dependabot-nuget 0.265.0 → 0.267.0

data/lib/dependabot/nuget/file_updater.rb

@@ -21,6 +21,8 @@ module Dependabot
         [
           %r{^[^/]*\.([a-z]{2})?proj$},
           /^packages\.config$/i,
+          /^app\.config$/i,
+          /^web\.config$/i,
           /^global\.json$/i,
           /^dotnet-tools\.json$/i,
           /^Directory\.Build\.props$/i,

data/lib/dependabot/nuget/metadata_finder.rb

@@ -12,16 +12,148 @@ module Dependabot
     class MetadataFinder < Dependabot::MetadataFinders::Base
       extend T::Sig
 
+      sig do
+        override
+          .params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential]
+          )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        @dependency_nuspec_file = T.let(nil, T.nilable(Nokogiri::XML::Document))
+
+        super
+      end
+
       private
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
-        source_url = dependency_source_url
-        return Source.from_url(source_url) if source_url
+        return Source.from_url(dependency_source_url) if dependency_source_url
+
+        if dependency_nuspec_file
+          src_repo = look_up_source_in_nuspec(T.must(dependency_nuspec_file))
+          return src_repo if src_repo
+        end
+
+        # Fallback to getting source from the search result's projectUrl or licenseUrl.
+        # GitHub Packages doesn't support getting the `.nuspec`, switch to getting
+        # that instead once it is supported.
+        src_repo_from_project
+      rescue StandardError
+        # At this point in the process the PR is ready to be posted, we tried to gather commit
+        # and release notes, but have encountered an exception. So let's eat it since it's
+        # better to have a PR with no info than error out.
+        nil
+      end
+
+      sig { returns(T.nilable(Dependabot::Source)) }
+      def src_repo_from_project
+        source = dependency.requirements.find { |r| r.fetch(:source) }&.fetch(:source)
+        return unless source
+
+        # Query the service index e.g. https://nuget.pkg.github.com/ORG/index.json
+        response = Dependabot::RegistryClient.get(
+          url: source.fetch(:url),
+          headers: { **auth_header, "Accept" => "application/json" }
+        )
+        return unless response.status == 200
 
+        # Extract the query url e.g. https://nuget.pkg.github.com/ORG/query
+        search_base = extract_search_url(response.body)
+        return unless search_base
+
+        response = Dependabot::RegistryClient.get(
+          url: search_base + "?q=#{dependency.name.downcase}&prerelease=true&semVerLevel=2.0.0",
+          headers: { **auth_header, "Accept" => "application/json" }
+        )
+        return unless response.status == 200
+
+        # Find a projectUrl or licenseUrl that look like a source URL
+        extract_source_repo(response.body)
+      rescue JSON::ParserError
+        # Ignored, this is expected for some registries that don't handle these request.
+      end
+
+      sig { params(body: String).returns(T.nilable(String)) }
+      def extract_search_url(body)
+        JSON.parse(body)
+            .fetch("resources", [])
+            .find { |r| r.fetch("@type") == "SearchQueryService" }
+            &.fetch("@id")
+      end
+
+      sig { params(body: String).returns(T.nilable(Dependabot::Source)) }
+      def extract_source_repo(body)
+        JSON.parse(body).fetch("data", []).each do |search_result|
+          next unless search_result["id"].casecmp(dependency.name).zero?
+
+          if search_result.key?("projectUrl")
+            source = Source.from_url(search_result.fetch("projectUrl"))
+            return source if source
+          end
+          if search_result.key?("licenseUrl")
+            source = Source.from_url(search_result.fetch("licenseUrl"))
+            return source if source
+          end
+        end
+        # failed to find a source URL
         nil
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
+      def look_up_source_in_nuspec(nuspec)
+        potential_source_urls = [
+          nuspec.at_css("package > metadata > repository")
+                &.attribute("url")&.value,
+          nuspec.at_css("package > metadata > repository > url")&.content,
+          nuspec.at_css("package > metadata > projectUrl")&.content,
+          nuspec.at_css("package > metadata > licenseUrl")&.content
+        ].compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        source_url ||= source_from_anywhere_in_nuspec(nuspec)
+
+        Source.from_url(source_url)
+      end
+
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(String)) }
+      def source_from_anywhere_in_nuspec(nuspec)
+        github_urls = []
+        nuspec.to_s.force_encoding(Encoding::UTF_8)
+              .scan(Source::SOURCE_REGEX) do
+          github_urls << Regexp.last_match.to_s
+        end
+
+        github_urls.find do |url|
+          repo = T.must(Source.from_url(url)).repo
+          repo.downcase.end_with?(dependency.name.downcase)
+        end
+      end
+
+      sig { returns(T.nilable(Nokogiri::XML::Document)) }
+      def dependency_nuspec_file
+        return @dependency_nuspec_file unless @dependency_nuspec_file.nil?
+
+        return if dependency_nuspec_url.nil?
+
+        response = Dependabot::RegistryClient.get(
+          url: T.must(dependency_nuspec_url),
+          headers: auth_header
+        )
+
+        @dependency_nuspec_file = Nokogiri::XML(response.body)
+      end
+
+      sig { returns(T.nilable(String)) }
+      def dependency_nuspec_url
+        source = dependency.requirements
+                           .find { |r| r.fetch(:source) }&.fetch(:source)
+
+        source.fetch(:nuspec_url) if source&.key?(:nuspec_url)
+      end
+
       sig { returns(T.nilable(String)) }
       def dependency_source_url
         source = dependency.requirements
@@ -32,6 +164,32 @@ module Dependabot
 
         source.fetch("source_url")
       end
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T::Hash[String, String]) }
+      def auth_header
+        source = dependency.requirements
+                           .find { |r| r.fetch(:source) }&.fetch(:source)
+        url = source&.fetch(:url, nil) || source&.fetch("url")
+
+        token = credentials
+                .select { |cred| cred["type"] == "nuget_feed" }
+                .find { |cred| cred["url"] == url }
+                &.fetch("token", nil)
+
+        return {} unless token
+
+        if token.include?(":")
+          encoded_token = Base64.encode64(token).delete("\n")
+          { "Authorization" => "Basic #{encoded_token}" }
+        elsif Base64.decode64(token).ascii_only? &&
+              Base64.decode64(token).include?(":")
+          { "Authorization" => "Basic #{token.delete("\n")}" }
+        else
+          { "Authorization" => "Bearer #{token}" }
+        end
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
     end
   end
 end

data/lib/dependabot/nuget/native_discovery/native_workspace_discovery.rb

@@ -4,6 +4,7 @@
 require "dependabot/nuget/native_discovery/native_dependency_file_discovery"
 require "dependabot/nuget/native_discovery/native_directory_packages_props_discovery"
 require "dependabot/nuget/native_discovery/native_project_discovery"
+require "dependabot/nuget/native_helpers"
 require "sorbet-runtime"
 
 module Dependabot
@@ -13,6 +14,8 @@ module Dependabot
 
       sig { params(json: T::Hash[String, T.untyped]).returns(NativeWorkspaceDiscovery) }
       def self.from_json(json)
+        Dependabot::Nuget::NativeHelpers.ensure_no_errors(json)
+
         path = T.let(json.fetch("Path"), String)
         path = "/" + path unless path.start_with?("/")
         projects = T.let(json.fetch("Projects"), T::Array[T::Hash[String, T.untyped]]).filter_map do |project|

data/lib/dependabot/nuget/native_helpers.rb

@@ -169,11 +169,12 @@ module Dependabot
         end
       end
 
+      # rubocop:disable Metrics/MethodLength
       sig do
         params(repo_root: String, proj_path: String, dependency: Dependency,
-               is_transitive: T::Boolean).returns([String, String])
+               is_transitive: T::Boolean, result_output_path: String).returns([String, String])
       end
-      def self.get_nuget_updater_tool_command(repo_root:, proj_path:, dependency:, is_transitive:)
+      def self.get_nuget_updater_tool_command(repo_root:, proj_path:, dependency:, is_transitive:, result_output_path:)
         exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
         command_parts = [
           exe_path,
@@ -189,6 +190,8 @@ module Dependabot
           "--previous-version",
           dependency.previous_version,
           is_transitive ? "--transitive" : nil,
+          "--result-output-path",
+          result_output_path,
           "--verbose"
         ].compact
 
@@ -208,11 +211,19 @@ module Dependabot
           "--previous-version",
           "<previous-version>",
           is_transitive ? "--transitive" : nil,
+          "--result-output-path",
+          "<result-output-path>",
           "--verbose"
         ].compact.join(" ")
 
         [command, fingerprint]
       end
+      # rubocop:enable Metrics/MethodLength
+
+      sig { returns(String) }
+      def self.update_result_file_path
+        File.join(Dir.tmpdir, "update-result.json")
+      end
 
       sig do
         params(
@@ -225,13 +236,35 @@ module Dependabot
       end
       def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency:, is_transitive:, credentials:)
         (command, fingerprint) = get_nuget_updater_tool_command(repo_root: repo_root, proj_path: proj_path,
-                                                                dependency: dependency, is_transitive: is_transitive)
+                                                                dependency: dependency, is_transitive: is_transitive,
+                                                                result_output_path: update_result_file_path)
 
         puts "running NuGet updater:\n" + command
 
         NuGetConfigCredentialHelpers.patch_nuget_config_for_action(credentials) do
           output = SharedHelpers.run_shell_command(command, allow_unsafe_shell_command: true, fingerprint: fingerprint)
           puts output
+
+          result_contents = File.read(update_result_file_path)
+          Dependabot.logger.info("update result: #{result_contents}")
+          result_json = T.let(JSON.parse(result_contents), T::Hash[String, T.untyped])
+          ensure_no_errors(result_json)
+        end
+      end
+
+      sig { params(json: T::Hash[String, T.untyped]).void }
+      def self.ensure_no_errors(json)
+        error_type = T.let(json.fetch("ErrorType", nil), T.nilable(String))
+        error_details = T.let(json.fetch("ErrorDetails", nil), T.nilable(String))
+        case error_type
+        when "None", nil
+          # no issue
+        when "AuthenticationFailure"
+          raise PrivateSourceAuthenticationFailure, error_details
+        when "MissingFile"
+          raise DependencyFileNotFound, error_details
+        else
+          raise "Unexpected error type from native tool: #{error_type}: #{error_details}"
         end
       end
     end

data/lib/dependabot/nuget/native_update_checker/native_update_checker.rb

@@ -134,6 +134,7 @@ module Dependabot
           nil?
         end
 
+        Dependabot.logger.info("Writing dependency info: #{dependency_info}")
         File.write(dependency_file_path, dependency_info)
       end
 

data/lib/dependabot/nuget/nuget_config_credential_helpers.rb

@@ -68,6 +68,9 @@ module Dependabot
         add_credentials_to_nuget_config(credentials)
         begin
           yield
+        rescue DependabotError
+          # forward these
+          raise
         rescue StandardError => e
           log_message =
             <<~LOG_MESSAGE

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.265.0
+  version: 0.267.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-11 00:00:00.000000000 Z
+date: 2024-07-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.265.0
+        version: 0.267.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.265.0
+        version: 0.267.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -134,14 +134,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.63.2
+        version: 1.65.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.63.2
+        version: 1.65.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -328,6 +328,7 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TemporaryDirectory.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TestBase.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TestExtensions.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TestHttpServer.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/PackagesConfigUpdaterTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTestBase.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Update/UpdateWorkerTests.DirsProj.cs
@@ -369,6 +370,7 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/ProjectDiscoveryResult.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/SdkProjectDiscovery.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/WorkspaceDiscoveryResult.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core/ErrorType.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/EvaluationResult.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/EvaluationResultType.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Files/BuildFile.cs
@@ -381,6 +383,8 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/FrameworkChecker/CompatabilityChecker.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/FrameworkChecker/FrameworkCompatibilityService.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/FrameworkChecker/SupportedFrameworks.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core/MissingFileException.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core/NativeResult.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/NuGetUpdater.Core.csproj
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Property.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/BindingRedirectManager.cs
@@ -390,6 +394,7 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/GlobalJsonUpdater.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/PackagesConfigUpdater.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/SdkPackageUpdater.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/UpdateOperationResult.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/UpdateResult.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/UpdaterWorker.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core/Updater/WebApplicationTargetsConditionPatcher.cs
@@ -456,7 +461,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.265.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.267.0
 post_install_message: 
 rdoc_options: []
 require_paths: