dependabot-nuget 0.271.0 → 0.272.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/AnalyzeWorker.cs +19 -4
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/DiscoveryWorker.cs +14 -6
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Utilities/MSBuildHelper.cs +1 -1
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs +51 -0
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Discover/DiscoveryWorkerTests.cs +83 -0
- data/lib/dependabot/nuget/file_parser.rb +4 -1
- data/lib/dependabot/nuget/file_updater.rb +100 -126
- data/lib/dependabot/nuget/native_discovery/native_dependency_file_discovery.rb +4 -6
- data/lib/dependabot/nuget/native_discovery/native_discovery_json_reader.rb +78 -4
- data/lib/dependabot/nuget/native_discovery/native_project_discovery.rb +1 -0
- data/lib/dependabot/nuget/native_helpers.rb +25 -10
- data/lib/dependabot/nuget/native_update_checker/native_requirements_updater.rb +17 -8
- data/lib/dependabot/nuget/native_update_checker/native_update_checker.rb +45 -10
- data/lib/dependabot/nuget/update_checker/requirements_updater.rb +4 -4
- data/lib/dependabot/nuget/update_checker.rb +2 -1
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b33f6b0a817def66d738b6d998bedf0248881c225ddf6b97fa0a5405d92b9d23
|
|
4
|
+
data.tar.gz: 9e736306b9d21e95639627ea2fe585d2e47a8979e1096545b4da2ed49e8dbd5f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4dddbe1b9c9cbf4fb9d7876c143cfbd713bf2f6ca501210ae40a7c37bb2076687ea75996042e9ccc6582a6cd535a24eb3b2caa3143b5e8c3ef8ff500455f7827
|
|
7
|
+
data.tar.gz: f51748be257babb63de285cec8981ca84e580fa48b6d6fec2a89892f485f46ae237af86ab387a584c27c8f207ba1ae16167570bffdc59cf3cd4bb64ac27e9830
|
|
@@ -108,6 +108,7 @@ public partial class AnalyzeWorker
|
|
|
108
108
|
discovery,
|
|
109
109
|
dependenciesToUpdate,
|
|
110
110
|
updatedVersion,
|
|
111
|
+
dependencyInfo,
|
|
111
112
|
nugetContext,
|
|
112
113
|
_logger,
|
|
113
114
|
CancellationToken.None);
|
|
@@ -359,6 +360,7 @@ public partial class AnalyzeWorker
|
|
|
359
360
|
WorkspaceDiscoveryResult discovery,
|
|
360
361
|
ImmutableHashSet<string> packageIds,
|
|
361
362
|
NuGetVersion updatedVersion,
|
|
363
|
+
DependencyInfo dependencyInfo,
|
|
362
364
|
NuGetContext nugetContext,
|
|
363
365
|
Logger logger,
|
|
364
366
|
CancellationToken cancellationToken)
|
|
@@ -379,10 +381,23 @@ public partial class AnalyzeWorker
|
|
|
379
381
|
.Select(NuGetFramework.Parse)
|
|
380
382
|
.ToImmutableArray();
|
|
381
383
|
|
|
382
|
-
// When updating
|
|
383
|
-
var
|
|
384
|
-
.
|
|
385
|
-
|
|
384
|
+
// When updating dependencies, we only need to consider top-level dependencies _UNLESS_ it's specifically vulnerable
|
|
385
|
+
var relevantDependencies = projectsWithDependency.SelectMany(p => p.Dependencies)
|
|
386
|
+
.Where(d =>
|
|
387
|
+
{
|
|
388
|
+
if (string.Compare(d.Name, dependencyInfo.Name, StringComparison.OrdinalIgnoreCase) == 0 &&
|
|
389
|
+
dependencyInfo.IsVulnerable)
|
|
390
|
+
{
|
|
391
|
+
// if this dependency is one we're specifically updating _and_ if it's vulnerable, always update it
|
|
392
|
+
return true;
|
|
393
|
+
}
|
|
394
|
+
else
|
|
395
|
+
{
|
|
396
|
+
// otherwise only update if it's a top-level dependency
|
|
397
|
+
return !d.IsTransitive;
|
|
398
|
+
}
|
|
399
|
+
});
|
|
400
|
+
var projectDependencyNames = relevantDependencies
|
|
386
401
|
.Select(d => d.Name)
|
|
387
402
|
.ToImmutableHashSet(StringComparer.OrdinalIgnoreCase);
|
|
388
403
|
|
|
@@ -199,13 +199,21 @@ public partial class DiscoveryWorker
|
|
|
199
199
|
}
|
|
200
200
|
else
|
|
201
201
|
{
|
|
202
|
-
|
|
203
|
-
// keep this project and check for references
|
|
204
|
-
expandedProjects.Add(candidateEntryPoint);
|
|
205
|
-
IEnumerable<string> referencedProjects = ExpandItemGroupFilesFromProject(candidateEntryPoint, "ProjectReference");
|
|
206
|
-
foreach (string referencedProject in referencedProjects)
|
|
202
|
+
switch (extension)
|
|
207
203
|
{
|
|
208
|
-
|
|
204
|
+
case ".csproj":
|
|
205
|
+
case ".fsproj":
|
|
206
|
+
case ".vbproj":
|
|
207
|
+
// keep this project and check for references
|
|
208
|
+
expandedProjects.Add(candidateEntryPoint);
|
|
209
|
+
IEnumerable<string> referencedProjects = ExpandItemGroupFilesFromProject(candidateEntryPoint, "ProjectReference");
|
|
210
|
+
foreach (string referencedProject in referencedProjects)
|
|
211
|
+
{
|
|
212
|
+
filesToExpand.Push(referencedProject);
|
|
213
|
+
}
|
|
214
|
+
break;
|
|
215
|
+
default:
|
|
216
|
+
continue;
|
|
209
217
|
}
|
|
210
218
|
}
|
|
211
219
|
}
|
|
@@ -169,7 +169,7 @@ internal static partial class MSBuildHelper
|
|
|
169
169
|
string.Equals(property.Condition, $"'$({property.Name})' == ''", StringComparison.OrdinalIgnoreCase);
|
|
170
170
|
if (hasEmptyCondition || conditionIsCheckingForEmptyString)
|
|
171
171
|
{
|
|
172
|
-
properties[property.Name] = new(property.Name, property.Value, buildFile.RelativePath);
|
|
172
|
+
properties[property.Name] = new(property.Name, property.Value, PathHelper.NormalizePathToUnix(buildFile.RelativePath));
|
|
173
173
|
}
|
|
174
174
|
}
|
|
175
175
|
}
|
|
@@ -347,6 +347,57 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
|
|
|
347
347
|
);
|
|
348
348
|
}
|
|
349
349
|
|
|
350
|
+
[Fact]
|
|
351
|
+
public async Task AnalyzeVulnerableTransitiveDependencies()
|
|
352
|
+
{
|
|
353
|
+
await TestAnalyzeAsync(
|
|
354
|
+
packages:
|
|
355
|
+
[
|
|
356
|
+
MockNuGetPackage.CreateSimplePackage("Some.Transitive.Dependency", "1.0.0", "net8.0"),
|
|
357
|
+
MockNuGetPackage.CreateSimplePackage("Some.Transitive.Dependency", "1.0.1", "net8.0"),
|
|
358
|
+
],
|
|
359
|
+
discovery: new()
|
|
360
|
+
{
|
|
361
|
+
Path = "/",
|
|
362
|
+
Projects = [
|
|
363
|
+
new()
|
|
364
|
+
{
|
|
365
|
+
FilePath = "project.csproj",
|
|
366
|
+
TargetFrameworks = ["net8.0"],
|
|
367
|
+
Dependencies = [
|
|
368
|
+
new("Some.Transitive.Dependency", "1.0.0", DependencyType.Unknown, TargetFrameworks: ["net8.0"], IsTransitive: true),
|
|
369
|
+
]
|
|
370
|
+
}
|
|
371
|
+
]
|
|
372
|
+
},
|
|
373
|
+
dependencyInfo: new()
|
|
374
|
+
{
|
|
375
|
+
Name = "Some.Transitive.Dependency",
|
|
376
|
+
Version = "1.0.0",
|
|
377
|
+
IsVulnerable = true,
|
|
378
|
+
IgnoredVersions = [],
|
|
379
|
+
Vulnerabilities = [
|
|
380
|
+
new()
|
|
381
|
+
{
|
|
382
|
+
DependencyName = "Some.Transitive.Dependency",
|
|
383
|
+
PackageManager = "nuget",
|
|
384
|
+
VulnerableVersions = [Requirement.Parse("<= 1.0.0")],
|
|
385
|
+
SafeVersions = [Requirement.Parse("= 1.0.1")],
|
|
386
|
+
}
|
|
387
|
+
]
|
|
388
|
+
},
|
|
389
|
+
expectedResult: new()
|
|
390
|
+
{
|
|
391
|
+
UpdatedVersion = "1.0.1",
|
|
392
|
+
CanUpdate = true,
|
|
393
|
+
VersionComesFromMultiDependencyProperty = false,
|
|
394
|
+
UpdatedDependencies = [
|
|
395
|
+
new("Some.Transitive.Dependency", "1.0.1", DependencyType.Unknown, TargetFrameworks: ["net8.0"]),
|
|
396
|
+
],
|
|
397
|
+
}
|
|
398
|
+
);
|
|
399
|
+
}
|
|
400
|
+
|
|
350
401
|
[Fact]
|
|
351
402
|
public async Task IgnoredVersionsCanHandleWildcardSpecification()
|
|
352
403
|
{
|
|
@@ -375,6 +375,89 @@ public partial class DiscoveryWorkerTests : DiscoveryWorkerTestBase
|
|
|
375
375
|
);
|
|
376
376
|
}
|
|
377
377
|
|
|
378
|
+
[Fact]
|
|
379
|
+
public async Task NonSupportedProjectExtensionsAreSkipped()
|
|
380
|
+
{
|
|
381
|
+
await TestDiscoveryAsync(
|
|
382
|
+
packages:
|
|
383
|
+
[
|
|
384
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.0.0", "net8.0"),
|
|
385
|
+
],
|
|
386
|
+
workspacePath: "/",
|
|
387
|
+
files: new[]
|
|
388
|
+
{
|
|
389
|
+
("solution.sln", """
|
|
390
|
+
Microsoft Visual Studio Solution File, Format Version 12.00
|
|
391
|
+
# Visual Studio Version 17
|
|
392
|
+
VisualStudioVersion = 17.10.35027.167
|
|
393
|
+
MinimumVisualStudioVersion = 10.0.40219.1
|
|
394
|
+
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "supported", "src\supported.csproj", "{4A3B8D8A-A585-4593-8AF3-DED05AE3C40F}"
|
|
395
|
+
EndProject
|
|
396
|
+
Project("{54435603-DBB4-11D2-8724-00A0C9A8B90C}") = "unsupported", "src\unsupported.vdproj", "{271E533C-8A44-4572-8C18-CD65A79F8658}"
|
|
397
|
+
EndProject
|
|
398
|
+
Global
|
|
399
|
+
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
|
400
|
+
Debug|Any CPU = Debug|Any CPU
|
|
401
|
+
Release|Any CPU = Release|Any CPU
|
|
402
|
+
EndGlobalSection
|
|
403
|
+
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
|
404
|
+
{4A3B8D8A-A585-4593-8AF3-DED05AE3C40F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
|
405
|
+
{4A3B8D8A-A585-4593-8AF3-DED05AE3C40F}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
|
406
|
+
{4A3B8D8A-A585-4593-8AF3-DED05AE3C40F}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
|
407
|
+
{4A3B8D8A-A585-4593-8AF3-DED05AE3C40F}.Release|Any CPU.Build.0 = Release|Any CPU
|
|
408
|
+
{271E533C-8A44-4572-8C18-CD65A79F8658}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
|
409
|
+
{271E533C-8A44-4572-8C18-CD65A79F8658}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
|
410
|
+
{271E533C-8A44-4572-8C18-CD65A79F8658}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
|
411
|
+
{271E533C-8A44-4572-8C18-CD65A79F8658}.Release|Any CPU.Build.0 = Release|Any CPU
|
|
412
|
+
EndGlobalSection
|
|
413
|
+
GlobalSection(SolutionProperties) = preSolution
|
|
414
|
+
HideSolutionNode = FALSE
|
|
415
|
+
EndGlobalSection
|
|
416
|
+
GlobalSection(ExtensibilityGlobals) = postSolution
|
|
417
|
+
SolutionGuid = {EE5BDEF7-1D4D-4773-9659-FC4A3846CD6D}
|
|
418
|
+
EndGlobalSection
|
|
419
|
+
EndGlobal
|
|
420
|
+
"""),
|
|
421
|
+
("src/supported.csproj", """
|
|
422
|
+
<Project Sdk="Microsoft.NET.Sdk">
|
|
423
|
+
<PropertyGroup>
|
|
424
|
+
<TargetFramework>net8.0</TargetFramework>
|
|
425
|
+
</PropertyGroup>
|
|
426
|
+
<ItemGroup>
|
|
427
|
+
<PackageReference Include="Some.Package" Version="1.0.0" />
|
|
428
|
+
</ItemGroup>
|
|
429
|
+
</Project>
|
|
430
|
+
"""),
|
|
431
|
+
("src/unsupported.vdproj", """
|
|
432
|
+
"DeployProject"
|
|
433
|
+
{
|
|
434
|
+
"SomeKey" = "SomeValue"
|
|
435
|
+
}
|
|
436
|
+
"""),
|
|
437
|
+
},
|
|
438
|
+
expectedResult: new()
|
|
439
|
+
{
|
|
440
|
+
Path = "",
|
|
441
|
+
Projects = [
|
|
442
|
+
new()
|
|
443
|
+
{
|
|
444
|
+
FilePath = "src/supported.csproj",
|
|
445
|
+
TargetFrameworks = ["net8.0"],
|
|
446
|
+
ReferencedProjectPaths = [],
|
|
447
|
+
ExpectedDependencyCount = 2,
|
|
448
|
+
Dependencies = [
|
|
449
|
+
new("Microsoft.NET.Sdk", null, DependencyType.MSBuildSdk),
|
|
450
|
+
new("Some.Package", "1.0.0", DependencyType.PackageReference, TargetFrameworks: ["net8.0"], IsDirect: true)
|
|
451
|
+
],
|
|
452
|
+
Properties = [
|
|
453
|
+
new("TargetFramework", "net8.0", @"src/supported.csproj"),
|
|
454
|
+
]
|
|
455
|
+
}
|
|
456
|
+
]
|
|
457
|
+
}
|
|
458
|
+
);
|
|
459
|
+
}
|
|
460
|
+
|
|
378
461
|
[Fact]
|
|
379
462
|
public async Task ResultFileHasCorrectShapeForAuthenticationFailure()
|
|
380
463
|
{
|
|
@@ -50,7 +50,10 @@ module Dependabot
|
|
|
50
50
|
# cache discovery results
|
|
51
51
|
NativeDiscoveryJsonReader.set_discovery_from_dependency_files(dependency_files: dependency_files,
|
|
52
52
|
discovery: discovery_json_reader)
|
|
53
|
-
|
|
53
|
+
# we only return top-level dependencies and requirements here
|
|
54
|
+
dependency_set = discovery_json_reader.dependency_set(dependency_files: dependency_files,
|
|
55
|
+
top_level_only: true)
|
|
56
|
+
dependency_set.dependencies
|
|
54
57
|
end
|
|
55
58
|
|
|
56
59
|
T.must(self.class.file_dependency_cache[key])
|
|
@@ -16,35 +16,32 @@ module Dependabot
|
|
|
16
16
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
17
17
|
extend T::Sig
|
|
18
18
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
]
|
|
33
|
-
|
|
34
|
-
#
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
/^Packages\.props$/i
|
|
46
|
-
]
|
|
47
|
-
end
|
|
19
|
+
DependencyDetails = T.type_alias do
|
|
20
|
+
{
|
|
21
|
+
file: String,
|
|
22
|
+
name: String,
|
|
23
|
+
version: String,
|
|
24
|
+
previous_version: String,
|
|
25
|
+
is_transitive: T::Boolean
|
|
26
|
+
}
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
sig { override.returns(T::Array[Regexp]) }
|
|
30
|
+
def self.updated_files_regex
|
|
31
|
+
[
|
|
32
|
+
/.*\.([a-z]{2})?proj$/, # Matches files with any extension like .csproj, .vbproj, etc., in any directory
|
|
33
|
+
/packages\.config$/i, # Matches packages.config in any directory
|
|
34
|
+
/app\.config$/i, # Matches app.config in any directory
|
|
35
|
+
/web\.config$/i, # Matches web.config in any directory
|
|
36
|
+
/global\.json$/i, # Matches global.json in any directory
|
|
37
|
+
/dotnet-tools\.json$/i, # Matches dotnet-tools.json in any directory
|
|
38
|
+
/Directory\.Build\.props$/i, # Matches Directory.Build.props in any directory
|
|
39
|
+
/Directory\.Build\.targets$/i, # Matches Directory.Build.targets in any directory
|
|
40
|
+
/Directory\.targets$/i, # Matches Directory.targets in any directory or root directory
|
|
41
|
+
/Packages\.props$/i, # Matches Packages.props in any directory
|
|
42
|
+
/.*\.nuspec$/, # Matches any .nuspec files in any directory
|
|
43
|
+
%r{^\.config/dotnet-tools\.json$} # Matches .config/dotnet-tools.json in only root directory
|
|
44
|
+
]
|
|
48
45
|
end
|
|
49
46
|
|
|
50
47
|
sig { params(original_content: T.nilable(String), updated_content: String).returns(T::Boolean) }
|
|
@@ -65,9 +62,21 @@ module Dependabot
|
|
|
65
62
|
def updated_dependency_files
|
|
66
63
|
base_dir = "/"
|
|
67
64
|
SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
|
|
68
|
-
|
|
69
|
-
|
|
65
|
+
expanded_dependency_details.each do |dep_details|
|
|
66
|
+
file = T.let(dep_details.fetch(:file), String)
|
|
67
|
+
name = T.let(dep_details.fetch(:name), String)
|
|
68
|
+
version = T.let(dep_details.fetch(:version), String)
|
|
69
|
+
previous_version = T.let(dep_details.fetch(:previous_version), String)
|
|
70
|
+
is_transitive = T.let(dep_details.fetch(:is_transitive), T::Boolean)
|
|
71
|
+
NativeHelpers.run_nuget_updater_tool(repo_root: T.must(repo_contents_path),
|
|
72
|
+
proj_path: file,
|
|
73
|
+
dependency_name: name,
|
|
74
|
+
version: version,
|
|
75
|
+
previous_version: previous_version,
|
|
76
|
+
is_transitive: is_transitive,
|
|
77
|
+
credentials: credentials)
|
|
70
78
|
end
|
|
79
|
+
|
|
71
80
|
updated_files = dependency_files.filter_map do |f|
|
|
72
81
|
updated_content = File.read(dependency_file_path(f))
|
|
73
82
|
next if updated_content == f.content
|
|
@@ -87,104 +96,69 @@ module Dependabot
|
|
|
87
96
|
|
|
88
97
|
private
|
|
89
98
|
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
checked_key = "#{project_file.name}-#{dependency.name}#{dependency.version}"
|
|
105
|
-
call_nuget_updater_tool(dependency, proj_path) unless checked_files.include?(checked_key)
|
|
106
|
-
|
|
107
|
-
checked_files.add(checked_key)
|
|
108
|
-
# We need to check the downstream references even though we're already evaluated the file
|
|
109
|
-
downstream_files = referenced_project_paths(project_file)
|
|
110
|
-
downstream_files.each do |downstream_file|
|
|
111
|
-
checked_files.add("#{downstream_file}-#{dependency.name}#{dependency.version}")
|
|
99
|
+
# rubocop:disable Metrics/AbcSize
|
|
100
|
+
sig { returns(T::Array[DependencyDetails]) }
|
|
101
|
+
def expanded_dependency_details
|
|
102
|
+
discovery_json_reader = NativeDiscoveryJsonReader.get_discovery_from_dependency_files(dependency_files)
|
|
103
|
+
dependency_set = discovery_json_reader.dependency_set(dependency_files: dependency_files, top_level_only: false)
|
|
104
|
+
all_dependencies = dependency_set.dependencies
|
|
105
|
+
dependencies.map do |dep|
|
|
106
|
+
# if vulnerable metadata is set, re-fetch all requirements from discovery
|
|
107
|
+
is_vulnerable = T.let(dep.metadata.fetch(:is_vulnerable, false), T::Boolean)
|
|
108
|
+
relevant_dependencies = all_dependencies.filter { |d| d.name.casecmp?(dep.name) }
|
|
109
|
+
candidate_vulnerable_dependency = T.must(relevant_dependencies.first)
|
|
110
|
+
relevant_dependency = is_vulnerable ? candidate_vulnerable_dependency : dep
|
|
111
|
+
relevant_details = relevant_dependency.requirements.filter_map do |req|
|
|
112
|
+
dependency_details_from_requirement(dep.name, req, is_vulnerable: is_vulnerable)
|
|
112
113
|
end
|
|
113
|
-
update_ran = true
|
|
114
|
-
end
|
|
115
|
-
update_ran
|
|
116
|
-
end
|
|
117
|
-
|
|
118
|
-
sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
|
|
119
|
-
def try_update_json(dependency)
|
|
120
|
-
if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) } ||
|
|
121
|
-
global_json_dependencies.any? { |dep| dep.name.casecmp?(dependency.name) }
|
|
122
|
-
|
|
123
|
-
# We just need to feed the updater a project file, grab the first
|
|
124
|
-
project_file = T.must(project_files.first)
|
|
125
|
-
proj_path = dependency_file_path(project_file)
|
|
126
|
-
|
|
127
|
-
return false unless repo_contents_path
|
|
128
|
-
|
|
129
|
-
call_nuget_updater_tool(dependency, proj_path)
|
|
130
|
-
return true
|
|
131
|
-
end
|
|
132
114
|
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
T.must(@update_tooling_calls[key]) + 1
|
|
150
|
-
else
|
|
151
|
-
1
|
|
115
|
+
next relevant_details if relevant_details.any?
|
|
116
|
+
|
|
117
|
+
# If we didn't find anything to update, we're in a very specific corner case: we were explicitly asked to
|
|
118
|
+
# (1) update a certain dependency, (2) it wasn't listed as a security update, but (3) it only exists as a
|
|
119
|
+
# transitive dependency. In this case, we need to rebuild the dependency requirements as if this were a
|
|
120
|
+
# security update so that we can perform the appropriate update.
|
|
121
|
+
candidate_vulnerable_dependency.requirements.filter_map do |req|
|
|
122
|
+
rebuilt_req = {
|
|
123
|
+
file: req[:file], # simple copy
|
|
124
|
+
requirement: relevant_dependency.version, # the newly available version
|
|
125
|
+
metadata: {
|
|
126
|
+
is_transitive: T.let(req[:metadata], T::Hash[Symbol, T.untyped])[:is_transitive], # simple copy
|
|
127
|
+
previous_requirement: req[:requirement] # the old requirement's "current" version is now the "previous"
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
dependency_details_from_requirement(dep.name, rebuilt_req, is_vulnerable: true)
|
|
152
131
|
end
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
#
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
end
|
|
184
|
-
|
|
185
|
-
sig { returns(T::Array[NativeDependencyDetails]) }
|
|
186
|
-
def dotnet_tools_json_dependencies
|
|
187
|
-
workspace&.dotnet_tools_json&.dependencies || []
|
|
132
|
+
end.flatten
|
|
133
|
+
end
|
|
134
|
+
# rubocop:enable Metrics/AbcSize
|
|
135
|
+
|
|
136
|
+
sig do
|
|
137
|
+
params(
|
|
138
|
+
name: String,
|
|
139
|
+
requirement: T::Hash[Symbol, T.untyped],
|
|
140
|
+
is_vulnerable: T::Boolean
|
|
141
|
+
).returns(T.nilable(DependencyDetails))
|
|
142
|
+
end
|
|
143
|
+
def dependency_details_from_requirement(name, requirement, is_vulnerable:)
|
|
144
|
+
metadata = T.let(requirement.fetch(:metadata), T::Hash[Symbol, T.untyped])
|
|
145
|
+
current_file = T.let(requirement.fetch(:file), String)
|
|
146
|
+
return nil unless current_file.match?(/\.(cs|vb|fs)proj$/)
|
|
147
|
+
|
|
148
|
+
is_transitive = T.let(metadata.fetch(:is_transitive), T::Boolean)
|
|
149
|
+
return nil if !is_vulnerable && is_transitive
|
|
150
|
+
|
|
151
|
+
version = T.let(requirement.fetch(:requirement), String)
|
|
152
|
+
previous_version = T.let(metadata[:previous_requirement], String)
|
|
153
|
+
return nil if version == previous_version
|
|
154
|
+
|
|
155
|
+
{
|
|
156
|
+
file: T.let(requirement.fetch(:file), String),
|
|
157
|
+
name: name,
|
|
158
|
+
version: version,
|
|
159
|
+
previous_version: previous_version,
|
|
160
|
+
is_transitive: is_transitive
|
|
161
|
+
}
|
|
188
162
|
end
|
|
189
163
|
|
|
190
164
|
# rubocop:disable Metrics/PerceivedComplexity
|
|
@@ -106,22 +106,20 @@ module Dependabot
|
|
|
106
106
|
.returns(T.nilable(T::Hash[Symbol, T.untyped]))
|
|
107
107
|
end
|
|
108
108
|
def build_requirement(file_name, dependency_details)
|
|
109
|
-
return if dependency_details.is_transitive
|
|
110
|
-
|
|
111
109
|
version = dependency_details.version
|
|
112
110
|
version = nil if version&.empty?
|
|
111
|
+
metadata = { is_transitive: dependency_details.is_transitive }
|
|
113
112
|
|
|
114
113
|
requirement = {
|
|
115
114
|
requirement: version,
|
|
116
115
|
file: file_name,
|
|
117
116
|
groups: [dependency_details.is_dev_dependency ? "devDependencies" : "dependencies"],
|
|
118
|
-
source: nil
|
|
117
|
+
source: nil,
|
|
118
|
+
metadata: metadata
|
|
119
119
|
}
|
|
120
120
|
|
|
121
121
|
property_name = dependency_details.evaluation&.root_property_name
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
requirement[:metadata] = { property_name: property_name }
|
|
122
|
+
metadata[:property_name] = property_name if property_name
|
|
125
123
|
requirement
|
|
126
124
|
end
|
|
127
125
|
end
|
|
@@ -125,16 +125,90 @@ module Dependabot
|
|
|
125
125
|
sig { returns(T.nilable(NativeWorkspaceDiscovery)) }
|
|
126
126
|
attr_reader :workspace_discovery
|
|
127
127
|
|
|
128
|
-
sig { returns(Dependabot::FileParsers::Base::DependencySet) }
|
|
129
|
-
attr_reader :dependency_set
|
|
130
|
-
|
|
131
128
|
sig { params(discovery_json: DependencyFile).void }
|
|
132
129
|
def initialize(discovery_json:)
|
|
133
130
|
@discovery_json = discovery_json
|
|
134
131
|
@workspace_discovery = T.let(read_workspace_discovery, T.nilable(Dependabot::Nuget::NativeWorkspaceDiscovery))
|
|
135
|
-
@dependency_set = T.let(read_dependency_set, Dependabot::FileParsers::Base::DependencySet)
|
|
136
132
|
end
|
|
137
133
|
|
|
134
|
+
# rubocop:disable Metrics/AbcSize
|
|
135
|
+
# rubocop:disable Metrics/MethodLength
|
|
136
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
137
|
+
sig do
|
|
138
|
+
params(
|
|
139
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
140
|
+
top_level_only: T::Boolean
|
|
141
|
+
).returns(Dependabot::FileParsers::Base::DependencySet)
|
|
142
|
+
end
|
|
143
|
+
def dependency_set(dependency_files:, top_level_only:)
|
|
144
|
+
# dependencies must be recalculated so that we:
|
|
145
|
+
# 1. only return dependencies that are in the file set we reported earlier
|
|
146
|
+
# see https://github.com/dependabot/dependabot-core/issues/10303
|
|
147
|
+
# 2. the reported version is the minimum across all requirements; this ensures that we get the opportunity
|
|
148
|
+
# to update everything later
|
|
149
|
+
dependency_file_set = T.let(Set.new(dependency_files.map do |df|
|
|
150
|
+
Pathname.new(File.join(df.directory, df.name)).cleanpath.to_path
|
|
151
|
+
end), T::Set[String])
|
|
152
|
+
|
|
153
|
+
rebuilt_dependencies = read_dependency_set.dependencies.filter_map do |dep|
|
|
154
|
+
# only report requirements in files we know about
|
|
155
|
+
matching_requirements = dep.requirements.filter do |req|
|
|
156
|
+
file = T.let(req.fetch(:file), String)
|
|
157
|
+
dependency_file_set.include?(file)
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
# find the minimum version across all requirements
|
|
161
|
+
min_version = matching_requirements.filter_map do |req|
|
|
162
|
+
v = T.let(req.fetch(:requirement), T.nilable(String))
|
|
163
|
+
next unless v
|
|
164
|
+
|
|
165
|
+
Dependabot::Nuget::Version.new(v)
|
|
166
|
+
end.min
|
|
167
|
+
next unless min_version
|
|
168
|
+
|
|
169
|
+
# only return dependency requirements that are top-level
|
|
170
|
+
if top_level_only
|
|
171
|
+
matching_requirements.reject! do |req|
|
|
172
|
+
metadata = T.let(req.fetch(:metadata), T::Hash[Symbol, T.untyped])
|
|
173
|
+
T.let(metadata.fetch(:is_transitive), T::Boolean)
|
|
174
|
+
end
|
|
175
|
+
end
|
|
176
|
+
|
|
177
|
+
# we might need to return a dependency like this
|
|
178
|
+
dep_without_reqs = Dependabot::Dependency.new(
|
|
179
|
+
name: dep.name,
|
|
180
|
+
version: min_version.to_s,
|
|
181
|
+
package_manager: "nuget",
|
|
182
|
+
requirements: []
|
|
183
|
+
)
|
|
184
|
+
|
|
185
|
+
dep_with_reqs = matching_requirements.filter_map do |req|
|
|
186
|
+
version = T.let(req.fetch(:requirement, nil), T.nilable(String))
|
|
187
|
+
next unless version
|
|
188
|
+
|
|
189
|
+
Dependabot::Dependency.new(
|
|
190
|
+
name: dep.name,
|
|
191
|
+
version: min_version.to_s,
|
|
192
|
+
package_manager: "nuget",
|
|
193
|
+
requirements: [req]
|
|
194
|
+
)
|
|
195
|
+
end
|
|
196
|
+
|
|
197
|
+
# if only returning top-level dependencies and we had no non-transitive requirements, return an empty
|
|
198
|
+
# dependency so it can be tracked for security updates
|
|
199
|
+
matching_requirements.empty? && top_level_only ? [dep_without_reqs] : dep_with_reqs
|
|
200
|
+
end.flatten
|
|
201
|
+
|
|
202
|
+
final_dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
|
203
|
+
rebuilt_dependencies.each do |dep|
|
|
204
|
+
final_dependency_set << dep
|
|
205
|
+
end
|
|
206
|
+
final_dependency_set
|
|
207
|
+
end
|
|
208
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
|
209
|
+
# rubocop:enable Metrics/MethodLength
|
|
210
|
+
# rubocop:enable Metrics/AbcSize
|
|
211
|
+
|
|
138
212
|
private
|
|
139
213
|
|
|
140
214
|
sig { returns(DependencyFile) }
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "dependabot/file_parsers/base/dependency_set"
|
|
4
5
|
require "dependabot/nuget/native_discovery/native_dependency_details"
|
|
5
6
|
require "dependabot/nuget/native_discovery/native_property_details"
|
|
6
7
|
require "sorbet-runtime"
|
|
@@ -171,10 +171,18 @@ module Dependabot
|
|
|
171
171
|
|
|
172
172
|
# rubocop:disable Metrics/MethodLength
|
|
173
173
|
sig do
|
|
174
|
-
params(
|
|
175
|
-
|
|
174
|
+
params(
|
|
175
|
+
repo_root: String,
|
|
176
|
+
proj_path: String,
|
|
177
|
+
dependency_name: String,
|
|
178
|
+
version: String,
|
|
179
|
+
previous_version: String,
|
|
180
|
+
is_transitive: T::Boolean,
|
|
181
|
+
result_output_path: String
|
|
182
|
+
).returns([String, String])
|
|
176
183
|
end
|
|
177
|
-
def self.get_nuget_updater_tool_command(repo_root:, proj_path:,
|
|
184
|
+
def self.get_nuget_updater_tool_command(repo_root:, proj_path:, dependency_name:, version:, previous_version:,
|
|
185
|
+
is_transitive:, result_output_path:)
|
|
178
186
|
exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
|
|
179
187
|
command_parts = [
|
|
180
188
|
exe_path,
|
|
@@ -184,11 +192,11 @@ module Dependabot
|
|
|
184
192
|
"--solution-or-project",
|
|
185
193
|
proj_path,
|
|
186
194
|
"--dependency",
|
|
187
|
-
|
|
195
|
+
dependency_name,
|
|
188
196
|
"--new-version",
|
|
189
|
-
|
|
197
|
+
version,
|
|
190
198
|
"--previous-version",
|
|
191
|
-
|
|
199
|
+
previous_version,
|
|
192
200
|
is_transitive ? "--transitive" : nil,
|
|
193
201
|
"--result-output-path",
|
|
194
202
|
result_output_path,
|
|
@@ -229,14 +237,21 @@ module Dependabot
|
|
|
229
237
|
params(
|
|
230
238
|
repo_root: String,
|
|
231
239
|
proj_path: String,
|
|
232
|
-
|
|
240
|
+
dependency_name: String,
|
|
241
|
+
version: String,
|
|
242
|
+
previous_version: String,
|
|
233
243
|
is_transitive: T::Boolean,
|
|
234
244
|
credentials: T::Array[Dependabot::Credential]
|
|
235
245
|
).void
|
|
236
246
|
end
|
|
237
|
-
def self.run_nuget_updater_tool(repo_root:, proj_path:,
|
|
238
|
-
|
|
239
|
-
|
|
247
|
+
def self.run_nuget_updater_tool(repo_root:, proj_path:, dependency_name:, version:, previous_version:,
|
|
248
|
+
is_transitive:, credentials:)
|
|
249
|
+
(command, fingerprint) = get_nuget_updater_tool_command(repo_root: repo_root,
|
|
250
|
+
proj_path: proj_path,
|
|
251
|
+
dependency_name: dependency_name,
|
|
252
|
+
version: version,
|
|
253
|
+
previous_version: previous_version,
|
|
254
|
+
is_transitive: is_transitive,
|
|
240
255
|
result_output_path: update_result_file_path)
|
|
241
256
|
|
|
242
257
|
puts "running NuGet updater:\n" + command
|
|
@@ -21,15 +21,18 @@ module Dependabot
|
|
|
21
21
|
sig do
|
|
22
22
|
params(
|
|
23
23
|
requirements: T::Array[T::Hash[Symbol, T.untyped]],
|
|
24
|
-
dependency_details: T.nilable(Dependabot::Nuget::NativeDependencyDetails)
|
|
24
|
+
dependency_details: T.nilable(Dependabot::Nuget::NativeDependencyDetails),
|
|
25
|
+
vulnerable: T::Boolean
|
|
25
26
|
)
|
|
26
27
|
.void
|
|
27
28
|
end
|
|
28
|
-
def initialize(requirements:, dependency_details:)
|
|
29
|
+
def initialize(requirements:, dependency_details:, vulnerable:)
|
|
29
30
|
@requirements = requirements
|
|
30
31
|
@dependency_details = dependency_details
|
|
32
|
+
@vulnerable = vulnerable
|
|
31
33
|
end
|
|
32
34
|
|
|
35
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
33
36
|
sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
|
34
37
|
def updated_requirements
|
|
35
38
|
return requirements unless clean_version
|
|
@@ -37,13 +40,18 @@ module Dependabot
|
|
|
37
40
|
# NOTE: Order is important here. The FileUpdater needs the updated
|
|
38
41
|
# requirement at index `i` to correspond to the previous requirement
|
|
39
42
|
# at the same index.
|
|
40
|
-
requirements.
|
|
41
|
-
next
|
|
42
|
-
|
|
43
|
+
requirements.filter_map do |req|
|
|
44
|
+
next if !@vulnerable && req[:metadata][:is_transitive]
|
|
45
|
+
|
|
46
|
+
previous_requirement = req.fetch(:requirement)
|
|
47
|
+
req[:metadata][:previous_requirement] = previous_requirement
|
|
48
|
+
|
|
49
|
+
next req if previous_requirement.nil?
|
|
50
|
+
next req if previous_requirement.include?(",")
|
|
43
51
|
|
|
44
52
|
new_req =
|
|
45
|
-
if
|
|
46
|
-
update_wildcard_requirement(
|
|
53
|
+
if previous_requirement.include?("*")
|
|
54
|
+
update_wildcard_requirement(previous_requirement)
|
|
47
55
|
else
|
|
48
56
|
# Since range requirements are excluded by the line above we can
|
|
49
57
|
# replace anything that looks like a version with the new
|
|
@@ -54,7 +62,7 @@ module Dependabot
|
|
|
54
62
|
)
|
|
55
63
|
end
|
|
56
64
|
|
|
57
|
-
next req if new_req ==
|
|
65
|
+
next req if new_req == previous_requirement
|
|
58
66
|
|
|
59
67
|
new_source = req[:source]&.dup
|
|
60
68
|
unless @dependency_details.nil?
|
|
@@ -67,6 +75,7 @@ module Dependabot
|
|
|
67
75
|
req.merge({ requirement: new_req, source: new_source })
|
|
68
76
|
end
|
|
69
77
|
end
|
|
78
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
|
70
79
|
|
|
71
80
|
private
|
|
72
81
|
|
|
@@ -56,7 +56,8 @@ module Dependabot
|
|
|
56
56
|
dep_details = updated_dependency_details.find { |d| d.name.casecmp?(dependency.name) }
|
|
57
57
|
NativeRequirementsUpdater.new(
|
|
58
58
|
requirements: dependency.requirements,
|
|
59
|
-
dependency_details: dep_details
|
|
59
|
+
dependency_details: dep_details,
|
|
60
|
+
vulnerable: vulnerable?
|
|
60
61
|
).updated_requirements
|
|
61
62
|
end
|
|
62
63
|
|
|
@@ -112,9 +113,10 @@ module Dependabot
|
|
|
112
113
|
|
|
113
114
|
sig { void }
|
|
114
115
|
def write_dependency_info
|
|
116
|
+
dependency_version = T.let(dependency.requirements.first&.fetch(:requirement, nil), T.nilable(String))
|
|
115
117
|
dependency_info = {
|
|
116
118
|
Name: dependency.name,
|
|
117
|
-
Version: dependency.version.to_s,
|
|
119
|
+
Version: dependency_version || dependency.version.to_s,
|
|
118
120
|
IsVulnerable: vulnerable?,
|
|
119
121
|
IgnoredVersions: ignored_versions,
|
|
120
122
|
Vulnerabilities: security_advisories.map do |vulnerability|
|
|
@@ -141,7 +143,7 @@ module Dependabot
|
|
|
141
143
|
sig { returns(Dependabot::FileParsers::Base::DependencySet) }
|
|
142
144
|
def discovered_dependencies
|
|
143
145
|
discovery_json_reader = NativeDiscoveryJsonReader.get_discovery_from_dependency_files(dependency_files)
|
|
144
|
-
discovery_json_reader.dependency_set
|
|
146
|
+
discovery_json_reader.dependency_set(dependency_files: dependency_files, top_level_only: false)
|
|
145
147
|
end
|
|
146
148
|
|
|
147
149
|
sig { override.returns(T::Boolean) }
|
|
@@ -150,6 +152,10 @@ module Dependabot
|
|
|
150
152
|
true
|
|
151
153
|
end
|
|
152
154
|
|
|
155
|
+
# rubocop:disable Metrics/AbcSize
|
|
156
|
+
# rubocop:disable Metrics/BlockLength
|
|
157
|
+
# rubocop:disable Metrics/MethodLength
|
|
158
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
153
159
|
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
|
154
160
|
def updated_dependencies_after_full_unlock
|
|
155
161
|
dependencies = discovered_dependencies.dependencies
|
|
@@ -157,14 +163,16 @@ module Dependabot
|
|
|
157
163
|
dep = dependencies.find { |d| d.name.casecmp(dependency_details.name)&.zero? }
|
|
158
164
|
next unless dep
|
|
159
165
|
|
|
160
|
-
|
|
166
|
+
dep_metadata = T.let({}, T::Hash[Symbol, T.untyped])
|
|
161
167
|
# For peer dependencies, instruct updater to not directly update this dependency
|
|
162
|
-
|
|
168
|
+
dep_metadata[:information_only] = true unless dependency.name.casecmp(dependency_details.name)&.zero?
|
|
169
|
+
dep_metadata[:is_vulnerable] = vulnerable?
|
|
163
170
|
|
|
164
171
|
# rebuild the new requirements with the updated dependency details
|
|
165
172
|
updated_reqs = dep.requirements.map do |r|
|
|
166
173
|
r = r.clone
|
|
167
|
-
r[:
|
|
174
|
+
T.let(r[:metadata], T::Hash[Symbol, T.untyped])[:previous_requirement] = r[:requirement] # keep old version
|
|
175
|
+
r[:requirement] = dependency_details.version # set new version
|
|
168
176
|
r[:source] = {
|
|
169
177
|
type: "nuget_repo",
|
|
170
178
|
source_url: dependency_details.info_url
|
|
@@ -172,17 +180,44 @@ module Dependabot
|
|
|
172
180
|
r
|
|
173
181
|
end
|
|
174
182
|
|
|
183
|
+
reqs = dep.requirements
|
|
184
|
+
unless vulnerable?
|
|
185
|
+
updated_reqs = updated_reqs.filter do |r|
|
|
186
|
+
req_metadata = T.let(r.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
|
|
187
|
+
!T.let(req_metadata[:is_transitive], T::Boolean)
|
|
188
|
+
end
|
|
189
|
+
reqs = reqs.filter do |r|
|
|
190
|
+
req_metadata = T.let(r.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
|
|
191
|
+
!T.let(req_metadata[:is_transitive], T::Boolean)
|
|
192
|
+
end
|
|
193
|
+
end
|
|
194
|
+
|
|
195
|
+
# report back the highest version that all of these dependencies can be updated to
|
|
196
|
+
# this will ensure that we get a chance to update all relevant dependencies
|
|
197
|
+
max_updatable_version = updated_reqs.filter_map do |r|
|
|
198
|
+
v = T.let(r.fetch(:requirement, nil), T.nilable(String))
|
|
199
|
+
next unless v
|
|
200
|
+
|
|
201
|
+
Dependabot::Nuget::Version.new(v)
|
|
202
|
+
end.max
|
|
203
|
+
next unless max_updatable_version
|
|
204
|
+
|
|
205
|
+
previous_version = T.let(dep.requirements.first&.fetch(:requirement, nil), T.nilable(String))
|
|
175
206
|
Dependency.new(
|
|
176
207
|
name: dep.name,
|
|
177
|
-
version:
|
|
208
|
+
version: max_updatable_version.to_s,
|
|
178
209
|
requirements: updated_reqs,
|
|
179
|
-
previous_version:
|
|
180
|
-
previous_requirements:
|
|
210
|
+
previous_version: previous_version,
|
|
211
|
+
previous_requirements: reqs,
|
|
181
212
|
package_manager: dep.package_manager,
|
|
182
|
-
metadata:
|
|
213
|
+
metadata: dep_metadata
|
|
183
214
|
)
|
|
184
215
|
end
|
|
185
216
|
end
|
|
217
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
|
218
|
+
# rubocop:enable Metrics/MethodLength
|
|
219
|
+
# rubocop:enable Metrics/BlockLength
|
|
220
|
+
# rubocop:enable Metrics/AbcSize
|
|
186
221
|
|
|
187
222
|
sig { returns(T::Array[Dependabot::Nuget::NativeDependencyDetails]) }
|
|
188
223
|
def updated_dependency_details
|
|
@@ -37,10 +37,11 @@ module Dependabot
|
|
|
37
37
|
def updated_requirements
|
|
38
38
|
return requirements unless latest_version
|
|
39
39
|
|
|
40
|
-
# NOTE: Order is important here. The FileUpdater needs the updated
|
|
41
|
-
# requirement at index `i` to correspond to the previous requirement
|
|
42
|
-
# at the same index.
|
|
43
40
|
requirements.map do |req|
|
|
41
|
+
req[:metadata] ||= {}
|
|
42
|
+
req[:metadata][:is_transitive] = false
|
|
43
|
+
req[:metadata][:previous_requirement] = req[:requirement]
|
|
44
|
+
|
|
44
45
|
next req if req.fetch(:requirement).nil?
|
|
45
46
|
next req if req.fetch(:requirement).include?(",")
|
|
46
47
|
|
|
@@ -56,7 +57,6 @@ module Dependabot
|
|
|
56
57
|
latest_version.to_s
|
|
57
58
|
)
|
|
58
59
|
end
|
|
59
|
-
|
|
60
60
|
next req if new_req == req.fetch(:requirement)
|
|
61
61
|
|
|
62
62
|
req.merge(requirement: new_req, source: updated_source)
|
|
@@ -166,7 +166,8 @@ module Dependabot
|
|
|
166
166
|
requirements: updated_requirements,
|
|
167
167
|
previous_version: dependency.version,
|
|
168
168
|
previous_requirements: dependency.requirements,
|
|
169
|
-
package_manager: dependency.package_manager
|
|
169
|
+
package_manager: dependency.package_manager,
|
|
170
|
+
metadata: { is_vulnerable: vulnerable? }
|
|
170
171
|
)
|
|
171
172
|
updated_dependencies = [updated_dependency]
|
|
172
173
|
updated_dependencies += DependencyFinder.new(
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-nuget
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.272.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-08-
|
|
11
|
+
date: 2024-08-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.272.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.272.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rubyzip
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -463,7 +463,7 @@ licenses:
|
|
|
463
463
|
- MIT
|
|
464
464
|
metadata:
|
|
465
465
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
466
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
466
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.272.0
|
|
467
467
|
post_install_message:
|
|
468
468
|
rdoc_options: []
|
|
469
469
|
require_paths:
|