dependabot-go_modules 0.143.6 → 0.145.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f7da85db7e862802674637b2eb899ef4152e6689f21cf02c11e58413575e54a
-  data.tar.gz: 2893d638801caff1e75ea27fd8d54e11f64aea4cb4430ca1ae035662ed3a6d36
+  metadata.gz: a6fd4162b73e9c156a4501a0cccbe80b70938f612b6cbfeacd1fd4bfca0b2dbc
+  data.tar.gz: 2a1685ffcadd0b1131f0419c83b0a5bdce3cdd8351b0440affdf09d09f650272
 SHA512:
-  metadata.gz: 6a600a27b41908437b8b4e6c0859843b4315f12d4a42eccb1d95f2fb471089ebf718ca508e368be9d09eaba53586e63254085738a6aa59641b28331db3b4cdd4
-  data.tar.gz: 9243bdb791e8c652c78a12993ef6e5611ca5738a2e20f0885fd51456d5be5c42c463fa73e4dd99db4496f6ec7d915e956aee94d759b272584ad1bf641a3933c9
+  metadata.gz: 4e56568eaa89b3ccbf6f5085665f90f0e463a5c3802e703119936a9d4a8ba6dd7b048ecafdd092ec4ca22b47340879111c15aaeab6c016a9b53bd3f5cda9b93e
+  data.tar.gz: 569c709ee4805cc17c21bd105268b1a7c215387133c964b13aada7f796f06444633e25ee82fb50e4368c464155c34e5e52e5b8aaa4c0c8ff16ef8eebecb549fd

data/helpers/go.mod

@@ -4,6 +4,6 @@ go 1.16
 
 require (
 	github.com/Masterminds/vcs v1.13.1
-	github.com/dependabot/gomodules-extracted v1.2.0
+	github.com/dependabot/gomodules-extracted v1.3.0
 	golang.org/x/mod v0.4.2
 )

data/helpers/go.sum

@@ -1,7 +1,7 @@
 github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
 github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
-github.com/dependabot/gomodules-extracted v1.2.0 h1:K/gTyOyhasOt4cjULvOPNiD3MAFGytp4F7e39aB+0Y0=
-github.com/dependabot/gomodules-extracted v1.2.0/go.mod h1:3NWkH8KcZVDM87JuZI8hCZzYbjfUSz98EZI53qjgMgY=
+github.com/dependabot/gomodules-extracted v1.3.0 h1:Rsnl5uR+wjE+7ontePia/B3p48aBRsyEhyNrzCwbkaw=
+github.com/dependabot/gomodules-extracted v1.3.0/go.mod h1:cpzrmDX1COyhSDQXHfkRMw0STb0vmguBFqmrkr51h1I=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

data/helpers/main.go

@@ -33,10 +33,10 @@ func main() {
 		funcErr error
 	)
 	switch helperParams.Function {
-	case "getUpdatedVersion":
+	case "getVersions":
 		var args updatechecker.Args
 		parseArgs(helperParams.Args, &args)
-		funcOut, funcErr = updatechecker.GetUpdatedVersion(&args)
+		funcOut, funcErr = updatechecker.GetVersions(&args)
 	case "updateDependencyFile":
 		var args updater.Args
 		parseArgs(helperParams.Args, &args)

data/helpers/updatechecker/main.go

@@ -1,9 +1,9 @@
 package updatechecker
 
 import (
+	"context"
 	"errors"
 	"io/ioutil"
-	"regexp"
 
 	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfetch"
 	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modload"
@@ -11,44 +11,27 @@ import (
 	"golang.org/x/mod/semver"
 )
 
-var (
-	pseudoVersionRegexp = regexp.MustCompile(`\b\d{14}-[0-9a-f]{12}$`)
-)
-
 type Dependency struct {
-	Name     string `json:"name"`
-	Version  string `json:"version"`
-	Indirect bool   `json:"indirect"`
-}
-
-type IgnoreRange struct {
-	MinVersionInclusive string `json:"min_version_inclusive"`
-	MaxVersionExclusive string `json:"max_version_exclusive"`
+	Name    string `json:"name"`
+	Version string `json:"version"`
 }
 
 type Args struct {
-	Dependency   *Dependency    `json:"dependency"`
-	IgnoreRanges []*IgnoreRange `json:"ignore_ranges"`
+	Dependency *Dependency `json:"dependency"`
 }
 
-func GetUpdatedVersion(args *Args) (interface{}, error) {
+// GetVersions returns a list of versions for the given dependency that
+// are within the same major version.
+func GetVersions(args *Args) (interface{}, error) {
 	if args.Dependency == nil {
 		return nil, errors.New("Expected args.dependency to not be nil")
 	}
 
 	currentVersion := args.Dependency.Version
-	currentPrerelease := semver.Prerelease(currentVersion)
-	if pseudoVersionRegexp.MatchString(currentPrerelease) {
-		return currentVersion, nil
-	}
-
-	modload.InitMod()
 
-	repo, err := modfetch.Lookup("direct", args.Dependency.Name)
-	if err != nil {
-		return nil, err
-	}
+	modload.LoadModFile(context.Background())
 
+	repo := modfetch.Lookup("direct", args.Dependency.Name)
 	versions, err := repo.Versions("")
 	if err != nil {
 		return nil, err
@@ -60,7 +43,8 @@ func GetUpdatedVersion(args *Args) (interface{}, error) {
 	}
 
 	currentMajor := semver.Major(currentVersion)
-	latestVersion := args.Dependency.Version
+
+	var candidateVersions []string
 
 Outer:
 	for _, v := range versions {
@@ -68,24 +52,16 @@ Outer:
 			continue
 		}
 
-		if semver.Compare(v, latestVersion) < 1 {
-			continue
-		}
-
-		if currentPrerelease == "" && semver.Prerelease(v) != "" {
-			continue
-		}
-
 		for _, exclude := range excludes {
 			if v == exclude {
 				continue Outer
 			}
 		}
 
-		latestVersion = v
+		candidateVersions = append(candidateVersions, v)
 	}
 
-	return latestVersion, nil
+	return candidateVersions, nil
 }
 
 func goModExcludes(dependency string) ([]string, error) {

data/lib/dependabot/go_modules/file_parser.rb

@@ -4,6 +4,7 @@ require "open3"
 require "dependabot/dependency"
 require "dependabot/file_parsers/base/dependency_set"
 require "dependabot/go_modules/path_converter"
+require "dependabot/go_modules/replace_stubber"
 require "dependabot/errors"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
@@ -17,7 +18,7 @@ module Dependabot
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
         required_packages.each do |dep|
-          dependency_set << dependency_from_details(dep) unless dep["Indirect"]
+          dependency_set << dependency_from_details(dep) unless skip_dependency?(dep)
         end
 
         dependency_set.dependencies
@@ -109,11 +110,8 @@ module Dependabot
             # we can use in their place. Using generated paths is safer as it
             # means we don't need to worry about references to parent
             # directories, etc.
-            (JSON.parse(stdout)["Replace"] || []).
-              map { |r| r["New"]["Path"] }.
-              compact.
-              select { |p| p.start_with?(".") || p.start_with?("/") }.
-              map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }
+            manifest = JSON.parse(stdout)
+            ReplaceStubber.new(repo_contents_path).stub_paths(manifest, go_mod.directory)
           end
       end
 
@@ -163,6 +161,17 @@ module Dependabot
 
         raw_version.match(GIT_VERSION_REGEX).named_captures.fetch("sha")
       end
+
+      def skip_dependency?(dep)
+        return true if dep["Indirect"]
+
+        begin
+          path_uri = URI.parse("https://#{dep['Path']}")
+          !path_uri.host.include?(".")
+        rescue URI::InvalidURIError
+          false
+        end
+      end
     end
   end
 end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -4,6 +4,7 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/go_modules/file_updater"
 require "dependabot/go_modules/native_helpers"
+require "dependabot/go_modules/replace_stubber"
 require "dependabot/go_modules/resolvability_errors"
 
 module Dependabot
@@ -38,10 +39,9 @@ module Dependabot
         ].freeze
 
         MODULE_PATH_MISMATCH_REGEXES = [
-          /go get: \S+ updating to\n\s+\S+\sparsing\sgo.mod:\n\s+module declares its path as: \S+\n\s+but was required as: \S+/,
           /go: ([^@\s]+)(?:@[^\s]+)?: .* has non-.* module path "(.*)" at/,
           /go: ([^@\s]+)(?:@[^\s]+)?: .* unexpected module path "(.*)"/,
-          /go: ([^@\s]+)(?:@[^\s]+)?: .* declares its path as: ([\S]*)/m
+          /go(?: get)?: ([^@\s]+)(?:@[^\s]+)?:? .* declares its path as: ([\S]*)/m
         ].freeze
 
         OUT_OF_DISK_REGEXES = [
@@ -222,37 +222,8 @@ module Dependabot
         # process afterwards.
         def replace_directive_substitutions(manifest)
           @replace_directive_substitutions ||=
-            (manifest["Replace"] || []).
-            map { |r| r["New"]["Path"] }.
-            compact.
-            select { |p| stub_replace_path?(p) }.
-            map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
-            to_h
-        end
-
-        # returns true if the provided path should be replaced with a stub
-        def stub_replace_path?(path)
-          return true if absolute_path?(path)
-          return false unless relative_replacement_path?(path)
-
-          resolved_path = module_pathname.join(path).realpath
-          inside_repo_contents_path = resolved_path.to_s.start_with?(repo_contents_path.to_s)
-          !inside_repo_contents_path
-        rescue Errno::ENOENT
-          true
-        end
-
-        def absolute_path?(path)
-          path.start_with?("/")
-        end
-
-        def relative_replacement_path?(path)
-          # https://golang.org/ref/mod#go-mod-file-replace
-          path.start_with?("./") || path.start_with?("../")
-        end
-
-        def module_pathname
-          @module_pathname ||= Pathname.new(repo_contents_path).join(directory.sub(%r{^/}, ""))
+            Dependabot::GoModules::ReplaceStubber.new(repo_contents_path).
+            stub_paths(manifest, directory)
         end
 
         def substitute_all(substitutions)
@@ -263,7 +234,7 @@ module Dependabot
           write_go_mod(body)
         end
 
-        def handle_subprocess_error(stderr)
+        def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize
           stderr = stderr.gsub(Dir.getwd, "")
 
           # Package version doesn't match the module major version

data/lib/dependabot/go_modules/replace_stubber.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module GoModules
+    # Given a go.mod file, find all `replace` directives pointing to a path
+    # on the local filesystem outside of the current checkout, and return a hash
+    # mapping the original path to a hash of the path.
+    #
+    # This lets us substitute all parts of the go.mod that are dependent on
+    # the layout of the filesystem with a structure we can reproduce (i.e.
+    # no paths such as ../../../foo), run the Go tooling, then reverse the
+    # process afterwards.
+    class ReplaceStubber
+      def initialize(repo_contents_path)
+        @repo_contents_path = repo_contents_path
+      end
+
+      def stub_paths(manifest, directory)
+        (manifest["Replace"] || []).
+          map { |r| r["New"]["Path"] }.
+          compact.
+          select { |p| stub_replace_path?(p, directory) }.
+          map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
+          to_h
+      end
+
+      private
+
+      def stub_replace_path?(path, directory)
+        return true if absolute_path?(path)
+        return false unless relative_replacement_path?(path)
+        return true if @repo_contents_path.nil?
+
+        resolved_path = module_pathname(directory).join(path).realpath
+        inside_repo_contents_path = resolved_path.to_s.start_with?(@repo_contents_path.to_s)
+        !inside_repo_contents_path
+      rescue Errno::ENOENT
+        true
+      end
+
+      def absolute_path?(path)
+        path.start_with?("/")
+      end
+
+      def relative_replacement_path?(path)
+        # https://golang.org/ref/mod#go-mod-file-replace
+        path.start_with?("./") || path.start_with?("../")
+      end
+
+      def module_pathname(directory)
+        @module_pathname ||= Pathname.new(@repo_contents_path).join(directory.sub(%r{^/}, ""))
+      end
+    end
+  end
+end

data/lib/dependabot/go_modules/update_checker.rb

@@ -5,19 +5,12 @@ require "dependabot/update_checkers/base"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/go_modules/native_helpers"
-require "dependabot/go_modules/resolvability_errors"
 require "dependabot/go_modules/version"
 
 module Dependabot
   module GoModules
     class UpdateChecker < Dependabot::UpdateCheckers::Base
-      RESOLVABILITY_ERROR_REGEXES = [
-        # Package url/proxy doesn't include any redirect meta tags
-        /no go-import meta tags/,
-        # Package url 404s
-        /404 Not Found/,
-        /Repository not found/
-      ].freeze
+      require_relative "update_checker/latest_version_finder"
 
       def latest_resolvable_version
         # We don't yet support updating indirect dependencies for go_modules
@@ -32,7 +25,13 @@ module Dependabot
         end
 
         @latest_resolvable_version ||=
-          version_class.new(find_latest_resolvable_version.gsub(/^v/, ""))
+          LatestVersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: raise_on_ignored
+          ).latest_version
       end
 
       # This is currently used to short-circuit latest_resolvable_version,
@@ -55,51 +54,6 @@ module Dependabot
 
       private
 
-      def find_latest_resolvable_version
-        SharedHelpers.in_a_temporary_directory do
-          SharedHelpers.with_git_configured(credentials: credentials) do
-            File.write("go.mod", go_mod.content)
-
-            # Turn off the module proxy for now, as it's causing issues with
-            # private git dependencies
-            env = { "GOPRIVATE" => "*" }
-
-            SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
-              env: env,
-              function: "getUpdatedVersion",
-              args: {
-                dependency: {
-                  name: dependency.name,
-                  version: "v" + dependency.version,
-                  indirect: dependency.requirements.empty?
-                }
-              }
-            )
-          end
-        end
-      rescue SharedHelpers::HelperSubprocessFailed => e
-        retry_count ||= 0
-        retry_count += 1
-        retry if transitory_failure?(e) && retry_count < 2
-
-        handle_subprocess_error(e)
-      end
-
-      def handle_subprocess_error(error)
-        if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
-          ResolvabilityErrors.handle(error.message, credentials: credentials)
-        end
-
-        raise
-      end
-
-      def transitory_failure?(error)
-        return true if error.message.include?("EOF")
-
-        error.message.include?("Internal Server Error")
-      end
-
       def latest_version_resolvable_with_full_unlock?
         # Full unlock checks aren't implemented for Go (yet)
         false
@@ -136,10 +90,6 @@ module Dependabot
         { type: "default", source: dependency.name }
       end
 
-      def go_mod
-        @go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
-      end
-
       def git_commit_checker
         @git_commit_checker ||=
           GitCommitChecker.new(

data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb

@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require "excon"
+
+require "dependabot/go_modules/update_checker"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/go_modules/requirement"
+require "dependabot/go_modules/resolvability_errors"
+
+module Dependabot
+  module GoModules
+    class UpdateChecker
+      class LatestVersionFinder
+        RESOLVABILITY_ERROR_REGEXES = [
+          # Package url/proxy doesn't include any redirect meta tags
+          /no go-import meta tags/,
+          # Package url 404s
+          /404 Not Found/,
+          /Repository not found/,
+          /unrecognized import path/
+        ].freeze
+        PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
+
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions:, raise_on_ignored: false)
+          @dependency          = dependency
+          @dependency_files    = dependency_files
+          @credentials         = credentials
+          @ignored_versions    = ignored_versions
+          @raise_on_ignored    = raise_on_ignored
+        end
+
+        def latest_version
+          @latest_version ||= fetch_latest_version
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :credentials, :ignored_versions
+
+        def fetch_latest_version
+          return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
+
+          candidate_versions = available_versions
+          candidate_versions = filter_prerelease_versions(candidate_versions)
+          candidate_versions = filter_lower_versions(candidate_versions)
+          candidate_versions = filter_ignored_versions(candidate_versions)
+
+          candidate_versions.max
+        end
+
+        def available_versions
+          SharedHelpers.in_a_temporary_directory do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              File.write("go.mod", go_mod.content)
+
+              # Turn off the module proxy for now, as it's causing issues with
+              # private git dependencies
+              env = { "GOPRIVATE" => "*" }
+
+              version_strings = SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                env: env,
+                function: "getVersions",
+                args: {
+                  dependency: {
+                    name: dependency.name,
+                    version: "v" + dependency.version
+                  }
+                }
+              )
+
+              return [version_class.new(dependency.version)] if version_strings.nil?
+
+              version_strings.select { |v| version_class.correct?(v) }.
+                map { |v| version_class.new(v) }
+            end
+          end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          retry_count ||= 0
+          retry_count += 1
+          retry if transitory_failure?(e) && retry_count < 2
+
+          handle_subprocess_error(e)
+        end
+
+        def handle_subprocess_error(error)
+          if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
+            ResolvabilityErrors.handle(error.message, credentials: credentials)
+          end
+
+          raise
+        end
+
+        def transitory_failure?(error)
+          return true if error.message.include?("EOF")
+
+          error.message.include?("Internal Server Error")
+        end
+
+        def go_mod
+          @go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
+        end
+
+        def filter_prerelease_versions(versions_array)
+          return versions_array if wants_prerelease?
+
+          versions_array.reject(&:prerelease?)
+        end
+
+        def filter_lower_versions(versions_array)
+          versions_array.
+            select { |version| version >= version_class.new(dependency.version) }
+        end
+
+        def filter_ignored_versions(versions_array)
+          filtered = versions_array.
+                     reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
+          raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
+
+          filtered
+        end
+
+        def wants_prerelease?
+          @wants_prerelease ||=
+            begin
+              current_version = dependency.version
+              current_version && version_class.correct?(current_version) &&
+                version_class.new(current_version).prerelease?
+            end
+        end
+
+        def ignore_requirements
+          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+        end
+
+        def requirement_class
+          Utils.requirement_class_for_package_manager(
+            dependency.package_manager
+          )
+        end
+
+        def version_class
+          Utils.version_class_for_package_manager(dependency.package_manager)
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.143.6
+  version: 0.145.3
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-30 00:00:00.000000000 Z
+date: 2021-05-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.143.6
+        version: 0.145.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.143.6
+        version: 0.145.3
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.13.0
+        version: 1.14.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.13.0
+        version: 1.14.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -202,9 +202,11 @@ files:
 - lib/dependabot/go_modules/metadata_finder.rb
 - lib/dependabot/go_modules/native_helpers.rb
 - lib/dependabot/go_modules/path_converter.rb
+- lib/dependabot/go_modules/replace_stubber.rb
 - lib/dependabot/go_modules/requirement.rb
 - lib/dependabot/go_modules/resolvability_errors.rb
 - lib/dependabot/go_modules/update_checker.rb
+- lib/dependabot/go_modules/update_checker/latest_version_finder.rb
 - lib/dependabot/go_modules/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses: