dependabot-nuget 0.263.0 → 0.265.0

data/lib/dependabot/nuget/native_discovery/native_dependency_file_discovery.rb

@@ -0,0 +1,129 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/native_discovery/native_dependency_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativeDependencyFileDiscovery
+      extend T::Sig
+
+      sig do
+        params(json: T.nilable(T::Hash[String, T.untyped]),
+               directory: String).returns(T.nilable(NativeDependencyFileDiscovery))
+      end
+      def self.from_json(json, directory)
+        return nil if json.nil?
+
+        file_path = File.join(directory, T.let(json.fetch("FilePath"), String))
+        dependencies = T.let(json.fetch("Dependencies"), T::Array[T::Hash[String, T.untyped]]).map do |dep|
+          NativeDependencyDetails.from_json(dep)
+        end
+
+        NativeDependencyFileDiscovery.new(file_path: file_path,
+                                          dependencies: dependencies)
+      end
+
+      sig do
+        params(file_path: String,
+               dependencies: T::Array[NativeDependencyDetails]).void
+      end
+      def initialize(file_path:, dependencies:)
+        @file_path = file_path
+        @dependencies = dependencies
+      end
+
+      sig { returns(String) }
+      attr_reader :file_path
+
+      sig { returns(T::Array[NativeDependencyDetails]) }
+      attr_reader :dependencies
+
+      sig { overridable.returns(Dependabot::FileParsers::Base::DependencySet) }
+      def dependency_set # rubocop:disable Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity,Metrics/AbcSize
+        dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+        file_name = Pathname.new(file_path).cleanpath.to_path
+        dependencies.each do |dependency|
+          next if dependency.name.casecmp("Microsoft.NET.Sdk")&.zero?
+
+          # If the version string was evaluated it must have been successfully resolved
+          if dependency.evaluation && dependency.evaluation&.result_type != "Success"
+            logger.warn "Dependency '#{dependency.name}' excluded due to unparsable version: #{dependency.version}"
+            next
+          end
+
+          # Exclude any dependencies using version ranges or wildcards
+          next if dependency.version&.include?(",") ||
+                  dependency.version&.include?("*")
+
+          # Exclude any dependencies specified using interpolation
+          next if dependency.name.include?("%(") ||
+                  dependency.version&.include?("%(")
+
+          # Exclude any dependencies which reference an item type
+          next if dependency.name.include?("@(")
+
+          dependency_file_name = file_name
+          if dependency.type == "PackagesConfig"
+            dir_name = File.dirname(file_name)
+            dependency_file_name = "packages.config"
+            dependency_file_name = File.join(dir_name, "packages.config") unless dir_name == "."
+          end
+
+          dependency_set << build_dependency(dependency_file_name, dependency)
+        end
+
+        dependency_set
+      end
+
+      private
+
+      sig { returns(::Logger) }
+      def logger
+        Dependabot.logger
+      end
+
+      sig { params(file_name: String, dependency_details: NativeDependencyDetails).returns(Dependabot::Dependency) }
+      def build_dependency(file_name, dependency_details)
+        requirement = build_requirement(file_name, dependency_details)
+        requirements = requirement.nil? ? [] : [requirement]
+
+        version = dependency_details.version&.gsub(/[\(\)\[\]]/, "")&.strip
+        version = nil if version&.empty?
+
+        Dependency.new(
+          name: dependency_details.name,
+          version: version,
+          package_manager: "nuget",
+          requirements: requirements
+        )
+      end
+
+      sig do
+        params(file_name: String, dependency_details: NativeDependencyDetails)
+          .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+      end
+      def build_requirement(file_name, dependency_details)
+        return if dependency_details.is_transitive
+
+        version = dependency_details.version
+        version = nil if version&.empty?
+
+        requirement = {
+          requirement: version,
+          file: file_name,
+          groups: [dependency_details.is_dev_dependency ? "devDependencies" : "dependencies"],
+          source: nil
+        }
+
+        property_name = dependency_details.evaluation&.root_property_name
+        return requirement unless property_name
+
+        requirement[:metadata] = { property_name: property_name }
+        requirement
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/native_discovery/native_directory_packages_props_discovery.rb

@@ -0,0 +1,44 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/native_discovery/native_dependency_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativeDirectoryPackagesPropsDiscovery < NativeDependencyFileDiscovery
+      extend T::Sig
+
+      sig do
+        override.params(json: T.nilable(T::Hash[String, T.untyped]),
+                        directory: String).returns(T.nilable(NativeDirectoryPackagesPropsDiscovery))
+      end
+      def self.from_json(json, directory)
+        return nil if json.nil?
+
+        file_path = File.join(directory, T.let(json.fetch("FilePath"), String))
+        is_transitive_pinning_enabled = T.let(json.fetch("IsTransitivePinningEnabled"), T::Boolean)
+        dependencies = T.let(json.fetch("Dependencies"), T::Array[T::Hash[String, T.untyped]]).map do |dep|
+          NativeDependencyDetails.from_json(dep)
+        end
+
+        NativeDirectoryPackagesPropsDiscovery.new(file_path: file_path,
+                                                  is_transitive_pinning_enabled: is_transitive_pinning_enabled,
+                                                  dependencies: dependencies)
+      end
+
+      sig do
+        params(file_path: String,
+               is_transitive_pinning_enabled: T::Boolean,
+               dependencies: T::Array[NativeDependencyDetails]).void
+      end
+      def initialize(file_path:, is_transitive_pinning_enabled:, dependencies:)
+        super(file_path: file_path, dependencies: dependencies)
+        @is_transitive_pinning_enabled = is_transitive_pinning_enabled
+      end
+
+      sig { returns(T::Boolean) }
+      attr_reader :is_transitive_pinning_enabled
+    end
+  end
+end

data/lib/dependabot/nuget/native_discovery/native_discovery_json_reader.rb

@@ -0,0 +1,174 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/nuget/native_discovery/native_workspace_discovery"
+require "json"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativeDiscoveryJsonReader
+      extend T::Sig
+
+      sig { returns(T::Hash[String, NativeDiscoveryJsonReader]) }
+      def self.discovery_result_cache
+        T.let(CacheManager.cache("discovery_json_cache"), T::Hash[String, NativeDiscoveryJsonReader])
+      end
+
+      sig { returns(T::Hash[String, String]) }
+      def self.discovery_path_cache
+        T.let(CacheManager.cache("discovery_path_cache"), T::Hash[String, String])
+      end
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).returns(NativeDiscoveryJsonReader)
+      end
+      def self.get_discovery_from_dependency_files(dependency_files)
+        key = create_cache_key(dependency_files)
+        discovery_json = discovery_result_cache[key]
+        raise "No discovery result for specified dependency files: #{key}" unless discovery_json
+
+        discovery_json
+      end
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          discovery: NativeDiscoveryJsonReader
+        ).void
+      end
+      def self.set_discovery_from_dependency_files(dependency_files:, discovery:)
+        key = create_cache_key(dependency_files)
+        discovery_result_cache[key] = discovery
+      end
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).returns(String)
+      end
+      def self.get_discovery_file_path_from_dependency_files(dependency_files)
+        key = create_cache_key(dependency_files)
+        discovery_path = discovery_path_cache[key]
+        raise "No discovery path found for specified dependency files: #{key}" unless discovery_path
+
+        discovery_path
+      end
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).returns(String)
+      end
+      def self.create_discovery_file_path_from_dependency_files(dependency_files)
+        discovery_key = create_cache_key(dependency_files)
+        if discovery_path_cache[discovery_key]
+          raise "Discovery file path already exists for the given dependency files: #{discovery_key}"
+        end
+
+        discovery_counter_cache = T.let(CacheManager.cache("discovery_counter_cache"), T::Hash[String, Integer])
+        counter_key = "counter"
+        current_counter = discovery_counter_cache[counter_key] || 0
+        current_counter += 1
+        discovery_counter_cache[counter_key] = current_counter
+        incremeted_discovery_file_path = File.join(temp_directory, "discovery.#{current_counter}.json")
+        discovery_path_cache[discovery_key] = incremeted_discovery_file_path
+        incremeted_discovery_file_path
+      end
+
+      # this is a test-only method
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
+      def self.clear_discovery_file_path_from_cache(dependency_files)
+        key = create_cache_key(dependency_files)
+        discovery_file_path = discovery_path_cache[key]
+        File.delete(discovery_file_path) if discovery_file_path && File.exist?(discovery_file_path)
+        discovery_path_cache.delete(key)
+      end
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).returns(String)
+      end
+      def self.create_cache_key(dependency_files)
+        dependency_files.map { |d| d.to_h.except("content") }.to_s
+      end
+
+      sig { returns(String) }
+      def self.temp_directory
+        File.join(Dir.tmpdir, ".dependabot")
+      end
+
+      sig do
+        params(
+          discovery_json_path: String
+        ).returns(T.nilable(DependencyFile))
+      end
+      def self.discovery_json_from_path(discovery_json_path)
+        return unless File.exist?(discovery_json_path)
+
+        DependencyFile.new(
+          name: Pathname.new(discovery_json_path).cleanpath.to_path,
+          directory: temp_directory,
+          type: "file",
+          content: File.read(discovery_json_path)
+        )
+      end
+
+      sig { returns(T.nilable(NativeWorkspaceDiscovery)) }
+      attr_reader :workspace_discovery
+
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      attr_reader :dependency_set
+
+      sig { params(discovery_json: DependencyFile).void }
+      def initialize(discovery_json:)
+        @discovery_json = discovery_json
+        @workspace_discovery = T.let(read_workspace_discovery, T.nilable(Dependabot::Nuget::NativeWorkspaceDiscovery))
+        @dependency_set = T.let(read_dependency_set, Dependabot::FileParsers::Base::DependencySet)
+      end
+
+      private
+
+      sig { returns(DependencyFile) }
+      attr_reader :discovery_json
+
+      sig { returns(T.nilable(NativeWorkspaceDiscovery)) }
+      def read_workspace_discovery
+        return nil unless discovery_json.content
+
+        parsed_json = T.let(JSON.parse(T.must(discovery_json.content)), T::Hash[String, T.untyped])
+        NativeWorkspaceDiscovery.from_json(parsed_json)
+      rescue JSON::ParserError
+        raise Dependabot::DependencyFileNotParseable, discovery_json.path
+      end
+
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      def read_dependency_set
+        dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+        return dependency_set unless workspace_discovery
+
+        workspace_result = T.must(workspace_discovery)
+        workspace_result.projects.each do |project|
+          dependency_set += project.dependency_set
+        end
+        if workspace_result.directory_packages_props
+          dependency_set += T.must(workspace_result.directory_packages_props).dependency_set
+        end
+        if workspace_result.dotnet_tools_json
+          dependency_set += T.must(workspace_result.dotnet_tools_json).dependency_set
+        end
+        dependency_set += T.must(workspace_result.global_json).dependency_set if workspace_result.global_json
+
+        dependency_set
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/native_discovery/native_evaluation_details.rb

@@ -0,0 +1,63 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativeEvaluationDetails
+      extend T::Sig
+
+      sig { params(json: T.nilable(T::Hash[String, T.untyped])).returns(T.nilable(NativeEvaluationDetails)) }
+      def self.from_json(json)
+        return nil if json.nil?
+
+        result_type = T.let(json.fetch("ResultType"), String)
+        original_value = T.let(json.fetch("OriginalValue"), String)
+        evaluated_value = T.let(json.fetch("EvaluatedValue"), String)
+        root_property_name = T.let(json.fetch("RootPropertyName", nil), T.nilable(String))
+        error_message = T.let(json.fetch("ErrorMessage", nil), T.nilable(String))
+
+        NativeEvaluationDetails.new(result_type: result_type,
+                                    original_value: original_value,
+                                    evaluated_value: evaluated_value,
+                                    root_property_name: root_property_name,
+                                    error_message: error_message)
+      end
+
+      sig do
+        params(result_type: String,
+               original_value: String,
+               evaluated_value: String,
+               root_property_name: T.nilable(String),
+               error_message: T.nilable(String)).void
+      end
+      def initialize(result_type:,
+                     original_value:,
+                     evaluated_value:,
+                     root_property_name:,
+                     error_message:)
+        @result_type = result_type
+        @original_value = original_value
+        @evaluated_value = evaluated_value
+        @root_property_name = root_property_name
+        @error_message = error_message
+      end
+
+      sig { returns(String) }
+      attr_reader :result_type
+
+      sig { returns(String) }
+      attr_reader :original_value
+
+      sig { returns(String) }
+      attr_reader :evaluated_value
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :root_property_name
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :error_message
+    end
+  end
+end

data/lib/dependabot/nuget/native_discovery/native_project_discovery.rb

@@ -0,0 +1,82 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/native_discovery/native_dependency_details"
+require "dependabot/nuget/native_discovery/native_property_details"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativeProjectDiscovery < NativeDependencyFileDiscovery
+      extend T::Sig
+
+      sig do
+        override.params(json: T.nilable(T::Hash[String, T.untyped]),
+                        directory: String).returns(T.nilable(NativeProjectDiscovery))
+      end
+      def self.from_json(json, directory)
+        return nil if json.nil?
+
+        file_path = File.join(directory, T.let(json.fetch("FilePath"), String))
+        properties = T.let(json.fetch("Properties"), T::Array[T::Hash[String, T.untyped]]).map do |prop|
+          NativePropertyDetails.from_json(prop)
+        end
+        target_frameworks = T.let(json.fetch("TargetFrameworks"), T::Array[String])
+        referenced_project_paths = T.let(json.fetch("ReferencedProjectPaths"), T::Array[String])
+        dependencies = T.let(json.fetch("Dependencies"), T::Array[T::Hash[String, T.untyped]]).filter_map do |dep|
+          details = NativeDependencyDetails.from_json(dep)
+          next unless details.version # can't do anything without a version
+
+          version = T.must(details.version)
+          next unless version.length.positive? # can't do anything with an empty version
+
+          next if version.include? "," # can't do anything with a range
+
+          next if version.include? "*" # can't do anything with a wildcard
+
+          details
+        end
+
+        NativeProjectDiscovery.new(file_path: file_path,
+                                   properties: properties,
+                                   target_frameworks: target_frameworks,
+                                   referenced_project_paths: referenced_project_paths,
+                                   dependencies: dependencies)
+      end
+
+      sig do
+        params(file_path: String,
+               properties: T::Array[NativePropertyDetails],
+               target_frameworks: T::Array[String],
+               referenced_project_paths: T::Array[String],
+               dependencies: T::Array[NativeDependencyDetails]).void
+      end
+      def initialize(file_path:, properties:, target_frameworks:, referenced_project_paths:, dependencies:)
+        super(file_path: file_path, dependencies: dependencies)
+        @properties = properties
+        @target_frameworks = target_frameworks
+        @referenced_project_paths = referenced_project_paths
+      end
+
+      sig { returns(T::Array[NativePropertyDetails]) }
+      attr_reader :properties
+
+      sig { returns(T::Array[String]) }
+      attr_reader :target_frameworks
+
+      sig { returns(T::Array[String]) }
+      attr_reader :referenced_project_paths
+
+      sig { override.returns(Dependabot::FileParsers::Base::DependencySet) }
+      def dependency_set
+        if target_frameworks.empty? && file_path.end_with?("proj")
+          Dependabot.logger.warn("Excluding project file '#{file_path}' due to unresolvable target framework")
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+          return dependency_set
+        end
+
+        super
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/native_discovery/native_property_details.rb

@@ -0,0 +1,43 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativePropertyDetails
+      extend T::Sig
+
+      sig { params(json: T::Hash[String, T.untyped]).returns(NativePropertyDetails) }
+      def self.from_json(json)
+        name = T.let(json.fetch("Name"), String)
+        value = T.let(json.fetch("Value"), String)
+        source_file_path = T.let(json.fetch("SourceFilePath"), String)
+
+        NativePropertyDetails.new(name: name,
+                                  value: value,
+                                  source_file_path: source_file_path)
+      end
+
+      sig do
+        params(name: String,
+               value: String,
+               source_file_path: String).void
+      end
+      def initialize(name:, value:, source_file_path:)
+        @name = name
+        @value = value
+        @source_file_path = source_file_path
+      end
+
+      sig { returns(String) }
+      attr_reader :name
+
+      sig { returns(String) }
+      attr_reader :value
+
+      sig { returns(String) }
+      attr_reader :source_file_path
+    end
+  end
+end

data/lib/dependabot/nuget/native_discovery/native_workspace_discovery.rb

@@ -0,0 +1,68 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/nuget/native_discovery/native_dependency_file_discovery"
+require "dependabot/nuget/native_discovery/native_directory_packages_props_discovery"
+require "dependabot/nuget/native_discovery/native_project_discovery"
+require "sorbet-runtime"
+
+module Dependabot
+  module Nuget
+    class NativeWorkspaceDiscovery
+      extend T::Sig
+
+      sig { params(json: T::Hash[String, T.untyped]).returns(NativeWorkspaceDiscovery) }
+      def self.from_json(json)
+        path = T.let(json.fetch("Path"), String)
+        path = "/" + path unless path.start_with?("/")
+        projects = T.let(json.fetch("Projects"), T::Array[T::Hash[String, T.untyped]]).filter_map do |project|
+          NativeProjectDiscovery.from_json(project, path)
+        end
+        directory_packages_props = NativeDirectoryPackagesPropsDiscovery
+                                   .from_json(T.let(json.fetch("DirectoryPackagesProps"),
+                                                    T.nilable(T::Hash[String, T.untyped])), path)
+        global_json = NativeDependencyFileDiscovery
+                      .from_json(T.let(json.fetch("GlobalJson"), T.nilable(T::Hash[String, T.untyped])), path)
+        dotnet_tools_json = NativeDependencyFileDiscovery
+                            .from_json(T.let(json.fetch("DotNetToolsJson"),
+                                             T.nilable(T::Hash[String, T.untyped])), path)
+
+        NativeWorkspaceDiscovery.new(path: path,
+                                     projects: projects,
+                                     directory_packages_props: directory_packages_props,
+                                     global_json: global_json,
+                                     dotnet_tools_json: dotnet_tools_json)
+      end
+
+      sig do
+        params(path: String,
+               projects: T::Array[NativeProjectDiscovery],
+               directory_packages_props: T.nilable(NativeDirectoryPackagesPropsDiscovery),
+               global_json: T.nilable(NativeDependencyFileDiscovery),
+               dotnet_tools_json: T.nilable(NativeDependencyFileDiscovery)).void
+      end
+      def initialize(path:, projects:, directory_packages_props:, global_json:, dotnet_tools_json:)
+        @path = path
+        @projects = projects
+        @directory_packages_props = directory_packages_props
+        @global_json = global_json
+        @dotnet_tools_json = dotnet_tools_json
+      end
+
+      sig { returns(String) }
+      attr_reader :path
+
+      sig { returns(T::Array[NativeProjectDiscovery]) }
+      attr_reader :projects
+
+      sig { returns(T.nilable(NativeDirectoryPackagesPropsDiscovery)) }
+      attr_reader :directory_packages_props
+
+      sig { returns(T.nilable(NativeDependencyFileDiscovery)) }
+      attr_reader :global_json
+
+      sig { returns(T.nilable(NativeDependencyFileDiscovery)) }
+      attr_reader :dotnet_tools_json
+    end
+  end
+end

data/lib/dependabot/nuget/native_helpers.rb

@@ -110,6 +110,65 @@ module Dependabot
         end
       end
 
+      sig do
+        params(repo_root: String, discovery_file_path: String, dependency_file_path: String,
+               analysis_folder_path: String).returns([String, String])
+      end
+      def self.get_nuget_analyze_tool_command(repo_root:, discovery_file_path:, dependency_file_path:,
+                                              analysis_folder_path:)
+        exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
+        command_parts = [
+          exe_path,
+          "analyze",
+          "--repo-root",
+          repo_root,
+          "--discovery-file-path",
+          discovery_file_path,
+          "--dependency-file-path",
+          dependency_file_path,
+          "--analysis-folder-path",
+          analysis_folder_path,
+          "--verbose"
+        ].compact
+
+        command = Shellwords.join(command_parts)
+
+        fingerprint = [
+          exe_path,
+          "analyze",
+          "--discovery-file-path",
+          "<discovery-file-path>",
+          "--dependency-file-path",
+          "<dependency-file-path>",
+          "--analysis-folder-path",
+          "<analysis_folder_path>",
+          "--verbose"
+        ].compact.join(" ")
+
+        [command, fingerprint]
+      end
+
+      sig do
+        params(
+          repo_root: String, discovery_file_path: String, dependency_file_path: String,
+          analysis_folder_path: String, credentials: T::Array[Dependabot::Credential]
+        ).void
+      end
+      def self.run_nuget_analyze_tool(repo_root:, discovery_file_path:, dependency_file_path:,
+                                      analysis_folder_path:, credentials:)
+        (command, fingerprint) = get_nuget_analyze_tool_command(repo_root: repo_root,
+                                                                discovery_file_path: discovery_file_path,
+                                                                dependency_file_path: dependency_file_path,
+                                                                analysis_folder_path: analysis_folder_path)
+
+        puts "running NuGet analyze:\n" + command
+
+        NuGetConfigCredentialHelpers.patch_nuget_config_for_action(credentials) do
+          output = SharedHelpers.run_shell_command(command, allow_unsafe_shell_command: true, fingerprint: fingerprint)
+          puts output
+        end
+      end
+
       sig do
         params(repo_root: String, proj_path: String, dependency: Dependency,
                is_transitive: T::Boolean).returns([String, String])