip_dependency?(dep)
+        return true if dep["Indirect"]
+
+        begin
+          path_uri = URI.parse("https://#{dep['Path']}")
+          !path_uri.host.include?(".")
+        rescue URI::InvalidURIError
+          false
+        end
+      end
     end
   end
 end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -4,6 +4,7 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/go_modules/file_updater"
 require "dependabot/go_modules/native_helpers"
+require "dependabot/go_modules/replace_stubber"
 require "dependabot/go_modules/resolvability_errors"
 
 module Dependabot
@@ -222,37 +223,8 @@ module Dependabot
         # process afterwards.
         def replace_directive_substitutions(manifest)
           @replace_directive_substitutions ||=
-            (manifest["Replace"] || []).
-            map { |r| r["New"]["Path"] }.
-            compact.
-            select { |p| stub_replace_path?(p) }.
-            map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
-            to_h
-        end
-
-        # returns true if the provided path should be replaced with a stub
-        def stub_replace_path?(path)
-          return true if absolute_path?(path)
-          return false unless relative_replacement_path?(path)
-
-          resolved_path = module_pathname.join(path).realpath
-          inside_repo_contents_path = resolved_path.to_s.start_with?(repo_contents_path.to_s)
-          !inside_repo_contents_path
-        rescue Errno::ENOENT
-          true
-        end
-
-        def absolute_path?(path)
-          path.start_with?("/")
-        end
-
-        def relative_replacement_path?(path)
-          # https://golang.org/ref/mod#go-mod-file-replace
-          path.start_with?("./") || path.start_with?("../")
-        end
-
-        def module_pathname
-          @module_pathname ||= Pathname.new(repo_contents_path).join(directory.sub(%r{^/}, ""))
+            Dependabot::GoModules::ReplaceStubber.new(repo_contents_path).
+            stub_paths(manifest, directory)
         end
 
         def substitute_all(substitutions)

data/lib/dependabot/go_modules/replace_stubber.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module GoModules
+    # Given a go.mod file, find all `replace` directives pointing to a path
+    # on the local filesystem outside of the current checkout, and return a hash
+    # mapping the original path to a hash of the path.
+    #
+    # This lets us substitute all parts of the go.mod that are dependent on
+    # the layout of the filesystem with a structure we can reproduce (i.e.
+    # no paths such as ../../../foo), run the Go tooling, then reverse the
+    # process afterwards.
+    class ReplaceStubber
+      def initialize(repo_contents_path)
+        @repo_contents_path = repo_contents_path
+      end
+
+      def stub_paths(manifest, directory)
+        (manifest["Replace"] || []).
+          map { |r| r["New"]["Path"] }.
+          compact.
+          select { |p| stub_replace_path?(p, directory) }.
+          map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
+          to_h
+      end
+
+      private
+
+      def stub_replace_path?(path, directory)
+        return true if absolute_path?(path)
+        return false unless relative_replacement_path?(path)
+        return true if @repo_contents_path.nil?
+
+        resolved_path = module_pathname(directory).join(path).realpath
+        inside_repo_contents_path = resolved_path.to_s.start_with?(@repo_contents_path.to_s)
+        !inside_repo_contents_path
+      rescue Errno::ENOENT
+        true
+      end
+
+      def absolute_path?(path)
+        path.start_with?("/")
+      end
+
+      def relative_replacement_path?(path)
+        # https://golang.org/ref/mod#go-mod-file-replace
+        path.start_with?("./") || path.start_with?("../")
+      end
+
+      def module_pathname(directory)
+        @module_pathname ||= Pathname.new(@repo_contents_path).join(directory.sub(%r{^/}, ""))
+      end
+    end
+  end
+end

data/lib/dependabot/go_modules/update_checker.rb

@@ -16,7 +16,8 @@ module Dependabot
         /no go-import meta tags/,
         # Package url 404s
         /404 Not Found/,
-        /Repository not found/
+        /Repository not found/,
+        /unrecognized import path/
       ].freeze
 
       def latest_resolvable_version
@@ -24,7 +25,7 @@ module Dependabot
         #
         # To update indirect dependencies we'll need to promote the indirect
         # dependency to the go.mod file forcing the resolver to pick this
-        # version (possibly as # indirect)
+        # version (possibly as `// indirect`)
         unless dependency.top_level?
           return unless dependency.version
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.143.2
+  version: 0.144.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-23 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.143.2
+        version: 0.144.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.143.2
+        version: 0.144.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -192,8 +192,6 @@ files:
 - helpers/importresolver/main.go
 - helpers/main.go
 - helpers/updatechecker/main.go
-- helpers/updater/go.mod
-- helpers/updater/go.sum
 - helpers/updater/helpers.go
 - helpers/updater/main.go
 - lib/dependabot/go_modules.rb
@@ -204,6 +202,7 @@ files:
 - lib/dependabot/go_modules/metadata_finder.rb
 - lib/dependabot/go_modules/native_helpers.rb
 - lib/dependabot/go_modules/path_converter.rb
+- lib/dependabot/go_modules/replace_stubber.rb
 - lib/dependabot/go_modules/requirement.rb
 - lib/dependabot/go_modules/resolvability_errors.rb
 - lib/dependabot/go_modules/update_checker.rb

data/helpers/updater/go.mod

@@ -1,3 +0,0 @@
-module github.com/dependabot/dependabot-core/helpers/go/updater
-
-require github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3

data/helpers/updater/go.sum

@@ -1,2 +0,0 @@
-github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3 h1:Xj2leY0FVyZuo+p59vkIWG3dIqo+QtjskT5O1iTiywA=
-github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3/go.mod h1:+dRXSrUymjpT4yzKtn1QmeknT1S/yAHRr35en18dHp8=