dependabot-go_modules 0.154.4 → 0.156.1

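--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b007e81cb3dd5527c88244c40757d61800f54a147cf088ec45879f9fc2400fa2
-  data.tar.gz: b0e050e5de0f6534786ca0265f94a1e1fb44dfa69e094260c8e0b27502458295
+  metadata.gz: 30f0deec86f27c89cbad75b98b2e89c36c33bb043d0243b409fcf431bc7ec616
+  data.tar.gz: a52106552bd11468b30974e275a04b439c2af370aba29816016f9596e7b6cfae
 SHA512:
-  metadata.gz: b2e8cd36aa80ce6a7eb213bc78602905fd38d13fe54495219134777e15d76390e81745dc903d304d9d84b51bdc807112a6b04782a1707130067dd09d9cfeb1b4
-  data.tar.gz: fce3fa4e3892cbfd9719cbcf70715e09f82c005e3392d0d7f733c1dc3bb25d5f35d68de09bc8a7573250d979fe5597b7331b1c4053c6ab9f34bb5ea6a5cd76a9
+  metadata.gz: 35f84b9793699f1d0963005261ef14f7813a8dfa174fd22bec26181d6dd8f97ede7a6ce7ae2eed44a419888969a1a554d774bbbb0de8c86cae1e1b54479c4f67
+  data.tar.gz: c4fb1f7d7958cccbb35a991ead1f021ff07f17114dbad14dcdce13f634fb066429fc576d6e708df8dae751fdf4310da47905461e6b0a49655099c13a84be5876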
@@ -24,14 +24,7 @@ module Dependabot
24
24
  return version_class.new(dependency.version)
25
25
  end
26
26
 
27
- @latest_resolvable_version ||=
28
- LatestVersionFinder.new(
29
- dependency: dependency,
30
- dependency_files: dependency_files,
31
- credentials: credentials,
32
- ignored_versions: ignored_versions,
33
- raise_on_ignored: raise_on_ignored
34
- ).latest_version
27
+ latest_version_finder.latest_version
35
28
  end
36
29
 
37
30
  # This is currently used to short-circuit latest_resolvable_version,
@@ -41,6 +34,22 @@ module Dependabot
41
34
  latest_resolvable_version
42
35
  end
43
36
 
37
+ def lowest_resolvable_security_fix_version
38
+ raise "Dependency not vulnerable!" unless vulnerable?
39
+
40
+ unless dependency.top_level?
41
+ return unless dependency.version
42
+
43
+ return version_class.new(dependency.version)
44
+ end
45
+
46
+ lowest_security_fix_version
47
+ end
48
+
49
+ def lowest_security_fix_version
50
+ latest_version_finder.lowest_security_fix_version
51
+ end
52
+
44
53
  def latest_resolvable_version_with_no_unlock
45
54
  # Irrelevant, since Go modules uses a single dependency file
46
55
  nil
@@ -54,6 +63,18 @@ module Dependabot
54
63
 
55
64
  private
56
65
 
66
+ def latest_version_finder
67
+ @latest_version_finder ||=
68
+ LatestVersionFinder.new(
69
+ dependency: dependency,
70
+ dependency_files: dependency_files,
71
+ credentials: credentials,
72
+ ignored_versions: ignored_versions,
73
+ security_advisories: security_advisories,
74
+ raise_on_ignored: raise_on_ignored
75
+ )
76
+ end
77
+
57
78
  def latest_version_resolvable_with_full_unlock?
58
79
  # Full unlock checks aren't implemented for Go (yet)
59
80
  false
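Review bot: `lowest_resolvable_security_fix_version` hands back the dependency's current version for non-top-level dependencies right after `vulnerable?` has confirmed that this version is affected, so a caller going by the method name would take a vulnerable version for a fix, and nothing in the branch says why. It mirrors the non-top-level branch of `latest_resolvable_version` above (that method starts outside the hunk), presumably because indirect Go modules are not bumped on their own, but that reasoning is not on the page. I would add above `unless dependency.top_level?` the comment `# Indirect modules are returned as-is, even when the version is vulnerable; only top-level modules are resolved to a fix version` . The bare `raise "Dependency not vulnerable!"` surfaces as a RuntimeError; a named class such as `raise ArgumentError, "Dependency not vulnerable!"` lets callers rescue it deliberately.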
@@ -24,11 +24,12 @@ module Dependabot
24
24
  PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
25
25
 
26
26
  def initialize(dependency:, dependency_files:, credentials:,
27
- ignored_versions:, raise_on_ignored: false)
27
+ ignored_versions:, security_advisories:, raise_on_ignored: false)
28
28
  @dependency = dependency
29
29
  @dependency_files = dependency_files
30
30
  @credentials = credentials
31
31
  @ignored_versions = ignored_versions
32
+ @security_advisories = security_advisories
32
33
  @raise_on_ignored = raise_on_ignored
33
34
  end
34
35
 
@@ -36,9 +37,13 @@ module Dependabot
36
37
  @latest_version ||= fetch_latest_version
37
38
  end
38
39
 
40
+ def lowest_security_fix_version
41
+ @lowest_security_fix_version ||= fetch_lowest_security_fix_version
42
+ end
43
+
39
44
  private
40
45
 
41
- attr_reader :dependency, :dependency_files, :credentials, :ignored_versions
46
+ attr_reader :dependency, :dependency_files, :credentials, :ignored_versions, :security_advisories
42
47
 
43
48
  def fetch_latest_version
44
49
  return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
@@ -50,6 +55,19 @@ module Dependabot
50
55
  candidate_versions.max
51
56
  end
52
57
 
58
+ def fetch_lowest_security_fix_version
59
+ return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
60
+
61
+ relevant_versions = available_versions
62
+ relevant_versions = filter_prerelease_versions(relevant_versions)
63
+ relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
64
+ security_advisories)
65
+ relevant_versions = filter_ignored_versions(relevant_versions)
66
+ relevant_versions = filter_lower_versions(relevant_versions)
67
+
68
+ relevant_versions.min
69
+ end
70
+
53
71
  def available_versions
54
72
  SharedHelpers.in_a_temporary_directory do
55
73
  SharedHelpers.with_git_configured(credentials: credentials) do
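Review bot: `fetch_lowest_security_fix_version` returns `dependency.version` unchanged for pseudo-versions before any advisory filtering runs, so for a vulnerable pseudo-versioned module the "lowest security fix version" is the vulnerable version itself, and it is whatever `dependency.version` holds rather than the version object that `relevant_versions.min` yields on the other path. The short-circuit is copied from `fetch_latest_version`, where it is harmless, but here a caller cannot tell this case from a real fix; returning nil for pseudo-versions, or at least documenting the case, seems preferable. I would add above the early return `# Pseudo-versions are handed back unchanged, so the result may itself be the vulnerable version` . The repeated `relevant_versions = filter_...(relevant_versions)` assignments read more clearly as a `then` chain, but that is cosmetic.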
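--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.154.4
+  version: 0.156.1
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-22 00:00:00.000000000 Z
+date: 2021-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.154.4
+        version: 0.156.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.154.4
+        version: 0.156.1
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.16.0
+        version: 1.17.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.16.0
+        version: 1.17.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement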