dependabot-go_modules 0.154.5 → 0.156.2

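--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: b6fabe025492fdf05d0ee350bfa88b816a14a37d6f983f2cfc0d7cf86530fbec
-data.tar.gz: 79da77d67d26a2f6e05df6fd7a018fba037088718c427dab4baca361822cb9f0
+metadata.gz: 0cf4cb9c65086abbdbcef71e3368aa73246f50e83a071dba3e7ff7bceb3765a5
+data.tar.gz: ceddec4c42fade0a394bc58d5c06330d5768a3ac86a9680125e64fedca5a44b4
 SHA512:
-metadata.gz: 40d6a7b816b14956aab89c5064a19cbc17409a45415b54e20c94afbe82a85e3c73549f125081424232f101dc7a0c3e05babd54dcf6f8bca86762b0f956556570
-data.tar.gz: 5945a8bfd6c32350fa146c31b2d6ec2947cf5a9ba60ad8c3c57f01311e8f322486e1e71ce812cbf9c27f071272e19165d4d612e9e5a37130dd91cac46bd45b48
+metadata.gz: c7a3d45c7cb3206d9e0084344f24ab828302b05768afdc1917a2a0a94d85227fb3f207137067e71d012308963499c6ce9d71be39950e4b2fdf08f5f34171059a
+data.tar.gz: b2f75dfa968f8728e0b40f0408f9fcf53b62d9379ec53afdb4488cdce863dced0869a65faef2467e37ccb8d6542e8c2df0073f6f024d42cf3535338d444904f8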
@@ -24,14 +24,7 @@ module Dependabot
24
24
  return version_class.new(dependency.version)
25
25
  end
26
26
 
27
- @latest_resolvable_version ||=
28
- LatestVersionFinder.new(
29
- dependency: dependency,
30
- dependency_files: dependency_files,
31
- credentials: credentials,
32
- ignored_versions: ignored_versions,
33
- raise_on_ignored: raise_on_ignored
34
- ).latest_version
27
+ latest_version_finder.latest_version
35
28
  end
36
29
 
37
30
  # This is currently used to short-circuit latest_resolvable_version,
@@ -41,6 +34,22 @@ module Dependabot
41
34
  latest_resolvable_version
42
35
  end
43
36
 
37
+ def lowest_resolvable_security_fix_version
38
+ raise "Dependency not vulnerable!" unless vulnerable?
39
+
40
+ unless dependency.top_level?
41
+ return unless dependency.version
42
+
43
+ return version_class.new(dependency.version)
44
+ end
45
+
46
+ lowest_security_fix_version
47
+ end
48
+
49
+ def lowest_security_fix_version
50
+ latest_version_finder.lowest_security_fix_version
51
+ end
52
+
44
53
  def latest_resolvable_version_with_no_unlock
45
54
  # Irrelevant, since Go modules uses a single dependency file
46
55
  nil
@@ -54,6 +63,18 @@ module Dependabot
54
63
 
55
64
  private
56
65
 
66
+ def latest_version_finder
67
+ @latest_version_finder ||=
68
+ LatestVersionFinder.new(
69
+ dependency: dependency,
70
+ dependency_files: dependency_files,
71
+ credentials: credentials,
72
+ ignored_versions: ignored_versions,
73
+ security_advisories: security_advisories,
74
+ raise_on_ignored: raise_on_ignored
75
+ )
76
+ end
77
+
57
78
  def latest_version_resolvable_with_full_unlock?
58
79
  # Full unlock checks aren't implemented for Go (yet)
59
80
  false
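Review bot: `lowest_resolvable_security_fix_version` returns the dependency's current version for a non-top-level dependency immediately after `vulnerable?` has confirmed that this very version is affected, so the caller receives a known-vulnerable version under a name that suggests a fix, and the reason is not stated. Presumably this mirrors the same non-top-level branch in `latest_resolvable_version` just above (go.mod cannot pin a transitive module on its own), and a comment above `unless dependency.top_level?` would make the contract explicit: `# Transitive modules can't be bumped directly; returning the current version tells the caller there is no applicable fix rather than proposing one we cannot apply — confirm this matches how the base checker treats it.`. The guard `raise "Dependency not vulnerable!" unless vulnerable?` raises a bare RuntimeError that callers can only tell apart by message; if the shared update-checker base already defines a named error for this case it would be preferable, but nothing in this hunk shows one. The enclosing class starts and ends outside the hunk.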
@@ -24,11 +24,12 @@ module Dependabot
24
24
  PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
25
25
 
26
26
  def initialize(dependency:, dependency_files:, credentials:,
27
- ignored_versions:, raise_on_ignored: false)
27
+ ignored_versions:, security_advisories:, raise_on_ignored: false)
28
28
  @dependency = dependency
29
29
  @dependency_files = dependency_files
30
30
  @credentials = credentials
31
31
  @ignored_versions = ignored_versions
32
+ @security_advisories = security_advisories
32
33
  @raise_on_ignored = raise_on_ignored
33
34
  end
34
35
 
@@ -36,9 +37,13 @@ module Dependabot
36
37
  @latest_version ||= fetch_latest_version
37
38
  end
38
39
 
40
+ def lowest_security_fix_version
41
+ @lowest_security_fix_version ||= fetch_lowest_security_fix_version
42
+ end
43
+
39
44
  private
40
45
 
41
- attr_reader :dependency, :dependency_files, :credentials, :ignored_versions
46
+ attr_reader :dependency, :dependency_files, :credentials, :ignored_versions, :security_advisories
42
47
 
43
48
  def fetch_latest_version
44
49
  return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
@@ -50,6 +55,19 @@ module Dependabot
50
55
  candidate_versions.max
51
56
  end
52
57
 
58
+ def fetch_lowest_security_fix_version
59
+ return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
60
+
61
+ relevant_versions = available_versions
62
+ relevant_versions = filter_prerelease_versions(relevant_versions)
63
+ relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
64
+ security_advisories)
65
+ relevant_versions = filter_ignored_versions(relevant_versions)
66
+ relevant_versions = filter_lower_versions(relevant_versions)
67
+
68
+ relevant_versions.min
69
+ end
70
+
53
71
  def available_versions
54
72
  SharedHelpers.in_a_temporary_directory do
55
73
  SharedHelpers.with_git_configured(credentials: credentials) do
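Review bot: The memoization `@lowest_security_fix_version ||= fetch_lowest_security_fix_version` never caches a nil result, and nil is a normal outcome here because `fetch_lowest_security_fix_version` ends with `relevant_versions.min`, which is nil whenever no non-vulnerable version above the current one exists. Every repeated call then re-enters `available_versions`, which per the context lines at the end of the hunk sets up a temporary directory and git configuration (its body continues outside the hunk), so a "no fix available" answer presumably costs a fresh git round trip each time instead of a cached lookup. Guard with `defined?` instead: `return @lowest_security_fix_version if defined?(@lowest_security_fix_version)` followed by `@lowest_security_fix_version = fetch_lowest_security_fix_version`; the pre-existing `@latest_version ||= fetch_latest_version` has the same shape but is not part of this change. Separately, the pseudo-version early return at the top of `fetch_lowest_security_fix_version` hands back `dependency.version` unchanged, matching `fetch_latest_version`, which means a vulnerable pseudo-versioned dependency is reported as already at its fix version; if that is intended, a one-line comment such as `# Pseudo-versions can't be compared against advisories; leave the dependency where it is.` would stop the next reader from treating it as an oversight.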
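--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-version: 0.154.5
+version: 0.156.2
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-22 00:00:00.000000000 Z
+date: 2021-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.154.5
+version: 0.156.2
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.154.5
+version: 0.156.2
 - !ruby/object:Gem::Dependency
 name: byebug
 requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.16.0
+version: 1.17.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.16.0
+version: 1.17.0
 - !ruby/object:Gem::Dependency
 name: simplecov
 requirement: !ruby/object:Gem::Requirement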