dependabot-nuget 0.251.0 → 0.253.0

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/SdkPackageUpdaterHelperTests.cs

@@ -1,7 +1,3 @@
-using System.IO;
-using System.Linq;
-using System.Threading.Tasks;
-
 using Xunit;
 
 namespace NuGetUpdater.Core.Test.Utilities
@@ -11,7 +7,7 @@ namespace NuGetUpdater.Core.Test.Utilities
         [Fact]
         public async Task DirectoryBuildFilesAreOnlyPulledInFromParentDirectories()
         {
-            using var temporaryDirectory = TemporaryDirectory.CreateWithContents(
+            using var temporaryDirectory = await TemporaryDirectory.CreateWithContentsAsync(
                 ("src/SomeProject.csproj", """
                     <Project Sdk="Microsoft.NET.Sdk">
                       <Import Project="..\props\Versions.props" />
@@ -52,7 +48,7 @@ namespace NuGetUpdater.Core.Test.Utilities
         [InlineData("src/", "")] // project in subdirectory, global.json at root
         public async Task BuildFileEnumerationWorksEvenWithNonSupportedSdkInGlobalJson(string projectSubpath, string globalJsonSubpath)
         {
-            using var temporaryDirectory = TemporaryDirectory.CreateWithContents(
+            using var temporaryDirectory = await TemporaryDirectory.CreateWithContentsAsync(
                 ($"{projectSubpath}SomeProject.csproj", """
                     <Project Sdk="Microsoft.NET.Sdk">
                     </Project>
@@ -82,7 +78,7 @@ namespace NuGetUpdater.Core.Test.Utilities
         [Fact]
         public async Task BuildFileEnumerationWithNonStandardMSBuildSdkAndNonSupportedSdkVersionInGlobalJson()
         {
-            using var temporaryDirectory = TemporaryDirectory.CreateWithContents(
+            using var temporaryDirectory = await TemporaryDirectory.CreateWithContentsAsync(
                 ("global.json", """
                     {
                       "sdk": {
@@ -123,7 +119,7 @@ namespace NuGetUpdater.Core.Test.Utilities
         [Fact]
         public async Task BuildFileEnumerationWithUnsuccessfulImport()
         {
-            using var temporaryDirectory = TemporaryDirectory.CreateWithContents(
+            using var temporaryDirectory = await TemporaryDirectory.CreateWithContentsAsync(
                 ("Directory.Build.props", """
                     <Project>
                       <Import Project="file-that-does-not-exist.targets" />
@@ -146,7 +142,7 @@ namespace NuGetUpdater.Core.Test.Utilities
         [Fact]
         public async Task BuildFileEnumerationWithGlobalJsonWithComments()
         {
-            using var temporaryDirectory = TemporaryDirectory.CreateWithContents(
+            using var temporaryDirectory = await TemporaryDirectory.CreateWithContentsAsync(
                 ("global.json", """
                     {
                       // this is a comment
@@ -171,8 +167,8 @@ namespace NuGetUpdater.Core.Test.Utilities
 
         private static async Task<string[]> LoadBuildFilesFromTemp(TemporaryDirectory temporaryDirectory, string relativeProjectPath)
         {
-            var buildFiles = await MSBuildHelper.LoadBuildFiles(temporaryDirectory.DirectoryPath, $"{temporaryDirectory.DirectoryPath}/{relativeProjectPath}");
-            var buildFilePaths = buildFiles.Select(f => f.RepoRelativePath.NormalizePathToUnix()).ToArray();
+            var (buildFiles, _tfms) = await MSBuildHelper.LoadBuildFilesAndTargetFrameworksAsync(temporaryDirectory.DirectoryPath, $"{temporaryDirectory.DirectoryPath}/{relativeProjectPath}");
+            var buildFilePaths = buildFiles.Select(f => f.RelativePath.NormalizePathToUnix()).ToArray();
             return buildFilePaths;
         }
     }

data/lib/dependabot/nuget/discovery/dependency_details.rb

@@ -0,0 +1,95 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/discovery/evaluation_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class DependencyDetails
+      extend T::Sig
+
+      sig { params(json: T::Hash[String, T.untyped]).returns(DependencyDetails) }
+      def self.from_json(json)
+        name = T.let(json.fetch("Name"), String)
+        version = T.let(json.fetch("Version"), T.nilable(String))
+        type = T.let(json.fetch("Type"), String)
+        evaluation = EvaluationDetails
+                     .from_json(T.let(json.fetch("EvaluationResult"), T.nilable(T::Hash[String, T.untyped])))
+        target_frameworks = T.let(json.fetch("TargetFrameworks"), T.nilable(T::Array[String]))
+        is_dev_dependency = T.let(json.fetch("IsDevDependency"), T::Boolean)
+        is_direct = T.let(json.fetch("IsDirect"), T::Boolean)
+        is_transitive = T.let(json.fetch("IsTransitive"), T::Boolean)
+        is_override = T.let(json.fetch("IsOverride"), T::Boolean)
+        is_update = T.let(json.fetch("IsUpdate"), T::Boolean)
+
+        DependencyDetails.new(name: name,
+                              version: version,
+                              type: type,
+                              evaluation: evaluation,
+                              target_frameworks: target_frameworks,
+                              is_dev_dependency: is_dev_dependency,
+                              is_direct: is_direct,
+                              is_transitive: is_transitive,
+                              is_override: is_override,
+                              is_update: is_update)
+      end
+
+      sig do
+        params(name: String,
+               version: T.nilable(String),
+               type: String,
+               evaluation: T.nilable(EvaluationDetails),
+               target_frameworks: T.nilable(T::Array[String]),
+               is_dev_dependency: T::Boolean,
+               is_direct: T::Boolean,
+               is_transitive: T::Boolean,
+               is_override: T::Boolean,
+               is_update: T::Boolean).void
+      end
+      def initialize(name:, version:, type:, evaluation:, target_frameworks:, is_dev_dependency:, is_direct:,
+                     is_transitive:, is_override:, is_update:)
+        @name = name
+        @version = version
+        @type = type
+        @evaluation = evaluation
+        @target_frameworks = target_frameworks
+        @is_dev_dependency = is_dev_dependency
+        @is_direct = is_direct
+        @is_transitive = is_transitive
+        @is_override = is_override
+        @is_update = is_update
+      end
+
+      sig { returns(String) }
+      attr_reader :name
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :version
+
+      sig { returns(String) }
+      attr_reader :type
+
+      sig { returns(T.nilable(EvaluationDetails)) }
+      attr_reader :evaluation
+
+      sig { returns(T.nilable(T::Array[String])) }
+      attr_reader :target_frameworks
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_dev_dependency
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_direct
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_transitive
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_override
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_update
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/dependency_file_discovery.rb

@@ -0,0 +1,126 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/discovery/dependency_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class DependencyFileDiscovery
+      extend T::Sig
+
+      sig { params(json: T.nilable(T::Hash[String, T.untyped])).returns(T.nilable(DependencyFileDiscovery)) }
+      def self.from_json(json)
+        return nil if json.nil?
+
+        file_path = T.let(json.fetch("FilePath"), String)
+        dependencies = T.let(json.fetch("Dependencies"), T::Array[T::Hash[String, T.untyped]]).map do |dep|
+          DependencyDetails.from_json(dep)
+        end
+
+        DependencyFileDiscovery.new(file_path: file_path,
+                                    dependencies: dependencies)
+      end
+
+      sig do
+        params(file_path: String,
+               dependencies: T::Array[DependencyDetails]).void
+      end
+      def initialize(file_path:, dependencies:)
+        @file_path = file_path
+        @dependencies = dependencies
+      end
+
+      sig { returns(String) }
+      attr_reader :file_path
+
+      sig { returns(T::Array[DependencyDetails]) }
+      attr_reader :dependencies
+
+      sig { overridable.returns(Dependabot::FileParsers::Base::DependencySet) }
+      def dependency_set # rubocop:disable Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/AbcSize
+        dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+        file_name = Pathname.new(file_path).cleanpath.to_path
+        dependencies.each do |dependency|
+          next if dependency.name.casecmp("Microsoft.NET.Sdk")&.zero?
+
+          # If the version string was evaluated it must have been successfully resolved
+          if dependency.evaluation && dependency.evaluation&.result_type != "Success"
+            logger.warn "Dependency '#{dependency.name}' excluded due to unparsable version: #{dependency.version}"
+            next
+          end
+
+          # Exclude any dependencies using version ranges or wildcards
+          next if dependency.version&.include?(",") ||
+                  dependency.version&.include?("*")
+
+          # Exclude any dependencies specified using interpolation
+          next if dependency.name.include?("%(") ||
+                  dependency.version&.include?("%(")
+
+          # Exclude any dependencies which reference an item type
+          next if dependency.name.include?("@(")
+
+          dependency_file_name = file_name
+          if dependency.type == "PackagesConfig"
+            dir_name = File.dirname(file_name)
+            dependency_file_name = "packages.config"
+            dependency_file_name = File.join(dir_name, "packages.config") unless dir_name == "."
+          end
+
+          dependency_set << build_dependency(dependency_file_name, dependency)
+        end
+
+        dependency_set
+      end
+
+      private
+
+      sig { returns(::Logger) }
+      def logger
+        Dependabot.logger
+      end
+
+      sig { params(file_name: String, dependency_details: DependencyDetails).returns(Dependabot::Dependency) }
+      def build_dependency(file_name, dependency_details)
+        requirement = build_requirement(file_name, dependency_details)
+        requirements = requirement.nil? ? [] : [requirement]
+
+        version = dependency_details.version&.gsub(/[\(\)\[\]]/, "")&.strip
+        version = nil if version&.empty?
+
+        Dependency.new(
+          name: dependency_details.name,
+          version: version,
+          package_manager: "nuget",
+          requirements: requirements
+        )
+      end
+
+      sig do
+        params(file_name: String, dependency_details: DependencyDetails)
+          .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+      end
+      def build_requirement(file_name, dependency_details)
+        return if dependency_details.is_transitive
+
+        version = dependency_details.version
+        version = nil if version&.empty?
+
+        requirement = {
+          requirement: version,
+          file: file_name,
+          groups: [dependency_details.is_dev_dependency ? "devDependencies" : "dependencies"],
+          source: nil
+        }
+
+        property_name = dependency_details.evaluation&.root_property_name
+        return requirement unless property_name
+
+        requirement[:metadata] = { property_name: property_name }
+        requirement
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/directory_packages_props_discovery.rb

@@ -0,0 +1,43 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/discovery/dependency_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class DirectoryPackagesPropsDiscovery < DependencyFileDiscovery
+      extend T::Sig
+
+      sig do
+        params(json: T.nilable(T::Hash[String, T.untyped])).returns(T.nilable(DirectoryPackagesPropsDiscovery))
+      end
+      def self.from_json(json)
+        return nil if json.nil?
+
+        file_path = T.let(json.fetch("FilePath"), String)
+        is_transitive_pinning_enabled = T.let(json.fetch("IsTransitivePinningEnabled"), T::Boolean)
+        dependencies = T.let(json.fetch("Dependencies"), T::Array[T::Hash[String, T.untyped]]).map do |dep|
+          DependencyDetails.from_json(dep)
+        end
+
+        DirectoryPackagesPropsDiscovery.new(file_path: file_path,
+                                            is_transitive_pinning_enabled: is_transitive_pinning_enabled,
+                                            dependencies: dependencies)
+      end
+
+      sig do
+        params(file_path: String,
+               is_transitive_pinning_enabled: T::Boolean,
+               dependencies: T::Array[DependencyDetails]).void
+      end
+      def initialize(file_path:, is_transitive_pinning_enabled:, dependencies:)
+        super(file_path: file_path, dependencies: dependencies)
+        @is_transitive_pinning_enabled = is_transitive_pinning_enabled
+      end
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_transitive_pinning_enabled
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/discovery_json_reader.rb

@@ -0,0 +1,83 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/nuget/discovery/workspace_discovery"
+require "json"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class DiscoveryJsonReader
+      extend T::Sig
+
+      DISCOVERY_JSON_PATH = ".dependabot/discovery.json"
+
+      sig { returns(String) }
+      private_class_method def self.temp_directory
+        Dir.tmpdir
+      end
+
+      sig { returns(String) }
+      def self.discovery_file_path
+        File.join(temp_directory, DISCOVERY_JSON_PATH)
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def self.discovery_json
+        return unless File.exist?(discovery_file_path)
+
+        DependencyFile.new(
+          name: Pathname.new(discovery_file_path).cleanpath.to_path,
+          directory: temp_directory,
+          type: "file",
+          content: File.read(discovery_file_path)
+        )
+      end
+
+      sig { params(discovery_json: DependencyFile).void }
+      def initialize(discovery_json:)
+        @discovery_json = discovery_json
+      end
+
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      def dependency_set
+        dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+        return dependency_set unless workspace_discovery
+
+        workspace_result = T.must(workspace_discovery)
+        workspace_result.projects.each do |project|
+          dependency_set += project.dependency_set
+        end
+        if workspace_result.directory_packages_props
+          dependency_set += T.must(workspace_result.directory_packages_props).dependency_set
+        end
+        if workspace_result.dotnet_tools_json
+          dependency_set += T.must(workspace_result.dotnet_tools_json).dependency_set
+        end
+        dependency_set += T.must(workspace_result.global_json).dependency_set if workspace_result.global_json
+
+        dependency_set
+      end
+
+      sig { returns(T.nilable(WorkspaceDiscovery)) }
+      def workspace_discovery
+        @workspace_discovery ||= T.let(begin
+          return nil unless discovery_json.content
+
+          Dependabot.logger.info("Discovery JSON content: #{discovery_json.content}")
+
+          parsed_json = T.let(JSON.parse(T.must(discovery_json.content)), T::Hash[String, T.untyped])
+          WorkspaceDiscovery.from_json(parsed_json)
+        end, T.nilable(WorkspaceDiscovery))
+      rescue JSON::ParserError
+        raise Dependabot::DependencyFileNotParseable, discovery_json.path
+      end
+
+      private
+
+      sig { returns(DependencyFile) }
+      attr_reader :discovery_json
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/evaluation_details.rb

@@ -0,0 +1,63 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class EvaluationDetails
+      extend T::Sig
+
+      sig { params(json: T.nilable(T::Hash[String, T.untyped])).returns(T.nilable(EvaluationDetails)) }
+      def self.from_json(json)
+        return nil if json.nil?
+
+        result_type = T.let(json.fetch("ResultType"), String)
+        original_value = T.let(json.fetch("OriginalValue"), String)
+        evaluated_value = T.let(json.fetch("EvaluatedValue"), String)
+        root_property_name = T.let(json.fetch("RootPropertyName", nil), T.nilable(String))
+        error_message = T.let(json.fetch("ErrorMessage", nil), T.nilable(String))
+
+        EvaluationDetails.new(result_type: result_type,
+                              original_value: original_value,
+                              evaluated_value: evaluated_value,
+                              root_property_name: root_property_name,
+                              error_message: error_message)
+      end
+
+      sig do
+        params(result_type: String,
+               original_value: String,
+               evaluated_value: String,
+               root_property_name: T.nilable(String),
+               error_message: T.nilable(String)).void
+      end
+      def initialize(result_type:,
+                     original_value:,
+                     evaluated_value:,
+                     root_property_name:,
+                     error_message:)
+        @result_type = result_type
+        @original_value = original_value
+        @evaluated_value = evaluated_value
+        @root_property_name = root_property_name
+        @error_message = error_message
+      end
+
+      sig { returns(String) }
+      attr_reader :result_type
+
+      sig { returns(String) }
+      attr_reader :original_value
+
+      sig { returns(String) }
+      attr_reader :evaluated_value
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :root_property_name
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :error_message
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/project_discovery.rb

@@ -0,0 +1,71 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/discovery/dependency_details"
+require "dependabot/nuget/discovery/property_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class ProjectDiscovery < DependencyFileDiscovery
+      extend T::Sig
+
+      sig do
+        params(json: T.nilable(T::Hash[String, T.untyped])).returns(T.nilable(ProjectDiscovery))
+      end
+      def self.from_json(json)
+        return nil if json.nil?
+
+        file_path = T.let(json.fetch("FilePath"), String)
+        properties = T.let(json.fetch("Properties"), T::Array[T::Hash[String, T.untyped]]).map do |prop|
+          PropertyDetails.from_json(prop)
+        end
+        target_frameworks = T.let(json.fetch("TargetFrameworks"), T::Array[String])
+        referenced_project_paths = T.let(json.fetch("ReferencedProjectPaths"), T::Array[String])
+        dependencies = T.let(json.fetch("Dependencies"), T::Array[T::Hash[String, T.untyped]]).map do |dep|
+          DependencyDetails.from_json(dep)
+        end
+
+        ProjectDiscovery.new(file_path: file_path,
+                             properties: properties,
+                             target_frameworks: target_frameworks,
+                             referenced_project_paths: referenced_project_paths,
+                             dependencies: dependencies)
+      end
+
+      sig do
+        params(file_path: String,
+               properties: T::Array[PropertyDetails],
+               target_frameworks: T::Array[String],
+               referenced_project_paths: T::Array[String],
+               dependencies: T::Array[DependencyDetails]).void
+      end
+      def initialize(file_path:, properties:, target_frameworks:, referenced_project_paths:, dependencies:)
+        super(file_path: file_path, dependencies: dependencies)
+        @properties = properties
+        @target_frameworks = target_frameworks
+        @referenced_project_paths = referenced_project_paths
+      end
+
+      sig { returns(T::Array[PropertyDetails]) }
+      attr_reader :properties
+
+      sig { returns(T::Array[String]) }
+      attr_reader :target_frameworks
+
+      sig { returns(T::Array[String]) }
+      attr_reader :referenced_project_paths
+
+      sig { override.returns(Dependabot::FileParsers::Base::DependencySet) }
+      def dependency_set
+        if target_frameworks.empty? && file_path.end_with?("proj")
+          Dependabot.logger.warn("Excluding project file '#{file_path}' due to unresolvable target framework")
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+          return dependency_set
+        end
+
+        super
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/property_details.rb

@@ -0,0 +1,43 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class PropertyDetails
+      extend T::Sig
+
+      sig { params(json: T::Hash[String, T.untyped]).returns(PropertyDetails) }
+      def self.from_json(json)
+        name = T.let(json.fetch("Name"), String)
+        value = T.let(json.fetch("Value"), String)
+        source_file_path = T.let(json.fetch("SourceFilePath"), String)
+
+        PropertyDetails.new(name: name,
+                            value: value,
+                            source_file_path: source_file_path)
+      end
+
+      sig do
+        params(name: String,
+               value: String,
+               source_file_path: String).void
+      end
+      def initialize(name:, value:, source_file_path:)
+        @name = name
+        @value = value
+        @source_file_path = source_file_path
+      end
+
+      sig { returns(String) }
+      attr_reader :name
+
+      sig { returns(String) }
+      attr_reader :value
+
+      sig { returns(String) }
+      attr_reader :source_file_path
+    end
+  end
+end

data/lib/dependabot/nuget/discovery/workspace_discovery.rb

@@ -0,0 +1,66 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/discovery/dependency_file_discovery"
+require "dependabot/nuget/discovery/directory_packages_props_discovery"
+require "dependabot/nuget/discovery/project_discovery"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class WorkspaceDiscovery
+      extend T::Sig
+
+      sig { params(json: T::Hash[String, T.untyped]).returns(WorkspaceDiscovery) }
+      def self.from_json(json)
+        file_path = T.let(json.fetch("FilePath"), String)
+        projects = T.let(json.fetch("Projects"), T::Array[T::Hash[String, T.untyped]]).filter_map do |project|
+          ProjectDiscovery.from_json(project)
+        end
+        directory_packages_props = DirectoryPackagesPropsDiscovery
+                                   .from_json(T.let(json.fetch("DirectoryPackagesProps"),
+                                                    T.nilable(T::Hash[String, T.untyped])))
+        global_json = DependencyFileDiscovery
+                      .from_json(T.let(json.fetch("GlobalJson"), T.nilable(T::Hash[String, T.untyped])))
+        dotnet_tools_json = DependencyFileDiscovery
+                            .from_json(T.let(json.fetch("DotNetToolsJson"), T.nilable(T::Hash[String, T.untyped])))
+
+        WorkspaceDiscovery.new(file_path: file_path,
+                               projects: projects,
+                               directory_packages_props: directory_packages_props,
+                               global_json: global_json,
+                               dotnet_tools_json: dotnet_tools_json)
+      end
+
+      sig do
+        params(file_path: String,
+               projects: T::Array[ProjectDiscovery],
+               directory_packages_props: T.nilable(DirectoryPackagesPropsDiscovery),
+               global_json: T.nilable(DependencyFileDiscovery),
+               dotnet_tools_json: T.nilable(DependencyFileDiscovery)).void
+      end
+      def initialize(file_path:, projects:, directory_packages_props:, global_json:, dotnet_tools_json:)
+        @file_path = file_path
+        @projects = projects
+        @directory_packages_props = directory_packages_props
+        @global_json = global_json
+        @dotnet_tools_json = dotnet_tools_json
+      end
+
+      sig { returns(String) }
+      attr_reader :file_path
+
+      sig { returns(T::Array[ProjectDiscovery]) }
+      attr_reader :projects
+
+      sig { returns(T.nilable(DirectoryPackagesPropsDiscovery)) }
+      attr_reader :directory_packages_props
+
+      sig { returns(T.nilable(DependencyFileDiscovery)) }
+      attr_reader :global_json
+
+      sig { returns(T.nilable(DependencyFileDiscovery)) }
+      attr_reader :dotnet_tools_json
+    end
+  end
+end