dependabot-nuget 0.242.1 → 0.243.0

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -5,80 +5,84 @@ require "dependabot/update_checkers/base"
 
 module Dependabot
   module Nuget
-    class UpdateChecker < Dependabot::UpdateCheckers::Base
-      class CompatibilityChecker
-        require_relative "nuspec_fetcher"
-        require_relative "nupkg_fetcher"
-        require_relative "tfm_finder"
-        require_relative "tfm_comparer"
-
-        def initialize(dependency_urls:, dependency:, tfm_finder:)
-          @dependency_urls = dependency_urls
-          @dependency = dependency
-          @tfm_finder = tfm_finder
-        end
+    class CompatibilityChecker
+      require_relative "nuspec_fetcher"
+      require_relative "nupkg_fetcher"
+      require_relative "tfm_finder"
+      require_relative "tfm_comparer"
+
+      def initialize(dependency_urls:, dependency:, tfm_finder:)
+        @dependency_urls = dependency_urls
+        @dependency = dependency
+        @tfm_finder = tfm_finder
+      end
 
-        def compatible?(version)
-          nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
-          return false unless nuspec_xml
+      def compatible?(version)
+        nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
+        return false unless nuspec_xml
 
-          # development dependencies are packages such as analyzers which need to be
-          # compatible with the compiler not the project itself.
-          return true if development_dependency?(nuspec_xml)
+        # development dependencies are packages such as analyzers which need to be compatible with the compiler not the
+        # project itself, but some packages that report themselves as development dependencies still contain target
+        # framework dependencies and should be checked for compatibility through the regular means
+        return true if pure_development_dependency?(nuspec_xml)
 
-          package_tfms = parse_package_tfms(nuspec_xml)
-          package_tfms = fetch_package_tfms(version) if package_tfms.empty?
-          # nil is a special return value that indicates that the package is likely a development dependency
-          return true if package_tfms.nil?
-          return false if package_tfms.empty?
+        package_tfms = parse_package_tfms(nuspec_xml)
+        package_tfms = fetch_package_tfms(version) if package_tfms.empty?
+        # nil is a special return value that indicates that the package is likely a development dependency
+        return true if package_tfms.nil?
+        return false if package_tfms.empty?
 
-          return false if project_tfms.nil? || project_tfms.empty?
+        return false if project_tfms.nil? || project_tfms.empty?
 
-          TfmComparer.are_frameworks_compatible?(project_tfms, package_tfms)
-        end
+        TfmComparer.are_frameworks_compatible?(project_tfms, package_tfms)
+      end
 
-        private
+      private
 
-        attr_reader :dependency_urls, :dependency, :tfm_finder
+      attr_reader :dependency_urls, :dependency, :tfm_finder
 
-        def development_dependency?(nuspec_xml)
-          contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
-          return false unless contents
+      def pure_development_dependency?(nuspec_xml)
+        contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
+        return false unless contents # no `developmentDependency` element
 
-          contents.casecmp("true").zero?
-        end
+        self_reports_as_development_dependency = contents.casecmp?("true")
+        return false unless self_reports_as_development_dependency
 
-        def parse_package_tfms(nuspec_xml)
-          nuspec_xml.xpath("//dependencies/group").map do |group|
-            group.attribute("targetFramework")
-          end
-        end
+        # even though a package self-reports as a development dependency, it might not be if it has dependency groups
+        # with a target framework
+        dependency_groups_with_target_framework =
+          nuspec_xml.at_xpath("/package/metadata/dependencies/group[@targetFramework]")
+        dependency_groups_with_target_framework.to_a.empty?
+      end
+
+      def parse_package_tfms(nuspec_xml)
+        nuspec_xml.xpath("//dependencies/group").filter_map { |group| group.attribute("targetFramework") }
+      end
 
-        def project_tfms
-          return @project_tfms if defined?(@project_tfms)
+      def project_tfms
+        return @project_tfms if defined?(@project_tfms)
 
-          @project_tfms = tfm_finder.frameworks(dependency)
-        end
+        @project_tfms = tfm_finder.frameworks(dependency)
+      end
 
-        def fetch_package_tfms(dependency_version)
-          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-          return [] unless nupkg_buffer
-
-          # Parse tfms from the folders beneath the lib folder
-          folder_name = "lib/"
-          tfms = Set.new
-          Zip::File.open_buffer(nupkg_buffer) do |zip|
-            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-            # If there is no lib folder in this package, assume it is a development dependency
-            return nil if lib_file_entries.empty?
-
-            lib_file_entries.each do |entry|
-              _, tfm = entry.name.split("/").first(2)
-              tfms << tfm
-            end
+      def fetch_package_tfms(dependency_version)
+        nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
+        return [] unless nupkg_buffer
+
+        # Parse tfms from the folders beneath the lib folder
+        folder_name = "lib/"
+        tfms = Set.new
+        Zip::File.open_buffer(nupkg_buffer) do |zip|
+          lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
+          # If there is no lib folder in this package, assume it is a development dependency
+          return nil if lib_file_entries.empty?
+
+          lib_file_entries.each do |entry|
+            _, tfm = entry.name.split("/").first(2)
+            tfms << tfm
           end
-          tfms.to_a
         end
+        tfms.to_a
       end
     end
   end

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -121,12 +121,12 @@ module Dependabot
 
         def dependency_urls
           @dependency_urls ||=
-            UpdateChecker::RepositoryFinder.new(
+            RepositoryFinder.new(
               dependency: @dependency,
               credentials: @credentials,
               config_files: nuget_configs
             ).dependency_urls
-                                           .select { |url| url.fetch(:repository_type) == "v3" }
+                            .select { |url| url.fetch(:repository_type) == "v3" }
         end
 
         def fetch_transitive_dependencies(package_id, package_version)

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -73,7 +73,7 @@ module Dependabot
             response_block: response_block
           )
 
-          if response.status == 303
+          if response.status == 303 || response.status == 307
             current_redirects += 1
             return nil if current_redirects > max_redirects
 

data/lib/dependabot/nuget/update_checker/nuspec_fetcher.rb

@@ -26,17 +26,9 @@ module Dependabot
 
         nuspec_xml = nil
 
-        if azure_package_feed?(feed_url)
-          # this is an azure devops url we can extract the nuspec from the nupkg
-          package_data = NupkgFetcher.fetch_nupkg_buffer_from_repository(repository_details, package_id,
-                                                                         package_version)
-          return if package_data.nil?
-
-          nuspec_string = extract_nuspec(package_data, package_id)
-          nuspec_xml = Nokogiri::XML(nuspec_string)
-        else
+        if feed_supports_nuspec_download?(feed_url)
           # we can use the normal nuget apis to get the nuspec and list out the dependencies
-          base_url = feed_url.gsub("/index.json", "-flatcontainer")
+          base_url = repository_details[:base_url].delete_suffix("/")
           package_id_downcased = package_id.downcase
           nuspec_url = "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.nuspec"
 
@@ -47,22 +39,32 @@ module Dependabot
 
           return unless nuspec_response.status == 200
 
-          nuspec_response_body = remove_wrapping_zero_width_chars(nuspec_response.body)
+          nuspec_response_body = remove_invalid_characters(nuspec_response.body)
           nuspec_xml = Nokogiri::XML(nuspec_response_body)
+        else
+          # no guarantee we can directly query the .nuspec; fall back to extracting it from the .nupkg
+          package_data = NupkgFetcher.fetch_nupkg_buffer_from_repository(repository_details, package_id,
+                                                                         package_version)
+          return if package_data.nil?
+
+          nuspec_string = extract_nuspec(package_data, package_id)
+          nuspec_xml = Nokogiri::XML(nuspec_string)
         end
 
         nuspec_xml.remove_namespaces!
         nuspec_xml
       end
 
-      def self.azure_package_feed?(feed_url)
-        # if url is azure devops
-        azure_devops_regexs = [
+      def self.feed_supports_nuspec_download?(feed_url)
+        feed_regexs = [
+          # nuget
+          %r{https://api\.nuget\.org/v3/index\.json},
+          # azure devops
           %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/(?<project>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json},
           %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)},
           %r{https://(?<organization>[^\.\/]+)\.pkgs\.visualstudio\.com/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)}
         ]
-        azure_devops_regexs.any? { |reg| reg.match(feed_url) }
+        feed_regexs.any? { |reg| reg.match(feed_url) }
       end
 
       def self.extract_nuspec(zip_stream, package_id)
@@ -73,8 +75,11 @@ module Dependabot
         nil
       end
 
-      def self.remove_wrapping_zero_width_chars(string)
-        string.force_encoding("UTF-8").encode
+      def self.remove_invalid_characters(string)
+        string.dup
+              .force_encoding(Encoding::UTF_8)
+              .encode
+              .scrub("")
               .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
               .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
       end