dependabot-nuget 0.165.0 → 0.168.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ccc1d32bb0cdcba1e74f0418107007625bc3943f11fa6833ad438ab4d998674
-  data.tar.gz: b171c5f4de467e8d2f77c84aac9bb6e68489fb63207df1ac52faf4d0fccbdedb
+  metadata.gz: 8d1b0b5a09504aa57e374c1d00c2ffb4a05c1ea5fd71aa615dfec6571703f548
+  data.tar.gz: 2e78701dd574cff32135556ad4458d5fb9a7a8775bff9e65d6d3ea1627763fb2
 SHA512:
-  metadata.gz: 466d2aa9ee10ec1c4e9763357d7f2f4242b75317455fe0c4e36d8551a5c11faefff293796673cabd30512442ed00b7fa08ca0664d4ede23b0916f806ec7cd7a5
-  data.tar.gz: 228d1c6bd07cc24d98335cef129f1b68e7dc2c1880162439fa25a28236621e0bcb97be5f1ffe53a520712f4219cb6965ffd1d7133c3e31a259354073818f588e
+  metadata.gz: c6f478e817c4cff02f20da4f5bb7bf050c9443889a514e6ca9a05272ac686b1f5d4603939ae8f454d2079ea76fa34dc4f50c322ccab37850badcea6c660b6f3a
+  data.tar.gz: f0f15fef9443e7191e29e6b8a1c2d6a00ee4e3117ac55d7cafb49460f4d42ed3e1885a53e3b1596d50361182ebcc29bc49e663a9966793c7381827d8a83a9ec8

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -20,6 +20,7 @@ module Dependabot
                               "ItemGroup > Dependency, "\
                               "ItemGroup > DevelopmentDependency"
 
+        PROJECT_SDK_REGEX   = %r{^([^/]+)/(\d+(?:[.]\d+(?:[.]\d+)?)?(?:[+-].*)?)$}.freeze
         PROPERTY_REGEX      = /\$\((?<property>.*?)\)/.freeze
         ITEM_REGEX          = /\@\((?<property>.*?)\)/.freeze
 
@@ -32,16 +33,19 @@ module Dependabot
 
           doc = Nokogiri::XML(project_file.content)
           doc.remove_namespaces!
+          # Look for regular package references
           doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
             name = dependency_name(dependency_node, project_file)
             req = dependency_requirement(dependency_node, project_file)
             version = dependency_version(dependency_node, project_file)
             prop_name = req_property_name(dependency_node)
 
-            dependency =
-              build_dependency(name, req, version, prop_name, project_file)
+            dependency = build_dependency(name, req, version, prop_name, project_file)
             dependency_set << dependency if dependency
           end
+          # Look for SDK references; see:
+          # https://docs.microsoft.com/en-us/visualstudio/msbuild/how-to-use-project-sdk
+          add_sdk_references(doc, dependency_set, project_file)
 
           dependency_set
         end
@@ -50,6 +54,61 @@ module Dependabot
 
         attr_reader :dependency_files
 
+        def add_sdk_references(doc, dependency_set, project_file)
+          # These come in 3 flavours:
+          # - <Project Sdk="Name/Version">
+          # - <Sdk Name="Name" Version="Version" />
+          # - <Import Project="..." Sdk="Name" Version="Version" />
+          # None of these support the use of properties, nor do they allow child
+          # elements instead of attributes.
+          add_sdk_refs_from_project(doc, dependency_set, project_file)
+          add_sdk_refs_from_sdk_tags(doc, dependency_set, project_file)
+          add_sdk_refs_from_import_tags(doc, dependency_set, project_file)
+        end
+
+        def add_sdk_ref_from_project(sdk_references, dependency_set, project_file)
+          sdk_references.split(";")&.each do |sdk_reference|
+            m = sdk_reference.match(PROJECT_SDK_REGEX)
+            if m
+              dependency = build_dependency(m[1], m[2], m[2], nil, project_file)
+              dependency_set << dependency if dependency
+            end
+          end
+        end
+
+        def add_sdk_refs_from_import_tags(doc, dependency_set, project_file)
+          doc.xpath("/Project/Import").each do |import_node|
+            next unless import_node.attribute("Sdk") && import_node.attribute("Version")
+
+            name = import_node.attribute("Sdk")&.value&.strip
+            version = import_node.attribute("Version")&.value&.strip
+
+            dependency = build_dependency(name, version, version, nil, project_file)
+            dependency_set << dependency if dependency
+          end
+        end
+
+        def add_sdk_refs_from_project(doc, dependency_set, project_file)
+          doc.xpath("/Project").each do |project_node|
+            sdk_references = project_node.attribute("Sdk")&.value&.strip
+            next unless sdk_references
+
+            add_sdk_ref_from_project(sdk_references, dependency_set, project_file)
+          end
+        end
+
+        def add_sdk_refs_from_sdk_tags(doc, dependency_set, project_file)
+          doc.xpath("/Project/Sdk").each do |sdk_node|
+            next unless sdk_node.attribute("Version")
+
+            name = sdk_node.attribute("Name")&.value&.strip
+            version = sdk_node.attribute("Version")&.value&.strip
+
+            dependency = build_dependency(name, version, version, nil, project_file)
+            dependency_set << dependency if dependency
+          end
+        end
+
         def build_dependency(name, req, version, prop_name, project_file)
           return unless name
 

data/lib/dependabot/nuget/file_updater/project_file_declaration_finder.rb

@@ -20,6 +20,17 @@ module Dependabot
             <DevelopmentDependency [^>]*?/>|
             <DevelopmentDependency [^>]*?[^/]>.*?</DevelopmentDependency>
           }mx.freeze
+        SDK_IMPORT_REGEX =
+          / <Import [^>]*?Sdk="[^"]*?"[^>]*?Version="[^"]*?"[^>]*?>
+          | <Import [^>]*?Version="[^"]*?"[^>]*?Sdk="[^"]*?"[^>]*?>
+          /mx.freeze
+        SDK_PROJECT_REGEX =
+          / <Project [^>]*?Sdk="[^"]*?"[^>]*?>
+          /mx.freeze
+        SDK_SDK_REGEX =
+          / <Sdk [^>]*?Name="[^"]*?"[^>]*?Version="[^"]*?"[^>]*?>
+          | <Sdk [^>]*?Version="[^"]*?"[^>]*?Name="[^"]*?"[^>]*?>
+          /mx.freeze
 
         attr_reader :dependency_name, :declaring_requirement,
                     :dependency_files
@@ -33,6 +44,7 @@ module Dependabot
 
         def declaration_strings
           @declaration_strings ||= fetch_declaration_strings
+          @declaration_strings += fetch_sdk_strings
         end
 
         def declaration_nodes
@@ -72,6 +84,10 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
         # rubocop:enable Metrics/CyclomaticComplexity
 
+        def fetch_sdk_strings
+          sdk_project_strings + sdk_sdk_strings + sdk_import_strings
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def get_node_version_value(node)
           attribute = "Version"
@@ -95,6 +111,71 @@ module Dependabot
 
           raise "No file found with name #{filename}!"
         end
+
+        def sdk_import_strings
+          sdk_strings(SDK_IMPORT_REGEX, "Import", "Sdk", "Version")
+        end
+
+        def parse_element(string, name)
+          xml = string
+          xml += "</#{name}>" unless string.end_with?("/>")
+          node = Nokogiri::XML(xml)
+          node.remove_namespaces!
+          node.at_xpath("/#{name}")
+        end
+
+        def get_attribute_value_nocase(element, name)
+          value = element.attribute(name)&.value ||
+                  element.attribute(name.downcase)&.value ||
+                  element.attribute(name.upcase)&.value
+          value&.strip
+        end
+
+        def desired_sdk_reference?(sdk_reference, dep_name, dep_version)
+          parts = sdk_reference.split("/")
+          parts.length == 2 && parts[0]&.downcase == dep_name && parts[1] == dep_version
+        end
+
+        def sdk_project_strings
+          dep_name = dependency_name&.downcase
+          dep_version = declaring_requirement.fetch(:requirement)
+          strings = []
+          declaring_file.content.scan(SDK_PROJECT_REGEX).each do |string|
+            element = parse_element(string, "Project")
+            next unless element
+
+            sdk_references = get_attribute_value_nocase(element, "Sdk")
+            next unless sdk_references&.include?("/")
+
+            sdk_references.split(";").each do |sdk_reference|
+              strings << sdk_reference if desired_sdk_reference?(sdk_reference, dep_name, dep_version)
+            end
+          end
+          strings.uniq
+        end
+
+        def sdk_sdk_strings
+          sdk_strings(SDK_SDK_REGEX, "Sdk", "Name", "Version")
+        end
+
+        def sdk_strings(regex, element_name, name_attribute, version_attribute)
+          dep_name = dependency_name&.downcase
+          dep_version = declaring_requirement.fetch(:requirement)
+          strings = []
+          declaring_file.content.scan(regex).each do |string|
+            element = parse_element(string, element_name)
+            next unless element
+
+            node_name = get_attribute_value_nocase(element, name_attribute)&.downcase
+            next unless node_name == dep_name
+
+            node_version = get_attribute_value_nocase(element, version_attribute)
+            next unless node_version == dep_version
+
+            strings << string
+          end
+          strings
+        end
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.165.0
+  version: 0.168.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-08 00:00:00.000000000 Z
+date: 2021-11-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.165.0
+        version: 0.168.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.165.0
+        version: 0.168.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement