RubyGems - dependabot-nuget - Versions diffs - 0.265.0 → 0.267.0 - Mend

dependabot-nuget 0.265.0 → 0.267.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c8985bae397230599aee116240d6569573ea126c70bc39a37a568935aaf3649
-  data.tar.gz: b137e9983b1ce14c86235b898a70039c53aadf9eb7a4389b94631bc787ba7914
+  metadata.gz: 19fd9d2635d3d1f5737870ebe8bcd155fb5e90557c7eec2b6832233bb0573b29
+  data.tar.gz: d1bd4ff99ae3fd8319a796cf04ba3a859c084cd465013cd5a1c8b106969a8183
 SHA512:
-  metadata.gz: bbcf0d5509e6bad8ea0af998c7ee6ea6047c13153c4111b2f9e46d568b559bcbe93eb21e8a200ee9deabb4c41bad10e789d236bb6fb30a34ed8c072a47537ced
-  data.tar.gz: 21ffbb1f7c7ff6a40d8db845b6e175c0f9478d5b99cadd969b127bbed07171b2b120bb3c6a107a1a41d59245906a7276f4006f0cdef4a2f01105d218596bfc6e
+  metadata.gz: 4b1c5c0ed9ca379e3c209c21dbc047e7364a9c3f7eda956ebd11a6f0f44b5a3a3e5a7fe9493ccafe82ac98bad132ab2323a56817c2f234c135814282cd229c30
+  data.tar.gz: c0f297752cb28d6c32df1261ab10199a5f39e17af23f3c3e46ed76aafd59785e79cd43c81e1a164b8fe92b9f7763f50e3d2c4a8d34c9bb59a4976d0e6eb44be4

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli/Commands/UpdateCommand.cs CHANGED Viewed

@@ -1,6 +1,4 @@
-using System;
 using System.CommandLine;
-using System.IO;
 using NuGetUpdater.Core;
@@ -15,6 +13,7 @@ internal static class UpdateCommand
     internal static readonly Option<string> PreviousVersionOption = new("--previous-version") { IsRequired = true };
     internal static readonly Option<bool> IsTransitiveOption = new("--transitive", getDefaultValue: () => false);
     internal static readonly Option<bool> VerboseOption = new("--verbose", getDefaultValue: () => false);
+    internal static readonly Option<string?> ResultOutputPathOption = new("--result-output-path", getDefaultValue: () => null);
     internal static Command GetCommand(Action<int> setExitCode)
     {
@@ -26,17 +25,18 @@ internal static class UpdateCommand
             NewVersionOption,
             PreviousVersionOption,
             IsTransitiveOption,
-            VerboseOption
+            VerboseOption,
+            ResultOutputPathOption
         };
         command.TreatUnmatchedTokensAsErrors = true;
-        command.SetHandler(async (repoRoot, solutionOrProjectFile, dependencyName, newVersion, previousVersion, isTransitive, verbose) =>
+        command.SetHandler(async (repoRoot, solutionOrProjectFile, dependencyName, newVersion, previousVersion, isTransitive, verbose, resultOutputPath) =>
         {
             var worker = new UpdaterWorker(new Logger(verbose));
-            await worker.RunAsync(repoRoot.FullName, solutionOrProjectFile.FullName, dependencyName, previousVersion, newVersion, isTransitive);
+            await worker.RunAsync(repoRoot.FullName, solutionOrProjectFile.FullName, dependencyName, previousVersion, newVersion, isTransitive, resultOutputPath);
             setExitCode(0);
-        }, RepoRootOption, SolutionOrProjectFileOption, DependencyNameOption, NewVersionOption, PreviousVersionOption, IsTransitiveOption, VerboseOption);
+        }, RepoRootOption, SolutionOrProjectFileOption, DependencyNameOption, NewVersionOption, PreviousVersionOption, IsTransitiveOption, VerboseOption, ResultOutputPathOption);
         return command;
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Analyze.cs CHANGED Viewed

@@ -134,6 +134,179 @@ public partial class EntryPointTests
             );
         }
+        [Fact]
+        public async Task DotNetToolsJsonCanBeAnalyzed()
+        {
+            var repoMetadata = XElement.Parse("""<repository type="git" url="https://nuget.example.com/some-global-tool" />""");
+            await RunAsync(path =>
+                [
+                    "analyze",
+                    "--repo-root",
+                    path,
+                    "--discovery-file-path",
+                    Path.Join(path, "discovery.json"),
+                    "--dependency-file-path",
+                    Path.Join(path, "some-global-tool.json"),
+                    "--analysis-folder-path",
+                    Path.Join(path, AnalyzeWorker.AnalysisDirectoryName),
+                    "--verbose",
+                ],
+                packages:
+                [
+                    MockNuGetPackage.CreateDotNetToolPackage("some-global-tool", "1.0.0", "net8.0", additionalMetadata: [repoMetadata]),
+                    MockNuGetPackage.CreateDotNetToolPackage("some-global-tool", "1.1.0", "net8.0", additionalMetadata: [repoMetadata]),
+                ],
+                dependencyName: "some-global-tool",
+                initialFiles:
+                [
+                    (".config/dotnet-tools.json", """
+                        {
+                          "version": 1,
+                          "isRoot": true,
+                          "tools": {
+                            "some-global-tool": {
+                              "version": "1.0.0",
+                              "commands": [
+                                "some-global-tool"
+                              ]
+                            }
+                          }
+                        }
+                        """),
+                    ("discovery.json", """
+                        {
+                          "Path": "",
+                          "IsSuccess": true,
+                          "Projects": [],
+                          "DotNetToolsJson": {
+                            "FilePath": ".config/dotnet-tools.json",
+                            "IsSuccess": true,
+                            "Dependencies": [
+                              {
+                                "Name": "some-global-tool",
+                                "Version": "1.0.0",
+                                "Type": "DotNetTool",
+                                "EvaluationResult": null,
+                                "TargetFrameworks": null,
+                                "IsDevDependency": false,
+                                "IsDirect": false,
+                                "IsTransitive": false,
+                                "IsOverride": false,
+                                "IsUpdate": false,
+                                "InfoUrl": null
+                              }
+                            ]
+                          }
+                        }
+                        """),
+                    ("some-global-tool.json", """
+                        {
+                          "Name": "some-global-tool",
+                          "Version": "1.0.0",
+                          "IsVulnerable": false,
+                          "IgnoredVersions": [],
+                          "Vulnerabilities": []
+                        }
+                        """),
+                ],
+                expectedResult: new()
+                {
+                    UpdatedVersion = "1.1.0",
+                    CanUpdate = true,
+                    VersionComesFromMultiDependencyProperty = false,
+                    UpdatedDependencies =
+                    [
+                        new Dependency("some-global-tool", "1.1.0", DependencyType.DotNetTool, TargetFrameworks: null, IsDirect: true, InfoUrl: "https://nuget.example.com/some-global-tool")
+                    ],
+                }
+            );
+        }
+        [Fact]
+        public async Task GlobalJsonCanBeAnalyzed()
+        {
+            var repoMetadata = XElement.Parse("""<repository type="git" url="https://nuget.example.com/some.msbuild.sdk" />""");
+            await RunAsync(path =>
+                [
+                    "analyze",
+                    "--repo-root",
+                    path,
+                    "--discovery-file-path",
+                    Path.Join(path, "discovery.json"),
+                    "--dependency-file-path",
+                    Path.Join(path, "Some.MSBuild.Sdk.json"),
+                    "--analysis-folder-path",
+                    Path.Join(path, AnalyzeWorker.AnalysisDirectoryName),
+                    "--verbose",
+                ],
+                packages:
+                [
+                    MockNuGetPackage.CreateMSBuildSdkPackage("Some.MSBuild.Sdk", "1.0.0", "net8.0", additionalMetadata: [repoMetadata]),
+                    MockNuGetPackage.CreateMSBuildSdkPackage("Some.MSBuild.Sdk", "1.1.0", "net8.0", additionalMetadata: [repoMetadata]),
+                ],
+                dependencyName: "Some.MSBuild.Sdk",
+                initialFiles:
+                [
+                    ("global.json", """
+                        {
+                          "sdk": {
+                            "version": "8.0.300",
+                            "rollForward": "latestPatch"
+                          },
+                          "msbuild-sdks": {
+                            "Some.MSBuild.Sdk": "1.0.0"
+                          }
+                        }
+                        """),
+                    ("discovery.json", """
+                        {
+                          "Path": "",
+                          "IsSuccess": true,
+                          "Projects": [],
+                          "GlobalJson": {
+                            "FilePath": "global.json",
+                            "IsSuccess": true,
+                            "Dependencies": [
+                              {
+                                "Name": "Some.MSBuild.Sdk",
+                                "Version": "1.0.0",
+                                "Type": "MSBuildSdk",
+                                "EvaluationResult": null,
+                                "TargetFrameworks": null,
+                                "IsDevDependency": false,
+                                "IsDirect": false,
+                                "IsTransitive": false,
+                                "IsOverride": false,
+                                "IsUpdate": false,
+                                "InfoUrl": null
+                              }
+                            ]
+                          }
+                        }
+                        """),
+                    ("Some.MSBuild.Sdk.json", """
+                        {
+                          "Name": "Some.MSBuild.Sdk",
+                          "Version": "1.0.0",
+                          "IsVulnerable": false,
+                          "IgnoredVersions": [],
+                          "Vulnerabilities": []
+                        }
+                        """),
+                ],
+                expectedResult: new()
+                {
+                    UpdatedVersion = "1.1.0",
+                    CanUpdate = true,
+                    VersionComesFromMultiDependencyProperty = false,
+                    UpdatedDependencies =
+                    [
+                        new Dependency("Some.MSBuild.Sdk", "1.1.0", DependencyType.MSBuildSdk, TargetFrameworks: null, IsDirect: true, InfoUrl: "https://nuget.example.com/some.msbuild.sdk")
+                    ],
+                }
+            );
+        }
         private static async Task RunAsync(Func<string, string[]> getArgs, string dependencyName, TestFile[] initialFiles, ExpectedAnalysisResult expectedResult, MockNuGetPackage[]? packages = null)
         {
             var actualResult = await RunAnalyzerAsync(dependencyName, initialFiles, async path =>

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalysisResult.cs CHANGED Viewed

@@ -2,7 +2,7 @@ using System.Collections.Immutable;
 namespace NuGetUpdater.Core.Analyze;
-public record AnalysisResult
+public record AnalysisResult : NativeResult
 {
     public required string UpdatedVersion { get; init; }
     public bool CanUpdate { get; init; }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs CHANGED Viewed

@@ -1,8 +1,8 @@
 using System.Collections.Immutable;
+using System.Net;
 using System.Text.Json;
 using System.Text.Json.Serialization;
-using NuGet.Configuration;
 using NuGet.Frameworks;
 using NuGet.Versioning;
@@ -51,76 +51,110 @@ public partial class AnalyzeWorker
             => p.Dependencies.Where(d => !d.IsTransitive &&
                 d.EvaluationResult?.RootPropertyName is not null)
             ).ToImmutableArray();
+        var dotnetToolsHasDependency = discovery.DotNetToolsJson?.Dependencies.Any(d => d.Name.Equals(dependencyInfo.Name, StringComparison.OrdinalIgnoreCase)) == true;
+        var globalJsonHasDependency = discovery.GlobalJson?.Dependencies.Any(d => d.Name.Equals(dependencyInfo.Name, StringComparison.OrdinalIgnoreCase)) == true;
         bool usesMultiDependencyProperty = false;
         NuGetVersion? updatedVersion = null;
         ImmutableArray<Dependency> updatedDependencies = [];
-        bool isUpdateNecessary = IsUpdateNecessary(dependencyInfo, projectsWithDependency);
-        if (isUpdateNecessary)
+        bool isProjectUpdateNecessary = IsUpdateNecessary(dependencyInfo, projectsWithDependency);
+        var isUpdateNecessary = isProjectUpdateNecessary || dotnetToolsHasDependency || globalJsonHasDependency;
+        using var nugetContext = new NuGetContext(startingDirectory);
+        AnalysisResult result;
+        try
         {
-            var nugetContext = new NuGetContext(startingDirectory);
-            if (!Directory.Exists(nugetContext.TempPackageDirectory))
+            if (isUpdateNecessary)
             {
-                Directory.CreateDirectory(nugetContext.TempPackageDirectory);
-            }
-            _logger.Log($"  Determining multi-dependency property.");
-            var multiDependencies = DetermineMultiDependencyDetails(
-                discovery,
-                dependencyInfo.Name,
-                propertyBasedDependencies);
-            usesMultiDependencyProperty = multiDependencies.Any(md => md.DependencyNames.Count > 1);
-            var dependenciesToUpdate = usesMultiDependencyProperty
-                ? multiDependencies
-                    .SelectMany(md => md.DependencyNames)
-                    .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
-                : [dependencyInfo.Name];
-            var applicableTargetFrameworks = usesMultiDependencyProperty
-                ? multiDependencies
-                    .SelectMany(md => md.TargetFrameworks)
-                    .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
-                    .Select(NuGetFramework.Parse)
-                    .ToImmutableArray()
-                : projectFrameworks;
-            _logger.Log($"  Finding updated version.");
-            updatedVersion = await FindUpdatedVersionAsync(
-                startingDirectory,
-                dependencyInfo,
-                dependenciesToUpdate,
-                applicableTargetFrameworks,
-                nugetContext,
-                _logger,
-                CancellationToken.None);
-            _logger.Log($"  Finding updated peer dependencies.");
-            updatedDependencies = updatedVersion is not null
-                ? await FindUpdatedDependenciesAsync(
-                    repoRoot,
+                _logger.Log($"  Determining multi-dependency property.");
+                var multiDependencies = DetermineMultiDependencyDetails(
                     discovery,
+                    dependencyInfo.Name,
+                    propertyBasedDependencies);
+                usesMultiDependencyProperty = multiDependencies.Any(md => md.DependencyNames.Count > 1);
+                var dependenciesToUpdate = usesMultiDependencyProperty
+                    ? multiDependencies
+                        .SelectMany(md => md.DependencyNames)
+                        .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
+                    : [dependencyInfo.Name];
+                var applicableTargetFrameworks = usesMultiDependencyProperty
+                    ? multiDependencies
+                        .SelectMany(md => md.TargetFrameworks)
+                        .ToImmutableHashSet(StringComparer.OrdinalIgnoreCase)
+                        .Select(NuGetFramework.Parse)
+                        .ToImmutableArray()
+                    : projectFrameworks;
+                _logger.Log($"  Finding updated version.");
+                updatedVersion = await FindUpdatedVersionAsync(
+                    startingDirectory,
+                    dependencyInfo,
                     dependenciesToUpdate,
-                    updatedVersion,
+                    applicableTargetFrameworks,
                     nugetContext,
                     _logger,
-                    CancellationToken.None)
-                : [];
-            //TODO: At this point we should add the peer dependencies to a queue where
-            // we will analyze them one by one to see if they themselves are part of a
-            // multi-dependency property. Basically looping this if-body until we have
-            // emptied the queue and have a complete list of updated dependencies. We
-            // should track the dependenciesToUpdate as they have already been analyzed.
-        }
+                    CancellationToken.None);
+                _logger.Log($"  Finding updated peer dependencies.");
+                if (updatedVersion is null)
+                {
+                    updatedDependencies = [];
+                }
+                else if (isProjectUpdateNecessary)
+                {
+                    updatedDependencies = await FindUpdatedDependenciesAsync(
+                        repoRoot,
+                        discovery,
+                        dependenciesToUpdate,
+                        updatedVersion,
+                        nugetContext,
+                        _logger,
+                        CancellationToken.None);
+                }
+                else if (dotnetToolsHasDependency)
+                {
+                    var infoUrl = await nugetContext.GetPackageInfoUrlAsync(dependencyInfo.Name, updatedVersion.ToNormalizedString(), CancellationToken.None);
+                    updatedDependencies = [new Dependency(dependencyInfo.Name, updatedVersion.ToNormalizedString(), DependencyType.DotNetTool, IsDirect: true, InfoUrl: infoUrl)];
+                }
+                else if (globalJsonHasDependency)
+                {
+                    var infoUrl = await nugetContext.GetPackageInfoUrlAsync(dependencyInfo.Name, updatedVersion.ToNormalizedString(), CancellationToken.None);
+                    updatedDependencies = [new Dependency(dependencyInfo.Name, updatedVersion.ToNormalizedString(), DependencyType.MSBuildSdk, IsDirect: true, InfoUrl: infoUrl)];
+                }
+                else
+                {
+                    throw new InvalidOperationException("Unreachable.");
+                }
+                //TODO: At this point we should add the peer dependencies to a queue where
+                // we will analyze them one by one to see if they themselves are part of a
+                // multi-dependency property. Basically looping this if-body until we have
+                // emptied the queue and have a complete list of updated dependencies. We
+                // should track the dependenciesToUpdate as they have already been analyzed.
+            }
-        var result = new AnalysisResult
+            result = new AnalysisResult
+            {
+                UpdatedVersion = updatedVersion?.ToNormalizedString() ?? dependencyInfo.Version,
+                CanUpdate = updatedVersion is not null,
+                VersionComesFromMultiDependencyProperty = usesMultiDependencyProperty,
+                UpdatedDependencies = updatedDependencies,
+            };
+        }
+        catch (HttpRequestException ex)
+        when (ex.StatusCode == HttpStatusCode.Unauthorized || ex.StatusCode == HttpStatusCode.Forbidden)
         {
-            UpdatedVersion = updatedVersion?.ToNormalizedString() ?? dependencyInfo.Version,
-            CanUpdate = updatedVersion is not null,
-            VersionComesFromMultiDependencyProperty = usesMultiDependencyProperty,
-            UpdatedDependencies = updatedDependencies,
-        };
+            // TODO: consolidate this error handling between AnalyzeWorker, DiscoveryWorker, and UpdateWorker
+            result = new AnalysisResult
+            {
+                ErrorType = ErrorType.AuthenticationFailure,
+                ErrorDetails = "(" + string.Join("|", nugetContext.PackageSources.Select(s => s.Source)) + ")",
+                UpdatedVersion = string.Empty,
+                CanUpdate = false,
+                UpdatedDependencies = [],
+            };
+        }
         await WriteResultsAsync(analysisDirectory, dependencyInfo.Name, result, _logger);
@@ -314,27 +348,6 @@ public partial class AnalyzeWorker
         return true;
     }
-    internal static async Task<ImmutableDictionary<NuGetFramework, ImmutableArray<Dependency>>> GetDependenciesAsync(
-        string workspacePath,
-        string projectPath,
-        IEnumerable<NuGetFramework> frameworks,
-        Dependency package,
-        Logger logger)
-    {
-        var result = ImmutableDictionary.CreateBuilder<NuGetFramework, ImmutableArray<Dependency>>();
-        foreach (var framework in frameworks)
-        {
-            var dependencies = await MSBuildHelper.GetAllPackageDependenciesAsync(
-                workspacePath,
-                projectPath,
-                framework.ToString(),
-                [package],
-                logger);
-            result.Add(framework, [.. dependencies]);
-        }
-        return result.ToImmutable();
-    }
     internal static async Task<ImmutableArray<Dependency>> FindUpdatedDependenciesAsync(
         string repoRoot,
         WorkspaceDiscoveryResult discovery,

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/CompatabilityChecker.cs CHANGED Viewed

@@ -54,6 +54,11 @@ internal static class CompatibilityChecker
         var compatibilityService = new FrameworkCompatibilityService();
         var compatibleFrameworks = compatibilityService.GetCompatibleFrameworks(packageFrameworks);
+        var packageSupportsAny = compatibleFrameworks.Any(f => f.IsAny);
+        if (packageSupportsAny)
+        {
+            return true;
+        }
         var incompatibleFrameworks = projectFrameworks.Where(f => !compatibleFrameworks.Contains(f)).ToArray();
         if (incompatibleFrameworks.Length > 0)
@@ -141,15 +146,23 @@ internal static class CompatibilityChecker
                 throw new NotSupportedException($"Failed to get FindPackageByIdResource for {source.SourceUri}");
             }
-            var exists = await feed.DoesPackageExistAsync(
-                package.Id,
-                package.Version,
-                context.SourceCacheContext,
-                NullLogger.Instance,
-                cancellationToken);
-            if (!exists)
+            try
+            {
+                // a non-compliant v2 API returning 404 can cause this to throw
+                var exists = await feed.DoesPackageExistAsync(
+                    package.Id,
+                    package.Version,
+                    context.SourceCacheContext,
+                    NullLogger.Instance,
+                    cancellationToken);
+                if (!exists)
+                {
+                    continue;
+                }
+            }
+            catch (FatalProtocolException)
             {
+                // if anything goes wrong here, the package source obviously doesn't contain the requested package
                 continue;
             }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/NuGetContext.cs CHANGED Viewed

@@ -37,16 +37,34 @@ internal record NuGetContext : IDisposable
             .Where(p => p.IsEnabled)
             .ToImmutableArray();
         Logger = logger ?? NullLogger.Instance;
-        TempPackageDirectory = Path.Combine(Path.GetTempPath(), ".dependabot", "packages");
+        TempPackageDirectory = Path.Combine(Path.GetTempPath(), $"dependabot-packages_{Guid.NewGuid():d}");
+        Directory.CreateDirectory(TempPackageDirectory);
     }
     public void Dispose()
     {
         SourceCacheContext.Dispose();
+        if (Directory.Exists(TempPackageDirectory))
+        {
+            try
+            {
+                Directory.Delete(TempPackageDirectory, recursive: true);
+            }
+            catch
+            {
+            }
+        }
     }
     private readonly Dictionary<PackageIdentity, string?> _packageInfoUrlCache = new();
+    public static string[] GetPackageSourceUrls(string currentDirectory)
+    {
+        using var context = new NuGetContext(currentDirectory);
+        var sourceUrls = context.PackageSources.Select(s => s.Source).ToArray();
+        return sourceUrls;
+    }
     public async Task<string?> GetPackageInfoUrlAsync(string packageId, string packageVersion, CancellationToken cancellationToken)
     {
         var packageIdentity = new PackageIdentity(packageId, NuGetVersion.Parse(packageVersion));
@@ -86,15 +104,24 @@ internal record NuGetContext : IDisposable
                 continue;
             }
-            var existsInFeed = await feed.Exists(
-                packageIdentity,
-                includeUnlisted: false,
-                SourceCacheContext,
-                NullLogger.Instance,
-                cancellationToken);
-            if (!existsInFeed)
+            try
+            {
+                // a non-compliant v2 API returning 404 can cause this to throw
+                var existsInFeed = await feed.Exists(
+                    packageIdentity,
+                    includeUnlisted: false,
+                    SourceCacheContext,
+                    NullLogger.Instance,
+                    cancellationToken);
+                if (!existsInFeed)
+                {
+                    message.AppendLine($"    package {packageIdentity} does not exist in {source.Name}");
+                    continue;
+                }
+            }
+            catch (FatalProtocolException)
             {
-                message.AppendLine($"    package {packageIdentity} does not exist in {source.Name}");
+                // if anything goes wrong here, the package source obviously doesn't contain the requested package
                 continue;
             }