dependabot-nuget 0.237.0 → 0.239.0

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -0,0 +1,228 @@
+# typed: true
+# frozen_string_literal: true
+
+require "nokogiri"
+require "zip"
+require "stringio"
+require "dependabot/nuget/update_checker"
+require "dependabot/nuget/version"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class DependencyFinder
+        require_relative "requirements_updater"
+        require_relative "nuspec_fetcher"
+
+        def self.transitive_dependencies_cache
+          CacheManager.cache("dependency_finder_transitive_dependencies")
+        end
+
+        def self.updated_peer_dependencies_cache
+          CacheManager.cache("dependency_finder_updated_peer_dependencies")
+        end
+
+        def self.fetch_dependencies_cache
+          CacheManager.cache("dependency_finder_fetch_dependencies")
+        end
+
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency             = dependency
+          @dependency_files       = dependency_files
+          @credentials            = credentials
+        end
+
+        def transitive_dependencies
+          key = "#{dependency.name.downcase}::#{dependency.version}"
+          cache = DependencyFinder.transitive_dependencies_cache
+
+          cache[key] ||= fetch_transitive_dependencies(
+            @dependency.name,
+            @dependency.version
+          ).map do |dependency_info|
+            package_name = dependency_info["packageName"]
+            target_version = dependency_info["version"]
+
+            Dependency.new(
+              name: package_name,
+              version: target_version.to_s,
+              requirements: [], # Empty requirements for transitive dependencies
+              package_manager: @dependency.package_manager
+            )
+          end
+
+          cache[key]
+        end
+
+        def updated_peer_dependencies
+          key = "#{dependency.name.downcase}::#{dependency.version}"
+          cache = DependencyFinder.updated_peer_dependencies_cache
+
+          cache[key] ||= fetch_transitive_dependencies(
+            @dependency.name,
+            @dependency.version
+          ).filter_map do |dependency_info|
+            package_name = dependency_info["packageName"]
+            target_version = dependency_info["version"]
+
+            # Find the Dependency object for the peer dependency. We will not return
+            # dependencies that are not referenced from dependency files.
+            peer_dependency = top_level_dependencies.find { |d| d.name == package_name }
+            next unless peer_dependency
+            next unless target_version > peer_dependency.numeric_version
+
+            # Use version finder to determine the source details for the peer dependency.
+            target_version_details = version_finder(peer_dependency).versions.find do |v|
+              v.fetch(:version) == target_version
+            end
+            next unless target_version_details
+
+            Dependency.new(
+              name: peer_dependency.name,
+              version: target_version_details.fetch(:version).to_s,
+              requirements: updated_requirements(peer_dependency, target_version_details),
+              previous_version: peer_dependency.version,
+              previous_requirements: peer_dependency.requirements,
+              package_manager: peer_dependency.package_manager,
+              metadata: { information_only: true } # Instruct updater to not directly update this dependency
+            )
+          end
+
+          cache[key]
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :credentials
+
+        def updated_requirements(dep, target_version_details)
+          @updated_requirements ||= {}
+          @updated_requirements[dep.name] ||=
+            RequirementsUpdater.new(
+              requirements: dep.requirements,
+              latest_version: target_version_details.fetch(:version).to_s,
+              source_details: target_version_details
+                          &.slice(:nuspec_url, :repo_url, :source_url)
+            ).updated_requirements
+        end
+
+        def top_level_dependencies
+          @top_level_dependencies ||=
+            Nuget::FileParser.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select(&:top_level?)
+        end
+
+        def nuget_configs
+          @nuget_configs ||=
+            @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
+        end
+
+        def dependency_urls
+          @dependency_urls ||=
+            UpdateChecker::RepositoryFinder.new(
+              dependency: @dependency,
+              credentials: @credentials,
+              config_files: nuget_configs
+            ).dependency_urls
+                                           .select { |url| url.fetch(:repository_type) == "v3" }
+        end
+
+        def fetch_transitive_dependencies(package_id, package_version)
+          all_dependencies = {}
+          fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
+          all_dependencies.map { |_, dependency_info| dependency_info }
+        end
+
+        def fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
+          dependencies = fetch_dependencies(package_id, package_version)
+          return unless dependencies.any?
+
+          dependencies.each do |dependency|
+            next if dependency.nil?
+
+            dependency_id = dependency["packageName"]
+            dependency_version_range = dependency["versionRange"]
+
+            nuget_version_range_regex = /[\[(](\d+(\.\d+)*(-\w+(\.\d+)*)?)/
+            nuget_version_range_match_data = nuget_version_range_regex.match(dependency_version_range)
+
+            dependency_version = if nuget_version_range_match_data.nil?
+                                   dependency_version_range
+                                 else
+                                   nuget_version_range_match_data[1]
+                                 end
+
+            dependency["version"] = Version.new(dependency_version)
+
+            current_dependency = all_dependencies[dependency_id.downcase]
+            next unless current_dependency.nil? || current_dependency["version"] < dependency["version"]
+
+            all_dependencies[dependency_id.downcase] = dependency
+            fetch_transitive_dependencies_impl(dependency_id, dependency_version, all_dependencies)
+          end
+        end
+
+        def fetch_dependencies(package_id, package_version)
+          key = "#{package_id.downcase}::#{package_version}"
+          cache = DependencyFinder.fetch_dependencies_cache
+
+          cache[key] ||= begin
+            nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, package_id, package_version)
+            if nuspec_xml.nil?
+              []
+            else
+              read_dependencies_from_nuspec(nuspec_xml)
+            end
+          end
+
+          cache[key]
+        end
+
+        def read_dependencies_from_nuspec(nuspec_xml) # rubocop:disable Metrics/PerceivedComplexity
+          # we want to exclude development dependencies from the lookup
+          allowed_attributes = %w(all compile native runtime)
+
+          nuspec_xml_dependencies = nuspec_xml.xpath("//dependencies/child::node()/dependency").select do |dependency|
+            include_attr = dependency.attribute("include")
+            exclude_attr = dependency.attribute("exclude")
+
+            if include_attr.nil? && exclude_attr.nil?
+              true
+            elsif include_attr
+              include_values = include_attr.value.split(",").map(&:strip)
+              include_values.any? { |element1| allowed_attributes.any? { |element2| element1.casecmp?(element2) } }
+            else
+              exclude_values = exclude_attr.value.split(",").map(&:strip)
+              exclude_values.none? { |element1| allowed_attributes.any? { |element2| element1.casecmp?(element2) } }
+            end
+          end
+
+          dependency_list = []
+          nuspec_xml_dependencies.each do |dependency|
+            next unless dependency.attribute("version")
+
+            dependency_list << {
+              "packageName" => dependency.attribute("id").value,
+              "versionRange" => dependency.attribute("version").value
+            }
+          end
+
+          dependency_list
+        end
+
+        def version_finder(dep)
+          VersionFinder.new(
+            dependency: dep,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: [],
+            raise_on_ignored: false,
+            security_advisories: []
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -0,0 +1,119 @@
+# typed: true
+# frozen_string_literal: true
+
+require "nokogiri"
+require "zip"
+require "stringio"
+
+module Dependabot
+  module Nuget
+    class NupkgFetcher
+      require_relative "repository_finder"
+
+      def self.fetch_nupkg_buffer(dependency_urls, package_id, package_version)
+        # check all repositories for the first one that has the nupkg
+        dependency_urls.reduce(nil) do |nupkg_buffer, repository_details|
+          nupkg_buffer || fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
+        end
+      end
+
+      def self.fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
+        return unless package_id && package_version && !package_version.empty?
+
+        feed_url = repository_details[:repository_url]
+        repository_type = repository_details[:repository_type]
+
+        azure_devops_match = try_match_azure_url(feed_url)
+        package_url = if azure_devops_match
+                        get_azure_package_url(azure_devops_match, package_id, package_version)
+                      elsif repository_type == "v2"
+                        get_nuget_v2_package_url(feed_url, package_id, package_version)
+                      elsif repository_type == "v3"
+                        get_nuget_v3_package_url(repository_details, package_id, package_version)
+                      else
+                        raise Dependabot::DependencyFileNotResolvable, "Unexpected NuGet feed format: #{feed_url}"
+                      end
+
+        package_url
+      end
+
+      def self.fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
+        package_url = fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
+        return unless package_url
+
+        auth_header = repository_details[:auth_header]
+        fetch_stream(package_url, auth_header)
+      end
+
+      def self.try_match_azure_url(feed_url)
+        # if url is azure devops
+        azure_devops_regexs = [
+          %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/(?<project>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json},
+          %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)},
+          %r{https://(?<organization>[^\.\/]+)\.pkgs\.visualstudio\.com/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)}
+        ]
+        regex = azure_devops_regexs.find { |reg| reg.match(feed_url) }
+        return unless regex
+
+        regex.match(feed_url)
+      end
+
+      def self.get_azure_package_url(azure_devops_match, package_id, package_version)
+        organization = azure_devops_match[:organization]
+        project = azure_devops_match[:project]
+        feed_id = azure_devops_match[:feedId]
+
+        if project.empty?
+          "https://pkgs.dev.azure.com/#{organization}/_apis/packaging/feeds/#{feed_id}/nuget/packages/#{package_id}/versions/#{package_version}/content?sourceProtocolVersion=nuget&api-version=7.0-preview"
+        else
+          "https://pkgs.dev.azure.com/#{organization}/#{project}/_apis/packaging/feeds/#{feed_id}/nuget/packages/#{package_id}/versions/#{package_version}/content?sourceProtocolVersion=nuget&api-version=7.0-preview"
+        end
+      end
+
+      def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
+        base_url = repository_details[:base_url].delete_suffix("/")
+        package_id_downcased = package_id.downcase
+        "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.#{package_version}.nupkg"
+      end
+
+      def self.get_nuget_v2_package_url(feed_url, package_id, package_version)
+        base_url = feed_url
+        base_url += "/" unless base_url.end_with?("/")
+        package_id_downcased = package_id.downcase
+        "#{base_url}/package/#{package_id_downcased}/#{package_version}"
+      end
+
+      def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
+        current_url = stream_url
+        current_redirects = 0
+
+        loop do
+          connection = Excon.new(current_url, persistent: true)
+
+          package_data = StringIO.new
+          response_block = lambda do |chunk, _remaining_bytes, _total_bytes|
+            package_data.write(chunk)
+          end
+
+          response = connection.request(
+            method: :get,
+            headers: auth_header,
+            response_block: response_block
+          )
+
+          if response.status == 303
+            current_redirects += 1
+            return nil if current_redirects > max_redirects
+
+            current_url = response.headers["Location"]
+          elsif response.status == 200
+            package_data.rewind
+            return package_data
+          else
+            return nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/nuspec_fetcher.rb

@@ -0,0 +1,83 @@
+# typed: true
+# frozen_string_literal: true
+
+require "nokogiri"
+require "zip"
+require "stringio"
+
+module Dependabot
+  module Nuget
+    class NuspecFetcher
+      require_relative "nupkg_fetcher"
+      require_relative "repository_finder"
+
+      def self.fetch_nuspec(dependency_urls, package_id, package_version)
+        # check all repositories for the first one that has the nuspec
+        dependency_urls.reduce(nil) do |nuspec_xml, repository_details|
+          nuspec_xml || fetch_nuspec_from_repository(repository_details, package_id, package_version)
+        end
+      end
+
+      def self.fetch_nuspec_from_repository(repository_details, package_id, package_version)
+        return unless package_id && package_version && !package_version.empty?
+
+        feed_url = repository_details[:repository_url]
+        auth_header = repository_details[:auth_header]
+
+        nuspec_xml = nil
+
+        if azure_package_feed?(feed_url)
+          # this is an azure devops url we can extract the nuspec from the nupkg
+          package_data = NupkgFetcher.fetch_nupkg_buffer_from_repository(repository_details, package_id,
+                                                                         package_version)
+          return if package_data.nil?
+
+          nuspec_string = extract_nuspec(package_data, package_id)
+          nuspec_xml = Nokogiri::XML(nuspec_string)
+        else
+          # we can use the normal nuget apis to get the nuspec and list out the dependencies
+          base_url = feed_url.gsub("/index.json", "-flatcontainer")
+          package_id_downcased = package_id.downcase
+          nuspec_url = "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.nuspec"
+
+          nuspec_response = Dependabot::RegistryClient.get(
+            url: nuspec_url,
+            headers: auth_header
+          )
+
+          return unless nuspec_response.status == 200
+
+          nuspec_response_body = remove_wrapping_zero_width_chars(nuspec_response.body)
+          nuspec_xml = Nokogiri::XML(nuspec_response_body)
+        end
+
+        nuspec_xml.remove_namespaces!
+        nuspec_xml
+      end
+
+      def self.azure_package_feed?(feed_url)
+        # if url is azure devops
+        azure_devops_regexs = [
+          %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/(?<project>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json},
+          %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)},
+          %r{https://(?<organization>[^\.\/]+)\.pkgs\.visualstudio\.com/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)}
+        ]
+        azure_devops_regexs.any? { |reg| reg.match(feed_url) }
+      end
+
+      def self.extract_nuspec(zip_stream, package_id)
+        Zip::File.open_buffer(zip_stream) do |zip|
+          nuspec_entry = zip.find { |entry| entry.name == "#{package_id}.nuspec" }
+          return nuspec_entry.get_input_stream.read if nuspec_entry
+        end
+        nil
+      end
+
+      def self.remove_wrapping_zero_width_chars(string)
+        string.force_encoding("UTF-8").encode
+              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
+              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/property_updater.rb

@@ -10,6 +10,7 @@ module Dependabot
       class PropertyUpdater
         require_relative "version_finder"
         require_relative "requirements_updater"
+        require_relative "dependency_finder"
 
         def initialize(dependency:, dependency_files:, credentials:,
                        target_version_details:, ignored_versions:,
@@ -45,9 +46,15 @@ module Dependabot
         def updated_dependencies
           raise "Update not possible!" unless update_possible?
 
-          @updated_dependencies ||=
-            dependencies_using_property.map do |dep|
-              Dependency.new(
+          @updated_dependencies ||= begin
+            dependencies = {}
+
+            dependencies_using_property.each do |dep|
+              # Only keep one copy of each dependency, the one with the highest target version.
+              visited_dependency = dependencies[dep.name.downcase]
+              next unless visited_dependency.nil? || visited_dependency.numeric_version < target_version
+
+              updated_dependency = Dependency.new(
                 name: dep.name,
                 version: target_version.to_s,
                 requirements: updated_requirements(dep),
@@ -55,7 +62,13 @@ module Dependabot
                 previous_requirements: dep.requirements,
                 package_manager: dep.package_manager
               )
+              dependencies[updated_dependency.name.downcase] = updated_dependency
+              # Add peer dependencies to the list of updated dependencies.
+              process_updated_peer_dependencies(updated_dependency, dependencies)
             end
+
+            dependencies.map { |_, dependency| dependency }
+          end
         end
 
         private
@@ -63,6 +76,20 @@ module Dependabot
         attr_reader :dependency, :dependency_files, :target_version,
                     :source_details, :credentials, :ignored_versions
 
+        def process_updated_peer_dependencies(dependency, dependencies)
+          DependencyFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).updated_peer_dependencies.each do |peer_dependency|
+            # Only keep one copy of each dependency, the one with the highest target version.
+            visited_dependency = dependencies[peer_dependency.name.downcase]
+            next unless visited_dependency.nil? || visited_dependency.numeric_version < peer_dependency.numeric_version
+
+            dependencies[peer_dependency.name.downcase] = peer_dependency
+          end
+        end
+
         def dependencies_using_property
           @dependencies_using_property ||=
             Nuget::FileParser.new(

data/lib/dependabot/nuget/update_checker/repository_finder.rb

@@ -24,6 +24,19 @@ module Dependabot
           find_dependency_urls
         end
 
+        def self.get_default_repository_details(dependency_name)
+          {
+            base_url: "https://api.nuget.org/v3-flatcontainer/",
+            repository_url: DEFAULT_REPOSITORY_URL,
+            versions_url: "https://api.nuget.org/v3-flatcontainer/" \
+                          "#{dependency_name.downcase}/index.json",
+            search_url: "https://azuresearch-usnc.nuget.org/query" \
+                        "?q=#{dependency_name.downcase}&prerelease=true&semVerLevel=2.0.0",
+            auth_header: {},
+            repository_type: "v3"
+          }
+        end
+
         private
 
         attr_reader :dependency, :credentials, :config_files
@@ -48,9 +61,11 @@ module Dependabot
 
           body = remove_wrapping_zero_width_chars(response.body)
           base_url = base_url_from_v3_metadata(JSON.parse(body))
+          resolved_base_url = base_url || repo_details.fetch(:url).gsub("/index.json", "-flatcontainer")
           search_url = search_url_from_v3_metadata(JSON.parse(body))
 
           details = {
+            base_url: resolved_base_url,
             repository_url: repo_details.fetch(:url),
             auth_header: auth_header_for_token(repo_details.fetch(:token)),
             repository_type: "v3"
@@ -85,9 +100,16 @@ module Dependabot
         end
 
         def search_url_from_v3_metadata(metadata)
+          # allowable values from here: https://learn.microsoft.com/en-us/nuget/api/search-query-service-resource#versioning
+          allowed_search_types = %w(
+            SearchQueryService
+            SearchQueryService/3.0.0-beta
+            SearchQueryService/3.0.0-rc
+            SearchQueryService/3.5.0
+          )
           metadata
             .fetch("resources", [])
-            .find { |r| r.fetch("@type") == "SearchQueryService" }
+            .find { |r| allowed_search_types.find { |s| r.fetch("@type") == s } }
             &.fetch("@id")
         end
 
@@ -101,6 +123,7 @@ module Dependabot
           base_url ||= repo_details.fetch(:url)
 
           {
+            base_url: base_url,
             repository_url: base_url,
             versions_url: File.join(
               base_url,
@@ -157,6 +180,8 @@ module Dependabot
           base_sources = [{ url: DEFAULT_REPOSITORY_URL, key: "nuget.org" }]
 
           sources = []
+
+          # regular package sources
           doc.css("configuration > packageSources").children.each do |node|
             if node.name == "clear"
               sources.clear
@@ -167,6 +192,15 @@ module Dependabot
               sources << { url: url, key: key }
             end
           end
+
+          # signed package sources
+          # https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#trustedsigners-section
+          doc.xpath("/configuration/trustedSigners/repository").each do |node|
+            name = node.attribute("name")&.value&.strip
+            service_index = node.attribute("serviceIndex")&.value&.strip
+            sources << { url: service_index, key: name }
+          end
+
           sources += base_sources # TODO: quirky overwrite behavior
           disabled_sources = disabled_sources(doc)
           sources.reject! do |s|
@@ -190,15 +224,7 @@ module Dependabot
         # rubocop:enable Metrics/CyclomaticComplexity
 
         def default_repository_details
-          {
-            repository_url: DEFAULT_REPOSITORY_URL,
-            versions_url: "https://api.nuget.org/v3-flatcontainer/" \
-                          "#{dependency.name.downcase}/index.json",
-            search_url: "https://azuresearch-usnc.nuget.org/query" \
-                        "?q=#{dependency.name.downcase}&prerelease=true&semVerLevel=2.0.0",
-            auth_header: {},
-            repository_type: "v3"
-          }
+          RepositoryFinder.get_default_repository_details(dependency.name)
         end
 
         # rubocop:disable Metrics/PerceivedComplexity

data/lib/dependabot/nuget/update_checker/tfm_comparer.rb

@@ -0,0 +1,31 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/nuget/version"
+require "dependabot/nuget/requirement"
+require "dependabot/nuget/native_helpers"
+require "dependabot/nuget/update_checker"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class TfmComparer
+        def self.are_frameworks_compatible?(project_tfms, package_tfms)
+          return false if package_tfms.empty?
+          return false if project_tfms.empty?
+
+          key = "project_ftms:#{project_tfms.sort.join(',')}:package_tfms:#{package_tfms.sort.join(',')}".downcase
+
+          @cached_framework_check ||= {}
+          unless @cached_framework_check.key?(key)
+            @cached_framework_check[key] =
+              NativeHelpers.run_nuget_framework_check(project_tfms,
+                                                      package_tfms)
+          end
+          @cached_framework_check[key]
+        end
+      end
+    end
+  end
+end