dependabot-nuget 0.242.1 → 0.243.0

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -27,6 +27,8 @@ module Dependabot
 
         PROJECT_REFERENCE_SELECTOR = "ItemGroup > ProjectReference"
 
+        PROJECT_FILE_SELECTOR = "ItemGroup > ProjectFile"
+
         PACKAGE_REFERENCE_SELECTOR = "ItemGroup > PackageReference, " \
                                      "ItemGroup > GlobalPackageReference"
 
@@ -56,6 +58,24 @@ module Dependabot
           cache[key] ||= parse_dependencies(project_file)
         end
 
+        def downstream_file_references(project_file:)
+          file_set = Set.new
+
+          doc = Nokogiri::XML(project_file.content)
+          doc.remove_namespaces!
+          proj_refs = doc.css(PROJECT_REFERENCE_SELECTOR)
+          proj_files = doc.css(PROJECT_FILE_SELECTOR)
+          ref_nodes = proj_refs + proj_files
+          ref_nodes.each do |project_reference_node|
+            dep_file = get_attribute_value(project_reference_node, "Include")
+            full_project_path = full_path(project_file, dep_file)
+            full_project_path = full_project_path[1..-1] if full_project_path.start_with?("/")
+            file_set << full_project_path if full_project_path
+          end
+
+          file_set
+        end
+
         def target_frameworks(project_file:)
           target_framework = details_for_property("TargetFramework", project_file)
           return [target_framework&.fetch(:value)] if target_framework
@@ -80,6 +100,21 @@ module Dependabot
 
         attr_reader :dependency_files, :credentials
 
+        def full_path(project_file, ref_path)
+          project_file_directory = File.dirname(project_file.name)
+          is_rooted = project_file_directory.start_with?("/")
+          # Root the directory path to avoid expand_path prepending the working directory
+          project_file_directory = "/" + project_file_directory unless is_rooted
+
+          # normalize path separators
+          relative_path = ref_path.tr("\\", "/")
+          # path is relative to the project file directory
+          relative_path = File.join(project_file_directory, relative_path)
+          result = File.expand_path(relative_path)
+          result = result[1..-1] unless is_rooted
+          result
+        end
+
         def parse_dependencies(project_file)
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
@@ -131,27 +166,20 @@ module Dependabot
         end
 
         def add_transitive_dependencies_from_project_references(project_file, doc, dependency_set)
-          project_file_directory = File.dirname(project_file.name)
-          is_rooted = project_file_directory.start_with?("/")
-          # Root the directory path to avoid expand_path prepending the working directory
-          project_file_directory = "/" + project_file_directory unless is_rooted
-
           # Look for regular project references
-          doc.css(PROJECT_REFERENCE_SELECTOR).each do |reference_node|
+          project_refs = doc.css(PROJECT_REFERENCE_SELECTOR)
+          # Look for ProjectFile references (dirs.proj)
+          project_files = doc.css(PROJECT_FILE_SELECTOR)
+          ref_nodes = project_refs + project_files
+
+          ref_nodes.each do |reference_node|
             relative_path = dependency_name(reference_node, project_file)
             # This could result from a <ProjectReference Remove="..." /> item.
             next unless relative_path
 
-            # normalize path separators
-            relative_path = relative_path.tr("\\", "/")
-            # path is relative to the project file directory
-            relative_path = File.join(project_file_directory, relative_path)
+            full_project_path = full_path(project_file, relative_path)
 
-            # get absolute path
-            full_path = File.expand_path(relative_path)
-            full_path = full_path[1..-1] unless is_rooted
-
-            referenced_file = dependency_files.find { |f| f.name == full_path }
+            referenced_file = dependency_files.find { |f| f.name == full_project_path }
             next unless referenced_file
 
             dependency_set(project_file: referenced_file).dependencies.each do |dep|
@@ -279,14 +307,12 @@ module Dependabot
         end
 
         def dependency_has_search_results?(dependency)
-          dependency_urls = UpdateChecker::RepositoryFinder.new(
+          dependency_urls = RepositoryFinder.new(
             dependency: dependency,
             credentials: credentials,
             config_files: nuget_configs
           ).dependency_urls
-          if dependency_urls.empty?
-            dependency_urls = [UpdateChecker::RepositoryFinder.get_default_repository_details(dependency.name)]
-          end
+          dependency_urls = [RepositoryFinder.get_default_repository_details(dependency.name)] if dependency_urls.empty?
           dependency_urls.any? do |dependency_url|
             dependency_url_has_matching_result?(dependency.name, dependency_url)
           end

data/lib/dependabot/nuget/file_parser.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -6,12 +6,15 @@ require "nokogiri"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "sorbet-runtime"
 
 # For details on how dotnet handles version constraints, see:
 # https://docs.microsoft.com/en-us/nuget/reference/package-versioning
 module Dependabot
   module Nuget
     class FileParser < Dependabot::FileParsers::Base
+      extend T::Sig
+
       require "dependabot/file_parsers/base/dependency_set"
       require_relative "file_parser/project_file_parser"
       require_relative "file_parser/packages_config_parser"
@@ -20,6 +23,7 @@ module Dependabot
 
       PACKAGE_CONF_DEPENDENCY_SELECTOR = "packages > packages"
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = DependencySet.new
         dependency_set += project_file_dependencies
@@ -31,6 +35,7 @@ module Dependabot
 
       private
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def project_file_dependencies
         dependency_set = DependencySet.new
 
@@ -42,6 +47,7 @@ module Dependabot
         dependency_set
       end
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def packages_config_dependencies
         dependency_set = DependencySet.new
 
@@ -53,26 +59,32 @@ module Dependabot
         dependency_set
       end
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def global_json_dependencies
         return DependencySet.new unless global_json
 
         GlobalJsonParser.new(global_json: global_json).dependency_set
       end
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def dotnet_tools_json_dependencies
         return DependencySet.new unless dotnet_tools_json
 
         DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set
       end
 
+      sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }
       def project_file_parser
-        @project_file_parser ||=
+        @project_file_parser ||= T.let(
           ProjectFileParser.new(
             dependency_files: dependency_files,
             credentials: credentials
-          )
+          ),
+          T.nilable(Dependabot::Nuget::FileParser::ProjectFileParser)
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         projfile = /\.([a-z]{2})?proj$/
         packageprops = /[Dd]irectory.[Pp]ackages.props/
@@ -83,12 +95,14 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def packages_config_files
         dependency_files.select do |f|
           f.name.split("/").last&.casecmp("packages.config")&.zero?
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_import_files
         dependency_files -
           project_files -
@@ -98,18 +112,22 @@ module Dependabot
           [dotnet_tools_json]
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def nuget_configs
         dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
         dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
         dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
       end
 
+      sig { override.void }
       def check_required_files
         return if project_files.any? || packages_config_files.any?
 

data/lib/dependabot/nuget/file_updater.rb

@@ -5,10 +5,13 @@ require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/nuget/native_helpers"
+require "sorbet-runtime"
 
 module Dependabot
   module Nuget
     class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
       require_relative "file_updater/property_value_updater"
       require_relative "file_parser/project_file_parser"
       require_relative "file_parser/dotnet_tools_json_parser"
@@ -54,6 +57,7 @@ module Dependabot
 
       def try_update_projects(dependency)
         update_ran = T.let(false, T::Boolean)
+        checked_files = Set.new
 
         # run update for each project file
         project_files.each do |project_file|
@@ -62,9 +66,17 @@ module Dependabot
 
           next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
 
-          NativeHelpers.run_nuget_updater_tool(repo_root: repo_contents_path, proj_path: proj_path,
-                                               dependency: dependency, is_transitive: !dependency.top_level?,
-                                               credentials: credentials)
+          next unless repo_contents_path
+
+          checked_key = "#{project_file.name}-#{dependency.name}#{dependency.version}"
+          call_nuget_updater_tool(dependency, proj_path) unless checked_files.include?(checked_key)
+
+          checked_files.add(checked_key)
+          # We need to check the downstream references even though we're already evaluated the file
+          downstream_files = project_file_parser.downstream_file_references(project_file: project_file)
+          downstream_files.each do |downstream_file|
+            checked_files.add("#{downstream_file}-#{dependency.name}#{dependency.version}")
+          end
           update_ran = true
         end
 
@@ -79,15 +91,39 @@ module Dependabot
           project_file = project_files.first
           proj_path = dependency_file_path(project_file)
 
-          NativeHelpers.run_nuget_updater_tool(repo_root: repo_contents_path, proj_path: proj_path,
-                                               dependency: dependency, is_transitive: !dependency.top_level?,
-                                               credentials: credentials)
+          return false unless repo_contents_path
+
+          call_nuget_updater_tool(dependency, proj_path)
           return true
         end
 
         false
       end
 
+      sig { params(dependency: Dependency, proj_path: String).void }
+      def call_nuget_updater_tool(dependency, proj_path)
+        NativeHelpers.run_nuget_updater_tool(repo_root: T.must(repo_contents_path), proj_path: proj_path,
+                                             dependency: dependency, is_transitive: !dependency.top_level?,
+                                             credentials: credentials)
+
+        # Tests need to track how many times we call the tooling updater to ensure we don't recurse needlessly
+        # Ideally we should find a way to not run this code in prod
+        # (or a better way to track calls made to NativeHelpers)
+        @update_tooling_calls ||= {}
+        key = proj_path + dependency.name
+        if @update_tooling_calls[key]
+          @update_tooling_calls[key] += 1
+        else
+          @update_tooling_calls[key] = 1
+        end
+      end
+
+      # Don't call this from outside tests, we're only checking that we aren't recursing needlessly
+      sig { returns(T.nilable(T::Hash[String, Integer])) }
+      def testonly_update_tooling_calls
+        @update_tooling_calls
+      end
+
       def project_dependencies(project_file)
         # Collect all dependencies from the project file and associated packages.config
         dependencies = project_file_parser.dependency_set(project_file: project_file).dependencies

data/lib/dependabot/nuget/native_helpers.rb

@@ -1,11 +1,17 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "shellwords"
+require "sorbet-runtime"
+
 require_relative "nuget_config_credential_helpers"
 
 module Dependabot
   module Nuget
     module NativeHelpers
+      extend T::Sig
+
+      sig { returns(String) }
       def self.native_helpers_root
         helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
         return File.join(helpers_root, "nuget") unless helpers_root.nil?
@@ -13,9 +19,10 @@ module Dependabot
         File.expand_path("../../../helpers", __dir__)
       end
 
+      sig { params(project_tfms: T::Array[String], package_tfms: T::Array[String]).returns(T::Boolean) }
       def self.run_nuget_framework_check(project_tfms, package_tfms)
         exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
-        command = [
+        command_parts = [
           exe_path,
           "framework-check",
           "--project-tfms",
@@ -23,7 +30,8 @@ module Dependabot
           "--package-tfms",
           *package_tfms,
           "--verbose"
-        ].join(" ")
+        ]
+        command = Shellwords.join(command_parts)
 
         fingerprint = [
           exe_path,
@@ -48,9 +56,18 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/MethodLength
+      sig do
+        params(
+          repo_root: String,
+          proj_path: String,
+          dependency: Dependency,
+          is_transitive: T::Boolean,
+          credentials: T::Array[T.untyped]
+        ).void
+      end
       def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency:, is_transitive:, credentials:)
         exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
-        command = [
+        command_parts = [
           exe_path,
           "update",
           "--repo-root",
@@ -63,9 +80,11 @@ module Dependabot
           dependency.version,
           "--previous-version",
           dependency.previous_version,
-          is_transitive ? "--transitive" : "",
+          is_transitive ? "--transitive" : nil,
           "--verbose"
-        ].join(" ")
+        ].compact
+
+        command = Shellwords.join(command_parts)
 
         fingerprint = [
           exe_path,
@@ -80,9 +99,9 @@ module Dependabot
           "<new-version>",
           "--previous-version",
           "<previous-version>",
-          is_transitive ? "--transitive" : "",
+          is_transitive ? "--transitive" : nil,
           "--verbose"
-        ].join(" ")
+        ].compact.join(" ")
 
         puts "running NuGet updater:\n" + command
 

data/lib/dependabot/nuget/nuget_client.rb

@@ -1,12 +1,19 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/nuget/cache_manager"
 require "dependabot/nuget/update_checker/repository_finder"
+require "sorbet-runtime"
 
 module Dependabot
   module Nuget
     class NugetClient
+      extend T::Sig
+
+      sig do
+        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
+          .returns(T.nilable(T::Set[String]))
+      end
       def self.get_package_versions(dependency_name, repository_details)
         repository_type = repository_details.fetch(:repository_type)
         if repository_type == "v3"
@@ -18,6 +25,10 @@ module Dependabot
         end
       end
 
+      sig do
+        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
+          .returns(T.nilable(T::Set[String]))
+      end
       private_class_method def self.get_package_versions_v3(dependency_name, repository_details)
         # Use the registration URL if possible because it is fast and correct
         if repository_details[:registration_url]
@@ -28,9 +39,15 @@ module Dependabot
         # Otherwise, use the versions URL (fast but wrong because it includes unlisted versions)
         elsif repository_details[:versions_url]
           get_versions_from_versions_url_v3(repository_details)
+        else
+          raise "No version sources were available for #{dependency_name} in #{repository_details}"
         end
       end
 
+      sig do
+        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
+          .returns(T.nilable(T::Set[String]))
+      end
       private_class_method def self.get_package_versions_v2(dependency_name, repository_details)
         doc = execute_xml_nuget_request(repository_details.fetch(:versions_url), repository_details)
         return unless doc
@@ -49,34 +66,33 @@ module Dependabot
         matching_versions
       end
 
+      sig { params(repository_details: T::Hash[Symbol, String]).returns(T.nilable(T::Set[String])) }
       private_class_method def self.get_versions_from_versions_url_v3(repository_details)
-        body = execute_json_nuget_request(repository_details[:versions_url], repository_details)
-        body&.fetch("versions")
+        body = execute_json_nuget_request(repository_details.fetch(:versions_url), repository_details)
+        ver_array = T.let(body&.fetch("versions"), T.nilable(T::Array[String]))
+        ver_array&.to_set
       end
 
+      sig { params(repository_details: T::Hash[Symbol, String]).returns(T.nilable(T::Set[String])) }
       private_class_method def self.get_versions_from_registration_v3(repository_details)
-        url = repository_details[:registration_url]
+        url = repository_details.fetch(:registration_url)
         body = execute_json_nuget_request(url, repository_details)
 
         return unless body
 
         pages = body.fetch("items")
-        versions = Set.new
+        versions = T.let(Set.new, T::Set[String])
         pages.each do |page|
           items = page["items"]
           if items
             # inlined entries
-            items.each do |item|
-              catalog_entry = item["catalogEntry"]
-              if catalog_entry["listed"] == true
-                vers = catalog_entry["version"]
-                versions << vers
-              end
-            end
+            get_versions_from_inline_page(items, versions)
           else
             # paged entries
             page_url = page["@id"]
             page_body = execute_json_nuget_request(page_url, repository_details)
+            next unless page_body
+
             items = page_body.fetch("items")
             items.each do |item|
               catalog_entry = item.fetch("catalogEntry")
@@ -88,8 +104,27 @@ module Dependabot
         versions
       end
 
+      sig { params(items: T::Array[T::Hash[String, T.untyped]], versions: T::Set[String]).void }
+      private_class_method def self.get_versions_from_inline_page(items, versions)
+        items.each do |item|
+          catalog_entry = item["catalogEntry"]
+
+          # a package is considered listed if the `listed` property is either `true` or missing
+          listed_property = catalog_entry["listed"]
+          is_listed = listed_property.nil? || listed_property == true
+          if is_listed
+            vers = catalog_entry["version"]
+            versions << vers
+          end
+        end
+      end
+
+      sig do
+        params(repository_details: T::Hash[Symbol, String], dependency_name: String)
+          .returns(T.nilable(T::Set[String]))
+      end
       private_class_method def self.get_versions_from_search_url_v3(repository_details, dependency_name)
-        search_url = repository_details[:search_url]
+        search_url = repository_details.fetch(:search_url)
         body = execute_json_nuget_request(search_url, repository_details)
 
         body&.fetch("data")
@@ -98,11 +133,14 @@ module Dependabot
             &.map { |d| d.fetch("version") }
       end
 
+      sig do
+        params(url: String, repository_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(Nokogiri::XML::Document))
+      end
       private_class_method def self.execute_xml_nuget_request(url, repository_details)
         response = execute_nuget_request_internal(
           url: url,
-          auth_header: repository_details[:auth_header],
-          repository_url: repository_details[:repository_url]
+          auth_header: repository_details.fetch(:auth_header),
+          repository_url: repository_details.fetch(:repository_url)
         )
         return unless response.status == 200
 
@@ -111,11 +149,16 @@ module Dependabot
         doc
       end
 
+      sig do
+        params(url: String,
+               repository_details: T::Hash[Symbol, T.untyped])
+          .returns(T.nilable(T::Hash[T.untyped, T.untyped]))
+      end
       private_class_method def self.execute_json_nuget_request(url, repository_details)
         response = execute_nuget_request_internal(
           url: url,
-          auth_header: repository_details[:auth_header],
-          repository_url: repository_details[:repository_url]
+          auth_header: repository_details.fetch(:auth_header),
+          repository_url: repository_details.fetch(:repository_url)
         )
         return unless response.status == 200
 
@@ -123,11 +166,10 @@ module Dependabot
         JSON.parse(body)
       end
 
-      private_class_method def self.execute_nuget_request_internal(
-        url: String,
-        auth_header: String,
-        repository_url: String
-      )
+      sig do
+        params(url: String, auth_header: T::Hash[Symbol, T.untyped], repository_url: String).returns(Excon::Response)
+      end
+      private_class_method def self.execute_nuget_request_internal(url:, auth_header:, repository_url:)
         cache = CacheManager.cache("dependency_url_search_cache")
         if cache[url].nil?
           response = Dependabot::RegistryClient.get(
@@ -147,11 +189,12 @@ module Dependabot
         response
       rescue Excon::Error::Timeout, Excon::Error::Socket
         repo_url = repository_url
-        raise if repo_url == Dependabot::Nuget::UpdateChecker::RepositoryFinder::DEFAULT_REPOSITORY_URL
+        raise if repo_url == Dependabot::Nuget::RepositoryFinder::DEFAULT_REPOSITORY_URL
 
         raise PrivateSourceTimedOut, repo_url
       end
 
+      sig { params(string: String).returns(String) }
       private_class_method def self.remove_wrapping_zero_width_chars(string)
         string.force_encoding("UTF-8").encode
               .gsub(/\A[\u200B-\u200D\uFEFF]/, "")

data/lib/dependabot/nuget/nuget_config_credential_helpers.rb

@@ -55,17 +55,21 @@ module Dependabot
         File.rename(temporary_nuget_config_path, user_nuget_config_path)
       end
 
-      # rubocop:disable Lint/SuppressedException
       def self.patch_nuget_config_for_action(credentials, &_block)
         add_credentials_to_nuget_config(credentials)
         begin
           yield
-        rescue StandardError
+        rescue StandardError => e
+          Dependabot.logger.error(
+            <<~LOG_MESSAGE
+              Block argument of NuGetConfigCredentialHelpers::patch_nuget_config_for_action causes an exception #{e}:
+              #{e.message}
+            LOG_MESSAGE
+          )
         ensure
           restore_user_nuget_config
         end
       end
-      # rubocop:enable Lint/SuppressedException
     end
   end
 end