dependabot-nuget 0.245.0 → 0.247.0

data/lib/dependabot/nuget/file_parser.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -30,7 +30,21 @@ module Dependabot
         dependency_set += packages_config_dependencies
         dependency_set += global_json_dependencies if global_json
         dependency_set += dotnet_tools_json_dependencies if dotnet_tools_json
-        dependency_set.dependencies
+
+        (dependencies, deps_with_unresolved_versions) = dependency_set.dependencies.partition do |d|
+          # try to parse the version; don't care about result, just that it succeeded
+          _ = Version.new(d.version)
+          true
+        rescue ArgumentError
+          # version could not be parsed
+          false
+        end
+
+        deps_with_unresolved_versions.each do |d|
+          Dependabot.logger.warn "Dependency '#{d.name}' excluded due to unparsable version: #{d.version}"
+        end
+
+        dependencies
       end
 
       private
@@ -63,14 +77,14 @@ module Dependabot
       def global_json_dependencies
         return DependencySet.new unless global_json
 
-        GlobalJsonParser.new(global_json: global_json).dependency_set
+        GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set
       end
 
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def dotnet_tools_json_dependencies
         return DependencySet.new unless dotnet_tools_json
 
-        DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set
+        DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json)).dependency_set
       end
 
       sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }

data/lib/dependabot/nuget/file_updater/property_value_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -11,25 +11,38 @@ module Dependabot
   module Nuget
     class FileUpdater
       class PropertyValueUpdater
+        extend T::Sig
+
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
+        sig do
+          params(property_name: String,
+                 updated_value: String,
+                 callsite_file: Dependabot::DependencyFile)
+            .returns(T::Array[Dependabot::DependencyFile])
+        end
         def update_files_for_property_change(property_name:, updated_value:,
                                              callsite_file:)
           declaration_details =
-            property_value_finder
-            .property_details(
+            property_value_finder.property_details(
               property_name: property_name,
               callsite_file: callsite_file
             )
+          throw "Unable to locate property details" unless declaration_details
 
+          declaration_filename = declaration_details.fetch(:file)
           declaration_file = dependency_files.find do |f|
-            declaration_details.fetch(:file) == f.name
+            declaration_filename == f.name
           end
+          throw "Unable to locate declaration file" unless declaration_file
+
+          content = T.must(declaration_file.content)
           node = declaration_details.fetch(:node)
 
-          updated_content = declaration_file.content.sub(
+          updated_content = content.sub(
             %r{(<#{Regexp.quote(node.name)}(?:\s[^>]*)?>)
                \s*#{Regexp.quote(node.content)}\s*
                </#{Regexp.quote(node.name)}>}xm,
@@ -37,21 +50,25 @@ module Dependabot
           )
 
           files = dependency_files.dup
-          files[files.index(declaration_file)] =
+          file_index = T.must(files.index(declaration_file))
+          files[file_index] =
             update_file(file: declaration_file, content: updated_content)
           files
         end
 
         private
 
+        sig { returns(T::Array[DependencyFile]) }
         attr_reader :dependency_files
 
+        sig { returns(FileParser::PropertyValueFinder) }
         def property_value_finder
           @property_value_finder ||=
-            Nuget::FileParser::PropertyValueFinder
-            .new(dependency_files: dependency_files)
+            T.let(FileParser::PropertyValueFinder
+            .new(dependency_files: dependency_files), T.nilable(FileParser::PropertyValueFinder))
         end
 
+        sig { params(file: DependencyFile, content: String).returns(DependencyFile) }
         def update_file(file:, content:)
           updated_file = file.dup
           updated_file.content = content

data/lib/dependabot/nuget/file_updater.rb

@@ -1,10 +1,11 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/nuget/native_helpers"
+require "dependabot/shared_helpers"
 require "sorbet-runtime"
 
 module Dependabot
@@ -17,6 +18,7 @@ module Dependabot
       require_relative "file_parser/dotnet_tools_json_parser"
       require_relative "file_parser/packages_config_parser"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           %r{^[^/]*\.([a-z]{2})?proj$},
@@ -29,32 +31,33 @@ module Dependabot
         ]
       end
 
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
-        dependencies.each do |dependency|
-          try_update_projects(dependency) || try_update_json(dependency)
-        end
+        base_dir = T.must(dependency_files.first).directory
+        SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+          dependencies.each do |dependency|
+            try_update_projects(dependency) || try_update_json(dependency)
+          end
+          updated_files = dependency_files.filter_map do |f|
+            updated_content = File.read(dependency_file_path(f))
+            next if updated_content == f.content
 
-        # update all with content from disk
-        updated_files = dependency_files.filter_map do |f|
-          updated_content = File.read(dependency_file_path(f))
-          next if updated_content == f.content
+            normalized_content = normalize_content(f, updated_content)
+            next if normalized_content == f.content
 
-          normalized_content = normalize_content(f, updated_content)
-          next if normalized_content == f.content
+            next if only_deleted_lines?(f.content, normalized_content)
 
-          puts "The contents of file [#{f.name}] were updated."
+            puts "The contents of file [#{f.name}] were updated."
 
-          updated_file(file: f, content: normalized_content)
+            updated_file(file: f, content: normalized_content)
+          end
+          updated_files
         end
-
-        # reset repo files
-        SharedHelpers.reset_git_repo(T.cast(repo_contents_path, String)) if repo_contents_path
-
-        updated_files
       end
 
       private
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_projects(dependency)
         update_ran = T.let(false, T::Boolean)
         checked_files = Set.new
@@ -64,7 +67,7 @@ module Dependabot
           project_dependencies = project_dependencies(project_file)
           proj_path = dependency_file_path(project_file)
 
-          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
 
           next unless repo_contents_path
 
@@ -79,16 +82,16 @@ module Dependabot
           end
           update_ran = true
         end
-
         update_ran
       end
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_json(dependency)
-        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? } ||
-           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? } ||
+           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
 
           # We just need to feed the updater a project file, grab the first
-          project_file = project_files.first
+          project_file = T.must(project_files.first)
           proj_path = dependency_file_path(project_file)
 
           return false unless repo_contents_path
@@ -109,13 +112,14 @@ module Dependabot
         # Tests need to track how many times we call the tooling updater to ensure we don't recurse needlessly
         # Ideally we should find a way to not run this code in prod
         # (or a better way to track calls made to NativeHelpers)
-        @update_tooling_calls ||= {}
+        @update_tooling_calls ||= T.let({}, T.nilable(T::Hash[String, Integer]))
         key = proj_path + dependency.name
-        if @update_tooling_calls[key]
-          @update_tooling_calls[key] += 1
-        else
-          @update_tooling_calls[key] = 1
-        end
+        @update_tooling_calls[key] =
+          if @update_tooling_calls[key]
+            T.must(@update_tooling_calls[key]) + 1
+          else
+            1
+          end
       end
 
       # Don't call this from outside tests, we're only checking that we aren't recursing needlessly
@@ -124,6 +128,7 @@ module Dependabot
         @update_tooling_calls
       end
 
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
       def project_dependencies(project_file)
         # Collect all dependencies from the project file and associated packages.config
         dependencies = project_file_parser.dependency_set(project_file: project_file).dependencies
@@ -134,38 +139,54 @@ module Dependabot
                                                        .dependency_set.dependencies
       end
 
+      sig { params(project_file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
       def find_packages_config(project_file)
         project_file_name = File.basename(project_file.name)
         packages_config_path = project_file.name.gsub(project_file_name, "packages.config")
         packages_config_files.find { |f| f.name == packages_config_path }
       end
 
+      sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }
       def project_file_parser
         @project_file_parser ||=
-          FileParser::ProjectFileParser.new(
-            dependency_files: dependency_files,
-            credentials: credentials,
-            repo_contents_path: repo_contents_path
+          T.let(
+            FileParser::ProjectFileParser.new(
+              dependency_files: dependency_files,
+              credentials: credentials,
+              repo_contents_path: repo_contents_path
+            ),
+            T.nilable(Dependabot::Nuget::FileParser::ProjectFileParser)
           )
       end
 
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def global_json_dependencies
         return [] unless global_json
 
         @global_json_dependencies ||=
-          FileParser::GlobalJsonParser.new(global_json: global_json).dependency_set.dependencies
+          T.let(
+            FileParser::GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set.dependencies,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
 
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def dotnet_tools_json_dependencies
         return [] unless dotnet_tools_json
 
         @dotnet_tools_json_dependencies ||=
-          FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set.dependencies
+          T.let(
+            FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json))
+                                             .dependency_set.dependencies,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(dependency_file: Dependabot::DependencyFile, updated_content: String).returns(String) }
       def normalize_content(dependency_file, updated_content)
         # Fix up line endings
-        if dependency_file.content.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
+        if dependency_file.content&.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
           # The original content contain windows style newlines.
           # Ensure the updated content also uses windows style newlines.
           updated_content = updated_content.gsub(/(?<!\r)\n/, "\r\n")
@@ -178,19 +199,21 @@ module Dependabot
         end
 
         # Fix up BOM
-        if !dependency_file.content.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
+        if !dependency_file.content&.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
           updated_content = updated_content.delete_prefix("\uFEFF")
           puts "Removing BOM from [#{dependency_file.name}]."
-        elsif dependency_file.content.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
+        elsif dependency_file.content&.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
           updated_content = "\uFEFF" + updated_content
           puts "Adding BOM to [#{dependency_file.name}]."
         end
 
         updated_content
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { params(dependency_file: Dependabot::DependencyFile).returns(String) }
       def dependency_file_path(dependency_file)
-        if dependency_file.directory.start_with?(repo_contents_path)
+        if dependency_file.directory.start_with?(T.must(repo_contents_path))
           File.join(dependency_file.directory, dependency_file.name)
         else
           file_directory = dependency_file.directory
@@ -199,29 +222,42 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         dependency_files.select { |df| df.name.match?(/\.([a-z]{2})?proj$/) }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def packages_config_files
         dependency_files.select do |f|
           T.must(T.must(f.name.split("/").last).casecmp("packages.config")).zero?
         end
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
         dependency_files.find { |f| T.must(f.name.casecmp("global.json")).zero? }
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
         dependency_files.find { |f| T.must(f.name.casecmp(".config/dotnet-tools.json")).zero? }
       end
 
+      sig { override.void }
       def check_required_files
         return if project_files.any? || packages_config_files.any?
 
         raise "No project file or packages.config!"
       end
+
+      sig { params(original_content: T.nilable(String), updated_content: String).returns(T::Boolean) }
+      def only_deleted_lines?(original_content, updated_content)
+        original_lines = original_content&.lines || []
+        updated_lines = updated_content.lines
+
+        original_lines.count > updated_lines.count
+      end
     end
   end
 end

data/lib/dependabot/nuget/http_response_helpers.rb

@@ -0,0 +1,19 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    module HttpResponseHelpers
+      extend T::Sig
+
+      sig { params(string: String).returns(String) }
+      def self.remove_wrapping_zero_width_chars(string)
+        string.force_encoding("UTF-8").encode
+              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
+              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -12,13 +12,30 @@ module Dependabot
     class MetadataFinder < Dependabot::MetadataFinders::Base
       extend T::Sig
 
+      sig do
+        override
+          .params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential]
+          )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        @dependency_nuspec_file = T.let(nil, T.nilable(Nokogiri::XML::Document))
+
+        super
+      end
+
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         return Source.from_url(dependency_source_url) if dependency_source_url
 
-        src_repo = look_up_source_in_nuspec(dependency_nuspec_file)
-        return src_repo if src_repo
+        if dependency_nuspec_file
+          src_repo = look_up_source_in_nuspec(T.must(dependency_nuspec_file))
+          return src_repo if src_repo
+        end
 
         # Fallback to getting source from the search result's projectUrl or licenseUrl.
         # GitHub Packages doesn't support getting the `.nuspec`, switch to getting
@@ -31,6 +48,7 @@ module Dependabot
         nil
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def src_repo_from_project
         source = dependency.requirements.find { |r| r.fetch(:source) }&.fetch(:source)
         return unless source
@@ -58,6 +76,7 @@ module Dependabot
         # Ignored, this is expected for some registries that don't handle these request.
       end
 
+      sig { params(body: String).returns(T.nilable(String)) }
       def extract_search_url(body)
         JSON.parse(body)
             .fetch("resources", [])
@@ -65,6 +84,7 @@ module Dependabot
             &.fetch("@id")
       end
 
+      sig { params(body: String).returns(T.nilable(Dependabot::Source)) }
       def extract_source_repo(body)
         JSON.parse(body).fetch("data", []).each do |search_result|
           next unless search_result["id"].casecmp(dependency.name).zero?
@@ -82,6 +102,7 @@ module Dependabot
         nil
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
       def look_up_source_in_nuspec(nuspec)
         potential_source_urls = [
           nuspec.at_css("package > metadata > repository")
@@ -97,6 +118,7 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(String)) }
       def source_from_anywhere_in_nuspec(nuspec)
         github_urls = []
         nuspec.to_s.force_encoding(Encoding::UTF_8)
@@ -110,17 +132,21 @@ module Dependabot
         end
       end
 
+      sig { returns(T.nilable(Nokogiri::XML::Document)) }
       def dependency_nuspec_file
         return @dependency_nuspec_file unless @dependency_nuspec_file.nil?
 
+        return if dependency_nuspec_url.nil?
+
         response = Dependabot::RegistryClient.get(
-          url: dependency_nuspec_url,
+          url: T.must(dependency_nuspec_url),
           headers: auth_header
         )
 
         @dependency_nuspec_file = Nokogiri::XML(response.body)
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_nuspec_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -128,6 +154,7 @@ module Dependabot
         source.fetch(:nuspec_url) if source&.key?(:nuspec_url)
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_source_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -139,6 +166,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T::Hash[String, String]) }
       def auth_header
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)

data/lib/dependabot/nuget/nuget_client.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "dependabot/nuget/cache_manager"
+require "dependabot/nuget/http_response_helpers"
 require "dependabot/nuget/update_checker/repository_finder"
 require "sorbet-runtime"
 
@@ -20,11 +21,33 @@ module Dependabot
           get_package_versions_v3(dependency_name, repository_details)
         elsif repository_type == "v2"
           get_package_versions_v2(dependency_name, repository_details)
+        elsif repository_type == "local"
+          get_package_versions_local(dependency_name, repository_details)
         else
           raise "Unknown repository type: #{repository_type}"
         end
       end
 
+      sig do
+        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
+          .returns(T.nilable(T::Set[String]))
+      end
+      private_class_method def self.get_package_versions_local(dependency_name, repository_details)
+        url = repository_details.fetch(:base_url)
+        raise "Local repo #{url} doesn't exist or isn't a directory" unless File.exist?(url) && File.directory?(url)
+
+        package_dir = File.join(url, dependency_name)
+
+        versions = Set.new
+        return versions unless File.exist?(package_dir) && File.directory?(package_dir)
+
+        Dir.each_child(package_dir) do |child|
+          versions.add(child) if File.directory?(File.join(package_dir, child))
+        end
+
+        versions
+      end
+
       sig do
         params(dependency_name: String, repository_details: T::Hash[Symbol, String])
           .returns(T.nilable(T::Set[String]))
@@ -52,14 +75,15 @@ module Dependabot
         doc = execute_xml_nuget_request(repository_details.fetch(:versions_url), repository_details)
         return unless doc
 
-        id_nodes = doc.xpath("/feed/entry/properties/Id")
+        # v2 APIs can differ, but all tested have this title value set to the name of the package
+        title_nodes = doc.xpath("/feed/entry/title")
         matching_versions = Set.new
-        id_nodes.each do |id_node|
-          return nil unless id_node.text
+        title_nodes.each do |title_node|
+          return nil unless title_node.text
 
-          next unless id_node.text.casecmp?(dependency_name)
+          next unless title_node.text.casecmp?(dependency_name)
 
-          version_node = id_node.parent.xpath("Version")
+          version_node = title_node.parent.xpath("properties/Version")
           matching_versions << version_node.text if version_node && version_node.text
         end
 
@@ -131,6 +155,7 @@ module Dependabot
             &.find { |d| d.fetch("id").casecmp(dependency_name.downcase).zero? }
             &.fetch("versions")
             &.map { |d| d.fetch("version") }
+            &.to_set
       end
 
       sig do
@@ -162,7 +187,7 @@ module Dependabot
         )
         return unless response.status == 200
 
-        body = remove_wrapping_zero_width_chars(response.body)
+        body = HttpResponseHelpers.remove_wrapping_zero_width_chars(response.body)
         JSON.parse(body)
       end
 
@@ -193,13 +218,6 @@ module Dependabot
 
         raise PrivateSourceTimedOut, repo_url
       end
-
-      sig { params(string: String).returns(String) }
-      private_class_method def self.remove_wrapping_zero_width_chars(string)
-        string.force_encoding("UTF-8").encode
-              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
-              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
-      end
     end
   end
 end

data/lib/dependabot/nuget/requirement.rb

@@ -60,6 +60,7 @@ module Dependabot
         convert_wildcard_req(req_string)
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def convert_dotnet_range_to_ruby_range(req_string)
         lower_b, upper_b = req_string.split(",").map(&:strip).map do |bound|
           next convert_range_wildcard_req(bound) if bound.include?("*")
@@ -75,7 +76,8 @@ module Dependabot
           end
 
         upper_b =
-          if [")", "]"].include?(upper_b) then nil
+          if !upper_b then nil
+          elsif [")", "]"].include?(upper_b) then nil
           elsif upper_b.end_with?(")") then "< #{upper_b.sub(/\s*\)/, '')}"
           else
             "<= #{upper_b.sub(/\s*\]/, '').strip}"
@@ -83,6 +85,7 @@ module Dependabot
 
         [lower_b, upper_b].compact
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def convert_range_wildcard_req(req_string)
         range_end = req_string[-1]