dependabot-nuget 0.245.0 → 0.247.0

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -66,23 +66,34 @@ module Dependabot
       end
 
       def fetch_package_tfms(dependency_version)
-        nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-        return [] unless nupkg_buffer
-
-        # Parse tfms from the folders beneath the lib folder
-        folder_name = "lib/"
-        tfms = Set.new
-        Zip::File.open_buffer(nupkg_buffer) do |zip|
-          lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-          # If there is no lib folder in this package, assume it is a development dependency
-          return nil if lib_file_entries.empty?
-
-          lib_file_entries.each do |entry|
-            _, tfm = entry.name.split("/").first(2)
-            tfms << tfm
+        cache = CacheManager.cache("compatibility_checker_tfms_cache")
+        key = "#{dependency.name}::#{dependency_version}"
+
+        cache[key] ||= begin
+          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
+          return [] unless nupkg_buffer
+
+          # Parse tfms from the folders beneath the lib folder
+          folder_name = "lib/"
+          tfms = Set.new
+          Zip::File.open_buffer(nupkg_buffer) do |zip|
+            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
+            # If there is no lib folder in this package, assume it is a development dependency
+            return nil if lib_file_entries.empty?
+
+            lib_file_entries.each do |entry|
+              _, tfm = entry.name.split("/").first(2)
+
+              # some zip compressors create empty directory entries (in this case `lib/`) which can cause the string
+              # split to return `nil`, so we have to explicitly guard against that
+              tfms << tfm if tfm
+            end
           end
+
+          tfms.to_a
         end
-        tfms.to_a
+
+        cache[key]
       end
     end
   end

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -37,19 +37,29 @@ module Dependabot
           key = "#{dependency.name.downcase}::#{dependency.version}"
           cache = DependencyFinder.transitive_dependencies_cache
 
-          cache[key] ||= fetch_transitive_dependencies(
-            @dependency.name,
-            @dependency.version
-          ).map do |dependency_info|
-            package_name = dependency_info["packageName"]
-            target_version = dependency_info["version"]
-
-            Dependency.new(
-              name: package_name,
-              version: target_version.to_s,
-              requirements: [], # Empty requirements for transitive dependencies
-              package_manager: @dependency.package_manager
-            )
+          unless cache[key]
+            begin
+              # first do a quick sanity check on the version string; if it can't be parsed, an exception will be raised
+              _ = Version.new(dependency.version)
+
+              cache[key] = fetch_transitive_dependencies(
+                @dependency.name,
+                @dependency.version
+              ).map do |dependency_info|
+                package_name = dependency_info["packageName"]
+                target_version = dependency_info["version"]
+
+                Dependency.new(
+                  name: package_name,
+                  version: target_version.to_s,
+                  requirements: [], # Empty requirements for transitive dependencies
+                  package_manager: @dependency.package_manager
+                )
+              end
+            rescue StandardError
+              # if anything happened above, there are no meaningful dependencies that can be derived
+              cache[key] = []
+            end
           end
 
           cache[key]

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -4,6 +4,7 @@
 require "nokogiri"
 require "zip"
 require "stringio"
+require "dependabot/nuget/http_response_helpers"
 
 module Dependabot
   module Nuget
@@ -24,7 +25,7 @@ module Dependabot
         repository_type = repository_details[:repository_type]
 
         package_url = if repository_type == "v2"
-                        get_nuget_v2_package_url(feed_url, package_id, package_version)
+                        get_nuget_v2_package_url(repository_details, package_id, package_version)
                       elsif repository_type == "v3"
                         get_nuget_v3_package_url(repository_details, package_id, package_version)
                       else
@@ -43,16 +44,66 @@ module Dependabot
       end
 
       def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
-        base_url = repository_details[:base_url].delete_suffix("/")
+        base_url = repository_details[:base_url]
+        unless base_url
+          return get_nuget_v3_package_url_from_search(repository_details, package_id,
+                                                      package_version)
+        end
+
+        base_url = base_url.delete_suffix("/")
         package_id_downcased = package_id.downcase
         "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.#{package_version}.nupkg"
       end
 
-      def self.get_nuget_v2_package_url(feed_url, package_id, package_version)
-        base_url = feed_url
-        base_url += "/" unless base_url.end_with?("/")
-        package_id_downcased = package_id.downcase
-        "#{base_url}/package/#{package_id_downcased}/#{package_version}"
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/PerceivedComplexity
+      def self.get_nuget_v3_package_url_from_search(repository_details, package_id, package_version)
+        search_url = repository_details[:search_url]
+        return nil unless search_url
+
+        # get search result
+        search_result_response = fetch_url(search_url, repository_details)
+        return nil unless search_result_response.status == 200
+
+        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(search_result_response.body)
+        search_results = JSON.parse(search_response_body)
+
+        # find matching package and version
+        package_search_result = search_results&.[]("data")&.find { |d| package_id.casecmp?(d&.[]("id")) }
+        version_search_result = package_search_result&.[]("versions")&.find do |v|
+          package_version.casecmp?(v&.[]("version"))
+        end
+        registration_leaf_url = version_search_result&.[]("@id")
+        return nil unless registration_leaf_url
+
+        registration_leaf_response = fetch_url(registration_leaf_url, repository_details)
+        return nil unless registration_leaf_response
+        return nil unless registration_leaf_response.status == 200
+
+        registration_leaf_response_body =
+          HttpResponseHelpers.remove_wrapping_zero_width_chars(registration_leaf_response.body)
+        registration_leaf = JSON.parse(registration_leaf_response_body)
+
+        # finally, get the .nupkg url
+        registration_leaf&.[]("packageContent")
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      def self.get_nuget_v2_package_url(repository_details, package_id, package_version)
+        # get package XML
+        base_url = repository_details[:base_url].delete_suffix("/")
+        package_url = "#{base_url}/Packages(Id='#{package_id}',Version='#{package_version}')"
+        response = fetch_url(package_url, repository_details)
+        return nil unless response.status == 200
+
+        # find relevant element
+        doc = Nokogiri::XML(response.body)
+        doc.remove_namespaces!
+
+        content_element = doc.xpath("/entry/content")
+        nupkg_url = content_element&.attribute("src")&.value
+        nupkg_url
       end
 
       def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
@@ -60,32 +111,43 @@ module Dependabot
         current_redirects = 0
 
         loop do
-          connection = Excon.new(current_url, persistent: true)
-
-          package_data = StringIO.new
-          response_block = lambda do |chunk, _remaining_bytes, _total_bytes|
-            package_data.write(chunk)
-          end
-
-          response = connection.request(
-            method: :get,
+          # Directly download the stream without any additional settings _except_ for `omit_default_port: true` which
+          # is necessary to not break the URL signing that some NuGet feeds use.
+          response = Excon.get(
+            current_url,
             headers: auth_header,
-            response_block: response_block
+            omit_default_port: true
           )
 
-          if response.status == 303 || response.status == 307
+          # redirect the HTTP response as appropriate based on documentation here:
+          # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
+          case response.status
+          when 200
+            return response.body
+          when 301, 302, 303, 307, 308
             current_redirects += 1
             return nil if current_redirects > max_redirects
 
             current_url = response.headers["Location"]
-          elsif response.status == 200
-            package_data.rewind
-            return package_data
           else
             return nil
           end
         end
       end
+
+      def self.fetch_url(url, repository_details)
+        fetch_url_with_auth(url, repository_details.fetch(:auth_header))
+      end
+
+      def self.fetch_url_with_auth(url, auth_header)
+        cache = CacheManager.cache("nupkg_fetcher_cache")
+        cache[url] ||= Dependabot::RegistryClient.get(
+          url: url,
+          headers: auth_header
+        )
+
+        cache[url]
+      end
     end
   end
 end

data/lib/dependabot/nuget/update_checker/repository_finder.rb

@@ -7,6 +7,7 @@ require "dependabot/errors"
 require "dependabot/update_checkers/base"
 require "dependabot/registry_client"
 require "dependabot/nuget/cache_manager"
+require "dependabot/nuget/http_response_helpers"
 
 module Dependabot
   module Nuget
@@ -71,19 +72,33 @@ module Dependabot
       end
 
       def build_url_for_details(repo_details)
+        url = repo_details.fetch(:url)
+        url_obj = URI.parse(url)
+        if url_obj.is_a?(URI::HTTP)
+          details = build_url_for_details_remote(repo_details)
+        elsif url_obj.is_a?(URI::File)
+          details = {
+            base_url: url,
+            repository_type: "local"
+          }
+        end
+
+        details
+      end
+
+      def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
         return unless response.status == 200
 
-        body = remove_wrapping_zero_width_chars(response.body)
+        body = HttpResponseHelpers.remove_wrapping_zero_width_chars(response.body)
         parsed_json = JSON.parse(body)
         base_url = base_url_from_v3_metadata(parsed_json)
-        resolved_base_url = base_url || repo_details.fetch(:url).gsub("/index.json", "-flatcontainer")
         search_url = search_url_from_v3_metadata(parsed_json)
         registration_url = registration_url_from_v3_metadata(parsed_json)
 
         details = {
-          base_url: resolved_base_url,
+          base_url: base_url,
           repository_url: repo_details.fetch(:url),
           auth_header: auth_header_for_token(repo_details.fetch(:token)),
           repository_type: "v3"
@@ -171,7 +186,7 @@ module Dependabot
           base_url: base_url,
           repository_url: base_url,
           versions_url: File.join(
-            base_url,
+            base_url.delete_suffix("/"),
             "FindPackagesById()?id='#{dependency.name}'"
           ),
           auth_header: auth_header_for_token(repo_details.fetch(:token)),
@@ -205,6 +220,7 @@ module Dependabot
 
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
@@ -223,7 +239,14 @@ module Dependabot
             key = node.attribute("key")&.value&.strip || node.at_xpath("./key")&.content&.strip
             url = node.attribute("value")&.value&.strip || node.at_xpath("./value")&.content&.strip
             url = expand_windows_style_environment_variables(url) if url
-            sources << { url: url, key: key }
+
+            # if the path isn't absolute it's relative to the nuget.config file
+            if url
+              unless url.include?("://") || Pathname.new(url).absolute?
+                url = Pathname(config_file.directory).join(url).to_path
+              end
+              sources << { url: url, key: key }
+            end
           end
         end
 
@@ -246,14 +269,13 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
 
-        sources.select! { |s| s.fetch(:url)&.include?("://") }
-
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
 
         sources
       end
       # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
 
@@ -330,12 +352,6 @@ module Dependabot
         end
       end
 
-      def remove_wrapping_zero_width_chars(string)
-        string.force_encoding("UTF-8").encode
-              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
-              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
-      end
-
       def auth_header_for_token(token)
         return {} unless token
 

data/lib/dependabot/nuget/update_checker/tfm_finder.rb

@@ -52,13 +52,13 @@ module Dependabot
 
         config_parser = FileParser::PackagesConfigParser.new(packages_config: config_file)
         config_parser.dependency_set.dependencies.any? do |d|
-          d.name.casecmp(dependency.name).zero?
+          d.name.casecmp(dependency.name)&.zero?
         end
       end
 
       def project_file_contains_dependency?(file, dependency)
         project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
-          d.name.casecmp(dependency.name).zero?
+          d.name.casecmp(dependency.name)&.zero?
         end
       end
 

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "dependabot/nuget/version"
@@ -6,11 +6,14 @@ require "dependabot/nuget/requirement"
 require "dependabot/update_checkers/base"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/nuget/nuget_client"
+require "sorbet-runtime"
 
 module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class VersionFinder
+        extend T::Sig
+
         require_relative "compatibility_checker"
         require_relative "repository_finder"
 
@@ -109,13 +112,19 @@ module Dependabot
           )
         end
 
+        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
         def filter_prereleases(possible_versions)
-          possible_versions.reject do |d|
+          filtered = possible_versions.reject do |d|
             version = d.fetch(:version)
             version.prerelease? && !related_to_current_pre?(version)
           end
+          if possible_versions.count > filtered.count
+            Dependabot.logger.info("Filtered out #{possible_versions.count - filtered.count} pre-release versions")
+          end
+          filtered
         end
 
+        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
         def filter_ignored_versions(possible_versions)
           filtered = possible_versions
 
@@ -131,6 +140,10 @@ module Dependabot
             raise AllVersionsIgnored
           end
 
+          if possible_versions.count > filtered.count
+            Dependabot.logger.info("Filtered out #{possible_versions.count - filtered.count} ignored versions")
+          end
+
           filtered
         end
 
@@ -233,8 +246,6 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
 
         def v3_nuget_listings
-          return @v3_nuget_listings unless @v3_nuget_listings.nil?
-
           @v3_nuget_listings ||=
             dependency_urls
             .select { |details| details.fetch(:repository_type) == "v3" }
@@ -247,8 +258,6 @@ module Dependabot
         end
 
         def v2_nuget_listings
-          return @v2_nuget_listings unless @v2_nuget_listings.nil?
-
           @v2_nuget_listings ||=
             dependency_urls
             .select { |details| details.fetch(:repository_type) == "v2" }

data/lib/dependabot/nuget/update_checker.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "dependabot/nuget/file_parser"
@@ -17,7 +17,8 @@ module Dependabot
         # No need to find latest version for transitive dependencies unless they have a vulnerability.
         return dependency.version if !dependency.top_level? && !vulnerable?
 
-        @latest_version = latest_version_details&.fetch(:version)
+        # if no update sources have the requisite package, then we can only assume that the current version is correct
+        @latest_version = latest_version_details&.fetch(:version) || dependency.version
       end
 
       def latest_resolvable_version
@@ -44,9 +45,8 @@ module Dependabot
       def updated_requirements
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: preferred_resolvable_version_details.fetch(:version)&.to_s,
-          source_details: preferred_resolvable_version_details
-                          &.slice(:nuspec_url, :repo_url, :source_url)
+          latest_version: preferred_resolvable_version_details&.fetch(:version, nil)&.to_s,
+          source_details: preferred_resolvable_version_details&.slice(:nuspec_url, :repo_url, :source_url)
         ).updated_requirements
       end
 
@@ -66,9 +66,8 @@ module Dependabot
         # If any requirements have an uninterpolated property in them then
         # that property couldn't be found, and the requirement therefore
         # cannot be unlocked (since we can't update that property)
-        namespace = Nuget::FileParser::PropertyValueFinder
         dependency.requirements.none? do |req|
-          req.fetch(:requirement)&.match?(namespace::PROPERTY_REGEX)
+          req.fetch(:requirement)&.match?(Nuget::FileParser::PropertyValueFinder::PROPERTY_REGEX)
         end
       end
 

data/lib/dependabot/nuget/version.rb

@@ -17,14 +17,14 @@ module Dependabot
       VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
-      sig { override.params(version: T.nilable(T.any(String, Integer, Float, Gem::Version))).returns(T::Boolean) }
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
       def self.correct?(version)
         return false if version.nil?
 
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
 
-      sig { override.params(version: T.nilable(T.any(String, Integer, Float, Gem::Version))).void }
+      sig { override.params(version: VersionParameter).void }
       def initialize(version)
         version = version.to_s.split("+").first || ""
         @version_string = T.let(version, String)
@@ -32,6 +32,11 @@ module Dependabot
         super
       end
 
+      sig { override.params(version: VersionParameter).returns(Dependabot::Nuget::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Nuget::Version)
+      end
+
       sig { returns(String) }
       def to_s
         @version_string

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.245.0
+  version: 0.247.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-22 00:00:00.000000000 Z
+date: 2024-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.245.0
+        version: 0.247.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.245.0
+        version: 0.247.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -156,6 +156,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.19.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.27.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.27.1
 - !ruby/object:Gem::Dependency
   name: rubocop-sorbet
   requirement: !ruby/object:Gem::Requirement
@@ -292,8 +306,8 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TemporaryDirectory.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TestExtensions.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/PackagesConfigUpdaterTests.cs
-- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorker.DirsProj.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTestBase.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.DirsProj.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.DotNetTools.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.GlobalJson.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.Mixed.cs
@@ -302,7 +316,6 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/JsonHelperTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/MSBuildHelperTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/SdkPackageUpdaterHelperTests.cs
-- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/SdkPackageUpdaterTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Dependency.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/DependencyType.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/BuildFile.cs
@@ -349,6 +362,7 @@ files:
 - lib/dependabot/nuget/file_parser/property_value_finder.rb
 - lib/dependabot/nuget/file_updater.rb
 - lib/dependabot/nuget/file_updater/property_value_updater.rb
+- lib/dependabot/nuget/http_response_helpers.rb
 - lib/dependabot/nuget/metadata_finder.rb
 - lib/dependabot/nuget/native_helpers.rb
 - lib/dependabot/nuget/nuget_client.rb
@@ -371,7 +385,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.245.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.247.0
 post_install_message: 
 rdoc_options: []
 require_paths: