dependabot-nuget 0.237.0 → 0.239.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d633bba8c781dee126f8f39e1646bf6fa77624c4154f599c379a7a2597ca2ab5
-  data.tar.gz: 1b6363c64e9ec7d3d9b44d3c5eb62a4065bbfe57da21e48e95a2b45a7ecd7c3e
+  metadata.gz: 2bf5bdfc4f365f5d04c30193e1b44e7a82ddb5816461148e4172cabc1a86bea3
+  data.tar.gz: 0ca7483d0fdc3d3a7dc2af7c8f475e7b02a121d4a8a5c58f495ff857d32c3dad
 SHA512:
-  metadata.gz: fbf7eb348c2a69d39eb4058efa0c68da4bfd8cac52646fa6230ed9dcc4efbe1c5ac216f03d67249b8fc48fe542790cac2e6b360e7725f7d2f8f7edb023d2cb4d
-  data.tar.gz: 9f96e9f0a24581bed453c8c16246d01c5f284e52e1972614be5b0dadea10c8de2351ec06d37c59872066bf07ea0e5605c0549437b53c883d1ebebf9689525ec8
+  metadata.gz: a0bd5448386d99ac0fa6a27ea6f5ec137885cd8a208762602d69284c1cdea6bb9e521a885b9a50cb42eb45b2de9ec760def87940c15023a910f7f9455a612fc9
+  data.tar.gz: 4096cfc58f861ec2f4f5d7a4022fd06f001d0f4421130bf0708e877a93ce2e12e722259d60b29f8303375d2e3cdc5f595e396cb4273d5c1e03a34e23a3a154ec

data/lib/dependabot/nuget/cache_manager.rb

@@ -0,0 +1,22 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "set"
+
+module Dependabot
+  module Nuget
+    class CacheManager
+      def self.caching_disabled?
+        ENV["DEPENDABOT_NUGET_CACHE_DISABLED"] == "true"
+      end
+
+      def self.cache(name)
+        @cache ||= {}
+        @cache[name] ||= {}
+        @cache[name]
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_fetcher/import_paths_finder.rb

@@ -39,6 +39,21 @@ module Dependabot
           nodes.compact
         end
 
+        def project_file_paths
+          doc = Nokogiri::XML(project_file.content)
+          doc.remove_namespaces!
+          nodes = doc.xpath("/Project/ItemGroup/ProjectFile").map do |node|
+            attribute = node.attribute("Include")
+            next unless attribute
+
+            path = attribute.value.strip.tr("\\", "/")
+            path = File.join(current_dir, path) unless current_dir.nil?
+            Pathname.new(path).cleanpath.to_path
+          end
+
+          nodes.compact
+        end
+
         private
 
         attr_reader :project_file

data/lib/dependabot/nuget/file_fetcher.rb

@@ -15,16 +15,19 @@ module Dependabot
       require_relative "file_fetcher/import_paths_finder"
       require_relative "file_fetcher/sln_project_paths_finder"
 
+      BUILD_FILE_NAMES = /^Directory\.Build\.(props|targets)$/i # Directory.Build.props, Directory.Build.targets
+
       def self.required_files_in?(filenames)
         return true if filenames.any? { |f| f.match?(/^packages\.config$/i) }
         return true if filenames.any? { |f| f.end_with?(".sln") }
         return true if filenames.any? { |f| f.match?("^src$") }
+        return true if filenames.any? { |f| f.end_with?(".proj") }
 
         filenames.any? { |name| name.match?(%r{^[^/]*\.[a-z]{2}proj$}) }
       end
 
       def self.required_files_message
-        "Repo must contain a .(cs|vb|fs)proj file or a packages.config."
+        "Repo must contain a .proj file, .(cs|vb|fs)proj file, or a packages.config."
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
@@ -40,7 +43,10 @@ module Dependabot
         fetched_files << dotnet_tools_json if dotnet_tools_json
         fetched_files << packages_props if packages_props
 
-        fetched_files = fetched_files.uniq
+        # dedup files based on their absolute path
+        fetched_files = fetched_files.uniq do |fetched_file|
+          Pathname.new(fetched_file.directory).join(fetched_file.name).cleanpath.to_path
+        end
 
         if project_files.none? && packages_config_files.none?
           raise @missing_sln_project_file_errors.first if @missing_sln_project_file_errors&.any?
@@ -60,12 +66,12 @@ module Dependabot
         @project_files ||=
           begin
             project_files = []
-            project_files << csproj_file if csproj_file
-            project_files << vbproj_file if vbproj_file
-            project_files << fsproj_file if fsproj_file
-            project_files << directory_packages_props_file if directory_packages_props_file
-
+            project_files += csproj_file
+            project_files += vbproj_file
+            project_files += fsproj_file
             project_files += sln_project_files
+            project_files += proj_files
+            project_files += project_files.filter_map { |f| directory_packages_props_file_from_project_file(f) }
             project_files
           end
       rescue Octokit::NotFound, Gitlab::Error::NotFound
@@ -113,49 +119,29 @@ module Dependabot
       end
 
       def fetch_directory_build_files
-        attempted_paths = []
+        attempted_dirs = []
         directory_build_files = []
-
-        # Don't need to insert "." here, because Directory.Build.props files
-        # can only be used by project files (not packages.config ones)
-        project_files.map { |f| File.dirname(f.name) }.uniq.map do |dir|
-          possible_paths = dir.split("/").flat_map.with_index do |_, i|
-            base = dir.split("/").first(i + 1).join("/")
-            possible_build_file_paths(base)
-          end.reverse
-
-          possible_paths += [
-            "Directory.Build.props",
-            "Directory.build.props",
-            "Directory.Packages.props",
-            "Directory.packages.props",
-            "Directory.Build.targets",
-            "Directory.build.targets"
-          ]
-
-          possible_paths.each do |path|
-            break if attempted_paths.include?(path)
-
-            attempted_paths << path
-            file = fetch_file_if_present(path)
-            directory_build_files << file if file
+        directory_path = Pathname.new(directory)
+
+        # find all build files (Directory.Build.props/.targets) relative to the given project file
+        project_files.map { |f| Pathname.new(f.directory).join(f.name).dirname }.uniq.each do |dir|
+          # Simulate MSBuild walking up the directory structure looking for a file
+          dir.descend.each do |possible_dir|
+            break if attempted_dirs.include?(possible_dir)
+
+            attempted_dirs << possible_dir
+            relative_possible_dir = Pathname.new(possible_dir).relative_path_from(directory_path).to_s
+            build_files = repo_contents(dir: relative_possible_dir).select { |f| f.name.match?(BUILD_FILE_NAMES) }
+            directory_build_files += build_files.map do |file|
+              possible_file = File.join(relative_possible_dir, file.name).delete_prefix("/")
+              fetch_file_from_host(possible_file)
+            end
           end
         end
 
         directory_build_files
       end
 
-      def possible_build_file_paths(base)
-        [
-          Pathname.new(base + "/Directory.Build.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.build.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.Packages.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.packages.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.Build.targets").cleanpath.to_path,
-          Pathname.new(base + "/Directory.build.targets").cleanpath.to_path
-        ]
-      end
-
       def sln_project_files
         return [] unless sln_files
 
@@ -189,35 +175,45 @@ module Dependabot
       end
 
       def csproj_file
-        @csproj_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.end_with?(".csproj") }
-            fetch_file_from_host(file.name) if file
-          end
+        @csproj_file ||= find_and_fetch_with_suffix(".csproj")
       end
 
       def vbproj_file
-        @vbproj_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.end_with?(".vbproj") }
-            fetch_file_from_host(file.name) if file
-          end
+        @vbproj_file ||= find_and_fetch_with_suffix(".vbproj")
       end
 
       def fsproj_file
-        @fsproj_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.end_with?(".fsproj") }
-            fetch_file_from_host(file.name) if file
-          end
+        @fsproj_file ||= find_and_fetch_with_suffix(".fsproj")
       end
 
-      def directory_packages_props_file
-        @directory_packages_props_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.casecmp?("directory.packages.props") }
-            fetch_file_from_host(file.name) if file
+      def proj_files
+        @proj_files ||= find_and_fetch_with_suffix(".proj")
+      end
+
+      def directory_packages_props_file_from_project_file(project_file)
+        # walk up the tree from each project file stopping at the first `Directory.Packages.props` file found
+        # https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#central-package-management-rules
+
+        found_directory_packages_props_file = nil
+        directory_path = Pathname.new(directory)
+        full_project_dir = Pathname.new(project_file.directory).join(project_file.name).dirname
+        full_project_dir.ascend.each do |base|
+          break if found_directory_packages_props_file
+
+          candidate_file_path = Pathname.new(base).join("Directory.Packages.props").cleanpath.to_path
+          candidate_directory = Pathname.new(File.dirname(candidate_file_path))
+          relative_candidate_directory = candidate_directory.relative_path_from(directory_path)
+          candidate_file = repo_contents(dir: relative_candidate_directory).find do |f|
+            f.name.casecmp?("Directory.Packages.props")
           end
+          found_directory_packages_props_file = fetch_file_from_host(candidate_file.name) if candidate_file
+        end
+
+        found_directory_packages_props_file
+      end
+
+      def find_and_fetch_with_suffix(suffix)
+        repo_contents.select { |f| f.name.end_with?(suffix) }.map { |f| fetch_file_from_host(f.name) }
       end
 
       def nuget_config_files
@@ -286,7 +282,8 @@ module Dependabot
       def fetch_imported_property_files(file:, previously_fetched_files:)
         paths =
           ImportPathsFinder.new(project_file: file).import_paths +
-          ImportPathsFinder.new(project_file: file).project_reference_paths
+          ImportPathsFinder.new(project_file: file).project_reference_paths +
+          ImportPathsFinder.new(project_file: file).project_file_paths
 
         paths.flat_map do |path|
           next if previously_fetched_files.map(&:name).include?(path)

data/lib/dependabot/nuget/file_parser/dotnet_tools_json_parser.rb

@@ -51,7 +51,8 @@ module Dependabot
         attr_reader :dotnet_tools_json
 
         def parsed_dotnet_tools_json
-          @parsed_dotnet_tools_json ||= JSON.parse(dotnet_tools_json.content)
+          # Remove BOM if present as JSON should be UTF-8
+          @parsed_dotnet_tools_json ||= JSON.parse(dotnet_tools_json.content.delete_prefix("\uFEFF"))
         rescue JSON::ParserError
           raise Dependabot::DependencyFileNotParseable, dotnet_tools_json.path
         end

data/lib/dependabot/nuget/file_parser/global_json_parser.rb

@@ -48,7 +48,8 @@ module Dependabot
         attr_reader :global_json
 
         def parsed_global_json
-          @parsed_global_json ||= JSON.parse(global_json.content)
+          # Remove BOM if present as JSON should be UTF-8
+          @parsed_global_json ||= JSON.parse(global_json.content.delete_prefix("\uFEFF"))
         rescue JSON::ParserError
           raise Dependabot::DependencyFileNotParseable, global_json.path
         end

data/lib/dependabot/nuget/file_parser/packages_config_parser.rb

@@ -5,6 +5,7 @@ require "nokogiri"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"
+require "dependabot/nuget/cache_manager"
 
 # For details on packages.config files see:
 # https://docs.microsoft.com/en-us/nuget/reference/packages-config
@@ -16,11 +17,32 @@ module Dependabot
 
         DEPENDENCY_SELECTOR = "packages > package"
 
+        def self.dependency_set_cache
+          CacheManager.cache("packages_config_dependency_set")
+        end
+
         def initialize(packages_config:)
           @packages_config = packages_config
         end
 
         def dependency_set
+          return parse_dependencies if CacheManager.caching_disabled?
+
+          key = "#{packages_config.name.downcase}::#{packages_config.content.hash}"
+          cache = PackagesConfigParser.dependency_set_cache
+
+          cache[key] ||= parse_dependencies
+
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+          dependency_set += cache[key]
+          dependency_set
+        end
+
+        private
+
+        attr_reader :packages_config
+
+        def parse_dependencies
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           doc = Nokogiri::XML(packages_config.content)
@@ -43,10 +65,6 @@ module Dependabot
           dependency_set
         end
 
-        private
-
-        attr_reader :packages_config
-
         def dependency_name(dependency_node)
           dependency_node.attribute("id")&.value&.strip ||
             dependency_node.at_xpath("./id")&.content&.strip