dependabot-go_modules 0.168.0 → 0.169.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f4a5c38ca4522eaa039288aa779a30944ddb53db7a44c3d9b1151404df0ab15
-  data.tar.gz: 36218dfa9f798ab87c48ba71f72130ff3fb108af88fb23f437c7ee1010aa48c5
+  metadata.gz: ba323197349529a5a515b8ccb3e41d22f7d7df32771e190fbcd0417b99a12f0a
+  data.tar.gz: 45f197511d6ef315061207e934af5debbff20126428eca5bb8d38c46e2f03c8f
 SHA512:
-  metadata.gz: 1fea0f03bbacd8fb012a6bf31da93646da57e8f007738126e05979b451438d1ecf3bceeaf6b026f9e55b03d26dfb0972f687b779f172a9d2dfb85c31565620ea
-  data.tar.gz: 3940cddcdb5019cf8627aa6e2e87b6f08ccd58e1614b32f3e579192d63655951fff0fc6fbbb32580ae37b477a31ff27af2537be8b5da509af9d216272c4cb245
+  metadata.gz: 6f23cc0ccd829b67591f41c159a9f2d94fdd2d6ebcf4d7376f8f31a4dc113f1a9bcc35b39a23a94a2aa41574566639c35b29e0e2ac6e2c94ce4acb4fadb0a3d2
+  data.tar.gz: c5e24ae86808fcba4a384b99a8aea43c18345091ffa1f6f1ccce41854ff8c71745fc78c3c995f5c18d1606972d3607b432c6522b1b847cea5e33aa33ccd3f93a

data/helpers/go.mod

@@ -2,8 +2,4 @@ module github.com/dependabot/dependabot-core/go_modules/helpers
 
 go 1.16
 
-require (
-	github.com/Masterminds/vcs v1.13.1
-	github.com/dependabot/gomodules-extracted v1.4.2
-	golang.org/x/mod v0.5.1
-)
+require github.com/Masterminds/vcs v1.13.1

data/helpers/go.sum

@@ -1,20 +1,2 @@
 github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
 github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
-github.com/dependabot/gomodules-extracted v1.4.2 h1:3IxvHARuuSojSNUHguc6kzWgs+uQN3fdRCowJMU1kDE=
-github.com/dependabot/gomodules-extracted v1.4.2/go.mod h1:cpzrmDX1COyhSDQXHfkRMw0STb0vmguBFqmrkr51h1I=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
-golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e h1:aZzprAO9/8oim3qStq3wc1Xuxx4QmAGriC4VU4ojemQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

data/helpers/main.go

@@ -7,7 +7,6 @@ import (
 	"os"
 
 	"github.com/dependabot/dependabot-core/go_modules/helpers/importresolver"
-	"github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker"
 )
 
 type HelperParams struct {
@@ -32,10 +31,6 @@ func main() {
 		funcErr error
 	)
 	switch helperParams.Function {
-	case "getVersions":
-		var args updatechecker.Args
-		parseArgs(helperParams.Args, &args)
-		funcOut, funcErr = updatechecker.GetVersions(&args)
 	case "getVcsRemoteForImport":
 		var args importresolver.Args
 		parseArgs(helperParams.Args, &args)

data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb

@@ -20,9 +20,11 @@ module Dependabot
           /404 Not Found/,
           /Repository not found/,
           /unrecognized import path/,
+          /malformed module path/,
           # (Private) module could not be fetched
           /module .*: git ls-remote .*: exit status 128/m.freeze
         ].freeze
+        INVALID_VERSION_REGEX = /version "[^"]+" invalid/m.freeze
         PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
 
         def initialize(dependency:, dependency_files:, credentials:,
@@ -73,23 +75,22 @@ module Dependabot
         def available_versions
           SharedHelpers.in_a_temporary_directory do
             SharedHelpers.with_git_configured(credentials: credentials) do
-              File.write("go.mod", go_mod.content)
+              manifest = parse_manifest
+
+              # Set up an empty go.mod so 'go list -m' won't attempt to download dependencies. This
+              # appears to be a side effect of operating with GOPRIVATE=*. We'll retain any exclude
+              # directives to omit those versions.
+              File.write("go.mod", "module dummy\n")
+              manifest["Exclude"]&.each do |r|
+                SharedHelpers.run_shell_command("go mod edit -exclude=#{r['Path']}@#{r['Version']}")
+              end
 
               # Turn off the module proxy for now, as it's causing issues with
               # private git dependencies
               env = { "GOPRIVATE" => "*" }
 
-              version_strings = SharedHelpers.run_helper_subprocess(
-                command: NativeHelpers.helper_path,
-                env: env,
-                function: "getVersions",
-                args: {
-                  dependency: {
-                    name: dependency.name,
-                    version: "v" + dependency.version
-                  }
-                }
-              )
+              versions_json = SharedHelpers.run_shell_command("go list -m -versions -json #{dependency.name}", env: env)
+              version_strings = JSON.parse(versions_json)["Versions"]
 
               return [version_class.new(dependency.version)] if version_strings.nil?
 
@@ -108,6 +109,8 @@ module Dependabot
         def handle_subprocess_error(error)
           if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
             ResolvabilityErrors.handle(error.message, credentials: credentials)
+          elsif INVALID_VERSION_REGEX =~ error.message
+            raise Dependabot::DependencyFileNotResolvable, error.message
           end
 
           raise
@@ -123,6 +126,15 @@ module Dependabot
           @go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
         end
 
+        def parse_manifest
+          SharedHelpers.in_a_temporary_directory do
+            File.write("go.mod", go_mod.content)
+            json = SharedHelpers.run_shell_command("go mod edit -json")
+
+            JSON.parse(json) || {}
+          end
+        end
+
         def filter_prerelease_versions(versions_array)
           return versions_array if wants_prerelease?
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.168.0
+  version: 0.169.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.168.0
+        version: 0.169.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.168.0
+        version: 0.169.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -191,7 +191,6 @@ files:
 - helpers/go.sum
 - helpers/importresolver/main.go
 - helpers/main.go
-- helpers/updatechecker/main.go
 - lib/dependabot/go_modules.rb
 - lib/dependabot/go_modules/file_fetcher.rb
 - lib/dependabot/go_modules/file_parser.rb

data/helpers/updatechecker/main.go

@@ -1,93 +0,0 @@
-package updatechecker
-
-import (
-	"context"
-	"errors"
-	"io/ioutil"
-
-	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfetch"
-	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modload"
-	"golang.org/x/mod/modfile"
-	"golang.org/x/mod/semver"
-)
-
-type Dependency struct {
-	Name    string `json:"name"`
-	Version string `json:"version"`
-}
-
-type Args struct {
-	Dependency *Dependency `json:"dependency"`
-}
-
-// GetVersions returns a list of versions for the given dependency that
-// are within the same major version.
-func GetVersions(args *Args) (interface{}, error) {
-	if args.Dependency == nil {
-		return nil, errors.New("Expected args.dependency to not be nil")
-	}
-
-	currentVersion := args.Dependency.Version
-
-	modload.DisallowWriteGoMod()
-	_ = modload.LoadModFile(context.Background())
-
-	repo := modfetch.Lookup("direct", args.Dependency.Name)
-	versions, err := repo.Versions("")
-	if err != nil {
-		return nil, err
-	}
-
-	excludes, err := goModExcludes(args.Dependency.Name)
-	if err != nil {
-		return nil, err
-	}
-
-	currentMajor := semver.Major(currentVersion)
-
-	var candidateVersions []string
-
-Outer:
-	for _, v := range versions {
-		if semver.Major(v) != currentMajor {
-			continue
-		}
-
-		for _, exclude := range excludes {
-			if v == exclude {
-				continue Outer
-			}
-		}
-
-		candidateVersions = append(candidateVersions, v)
-	}
-
-	return candidateVersions, nil
-}
-
-func goModExcludes(dependency string) ([]string, error) {
-	data, err := ioutil.ReadFile("go.mod")
-	if err != nil {
-		return nil, err
-	}
-
-	var f *modfile.File
-	// TODO library detection - don't consider exclude etc for libraries
-	if "library" == "true" {
-		f, err = modfile.ParseLax("go.mod", data, nil)
-	} else {
-		f, err = modfile.Parse("go.mod", data, nil)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	var excludes []string
-	for _, e := range f.Exclude {
-		if e.Mod.Path == dependency {
-			excludes = append(excludes, e.Mod.Version)
-		}
-	}
-
-	return excludes, nil
-}