dependabot-nuget 0.246.0 → 0.247.0

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -40,20 +40,31 @@ module Dependabot
         PROPERTY_REGEX      = /\$\((?<property>.*?)\)/
         ITEM_REGEX          = /\@\((?<property>.*?)\)/
 
+        sig { returns(T::Hash[String, Dependabot::FileParsers::Base::DependencySet]) }
         def self.dependency_set_cache
           CacheManager.cache("project_file_dependency_set")
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.dependency_url_search_cache
           CacheManager.cache("dependency_url_search_cache")
         end
 
+        sig do
+          params(dependency_files: T::Array[DependencyFile],
+                 credentials: T::Array[Credential],
+                 repo_contents_path: T.nilable(String)).void
+        end
         def initialize(dependency_files:, credentials:, repo_contents_path:)
           @dependency_files       = dependency_files
           @credentials            = credentials
           @repo_contents_path     = repo_contents_path
         end
 
+        sig do
+          params(project_file: DependencyFile, visited_project_files: T::Set[String])
+            .returns(Dependabot::FileParsers::Base::DependencySet)
+        end
         def dependency_set(project_file:, visited_project_files: Set.new)
           key = "#{project_file.name.downcase}::#{project_file.content.hash}"
           cache = ProjectFileParser.dependency_set_cache
@@ -64,8 +75,9 @@ module Dependabot
           cache[key] ||= parse_dependencies(project_file, visited_project_files)
         end
 
+        sig { params(project_file: DependencyFile).returns(T::Set[String]) }
         def downstream_file_references(project_file:)
-          file_set = Set.new
+          file_set = T.let(Set.new, T::Set[String])
 
           doc = Nokogiri::XML(project_file.content)
           doc.remove_namespaces!
@@ -74,9 +86,11 @@ module Dependabot
           ref_nodes = proj_refs + proj_files
           ref_nodes.each do |project_reference_node|
             dep_file = get_attribute_value(project_reference_node, "Include")
+            next unless dep_file
+
             full_project_path = full_path(project_file, dep_file)
             full_project_path = full_project_path[1..-1] if full_project_path.start_with?("/")
-            full_project_paths = expand_wildcards_in_project_reference_path(full_project_path)
+            full_project_paths = expand_wildcards_in_project_reference_path(T.must(full_project_path))
             full_project_paths.each do |full_project_path_expanded|
               file_set << full_project_path_expanded if full_project_path_expanded
             end
@@ -85,30 +99,37 @@ module Dependabot
           file_set
         end
 
+        sig { params(project_file: DependencyFile).returns(T::Array[String]) }
         def target_frameworks(project_file:)
           target_framework = details_for_property("TargetFramework", project_file)
-          return [target_framework&.fetch(:value)] if target_framework
+          return [target_framework.fetch(:value)] if target_framework
 
           target_frameworks = details_for_property("TargetFrameworks", project_file)
-          return target_frameworks&.fetch(:value)&.split(";") if target_frameworks
+          return target_frameworks.fetch(:value)&.split(";") if target_frameworks
 
           target_framework = details_for_property("TargetFrameworkVersion", project_file)
           return [] unless target_framework
 
           # TargetFrameworkVersion is a string like "v4.7.2"
-          value = target_framework&.fetch(:value)
+          value = target_framework.fetch(:value)
           # convert it to a string like "net472"
           ["net#{value[1..-1].delete('.')}"]
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def nuget_configs
           dependency_files.select { |f| f.name.match?(%r{(^|/)nuget\.config$}i) }
         end
 
         private
 
-        attr_reader :dependency_files, :credentials
+        sig { returns(T::Array[DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Credential]) }
+        attr_reader :credentials
 
+        sig { params(project_file: DependencyFile, ref_path: String).returns(String) }
         def full_path(project_file, ref_path)
           project_file_directory = File.dirname(project_file.name)
           is_rooted = project_file_directory.start_with?("/")
@@ -121,9 +142,13 @@ module Dependabot
           relative_path = File.join(project_file_directory, relative_path)
           result = File.expand_path(relative_path)
           result = result[1..-1] unless is_rooted
-          result
+          T.must(result)
         end
 
+        sig do
+          params(project_file: DependencyFile, visited_project_files: T.untyped)
+            .returns(Dependabot::FileParsers::Base::DependencySet)
+        end
         def parse_dependencies(project_file, visited_project_files)
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
@@ -152,6 +177,7 @@ module Dependabot
           dependency_set
         end
 
+        sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
         def add_global_package_references(dependency_set)
           project_import_files.each do |file|
             doc = Nokogiri::XML(file.content)
@@ -169,11 +195,25 @@ module Dependabot
           end
         end
 
+        sig do
+          params(project_file: DependencyFile,
+                 doc: Nokogiri::XML::Document,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 visited_project_files: T::Set[String])
+            .void
+        end
         def add_transitive_dependencies(project_file, doc, dependency_set, visited_project_files)
           add_transitive_dependencies_from_packages(dependency_set)
           add_transitive_dependencies_from_project_references(project_file, doc, dependency_set, visited_project_files)
         end
 
+        sig do
+          params(project_file: DependencyFile,
+                 doc: Nokogiri::XML::Document,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 visited_project_files: T::Set[String])
+            .void
+        end
         def add_transitive_dependencies_from_project_references(project_file, doc, dependency_set,
                                                                 visited_project_files)
 
@@ -216,31 +256,33 @@ module Dependabot
           end
         end
 
-        sig { params(full_path: T.untyped).returns(T::Array[T.nilable(String)]) }
+        sig { params(full_path: String).returns(T::Array[T.nilable(String)]) }
         def expand_wildcards_in_project_reference_path(full_path)
-          full_path = T.let(File.join(@repo_contents_path, full_path), T.nilable(String))
-          expanded_wildcard = Dir.glob(T.must(full_path))
-
-          filtered_paths = []
+          full_path = File.join(@repo_contents_path, full_path)
 
           # For each expanded path, remove the @repo_contents_path prefix and leading slash
-          expanded_wildcard.map do |path|
+          filtered_paths = Dir.glob(full_path).map do |path|
             # Remove @repo_contents_path prefix
-            path = path.sub(@repo_contents_path, "")
+            path = path.sub(@repo_contents_path, "") if @repo_contents_path
             # Remove leading slash
             path = path[1..-1] if path.start_with?("/")
-            filtered_paths << path
             path # Return the modified path
           end
 
+          return filtered_paths if filtered_paths.any?
+
           # If the wildcard didn't match anything, strip the @repo_contents_path prefix and return the original path.
-          filtered_paths.any? ? filtered_paths : [T.must(full_path).sub(@repo_contents_path, "")[1..-1]]
+          full_path = full_path.sub(@repo_contents_path, "") if @repo_contents_path
+          full_path = full_path[1..-1] if full_path.start_with?("/")
+          [full_path]
         end
 
+        sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
         def add_transitive_dependencies_from_packages(dependency_set)
           transitive_dependencies_from_packages(dependency_set.dependencies).each { |dep| dependency_set << dep }
         end
 
+        sig { params(dependencies: T::Array[Dependency]).returns(T::Array[Dependency]) }
         def transitive_dependencies_from_packages(dependencies)
           transitive_dependencies = {}
 
@@ -261,6 +303,11 @@ module Dependabot
           transitive_dependencies.values
         end
 
+        sig do
+          params(doc: Nokogiri::XML::Document,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 project_file: DependencyFile).void
+        end
         def add_sdk_references(doc, dependency_set, project_file)
           # These come in 3 flavours:
           # - <Project Sdk="Name/Version">
@@ -273,8 +320,13 @@ module Dependabot
           add_sdk_refs_from_import_tags(doc, dependency_set, project_file)
         end
 
+        sig do
+          params(sdk_references: String,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 project_file: DependencyFile).void
+        end
         def add_sdk_ref_from_project(sdk_references, dependency_set, project_file)
-          sdk_references.split(";")&.each do |sdk_reference|
+          sdk_references.split(";").each do |sdk_reference|
             m = sdk_reference.match(PROJECT_SDK_REGEX)
             if m
               dependency = build_dependency(m[1], m[2], m[2], nil, project_file)
@@ -283,6 +335,11 @@ module Dependabot
           end
         end
 
+        sig do
+          params(doc: Nokogiri::XML::Document,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 project_file: DependencyFile).void
+        end
         def add_sdk_refs_from_import_tags(doc, dependency_set, project_file)
           doc.xpath("/Project/Import").each do |import_node|
             next unless import_node.attribute("Sdk") && import_node.attribute("Version")
@@ -295,6 +352,11 @@ module Dependabot
           end
         end
 
+        sig do
+          params(doc: Nokogiri::XML::Document,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 project_file: DependencyFile).void
+        end
         def add_sdk_refs_from_project(doc, dependency_set, project_file)
           doc.xpath("/Project").each do |project_node|
             sdk_references = project_node.attribute("Sdk")&.value&.strip
@@ -304,6 +366,11 @@ module Dependabot
           end
         end
 
+        sig do
+          params(doc: Nokogiri::XML::Document,
+                 dependency_set: Dependabot::FileParsers::Base::DependencySet,
+                 project_file: DependencyFile).void
+        end
         def add_sdk_refs_from_sdk_tags(doc, dependency_set, project_file)
           doc.xpath("/Project/Sdk").each do |sdk_node|
             next unless sdk_node.attribute("Version")
@@ -316,6 +383,15 @@ module Dependabot
           end
         end
 
+        sig do
+          params(name: T.nilable(String),
+                 req: T.nilable(String),
+                 version: T.nilable(String),
+                 prop_name: T.nilable(String),
+                 project_file: Dependabot::DependencyFile,
+                 dev: T.untyped)
+            .returns(T.nilable(Dependabot::Dependency))
+        end
         def build_dependency(name, req, version, prop_name, project_file, dev: false)
           return unless name
 
@@ -350,6 +426,7 @@ module Dependabot
           dependency
         end
 
+        sig { params(dependency: Dependency).returns(T::Boolean) }
         def dependency_has_search_results?(dependency)
           dependency_urls = RepositoryFinder.new(
             dependency: dependency,
@@ -362,11 +439,13 @@ module Dependabot
           end
         end
 
+        sig { params(dependency_name: String, dependency_url: T::Hash[Symbol, String]).returns(T.nilable(T::Boolean)) }
         def dependency_url_has_matching_result?(dependency_name, dependency_url)
           versions = NugetClient.get_package_versions(dependency_name, dependency_url)
           versions&.any?
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Node, project_file: DependencyFile).returns(T.nilable(String)) }
         def dependency_name(dependency_node, project_file)
           raw_name = get_attribute_value(dependency_node, "Include") ||
                      get_attribute_value(dependency_node, "Update")
@@ -379,6 +458,7 @@ module Dependabot
           evaluated_value(raw_name, project_file)
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Node, project_file: DependencyFile).returns(T.nilable(String)) }
         def dependency_requirement(dependency_node, project_file)
           raw_requirement = get_node_version_value(dependency_node) ||
                             find_package_version(dependency_node, project_file)
@@ -387,6 +467,7 @@ module Dependabot
           evaluated_value(raw_requirement, project_file)
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Node, project_file: DependencyFile).returns(T.nilable(String)) }
         def find_package_version(dependency_node, project_file)
           name = dependency_name(dependency_node, project_file)
           return unless name
@@ -397,28 +478,34 @@ module Dependabot
           package_version_string
         end
 
+        sig { returns(T::Hash[String, String]) }
         def package_versions
-          @package_versions ||= begin
-            package_versions = {}
-            directory_packages_props_files.each do |file|
-              doc = Nokogiri::XML(file.content)
-              doc.remove_namespaces!
-              doc.css(PACKAGE_VERSION_SELECTOR).each do |package_node|
-                name = dependency_name(package_node, file)
-                version = dependency_version(package_node, file)
-                next unless name && version
-
-                package_versions[name] = version
-              end
+          @package_versions ||= T.let(parse_package_versions, T.nilable(T::Hash[String, String]))
+        end
+
+        sig { returns(T::Hash[String, String]) }
+        def parse_package_versions
+          package_versions = T.let({}, T::Hash[String, String])
+          directory_packages_props_files.each do |file|
+            doc = Nokogiri::XML(file.content)
+            doc.remove_namespaces!
+            doc.css(PACKAGE_VERSION_SELECTOR).each do |package_node|
+              name = dependency_name(package_node, file)
+              version = dependency_version(package_node, file)
+              next unless name && version
+
+              package_versions[name] = version
             end
-            package_versions
           end
+          package_versions
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def directory_packages_props_files
           dependency_files.select { |df| df.name.match?(/[Dd]irectory.[Pp]ackages.props/) }
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Node, project_file: DependencyFile).returns(T.nilable(String)) }
         def dependency_version(dependency_node, project_file)
           requirement = dependency_requirement(dependency_node, project_file)
           return unless requirement
@@ -434,22 +521,24 @@ module Dependabot
           version
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Node).returns(T.nilable(String)) }
         def req_property_name(dependency_node)
           raw_requirement = get_node_version_value(dependency_node)
           return unless raw_requirement
 
           return unless raw_requirement.match?(PROPERTY_REGEX)
 
-          raw_requirement
-            .match(PROPERTY_REGEX)
-            .named_captures.fetch("property")
+          T.must(raw_requirement.match(PROPERTY_REGEX))
+           .named_captures.fetch("property")
         end
 
+        sig { params(node: Nokogiri::XML::Node).returns(T.nilable(String)) }
         def get_node_version_value(node)
           get_attribute_value(node, "Version") || get_attribute_value(node, "VersionOverride")
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(node: Nokogiri::XML::Node, attribute: String).returns(T.nilable(String)) }
         def get_attribute_value(node, attribute)
           value =
             node.attribute(attribute)&.value&.strip ||
@@ -461,20 +550,24 @@ module Dependabot
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { params(value: String, project_file: Dependabot::DependencyFile).returns(String) }
         def evaluated_value(value, project_file)
           return value unless value.match?(PROPERTY_REGEX)
 
-          property_name = value.match(PROPERTY_REGEX)
-                               .named_captures.fetch("property")
+          property_name = T.must(value.match(PROPERTY_REGEX)&.named_captures&.fetch("property"))
           property_details = details_for_property(property_name, project_file)
 
           # Don't halt parsing for a missing property value until we're
           # confident we're fetching property values correctly
           return value unless property_details&.fetch(:value)
 
-          value.gsub(PROPERTY_REGEX, property_details&.fetch(:value))
+          value.gsub(PROPERTY_REGEX, property_details.fetch(:value))
         end
 
+        sig do
+          params(property_name: String, project_file: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[T.untyped, T.untyped]))
+        end
         def details_for_property(property_name, project_file)
           property_value_finder
             .property_details(
@@ -483,11 +576,13 @@ module Dependabot
             )
         end
 
+        sig { returns(PropertyValueFinder) }
         def property_value_finder
           @property_value_finder ||=
-            PropertyValueFinder.new(dependency_files: dependency_files)
+            T.let(PropertyValueFinder.new(dependency_files: dependency_files), T.nilable(PropertyValueFinder))
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def project_import_files
           dependency_files -
             project_files -
@@ -497,22 +592,26 @@ module Dependabot
             [dotnet_tools_json]
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def project_files
           dependency_files.select { |f| f.name.match?(/\.[a-z]{2}proj$/) }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def packages_config_files
           dependency_files.select do |f|
-            f.name.split("/").last.casecmp("packages.config").zero?
+            f.name.split("/").last&.casecmp("packages.config")&.zero?
           end
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def global_json
-          dependency_files.find { |f| f.name.casecmp("global.json").zero? }
+          dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def dotnet_tools_json
-          dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json").zero? }
+          dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
         end
       end
     end

data/lib/dependabot/nuget/file_parser/property_value_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/nuget/file_fetcher/import_paths_finder"
@@ -11,12 +11,21 @@ module Dependabot
   module Nuget
     class FileParser
       class PropertyValueFinder
+        extend T::Sig
+
         PROPERTY_REGEX = /\$\((?<property>.*?)\)/
 
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
+        sig do
+          params(property_name: String,
+                 callsite_file: Dependabot::DependencyFile,
+                 stack: T::Array[[String, String]])
+            .returns(T.nilable(T::Hash[T.untyped, T.untyped]))
+        end
         def property_details(property_name:, callsite_file:, stack: [])
           stack += [[property_name, callsite_file.name]]
           return if property_name.include?("(")
@@ -53,12 +62,18 @@ module Dependabot
           check_next_level_of_stack(node_details, stack)
         end
 
+        sig do
+          params(node_details: T.untyped,
+                 stack: T::Array[[String, String]])
+            .returns(T.nilable(T::Hash[T.untyped, T.untyped]))
+        end
         def check_next_level_of_stack(node_details, stack)
           property_name = node_details.fetch(:value)
                                       .match(PROPERTY_REGEX)
                                       .named_captures.fetch("property")
           callsite_file = dependency_files
                           .find { |f| f.name == node_details.fetch(:file) }
+          return unless callsite_file
 
           raise "Circular reference!" if stack.include?([property_name, callsite_file.name])
 
@@ -71,8 +86,14 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
 
+        sig do
+          params(property: String,
+                 file: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def deep_find_prop_node(property:, file:)
           doc = Nokogiri::XML(file.content)
           doc.remove_namespaces!
@@ -100,21 +121,34 @@ module Dependabot
           deep_find_prop_node(property: property, file: file)
         end
 
+        sig do
+          params(property: String, callsite_file: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def find_property_in_directory_build_targets(property:, callsite_file:)
           find_property_in_up_tree_files(property: property, callsite_file: callsite_file,
                                          expected_file_name: "Directory.Build.targets")
         end
 
+        sig do
+          params(property: String, callsite_file: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def find_property_in_directory_build_props(property:, callsite_file:)
           find_property_in_up_tree_files(property: property, callsite_file: callsite_file,
                                          expected_file_name: "Directory.Build.props")
         end
 
+        sig do
+          params(property: String, callsite_file: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def find_property_in_directory_packages_props(property:, callsite_file:)
           find_property_in_up_tree_files(property: property, callsite_file: callsite_file,
                                          expected_file_name: "Directory.Packages.props")
         end
 
+        sig { params(property: String).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
         def find_property_in_packages_props(property:)
           file = packages_props_file
           return unless file
@@ -122,15 +156,25 @@ module Dependabot
           deep_find_prop_node(property: property, file: file)
         end
 
+        sig do
+          params(property: String,
+                 callsite_file: Dependabot::DependencyFile,
+                 expected_file_name: String)
+            .returns(T.untyped)
+        end
         def find_property_in_up_tree_files(property:, callsite_file:, expected_file_name:)
           files = up_tree_files_for_project(callsite_file, expected_file_name)
-          return unless files
           return if files.empty?
 
           # first file where we were able to find the node
-          files.reduce(nil) { |acc, file| acc || deep_find_prop_node(property: property, file: file) }
+          files.reduce(T.let(nil, T.nilable(String))) do |acc, file|
+            acc || deep_find_prop_node(property: property, file: file)
+          end
         end
 
+        sig do
+          params(project_file: DependencyFile, expected_file_name: String).returns(T::Array[Dependabot::DependencyFile])
+        end
         def up_tree_files_for_project(project_file, expected_file_name)
           dir = File.dirname(project_file.name)
 
@@ -142,21 +186,29 @@ module Dependabot
 
           paths =
             possible_paths.uniq
-                          .select { |p| dependency_files.find { |f| f.name.casecmp(p).zero? } }
+                          .select { |p| dependency_files.find { |f| f.name.casecmp(p)&.zero? } }
 
           dependency_files.select { |f| paths.include?(f.name) }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def packages_props_file
-          dependency_files.find { |f| f.name.casecmp("Packages.props").zero? }
+          dependency_files.find { |f| f.name.casecmp("Packages.props")&.zero? }
         end
 
+        sig { params(property_name: String).returns(String) }
         def property_xpath(property_name)
           # only return properties that don't have a `Condition` attribute or the `Condition` attribute is checking for
           # an empty string, e.g., Condition="$(SomeProperty) == ''"
           %{/Project/PropertyGroup/#{property_name}[not(@Condition) or @Condition="$(#{property_name}) == ''"]}
         end
 
+        sig do
+          params(file: DependencyFile,
+                 node: Nokogiri::XML::Node,
+                 property: String)
+            .returns(T::Hash[Symbol, T.untyped])
+        end
         def node_details(file:, node:, property:)
           {
             file: file.name,

data/lib/dependabot/nuget/file_parser.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -77,14 +77,14 @@ module Dependabot
       def global_json_dependencies
         return DependencySet.new unless global_json
 
-        GlobalJsonParser.new(global_json: global_json).dependency_set
+        GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set
       end
 
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def dotnet_tools_json_dependencies
         return DependencySet.new unless dotnet_tools_json
 
-        DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set
+        DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json)).dependency_set
       end
 
       sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }