dependabot-go_modules 0.143.6 → 0.144.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f7da85db7e862802674637b2eb899ef4152e6689f21cf02c11e58413575e54a
-  data.tar.gz: 2893d638801caff1e75ea27fd8d54e11f64aea4cb4430ca1ae035662ed3a6d36
+  metadata.gz: 2505607e3f2717b5a8cb513b12801baa4ff1ff575e1a3a54ae21724ab1f1353d
+  data.tar.gz: fbac460701747cdeacd631163234633ea5d8e5779d3c8dc78e66f2721166d18d
 SHA512:
-  metadata.gz: 6a600a27b41908437b8b4e6c0859843b4315f12d4a42eccb1d95f2fb471089ebf718ca508e368be9d09eaba53586e63254085738a6aa59641b28331db3b4cdd4
-  data.tar.gz: 9243bdb791e8c652c78a12993ef6e5611ca5738a2e20f0885fd51456d5be5c42c463fa73e4dd99db4496f6ec7d915e956aee94d759b272584ad1bf641a3933c9
+  metadata.gz: 5ea7b06a9c99783e6cc6301ceda812b728b929a1a5fc5909c6654f1b1f17c030d630a5c0e6307a39cd5f0647bb2866e6261e95e9e79d2d279f009abf803e72e9
+  data.tar.gz: 18b9e5f44a0f99612f53579abadc77b25b71621dfea5867b1b59f7452657e65c100990ae12ebc0b9ff27f19803260cfb667d9cd9194acb41f8fdb92f9351f786

data/lib/dependabot/go_modules/file_parser.rb

@@ -4,6 +4,7 @@ require "open3"
 require "dependabot/dependency"
 require "dependabot/file_parsers/base/dependency_set"
 require "dependabot/go_modules/path_converter"
+require "dependabot/go_modules/replace_stubber"
 require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -17,7 +18,7 @@ module Dependabot
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
         required_packages.each do |dep|
-          dependency_set << dependency_from_details(dep) unless dep["Indirect"]
+          dependency_set << dependency_from_details(dep) unless skip_dependency?(dep)
         end
 
         dependency_set.dependencies
@@ -109,11 +110,8 @@ module Dependabot
             # we can use in their place. Using generated paths is safer as it
             # means we don't need to worry about references to parent
             # directories, etc.
-            (JSON.parse(stdout)["Replace"] || []).
-              map { |r| r["New"]["Path"] }.
-              compact.
-              select { |p| p.start_with?(".") || p.start_with?("/") }.
-              map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }
+            manifest = JSON.parse(stdout)
+            ReplaceStubber.new(repo_contents_path).stub_paths(manifest, go_mod.directory)
           end
       end
 
@@ -163,6 +161,17 @@ module Dependabot
 
         raw_version.match(GIT_VERSION_REGEX).named_captures.fetch("sha")
       end
+
+      def skip_dependency?(dep)
+        return true if dep["Indirect"]
+
+        begin
+          path_uri = URI.parse("https://#{dep['Path']}")
+          !path_uri.host.include?(".")
+        rescue URI::InvalidURIError
+          false
+        end
+      end
     end
   end
 end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -4,6 +4,7 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/go_modules/file_updater"
 require "dependabot/go_modules/native_helpers"
+require "dependabot/go_modules/replace_stubber"
 require "dependabot/go_modules/resolvability_errors"
 
 module Dependabot
@@ -222,37 +223,8 @@ module Dependabot
         # process afterwards.
         def replace_directive_substitutions(manifest)
           @replace_directive_substitutions ||=
-            (manifest["Replace"] || []).
-            map { |r| r["New"]["Path"] }.
-            compact.
-            select { |p| stub_replace_path?(p) }.
-            map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
-            to_h
-        end
-
-        # returns true if the provided path should be replaced with a stub
-        def stub_replace_path?(path)
-          return true if absolute_path?(path)
-          return false unless relative_replacement_path?(path)
-
-          resolved_path = module_pathname.join(path).realpath
-          inside_repo_contents_path = resolved_path.to_s.start_with?(repo_contents_path.to_s)
-          !inside_repo_contents_path
-        rescue Errno::ENOENT
-          true
-        end
-
-        def absolute_path?(path)
-          path.start_with?("/")
-        end
-
-        def relative_replacement_path?(path)
-          # https://golang.org/ref/mod#go-mod-file-replace
-          path.start_with?("./") || path.start_with?("../")
-        end
-
-        def module_pathname
-          @module_pathname ||= Pathname.new(repo_contents_path).join(directory.sub(%r{^/}, ""))
+            Dependabot::GoModules::ReplaceStubber.new(repo_contents_path).
+            stub_paths(manifest, directory)
         end
 
         def substitute_all(substitutions)

data/lib/dependabot/go_modules/replace_stubber.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module GoModules
+    # Given a go.mod file, find all `replace` directives pointing to a path
+    # on the local filesystem outside of the current checkout, and return a hash
+    # mapping the original path to a hash of the path.
+    #
+    # This lets us substitute all parts of the go.mod that are dependent on
+    # the layout of the filesystem with a structure we can reproduce (i.e.
+    # no paths such as ../../../foo), run the Go tooling, then reverse the
+    # process afterwards.
+    class ReplaceStubber
+      def initialize(repo_contents_path)
+        @repo_contents_path = repo_contents_path
+      end
+
+      def stub_paths(manifest, directory)
+        (manifest["Replace"] || []).
+          map { |r| r["New"]["Path"] }.
+          compact.
+          select { |p| stub_replace_path?(p, directory) }.
+          map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
+          to_h
+      end
+
+      private
+
+      def stub_replace_path?(path, directory)
+        return true if absolute_path?(path)
+        return false unless relative_replacement_path?(path)
+        return true if @repo_contents_path.nil?
+
+        resolved_path = module_pathname(directory).join(path).realpath
+        inside_repo_contents_path = resolved_path.to_s.start_with?(@repo_contents_path.to_s)
+        !inside_repo_contents_path
+      rescue Errno::ENOENT
+        true
+      end
+
+      def absolute_path?(path)
+        path.start_with?("/")
+      end
+
+      def relative_replacement_path?(path)
+        # https://golang.org/ref/mod#go-mod-file-replace
+        path.start_with?("./") || path.start_with?("../")
+      end
+
+      def module_pathname(directory)
+        @module_pathname ||= Pathname.new(@repo_contents_path).join(directory.sub(%r{^/}, ""))
+      end
+    end
+  end
+end

data/lib/dependabot/go_modules/update_checker.rb

@@ -16,7 +16,8 @@ module Dependabot
         /no go-import meta tags/,
         # Package url 404s
         /404 Not Found/,
-        /Repository not found/
+        /Repository not found/,
+        /unrecognized import path/
       ].freeze
 
       def latest_resolvable_version

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.143.6
+  version: 0.144.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-30 00:00:00.000000000 Z
+date: 2021-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.143.6
+        version: 0.144.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.143.6
+        version: 0.144.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -202,6 +202,7 @@ files:
 - lib/dependabot/go_modules/metadata_finder.rb
 - lib/dependabot/go_modules/native_helpers.rb
 - lib/dependabot/go_modules/path_converter.rb
+- lib/dependabot/go_modules/replace_stubber.rb
 - lib/dependabot/go_modules/requirement.rb
 - lib/dependabot/go_modules/resolvability_errors.rb
 - lib/dependabot/go_modules/update_checker.rb