dependabot-nuget 0.244.0 → 0.246.0

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/MSBuildHelperTests.cs

@@ -36,7 +36,9 @@ public class MSBuildHelperTests
         };
 
         // Act
-        var rootValue = MSBuildHelper.GetRootedValue(projectContents, propertyInfo);
+        var (resultType, evaluatedValue, _) = MSBuildHelper.GetEvaluatedValue(projectContents, propertyInfo);
+
+        Assert.Equal(MSBuildHelper.EvaluationResultType.Success, resultType);
 
         // Assert
         Assert.Equal("""
@@ -48,7 +50,7 @@ public class MSBuildHelperTests
                     <PackageReference Include="Newtonsoft.Json" Version="1.1.1" />
                 </ItemGroup>
             </Project>
-            """, rootValue);
+            """, evaluatedValue);
     }
 
     [Fact(Timeout = 1000)]
@@ -74,10 +76,11 @@ public class MSBuildHelperTests
         await Task.Delay(1);
 
         // Act
-        var ex = Assert.Throws<InvalidDataException>(() => MSBuildHelper.GetRootedValue(projectContents, propertyInfo));
+        var (resultType, _, errorMessage) = MSBuildHelper.GetEvaluatedValue(projectContents, propertyInfo);
 
         // Assert
-        Assert.Equal("Property 'PackageVersion1' has a circular reference.", ex.Message);
+        Assert.Equal(MSBuildHelper.EvaluationResultType.CircularReference, resultType);
+        Assert.Equal("Property 'PackageVersion1' has a circular reference.", errorMessage);
     }
 
     [Theory]

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -408,10 +408,6 @@ module Dependabot
                 version = dependency_version(package_node, file)
                 next unless name && version
 
-                version = Version.new(version)
-                existing_version = package_versions[name]
-                next if existing_version && existing_version > version
-
                 package_versions[name] = version
               end
             end

data/lib/dependabot/nuget/file_parser.rb

@@ -30,7 +30,21 @@ module Dependabot
         dependency_set += packages_config_dependencies
         dependency_set += global_json_dependencies if global_json
         dependency_set += dotnet_tools_json_dependencies if dotnet_tools_json
-        dependency_set.dependencies
+
+        (dependencies, deps_with_unresolved_versions) = dependency_set.dependencies.partition do |d|
+          # try to parse the version; don't care about result, just that it succeeded
+          _ = Version.new(d.version)
+          true
+        rescue ArgumentError
+          # version could not be parsed
+          false
+        end
+
+        deps_with_unresolved_versions.each do |d|
+          Dependabot.logger.warn "Dependency '#{d.name}' excluded due to unparsable version: #{d.version}"
+        end
+
+        dependencies
       end
 
       private

data/lib/dependabot/nuget/http_response_helpers.rb

@@ -0,0 +1,14 @@
+# typed: true
+# frozen_string_literal: true
+
+module Dependabot
+  module Nuget
+    module HttpResponseHelpers
+      def self.remove_wrapping_zero_width_chars(string)
+        string.force_encoding("UTF-8").encode
+              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
+              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/metadata_finder.rb

@@ -17,8 +17,10 @@ module Dependabot
       def look_up_source
         return Source.from_url(dependency_source_url) if dependency_source_url
 
-        src_repo = look_up_source_in_nuspec(dependency_nuspec_file)
-        return src_repo if src_repo
+        if dependency_nuspec_file
+          src_repo = look_up_source_in_nuspec(dependency_nuspec_file)
+          return src_repo if src_repo
+        end
 
         # Fallback to getting source from the search result's projectUrl or licenseUrl.
         # GitHub Packages doesn't support getting the `.nuspec`, switch to getting
@@ -113,6 +115,8 @@ module Dependabot
       def dependency_nuspec_file
         return @dependency_nuspec_file unless @dependency_nuspec_file.nil?
 
+        return if dependency_nuspec_url.nil?
+
         response = Dependabot::RegistryClient.get(
           url: dependency_nuspec_url,
           headers: auth_header

data/lib/dependabot/nuget/native_helpers.rb

@@ -45,7 +45,7 @@ module Dependabot
 
         puts "running NuGet updater:\n" + command
 
-        output = SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        output = SharedHelpers.run_shell_command(command, allow_unsafe_shell_command: true, fingerprint: fingerprint)
         puts output
 
         # Exit code == 0 means that all project frameworks are compatible
@@ -55,17 +55,11 @@ module Dependabot
         false
       end
 
-      # rubocop:disable Metrics/MethodLength
       sig do
-        params(
-          repo_root: String,
-          proj_path: String,
-          dependency: Dependency,
-          is_transitive: T::Boolean,
-          credentials: T::Array[T.untyped]
-        ).void
+        params(repo_root: String, proj_path: String, dependency: Dependency,
+               is_transitive: T::Boolean).returns([String, String])
       end
-      def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency:, is_transitive:, credentials:)
+      def self.get_nuget_updater_tool_command(repo_root:, proj_path:, dependency:, is_transitive:)
         exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
         command_parts = [
           exe_path,
@@ -103,14 +97,29 @@ module Dependabot
           "--verbose"
         ].compact.join(" ")
 
+        [command, fingerprint]
+      end
+
+      sig do
+        params(
+          repo_root: String,
+          proj_path: String,
+          dependency: Dependency,
+          is_transitive: T::Boolean,
+          credentials: T::Array[Dependabot::Credential]
+        ).void
+      end
+      def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency:, is_transitive:, credentials:)
+        (command, fingerprint) = get_nuget_updater_tool_command(repo_root: repo_root, proj_path: proj_path,
+                                                                dependency: dependency, is_transitive: is_transitive)
+
         puts "running NuGet updater:\n" + command
 
         NuGetConfigCredentialHelpers.patch_nuget_config_for_action(credentials) do
-          output = SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+          output = SharedHelpers.run_shell_command(command, allow_unsafe_shell_command: true, fingerprint: fingerprint)
           puts output
         end
       end
-      # rubocop:enable Metrics/MethodLength
     end
   end
 end

data/lib/dependabot/nuget/nuget_client.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "dependabot/nuget/cache_manager"
+require "dependabot/nuget/http_response_helpers"
 require "dependabot/nuget/update_checker/repository_finder"
 require "sorbet-runtime"
 
@@ -52,14 +53,15 @@ module Dependabot
         doc = execute_xml_nuget_request(repository_details.fetch(:versions_url), repository_details)
         return unless doc
 
-        id_nodes = doc.xpath("/feed/entry/properties/Id")
+        # v2 APIs can differ, but all tested have this title value set to the name of the package
+        title_nodes = doc.xpath("/feed/entry/title")
         matching_versions = Set.new
-        id_nodes.each do |id_node|
-          return nil unless id_node.text
+        title_nodes.each do |title_node|
+          return nil unless title_node.text
 
-          next unless id_node.text.casecmp?(dependency_name)
+          next unless title_node.text.casecmp?(dependency_name)
 
-          version_node = id_node.parent.xpath("Version")
+          version_node = title_node.parent.xpath("properties/Version")
           matching_versions << version_node.text if version_node && version_node.text
         end
 
@@ -162,7 +164,7 @@ module Dependabot
         )
         return unless response.status == 200
 
-        body = remove_wrapping_zero_width_chars(response.body)
+        body = HttpResponseHelpers.remove_wrapping_zero_width_chars(response.body)
         JSON.parse(body)
       end
 
@@ -193,13 +195,6 @@ module Dependabot
 
         raise PrivateSourceTimedOut, repo_url
       end
-
-      sig { params(string: String).returns(String) }
-      private_class_method def self.remove_wrapping_zero_width_chars(string)
-        string.force_encoding("UTF-8").encode
-              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
-              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
-      end
     end
   end
 end

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -37,19 +37,29 @@ module Dependabot
           key = "#{dependency.name.downcase}::#{dependency.version}"
           cache = DependencyFinder.transitive_dependencies_cache
 
-          cache[key] ||= fetch_transitive_dependencies(
-            @dependency.name,
-            @dependency.version
-          ).map do |dependency_info|
-            package_name = dependency_info["packageName"]
-            target_version = dependency_info["version"]
-
-            Dependency.new(
-              name: package_name,
-              version: target_version.to_s,
-              requirements: [], # Empty requirements for transitive dependencies
-              package_manager: @dependency.package_manager
-            )
+          unless cache[key]
+            begin
+              # first do a quick sanity check on the version string; if it can't be parsed, an exception will be raised
+              _ = Version.new(dependency.version)
+
+              cache[key] = fetch_transitive_dependencies(
+                @dependency.name,
+                @dependency.version
+              ).map do |dependency_info|
+                package_name = dependency_info["packageName"]
+                target_version = dependency_info["version"]
+
+                Dependency.new(
+                  name: package_name,
+                  version: target_version.to_s,
+                  requirements: [], # Empty requirements for transitive dependencies
+                  package_manager: @dependency.package_manager
+                )
+              end
+            rescue StandardError
+              # if anything happened above, there are no meaningful dependencies that can be derived
+              cache[key] = []
+            end
           end
 
           cache[key]

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -4,6 +4,7 @@
 require "nokogiri"
 require "zip"
 require "stringio"
+require "dependabot/nuget/http_response_helpers"
 
 module Dependabot
   module Nuget
@@ -24,7 +25,7 @@ module Dependabot
         repository_type = repository_details[:repository_type]
 
         package_url = if repository_type == "v2"
-                        get_nuget_v2_package_url(feed_url, package_id, package_version)
+                        get_nuget_v2_package_url(repository_details, package_id, package_version)
                       elsif repository_type == "v3"
                         get_nuget_v3_package_url(repository_details, package_id, package_version)
                       else
@@ -43,16 +44,66 @@ module Dependabot
       end
 
       def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
-        base_url = repository_details[:base_url].delete_suffix("/")
+        base_url = repository_details[:base_url]
+        unless base_url
+          return get_nuget_v3_package_url_from_search(repository_details, package_id,
+                                                      package_version)
+        end
+
+        base_url = base_url.delete_suffix("/")
         package_id_downcased = package_id.downcase
         "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.#{package_version}.nupkg"
       end
 
-      def self.get_nuget_v2_package_url(feed_url, package_id, package_version)
-        base_url = feed_url
-        base_url += "/" unless base_url.end_with?("/")
-        package_id_downcased = package_id.downcase
-        "#{base_url}/package/#{package_id_downcased}/#{package_version}"
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/PerceivedComplexity
+      def self.get_nuget_v3_package_url_from_search(repository_details, package_id, package_version)
+        search_url = repository_details[:search_url]
+        return nil unless search_url
+
+        # get search result
+        search_result_response = fetch_url(search_url, repository_details)
+        return nil unless search_result_response.status == 200
+
+        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(search_result_response.body)
+        search_results = JSON.parse(search_response_body)
+
+        # find matching package and version
+        package_search_result = search_results&.[]("data")&.find { |d| package_id.casecmp?(d&.[]("id")) }
+        version_search_result = package_search_result&.[]("versions")&.find do |v|
+          package_version.casecmp?(v&.[]("version"))
+        end
+        registration_leaf_url = version_search_result&.[]("@id")
+        return nil unless registration_leaf_url
+
+        registration_leaf_response = fetch_url(registration_leaf_url, repository_details)
+        return nil unless registration_leaf_response
+        return nil unless registration_leaf_response.status == 200
+
+        registration_leaf_response_body =
+          HttpResponseHelpers.remove_wrapping_zero_width_chars(registration_leaf_response.body)
+        registration_leaf = JSON.parse(registration_leaf_response_body)
+
+        # finally, get the .nupkg url
+        registration_leaf&.[]("packageContent")
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      def self.get_nuget_v2_package_url(repository_details, package_id, package_version)
+        # get package XML
+        base_url = repository_details[:base_url].delete_suffix("/")
+        package_url = "#{base_url}/Packages(Id='#{package_id}',Version='#{package_version}')"
+        response = fetch_url(package_url, repository_details)
+        return nil unless response.status == 200
+
+        # find relevant element
+        doc = Nokogiri::XML(response.body)
+        doc.remove_namespaces!
+
+        content_element = doc.xpath("/entry/content")
+        nupkg_url = content_element&.attribute("src")&.value
+        nupkg_url
       end
 
       def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
@@ -73,19 +124,32 @@ module Dependabot
             response_block: response_block
           )
 
-          if response.status == 303 || response.status == 307
+          # redirect the HTTP response as appropriate based on documentation here:
+          # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
+          case response.status
+          when 200
+            package_data.rewind
+            return package_data
+          when 301, 302, 303, 307, 308
             current_redirects += 1
             return nil if current_redirects > max_redirects
 
             current_url = response.headers["Location"]
-          elsif response.status == 200
-            package_data.rewind
-            return package_data
           else
             return nil
           end
         end
       end
+
+      def self.fetch_url(url, repository_details)
+        cache = CacheManager.cache("nupkg_fetcher_cache")
+        cache[url] ||= Dependabot::RegistryClient.get(
+          url: url,
+          headers: repository_details.fetch(:auth_header)
+        )
+
+        cache[url]
+      end
     end
   end
 end

data/lib/dependabot/nuget/update_checker/repository_finder.rb

@@ -7,6 +7,7 @@ require "dependabot/errors"
 require "dependabot/update_checkers/base"
 require "dependabot/registry_client"
 require "dependabot/nuget/cache_manager"
+require "dependabot/nuget/http_response_helpers"
 
 module Dependabot
   module Nuget
@@ -75,15 +76,14 @@ module Dependabot
         check_repo_response(response, repo_details)
         return unless response.status == 200
 
-        body = remove_wrapping_zero_width_chars(response.body)
+        body = HttpResponseHelpers.remove_wrapping_zero_width_chars(response.body)
         parsed_json = JSON.parse(body)
         base_url = base_url_from_v3_metadata(parsed_json)
-        resolved_base_url = base_url || repo_details.fetch(:url).gsub("/index.json", "-flatcontainer")
         search_url = search_url_from_v3_metadata(parsed_json)
         registration_url = registration_url_from_v3_metadata(parsed_json)
 
         details = {
-          base_url: resolved_base_url,
+          base_url: base_url,
           repository_url: repo_details.fetch(:url),
           auth_header: auth_header_for_token(repo_details.fetch(:token)),
           repository_type: "v3"
@@ -171,7 +171,7 @@ module Dependabot
           base_url: base_url,
           repository_url: base_url,
           versions_url: File.join(
-            base_url,
+            base_url.delete_suffix("/"),
             "FindPackagesById()?id='#{dependency.name}'"
           ),
           auth_header: auth_header_for_token(repo_details.fetch(:token)),
@@ -330,12 +330,6 @@ module Dependabot
         end
       end
 
-      def remove_wrapping_zero_width_chars(string)
-        string.force_encoding("UTF-8").encode
-              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
-              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
-      end
-
       def auth_header_for_token(token)
         return {} unless token
 

data/lib/dependabot/nuget/update_checker.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "dependabot/nuget/file_parser"
@@ -66,9 +66,8 @@ module Dependabot
         # If any requirements have an uninterpolated property in them then
         # that property couldn't be found, and the requirement therefore
         # cannot be unlocked (since we can't update that property)
-        namespace = Nuget::FileParser::PropertyValueFinder
         dependency.requirements.none? do |req|
-          req.fetch(:requirement)&.match?(namespace::PROPERTY_REGEX)
+          req.fetch(:requirement)&.match?(Nuget::FileParser::PropertyValueFinder::PROPERTY_REGEX)
         end
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.244.0
+  version: 0.246.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 2024-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.244.0
+        version: 0.246.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.244.0
+        version: 0.246.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -292,8 +292,8 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TemporaryDirectory.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TestExtensions.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/PackagesConfigUpdaterTests.cs
-- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorker.DirsProj.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTestBase.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.DirsProj.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.DotNetTools.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.GlobalJson.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.Mixed.cs
@@ -302,7 +302,6 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/JsonHelperTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/MSBuildHelperTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/SdkPackageUpdaterHelperTests.cs
-- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/SdkPackageUpdaterTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Dependency.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/DependencyType.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/BuildFile.cs
@@ -349,6 +348,7 @@ files:
 - lib/dependabot/nuget/file_parser/property_value_finder.rb
 - lib/dependabot/nuget/file_updater.rb
 - lib/dependabot/nuget/file_updater/property_value_updater.rb
+- lib/dependabot/nuget/http_response_helpers.rb
 - lib/dependabot/nuget/metadata_finder.rb
 - lib/dependabot/nuget/native_helpers.rb
 - lib/dependabot/nuget/nuget_client.rb
@@ -371,7 +371,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.244.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.246.0
 post_install_message: 
 rdoc_options: []
 require_paths: