dependabot-nuget 0.237.0 → 0.239.0

data/lib/dependabot/nuget/update_checker/tfm_finder.rb

@@ -0,0 +1,127 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+require "nokogiri"
+
+require "dependabot/nuget/version"
+require "dependabot/nuget/requirement"
+require "dependabot/nuget/native_helpers"
+require "dependabot/nuget/update_checker"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class TfmFinder
+        require "dependabot/nuget/file_parser/packages_config_parser"
+        require "dependabot/nuget/file_parser/project_file_parser"
+
+        def initialize(dependency_files:, credentials:)
+          @dependency_files       = dependency_files
+          @credentials            = credentials
+        end
+
+        def frameworks(dependency)
+          tfms = Set.new
+          tfms += project_file_tfms(dependency)
+          tfms += project_import_file_tfms
+          tfms.to_a
+        end
+
+        private
+
+        attr_reader :dependency_files, :credentials
+
+        def project_file_tfms(dependency)
+          project_files_with_dependency(dependency).flat_map do |file|
+            project_file_parser.target_frameworks(project_file: file)
+          end
+        end
+
+        def project_files_with_dependency(dependency)
+          project_files.select do |file|
+            packages_config_contains_dependency?(file, dependency) ||
+              project_file_contains_dependency?(file, dependency)
+          end
+        end
+
+        def packages_config_contains_dependency?(file, dependency)
+          config_file = find_packages_config_file(file)
+          return false unless config_file
+
+          config_parser = FileParser::PackagesConfigParser.new(packages_config: config_file)
+          config_parser.dependency_set.dependencies.any? do |d|
+            d.name.casecmp(dependency.name).zero?
+          end
+        end
+
+        def project_file_contains_dependency?(file, dependency)
+          project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
+            d.name.casecmp(dependency.name).zero?
+          end
+        end
+
+        def find_packages_config_file(file)
+          return file if file.name.end_with?("packages.config")
+
+          filename = File.basename(file.name)
+          search_path = file.name.sub(filename, "packages.config")
+
+          dependency_files.find { |f| f.name.casecmp(search_path).zero? }
+        end
+
+        def project_import_file_tfms
+          @project_import_file_tfms ||= project_import_files.flat_map do |file|
+            project_file_parser.target_frameworks(project_file: file)
+          end
+        end
+
+        def project_file_parser
+          @project_file_parser ||=
+            FileParser::ProjectFileParser.new(
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
+        end
+
+        def project_files
+          projfile = /\.[a-z]{2}proj$/
+          packageprops = /[Dd]irectory.[Pp]ackages.props/
+
+          dependency_files.select do |df|
+            df.name.match?(projfile) ||
+              df.name.match?(packageprops)
+          end
+        end
+
+        def packages_config_files
+          dependency_files.select do |f|
+            f.name.split("/").last.casecmp("packages.config").zero?
+          end
+        end
+
+        def project_import_files
+          dependency_files -
+            project_files -
+            packages_config_files -
+            nuget_configs -
+            [global_json] -
+            [dotnet_tools_json]
+        end
+
+        def nuget_configs
+          dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
+        end
+
+        def global_json
+          dependency_files.find { |f| f.name.casecmp("global.json").zero? }
+        end
+
+        def dotnet_tools_json
+          dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json").zero? }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -1,19 +1,16 @@
 # typed: false
 # frozen_string_literal: true
 
-require "excon"
-require "nokogiri"
-
 require "dependabot/nuget/version"
 require "dependabot/nuget/requirement"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/nuget/update_checker"
-require "dependabot/shared_helpers"
 
 module Dependabot
   module Nuget
     class UpdateChecker
       class VersionFinder
+        require_relative "compatibility_checker"
         require_relative "repository_finder"
 
         NUGET_RANGE_REGEX = /[\(\[].*,.*[\)\]]/
@@ -35,7 +32,8 @@ module Dependabot
               possible_versions = versions
               possible_versions = filter_prereleases(possible_versions)
               possible_versions = filter_ignored_versions(possible_versions)
-              possible_versions.max_by { |hash| hash.fetch(:version) }
+
+              find_highest_compatible_version(possible_versions)
             end
         end
 
@@ -50,7 +48,7 @@ module Dependabot
               possible_versions = filter_ignored_versions(possible_versions)
               possible_versions = filter_lower_versions(possible_versions)
 
-              possible_versions.min_by { |hash| hash.fetch(:version) }
+              find_lowest_compatible_version(possible_versions)
             end
         end
 
@@ -63,6 +61,49 @@ module Dependabot
 
         private
 
+        def find_highest_compatible_version(possible_versions)
+          # sorted versions descending
+          sorted_versions = possible_versions.sort_by { |v| v.fetch(:version) }.reverse
+          find_compatible_version(sorted_versions)
+        end
+
+        def find_lowest_compatible_version(possible_versions)
+          # sorted versions ascending
+          sorted_versions = possible_versions.sort_by { |v| v.fetch(:version) }
+          find_compatible_version(sorted_versions)
+        end
+
+        def find_compatible_version(sorted_versions)
+          # By checking the first version separately, we can avoid additional network requests
+          first_version = sorted_versions.first
+          return unless first_version
+          # If the current package version is incompatible, then we don't enforce compatibility.
+          # It could appear incompatible because they are ignoring NU1701 or the package is poorly authored.
+          return first_version unless version_compatible?(dependency.version)
+          return first_version if version_compatible?(first_version.fetch(:version))
+
+          sorted_versions.bsearch { |v| version_compatible?(v.fetch(:version)) }
+        end
+
+        def version_compatible?(version)
+          str_version_compatible?(version.to_s)
+        end
+
+        def str_version_compatible?(version)
+          compatibility_checker.compatible?(version)
+        end
+
+        def compatibility_checker
+          @compatibility_checker ||= CompatibilityChecker.new(
+            dependency_urls: dependency_urls,
+            dependency: dependency,
+            tfm_finder: TfmFinder.new(
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
+          )
+        end
+
         def filter_prereleases(possible_versions)
           possible_versions.reject do |d|
             version = d.fetch(:version)

data/lib/dependabot/nuget/update_checker.rb

@@ -11,16 +11,19 @@ module Dependabot
       require_relative "update_checker/version_finder"
       require_relative "update_checker/property_updater"
       require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/dependency_finder"
 
       def latest_version
+        # No need to find latest version for transitive dependencies unless they have a vulnerability.
+        return dependency.version if !dependency.top_level? && !vulnerable?
+
         @latest_version = latest_version_details&.fetch(:version)
       end
 
       def latest_resolvable_version
-        # TODO: Check version resolution!
-        return nil if version_comes_from_multi_dependency_property?
-
-        latest_version
+        # We always want a full unlock since any package update could update peer dependencies as well.
+        # To force a full unlock instead of an own unlock, we return nil.
+        nil
       end
 
       def lowest_security_fix_version
@@ -41,13 +44,16 @@ module Dependabot
       def updated_requirements
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: preferred_resolvable_version&.to_s,
-          source_details: preferred_version_details
+          latest_version: preferred_resolvable_version_details.fetch(:version)&.to_s,
+          source_details: preferred_resolvable_version_details
                           &.slice(:nuspec_url, :repo_url, :source_url)
         ).updated_requirements
       end
 
       def up_to_date?
+        # No need to update transitive dependencies unless they have a vulnerability.
+        return true if !dependency.top_level? && !vulnerable?
+
         # If any requirements have an uninterpolated property in them then
         # that property couldn't be found, and we assume that the dependency
         # is up-to-date
@@ -68,14 +74,42 @@ module Dependabot
 
       private
 
+      def preferred_resolvable_version_details
+        # If this dependency is vulnerable, prefer trying to update to the
+        # lowest_resolvable_security_fix_version. Otherwise update all the way
+        # to the latest_resolvable_version.
+        return lowest_security_fix_version_details if vulnerable?
+
+        latest_version_details
+      end
+
       def latest_version_resolvable_with_full_unlock?
-        return false unless version_comes_from_multi_dependency_property?
+        # We always want a full unlock since any package update could update peer dependencies as well.
+        return true unless version_comes_from_multi_dependency_property?
 
         property_updater.update_possible?
       end
 
       def updated_dependencies_after_full_unlock
-        property_updater.updated_dependencies
+        return property_updater.updated_dependencies if version_comes_from_multi_dependency_property?
+
+        puts "Finding updated dependencies for #{dependency.name}."
+
+        updated_dependency = Dependency.new(
+          name: dependency.name,
+          version: latest_version&.to_s,
+          requirements: updated_requirements,
+          previous_version: dependency.version,
+          previous_requirements: dependency.requirements,
+          package_manager: dependency.package_manager
+        )
+        updated_dependencies = [updated_dependency]
+        updated_dependencies += DependencyFinder.new(
+          dependency: updated_dependency,
+          dependency_files: dependency_files,
+          credentials: credentials
+        ).updated_peer_dependencies
+        updated_dependencies
       end
 
       def preferred_version_details

data/lib/dependabot/nuget.rb

@@ -24,3 +24,5 @@ Dependabot::Dependency.register_production_check(
     groups.include?("dependencies")
   end
 )
+
+Dependabot::Utils.register_always_clone("nuget")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.237.0
+  version: 0.239.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-21 00:00:00.000000000 Z
+date: 2023-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,34 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.237.0
+        version: 0.239.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.237.0
+        version: 0.239.0
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.3.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.3.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +134,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -215,6 +235,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/dependabot/nuget.rb
+- lib/dependabot/nuget/cache_manager.rb
 - lib/dependabot/nuget/file_fetcher.rb
 - lib/dependabot/nuget/file_fetcher/import_paths_finder.rb
 - lib/dependabot/nuget/file_fetcher/sln_project_paths_finder.rb
@@ -225,15 +246,20 @@ files:
 - lib/dependabot/nuget/file_parser/project_file_parser.rb
 - lib/dependabot/nuget/file_parser/property_value_finder.rb
 - lib/dependabot/nuget/file_updater.rb
-- lib/dependabot/nuget/file_updater/packages_config_declaration_finder.rb
-- lib/dependabot/nuget/file_updater/project_file_declaration_finder.rb
 - lib/dependabot/nuget/file_updater/property_value_updater.rb
 - lib/dependabot/nuget/metadata_finder.rb
+- lib/dependabot/nuget/native_helpers.rb
 - lib/dependabot/nuget/requirement.rb
 - lib/dependabot/nuget/update_checker.rb
+- lib/dependabot/nuget/update_checker/compatibility_checker.rb
+- lib/dependabot/nuget/update_checker/dependency_finder.rb
+- lib/dependabot/nuget/update_checker/nupkg_fetcher.rb
+- lib/dependabot/nuget/update_checker/nuspec_fetcher.rb
 - lib/dependabot/nuget/update_checker/property_updater.rb
 - lib/dependabot/nuget/update_checker/repository_finder.rb
 - lib/dependabot/nuget/update_checker/requirements_updater.rb
+- lib/dependabot/nuget/update_checker/tfm_comparer.rb
+- lib/dependabot/nuget/update_checker/tfm_finder.rb
 - lib/dependabot/nuget/update_checker/version_finder.rb
 - lib/dependabot/nuget/version.rb
 homepage: https://github.com/dependabot/dependabot-core
@@ -241,7 +267,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.237.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
 post_install_message: 
 rdoc_options: []
 require_paths:

data/lib/dependabot/nuget/file_updater/packages_config_declaration_finder.rb

@@ -1,70 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-
-require "nokogiri"
-require "dependabot/nuget/file_updater"
-
-module Dependabot
-  module Nuget
-    class FileUpdater
-      class PackagesConfigDeclarationFinder
-        DECLARATION_REGEX =
-          %r{<package\s[^>]*?/>|
-             <package\s[^>]*?[^/]>.*?</package>}mx
-
-        attr_reader :dependency_name, :declaring_requirement,
-                    :packages_config
-
-        def initialize(dependency_name:, packages_config:,
-                       declaring_requirement:)
-          @dependency_name        = dependency_name
-          @packages_config        = packages_config
-          @declaring_requirement  = declaring_requirement
-
-          if declaring_requirement[:file].split("/").last
-                                         .casecmp("packages.config").zero?
-            return
-          end
-
-          raise "Requirement not from packages.config!"
-        end
-
-        def declaration_strings
-          @declaration_strings ||= fetch_declaration_strings
-        end
-
-        def declaration_nodes
-          declaration_strings.map do |declaration_string|
-            Nokogiri::XML(declaration_string)
-          end
-        end
-
-        private
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        def fetch_declaration_strings
-          deep_find_declarations(packages_config.content).select do |nd|
-            node = Nokogiri::XML(nd)
-            node.remove_namespaces!
-            node = node.at_xpath("/package")
-
-            node_name = node.attribute("id")&.value&.strip ||
-                        node.at_xpath("./id")&.content&.strip
-            next false unless node_name&.downcase == dependency_name&.downcase
-
-            node_requirement = node.attribute("version")&.value&.strip ||
-                               node.at_xpath("./version")&.content&.strip
-            node_requirement == declaring_requirement.fetch(:requirement)
-          end
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def deep_find_declarations(string)
-          string.scan(DECLARATION_REGEX).flat_map do |matching_node|
-            [matching_node, *deep_find_declarations(matching_node[0..-2])]
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/file_updater/project_file_declaration_finder.rb

@@ -1,183 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-
-require "nokogiri"
-require "dependabot/nuget/file_updater"
-
-module Dependabot
-  module Nuget
-    class FileUpdater
-      class ProjectFileDeclarationFinder
-        DECLARATION_REGEX =
-          %r{
-            <PackageReference [^>]*?/>|
-            <PackageReference [^>]*?[^/]>.*?</PackageReference>|
-            <GlobalPackageReference [^>]*?/>|
-            <GlobalPackageReference [^>]*?[^/]>.*?</GlobalPackageReference>|
-            <PackageVersion [^>]*?/>|
-            <PackageVersion [^>]*?[^/]>.*?</PackageVersion>|
-            <Dependency [^>]*?/>|
-            <Dependency [^>]*?[^/]>.*?</Dependency>|
-            <DevelopmentDependency [^>]*?/>|
-            <DevelopmentDependency [^>]*?[^/]>.*?</DevelopmentDependency>
-          }mx
-        SDK_IMPORT_REGEX =
-          / <Import [^>]*?Sdk="[^"]*?"[^>]*?Version="[^"]*?"[^>]*?>
-          | <Import [^>]*?Version="[^"]*?"[^>]*?Sdk="[^"]*?"[^>]*?>
-          /mx
-        SDK_PROJECT_REGEX =
-          / <Project [^>]*?Sdk="[^"]*?"[^>]*?>
-          /mx
-        SDK_SDK_REGEX =
-          / <Sdk [^>]*?Name="[^"]*?"[^>]*?Version="[^"]*?"[^>]*?>
-          | <Sdk [^>]*?Version="[^"]*?"[^>]*?Name="[^"]*?"[^>]*?>
-          /mx
-
-        attr_reader :dependency_name, :declaring_requirement,
-                    :dependency_files
-
-        def initialize(dependency_name:, dependency_files:,
-                       declaring_requirement:)
-          @dependency_name       = dependency_name
-          @dependency_files      = dependency_files
-          @declaring_requirement = declaring_requirement
-        end
-
-        def declaration_strings
-          @declaration_strings ||= fetch_declaration_strings
-          @declaration_strings += fetch_sdk_strings
-        end
-
-        def declaration_nodes
-          declaration_strings.map do |declaration_string|
-            Nokogiri::XML(declaration_string)
-          end
-        end
-
-        private
-
-        def get_element_from_node(node)
-          node.at_xpath("/PackageReference") ||
-            node.at_xpath("/GlobalPackageReference") ||
-            node.at_xpath("/PackageVersion") ||
-            node.at_xpath("/Dependency") ||
-            node.at_xpath("/DevelopmentDependency")
-        end
-
-        # rubocop:disable Metrics/CyclomaticComplexity
-        # rubocop:disable Metrics/PerceivedComplexity
-        def fetch_declaration_strings
-          deep_find_declarations(declaring_file.content).select do |nd|
-            node = Nokogiri::XML(nd)
-            node.remove_namespaces!
-            node = get_element_from_node(node)
-
-            node_name = node.attribute("Include")&.value&.strip ||
-                        node.at_xpath("./Include")&.content&.strip ||
-                        node.attribute("Update")&.value&.strip ||
-                        node.at_xpath("./Update")&.content&.strip
-            next false unless node_name&.downcase == dependency_name&.downcase
-
-            node_requirement = get_node_version_value(node)
-            node_requirement == declaring_requirement.fetch(:requirement)
-          end
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-        # rubocop:enable Metrics/CyclomaticComplexity
-
-        def fetch_sdk_strings
-          sdk_project_strings + sdk_sdk_strings + sdk_import_strings
-        end
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        def get_node_version_value(node)
-          attribute = "Version"
-          node.attribute(attribute)&.value&.strip ||
-            node.at_xpath("./#{attribute}")&.content&.strip ||
-            node.attribute(attribute.downcase)&.value&.strip ||
-            node.at_xpath("./#{attribute.downcase}")&.content&.strip
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def deep_find_declarations(string)
-          string.scan(DECLARATION_REGEX).flat_map do |matching_node|
-            [matching_node, *deep_find_declarations(matching_node[0..-2])]
-          end
-        end
-
-        def declaring_file
-          filename = declaring_requirement.fetch(:file)
-          declaring_file = dependency_files.find { |f| f.name == filename }
-          return declaring_file if declaring_file
-
-          raise "No file found with name #{filename}!"
-        end
-
-        def sdk_import_strings
-          sdk_strings(SDK_IMPORT_REGEX, "Import", "Sdk", "Version")
-        end
-
-        def parse_element(string, name)
-          xml = string
-          xml += "</#{name}>" unless string.end_with?("/>")
-          node = Nokogiri::XML(xml)
-          node.remove_namespaces!
-          node.at_xpath("/#{name}")
-        end
-
-        def get_attribute_value_nocase(element, name)
-          value = element.attribute(name)&.value ||
-                  element.attribute(name.downcase)&.value ||
-                  element.attribute(name.upcase)&.value
-          value&.strip
-        end
-
-        def desired_sdk_reference?(sdk_reference, dep_name, dep_version)
-          parts = sdk_reference.split("/")
-          parts.length == 2 && parts[0]&.downcase == dep_name && parts[1] == dep_version
-        end
-
-        def sdk_project_strings
-          dep_name = dependency_name&.downcase
-          dep_version = declaring_requirement.fetch(:requirement)
-          strings = []
-          declaring_file.content.scan(SDK_PROJECT_REGEX).each do |string|
-            element = parse_element(string, "Project")
-            next unless element
-
-            sdk_references = get_attribute_value_nocase(element, "Sdk")
-            next unless sdk_references&.include?("/")
-
-            sdk_references.split(";").each do |sdk_reference|
-              strings << sdk_reference if desired_sdk_reference?(sdk_reference, dep_name, dep_version)
-            end
-          end
-          strings.uniq
-        end
-
-        def sdk_sdk_strings
-          sdk_strings(SDK_SDK_REGEX, "Sdk", "Name", "Version")
-        end
-
-        def sdk_strings(regex, element_name, name_attribute, version_attribute)
-          dep_name = dependency_name&.downcase
-          dep_version = declaring_requirement.fetch(:requirement)
-          strings = []
-          declaring_file.content.scan(regex).each do |string|
-            element = parse_element(string, element_name)
-            next unless element
-
-            node_name = get_attribute_value_nocase(element, name_attribute)&.downcase
-            next unless node_name == dep_name
-
-            node_version = get_attribute_value_nocase(element, version_attribute)
-            next unless node_version == dep_version
-
-            strings << string
-          end
-          strings
-        end
-      end
-    end
-  end
-end