RubyGems - dependabot-go_modules - Versions diffs - 0.215.0 → 0.216.0 - Mend

dependabot-go_modules 0.215.0 → 0.216.0

Files changed (12) hide show

checksums.yaml +4 -4
data/helpers/go.mod +1 -1
data/lib/dependabot/go_modules/file_fetcher.rb +11 -2
data/lib/dependabot/go_modules/file_parser.rb +9 -68
data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +20 -5
data/lib/dependabot/go_modules/file_updater.rb +6 -1
data/lib/dependabot/go_modules/metadata_finder.rb +1 -38
data/lib/dependabot/go_modules/path_converter.rb +0 -50
data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +11 -5
data/lib/dependabot/go_modules/update_checker.rb +2 -35
data/lib/dependabot/go_modules/version.rb +2 -1
metadata +35 -32

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 911b1d3b5dfcb057ec0dea49f0f65d128720286a905a313a6cd1cfe5ab6a2695
-  data.tar.gz: 06db3d3b812b5f61ad29ddd388e57488cc07316953159c2b030b175bd0293a46
+  metadata.gz: 5ce14da8132843f24f4fe7252d3236184a8af451c2a8de9c53d7e64d69b6e694
+  data.tar.gz: d79638429d7815e7325bc3bf35c6acfbf932e1642fdd26232bd272a2a568c35e
 SHA512:
-  metadata.gz: d357876461478010bd2a37aaf5b8827e05c95ec6650c6252ccf78604d3c7d5942e72482ebc731ace633836d4990f6a6b6b79d4516a1d145d55aca8423c7b6ad0
-  data.tar.gz: 1e3d56283adf355baf4597641b61f6b3707ef6bb6774722e8ae99af7429a7451bc58f755fa87e9452e4f4efea2b3f19103023a055ac4dc6e095f1460b8b92dba
+  metadata.gz: 236a2b718e573f78f2c0a9388702a67ce8dc6e67390e9d11da0124cb527e9ce2d78918bdbb65ebd13c2d51963b46de821bb947e80e766f2bb95df1694ef622a0
+  data.tar.gz: b0ee24269dee9be22ad5f553f53afc93a9e5910f4a9b98cdc916351222035e8e4d711f5535be329cd9c7003863b12ba433c469b86c059fc309e63a9e202ea20e

data/helpers/go.mod CHANGED Viewed

@@ -1,5 +1,5 @@
 module github.com/dependabot/dependabot-core/go_modules/helpers
-go 1.19
+go 1.20
 require github.com/Masterminds/vcs v1.13.3

data/lib/dependabot/go_modules/file_fetcher.rb CHANGED Viewed

@@ -14,6 +14,17 @@ module Dependabot
         "Repo must contain a go.mod."
       end
+      def package_manager_version
+        return nil unless go_mod
+        {
+          ecosystem: "gomod",
+          package_managers: {
+            "gomod" => go_mod.content.match(/^go\s(\d+\.\d+)/)&.captures&.first || "unknown"
+          }
+        }
+      end
       private
       def fetch_files
@@ -32,10 +43,8 @@ module Dependabot
           end
           fetched_files = [go_mod]
           # Fetch the (optional) go.sum
           fetched_files << go_sum if go_sum
           fetched_files
         end
       end

data/lib/dependabot/go_modules/file_parser.rb CHANGED Viewed

@@ -12,8 +12,6 @@ require "dependabot/file_parsers/base"
 module Dependabot
   module GoModules
     class FileParser < Dependabot::FileParsers::Base
-      GIT_VERSION_REGEX = /^v\d+\.\d+\.\d+-.*-(?<sha>[0-9a-f]{12})$/
       def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
@@ -35,16 +33,11 @@ module Dependabot
       end
       def dependency_from_details(details)
-        source =
-          if rev_identifier?(details) then git_source(details)
-          else
-            { type: "default", source: details["Path"] }
-          end
+        source = { type: "default", source: details["Path"] }
         version = details["Version"]&.sub(/^v?/, "")
         reqs = [{
-          requirement: rev_identifier?(details) ? nil : details["Version"],
+          requirement: details["Version"],
           file: go_mod.name,
           source: source,
           groups: []
@@ -53,7 +46,7 @@ module Dependabot
         Dependency.new(
           name: details["Path"],
           version: version,
-          requirements: details["Indirect"] || dependency_is_replaced(details) ? [] : reqs,
+          requirements: details["Indirect"] ? [] : reqs,
           package_manager: "go_modules"
         )
       end
@@ -115,54 +108,14 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
       end
-      def rev_identifier?(dep)
-        dep["Version"]&.match?(GIT_VERSION_REGEX)
-      end
-      def git_source(dep)
-        url = PathConverter.git_url_for_path(dep["Path"])
-        # Currently, we have no way of knowing whether the commit tagged
-        # is being used because a branch is being followed or because a
-        # particular ref is in use. We *assume* that a particular ref is in
-        # use (which means we'll only propose updates when its included in
-        # a release)
-        {
-          type: "git",
-          url: url || dep["Path"],
-          ref: git_revision(dep),
-          branch: nil
-        }
-      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
-        if e.message == "Cannot detect VCS"
-          # if the dependency is locally replaced, this is not a fatal error
-          return { type: "default", source: dep["Path"] } if dependency_has_local_replacement(dep)
-          msg = e.message + " for #{dep['Path']}. Attempted to detect VCS " \
-                            "because the version looks like a git revision: " \
-                            "#{dep['Version']}"
-          raise Dependabot::DependencyFileNotResolvable, msg
-        end
-        raise
-      end
-      def git_revision(dep)
-        raw_version = dep.fetch("Version")
-        return raw_version unless raw_version.match?(GIT_VERSION_REGEX)
-        raw_version.match(GIT_VERSION_REGEX).named_captures.fetch("sha")
-      end
       def skip_dependency?(dep)
-        return true if dep["Indirect"]
+        # Updating replaced dependencies is not supported
+        return true if dependency_is_replaced(dep)
-        begin
-          path_uri = URI.parse("https://#{dep['Path']}")
-          !path_uri.host.include?(".")
-        rescue URI::InvalidURIError
-          false
-        end
+        path_uri = URI.parse("https://#{dep['Path']}")
+        !path_uri.host.include?(".")
+      rescue URI::InvalidURIError
+        false
       end
       def dependency_is_replaced(details)
@@ -182,18 +135,6 @@ module Dependabot
         end
         false
       end
-      def dependency_has_local_replacement(details)
-        if manifest["Replace"]
-          has_local_replacement = manifest["Replace"].find do |replace|
-            replace["New"]["Path"].start_with?("./", "../") &&
-              replace["Old"]["Path"] == details["Path"]
-          end
-          return true if has_local_replacement
-        end
-        false
-      end
     end
   end
 end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require "dependabot/shared_helpers"
 require "dependabot/errors"
+require "dependabot/logger"
 require "dependabot/go_modules/file_updater"
 require "dependabot/go_modules/native_helpers"
 require "dependabot/go_modules/replace_stubber"
@@ -14,12 +15,25 @@ module Dependabot
         RESOLVABILITY_ERROR_REGEXES = [
           # The checksum in go.sum does not match the downloaded content
           /verifying .*: checksum mismatch/,
-          /go(?: get)?: .*: go.mod has post-v\d+ module path/
+          /go(?: get)?: .*: go.mod has post-v\d+ module path/,
+          # The Go tool is suggesting the user should run go mod tidy
+          /go mod tidy/,
+          # Something wrong in the chain of go.mod/go.sum files
+          # These are often fixable with go mod tidy too.
+          /no required module provides package/,
+          /missing go\.sum entry for module providing package/,
+          /malformed module path/,
+          /used for two different module paths/,
+          # https://github.com/golang/go/issues/56494
+          /can't find reason for requirement on/,
+          # import path doesn't exist
+          /package \S+ is not in GOROOT/
         ].freeze
         REPO_RESOLVABILITY_ERROR_REGEXES = [
           /fatal: The remote end hung up unexpectedly/,
           /repository '.+' not found/,
+          %r{net/http: TLS handshake timeout},
           # (Private) module could not be fetched
           /go(?: get)?: .*: git (fetch|ls-remote) .*: exit status 128/m,
           # (Private) module could not be found
@@ -139,10 +153,11 @@ module Dependabot
           command = "go mod tidy -e"
           # we explicitly don't raise an error for 'go mod tidy' and silently
-          # continue here. `go mod tidy` shouldn't block updating versions
-          # because there are some edge cases where it's OK to fail (such as
-          # generated files not available yet to us).
-          Open3.capture3(environment, command)
+          # continue with an info log here. `go mod tidy` shouldn't block
+          # updating versions because there are some edge cases where it's OK to fail
+          # (such as generated files not available yet to us).
+          _, stderr, status = Open3.capture3(environment, command)
+          Dependabot.logger.info "Failed to `go mod tidy`: #{stderr}" unless status.success?
         end
         def run_go_vendor

data/lib/dependabot/go_modules/file_updater.rb CHANGED Viewed

@@ -28,7 +28,7 @@ module Dependabot
       def updated_dependency_files
         updated_files = []
-        if go_mod && file_changed?(go_mod)
+        if go_mod && dependency_changed?(go_mod)
           updated_files <<
             updated_file(
               file: go_mod,
@@ -56,6 +56,11 @@ module Dependabot
       private
+      def dependency_changed?(go_mod)
+        # file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
+        file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
+      end
       def check_required_files
         return if go_mod

data/lib/dependabot/go_modules/metadata_finder.rb CHANGED Viewed

@@ -10,46 +10,9 @@ module Dependabot
       private
       def look_up_source
-        return look_up_git_dependency_source if git_dependency?
-        path_str = (specified_source_string || dependency.name)
-        url = Dependabot::GoModules::PathConverter.
-              git_url_for_path_without_go_helper(path_str)
+        url = Dependabot::GoModules::PathConverter.git_url_for_path(dependency.name)
         Source.from_url(url) if url
       end
-      def git_dependency?
-        return false unless declared_source_details
-        dependency_type =
-          declared_source_details.fetch(:type, nil) ||
-          declared_source_details.fetch("type")
-        dependency_type == "git"
-      end
-      def look_up_git_dependency_source
-        specified_url =
-          declared_source_details.fetch(:url, nil) ||
-          declared_source_details.fetch("url")
-        Source.from_url(specified_url)
-      end
-      def specified_source_string
-        declared_source_details&.fetch(:source, nil) ||
-          declared_source_details&.fetch("source", nil)
-      end
-      def declared_source_details
-        sources = dependency.requirements.
-                  map { |r| r.fetch(:source) }.
-                  uniq.compact
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-        sources.first
-      end
     end
   end
 end

data/lib/dependabot/go_modules/path_converter.rb CHANGED Viewed

@@ -1,10 +1,5 @@
 # frozen_string_literal: true
-require "excon"
-require "nokogiri"
-require "dependabot/registry_client"
-require "dependabot/source"
 require "dependabot/go_modules/native_helpers"
 module Dependabot
@@ -20,51 +15,6 @@ module Dependabot
           args: { import: import_path }
         )
       end
-      # rubocop:disable Metrics/PerceivedComplexity
-      # Used in dependabot-backend, which doesn't have access to any Go
-      # helpers.
-      # TODO: remove the need for this.
-      def self.git_url_for_path_without_go_helper(path)
-        # Save a query by manually converting golang.org/x names
-        tmp_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
-        # Currently, Dependabot::Source.new will return `nil` if it can't
-        # find a git SCH associated with a path. If it is ever extended to
-        # handle non-git sources we'll need to add an additional check here.
-        return Source.from_url(tmp_path).url if Source.from_url(tmp_path)
-        return "https://#{tmp_path}" if tmp_path.end_with?(".git")
-        return unless (metadata_response = fetch_path_metadata(path))
-        # Look for a GitHub, Bitbucket or GitLab URL in the response
-        metadata_response.scan(Dependabot::Source::SOURCE_REGEX) do
-          source_url = Regexp.last_match.to_s
-          return Source.from_url(source_url).url
-        end
-        # If none are found, parse the response and return the go-import path
-        doc = Nokogiri::XML(metadata_response)
-        doc.remove_namespaces!
-        import_details =
-          doc.xpath("//meta").
-          find { |n| n.attributes["name"]&.value == "go-import" }&.
-          attributes&.fetch("content")&.value&.split(/\s+/)
-        return unless import_details && import_details[1] == "git"
-        import_details[2]
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-      def self.fetch_path_metadata(path)
-        # TODO: This is not robust! Instead, we should shell out to Go and
-        # use https://github.com/Masterminds/vcs.
-        response = Dependabot::RegistryClient.get(url: "https://#{path}?go-get=1")
-        return unless response.status == 200
-        response.body
-      end
-      private_class_method :fetch_path_metadata
     end
   end
 end

data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -52,18 +52,16 @@ module Dependabot
         attr_reader :dependency, :dependency_files, :credentials, :ignored_versions, :security_advisories
         def fetch_latest_version
-          return dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
           candidate_versions = available_versions
           candidate_versions = filter_prerelease_versions(candidate_versions)
           candidate_versions = filter_ignored_versions(candidate_versions)
+          # Adding the psuedo-version to the list to avoid downgrades
+          candidate_versions << dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
           candidate_versions.max
         end
         def fetch_lowest_security_fix_version
-          return dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
           relevant_versions = available_versions
           relevant_versions = filter_prerelease_versions(relevant_versions)
           relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
@@ -75,6 +73,10 @@ module Dependabot
         end
         def available_versions
+          @available_versions ||= fetch_available_versions
+        end
+        def fetch_available_versions
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
               manifest = parse_manifest
@@ -90,7 +92,11 @@ module Dependabot
               # Turn off the module proxy for private dependencies
               env = { "GOPRIVATE" => @goprivate }
-              versions_json = SharedHelpers.run_shell_command("go list -m -versions -json #{dependency.name}", env: env)
+              versions_json = SharedHelpers.run_shell_command(
+                "go list -m -versions -json #{dependency.name}",
+                fingerprint: "go list -m -versions -json <dependency_name>",
+                env: env
+              )
               version_strings = JSON.parse(versions_json)["Versions"]
               return [version_class.new(dependency.version)] if version_strings.nil?

data/lib/dependabot/go_modules/update_checker.rb CHANGED Viewed

@@ -13,17 +13,6 @@ module Dependabot
       require_relative "update_checker/latest_version_finder"
       def latest_resolvable_version
-        # We don't yet support updating indirect dependencies for go_modules
-        #
-        # To update indirect dependencies we'll need to promote the indirect
-        # dependency to the go.mod file forcing the resolver to pick this
-        # version (possibly as `// indirect`)
-        unless dependency.top_level?
-          return unless dependency.version
-          return current_version
-        end
         latest_version_finder.latest_version
       end
@@ -37,12 +26,6 @@ module Dependabot
       def lowest_resolvable_security_fix_version
         raise "Dependency not vulnerable!" unless vulnerable?
-        unless dependency.top_level?
-          return unless dependency.version
-          return current_version
-        end
         lowest_security_fix_version
       end
@@ -85,11 +68,9 @@ module Dependabot
         raise NotImplementedError
       end
-      # Override the base class's check for whether this is a git dependency,
-      # since not all dep git dependencies have a SHA version (sometimes their
-      # version is the tag)
+      # Go only supports semver and semver-compliant pseudo-versions, so it can't be a SHA.
       def existing_version_is_sha?
-        git_dependency?
+        false
       end
       def version_from_tag(tag)
@@ -100,23 +81,9 @@ module Dependabot
         tag&.fetch(:tag)
       end
-      def git_dependency?
-        git_commit_checker.git_dependency?
-      end
       def default_source
         { type: "default", source: dependency.name }
       end
-      def git_commit_checker
-        @git_commit_checker ||=
-          GitCommitChecker.new(
-            dependency: dependency,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            raise_on_ignored: raise_on_ignored
-          )
-      end
     end
   end
 end

data/lib/dependabot/go_modules/version.rb CHANGED Viewed

@@ -5,11 +5,12 @@
 # alteration.
 # Best docs are at https://github.com/Masterminds/semver
+require "dependabot/version"
 require "dependabot/utils"
 module Dependabot
   module GoModules
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       VERSION_PATTERN = '[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
                         '(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
                         '(\+incompatible)?'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.215.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-07 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-Go_Modules provides support for bumping Go Modules versions
+  via Dependabot. If you want support for multiple package managers, you probably
+  want the meta-gem dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -236,7 +237,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -252,8 +255,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: Go modules support for dependabot
+summary: Provides Dependabot support for Go Modules
 test_files: []