dependabot-go_modules 0.87.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: bb5f0e8824ed0a3c60ce0cfc69bddb79e1d3d543df45e7e5682a56162a4890b2
+  data.tar.gz: a4b0207e8c5c10f44897928e6f7c8710d941ef80b76209d923c9c2bf1a0379ed
+SHA512:
+  metadata.gz: d3da4238b2bf752585fa3e892a48a88e5edc9c76b1ea9de1dff18a68be9a839f0664ae8602414e718d7f5d9726fb91ba4ae11b3a74b1bf57d4b7499442805ae4
+  data.tar.gz: 655b4ab4aaf213cafd84a88f956a029c6d28c088dc465b831a1f914e558fc98155fca27b566fea380ae5ec850e66497a445849d754ffeb11f1f38697f8288c67

data/helpers/Makefile

@@ -0,0 +1,9 @@
+.PHONY = all
+
+all: darwin linux
+
+darwin:
+	GO111MODULE=on GOOS=darwin GOARCH=amd64 go build -o go-helpers.darwin64 .
+
+linux:
+	GO111MODULE=on GOOS=linux GOARCH=amd64  go build -o go-helpers.linux64 .

data/helpers/build

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+install_dir=$1
+if [ -z "$install_dir" ]; then
+  echo "usage: $0 INSTALL_DIR"
+  exit 1
+fi
+
+if ! [[ "$install_dir" =~ ^/ ]]; then
+  echo "$install_dir must be an absolute path"
+  exit 1
+fi
+
+if [ ! -d "$install_dir/bin" ]; then
+  mkdir -p "$install_dir/bin"
+fi
+
+helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
+cd $helpers_dir
+
+os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+echo "building $install_dir/bin/helper"
+
+GO111MODULE=on GOOS="$os" GOARCH=amd64 go build -o "$install_dir/bin/helper" .

data/helpers/go.mod

@@ -0,0 +1,13 @@
+module github.com/dependabot/dependabot-core/go_modules/helpers
+
+require (
+	github.com/Masterminds/vcs v1.12.0
+	github.com/dependabot/dependabot-core/go_modules/helpers/updater v0.0.0
+	github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3
+)
+
+replace github.com/dependabot/dependabot-core/go_modules/helpers/importresolver => ./importresolver
+
+replace github.com/dependabot/dependabot-core/go_modules/helpers/updater => ./updater
+
+replace github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker => ./updatechecker

data/helpers/go.sum

@@ -0,0 +1,6 @@
+github.com/Masterminds/vcs v1.12.0 h1:bt9Hb4XlfmEfLnVA0MVz2NO0GFuMN5vX8iOWW38Xde4=
+github.com/Masterminds/vcs v1.12.0/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
+github.com/dependabot/dependabot-core v0.74.6 h1:SB2Oyie+Ex9ARXLHbFrnoQSWSixAG4ORHA+s6YEvVag=
+github.com/dependabot/dependabot-core v0.79.4 h1:d3/V6TTj+58ULw6824RK2zR+esZQw3bU/vRkCtCh4JU=
+github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3 h1:Xj2leY0FVyZuo+p59vkIWG3dIqo+QtjskT5O1iTiywA=
+github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3/go.mod h1:+dRXSrUymjpT4yzKtn1QmeknT1S/yAHRr35en18dHp8=

data/helpers/importresolver/main.go

@@ -0,0 +1,34 @@
+package importresolver
+
+import (
+	"io/ioutil"
+	"strings"
+
+	"github.com/Masterminds/vcs"
+)
+
+type Args struct {
+	Import string
+}
+
+func VCSRemoteForImport(args *Args) (interface{}, error) {
+	remote := args.Import
+	scheme := strings.Split(remote, ":")[0]
+	switch scheme {
+	case "http", "https":
+	default:
+		remote = "https://" + remote
+	}
+
+	local, err := ioutil.TempDir("", "unused-vcs-local-dir")
+	if err != nil {
+		return nil, err
+	}
+
+	repo, err := vcs.NewRepo(remote, local)
+	if err != nil {
+		return nil, err
+	}
+
+	return repo.Remote(), nil
+}

data/helpers/main.go

@@ -0,0 +1,77 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/dependabot/dependabot-core/go_modules/helpers/importresolver"
+	"github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker"
+	"github.com/dependabot/dependabot-core/go_modules/helpers/updater"
+)
+
+type HelperParams struct {
+	Function string          `json:"function"`
+	Args     json.RawMessage `json:"args"`
+}
+
+type Output struct {
+	Error  string      `json:"error,omitempty"`
+	Result interface{} `json:"result,omitempty"`
+}
+
+func main() {
+	d := json.NewDecoder(os.Stdin)
+	helperParams := &HelperParams{}
+	if err := d.Decode(helperParams); err != nil {
+		abort(err)
+	}
+
+	var (
+		funcOut interface{}
+		funcErr error
+	)
+	switch helperParams.Function {
+	case "getUpdatedVersion":
+		var args updatechecker.Args
+		parseArgs(helperParams.Args, &args)
+		funcOut, funcErr = updatechecker.GetUpdatedVersion(&args)
+	case "updateDependencyFile":
+		var args updater.Args
+		parseArgs(helperParams.Args, &args)
+		funcOut, funcErr = updater.UpdateDependencyFile(&args)
+	case "getVcsRemoteForImport":
+		var args importresolver.Args
+		parseArgs(helperParams.Args, &args)
+		funcOut, funcErr = importresolver.VCSRemoteForImport(&args)
+	default:
+		abort(fmt.Errorf("Unrecognised function '%s'", helperParams.Function))
+	}
+
+	if funcErr != nil {
+		abort(funcErr)
+	}
+
+	output(&Output{Result: funcOut})
+}
+
+func parseArgs(data []byte, args interface{}) {
+	if err := json.Unmarshal(data, args); err != nil {
+		abort(err)
+	}
+}
+
+func output(o *Output) {
+	bytes, jsonErr := json.Marshal(o)
+	if jsonErr != nil {
+		log.Fatal(jsonErr)
+	}
+
+	os.Stdout.Write(bytes)
+}
+
+func abort(err error) {
+	output(&Output{Error: err.Error()})
+	os.Exit(1)
+}

data/helpers/updatechecker/main.go

@@ -0,0 +1,107 @@
+package updatechecker
+
+import (
+	"errors"
+	"io/ioutil"
+
+	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfetch"
+	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfile"
+	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modload"
+	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/semver"
+)
+
+type Dependency struct {
+	Name     string `json:"name"`
+	Version  string `json:"version"`
+	Indirect bool   `json:"indirect"`
+}
+
+type IgnoreRange struct {
+	MinVersionInclusive string `json:"min_version_inclusive"`
+	MaxVersionExclusive string `json:"max_version_exclusive"`
+}
+
+type Args struct {
+	Dependency   *Dependency    `json:"dependency"`
+	IgnoreRanges []*IgnoreRange `json:"ignore_ranges"`
+}
+
+func GetUpdatedVersion(args *Args) (interface{}, error) {
+	if args.Dependency == nil {
+		return nil, errors.New("Expected args.dependency to not be nil")
+	}
+
+	modload.InitMod()
+
+	repo, err := modfetch.Lookup(args.Dependency.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	versions, err := repo.Versions("")
+	if err != nil {
+		return nil, err
+	}
+
+	excludes, err := goModExcludes(args.Dependency.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	currentVersion := args.Dependency.Version
+	currentMajor := semver.Major(currentVersion)
+	currentPrerelease := semver.Prerelease(currentVersion)
+	latestVersion := args.Dependency.Version
+
+Outer:
+	for _, v := range versions {
+		if semver.Major(v) != currentMajor {
+			continue
+		}
+
+		if semver.Compare(v, latestVersion) < 1 {
+			continue
+		}
+
+		if currentPrerelease == "" && semver.Prerelease(v) != "" {
+			continue
+		}
+
+		for _, exclude := range excludes {
+			if v == exclude {
+				continue Outer
+			}
+		}
+
+		latestVersion = v
+	}
+
+	return latestVersion, nil
+}
+
+func goModExcludes(dependency string) ([]string, error) {
+	data, err := ioutil.ReadFile("go.mod")
+	if err != nil {
+		return nil, err
+	}
+
+	var f *modfile.File
+	// TODO library detection - don't consider exclude etc for libraries
+	if "library" == "true" {
+		f, err = modfile.ParseLax("go.mod", data, nil)
+	} else {
+		f, err = modfile.Parse("go.mod", data, nil)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	var excludes []string
+	for _, e := range f.Exclude {
+		if e.Mod.Path == dependency {
+			excludes = append(excludes, e.Mod.Version)
+		}
+	}
+
+	return excludes, nil
+}

data/helpers/updater/go.mod

@@ -0,0 +1,3 @@
+module github.com/dependabot/dependabot-core/helpers/go/updater
+
+require github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3

data/helpers/updater/go.sum

@@ -0,0 +1,2 @@
+github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3 h1:Xj2leY0FVyZuo+p59vkIWG3dIqo+QtjskT5O1iTiywA=
+github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3/go.mod h1:+dRXSrUymjpT4yzKtn1QmeknT1S/yAHRr35en18dHp8=

data/helpers/updater/helpers.go

@@ -0,0 +1,57 @@
+package updater
+
+import (
+	"strings"
+
+	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfile"
+)
+
+// Private methods lifted from the `modfile` package
+
+// setIndirect sets line to have (or not have) a "// indirect" comment.
+func setIndirect(line *modfile.Line, indirect bool) {
+	if isIndirect(line) == indirect {
+		return
+	}
+	if indirect {
+		// Adding comment.
+		if len(line.Suffix) == 0 {
+			// New comment.
+			line.Suffix = []modfile.Comment{{Token: "// indirect", Suffix: true}}
+			return
+		}
+		// Insert at beginning of existing comment.
+		com := &line.Suffix[0]
+		space := " "
+		if len(com.Token) > 2 && com.Token[2] == ' ' || com.Token[2] == '\t' {
+			space = ""
+		}
+		com.Token = "// indirect;" + space + com.Token[2:]
+		return
+	}
+
+	// Removing comment.
+	f := strings.Fields(line.Suffix[0].Token)
+	if len(f) == 2 {
+		// Remove whole comment.
+		line.Suffix = nil
+		return
+	}
+
+	// Remove comment prefix.
+	com := &line.Suffix[0]
+	i := strings.Index(com.Token, "indirect;")
+	com.Token = "//" + com.Token[i+len("indirect;"):]
+}
+
+// isIndirect reports whether line has a "// indirect" comment,
+// meaning it is in go.mod only for its effect on indirect dependencies,
+// so that it can be dropped entirely once the effective version of the
+// indirect dependency reaches the given minimum version.
+func isIndirect(line *modfile.Line) bool {
+	if len(line.Suffix) == 0 {
+		return false
+	}
+	f := strings.Fields(line.Suffix[0].Token)
+	return (len(f) == 2 && f[1] == "indirect" || len(f) > 2 && f[1] == "indirect;") && f[0] == "//"
+}

data/helpers/updater/main.go

@@ -0,0 +1,48 @@
+package updater
+
+import (
+	"io/ioutil"
+
+	"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfile"
+)
+
+type Dependency struct {
+	Name     string `json:"name"`
+	Version  string `json:"version"`
+	Indirect bool   `json:"indirect"`
+}
+
+type Args struct {
+	Dependencies []Dependency `json:"dependencies"`
+}
+
+func UpdateDependencyFile(args *Args) (interface{}, error) {
+	data, err := ioutil.ReadFile("go.mod")
+	if err != nil {
+		return nil, err
+	}
+
+	f, err := modfile.Parse("go.mod", data, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, dep := range args.Dependencies {
+		f.AddRequire(dep.Name, dep.Version)
+	}
+
+	for _, r := range f.Require {
+		for _, dep := range args.Dependencies {
+			if r.Mod.Path == dep.Name {
+				setIndirect(r.Syntax, dep.Indirect)
+			}
+		}
+	}
+
+	f.SortBlocks()
+	f.Cleanup()
+
+	newModFile, _ := f.Format()
+
+	return string(newModFile), nil
+}

data/lib/dependabot/go_modules.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/go_modules/file_fetcher"
+require "dependabot/go_modules/file_parser"
+require "dependabot/go_modules/update_checker"
+require "dependabot/go_modules/file_updater"
+require "dependabot/go_modules/metadata_finder"
+require "dependabot/go_modules/requirement"
+require "dependabot/go_modules/version"

data/lib/dependabot/go_modules/file_fetcher.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module GoModules
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        filenames.include?("go.mod")
+      end
+
+      def self.required_files_message
+        "Repo must contain a go.mod."
+      end
+
+      private
+
+      def fetch_files
+        unless go_mod
+          raise(
+            Dependabot::DependencyFileNotFound,
+            File.join(directory, "go.mod")
+          )
+        end
+
+        fetched_files = [go_mod]
+
+        # Fetch the (optional) go.sum
+        fetched_files << go_sum if go_sum
+
+        # Fetch the main.go file if present, as this will later identify
+        # this repo as an app.
+        fetched_files << main if main
+
+        fetched_files
+      end
+
+      def go_mod
+        @go_mod ||= fetch_file_if_present("go.mod")
+      end
+
+      def go_sum
+        @go_sum ||= fetch_file_if_present("go.sum")
+      end
+
+      def main
+        return @main if @main
+
+        go_files = repo_contents.select { |f| f.name.end_with?(".go") }
+
+        go_files.each do |go_file|
+          file = fetch_file_from_host(go_file.name, type: "package_main")
+          next unless file.content.match?(/\s*package\s+main/)
+
+          return @main = file.tap { |f| f.support_file = true }
+        end
+
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.
+  register("go_modules", Dependabot::GoModules::FileFetcher)