dependabot-nuget 0.237.0 → 0.239.0

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -5,15 +5,19 @@ require "nokogiri"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"
+require "dependabot/nuget/update_checker"
+require "dependabot/nuget/cache_manager"
 
 # For details on how dotnet handles version constraints, see:
 # https://docs.microsoft.com/en-us/nuget/reference/package-versioning
 module Dependabot
   module Nuget
     class FileParser
+      # rubocop:disable Metrics/ClassLength
       class ProjectFileParser
         require "dependabot/file_parsers/base/dependency_set"
         require_relative "property_value_finder"
+        require_relative "../update_checker/repository_finder"
 
         DEPENDENCY_SELECTOR = "ItemGroup > PackageReference, " \
                               "ItemGroup > GlobalPackageReference, " \
@@ -21,15 +25,64 @@ module Dependabot
                               "ItemGroup > Dependency, " \
                               "ItemGroup > DevelopmentDependency"
 
+        PROJECT_REFERENCE_SELECTOR = "ItemGroup > ProjectReference"
+
+        PACKAGE_REFERENCE_SELECTOR = "ItemGroup > PackageReference, " \
+                                     "ItemGroup > GlobalPackageReference"
+
+        PACKAGE_VERSION_SELECTOR = "ItemGroup > PackageVersion"
+
         PROJECT_SDK_REGEX   = %r{^([^/]+)/(\d+(?:[.]\d+(?:[.]\d+)?)?(?:[+-].*)?)$}
         PROPERTY_REGEX      = /\$\((?<property>.*?)\)/
         ITEM_REGEX          = /\@\((?<property>.*?)\)/
 
-        def initialize(dependency_files:)
-          @dependency_files = dependency_files
+        def self.dependency_set_cache
+          CacheManager.cache("project_file_dependency_set")
+        end
+
+        def self.dependency_url_search_cache
+          CacheManager.cache("dependency_url_search_cache")
+        end
+
+        def initialize(dependency_files:, credentials:)
+          @dependency_files       = dependency_files
+          @credentials            = credentials
         end
 
         def dependency_set(project_file:)
+          return parse_dependencies(project_file) if CacheManager.caching_disabled?
+
+          key = "#{project_file.name.downcase}::#{project_file.content.hash}"
+          cache = ProjectFileParser.dependency_set_cache
+
+          cache[key] ||= parse_dependencies(project_file)
+
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+          dependency_set += cache[key]
+          dependency_set
+        end
+
+        def target_frameworks(project_file:)
+          target_framework = details_for_property("TargetFramework", project_file)
+          return [target_framework&.fetch(:value)] if target_framework
+
+          target_frameworks = details_for_property("TargetFrameworks", project_file)
+          return target_frameworks&.fetch(:value)&.split(";") if target_frameworks
+
+          target_framework = details_for_property("TargetFrameworkVersion", project_file)
+          return [] unless target_framework
+
+          # TargetFrameworkVersion is a string like "v4.7.2"
+          value = target_framework&.fetch(:value)
+          # convert it to a string like "net472"
+          ["net#{value[1..-1].delete('.')}"]
+        end
+
+        private
+
+        attr_reader :dependency_files, :credentials
+
+        def parse_dependencies(project_file)
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           doc = Nokogiri::XML(project_file.content)
@@ -46,6 +99,10 @@ module Dependabot
             dependency_set << dependency if dependency
           end
 
+          add_global_package_references(dependency_set)
+
+          add_transitive_dependencies(project_file, doc, dependency_set)
+
           # Look for SDK references; see:
           # https://docs.microsoft.com/en-us/visualstudio/msbuild/how-to-use-project-sdk
           add_sdk_references(doc, dependency_set, project_file)
@@ -53,9 +110,86 @@ module Dependabot
           dependency_set
         end
 
-        private
+        def add_global_package_references(dependency_set)
+          project_import_files.each do |file|
+            doc = Nokogiri::XML(file.content)
+            doc.remove_namespaces!
 
-        attr_reader :dependency_files
+            doc.css(PACKAGE_REFERENCE_SELECTOR).each do |dependency_node|
+              name = dependency_name(dependency_node, file)
+              req = dependency_requirement(dependency_node, file)
+              version = dependency_version(dependency_node, file)
+              prop_name = req_property_name(dependency_node)
+
+              dependency = build_dependency(name, req, version, prop_name, file)
+              dependency_set << dependency if dependency
+            end
+          end
+        end
+
+        def add_transitive_dependencies(project_file, doc, dependency_set)
+          add_transitive_dependencies_from_packages(dependency_set)
+          add_transitive_dependencies_from_project_references(project_file, doc, dependency_set)
+        end
+
+        def add_transitive_dependencies_from_project_references(project_file, doc, dependency_set)
+          project_file_directory = File.dirname(project_file.name)
+          is_rooted = project_file_directory.start_with?("/")
+          # Root the directory path to avoid expand_path prepending the working directory
+          project_file_directory = "/" + project_file_directory unless is_rooted
+
+          # Look for regular project references
+          doc.css(PROJECT_REFERENCE_SELECTOR).each do |reference_node|
+            relative_path = dependency_name(reference_node, project_file)
+            # This could result from a <ProjectReference Remove="..." /> item.
+            next unless relative_path
+
+            # normalize path separators
+            relative_path = relative_path.tr("\\", "/")
+            # path is relative to the project file directory
+            relative_path = File.join(project_file_directory, relative_path)
+
+            # get absolute path
+            full_path = File.expand_path(relative_path)
+            full_path = full_path[1..-1] unless is_rooted
+
+            referenced_file = dependency_files.find { |f| f.name == full_path }
+            next unless referenced_file
+
+            dependency_set(project_file: referenced_file).dependencies.each do |dep|
+              dependency = Dependency.new(
+                name: dep.name,
+                version: dep.version,
+                package_manager: dep.package_manager,
+                requirements: []
+              )
+              dependency_set << dependency
+            end
+          end
+        end
+
+        def add_transitive_dependencies_from_packages(dependency_set)
+          transitive_dependencies_from_packages(dependency_set.dependencies).each { |dep| dependency_set << dep }
+        end
+
+        def transitive_dependencies_from_packages(dependencies)
+          transitive_dependencies = {}
+
+          dependencies.each do |dependency|
+            UpdateChecker::DependencyFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            ).transitive_dependencies.each do |transitive_dep|
+              visited_dep = transitive_dependencies[transitive_dep.name.downcase]
+              next if !visited_dep.nil? && visited_dep.numeric_version > transitive_dep.numeric_version
+
+              transitive_dependencies[transitive_dep.name.downcase] = transitive_dep
+            end
+          end
+
+          transitive_dependencies.values
+        end
 
         def add_sdk_references(doc, dependency_set, project_file)
           # These come in 3 flavours:
@@ -133,21 +267,88 @@ module Dependabot
             requirement[:metadata] = { property_name: root_prop_name }
           end
 
-          Dependency.new(
+          dependency = Dependency.new(
             name: name,
             version: version,
             package_manager: "nuget",
             requirements: [requirement]
           )
+
+          # only include dependency if one of the sources has it
+          return unless dependency_has_search_results?(dependency)
+
+          dependency
+        end
+
+        def dependency_has_search_results?(dependency)
+          nuget_configs = dependency_files.select { |f| f.name.casecmp?("nuget.config") }
+          dependency_urls = UpdateChecker::RepositoryFinder.new(
+            dependency: dependency,
+            credentials: credentials,
+            config_files: nuget_configs
+          ).dependency_urls
+          if dependency_urls.empty?
+            dependency_urls = [UpdateChecker::RepositoryFinder.get_default_repository_details(dependency.name)]
+          end
+          dependency_urls.any? do |dependency_url|
+            dependency_url_has_matching_result?(dependency.name, dependency_url)
+          end
+        end
+
+        def dependency_url_has_matching_result?(dependency_name, dependency_url)
+          repository_type = dependency_url.fetch(:repository_type)
+          if repository_type == "v3"
+            dependency_url_has_matching_result_v3?(dependency_name, dependency_url)
+          elsif repository_type == "v2"
+            dependency_url_has_matching_result_v2?(dependency_name, dependency_url)
+          else
+            raise "Unknown repository type: #{repository_type}"
+          end
+        end
+
+        def dependency_url_has_matching_result_v3?(dependency_name, dependency_url)
+          url = dependency_url.fetch(:search_url)
+          auth_header = dependency_url.fetch(:auth_header)
+          response = execute_search_for_dependency_url(url, auth_header)
+          return false unless response.status == 200
+
+          body = JSON.parse(response.body)
+          data = body["data"]
+          return false unless data.length.positive?
+
+          data.any? { |result| result["id"].casecmp?(dependency_name) }
+        end
+
+        def dependency_url_has_matching_result_v2?(dependency_name, dependency_url)
+          url = dependency_url.fetch(:versions_url)
+          auth_header = dependency_url.fetch(:auth_header)
+          response = execute_search_for_dependency_url(url, auth_header)
+          return false unless response.status == 200
+
+          doc = Nokogiri::XML(response.body)
+          doc.remove_namespaces!
+          id_nodes = doc.xpath("/feed/entry/properties/Id")
+          found_matching_result = id_nodes.any? do |id_node|
+            return false unless id_node.text
+
+            id_node.text.casecmp?(dependency_name)
+          end
+          found_matching_result
+        end
+
+        def execute_search_for_dependency_url(url, auth_header)
+          cache = ProjectFileParser.dependency_url_search_cache
+          cache[url] ||= Dependabot::RegistryClient.get(
+            url: url,
+            headers: auth_header
+          )
+
+          cache[url]
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
         def dependency_name(dependency_node, project_file)
-          raw_name =
-            dependency_node.attribute("Include")&.value&.strip ||
-            dependency_node.at_xpath("./Include")&.content&.strip ||
-            dependency_node.attribute("Update")&.value&.strip ||
-            dependency_node.at_xpath("./Update")&.content&.strip
+          raw_name = get_attribute_value(dependency_node, "Include") ||
+                     get_attribute_value(dependency_node, "Update")
           return unless raw_name
 
           # If the item contains @(ItemGroup) then ignore as it
@@ -156,15 +357,51 @@ module Dependabot
 
           evaluated_value(raw_name, project_file)
         end
-        # rubocop:enable Metrics/PerceivedComplexity
 
         def dependency_requirement(dependency_node, project_file)
-          raw_requirement = get_node_version_value(dependency_node)
+          raw_requirement = get_node_version_value(dependency_node) ||
+                            find_package_version(dependency_node, project_file)
           return unless raw_requirement
 
           evaluated_value(raw_requirement, project_file)
         end
 
+        def find_package_version(dependency_node, project_file)
+          name = dependency_name(dependency_node, project_file)
+          return unless name
+
+          package_version_string = package_versions[name].to_s
+          return unless package_version_string != ""
+
+          package_version_string
+        end
+
+        def package_versions
+          @package_versions ||= begin
+            package_versions = {}
+            directory_packages_props_files.each do |file|
+              doc = Nokogiri::XML(file.content)
+              doc.remove_namespaces!
+              doc.css(PACKAGE_VERSION_SELECTOR).each do |package_node|
+                name = dependency_name(package_node, file)
+                version = dependency_version(package_node, file)
+                next unless name && version
+
+                version = Version.new(version)
+                existing_version = package_versions[name]
+                next if existing_version && existing_version > version
+
+                package_versions[name] = version
+              end
+            end
+            package_versions
+          end
+        end
+
+        def directory_packages_props_files
+          dependency_files.select { |df| df.name.match?(/[Dd]irectory.[Pp]ackages.props/) }
+        end
+
         def dependency_version(dependency_node, project_file)
           requirement = dependency_requirement(dependency_node, project_file)
           return unless requirement
@@ -191,9 +428,12 @@ module Dependabot
             .named_captures.fetch("property")
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
         def get_node_version_value(node)
-          attribute = "Version"
+          get_attribute_value(node, "Version") || get_attribute_value(node, "VersionOverride")
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        def get_attribute_value(node, attribute)
           value =
             node.attribute(attribute)&.value&.strip ||
             node.at_xpath("./#{attribute}")&.content&.strip ||
@@ -230,7 +470,39 @@ module Dependabot
           @property_value_finder ||=
             PropertyValueFinder.new(dependency_files: dependency_files)
         end
+
+        def project_import_files
+          dependency_files -
+            project_files -
+            packages_config_files -
+            nuget_configs -
+            [global_json] -
+            [dotnet_tools_json]
+        end
+
+        def project_files
+          dependency_files.select { |f| f.name.match?(/\.[a-z]{2}proj$/) }
+        end
+
+        def packages_config_files
+          dependency_files.select do |f|
+            f.name.split("/").last.casecmp("packages.config").zero?
+          end
+        end
+
+        def nuget_configs
+          dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
+        end
+
+        def global_json
+          dependency_files.find { |f| f.name.casecmp("global.json").zero? }
+        end
+
+        def dotnet_tools_json
+          dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json").zero? }
+        end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/nuget/file_parser/property_value_finder.rb

@@ -39,7 +39,7 @@ module Dependabot
             )
 
           node_details ||=
-            find_property_in_directory_build_packages(
+            find_property_in_directory_packages_props(
               property: property_name,
               callsite_file: callsite_file
             )
@@ -101,24 +101,18 @@ module Dependabot
         end
 
         def find_property_in_directory_build_targets(property:, callsite_file:)
-          file = build_targets_file_for_project(callsite_file)
-          return unless file
-
-          deep_find_prop_node(property: property, file: file)
+          find_property_in_up_tree_files(property: property, callsite_file: callsite_file,
+                                         expected_file_name: "Directory.Build.targets")
         end
 
         def find_property_in_directory_build_props(property:, callsite_file:)
-          file = build_props_file_for_project(callsite_file)
-          return unless file
-
-          deep_find_prop_node(property: property, file: file)
+          find_property_in_up_tree_files(property: property, callsite_file: callsite_file,
+                                         expected_file_name: "Directory.Build.props")
         end
 
-        def find_property_in_directory_build_packages(property:, callsite_file:)
-          file = build_packages_file_for_project(callsite_file)
-          return unless file
-
-          deep_find_prop_node(property: property, file: file)
+        def find_property_in_directory_packages_props(property:, callsite_file:)
+          find_property_in_up_tree_files(property: property, callsite_file: callsite_file,
+                                         expected_file_name: "Directory.Packages.props")
         end
 
         def find_property_in_packages_props(property:)
@@ -128,53 +122,29 @@ module Dependabot
           deep_find_prop_node(property: property, file: file)
         end
 
-        def build_targets_file_for_project(project_file)
-          dir = File.dirname(project_file.name)
-
-          # Nuget walks up the directory structure looking for a
-          # Directory.Build.targets file
-          possible_paths = dir.split("/").map.with_index do |_, i|
-            base = dir.split("/").first(i + 1).join("/")
-            Pathname.new(base + "/Directory.Build.targets").cleanpath.to_path
-          end.reverse + ["Directory.Build.targets"]
-
-          path = possible_paths.uniq
-                               .find { |p| dependency_files.find { |f| f.name == p } }
+        def find_property_in_up_tree_files(property:, callsite_file:, expected_file_name:)
+          files = up_tree_files_for_project(callsite_file, expected_file_name)
+          return unless files
+          return if files.empty?
 
-          dependency_files.find { |f| f.name == path }
+          # first file where we were able to find the node
+          files.reduce(nil) { |acc, file| acc || deep_find_prop_node(property: property, file: file) }
         end
 
-        def build_props_file_for_project(project_file)
+        def up_tree_files_for_project(project_file, expected_file_name)
           dir = File.dirname(project_file.name)
 
-          # Nuget walks up the directory structure looking for a
-          # Directory.Build.props file
+          # Simulate MSBuild walking up the directory structure looking for a file
           possible_paths = dir.split("/").map.with_index do |_, i|
             base = dir.split("/").first(i + 1).join("/")
-            Pathname.new(base + "/Directory.Build.props").cleanpath.to_path
-          end.reverse + ["Directory.Build.props"]
+            Pathname.new(base + "/#{expected_file_name}").cleanpath.to_path
+          end.reverse + [expected_file_name]
 
-          path =
+          paths =
             possible_paths.uniq
-                          .find { |p| dependency_files.find { |f| f.name.casecmp(p).zero? } }
-
-          dependency_files.find { |f| f.name == path }
-        end
-
-        def build_packages_file_for_project(project_file)
-          dir = File.dirname(project_file.name)
-
-          # Nuget walks up the directory structure looking for a
-          # Directory.Packages.props file
-          possible_paths = dir.split("/").map.with_index do |_, i|
-            base = dir.split("/").first(i + 1).join("/")
-            Pathname.new(base + "/Directory.Packages.props").cleanpath.to_path
-          end.reverse + ["Directory.Packages.props"]
-
-          path = possible_paths.uniq
-                               .find { |p| dependency_files.find { |f| f.name == p } }
+                          .select { |p| dependency_files.find { |f| f.name.casecmp(p).zero? } }
 
-          dependency_files.find { |f| f.name == path }
+          dependency_files.select { |f| paths.include?(f.name) }
         end
 
         def packages_props_file
@@ -182,7 +152,9 @@ module Dependabot
         end
 
         def property_xpath(property_name)
-          "/Project/PropertyGroup/#{property_name}"
+          # only return properties that don't have a `Condition` attribute or the `Condition` attribute is checking for
+          # an empty string, e.g., Condition="$(SomeProperty) == ''"
+          %{/Project/PropertyGroup/#{property_name}[not(@Condition) or @Condition="$(#{property_name}) == ''"]}
         end
 
         def node_details(file:, node:, property:)

data/lib/dependabot/nuget/file_parser.rb

@@ -67,7 +67,10 @@ module Dependabot
 
       def project_file_parser
         @project_file_parser ||=
-          ProjectFileParser.new(dependency_files: dependency_files)
+          ProjectFileParser.new(
+            dependency_files: dependency_files,
+            credentials: credentials
+          )
       end
 
       def project_files