dependabot-go_modules 0.120.5 → 0.121.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fce526d6f1486979f1480199b40e32a9c98f4e50851e4d5821efb8541c31cec2
-  data.tar.gz: 7cea6d48092354e728a1fef289916415d557dbdb068611a3fa406f7c246a8e03
+  metadata.gz: 701e98b35df513747baf443e0438108b3b9654e27f34f8c2222a6a66ca2ed629
+  data.tar.gz: 9a072a70eff30b0958a11ea3c18a52a9d226f0638802cac4c1a11ce43c11179e
 SHA512:
-  metadata.gz: c075d6cff1b7ef09ccab054cce4f6a8e66d732b4301aaebf8a7b75a6a4e1bc2b9300a7b81a41afb383faad942a56f791d819dd5d0a2cd3c60460661d24feaf1f
-  data.tar.gz: d9b4889b2dfc29755c10e8545e8e4e0022420e7dcf411bcc4fddf73c79af9bf3aacf7b88324baddd14bee80ab5132103b4db958cf8c8e278acd8641adf96d473
+  metadata.gz: f4c5afb8286faed93d541b40f466baa9ccf3204b3ba7ef600658b202dc30ec3085f8ac22a81169372a92d3edbbe4232ba2018c69824394d81db57cae44108f56
+  data.tar.gz: 3637c5c1b624bfba9e3b4a4af263e2aff7411c5ff181ae9c35cf1edc34b11fe62206dce9b3917dcc3869f78f76030158f43747fe0205becb969d3593a7ce1216

data/lib/dependabot/go_modules.rb

@@ -17,3 +17,6 @@ Dependabot::PullRequestCreator::Labeler.
 require "dependabot/dependency"
 Dependabot::Dependency.
   register_production_check("go_modules", ->(_) { true })
+
+require "dependabot/utils"
+Dependabot::Utils.register_always_clone("go_modules")

data/lib/dependabot/go_modules/file_fetcher.rb

@@ -17,23 +17,31 @@ module Dependabot
       private
 
       def fetch_files
-        unless go_mod
-          raise(
-            Dependabot::DependencyFileNotFound,
-            File.join(directory, "go.mod")
-          )
+        # Ensure we always check out the full repo contents for go_module
+        # updates.
+        SharedHelpers.in_a_temporary_repo_directory(
+          directory,
+          clone_repo_contents
+        ) do
+          unless go_mod
+            raise(
+              Dependabot::DependencyFileNotFound,
+              Pathname.new(File.join(directory, "go.mod")).
+              cleanpath.to_path
+            )
+          end
+
+          fetched_files = [go_mod]
+
+          # Fetch the (optional) go.sum
+          fetched_files << go_sum if go_sum
+
+          # Fetch the main.go file if present, as this will later identify
+          # this repo as an app.
+          fetched_files << main if main
+
+          fetched_files
         end
-
-        fetched_files = [go_mod]
-
-        # Fetch the (optional) go.sum
-        fetched_files << go_sum if go_sum
-
-        # Fetch the main.go file if present, as this will later identify
-        # this repo as an app.
-        fetched_files << main if main
-
-        fetched_files
       end
 
       def go_mod
@@ -45,15 +53,21 @@ module Dependabot
       end
 
       def main
-        return @main if @main
+        return @main if defined?(@main)
 
-        go_files = repo_contents.select { |f| f.name.end_with?(".go") }
+        go_files = Dir.glob("*.go")
 
-        go_files.each do |go_file|
-          file = fetch_file_from_host(go_file.name, type: "package_main")
-          next unless file.content.match?(/\s*package\s+main/)
+        go_files.each do |filename|
+          file_content = File.read(filename)
+          next unless file_content.match?(/\s*package\s+main/)
 
-          return @main = file.tap { |f| f.support_file = true }
+          return @main = DependencyFile.new(
+            name: Pathname.new(filename).cleanpath.to_path,
+            directory: "/",
+            type: "package_main",
+            support_file: true,
+            content: file_content
+          )
         end
 
         nil

data/lib/dependabot/go_modules/file_updater.rb

@@ -9,6 +9,25 @@ module Dependabot
     class FileUpdater < Dependabot::FileUpdaters::Base
       require_relative "file_updater/go_mod_updater"
 
+      def initialize(dependencies:, dependency_files:, repo_contents_path: nil,
+                     credentials:, options: {})
+        super
+        return unless repo_contents_path.nil?
+
+        # masquerade repo_contents_path for GoModUpdater during transition
+        tmp = Dir.mktmpdir
+        Dir.chdir(tmp) do
+          dependency_files.each do |file|
+            File.write(file.name, file.content)
+          end
+          `git init .`
+          `git add .`
+          `git commit -m'fake repo_contents_path'`
+        end
+        @repo_contents_path = tmp
+        @repo_contents_stub = true
+      end
+
       def self.updated_files_regex
         [
           /^go\.mod$/,
@@ -56,13 +75,18 @@ module Dependabot
         @go_sum ||= get_original_file("go.sum")
       end
 
+      def directory
+        dependency_files.first.directory
+      end
+
       def file_updater
         @file_updater ||=
           GoModUpdater.new(
             dependencies: dependencies,
-            go_mod: go_mod,
-            go_sum: go_sum,
-            credentials: credentials
+            credentials: credentials,
+            repo_contents_path: repo_contents_path,
+            directory: directory,
+            tidy: !@repo_contents_stub && options.fetch(:go_mod_tidy, false)
           )
       end
     end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -25,11 +25,13 @@ module Dependabot
           /go: ([^@\s]+)(?:@[^\s]+)?: .* declares its path as: ([\S]*)/m
         ].freeze
 
-        def initialize(dependencies:, go_mod:, go_sum:, credentials:)
+        def initialize(dependencies:, credentials:, repo_contents_path:,
+                       directory:, tidy:)
           @dependencies = dependencies
-          @go_mod = go_mod
-          @go_sum = go_sum
           @credentials = credentials
+          @repo_contents_path = repo_contents_path
+          @directory = directory
+          @tidy = tidy
         end
 
         def updated_go_mod_content
@@ -42,64 +44,74 @@ module Dependabot
 
         private
 
-        attr_reader :dependencies, :go_mod, :go_sum, :credentials
+        attr_reader :dependencies, :credentials, :repo_contents_path,
+                    :directory
 
         def updated_files
           @updated_files ||= update_files
         end
 
-        # rubocop:disable Metrics/AbcSize
         def update_files
-          # Map paths in local replace directives to path hashes
-          substitutions = replace_directive_substitutions(go_mod.content)
-          stub_dirs = substitutions.values
+          in_repo_path do
+            # Map paths in local replace directives to path hashes
 
-          # Replace full paths with path hashes in the go.mod
-          clean_go_mod = substitute_all(go_mod.content, substitutions)
+            original_go_mod = File.read("go.mod")
+            original_manifest = parse_manifest
+            original_go_sum = File.read("go.sum") if File.exist?("go.sum")
 
-          # Set the new dependency versions in the go.mod
-          updated_go_mod = in_temp_dir(stub_dirs) do
-            update_go_mod(clean_go_mod, dependencies)
-          end
+            substitutions = replace_directive_substitutions(original_manifest)
+            build_module_stubs(substitutions.values)
 
-          # Then run `go get` to pick up other changes to the file caused by
-          # the upgrade
-          regenerated_files = in_temp_dir(stub_dirs) do
-            run_go_get(updated_go_mod, go_sum)
-          end
+            # Replace full paths with path hashes in the go.mod
+            substitute_all(substitutions)
 
-          # At this point, the go.mod returned from run_go_get contains the
-          # correct set of modules, but running `go get` can change the file in
-          # undesirable ways (such as injecting the current Go version), so we
-          # need to update the original go.mod with the updated set of
-          # requirements rather than using the regenerated file directly
-          original_reqs = in_temp_dir(stub_dirs) do
-            parse_manifest_requirements(go_mod.content)
-          end
-          updated_reqs = in_temp_dir(stub_dirs) do
-            parse_manifest_requirements(regenerated_files[:go_mod])
-          end
+            # Set the stubbed replace directives
+            update_go_mod(dependencies)
 
-          original_paths = original_reqs.map { |r| r["Path"] }
-          updated_paths = updated_reqs.map { |r| r["Path"] }
-          req_paths_to_remove = original_paths - updated_paths
+            # Then run `go get` to pick up other changes to the file caused by
+            # the upgrade
+            run_go_get
+            run_go_mod_tidy
 
-          output_go_mod = in_temp_dir(stub_dirs) do
-            remove_requirements(go_mod.content, req_paths_to_remove)
-          end
+            # At this point, the go.mod returned from run_go_get contains the
+            # correct set of modules, but running `go get` can change the file
+            # in undesirable ways (such as injecting the current Go version),
+            # so we need to update the original go.mod with the updated set of
+            # requirements rather than using the regenerated file directly
+            original_reqs = original_manifest["Require"] || []
+            updated_reqs = parse_manifest["Require"] || []
 
-          output_go_mod = in_temp_dir(stub_dirs) do
+            original_paths = original_reqs.map { |r| r["Path"] }
+            updated_paths = updated_reqs.map { |r| r["Path"] }
+            req_paths_to_remove = original_paths - updated_paths
+
+            # Put back the original content before we replace just the updated
+            # dependencies.
+            write_go_mod(original_go_mod)
+
+            remove_requirements(req_paths_to_remove)
             deps = updated_reqs.map { |r| requirement_to_dependency_obj(r) }
-            update_go_mod(output_go_mod, deps)
-          end
+            update_go_mod(deps)
+
+            # put the old replace directives back again
+            substitute_all(substitutions.invert)
 
-          { go_mod: output_go_mod, go_sum: regenerated_files[:go_sum] }
+            updated_go_sum = original_go_sum ? File.read("go.sum") : nil
+            updated_go_mod = File.read("go.mod")
+
+            { go_mod: updated_go_mod, go_sum: updated_go_sum }
+          end
         end
-        # rubocop:enable Metrics/AbcSize
 
-        def update_go_mod(go_mod_content, dependencies)
-          File.write("go.mod", go_mod_content)
+        def run_go_mod_tidy
+          return unless tidy?
+
+          command = "go mod tidy"
+          _, stderr, status = Open3.capture3(ENVIRONMENT, command)
+          handle_subprocess_error(stderr) unless status.success?
+        end
 
+        def update_go_mod(dependencies)
           deps = dependencies.map do |dep|
             {
               name: dep.name,
@@ -108,78 +120,75 @@ module Dependabot
             }
           end
 
-          SharedHelpers.run_helper_subprocess(
+          body = SharedHelpers.run_helper_subprocess(
             command: NativeHelpers.helper_path,
             env: ENVIRONMENT,
             function: "updateDependencyFile",
             args: { dependencies: deps }
           )
+
+          write_go_mod(body)
         end
 
-        def run_go_get(go_mod_content, go_sum)
-          File.write("go.mod", go_mod_content)
-          File.write("go.sum", go_sum.content) if go_sum
-          File.write("main.go", dummy_main_go)
+        def run_go_get
+          tmp_go_file = "#{SecureRandom.hex}.go"
+
+          unless Dir.glob("*.go").any?
+            File.write(tmp_go_file, "package dummypkg\n")
+          end
 
           _, stderr, status = Open3.capture3(ENVIRONMENT, "go get -d")
           handle_subprocess_error(stderr) unless status.success?
-
-          updated_go_sum = go_sum ? File.read("go.sum") : nil
-          { go_mod: File.read("go.mod"), go_sum: updated_go_sum }
+        ensure
+          File.delete(tmp_go_file) if File.exist?(tmp_go_file)
         end
 
-        def parse_manifest_requirements(go_mod_content)
-          File.write("go.mod", go_mod_content)
-
+        def parse_manifest
           command = "go mod edit -json"
           stdout, stderr, status = Open3.capture3(ENVIRONMENT, command)
           handle_subprocess_error(stderr) unless status.success?
 
-          JSON.parse(stdout)["Require"] || []
+          JSON.parse(stdout) || {}
         end
 
-        def remove_requirements(go_mod_content, requirement_paths)
-          File.write("go.mod", go_mod_content)
-
+        def remove_requirements(requirement_paths)
           requirement_paths.each do |path|
             escaped_path = Shellwords.escape(path)
             command = "go mod edit -droprequire #{escaped_path}"
             _, stderr, status = Open3.capture3(ENVIRONMENT, command)
             handle_subprocess_error(stderr) unless status.success?
           end
-
-          File.read("go.mod")
         end
 
-        def add_requirements(go_mod_content, requirements)
-          File.write("go.mod", go_mod_content)
-
+        def add_requirements(requirements)
           requirements.each do |r|
             escaped_req = Shellwords.escape("#{r['Path']}@#{r['Version']}")
             command = "go mod edit -require #{escaped_req}"
             _, stderr, status = Open3.capture3(ENVIRONMENT, command)
             handle_subprocess_error(stderr) unless status.success?
           end
-
-          File.read("go.mod")
         end
 
-        def in_temp_dir(stub_paths, &block)
-          SharedHelpers.in_a_temporary_directory do
+        def in_repo_path(&block)
+          SharedHelpers.
+            in_a_temporary_repo_directory(directory, repo_contents_path) do
             SharedHelpers.with_git_configured(credentials: credentials) do
-              # Create a fake empty module for each local module so that
-              # `go get -d` works, even if some modules have been `replace`d
-              # with a local module that we don't have access to.
-              stub_paths.each do |stub_path|
-                Dir.mkdir(stub_path) unless Dir.exist?(stub_path)
-                FileUtils.touch(File.join(stub_path, "go.mod"))
-              end
-
               block.call
             end
           end
         end
 
+        def build_module_stubs(stub_paths)
+          # Create a fake empty module for each local module so that
+          # `go get -d` works, even if some modules have been `replace`d
+          # with a local module that we don't have access to.
+          stub_paths.each do |stub_path|
+            Dir.mkdir(stub_path) unless Dir.exist?(stub_path)
+            FileUtils.touch(File.join(stub_path, "go.mod"))
+            FileUtils.touch(File.join(stub_path, "main.go"))
+          end
+        end
+
         # Given a go.mod file, find all `replace` directives pointing to a path
         # on the local filesystem, and return an array of pairs mapping the
         # original path to a hash of the path.
@@ -188,22 +197,14 @@ module Dependabot
         # the layout of the filesystem with a structure we can reproduce (i.e.
         # no paths such as ../../../foo), run the Go tooling, then reverse the
         # process afterwards.
-        def replace_directive_substitutions(go_mod_content)
+        def replace_directive_substitutions(manifest)
           @replace_directive_substitutions ||=
-            SharedHelpers.in_a_temporary_directory do |path|
-              File.write("go.mod", go_mod_content)
-
-              # Parse the go.mod to get a JSON representation of the replace
-              # directives
-              command = "go mod edit -json"
-              stdout, stderr, status = Open3.capture3(ENVIRONMENT, command)
-              handle_subprocess_error(path, stderr) unless status.success?
-
+            begin
               # Find all the local replacements, and return them with a stub
               # path we can use in their place. Using generated paths is safer
               # as it means we don't need to worry about references to parent
               # directories, etc.
-              (JSON.parse(stdout)["Replace"] || []).
+              (manifest["Replace"] || []).
                 map { |r| r["New"]["Path"] }.
                 compact.
                 select { |p| p.start_with?(".") || p.start_with?("/") }.
@@ -212,10 +213,12 @@ module Dependabot
             end
         end
 
-        def substitute_all(file, substitutions)
-          substitutions.reduce(file) do |text, (a, b)|
+        def substitute_all(substitutions)
+          body = substitutions.reduce(File.read("go.mod")) do |text, (a, b)|
             text.sub(a, b)
           end
+
+          write_go_mod(body)
         end
 
         def handle_subprocess_error(stderr)
@@ -231,28 +234,18 @@ module Dependabot
           if path_regex
             match = path_regex.match(stderr)
             raise Dependabot::GoModulePathMismatch.
-              new(go_mod.path, match[1], match[2])
+              new(go_mod_path, match[1], match[2])
           end
 
           msg = stderr.lines.last(10).join.strip
-          raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
+          raise Dependabot::DependencyFileNotParseable.
+            new(go_mod_path, msg)
         end
 
-        def dummy_main_go
-          # If we use `main` as the package name, running `go get -d` seems to
-          # invoke the build systems, which can cause problems. For instance,
-          # if the go.mod includes a module that doesn't have a top-level
-          # package, we have no way of working out the import path, so the
-          # build step fails.
-          #
-          # In due course, if we end up fetching the full repo, it might be
-          # good to switch back to `main` so we can surface more errors.
-          lines = ["package dummypkg", "import ("]
-          dependencies.each do |dep|
-            lines << "_ \"#{dep.name}\"" unless dep.requirements.empty?
-          end
-          lines << ")"
-          lines.join("\n")
+        def go_mod_path
+          return "go.mod" if directory == "/"
+
+          File.join(directory, "go.mod")
         end
 
         def requirement_to_dependency_obj(req)
@@ -272,6 +265,14 @@ module Dependabot
             package_manager: "go_modules"
           )
         end
+
+        def write_go_mod(body)
+          File.write("go.mod", body)
+        end
+
+        def tidy?
+          !!@tidy
+        end
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.120.5
+  version: 0.121.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.120.5
+        version: 0.121.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.120.5
+        version: 0.121.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement