dependabot-go_modules 0.377.0 → 0.379.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/go_modules/file_parser.rb +21 -1
  3. data/lib/dependabot/go_modules/package/package_details_fetcher.rb +34 -0
  4. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bf97969c0a98df4328d5ed5780f92a9340a2a382acb7159a8a54141bfc5a75d8
4
- data.tar.gz: aacdfc5d7c13bf0a8e3c1fb9db5ab9e30dfb3fbcc0adcd1059cea0551eee5ade
3
+ metadata.gz: 7416aab2410b4a4f4f7b2f56c0034baa13956825415fc1af57a84fd383f5baa3
4
+ data.tar.gz: 7a36751b391d9d8d2a184098d8dd0a2ba521e1de92292b4ee059d9dd0f2c0e0b
5
5
  SHA512:
6
- metadata.gz: a608eb9a09a25ab99d680a32a75eab06c2782fba4e5f9bd3d363da9c314f94f15c7b08cb1501a2ddc2754c88fb499c0a9a67dd41c64a09105383a89710a47ed3
7
- data.tar.gz: f5bbfefc7577f2d65e035b2b976fe2824cc423b063dd62875f1af201185c32332a6daf4f6c603d5e5165b75aa664728aec712fabf8ce9be529a1b8002546a083
6
+ metadata.gz: 8aa196a52e254dc86a25aca1b727b631afc931164b1ad3e842fa62a1611d82884ee0a3844010f53b9a3598a0521dda2012c2b1fa6d6bdea36e732b4fda92cb09
7
+ data.tar.gz: 54d75e5a9b298b855f2761e87e101ceab4686d8dfe7833493e662b7f977c93538303690d01c65f933b69b10724efa76aa41debf590af2d06fbeec3398dc995b8
data/lib/dependabot/go_modules/file_parser.rb CHANGED
@@ -114,10 +114,30 @@ module Dependabot
114
114
  return unless go_env
115
115
 
116
116
  env_file = T.must(go_env)
117
- File.write(env_file.name, env_file.content)
117
+ File.write(env_file.name, sanitize_go_env_content(T.must(env_file.content)))
118
118
  ENV["GOENV"] = Pathname.new(env_file.name).realpath.to_s
119
119
  end
120
120
 
121
+ # Go's GOENV file format does not support shell-style quoting, but users
122
+ # commonly write values like GOPROXY="https://..." which Go reads literally
123
+ # (including the quotes), causing URL parse failures. Strip surrounding
124
+ # matching " or ' from each value.
125
+ sig { params(content: String).returns(String) }
126
+ def sanitize_go_env_content(content)
127
+ content.gsub(
128
+ /
129
+ ^ # start of line
130
+ ([^=\n]+) # key: one or more chars that are not = or newline
131
+ = # separator
132
+ (["']) # opening quote, captured for backreference
133
+ (.*) # value
134
+ \2 # closing quote must match opening
135
+ $ # end of line
136
+ /x,
137
+ '\1=\3'
138
+ )
139
+ end
140
+
121
141
  sig { void }
122
142
  def set_goprivate_variable
123
143
  return if go_env&.content&.include?("GOPRIVATE")
data/lib/dependabot/go_modules/package/package_details_fetcher.rb CHANGED
@@ -85,6 +85,10 @@ module Dependabot
85
85
  )
86
86
  version_strings = JSON.parse(versions_json)["Versions"]
87
87
 
88
+ # If no versions found, the path may be a sub-package rather than a module root.
89
+ # Try progressively shorter paths to find the actual module.
90
+ version_strings = resolve_module_versions_from_subpath(dependency_name) if version_strings.nil?
91
+
88
92
  return [package_release(version: T.must(dependency.version))] if version_strings.nil?
89
93
 
90
94
  version_info = version_strings.select { |v| version_class.correct?(v) }
@@ -161,6 +165,36 @@ module Dependabot
161
165
  dependency.version_class
162
166
  end
163
167
 
168
+ sig { params(module_path: String).returns(T.nilable(T::Array[String])) }
169
+ def fetch_module_versions(module_path)
170
+ versions_json = SharedHelpers.run_shell_command(
171
+ "go list -m -versions -json #{module_path}",
172
+ fingerprint: "go list -m -versions -json <dependency_name>"
173
+ )
174
+ JSON.parse(versions_json)["Versions"]
175
+ end
176
+
177
+ # When a full import path (e.g. github.com/owner/repo/cmd/tool) is not a module,
178
+ # try progressively shorter paths to find the actual module root.
179
+ sig { params(full_path: String).returns(T.nilable(T::Array[String])) }
180
+ def resolve_module_versions_from_subpath(full_path)
181
+ parts = full_path.split("/")
182
+ # Valid Go module roots can be as short as 2 segments (e.g., k8s.io/kubernetes)
183
+ min_parts = 2
184
+ return nil if parts.length <= min_parts
185
+
186
+ (parts.length - 1).downto(min_parts).each do |i|
187
+ candidate = T.must(parts[0...i]).join("/")
188
+ Dependabot.logger.debug("Trying shorter module path: #{candidate}")
189
+ versions = fetch_module_versions(candidate)
190
+ return versions if versions&.any?
191
+ rescue SharedHelpers::HelperSubprocessFailed
192
+ next
193
+ end
194
+
195
+ nil
196
+ end
197
+
164
198
  sig do
165
199
  params(releases: T::Array[Dependabot::Package::PackageRelease])
166
200
  .returns(Dependabot::Package::PackageDetails)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-go_modules
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.377.0
4
+ version: 0.379.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.377.0
18
+ version: 0.379.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.377.0
25
+ version: 0.379.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -275,7 +275,7 @@ licenses:
275
275
  - MIT
276
276
  metadata:
277
277
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
278
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.377.0
278
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.379.0
279
279
  rdoc_options: []
280
280
  require_paths:
281
281
  - lib