dependabot-go_modules 0.362.0 → 0.364.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e4a9975da382d57158ea52ad6a4d47299daa3f2e99f7133f68923563ca14c42
-  data.tar.gz: 9b1f7a4d3bc51dfbf2b4a8c3f42d90ea833ffe787ba336d3014da205507f19cf
+  metadata.gz: '0549b6632e12248926b3a3b507c6ef80e389fba47bde1cf5886f0b0493a0faad'
+  data.tar.gz: 3928257803da819ec010c35031c94ad78eeacf6effc8f495b257d9b4d95b91cd
 SHA512:
-  metadata.gz: fd095f5658455e70a0651ced2d747f0332e545ceb007e5158058e713bf89ceea86fb2a396fdc73dd058ec0534aa087dfe0052a3f34bc9ac3ba87ad8f8d257b23
-  data.tar.gz: fe1970687918ba78de5b069a52e2273fdbf96dbfa91049b3be3e5e216ddd8ee51993421df887137fed648a64d4d6c554a930882dc78f1af9fbafa7beda501674
+  metadata.gz: 9ae6dd6cca4e9a0dc9e7598c44978f89fcee9fae236b852957718ef0282b7d24f0578f5ef959b37790b16168ea223c78d7fb18a42a4a50fd29cd7b6aff3ef13a
+  data.tar.gz: f9e66da88dd36e4f2da7412f276edbbe296a7745034e4c6ded7d0ec5b46b6071618c21f19b7fe57a1f24087a8dd92b007b5a9b0bc3d4012255c1d6271b633ea7

data/helpers/go.mod

@@ -1,8 +1,8 @@
 module github.com/dependabot/dependabot-core/go_modules/helpers
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/Masterminds/vcs v1.13.3
-	golang.org/x/mod v0.27.0
+	golang.org/x/mod v0.33.0
 )

data/helpers/go.sum

@@ -1,4 +1,4 @@
 github.com/Masterminds/vcs v1.13.3 h1:IIA2aBdXvfbIM+yl/eTnL4hb1XwdpvuQLglAix1gweE=
 github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=

data/helpers/importresolver/main.go

@@ -1,6 +1,7 @@
 package importresolver
 
 import (
+	"net/url"
 	"os"
 	"strings"
 
@@ -20,6 +21,8 @@ func VCSRemoteForImport(args *Args) (interface{}, error) {
 		remote = "https://" + remote
 	}
 
+	remote = normalizeAzureDevOpsURL(remote)
+
 	local, err := os.MkdirTemp("", "unused-vcs-local-dir")
 	if err != nil {
 		return nil, err
@@ -34,3 +37,60 @@ func VCSRemoteForImport(args *Args) (interface{}, error) {
 	}()
 	return repo.Remote(), nil
 }
+
+func normalizeAzureDevOpsURL(remote string) string {
+	uri, err := url.Parse(remote)
+	if err != nil {
+		return remote
+	}
+
+	host := strings.ToLower(uri.Host)
+	if host != "dev.azure.com" {
+		return remote
+	}
+
+	segments := strings.Split(strings.TrimPrefix(uri.Path, "/"), "/")
+	if len(segments) < 3 {
+		return remote
+	}
+
+	normalizedSegments := segments
+	removeGitSuffix := false
+	if !strings.Contains(uri.Path, "/_git/") {
+		if len(segments) < 3 {
+			return remote
+		}
+
+		// Azure DevOps paths are /{org}/{project}/_git/{repo}[/{subdir}...].
+		// Insert "_git" after the first two segments and preserve the rest.
+		normalizedSegments = make([]string, 0, len(segments)+1)
+		normalizedSegments = append(normalizedSegments, segments[:2]...)
+		normalizedSegments = append(normalizedSegments, "_git")
+		normalizedSegments = append(normalizedSegments, segments[2:]...)
+		removeGitSuffix = true
+	}
+
+	if !removeGitSuffix {
+		uri.Path = "/" + strings.Join(normalizedSegments, "/")
+
+		return uri.String()
+	}
+
+	for i := range normalizedSegments {
+		if normalizedSegments[i] != "_git" {
+			continue
+		}
+
+		repoIndex := i + 1
+		if repoIndex >= len(normalizedSegments) {
+			return remote
+		}
+
+		normalizedSegments[repoIndex] = strings.TrimSuffix(normalizedSegments[repoIndex], ".git")
+		break
+	}
+
+	uri.Path = "/" + strings.Join(normalizedSegments, "/")
+
+	return uri.String()
+}

data/helpers/importresolver/main_test.go

@@ -13,3 +13,51 @@ func TestVCSRemoteForImport(t *testing.T) {
 		t.Fatalf("failed to get VCS remote for import %s: %v", args.Import, err)
 	}
 }
+
+func TestNormalizeAzureDevOpsURL(t *testing.T) {
+	tests := []struct {
+		name  string
+		input string
+		want  string
+	}{
+		{
+			name:  "adds _git segment when missing and removes .git suffix",
+			input: "https://dev.azure.com/VaronisIO/da-cloud/be-protobuf.git",
+			want:  "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf",
+		},
+		{
+			name:  "preserves existing _git segment",
+			input: "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf",
+			want:  "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf",
+		},
+		{
+			name:  "retains .git suffix when _git already exists",
+			input: "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf.git",
+			want:  "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf.git",
+		},
+		{
+			name:  "retains .git suffix and subdirectory when _git already exists",
+			input: "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf.git/submodule",
+			want:  "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf.git/submodule",
+		},
+		{
+			name:  "preserves subdirectory while removing .git suffix",
+			input: "https://dev.azure.com/VaronisIO/da-cloud/be-protobuf.git/submodule",
+			want:  "https://dev.azure.com/VaronisIO/da-cloud/_git/be-protobuf/submodule",
+		},
+		{
+			name:  "ignores non azure hosts",
+			input: "https://github.com/dependabot/dependabot-core",
+			want:  "https://github.com/dependabot/dependabot-core",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := normalizeAzureDevOpsURL(test.input)
+			if got != test.want {
+				t.Fatalf("normalizeAzureDevOpsURL(%q) = %q, want %q", test.input, got, test.want)
+			}
+		})
+	}
+}

data/lib/dependabot/go_modules/azure_devops_path_normalizer.rb

@@ -0,0 +1,27 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module GoModules
+    module AzureDevopsPathNormalizer
+      extend T::Sig
+
+      sig { params(name: String).returns(String) }
+      def self.normalize(name)
+        return name unless name.start_with?("dev.azure.com/")
+
+        segments = name.split("/")
+        return name if segments.length < 4
+        return name if segments[3] == "_git"
+
+        normalized_segments = segments.dup
+        normalized_segments.insert(3, "_git")
+        normalized_segments[4] = normalized_segments.fetch(4).delete_suffix(".git")
+
+        normalized_segments.join("/")
+      end
+    end
+  end
+end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -57,6 +57,8 @@ module Dependabot
             /go(?: get)?: .*: unknown revision/m,
             # Package pointing to a proxy that 404s
             /go(?: get)?: .*: unrecognized import path/m,
+            # Private repository cannot be fetched over a secure protocol
+            Dependabot::GoModules::ResolvabilityErrors::INSECURE_PROTOCOL_REPOSITORY_REGEX,
             # Package not being referenced correctly
             /go:.*imports.*package.+is not in std/m,
             # Invalid version due to missing go.mod files at specified revision
@@ -94,12 +96,22 @@ module Dependabot
           T::Array[Regexp]
         )
 
+        PATH_DEPENDENCY_ERROR_REGEXES = T.let(
+          [
+            /replaced by (?<path>[^)\s]+)\): reading .*go\.mod: open .*: no such file or directory/
+          ].freeze,
+          T::Array[Regexp]
+        )
+
         GO_LANG = "Go"
 
         AMBIGUOUS_ERROR_MESSAGE = /ambiguous import: found package (?<package>.*) in multiple modules/
 
         GO_VERSION_MISMATCH = /requires go (?<current_ver>.*) .*running go (?<req_ver>.*);/
 
+        GITHUB_403_REGEX =
+          %r{https://github\.com/(?<repo>[^/'\s]+/[^/'\s]+)/?': The requested URL returned error: 403}
+
         GO_MOD_VERSION = /^go 1\.\d+(\.\d+)?$/
 
         sig do
@@ -326,11 +338,8 @@ module Dependabot
         def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
           stderr = stderr.gsub(Dir.getwd, "")
 
-          go_mod_parse_error_regex = GO_MOD_PARSE_ERROR_REGEXES.find { |r| stderr =~ r }
-          if go_mod_parse_error_regex
-            error_message = filter_error_message(message: stderr, regex: go_mod_parse_error_regex)
-            raise Dependabot::DependencyFileNotParseable.new(go_mod_path, error_message)
-          end
+          raise_for_go_mod_parse_error(stderr)
+          raise_for_path_dependency_error(stderr)
 
           # Package version doesn't match the module major version
           error_regex = RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
@@ -343,8 +352,12 @@ module Dependabot
             raise Dependabot::PrivateSourceAuthenticationFailure, matches[:url]
           end
 
+          if github_credentials_configured? && (matches = stderr.match(GITHUB_403_REGEX))
+            raise Dependabot::PrivateSourceAuthenticationFailure, "https://github.com/#{matches[:repo]}"
+          end
+
           repo_error_regex = REPO_RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
-          ResolvabilityErrors.handle(stderr) if repo_error_regex
+          Dependabot::GoModules::ResolvabilityErrors.handle(stderr) if repo_error_regex
 
           path_regex = MODULE_PATH_MISMATCH_REGEXES.find { |r| stderr =~ r }
           if path_regex
@@ -387,6 +400,44 @@ module Dependabot
           message.match(regex).to_s
         end
 
+        sig { params(message: String).returns(T.nilable(String)) }
+        def extract_replacement_path(message)
+          PATH_DEPENDENCY_ERROR_REGEXES.each do |regex|
+            match = regex.match(message)
+            return match[:path] if match
+          end
+
+          nil
+        end
+
+        sig { returns(T::Boolean) }
+        def github_credentials_configured?
+          credentials.any? do |credential|
+            credential["type"] == "git_source" && credential["host"] == "github.com"
+          end
+        end
+
+        sig { params(stderr: String).void }
+        def raise_for_go_mod_parse_error(stderr)
+          go_mod_parse_error_regex = GO_MOD_PARSE_ERROR_REGEXES.find { |r| stderr =~ r }
+          return unless go_mod_parse_error_regex
+
+          error_message = filter_error_message(message: stderr, regex: go_mod_parse_error_regex)
+          raise Dependabot::DependencyFileNotParseable.new(go_mod_path, error_message)
+        end
+
+        sig { params(stderr: String).void }
+        def raise_for_path_dependency_error(stderr)
+          path_error_regex = PATH_DEPENDENCY_ERROR_REGEXES.find { |r| stderr =~ r }
+          return unless path_error_regex
+
+          dependency_path = extract_replacement_path(stderr)
+          raise Dependabot::PathDependenciesNotReachable, [dependency_path] if dependency_path
+
+          error_message = filter_error_message(message: stderr, regex: path_error_regex)
+          raise Dependabot::DependencyFileNotResolvable, error_message
+        end
+
         sig { returns(String) }
         def go_mod_path
           return "go.mod" if directory == "/"

data/lib/dependabot/go_modules/package/package_details_fetcher.rb

@@ -10,6 +10,7 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/go_modules/requirement"
 require "dependabot/go_modules/resolvability_errors"
+require "dependabot/go_modules/azure_devops_path_normalizer"
 
 module Dependabot
   module GoModules
@@ -77,8 +78,9 @@ module Dependabot
               end
 
               # Turn off the module proxy for private dependencies
+              dependency_name = AzureDevopsPathNormalizer.normalize(dependency.name)
               versions_json = SharedHelpers.run_shell_command(
-                "go list -m -versions -json #{dependency.name}",
+                "go list -m -versions -json #{dependency_name}",
                 fingerprint: "go list -m -versions -json <dependency_name>"
               )
               version_strings = JSON.parse(versions_json)["Versions"]

data/lib/dependabot/go_modules/requirement.rb

@@ -156,7 +156,7 @@ module Dependabot
       def convert_caret_req(req_string)
         version = req_string.gsub(/^\^?v?/, "")
         parts = version.split(".")
-        upper_bound = [parts.first.to_i + 1, 0, 0, "a"].map(&:to_s).join(".")
+        upper_bound = [parts.first.to_i + 1, 0, 0, "a"].join(".")
 
         [">= #{version}", "< #{upper_bound}"]
       end

data/lib/dependabot/go_modules/resolvability_errors.rb

@@ -8,27 +8,41 @@ module Dependabot
     module ResolvabilityErrors
       extend T::Sig
 
-      GITHUB_REPO_REGEX = %r{github.com/[^:@ ]*}
+      GITHUB_REPO_REGEX = T.let(%r{github.com/[^:@ '\n]*}, Regexp)
+      INSECURE_PROTOCOL_REPOSITORY_REGEX = T.let(
+        /go(?: get)?: .*: no secure protocol found for repository/m,
+        Regexp
+      )
+      GO_MODULE_WITH_VERSION_REGEX = T.let(/go(?: get)?:\s*(?<module>[^\s@]+)@/, Regexp)
+      GO_PREFIXED_HOSTED_REPO_REGEX = T.let(
+        %r{(?:^|\n)\s*go(?: get)?:\s*(?<repo>[a-z0-9.-]+\.[a-z]{2,}/[^:@\s]+)(?:[:\s]|$)}i,
+        Regexp
+      )
+      REACHABILITY_CHECK_HINTS = T.let(
+        [
+          /If this is a private repository/i,
+          /Write access to repository not granted/i,
+          /Authentication failed/i
+        ].freeze,
+        T::Array[Regexp]
+      )
 
       sig { params(message: String).void }
       def self.handle(message)
-        mod_path = message.scan(GITHUB_REPO_REGEX).last
-        unless mod_path && message.include?("If this is a private repository")
-          raise Dependabot::DependencyFileNotResolvable, message
+        mod_path = extract_module_path(message)
+
+        if mod_path && insecure_protocol_repo_error?(message)
+          raise Dependabot::GitDependenciesNotReachable, [repo_path_for(mod_path)]
         end
 
-        # Module not found on github.com - query for _any_ version to know if it
-        # doesn't exist (or is private) or we were just given a bad revision by this manifest
+        raise Dependabot::DependencyFileNotResolvable, message unless mod_path && requires_reachability_check?(message)
+
+        # Module not found in the module repository (e.g., GitHub, Gerrit) - query for _any_ version
+        # to know if it doesn't exist (or is private) or we were just given a bad revision by this manifest
         SharedHelpers.in_a_temporary_directory do
           File.write("go.mod", "module dummy\n")
 
-          mod_path = T.cast(mod_path, String)
-          mod_split = mod_path.split("/")
-          repo_path = if mod_split.size > 3
-                        T.must(mod_split[0..2]).join("/")
-                      else
-                        mod_path
-                      end
+          repo_path = repo_path_for(mod_path)
 
           _, _, status = Open3.capture3(SharedHelpers.escape_command("go list -m -versions #{repo_path}"))
           raise Dependabot::DependencyFileNotResolvable, message if status.success?
@@ -36,6 +50,46 @@ module Dependabot
           raise Dependabot::GitDependenciesNotReachable, [repo_path]
         end
       end
+
+      sig { params(message: String).returns(T.nilable(String)) }
+      def self.extract_module_path(message)
+        github_repo_paths = T.let(
+          message.scan(GITHUB_REPO_REGEX).filter_map do |match|
+            next match if match.is_a?(String)
+
+            match.first
+          end,
+          T::Array[String]
+        )
+        return github_repo_paths.last&.delete_suffix("/") if github_repo_paths.any?
+
+        module_with_version_match = message.match(GO_MODULE_WITH_VERSION_REGEX)
+        return module_with_version_match[:module] if module_with_version_match
+
+        hosted_repo_match = message.match(GO_PREFIXED_HOSTED_REPO_REGEX)
+        return hosted_repo_match[:repo] if hosted_repo_match
+
+        nil
+      end
+
+      sig { params(message: String).returns(T::Boolean) }
+      def self.requires_reachability_check?(message)
+        REACHABILITY_CHECK_HINTS.any? { |regex| message.match?(regex) }
+      end
+
+      sig { params(message: String).returns(T::Boolean) }
+      def self.insecure_protocol_repo_error?(message)
+        message.match?(INSECURE_PROTOCOL_REPOSITORY_REGEX)
+      end
+
+      sig { params(mod_path: String).returns(String) }
+      def self.repo_path_for(mod_path)
+        normalized_mod_path = mod_path.delete_suffix("/")
+        mod_split = normalized_mod_path.split("/")
+        return normalized_mod_path unless mod_split.first == "github.com" && mod_split.size > 3
+
+        T.must(mod_split[0..2]).join("/")
+      end
     end
   end
 end

data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb

@@ -11,6 +11,7 @@ require "dependabot/errors"
 require "dependabot/go_modules/requirement"
 require "dependabot/go_modules/resolvability_errors"
 require "dependabot/go_modules/package/package_details_fetcher"
+require "dependabot/go_modules/azure_devops_path_normalizer"
 require "dependabot/package/package_latest_version_finder"
 
 module Dependabot
@@ -198,8 +199,9 @@ module Dependabot
         sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
         def in_cooldown_period?(release)
           begin
+            dependency_name = AzureDevopsPathNormalizer.normalize(dependency.name)
             release_info = SharedHelpers.run_shell_command(
-              "go list -m -json #{dependency.name}@#{release.details.[]('version_string')}",
+              "go list -m -json #{dependency_name}@#{release.details.[]('version_string')}",
               fingerprint: "go list -m -json <dependency_name>"
             )
           rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.362.0
+  version: 0.364.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.364.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -85,14 +85,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -250,6 +250,7 @@ files:
 - helpers/main.go
 - helpers/version_test.go
 - lib/dependabot/go_modules.rb
+- lib/dependabot/go_modules/azure_devops_path_normalizer.rb
 - lib/dependabot/go_modules/dependency_grapher.rb
 - lib/dependabot/go_modules/file_fetcher.rb
 - lib/dependabot/go_modules/file_parser.rb
@@ -273,7 +274,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.362.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.364.0
 rdoc_options: []
 require_paths:
 - lib