dependabot-go_modules 0.362.0 → 0.363.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e4a9975da382d57158ea52ad6a4d47299daa3f2e99f7133f68923563ca14c42
-  data.tar.gz: 9b1f7a4d3bc51dfbf2b4a8c3f42d90ea833ffe787ba336d3014da205507f19cf
+  metadata.gz: 5965746c422a57549c538c2b97ce0a49b8d2d48f909a702bc0ae1c3eb8d703be
+  data.tar.gz: dac70528a9b16c8fc626876f8d624b0b83415aa55183437a37524a9796be90d1
 SHA512:
-  metadata.gz: fd095f5658455e70a0651ced2d747f0332e545ceb007e5158058e713bf89ceea86fb2a396fdc73dd058ec0534aa087dfe0052a3f34bc9ac3ba87ad8f8d257b23
-  data.tar.gz: fe1970687918ba78de5b069a52e2273fdbf96dbfa91049b3be3e5e216ddd8ee51993421df887137fed648a64d4d6c554a930882dc78f1af9fbafa7beda501674
+  metadata.gz: fe95cd8a7772a0129b312a38470f8460dad450e019c7cd5364c577aab9b4d13d8850d9f68504b1fe24b5b599735857cbf25f6fc93936d62edc126bcac4b27bab
+  data.tar.gz: ef222139597a40135a9e6bf7d29c7717d1a2a868e0f49592364d2ae89a245de87a47206a20ebee567c5cdeb220536b824362d01c8e0ff64c1a4f64fda295b614

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -57,6 +57,8 @@ module Dependabot
             /go(?: get)?: .*: unknown revision/m,
             # Package pointing to a proxy that 404s
             /go(?: get)?: .*: unrecognized import path/m,
+            # Private repository cannot be fetched over a secure protocol
+            Dependabot::GoModules::ResolvabilityErrors::INSECURE_PROTOCOL_REPOSITORY_REGEX,
             # Package not being referenced correctly
             /go:.*imports.*package.+is not in std/m,
             # Invalid version due to missing go.mod files at specified revision
@@ -94,12 +96,22 @@ module Dependabot
           T::Array[Regexp]
         )
 
+        PATH_DEPENDENCY_ERROR_REGEXES = T.let(
+          [
+            /replaced by (?<path>[^)\s]+)\): reading .*go\.mod: open .*: no such file or directory/
+          ].freeze,
+          T::Array[Regexp]
+        )
+
         GO_LANG = "Go"
 
         AMBIGUOUS_ERROR_MESSAGE = /ambiguous import: found package (?<package>.*) in multiple modules/
 
         GO_VERSION_MISMATCH = /requires go (?<current_ver>.*) .*running go (?<req_ver>.*);/
 
+        GITHUB_403_REGEX =
+          %r{https://github\.com/(?<repo>[^/'\s]+/[^/'\s]+)/?': The requested URL returned error: 403}
+
         GO_MOD_VERSION = /^go 1\.\d+(\.\d+)?$/
 
         sig do
@@ -326,11 +338,8 @@ module Dependabot
         def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
           stderr = stderr.gsub(Dir.getwd, "")
 
-          go_mod_parse_error_regex = GO_MOD_PARSE_ERROR_REGEXES.find { |r| stderr =~ r }
-          if go_mod_parse_error_regex
-            error_message = filter_error_message(message: stderr, regex: go_mod_parse_error_regex)
-            raise Dependabot::DependencyFileNotParseable.new(go_mod_path, error_message)
-          end
+          raise_for_go_mod_parse_error(stderr)
+          raise_for_path_dependency_error(stderr)
 
           # Package version doesn't match the module major version
           error_regex = RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
@@ -343,8 +352,12 @@ module Dependabot
             raise Dependabot::PrivateSourceAuthenticationFailure, matches[:url]
           end
 
+          if github_credentials_configured? && (matches = stderr.match(GITHUB_403_REGEX))
+            raise Dependabot::PrivateSourceAuthenticationFailure, "https://github.com/#{matches[:repo]}"
+          end
+
           repo_error_regex = REPO_RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
-          ResolvabilityErrors.handle(stderr) if repo_error_regex
+          Dependabot::GoModules::ResolvabilityErrors.handle(stderr) if repo_error_regex
 
           path_regex = MODULE_PATH_MISMATCH_REGEXES.find { |r| stderr =~ r }
           if path_regex
@@ -387,6 +400,44 @@ module Dependabot
           message.match(regex).to_s
         end
 
+        sig { params(message: String).returns(T.nilable(String)) }
+        def extract_replacement_path(message)
+          PATH_DEPENDENCY_ERROR_REGEXES.each do |regex|
+            match = regex.match(message)
+            return match[:path] if match
+          end
+
+          nil
+        end
+
+        sig { returns(T::Boolean) }
+        def github_credentials_configured?
+          credentials.any? do |credential|
+            credential["type"] == "git_source" && credential["host"] == "github.com"
+          end
+        end
+
+        sig { params(stderr: String).void }
+        def raise_for_go_mod_parse_error(stderr)
+          go_mod_parse_error_regex = GO_MOD_PARSE_ERROR_REGEXES.find { |r| stderr =~ r }
+          return unless go_mod_parse_error_regex
+
+          error_message = filter_error_message(message: stderr, regex: go_mod_parse_error_regex)
+          raise Dependabot::DependencyFileNotParseable.new(go_mod_path, error_message)
+        end
+
+        sig { params(stderr: String).void }
+        def raise_for_path_dependency_error(stderr)
+          path_error_regex = PATH_DEPENDENCY_ERROR_REGEXES.find { |r| stderr =~ r }
+          return unless path_error_regex
+
+          dependency_path = extract_replacement_path(stderr)
+          raise Dependabot::PathDependenciesNotReachable, [dependency_path] if dependency_path
+
+          error_message = filter_error_message(message: stderr, regex: path_error_regex)
+          raise Dependabot::DependencyFileNotResolvable, error_message
+        end
+
         sig { returns(String) }
         def go_mod_path
           return "go.mod" if directory == "/"

data/lib/dependabot/go_modules/file_updater.rb

@@ -56,7 +56,7 @@ module Dependabot
 
           vendor_updater.updated_files(base_directory: T.must(directory))
                         .each do |file|
-            updated_files << file
+                          updated_files << file
           end
         end
 

data/lib/dependabot/go_modules/requirement.rb

@@ -110,14 +110,14 @@ module Dependabot
 
         req_string.split(".")
                   .map do |part|
-          part.split("-").map.with_index do |p, i|
-            # Before we hit a wildcard we just return the existing part
-            next p unless p.match?(WILDCARD_REGEX) || after_wildcard
-
-            # On or after a wildcard we replace the version part with zero
-            after_wildcard = true
-            i.zero? ? "0" : "a"
-          end.join("-")
+                    part.split("-").map.with_index do |p, i|
+                      # Before we hit a wildcard we just return the existing part
+                      next p unless p.match?(WILDCARD_REGEX) || after_wildcard
+
+                      # On or after a wildcard we replace the version part with zero
+                      after_wildcard = true
+                      i.zero? ? "0" : "a"
+                    end.join("-")
         end.join(".")
       end
 

data/lib/dependabot/go_modules/resolvability_errors.rb

@@ -8,27 +8,41 @@ module Dependabot
     module ResolvabilityErrors
       extend T::Sig
 
-      GITHUB_REPO_REGEX = %r{github.com/[^:@ ]*}
+      GITHUB_REPO_REGEX = T.let(%r{github.com/[^:@ '\n]*}, Regexp)
+      INSECURE_PROTOCOL_REPOSITORY_REGEX = T.let(
+        /go(?: get)?: .*: no secure protocol found for repository/m,
+        Regexp
+      )
+      GO_MODULE_WITH_VERSION_REGEX = T.let(/go(?: get)?:\s*(?<module>[^\s@]+)@/, Regexp)
+      GO_PREFIXED_HOSTED_REPO_REGEX = T.let(
+        %r{(?:^|\n)\s*go(?: get)?:\s*(?<repo>[a-z0-9.-]+\.[a-z]{2,}/[^:@\s]+)(?:[:\s]|$)}i,
+        Regexp
+      )
+      REACHABILITY_CHECK_HINTS = T.let(
+        [
+          /If this is a private repository/i,
+          /Write access to repository not granted/i,
+          /Authentication failed/i
+        ].freeze,
+        T::Array[Regexp]
+      )
 
       sig { params(message: String).void }
       def self.handle(message)
-        mod_path = message.scan(GITHUB_REPO_REGEX).last
-        unless mod_path && message.include?("If this is a private repository")
-          raise Dependabot::DependencyFileNotResolvable, message
+        mod_path = extract_module_path(message)
+
+        if mod_path && insecure_protocol_repo_error?(message)
+          raise Dependabot::GitDependenciesNotReachable, [repo_path_for(mod_path)]
         end
 
-        # Module not found on github.com - query for _any_ version to know if it
-        # doesn't exist (or is private) or we were just given a bad revision by this manifest
+        raise Dependabot::DependencyFileNotResolvable, message unless mod_path && requires_reachability_check?(message)
+
+        # Module not found in the module repository (e.g., GitHub, Gerrit) - query for _any_ version
+        # to know if it doesn't exist (or is private) or we were just given a bad revision by this manifest
         SharedHelpers.in_a_temporary_directory do
           File.write("go.mod", "module dummy\n")
 
-          mod_path = T.cast(mod_path, String)
-          mod_split = mod_path.split("/")
-          repo_path = if mod_split.size > 3
-                        T.must(mod_split[0..2]).join("/")
-                      else
-                        mod_path
-                      end
+          repo_path = repo_path_for(mod_path)
 
           _, _, status = Open3.capture3(SharedHelpers.escape_command("go list -m -versions #{repo_path}"))
           raise Dependabot::DependencyFileNotResolvable, message if status.success?
@@ -36,6 +50,46 @@ module Dependabot
           raise Dependabot::GitDependenciesNotReachable, [repo_path]
         end
       end
+
+      sig { params(message: String).returns(T.nilable(String)) }
+      def self.extract_module_path(message)
+        github_repo_paths = T.let(
+          message.scan(GITHUB_REPO_REGEX).filter_map do |match|
+            next match if match.is_a?(String)
+
+            match.first
+          end,
+          T::Array[String]
+        )
+        return github_repo_paths.last&.delete_suffix("/") if github_repo_paths.any?
+
+        module_with_version_match = message.match(GO_MODULE_WITH_VERSION_REGEX)
+        return module_with_version_match[:module] if module_with_version_match
+
+        hosted_repo_match = message.match(GO_PREFIXED_HOSTED_REPO_REGEX)
+        return hosted_repo_match[:repo] if hosted_repo_match
+
+        nil
+      end
+
+      sig { params(message: String).returns(T::Boolean) }
+      def self.requires_reachability_check?(message)
+        REACHABILITY_CHECK_HINTS.any? { |regex| message.match?(regex) }
+      end
+
+      sig { params(message: String).returns(T::Boolean) }
+      def self.insecure_protocol_repo_error?(message)
+        message.match?(INSECURE_PROTOCOL_REPOSITORY_REGEX)
+      end
+
+      sig { params(mod_path: String).returns(String) }
+      def self.repo_path_for(mod_path)
+        normalized_mod_path = mod_path.delete_suffix("/")
+        mod_split = normalized_mod_path.split("/")
+        return normalized_mod_path unless mod_split.first == "github.com" && mod_split.size > 3
+
+        T.must(mod_split[0..2]).join("/")
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.362.0
+  version: 0.363.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.363.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.362.0
+        version: 0.363.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -85,14 +85,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -273,7 +273,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.362.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.363.0
 rdoc_options: []
 require_paths:
 - lib