dependabot-nuget 0.251.0 → 0.253.0

data/lib/dependabot/nuget/file_parser.rb

@@ -1,11 +1,11 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "nokogiri"
-
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "dependabot/nuget/discovery/discovery_json_reader"
+require "dependabot/nuget/native_helpers"
 require "sorbet-runtime"
 
 # For details on how dotnet handles version constraints, see:
@@ -16,106 +16,31 @@ module Dependabot
       extend T::Sig
 
       require "dependabot/file_parsers/base/dependency_set"
-      require_relative "file_parser/project_file_parser"
-      require_relative "file_parser/packages_config_parser"
-      require_relative "file_parser/global_json_parser"
-      require_relative "file_parser/dotnet_tools_json_parser"
-
-      PACKAGE_CONF_DEPENDENCY_SELECTOR = "packages > packages"
 
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
-        dependency_set = DependencySet.new
-        dependency_set += project_file_dependencies
-        dependency_set += packages_config_dependencies
-        dependency_set += global_json_dependencies if global_json
-        dependency_set += dotnet_tools_json_dependencies if dotnet_tools_json
-
-        (dependencies, deps_with_unresolved_versions) = dependency_set.dependencies.partition do |d|
-          # try to parse the version; don't care about result, just that it succeeded
-          _ = Version.new(d.version)
-          true
-        rescue ArgumentError
-          # version could not be parsed
-          false
-        end
+        workspace_path = project_files.first&.directory
+        return [] unless workspace_path
 
-        deps_with_unresolved_versions.each do |d|
-          Dependabot.logger.warn "Dependency '#{d.name}' excluded due to unparsable version: #{d.version}"
-        end
-
-        dependency_info = dependencies.map do |d|
-          requirements_info = d.requirements.filter_map { |r| "    file: #{r[:file]}, metadata: #{r[:metadata]}" }
-                               .join("\n")
-          "  name: #{d.name}, version: #{d.version}\n#{requirements_info}"
-        end.join("\n")
+        # run discovery for the repo
+        NativeHelpers.run_nuget_discover_tool(repo_root: T.must(repo_contents_path),
+                                              workspace_path: workspace_path,
+                                              output_path: DiscoveryJsonReader.discovery_file_path,
+                                              credentials: credentials)
 
-        if dependencies.length.positive?
-          Dependabot.logger.info "The following dependencies were found:\n#{dependency_info}"
-        end
-
-        dependencies
+        discovered_dependencies.dependencies
       end
 
       private
 
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-      def project_file_dependencies
-        dependency_set = DependencySet.new
-
-        project_files.each do |project_file|
-          tfms = project_file_parser.target_frameworks(project_file: project_file)
-          unless tfms.any?
-            Dependabot.logger.warn "Excluding project file '#{project_file.name}' due to unresolvable target framework"
-            next
-          end
-
-          dependency_set += project_file_parser.dependency_set(project_file: project_file)
-        end
-
-        proj_files.each do |proj_file|
-          dependency_set += project_file_parser.dependency_set(project_file: proj_file)
-        end
-
-        dependency_set
-      end
-
-      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-      def packages_config_dependencies
-        dependency_set = DependencySet.new
-
-        packages_config_files.each do |file|
-          parser = PackagesConfigParser.new(packages_config: file)
-          dependency_set += parser.dependency_set
-        end
-
-        dependency_set
-      end
-
-      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-      def global_json_dependencies
-        return DependencySet.new unless global_json
+      def discovered_dependencies
+        discovery_json = DiscoveryJsonReader.discovery_json
+        return DependencySet.new unless discovery_json
 
-        GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set
-      end
-
-      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-      def dotnet_tools_json_dependencies
-        return DependencySet.new unless dotnet_tools_json
-
-        DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json)).dependency_set
-      end
-
-      sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }
-      def project_file_parser
-        @project_file_parser ||= T.let(
-          ProjectFileParser.new(
-            dependency_files: dependency_files,
-            credentials: credentials,
-            repo_contents_path: @repo_contents_path
-          ),
-          T.nilable(Dependabot::Nuget::FileParser::ProjectFileParser)
-        )
+        DiscoveryJsonReader.new(
+          discovery_json: discovery_json
+        ).dependency_set
       end
 
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -136,47 +61,13 @@ module Dependabot
         end
       end
 
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def packages_config_files
-        dependency_files.select do |f|
-          f.name.split("/").last&.casecmp("packages.config")&.zero?
-        end
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def project_import_files
-        dependency_files -
-          project_files -
-          packages_config_files -
-          nuget_configs -
-          [global_json] -
-          [dotnet_tools_json]
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def nuget_configs
-        dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def global_json
-        dependency_files.find { |f| f.name.casecmp?("global.json") }
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp?(".config/dotnet-tools.json") }
-      end
-
       sig { override.void }
       def check_required_files
-        if project_files.any? || proj_files.any? || packages_config_files.any? || global_json || dotnet_tools_json
-          return
-        end
+        return if project_files.any? || proj_files.any?
 
         raise Dependabot::DependencyFileNotFound.new(
-          "*.(cs|vb|fs)proj, *.proj, packages.config, global.json, dotnet-tools.json",
-          "No project file, *.proj, packages.config, global.json, or dotnet-tools.json!"
+          "*.(cs|vb|fs)proj, *.proj",
+          "No project file or *.proj!"
         )
       end
     end

data/lib/dependabot/nuget/file_updater.rb

@@ -4,6 +4,9 @@
 require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
+require "dependabot/nuget/discovery/dependency_details"
+require "dependabot/nuget/discovery/discovery_json_reader"
+require "dependabot/nuget/discovery/workspace_discovery"
 require "dependabot/nuget/native_helpers"
 require "dependabot/shared_helpers"
 require "sorbet-runtime"
@@ -13,11 +16,6 @@ module Dependabot
     class FileUpdater < Dependabot::FileUpdaters::Base
       extend T::Sig
 
-      require_relative "file_updater/property_value_updater"
-      require_relative "file_parser/project_file_parser"
-      require_relative "file_parser/dotnet_tools_json_parser"
-      require_relative "file_parser/packages_config_parser"
-
       sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
@@ -67,7 +65,7 @@ module Dependabot
           project_dependencies = project_dependencies(project_file)
           proj_path = dependency_file_path(project_file)
 
-          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
+          next unless project_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) }
 
           next unless repo_contents_path
 
@@ -76,7 +74,7 @@ module Dependabot
 
           checked_files.add(checked_key)
           # We need to check the downstream references even though we're already evaluated the file
-          downstream_files = project_file_parser.downstream_file_references(project_file: project_file)
+          downstream_files = referenced_project_paths(project_file)
           downstream_files.each do |downstream_file|
             checked_files.add("#{downstream_file}-#{dependency.name}#{dependency.version}")
           end
@@ -87,8 +85,8 @@ module Dependabot
 
       sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_json(dependency)
-        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? } ||
-           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
+        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) } ||
+           global_json_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) }
 
           # We just need to feed the updater a project file, grab the first
           project_file = T.must(project_files.first)
@@ -128,58 +126,38 @@ module Dependabot
         @update_tooling_calls
       end
 
-      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
-      def project_dependencies(project_file)
-        # Collect all dependencies from the project file and associated packages.config
-        dependencies = project_file_parser.dependency_set(project_file: project_file).dependencies
-        packages_config = find_packages_config(project_file)
-        return dependencies unless packages_config
+      sig { returns(T.nilable(WorkspaceDiscovery)) }
+      def workspace
+        @workspace ||= T.let(begin
+          discovery_json = DiscoveryJsonReader.discovery_json
+          if discovery_json
+            workspace = DiscoveryJsonReader.new(
+              discovery_json: discovery_json
+            ).workspace_discovery
+          end
 
-        dependencies + FileParser::PackagesConfigParser.new(packages_config: packages_config)
-                                                       .dependency_set.dependencies
+          workspace
+        end, T.nilable(WorkspaceDiscovery))
       end
 
-      sig { params(project_file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
-      def find_packages_config(project_file)
-        project_file_name = File.basename(project_file.name)
-        packages_config_path = project_file.name.gsub(project_file_name, "packages.config")
-        packages_config_files.find { |f| f.name == packages_config_path }
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def referenced_project_paths(project_file)
+        workspace&.projects&.find { |p| p.file_path == project_file.name }&.referenced_project_paths || []
       end
 
-      sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }
-      def project_file_parser
-        @project_file_parser ||=
-          T.let(
-            FileParser::ProjectFileParser.new(
-              dependency_files: dependency_files,
-              credentials: credentials,
-              repo_contents_path: repo_contents_path
-            ),
-            T.nilable(Dependabot::Nuget::FileParser::ProjectFileParser)
-          )
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[DependencyDetails]) }
+      def project_dependencies(project_file)
+        workspace&.projects&.find { |p| p.file_path == project_file.name }&.dependencies || []
       end
 
-      sig { returns(T::Array[Dependabot::Dependency]) }
+      sig { returns(T::Array[DependencyDetails]) }
       def global_json_dependencies
-        return [] unless global_json
-
-        @global_json_dependencies ||=
-          T.let(
-            FileParser::GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set.dependencies,
-            T.nilable(T::Array[Dependabot::Dependency])
-          )
+        workspace&.global_json&.dependencies || []
       end
 
-      sig { returns(T::Array[Dependabot::Dependency]) }
+      sig { returns(T::Array[DependencyDetails]) }
       def dotnet_tools_json_dependencies
-        return [] unless dotnet_tools_json
-
-        @dotnet_tools_json_dependencies ||=
-          T.let(
-            FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json))
-                                             .dependency_set.dependencies,
-            T.nilable(T::Array[Dependabot::Dependency])
-          )
+        workspace&.dotnet_tools_json&.dependencies || []
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
@@ -234,16 +212,6 @@ module Dependabot
         end
       end
 
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def global_json
-        dependency_files.find { |f| T.must(f.name.casecmp("global.json")).zero? }
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def dotnet_tools_json
-        dependency_files.find { |f| T.must(f.name.casecmp(".config/dotnet-tools.json")).zero? }
-      end
-
       sig { override.void }
       def check_required_files
         return if project_files.any? || packages_config_files.any?

data/lib/dependabot/nuget/native_helpers.rb

@@ -55,6 +55,61 @@ module Dependabot
         false
       end
 
+      sig do
+        params(repo_root: String, workspace_path: String, output_path: String).returns([String, String])
+      end
+      def self.get_nuget_discover_tool_command(repo_root:, workspace_path:, output_path:)
+        exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
+        command_parts = [
+          exe_path,
+          "discover",
+          "--repo-root",
+          repo_root,
+          "--workspace",
+          workspace_path,
+          "--output",
+          output_path,
+          "--verbose"
+        ].compact
+
+        command = Shellwords.join(command_parts)
+
+        fingerprint = [
+          exe_path,
+          "discover",
+          "--repo-root",
+          "<repo-root>",
+          "--workspace",
+          "<path-to-workspace>",
+          "--output",
+          "<path-to-output>",
+          "--verbose"
+        ].compact.join(" ")
+
+        [command, fingerprint]
+      end
+
+      sig do
+        params(
+          repo_root: String,
+          workspace_path: String,
+          output_path: String,
+          credentials: T::Array[Dependabot::Credential]
+        ).void
+      end
+      def self.run_nuget_discover_tool(repo_root:, workspace_path:, output_path:, credentials:)
+        (command, fingerprint) = get_nuget_discover_tool_command(repo_root: repo_root,
+                                                                 workspace_path: workspace_path,
+                                                                 output_path: output_path)
+
+        puts "running NuGet discovery:\n" + command
+
+        NuGetConfigCredentialHelpers.patch_nuget_config_for_action(credentials) do
+          output = SharedHelpers.run_shell_command(command, allow_unsafe_shell_command: true, fingerprint: fingerprint)
+          puts output
+        end
+      end
+
       sig do
         params(repo_root: String, proj_path: String, dependency: Dependency,
                is_transitive: T::Boolean).returns([String, String])

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -18,14 +18,12 @@ module Dependabot
       sig do
         params(
           dependency_urls: T::Array[T::Hash[Symbol, String]],
-          dependency: Dependabot::Dependency,
-          tfm_finder: Dependabot::Nuget::TfmFinder
+          dependency: Dependabot::Dependency
         ).void
       end
-      def initialize(dependency_urls:, dependency:, tfm_finder:)
+      def initialize(dependency_urls:, dependency:)
         @dependency_urls = dependency_urls
         @dependency = dependency
-        @tfm_finder = tfm_finder
       end
 
       sig { params(version: String).returns(T::Boolean) }
@@ -57,9 +55,6 @@ module Dependabot
       sig { returns(Dependabot::Dependency) }
       attr_reader :dependency
 
-      sig { returns(Dependabot::Nuget::TfmFinder) }
-      attr_reader :tfm_finder
-
       sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Boolean) }
       def pure_development_dependency?(nuspec_xml)
         contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
@@ -82,7 +77,7 @@ module Dependabot
 
       sig { returns(T.nilable(T::Array[String])) }
       def project_tfms
-        @project_tfms ||= T.let(tfm_finder.frameworks(dependency), T.nilable(T::Array[String]))
+        @project_tfms ||= T.let(TfmFinder.frameworks(dependency), T.nilable(T::Array[String]))
       end
 
       sig { params(dependency_version: String).returns(T.nilable(T::Array[String])) }

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -156,6 +156,7 @@ module Dependabot
             T.let(
               Nuget::FileParser.new(
                 dependency_files: dependency_files,
+                repo_contents_path: repo_contents_path,
                 source: nil
               ).parse.select(&:top_level?),
               T.nilable(T::Array[Dependabot::Dependency])

data/lib/dependabot/nuget/update_checker/property_updater.rb

@@ -154,6 +154,7 @@ module Dependabot
             T.let(
               Nuget::FileParser.new(
                 dependency_files: dependency_files,
+                repo_contents_path: repo_contents_path,
                 source: nil
               ).parse.select do |dep|
                 dep.requirements.any? do |r|

data/lib/dependabot/nuget/update_checker/tfm_finder.rb

@@ -1,164 +1,29 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "excon"
-require "nokogiri"
-require "sorbet-runtime"
-
-require "dependabot/update_checkers/base"
-require "dependabot/nuget/version"
-require "dependabot/nuget/requirement"
-require "dependabot/nuget/native_helpers"
-require "dependabot/shared_helpers"
+require "dependabot/nuget/discovery/discovery_json_reader"
 
 module Dependabot
   module Nuget
     class TfmFinder
       extend T::Sig
 
-      require "dependabot/nuget/file_parser/packages_config_parser"
-      require "dependabot/nuget/file_parser/project_file_parser"
-
-      sig do
-        params(
-          dependency_files: T::Array[Dependabot::DependencyFile],
-          credentials: T::Array[Dependabot::Credential],
-          repo_contents_path: T.nilable(String)
-        ).void
-      end
-      def initialize(dependency_files:, credentials:, repo_contents_path:)
-        @dependency_files       = dependency_files
-        @credentials            = credentials
-        @repo_contents_path     = repo_contents_path
-      end
-
-      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
-      def frameworks(dependency)
-        tfms = Set.new
-        tfms += project_file_tfms(dependency)
-        tfms += project_import_file_tfms
-        tfms.to_a
-      end
-
-      private
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      attr_reader :dependency_files
-
-      sig { returns(T::Array[Dependabot::Credential]) }
-      attr_reader :credentials
-
-      sig { returns(T.nilable(String)) }
-      attr_reader :repo_contents_path
-
-      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
-      def project_file_tfms(dependency)
-        project_files_with_dependency(dependency).flat_map do |file|
-          project_file_parser.target_frameworks(project_file: file)
-        end
-      end
-
-      sig { params(dependency: Dependabot::Dependency).returns(T::Array[Dependabot::DependencyFile]) }
-      def project_files_with_dependency(dependency)
-        project_files.select do |file|
-          packages_config_contains_dependency?(file, dependency) ||
-            project_file_contains_dependency?(file, dependency)
-        end
-      end
-
-      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
-      def packages_config_contains_dependency?(file, dependency)
-        config_file = find_packages_config_file(file)
-        return false unless config_file
-
-        config_parser = FileParser::PackagesConfigParser.new(packages_config: config_file)
-        config_parser.dependency_set.dependencies.any? do |d|
-          d.name.casecmp(dependency.name)&.zero?
-        end
-      end
-
-      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
-      def project_file_contains_dependency?(file, dependency)
-        project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
-          d.name.casecmp(dependency.name)&.zero?
-        end
-      end
-
-      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
-      def find_packages_config_file(file)
-        return file if file.name.end_with?("packages.config")
-
-        filename = File.basename(file.name)
-        search_path = file.name.sub(filename, "packages.config")
-
-        dependency_files.find { |f| f.name.casecmp(search_path)&.zero? }
-      end
-
-      sig { returns(T::Array[String]) }
-      def project_import_file_tfms
-        @project_import_file_tfms ||=
-          T.let(
-            project_import_files.flat_map do |file|
-              project_file_parser.target_frameworks(project_file: file)
-            end,
-            T.nilable(T::Array[String])
-          )
-      end
-
-      sig { returns(FileParser::ProjectFileParser) }
-      def project_file_parser
-        @project_file_parser ||=
-          T.let(
-            FileParser::ProjectFileParser.new(
-              dependency_files: dependency_files,
-              credentials: credentials,
-              repo_contents_path: repo_contents_path
-            ),
-            T.nilable(FileParser::ProjectFileParser)
-          )
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def project_files
-        projfile = /\.[a-z]{2}proj$/
-        packageprops = /[Dd]irectory.[Pp]ackages.props/
-
-        dependency_files.select do |df|
-          df.name.match?(projfile) ||
-            df.name.match?(packageprops)
-        end
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def packages_config_files
-        dependency_files.select do |f|
-          f.name.split("/").last&.casecmp("packages.config")&.zero?
-        end
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def project_import_files
-        dependency_files -
-          project_files -
-          packages_config_files -
-          nuget_configs -
-          [global_json] -
-          [dotnet_tools_json]
-      end
-
-      sig { returns(T::Array[Dependabot::DependencyFile]) }
-      def nuget_configs
-        dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def global_json
-        dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
-      end
-
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
+      sig { params(dependency: Dependency).returns(T::Array[String]) }
+      def self.frameworks(dependency)
+        discovery_json = DiscoveryJsonReader.discovery_json
+        return [] unless discovery_json
+
+        workspace = DiscoveryJsonReader.new(
+          discovery_json: discovery_json
+        ).workspace_discovery
+        return [] unless workspace
+
+        workspace.projects.select do |project|
+          all_dependencies = project.dependencies + project.referenced_project_paths.flat_map do |ref|
+            workspace.projects.find { |p| p.file_path == ref }&.dependencies || []
+          end
+          all_dependencies.any? { |d| d.name.casecmp?(dependency.name) }
+        end.flat_map(&:target_frameworks).uniq
       end
     end
   end

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -160,12 +160,7 @@ module Dependabot
             T.let(
               CompatibilityChecker.new(
                 dependency_urls: dependency_urls,
-                dependency: dependency,
-                tfm_finder: TfmFinder.new(
-                  dependency_files: dependency_files,
-                  credentials: credentials,
-                  repo_contents_path: repo_contents_path
-                )
+                dependency: dependency
               ),
               T.nilable(Dependabot::Nuget::CompatibilityChecker)
             )

data/lib/dependabot/nuget/update_checker.rb

@@ -16,6 +16,8 @@ module Dependabot
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/dependency_finder"
 
+      PROPERTY_REGEX = /\$\((?<property>.*?)\)/
+
       sig { override.returns(T.nilable(String)) }
       def latest_version
         # No need to find latest version for transitive dependencies unless they have a vulnerability.
@@ -81,7 +83,7 @@ module Dependabot
         # that property couldn't be found, and the requirement therefore
         # cannot be unlocked (since we can't update that property)
         dependency.requirements.none? do |req|
-          req.fetch(:requirement)&.match?(Nuget::FileParser::PropertyValueFinder::PROPERTY_REGEX)
+          req.fetch(:requirement)&.match?(PROPERTY_REGEX)
         end
       end
 
@@ -219,6 +221,7 @@ module Dependabot
           T.let(
             Nuget::FileParser.new(
               dependency_files: dependency_files,
+              repo_contents_path: repo_contents_path,
               source: nil
             ).parse.select do |dep|
               dep.requirements.any? { |req| req.dig(:metadata, :property_name) }