dependabot-go_modules 0.129.1 → 0.129.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 66a84b6b47ca0b0c2123cbb74dc9289edf5a3456e47e243b9f5f7e3e811a6e83
4
- data.tar.gz: c818cafc810e2d768e1048c30b9c28b06b2f74d0c15fe4fecb38ccc3341b4746
3
+ metadata.gz: 9a5732b46b502a7660d58467755acc033f3eddd7ac90d457401479dc21985504
4
+ data.tar.gz: 70b7dc19d8f80346f8300ce48995e68e425e79e4a33ff6b33f80d3cf09c34321
5
5
  SHA512:
6
- metadata.gz: 6fafe82fab2b405593f8a7c8a431ff71804189922a9f7d3d920ee6b4295417294e904c4b123fb4f3cdea32e8044ad69f5a130e342418f36d0e819e934be1980b
7
- data.tar.gz: 1456d1903e1b9b1b832de978aad3f2ba579d9dc30ef5179f97ef3d9f62963c01e8586967729e44e1da015166fa7e96ba4496d76309311ff79d3414d8b42726fc
6
+ metadata.gz: 8b21e2f1b812745f68fe053aaa3e20735e56c5f50d060a896db9484087ffd1ee091ae22039e4d384ac9aefdc66561c657cda30aad5dab53a62a6f833a1305dbc
7
+ data.tar.gz: d75ca92c24e867137de528fb58db6a100333fb6089e487c5511e4438087f9b71abc8c8a4e5249eed543cc0548ffafa6703ddd8db193f3a7402a80e85487767c3
@@ -16,17 +16,8 @@ module Dependabot
16
16
  def parse
17
17
  dependency_set = Dependabot::FileParsers::Base::DependencySet.new
18
18
 
19
- i = 0
20
- chunks = module_info.lines.
21
- group_by { |line| line == "{\n" ? i += 1 : i }
22
- deps = chunks.values.map { |chunk| JSON.parse(chunk.join) }
23
-
24
- deps.each do |dep|
25
- # The project itself appears in this list as "Main"
26
- next if dep["Main"]
27
-
28
- dependency = dependency_from_details(dep)
29
- dependency_set << dependency if dependency
19
+ required_packages.each do |dep|
20
+ dependency_set << dependency_from_details(dep) unless dep["Indirect"]
30
21
  end
31
22
 
32
23
  dependency_set.dependencies
@@ -65,39 +56,36 @@ module Dependabot
65
56
  )
66
57
  end
67
58
 
68
- def module_info
69
- @module_info ||=
59
+ def required_packages
60
+ @required_packages ||=
70
61
  SharedHelpers.in_a_temporary_directory do |path|
71
- SharedHelpers.with_git_configured(credentials: credentials) do
72
- # Create a fake empty module for each local module so that
73
- # `go list` works, even if some modules have been `replace`d with
74
- # a local module that we don't have access to.
75
- local_replacements.each do |_, stub_path|
76
- Dir.mkdir(stub_path) unless Dir.exist?(stub_path)
77
- FileUtils.touch(File.join(stub_path, "go.mod"))
78
- end
79
-
80
- File.write("go.mod", go_mod_content)
81
-
82
- command = "go mod edit -print > /dev/null"
83
- command += " && go list -m -json all"
84
-
85
- # Turn off the module proxy for now, as it's causing issues with
86
- # private git dependencies
87
- env = { "GOPRIVATE" => "*" }
88
-
89
- stdout, stderr, status = Open3.capture3(env, command)
90
- handle_parser_error(path, stderr) unless status.success?
91
- stdout
92
- rescue Dependabot::DependencyFileNotResolvable
93
- # We sometimes see this error if a host times out.
94
- # In such cases, retrying (a maximum of 3 times) may fix it.
95
- retry_count ||= 0
96
- raise if retry_count >= 3
97
-
98
- retry_count += 1
99
- retry
62
+ # Create a fake empty module for each local module so that
63
+ # `go mod edit` works, even if some modules have been `replace`d with
64
+ # a local module that we don't have access to.
65
+ local_replacements.each do |_, stub_path|
66
+ Dir.mkdir(stub_path) unless Dir.exist?(stub_path)
67
+ FileUtils.touch(File.join(stub_path, "go.mod"))
100
68
  end
69
+
70
+ File.write("go.mod", go_mod_content)
71
+
72
+ command = "go mod edit -json"
73
+
74
+ # Turn off the module proxy for now, as it's causing issues with
75
+ # private git dependencies
76
+ env = { "GOPRIVATE" => "*" }
77
+
78
+ stdout, stderr, status = Open3.capture3(env, command)
79
+ handle_parser_error(path, stderr) unless status.success?
80
+ JSON.parse(stdout)["Require"]
81
+ rescue Dependabot::DependencyFileNotResolvable
82
+ # We sometimes see this error if a host times out.
83
+ # In such cases, retrying (a maximum of 3 times) may fix it.
84
+ retry_count ||= 0
85
+ raise if retry_count >= 3
86
+
87
+ retry_count += 1
88
+ retry
101
89
  end
102
90
  end
103
91
 
@@ -135,52 +123,9 @@ module Dependabot
135
123
  end
136
124
  end
137
125
 
138
- GIT_ERROR_REGEX = /go: .*: git fetch .*: exit status 128/m.freeze
139
126
  def handle_parser_error(path, stderr)
140
- case stderr
141
- when /go: .*: unknown revision/m
142
- line = stderr.lines.grep(/unknown revision/).first.strip
143
- handle_github_unknown_revision(line) if line.start_with?("go: github.com/")
144
- raise Dependabot::DependencyFileNotResolvable, line
145
- when /go: .*: unrecognized import path/m
146
- line = stderr.lines.grep(/unrecognized import/).first
147
- raise Dependabot::DependencyFileNotResolvable, line.strip
148
- when /go: errors parsing go.mod/m
149
- msg = stderr.gsub(path.to_s, "").strip
150
- raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
151
- when GIT_ERROR_REGEX
152
- lines = stderr.lines.drop_while { |l| GIT_ERROR_REGEX !~ l }
153
- raise Dependabot::DependencyFileNotResolvable.new, lines.join
154
- else
155
- msg = stderr.gsub(path.to_s, "").strip
156
- raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
157
- end
158
- end
159
-
160
- GITHUB_REPO_REGEX = %r{github.com/[^@]*}.freeze
161
- def handle_github_unknown_revision(line)
162
- mod_path = line.scan(GITHUB_REPO_REGEX).first
163
- return unless mod_path
164
-
165
- # Query for _any_ version of this module, to know if it doesn't exist (or is private)
166
- # or we were just given a bad revision by this manifest
167
- SharedHelpers.in_a_temporary_directory do
168
- SharedHelpers.with_git_configured(credentials: credentials) do
169
- File.write("go.mod", "module dummy\n")
170
-
171
- env = { "GOPRIVATE" => "*" }
172
- _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{mod_path}"))
173
- raise Dependabot::DependencyFileNotResolvable, line if status.success?
174
-
175
- mod_split = mod_path.split("/")
176
- repo_path = if mod_split.size > 3
177
- mod_split[0..2].join("/")
178
- else
179
- mod_path
180
- end
181
- raise Dependabot::GitDependenciesNotReachable, [repo_path]
182
- end
183
- end
127
+ msg = stderr.gsub(path.to_s, "").strip
128
+ raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
184
129
  end
185
130
 
186
131
  def rev_identifier?(dep)
@@ -40,6 +40,8 @@ module Dependabot
40
40
  /no space left on device/.freeze
41
41
  ].freeze
42
42
 
43
+ GO_MOD_VERSION = /^go 1\.[\d]+$/.freeze
44
+
43
45
  def initialize(dependencies:, credentials:, repo_contents_path:,
44
46
  directory:, options:)
45
47
  @dependencies = dependencies
@@ -67,10 +69,9 @@ module Dependabot
67
69
  @updated_files ||= update_files
68
70
  end
69
71
 
70
- def update_files # rubocop:disable Metrics/AbcSize
72
+ def update_files # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
71
73
  in_repo_path do
72
74
  # Map paths in local replace directives to path hashes
73
-
74
75
  original_go_mod = File.read("go.mod")
75
76
  original_manifest = parse_manifest
76
77
  original_go_sum = File.read("go.sum") if File.exist?("go.sum")
@@ -87,35 +88,36 @@ module Dependabot
87
88
  # Then run `go get` to pick up other changes to the file caused by
88
89
  # the upgrade
89
90
  run_go_get
90
- run_go_vendor
91
- run_go_mod_tidy
92
-
93
- # At this point, the go.mod returned from run_go_get contains the
94
- # correct set of modules, but running `go get` can change the file
95
- # in undesirable ways (such as injecting the current Go version),
96
- # so we need to update the original go.mod with the updated set of
97
- # requirements rather than using the regenerated file directly
98
- original_reqs = original_manifest["Require"] || []
99
- updated_reqs = parse_manifest["Require"] || []
100
-
101
- original_paths = original_reqs.map { |r| r["Path"] }
102
- updated_paths = updated_reqs.map { |r| r["Path"] }
103
- req_paths_to_remove = original_paths - updated_paths
104
-
105
- # Put back the original content before we replace just the updated
106
- # dependencies.
107
- write_go_mod(original_go_mod)
108
91
 
109
- remove_requirements(req_paths_to_remove)
110
- deps = updated_reqs.map { |r| requirement_to_dependency_obj(r) }
111
- update_go_mod(deps)
112
-
113
- # put the old replace directives back again
114
- substitute_all(substitutions.invert)
92
+ # If we stubbed modules, don't run `go mod {tidy,vendor}` as
93
+ # dependencies are incomplete
94
+ if substitutions.empty?
95
+ run_go_mod_tidy
96
+ run_go_vendor
97
+ else
98
+ substitute_all(substitutions.invert)
99
+ end
115
100
 
116
101
  updated_go_sum = original_go_sum ? File.read("go.sum") : nil
117
102
  updated_go_mod = File.read("go.mod")
118
103
 
104
+ # running "go get" may inject the current go version, remove it
105
+ original_go_version = original_go_mod.match(GO_MOD_VERSION)&.to_a&.first
106
+ updated_go_version = updated_go_mod.match(GO_MOD_VERSION)&.to_a&.first
107
+ if original_go_version != updated_go_version
108
+ go_mod_lines = updated_go_mod.lines
109
+ go_mod_lines.each_with_index do |line, i|
110
+ next unless line&.match?(GO_MOD_VERSION)
111
+
112
+ # replace with the original version
113
+ go_mod_lines[i] = original_go_version
114
+ # avoid a stranded newline if there was no version originally
115
+ go_mod_lines[i + 1] = nil if original_go_version.nil?
116
+ end
117
+
118
+ updated_go_mod = go_mod_lines.compact.join
119
+ end
120
+
119
121
  { go_mod: updated_go_mod, go_sum: updated_go_sum }
120
122
  end
121
123
  end
@@ -184,24 +186,6 @@ module Dependabot
184
186
  JSON.parse(stdout) || {}
185
187
  end
186
188
 
187
- def remove_requirements(requirement_paths)
188
- requirement_paths.each do |path|
189
- escaped_path = Shellwords.escape(path)
190
- command = "go mod edit -droprequire #{escaped_path}"
191
- _, stderr, status = Open3.capture3(ENVIRONMENT, command)
192
- handle_subprocess_error(stderr) unless status.success?
193
- end
194
- end
195
-
196
- def add_requirements(requirements)
197
- requirements.each do |r|
198
- escaped_req = Shellwords.escape("#{r['Path']}@#{r['Version']}")
199
- command = "go mod edit -require #{escaped_req}"
200
- _, stderr, status = Open3.capture3(ENVIRONMENT, command)
201
- handle_subprocess_error(stderr) unless status.success?
202
- end
203
- end
204
-
205
189
  def in_repo_path(&block)
206
190
  SharedHelpers.
207
191
  in_a_temporary_repo_directory(directory, repo_contents_path) do
@@ -268,7 +252,7 @@ module Dependabot
268
252
  end
269
253
 
270
254
  def module_pathname
271
- @module_pathname ||= Pathname.new(repo_contents_path).join(directory)
255
+ @module_pathname ||= Pathname.new(repo_contents_path).join(directory.sub(%r{^/}, ""))
272
256
  end
273
257
 
274
258
  def substitute_all(substitutions)
@@ -312,24 +296,6 @@ module Dependabot
312
296
  File.join(directory, "go.mod")
313
297
  end
314
298
 
315
- def requirement_to_dependency_obj(req)
316
- # This is an approximation - we're not correctly populating `source`
317
- # for instance, but it's only to plug the requirement into the
318
- # `update_go_mod` method so this mapping doesn't need to be perfect
319
- dep_req = {
320
- file: "go.mod",
321
- requirement: req["Version"],
322
- groups: [],
323
- source: nil
324
- }
325
- Dependency.new(
326
- name: req["Path"],
327
- version: req["Version"],
328
- requirements: req["Indirect"] ? [] : [dep_req],
329
- package_manager: "go_modules"
330
- )
331
- end
332
-
333
299
  def write_go_mod(body)
334
300
  File.write("go.mod", body)
335
301
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-go_modules
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.129.1
4
+ version: 0.129.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-12-21 00:00:00.000000000 Z
11
+ date: 2021-01-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.129.1
19
+ version: 0.129.2
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.129.1
26
+ version: 0.129.2
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -100,28 +100,28 @@ dependencies:
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: 1.6.0
103
+ version: 1.7.0
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: 1.6.0
110
+ version: 1.7.0
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: simplecov
113
113
  requirement: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 0.20.0
117
+ version: 0.21.0
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 0.20.0
124
+ version: 0.21.0
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: simplecov-console
127
127
  requirement: !ruby/object:Gem::Requirement