dependabot-nuget 0.237.0 → 0.239.0

data/lib/dependabot/nuget/file_updater.rb

@@ -1,19 +1,22 @@
 # typed: true
 # frozen_string_literal: true
 
+require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
+require "dependabot/nuget/native_helpers"
 
 module Dependabot
   module Nuget
     class FileUpdater < Dependabot::FileUpdaters::Base
-      require_relative "file_updater/packages_config_declaration_finder"
-      require_relative "file_updater/project_file_declaration_finder"
       require_relative "file_updater/property_value_updater"
+      require_relative "file_parser/project_file_parser"
+      require_relative "file_parser/dotnet_tools_json_parser"
+      require_relative "file_parser/packages_config_parser"
 
       def self.updated_files_regex
         [
-          %r{^[^/]*\.[a-z]{2}proj$},
+          %r{^[^/]*\.([a-z]{2})?proj$},
           /^packages\.config$/i,
           /^global\.json$/i,
           /^dotnet-tools\.json$/i,
@@ -24,156 +27,159 @@ module Dependabot
       end
 
       def updated_dependency_files
-        updated_files = T.let(dependency_files.dup, T.untyped)
-
-        # Loop through each of the changed requirements, applying changes to
-        # all files for that change. Note that the logic is different here
-        # to other languages because donet has property inheritance across
-        # files
         dependencies.each do |dependency|
-          updated_files = update_files_for_dependency(
-            files: updated_files,
-            dependency: dependency
-          )
+          try_update_projects(dependency) || try_update_json(dependency)
         end
 
-        updated_files.reject! { |f| dependency_files.include?(f) }
+        # update all with content from disk
+        updated_files = dependency_files.filter_map do |f|
+          updated_content = File.read(dependency_file_path(f))
+          next if updated_content == f.content
 
-        raise "No files changed!" if updated_files.none?
+          normalized_content = normalize_content(f, updated_content)
+          next if normalized_content == f.content
+
+          puts "The contents of file [#{f.name}] were updated."
+
+          updated_file(file: f, content: normalized_content)
+        end
+
+        # reset repo files
+        SharedHelpers.reset_git_repo(T.cast(repo_contents_path, String)) if repo_contents_path
 
         updated_files
       end
 
       private
 
-      def project_files
-        dependency_files.select { |df| df.name.match?(/\.[a-z]{2}proj$|[Dd]irectory.[Pp]ackages.props/) }
+      def try_update_projects(dependency)
+        update_ran = T.let(false, T::Boolean)
+
+        # run update for each project file
+        project_files.each do |project_file|
+          project_dependencies = project_dependencies(project_file)
+          proj_path = dependency_file_path(project_file)
+
+          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+
+          NativeHelpers.run_nuget_updater_tool(repo_contents_path, proj_path, dependency, !dependency.top_level?)
+          update_ran = true
+        end
+
+        update_ran
       end
 
-      def packages_config_files
-        dependency_files.select do |f|
-          T.must(T.must(f.name.split("/").last).casecmp("packages.config")).zero?
+      def try_update_json(dependency)
+        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? } ||
+           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+
+          # We just need to feed the updater a project file, grab the first
+          project_file = project_files.first
+          proj_path = dependency_file_path(project_file)
+
+          NativeHelpers.run_nuget_updater_tool(repo_contents_path, proj_path, dependency, !dependency.top_level?)
+          return true
         end
+
+        false
       end
 
-      def global_json
-        dependency_files.find { |f| T.must(f.name.casecmp("global.json")).zero? }
+      def project_dependencies(project_file)
+        # Collect all dependencies from the project file and associated packages.config
+        dependencies = project_file_parser.dependency_set(project_file: project_file).dependencies
+        packages_config = find_packages_config(project_file)
+        return dependencies unless packages_config
+
+        dependencies + FileParser::PackagesConfigParser.new(packages_config: packages_config)
+                                                       .dependency_set.dependencies
       end
 
-      def dotnet_tools_json
-        dependency_files.find { |f| T.must(f.name.casecmp(".config/dotnet-tools.json")).zero? }
+      def find_packages_config(project_file)
+        project_file_name = File.basename(project_file.name)
+        packages_config_path = project_file.name.gsub(project_file_name, "packages.config")
+        packages_config_files.find { |f| f.name == packages_config_path }
       end
 
-      def check_required_files
-        return if project_files.any? || packages_config_files.any?
+      def project_file_parser
+        @project_file_parser ||=
+          FileParser::ProjectFileParser.new(
+            dependency_files: dependency_files,
+            credentials: credentials
+          )
+      end
 
-        raise "No project file or packages.config!"
+      def global_json_dependencies
+        return [] unless global_json
+
+        @global_json_dependencies ||=
+          FileParser::GlobalJsonParser.new(global_json: global_json).dependency_set.dependencies
       end
 
-      def update_files_for_dependency(files:, dependency:)
-        # The UpdateChecker ensures the order of requirements is preserved
-        # when updating, so we can zip them together in new/old pairs.
-        reqs = dependency.requirements.zip(dependency.previous_requirements)
-                         .reject { |new_req, old_req| new_req == old_req }
+      def dotnet_tools_json_dependencies
+        return [] unless dotnet_tools_json
 
-        # Loop through each changed requirement and update the files
-        reqs.each do |new_req, old_req|
-          raise "Bad req match" unless new_req[:file] == old_req[:file]
-          next if new_req[:requirement] == old_req[:requirement]
+        @dotnet_tools_json_dependencies ||=
+          FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set.dependencies
+      end
 
-          file = files.find { |f| f.name == new_req.fetch(:file) }
+      def normalize_content(dependency_file, updated_content)
+        # Fix up line endings
+        if dependency_file.content.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
+          # The original content contain windows style newlines.
+          # Ensure the updated content also uses windows style newlines.
+          updated_content = updated_content.gsub(/(?<!\r)\n/, "\r\n")
+          puts "Fixing mismatched Windows line endings for [#{dependency_file.name}]."
+        elsif updated_content.include?("\r\n")
+          # The original content does not contain windows style newlines.
+          # Ensure the updated content uses unix style newlines.
+          updated_content = updated_content.gsub("\r\n", "\n")
+          puts "Fixing mismatched Unix line endings for [#{dependency_file.name}]."
+        end
 
-          files =
-            if new_req.dig(:metadata, :property_name)
-              update_property_value(files, file, new_req)
-            else
-              update_declaration(files, dependency, file, old_req, new_req)
-            end
+        # Fix up BOM
+        if !dependency_file.content.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
+          updated_content = updated_content.delete_prefix("\uFEFF")
+          puts "Removing BOM from [#{dependency_file.name}]."
+        elsif dependency_file.content.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
+          updated_content = "\uFEFF" + updated_content
+          puts "Adding BOM to [#{dependency_file.name}]."
         end
 
-        files
+        updated_content
       end
 
-      def update_property_value(files, file, req)
-        files = files.dup
-        property_name = req.fetch(:metadata).fetch(:property_name)
-
-        PropertyValueUpdater
-          .new(dependency_files: files)
-          .update_files_for_property_change(
-            property_name: property_name,
-            updated_value: req.fetch(:requirement),
-            callsite_file: file
-          )
+      def dependency_file_path(dependency_file)
+        if dependency_file.directory.start_with?(repo_contents_path)
+          File.join(dependency_file.directory, dependency_file.name)
+        else
+          file_directory = dependency_file.directory
+          file_directory = file_directory[1..-1] if file_directory.start_with?("/")
+          File.join(repo_contents_path || "", file_directory, dependency_file.name)
+        end
       end
 
-      def update_declaration(files, dependency, file, old_req, new_req)
-        files = files.dup
-
-        updated_content = file.content
+      def project_files
+        dependency_files.select { |df| df.name.match?(/\.([a-z]{2})?proj$/) }
+      end
 
-        original_declarations(dependency, old_req).each do |old_dec|
-          updated_content = updated_content.gsub(
-            old_dec,
-            updated_declaration(old_dec, old_req, new_req)
-          )
+      def packages_config_files
+        dependency_files.select do |f|
+          T.must(T.must(f.name.split("/").last).casecmp("packages.config")).zero?
         end
+      end
 
-        raise "Expected content to change!" if updated_content == file.content
-
-        files[files.index(file)] =
-          updated_file(file: file, content: updated_content)
-        files
-      end
-
-      def original_declarations(dependency, requirement)
-        if requirement.fetch(:file).casecmp("global.json").zero?
-          [
-            global_json.content.match(
-              /"#{Regexp.escape(dependency.name)}"\s*:\s*
-               "#{Regexp.escape(dependency.previous_version)}"/x
-            ).to_s
-          ]
-        elsif requirement.fetch(:file).casecmp(".config/dotnet-tools.json").zero?
-          [
-            dotnet_tools_json.content.match(
-              /"#{Regexp.escape(dependency.name)}"\s*:\s*{\s*"version"\s*:\s*
-               "#{Regexp.escape(dependency.previous_version)}"/xm
-            ).to_s
-          ]
-        else
-          declaration_finder(dependency, requirement).declaration_strings
-        end
+      def global_json
+        dependency_files.find { |f| T.must(f.name.casecmp("global.json")).zero? }
       end
 
-      def declaration_finder(dependency, requirement)
-        @declaration_finders ||= {}
-
-        requirement_fn = requirement.fetch(:file)
-        @declaration_finders[dependency.hash + requirement.hash] ||=
-          if requirement_fn.split("/").last.casecmp("packages.config").zero?
-            PackagesConfigDeclarationFinder.new(
-              dependency_name: dependency.name,
-              declaring_requirement: requirement,
-              packages_config:
-                packages_config_files.find { |f| f.name == requirement_fn }
-            )
-          else
-            ProjectFileDeclarationFinder.new(
-              dependency_name: dependency.name,
-              declaring_requirement: requirement,
-              dependency_files: dependency_files
-            )
-          end
-      end
-
-      def updated_declaration(old_declaration, previous_req, requirement)
-        original_req_string = previous_req.fetch(:requirement)
-
-        old_declaration.gsub(
-          original_req_string,
-          requirement.fetch(:requirement)
-        )
+      def dotnet_tools_json
+        dependency_files.find { |f| T.must(f.name.casecmp(".config/dotnet-tools.json")).zero? }
+      end
+
+      def check_required_files
+        return if project_files.any? || packages_config_files.any?
+
+        raise "No project file or packages.config!"
       end
     end
   end

data/lib/dependabot/nuget/native_helpers.rb

@@ -0,0 +1,94 @@
+# typed: true
+# frozen_string_literal: true
+
+module Dependabot
+  module Nuget
+    module NativeHelpers
+      def self.native_helpers_root
+        helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
+        return File.join(helpers_root, "nuget") unless helpers_root.nil?
+
+        File.expand_path("../../../helpers", __dir__)
+      end
+
+      def self.run_nuget_framework_check(project_tfms, package_tfms)
+        exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
+        command = [
+          exe_path,
+          "framework-check",
+          "--project-tfms",
+          *project_tfms,
+          "--package-tfms",
+          *package_tfms,
+          "--verbose"
+        ].join(" ")
+
+        fingerprint = [
+          exe_path,
+          "framework-check",
+          "--project-tfms",
+          "<project-tfms>",
+          "--package-tfms",
+          "<package-tfms>",
+          "--verbose"
+        ].join(" ")
+
+        puts "running NuGet updater:\n" + command
+
+        output = SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        puts output
+
+        # Exit code == 0 means that all project frameworks are compatible
+        true
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed
+        # Exit code != 0 means that not all project frameworks are compatible
+        false
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      def self.run_nuget_updater_tool(repo_root, proj_path, dependency, is_transitive)
+        exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
+        command = [
+          exe_path,
+          "update",
+          "--repo-root",
+          repo_root,
+          "--solution-or-project",
+          proj_path,
+          "--dependency",
+          dependency.name,
+          "--new-version",
+          dependency.version,
+          "--previous-version",
+          dependency.previous_version,
+          is_transitive ? "--transitive" : "",
+          "--verbose"
+        ].join(" ")
+
+        fingerprint = [
+          exe_path,
+          "update",
+          "--repo-root",
+          "<repo-root>",
+          "--solution-or-project",
+          "<path-to-solution-or-project>",
+          "--dependency",
+          "<dependency-name>",
+          "--new-version",
+          "<new-version>",
+          "--previous-version",
+          "<previous-version>",
+          is_transitive ? "--transitive" : "",
+          "--verbose"
+        ].join(" ")
+
+        puts "running NuGet updater:\n" + command
+
+        output = SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+
+        puts output
+      end
+      # rubocop:enable Metrics/MethodLength
+    end
+  end
+end

data/lib/dependabot/nuget/requirement.rb

@@ -1,6 +1,9 @@
 # typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
+require "dependabot/requirement"
 require "dependabot/utils"
 require "dependabot/nuget/version"
 
@@ -8,7 +11,7 @@ require "dependabot/nuget/version"
 # https://docs.microsoft.com/en-us/nuget/reference/package-versioning
 module Dependabot
   module Nuget
-    class Requirement < Gem::Requirement
+    class Requirement < Dependabot::Requirement
       def self.parse(obj)
         return ["=", Nuget::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
 
@@ -25,6 +28,7 @@ module Dependabot
       # For consistency with other languages, we define a requirements array.
       # Dotnet doesn't have an `OR` separator for requirements, so it always
       # contains a single element.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
       def self.requirements_array(requirement_string)
         [new(requirement_string)]
       end

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -0,0 +1,85 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/nuget/update_checker"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class CompatibilityChecker
+        require_relative "nuspec_fetcher"
+        require_relative "nupkg_fetcher"
+        require_relative "tfm_finder"
+        require_relative "tfm_comparer"
+
+        def initialize(dependency_urls:, dependency:, tfm_finder:)
+          @dependency_urls = dependency_urls
+          @dependency = dependency
+          @tfm_finder = tfm_finder
+        end
+
+        def compatible?(version)
+          nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
+          return false unless nuspec_xml
+
+          # development dependencies are packages such as analyzers which need to be
+          # compatible with the compiler not the project itself.
+          return true if development_dependency?(nuspec_xml)
+
+          package_tfms = parse_package_tfms(nuspec_xml)
+          package_tfms = fetch_package_tfms(version) if package_tfms.empty?
+          # nil is a special return value that indicates that the package is likely a development dependency
+          return true if package_tfms.nil?
+          return false if package_tfms.empty?
+
+          return false if project_tfms.nil? || project_tfms.empty?
+
+          TfmComparer.are_frameworks_compatible?(project_tfms, package_tfms)
+        end
+
+        private
+
+        attr_reader :dependency_urls, :dependency, :tfm_finder
+
+        def development_dependency?(nuspec_xml)
+          contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
+          return false unless contents
+
+          contents.casecmp("true").zero?
+        end
+
+        def parse_package_tfms(nuspec_xml)
+          nuspec_xml.xpath("//dependencies/group").map do |group|
+            group.attribute("targetFramework")
+          end
+        end
+
+        def project_tfms
+          return @project_tfms if defined?(@project_tfms)
+
+          @project_tfms = tfm_finder.frameworks(dependency)
+        end
+
+        def fetch_package_tfms(dependency_version)
+          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
+          return [] unless nupkg_buffer
+
+          # Parse tfms from the folders beneath the lib folder
+          folder_name = "lib/"
+          tfms = Set.new
+          Zip::File.open_buffer(nupkg_buffer) do |zip|
+            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
+            # If there is no lib folder in this package, assume it is a development dependency
+            return nil if lib_file_entries.empty?
+
+            lib_file_entries.each do |entry|
+              _, tfm = entry.name.split("/").first(2)
+              tfms << tfm
+            end
+          end
+          tfms.to_a
+        end
+      end
+    end
+  end
+end