RubyGems - dependabot-go_modules - Versions diffs - 0.215.0 → 0.216.0 - Mend

dependabot-go_modules 0.215.0 → 0.216.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml +4 -4
data/helpers/go.mod +1 -1
data/lib/dependabot/go_modules/file_fetcher.rb +11 -2
data/lib/dependabot/go_modules/file_parser.rb +9 -68
data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +20 -5
data/lib/dependabot/go_modules/file_updater.rb +6 -1
data/lib/dependabot/go_modules/metadata_finder.rb +1 -38
data/lib/dependabot/go_modules/path_converter.rb +0 -50
data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +11 -5
data/lib/dependabot/go_modules/update_checker.rb +2 -35
data/lib/dependabot/go_modules/version.rb +2 -1
metadata +35 -32

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 911b1d3b5dfcb057ec0dea49f0f65d128720286a905a313a6cd1cfe5ab6a2695
-  data.tar.gz: 06db3d3b812b5f61ad29ddd388e57488cc07316953159c2b030b175bd0293a46
+  metadata.gz: 5ce14da8132843f24f4fe7252d3236184a8af451c2a8de9c53d7e64d69b6e694
+  data.tar.gz: d79638429d7815e7325bc3bf35c6acfbf932e1642fdd26232bd272a2a568c35e
 SHA512:
-  metadata.gz: d357876461478010bd2a37aaf5b8827e05c95ec6650c6252ccf78604d3c7d5942e72482ebc731ace633836d4990f6a6b6b79d4516a1d145d55aca8423c7b6ad0
-  data.tar.gz: 1e3d56283adf355baf4597641b61f6b3707ef6bb6774722e8ae99af7429a7451bc58f755fa87e9452e4f4efea2b3f19103023a055ac4dc6e095f1460b8b92dba
+  metadata.gz: 236a2b718e573f78f2c0a9388702a67ce8dc6e67390e9d11da0124cb527e9ce2d78918bdbb65ebd13c2d51963b46de821bb947e80e766f2bb95df1694ef622a0
+  data.tar.gz: b0ee24269dee9be22ad5f553f53afc93a9e5910f4a9b98cdc916351222035e8e4d711f5535be329cd9c7003863b12ba433c469b86c059fc309e63a9e202ea20e

data/helpers/go.mod CHANGED Viewed

@@ -1,5 +1,5 @@
 module github.com/dependabot/dependabot-core/go_modules/helpers
-go 1.19
+go 1.20
 require github.com/Masterminds/vcs v1.13.3

data/lib/dependabot/go_modules/file_fetcher.rb CHANGED Viewed

@@ -14,6 +14,17 @@ module Dependabot
         "Repo must contain a go.mod."
       end
+      def package_manager_version
+        return nil unless go_mod
+        {
+          ecosystem: "gomod",
+          package_managers: {
+            "gomod" => go_mod.content.match(/^go\s(\d+\.\d+)/)&.captures&.first || "unknown"
+          }
+        }
+      end
       private
       def fetch_files
@@ -32,10 +43,8 @@ module Dependabot
           end
           fetched_files = [go_mod]
           # Fetch the (optional) go.sum
           fetched_files << go_sum if go_sum
           fetched_files
         end
       end

data/lib/dependabot/go_modules/file_parser.rb CHANGED Viewed

@@ -12,8 +12,6 @@ require "dependabot/file_parsers/base"
 module Dependabot
   module GoModules
     class FileParser < Dependabot::FileParsers::Base
-      GIT_VERSION_REGEX = /^v\d+\.\d+\.\d+-.*-(?<sha>[0-9a-f]{12})$/
       def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
@@ -35,16 +33,11 @@ module Dependabot
       end
       def dependency_from_details(details)
-        source =
-          if rev_identifier?(details) then git_source(details)
-          else
-            { type: "default", source: details["Path"] }
-          end
+        source = { type: "default", source: details["Path"] }
         version = details["Version"]&.sub(/^v?/, "")
         reqs = [{
-          requirement: rev_identifier?(details) ? nil : details["Version"],
+          requirement: details["Version"],
           file: go_mod.name,
           source: source,
           groups: []
@@ -53,7 +46,7 @@ module Dependabot
         Dependency.new(
           name: details["Path"],
           version: version,
-          requirements: details["Indirect"] || dependency_is_replaced(details) ? [] : reqs,
+          requirements: details["Indirect"] ? [] : reqs,
           package_manager: "go_modules"
         )
       end
@@ -115,54 +108,14 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
       end
-      def rev_identifier?(dep)
-        dep["Version"]&.match?(GIT_VERSION_REGEX)
-      end
-      def git_source(dep)
-        url = PathConverter.git_url_for_path(dep["Path"])
-        # Currently, we have no way of knowing whether the commit tagged
-        # is being used because a branch is being followed or because a
-        # particular ref is in use. We *assume* that a particular ref is in
-        # use (which means we'll only propose updates when its included in
-        # a release)
-        {
-          type: "git",
-          url: url || dep["Path"],
-          ref: git_revision(dep),
-          branch: nil
-        }
-      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
-        if e.message == "Cannot detect VCS"
-          # if the dependency is locally replaced, this is not a fatal error
-          return { type: "default", source: dep["Path"] } if dependency_has_local_replacement(dep)
-          msg = e.message + " for #{dep['Path']}. Attempted to detect VCS " \
-                            "because the version looks like a git revision: " \
-                            "#{dep['Version']}"
-          raise Dependabot::DependencyFileNotResolvable, msg
-        end
-        raise
-      end
-      def git_revision(dep)
-        raw_version = dep.fetch("Version")
-        return raw_version unless raw_version.match?(GIT_VERSION_REGEX)
-        raw_version.match(GIT_VERSION_REGEX).named_captures.fetch("sha")
-      end
       def skip_dependency?(dep)
-        return true if dep["Indirect"]
+        # Updating replaced dependencies is not supported
+        return true if dependency_is_replaced(dep)
-        begin
-          path_uri = URI.parse("https://#{dep['Path']}")
-          !path_uri.host.include?(".")
-        rescue URI::InvalidURIError
-          false
-        end
+        path_uri = URI.parse("https://#{dep['Path']}")
+        !path_uri.host.include?(".")
+      rescue URI::InvalidURIError
+        false
       end
       def dependency_is_replaced(details)
@@ -182,18 +135,6 @@ module Dependabot
         end
         false
       end
-      def dependency_has_local_replacement(details)
-        if manifest["Replace"]
-          has_local_replacement = manifest["Replace"].find do |replace|
-            replace["New"]["Path"].start_with?("./", "../") &&
-              replace["Old"]["Path"] == details["Path"]
-          end
-          return true if has_local_replacement
-        end
-        false
-      end
     end
   end
 end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require "dependabot/shared_helpers"
 require "dependabot/errors"
+require "dependabot/logger"
 require "dependabot/go_modules/file_updater"
 require "dependabot/go_modules/native_helpers"
 require "dependabot/go_modules/replace_stubber"
@@ -14,12 +15,25 @@ module Dependabot
         RESOLVABILITY_ERROR_REGEXES = [
           # The checksum in go.sum does not match the downloaded content
           /verifying .*: checksum mismatch/,
-          /go(?: get)?: .*: go.mod has post-v\d+ module path/
+          /go(?: get)?: .*: go.mod has post-v\d+ module path/,
+          # The Go tool is suggesting the user should run go mod tidy
+          /go mod tidy/,
+          # Something wrong in the chain of go.mod/go.sum files
+          # These are often fixable with go mod tidy too.
+          /no required module provides package/,
+          /missing go\.sum entry for module providing package/,
+          /malformed module path/,
+          /used for two different module paths/,
+          # https://github.com/golang/go/issues/56494
+          /can't find reason for requirement on/,
+          # import path doesn't exist
+          /package \S+ is not in GOROOT/
         ].freeze
         REPO_RESOLVABILITY_ERROR_REGEXES = [
           /fatal: The remote end hung up unexpectedly/,
           /repository '.+' not found/,
+          %r{net/http: TLS handshake timeout},
           # (Private) module could not be fetched
           /go(?: get)?: .*: git (fetch|ls-remote) .*: exit status 128/m,
           # (Private) module could not be found
@@ -139,10 +153,11 @@ module Dependabot
           command = "go mod tidy -e"
           # we explicitly don't raise an error for 'go mod tidy' and silently
-          # continue here. `go mod tidy` shouldn't block updating versions
-          # because there are some edge cases where it's OK to fail (such as
-          # generated files not available yet to us).
-          Open3.capture3(environment, command)
+          # continue with an info log here. `go mod tidy` shouldn't block
+          # updating versions because there are some edge cases where it's OK to fail
+          # (such as generated files not available yet to us).
+          _, stderr, status = Open3.capture3(environment, command)
+          Dependabot.logger.info "Failed to `go mod tidy`: #{stderr}" unless status.success?
         end
         def run_go_vendor

data/lib/dependabot/go_modules/file_updater.rb CHANGED Viewed

@@ -28,7 +28,7 @@ module Dependabot
       def updated_dependency_files
         updated_files = []
-        if go_mod && file_changed?(go_mod)
+        if go_mod && dependency_changed?(go_mod)
           updated_files <<
             updated_file(
               file: go_mod,
@@ -56,6 +56,11 @@ module Dependabot
       private
+      def dependency_changed?(go_mod)
+        # file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
+        file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
+      end
       def check_required_files
         return if go_mod

data/lib/dependabot/go_modules/metadata_finder.rb CHANGED Viewed

@@ -10,46 +10,9 @@ module Dependabot
       private
       def look_up_source
-        return look_up_git_dependency_source if git_dependency?
-        path_str = (specified_source_string || dependency.name)
-        url = Dependabot::GoModules::PathConverter.
-              git_url_for_path_without_go_helper(path_str)
+        url = Dependabot::GoModules::PathConverter.git_url_for_path(dependency.name)
         Source.from_url(url) if url
       end
-      def git_dependency?
-        return false unless declared_source_details
-        dependency_type =
-          declared_source_details.fetch(:type, nil) ||
-          declared_source_details.fetch("type")
-        dependency_type == "git"
-      end
-      def look_up_git_dependency_source
-        specified_url =
-          declared_source_details.fetch(:url, nil) ||
-          declared_source_details.fetch("url")
-        Source.from_url(specified_url)
-      end
-      def specified_source_string
-        declared_source_details&.fetch(:source, nil) ||
-          declared_source_details&.fetch("source", nil)
-      end
-      def declared_source_details
-        sources = dependency.requirements.
-                  map { |r| r.fetch(:source) }.
-                  uniq.compact
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-        sources.first
-      end
     end
   end
 end

data/lib/dependabot/go_modules/path_converter.rb CHANGED Viewed

@@ -1,10 +1,5 @@
 # frozen_string_literal: true
-require "excon"
-require "nokogiri"
-require "dependabot/registry_client"
-require "dependabot/source"
 require "dependabot/go_modules/native_helpers"
 module Dependabot
@@ -20,51 +15,6 @@ module Dependabot
           args: { import: import_path }
         )
       end
-      # rubocop:disable Metrics/PerceivedComplexity
-      # Used in dependabot-backend, which doesn't have access to any Go
-      # helpers.
-      # TODO: remove the need for this.
-      def self.git_url_for_path_without_go_helper(path)
-        # Save a query by manually converting golang.org/x names
-        tmp_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
-        # Currently, Dependabot::Source.new will return `nil` if it can't
-        # find a git SCH associated with a path. If it is ever extended to
-        # handle non-git sources we'll need to add an additional check here.
-        return Source.from_url(tmp_path).url if Source.from_url(tmp_path)
-        return "https://#{tmp_path}" if tmp_path.end_with?(".git")
-        return unless (metadata_response = fetch_path_metadata(path))
-        # Look for a GitHub, Bitbucket or GitLab URL in the response
-        metadata_response.scan(Dependabot::Source::SOURCE_REGEX) do
-          source_url = Regexp.last_match.to_s
-          return Source.from_url(source_url).url
-        end
-        # If none are found, parse the response and return the go-import path
-        doc = Nokogiri::XML(metadata_response)
-        doc.remove_namespaces!
-        import_details =
-          doc.xpath("//meta").
-          find { |n| n.attributes["name"]&.value == "go-import" }&.
-          attributes&.fetch("content")&.value&.split(/\s+/)
-        return unless import_details && import_details[1] == "git"
-        import_details[2]
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-      def self.fetch_path_metadata(path)
-        # TODO: This is not robust! Instead, we should shell out to Go and
-        # use https://github.com/Masterminds/vcs.
-        response = Dependabot::RegistryClient.get(url: "https://#{path}?go-get=1")
-        return unless response.status == 200
-        response.body
-      end
-      private_class_method :fetch_path_metadata
     end
   end
 end

data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -52,18 +52,16 @@ module Dependabot
         attr_reader :dependency, :dependency_files, :credentials, :ignored_versions, :security_advisories
         def fetch_latest_version
-          return dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
           candidate_versions = available_versions
           candidate_versions = filter_prerelease_versions(candidate_versions)
           candidate_versions = filter_ignored_versions(candidate_versions)
+          # Adding the psuedo-version to the list to avoid downgrades
+          candidate_versions << dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
           candidate_versions.max
         end
         def fetch_lowest_security_fix_version
-          return dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
           relevant_versions = available_versions
           relevant_versions = filter_prerelease_versions(relevant_versions)
           relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
@@ -75,6 +73,10 @@ module Dependabot
         end
         def available_versions
+          @available_versions ||= fetch_available_versions
+        end
+        def fetch_available_versions
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
               manifest = parse_manifest
@@ -90,7 +92,11 @@ module Dependabot
               # Turn off the module proxy for private dependencies
               env = { "GOPRIVATE" => @goprivate }
-              versions_json = SharedHelpers.run_shell_command("go list -m -versions -json #{dependency.name}", env: env)
+              versions_json = SharedHelpers.run_shell_command(
+                "go list -m -versions -json #{dependency.name}",
+                fingerprint: "go list -m -versions -json <dependency_name>",
+                env: env
+              )
               version_strings = JSON.parse(versions_json)["Versions"]
               return [version_class.new(dependency.version)] if version_strings.nil?

data/lib/dependabot/go_modules/update_checker.rb CHANGED Viewed

@@ -13,17 +13,6 @@ module Dependabot
       require_relative "update_checker/latest_version_finder"
       def latest_resolvable_version
-        # We don't yet support updating indirect dependencies for go_modules
-        #
-        # To update indirect dependencies we'll need to promote the indirect
-        # dependency to the go.mod file forcing the resolver to pick this
-        # version (possibly as `// indirect`)
-        unless dependency.top_level?
-          return unless dependency.version
-          return current_version
-        end
         latest_version_finder.latest_version
       end
@@ -37,12 +26,6 @@ module Dependabot
       def lowest_resolvable_security_fix_version
         raise "Dependency not vulnerable!" unless vulnerable?
-        unless dependency.top_level?
-          return unless dependency.version
-          return current_version
-        end
         lowest_security_fix_version
       end
@@ -85,11 +68,9 @@ module Dependabot
         raise NotImplementedError
       end
-      # Override the base class's check for whether this is a git dependency,
-      # since not all dep git dependencies have a SHA version (sometimes their
-      # version is the tag)
+      # Go only supports semver and semver-compliant pseudo-versions, so it can't be a SHA.
       def existing_version_is_sha?
-        git_dependency?
+        false
       end
       def version_from_tag(tag)
@@ -100,23 +81,9 @@ module Dependabot
         tag&.fetch(:tag)
       end
-      def git_dependency?
-        git_commit_checker.git_dependency?
-      end
       def default_source
         { type: "default", source: dependency.name }
       end
-      def git_commit_checker
-        @git_commit_checker ||=
-          GitCommitChecker.new(
-            dependency: dependency,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            raise_on_ignored: raise_on_ignored
-          )
-      end
     end
   end
 end

data/lib/dependabot/go_modules/version.rb CHANGED Viewed

@@ -5,11 +5,12 @@
 # alteration.
 # Best docs are at https://github.com/Masterminds/semver
+require "dependabot/version"
 require "dependabot/utils"
 module Dependabot
   module GoModules
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       VERSION_PATTERN = '[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
                         '(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
                         '(\+incompatible)?'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.215.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-07 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-Go_Modules provides support for bumping Go Modules versions
+  via Dependabot. If you want support for multiple package managers, you probably
+  want the meta-gem dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -236,7 +237,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -252,8 +255,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: Go modules support for dependabot
+summary: Provides Dependabot support for Go Modules
 test_files: []