dependabot-nuget 0.246.0 → 0.248.0

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -66,23 +66,34 @@ module Dependabot
       end
 
       def fetch_package_tfms(dependency_version)
-        nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-        return [] unless nupkg_buffer
-
-        # Parse tfms from the folders beneath the lib folder
-        folder_name = "lib/"
-        tfms = Set.new
-        Zip::File.open_buffer(nupkg_buffer) do |zip|
-          lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-          # If there is no lib folder in this package, assume it is a development dependency
-          return nil if lib_file_entries.empty?
-
-          lib_file_entries.each do |entry|
-            _, tfm = entry.name.split("/").first(2)
-            tfms << tfm
+        cache = CacheManager.cache("compatibility_checker_tfms_cache")
+        key = "#{dependency.name}::#{dependency_version}"
+
+        cache[key] ||= begin
+          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
+          return [] unless nupkg_buffer
+
+          # Parse tfms from the folders beneath the lib folder
+          folder_name = "lib/"
+          tfms = Set.new
+          Zip::File.open_buffer(nupkg_buffer) do |zip|
+            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
+            # If there is no lib folder in this package, assume it is a development dependency
+            return nil if lib_file_entries.empty?
+
+            lib_file_entries.each do |entry|
+              _, tfm = entry.name.split("/").first(2)
+
+              # some zip compressors create empty directory entries (in this case `lib/`) which can cause the string
+              # split to return `nil`, so we have to explicitly guard against that
+              tfms << tfm if tfm
+            end
           end
+
+          tfms.to_a
         end
-        tfms.to_a
+
+        cache[key]
       end
     end
   end

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -1,23 +1,43 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
-require "zip"
 require "stringio"
+require "sorbet-runtime"
+require "zip"
+
 require "dependabot/nuget/http_response_helpers"
 
 module Dependabot
   module Nuget
     class NupkgFetcher
+      extend T::Sig
+
       require_relative "repository_finder"
 
+      sig do
+        params(
+          dependency_urls: T::Array[T::Hash[Symbol, String]],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_nupkg_buffer(dependency_urls, package_id, package_version)
         # check all repositories for the first one that has the nupkg
-        dependency_urls.reduce(nil) do |nupkg_buffer, repository_details|
+        dependency_urls.reduce(T.let(nil, T.nilable(String))) do |nupkg_buffer, repository_details|
           nupkg_buffer || fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
         end
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: T.nilable(String),
+          package_version: T.nilable(String)
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
         return unless package_id && package_version && !package_version.empty?
 
@@ -35,6 +55,14 @@ module Dependabot
         package_url
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
         package_url = fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
         return unless package_url
@@ -43,6 +71,14 @@ module Dependabot
         fetch_stream(package_url, auth_header)
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
         base_url = repository_details[:base_url]
         unless base_url
@@ -57,15 +93,23 @@ module Dependabot
 
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.get_nuget_v3_package_url_from_search(repository_details, package_id, package_version)
         search_url = repository_details[:search_url]
         return nil unless search_url
 
         # get search result
         search_result_response = fetch_url(search_url, repository_details)
-        return nil unless search_result_response.status == 200
+        return nil unless search_result_response&.status == 200
 
-        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(search_result_response.body)
+        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(T.must(search_result_response).body)
         search_results = JSON.parse(search_response_body)
 
         # find matching package and version
@@ -90,15 +134,23 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.get_nuget_v2_package_url(repository_details, package_id, package_version)
         # get package XML
         base_url = repository_details[:base_url].delete_suffix("/")
         package_url = "#{base_url}/Packages(Id='#{package_id}',Version='#{package_version}')"
         response = fetch_url(package_url, repository_details)
-        return nil unless response.status == 200
+        return nil unless response&.status == 200
 
         # find relevant element
-        doc = Nokogiri::XML(response.body)
+        doc = Nokogiri::XML(T.must(response).body)
         doc.remove_namespaces!
 
         content_element = doc.xpath("/entry/content")
@@ -106,46 +158,60 @@ module Dependabot
         nupkg_url
       end
 
+      sig do
+        params(
+          stream_url: String,
+          auth_header: T::Hash[String, String],
+          max_redirects: Integer
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
         current_url = stream_url
         current_redirects = 0
 
         loop do
-          connection = Excon.new(current_url, persistent: true)
-
-          package_data = StringIO.new
-          response_block = lambda do |chunk, _remaining_bytes, _total_bytes|
-            package_data.write(chunk)
-          end
-
-          response = connection.request(
-            method: :get,
+          # Directly download the stream without any additional settings _except_ for `omit_default_port: true` which
+          # is necessary to not break the URL signing that some NuGet feeds use.
+          response = Excon.get(
+            current_url,
             headers: auth_header,
-            response_block: response_block
+            omit_default_port: true
           )
 
           # redirect the HTTP response as appropriate based on documentation here:
           # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
           case response.status
           when 200
-            package_data.rewind
-            return package_data
+            return response.body
           when 301, 302, 303, 307, 308
             current_redirects += 1
             return nil if current_redirects > max_redirects
 
-            current_url = response.headers["Location"]
+            current_url = T.must(response.headers["Location"])
           else
             return nil
           end
         end
       end
 
+      sig do
+        params(
+          url: String,
+          repository_details: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T.nilable(Excon::Response))
+      end
       def self.fetch_url(url, repository_details)
+        fetch_url_with_auth(url, repository_details.fetch(:auth_header))
+      end
+
+      sig { params(url: String, auth_header: T::Hash[T.any(String, Symbol), T.untyped]).returns(Excon::Response) }
+      def self.fetch_url_with_auth(url, auth_header)
         cache = CacheManager.cache("nupkg_fetcher_cache")
         cache[url] ||= Dependabot::RegistryClient.get(
           url: url,
-          headers: repository_details.fetch(:auth_header)
+          headers: auth_header
         )
 
         cache[url]

data/lib/dependabot/nuget/update_checker/nuspec_fetcher.rb

@@ -1,23 +1,42 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
-require "zip"
 require "stringio"
+require "sorbet-runtime"
+require "zip"
 
 module Dependabot
   module Nuget
     class NuspecFetcher
+      extend T::Sig
+
       require_relative "nupkg_fetcher"
       require_relative "repository_finder"
 
+      sig do
+        params(
+          dependency_urls: T::Array[T::Hash[Symbol, String]],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(Nokogiri::XML::Document))
+      end
       def self.fetch_nuspec(dependency_urls, package_id, package_version)
         # check all repositories for the first one that has the nuspec
-        dependency_urls.reduce(nil) do |nuspec_xml, repository_details|
+        dependency_urls.reduce(T.let(nil, T.nilable(Nokogiri::XML::Document))) do |nuspec_xml, repository_details|
           nuspec_xml || fetch_nuspec_from_repository(repository_details, package_id, package_version)
         end
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: T.nilable(String),
+          package_version: T.nilable(String)
+        )
+          .returns(T.nilable(Nokogiri::XML::Document))
+      end
       def self.fetch_nuspec_from_repository(repository_details, package_id, package_version)
         return unless package_id && package_version && !package_version.empty?
 
@@ -55,6 +74,7 @@ module Dependabot
         nuspec_xml
       end
 
+      sig { params(feed_url: String).returns(T::Boolean) }
       def self.feed_supports_nuspec_download?(feed_url)
         feed_regexs = [
           # nuget
@@ -67,6 +87,7 @@ module Dependabot
         feed_regexs.any? { |reg| reg.match(feed_url) }
       end
 
+      sig { params(zip_stream: String, package_id: String).returns(T.nilable(String)) }
       def self.extract_nuspec(zip_stream, package_id)
         Zip::File.open_buffer(zip_stream) do |zip|
           nuspec_entry = zip.find { |entry| entry.name == "#{package_id}.nuspec" }
@@ -75,6 +96,7 @@ module Dependabot
         nil
       end
 
+      sig { params(string: String).returns(String) }
       def self.remove_invalid_characters(string)
         string.dup
               .force_encoding(Encoding::UTF_8)

data/lib/dependabot/nuget/update_checker/repository_finder.rb

@@ -72,6 +72,21 @@ module Dependabot
       end
 
       def build_url_for_details(repo_details)
+        url = repo_details.fetch(:url)
+        url_obj = URI.parse(url)
+        if url_obj.is_a?(URI::HTTP)
+          details = build_url_for_details_remote(repo_details)
+        elsif url_obj.is_a?(URI::File)
+          details = {
+            base_url: url,
+            repository_type: "local"
+          }
+        end
+
+        details
+      end
+
+      def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
         return unless response.status == 200
@@ -205,6 +220,7 @@ module Dependabot
 
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
@@ -223,7 +239,14 @@ module Dependabot
             key = node.attribute("key")&.value&.strip || node.at_xpath("./key")&.content&.strip
             url = node.attribute("value")&.value&.strip || node.at_xpath("./value")&.content&.strip
             url = expand_windows_style_environment_variables(url) if url
-            sources << { url: url, key: key }
+
+            # if the path isn't absolute it's relative to the nuget.config file
+            if url
+              unless url.include?("://") || Pathname.new(url).absolute?
+                url = Pathname(config_file.directory).join(url).to_path
+              end
+              sources << { url: url, key: key }
+            end
           end
         end
 
@@ -246,14 +269,13 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
 
-        sources.select! { |s| s.fetch(:url)&.include?("://") }
-
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
 
         sources
       end
       # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
 

data/lib/dependabot/nuget/update_checker/requirements_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 #######################################################################
@@ -6,6 +6,8 @@
 # https://docs.microsoft.com/en-us/nuget/reference/package-versioning #
 #######################################################################
 
+require "sorbet-runtime"
+
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 
@@ -13,14 +15,25 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class RequirementsUpdater
+        extend T::Sig
+
+        sig do
+          params(
+            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            latest_version: T.nilable(T.any(String, Dependabot::Nuget::Version)),
+            source_details: T.nilable(T::Hash[Symbol, T.untyped])
+          )
+            .void
+        end
         def initialize(requirements:, latest_version:, source_details:)
           @requirements = requirements
           @source_details = source_details
           return unless latest_version
 
-          @latest_version = version_class.new(latest_version)
+          @latest_version = T.let(version_class.new(latest_version), Dependabot::Nuget::Version)
         end
 
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements unless latest_version
 
@@ -52,32 +65,42 @@ module Dependabot
 
         private
 
-        attr_reader :requirements, :latest_version, :source_details
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        attr_reader :requirements
+
+        sig { returns(T.nilable(Dependabot::Nuget::Version)) }
+        attr_reader :latest_version
+
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        attr_reader :source_details
 
+        sig { returns(T.class_of(Dependabot::Nuget::Version)) }
         def version_class
-          Nuget::Version
+          Dependabot::Nuget::Version
         end
 
+        sig { params(req_string: String).returns(String) }
         def update_wildcard_requirement(req_string)
           return req_string if req_string == "*-*"
 
           return req_string if req_string == "*"
 
-          precision = req_string.split("*").first.split(/\.|\-/).count
+          precision = T.must(req_string.split("*").first).split(/\.|\-/).count
           wildcard_section = req_string.partition(/(?=[.\-]\*)/).last
 
-          version_parts = latest_version.segments.first(precision)
+          version_parts = T.must(latest_version).segments.first(precision)
           version = version_parts.join(".")
 
           version + wildcard_section
         end
 
+        sig { returns(T::Hash[Symbol, T.untyped]) }
         def updated_source
           {
             type: "nuget_repo",
-            url: source_details.fetch(:repo_url),
-            nuspec_url: source_details.fetch(:nuspec_url),
-            source_url: source_details.fetch(:source_url)
+            url: source_details&.fetch(:repo_url),
+            nuspec_url: source_details&.fetch(:nuspec_url),
+            source_url: source_details&.fetch(:source_url)
           }
         end
       end

data/lib/dependabot/nuget/update_checker/tfm_finder.rb

@@ -52,13 +52,13 @@ module Dependabot
 
         config_parser = FileParser::PackagesConfigParser.new(packages_config: config_file)
         config_parser.dependency_set.dependencies.any? do |d|
-          d.name.casecmp(dependency.name).zero?
+          d.name.casecmp(dependency.name)&.zero?
         end
       end
 
       def project_file_contains_dependency?(file, dependency)
         project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
-          d.name.casecmp(dependency.name).zero?
+          d.name.casecmp(dependency.name)&.zero?
         end
       end