dependabot-nuget 0.288.0 → 0.290.0

data/lib/dependabot/nuget/native_update_checker/native_update_checker.rb

@@ -1,201 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-
-require "dependabot/nuget/analysis/analysis_json_reader"
-require "dependabot/nuget/native_discovery/native_discovery_json_reader"
-require "dependabot/update_checkers"
-require "dependabot/update_checkers/base"
-require "sorbet-runtime"
-
-module Dependabot
-  module Nuget
-    class NativeUpdateChecker < Dependabot::UpdateCheckers::Base
-      extend T::Sig
-
-      require_relative "native_requirements_updater"
-
-      sig { override.returns(T.nilable(String)) }
-      def latest_version
-        # No need to find latest version for transitive dependencies unless they have a vulnerability.
-        return dependency.version if !dependency.top_level? && !vulnerable?
-
-        # if no update sources have the requisite package, then we can only assume that the current version is correct
-        @latest_version = T.let(
-          update_analysis.dependency_analysis.updated_version,
-          T.nilable(String)
-        )
-      end
-
-      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
-      def latest_resolvable_version
-        # We always want a full unlock since any package update could update peer dependencies as well.
-        # To force a full unlock instead of an own unlock, we return nil.
-        nil
-      end
-
-      sig { override.returns(Dependabot::Nuget::Version) }
-      def lowest_security_fix_version
-        update_analysis.dependency_analysis.numeric_updated_version
-      end
-
-      sig { override.returns(T.nilable(Dependabot::Nuget::Version)) }
-      def lowest_resolvable_security_fix_version
-        return nil if version_comes_from_multi_dependency_property?
-
-        update_analysis.dependency_analysis.numeric_updated_version
-      end
-
-      sig { override.returns(NilClass) }
-      def latest_resolvable_version_with_no_unlock
-        # Irrelevant, since Nuget has a single dependency file
-        nil
-      end
-
-      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
-      def updated_requirements
-        dep_details = updated_dependency_details.find { |d| d.name.casecmp?(dependency.name) }
-        NativeRequirementsUpdater.new(
-          requirements: dependency.requirements,
-          dependency_details: dep_details
-        ).updated_requirements
-      end
-
-      sig { returns(T::Boolean) }
-      def up_to_date?
-        !update_analysis.dependency_analysis.can_update
-      end
-
-      sig { returns(T::Boolean) }
-      def requirements_unlocked_or_can_be?
-        update_analysis.dependency_analysis.can_update
-      end
-
-      sig { returns(T::Boolean) }
-      def public_latest_version_resolvable_with_full_unlock?
-        latest_version_resolvable_with_full_unlock?
-      end
-
-      sig { returns(T::Array[Dependabot::Dependency]) }
-      def public_updated_dependencies_after_full_unlock
-        updated_dependencies_after_full_unlock
-      end
-
-      private
-
-      sig { returns(AnalysisJsonReader) }
-      def update_analysis
-        @update_analysis ||= T.let(request_analysis, T.nilable(AnalysisJsonReader))
-      end
-
-      sig { returns(String) }
-      def dependency_file_path
-        File.join(NativeDiscoveryJsonReader.temp_directory, "dependency", "#{dependency.name}.json")
-      end
-
-      sig { returns(AnalysisJsonReader) }
-      def request_analysis
-        discovery_file_path = NativeDiscoveryJsonReader.get_discovery_file_path_from_dependency_files(dependency_files)
-        analysis_folder_path = AnalysisJsonReader.temp_directory
-
-        write_dependency_info
-
-        NativeHelpers.run_nuget_analyze_tool(repo_root: T.must(repo_contents_path),
-                                             discovery_file_path: discovery_file_path,
-                                             dependency_file_path: dependency_file_path,
-                                             analysis_folder_path: analysis_folder_path,
-                                             credentials: credentials)
-
-        analysis_json = AnalysisJsonReader.analysis_json(dependency_name: dependency.name)
-
-        AnalysisJsonReader.new(analysis_json: T.must(analysis_json))
-      end
-
-      sig { void }
-      def write_dependency_info
-        dependency_info = {
-          Name: dependency.name,
-          Version: dependency.version.to_s,
-          IsVulnerable: vulnerable?,
-          IgnoredVersions: ignored_versions,
-          Vulnerabilities: security_advisories.map do |vulnerability|
-            {
-              DependencyName: vulnerability.dependency_name,
-              PackageManager: vulnerability.package_manager,
-              VulnerableVersions: vulnerability.vulnerable_versions.map(&:to_s),
-              SafeVersions: vulnerability.safe_versions.map(&:to_s)
-            }
-          end
-        }.to_json
-        dependency_directory = File.dirname(dependency_file_path)
-
-        begin
-          Dir.mkdir(dependency_directory)
-        rescue StandardError
-          nil?
-        end
-
-        Dependabot.logger.info("Writing dependency info: #{dependency_info}")
-        File.write(dependency_file_path, dependency_info)
-      end
-
-      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-      def discovered_dependencies
-        discovery_json_reader = NativeDiscoveryJsonReader.get_discovery_from_dependency_files(dependency_files)
-        discovery_json_reader.dependency_set
-      end
-
-      sig { override.returns(T::Boolean) }
-      def latest_version_resolvable_with_full_unlock?
-        # We always want a full unlock since any package update could update peer dependencies as well.
-        true
-      end
-
-      sig { override.returns(T::Array[Dependabot::Dependency]) }
-      def updated_dependencies_after_full_unlock
-        dependencies = discovered_dependencies.dependencies
-        updated_dependency_details.filter_map do |dependency_details|
-          dep = dependencies.find { |d| d.name.casecmp(dependency_details.name)&.zero? }
-          next unless dep
-
-          metadata = {}
-          # For peer dependencies, instruct updater to not directly update this dependency
-          metadata = { information_only: true } unless dependency.name.casecmp(dependency_details.name)&.zero?
-
-          # rebuild the new requirements with the updated dependency details
-          updated_reqs = dep.requirements.map do |r|
-            r = r.clone
-            r[:requirement] = dependency_details.version
-            r[:source] = {
-              type: "nuget_repo",
-              source_url: dependency_details.info_url
-            }
-            r
-          end
-
-          Dependency.new(
-            name: dep.name,
-            version: dependency_details.version,
-            requirements: updated_reqs,
-            previous_version: dep.version,
-            previous_requirements: dep.requirements,
-            package_manager: dep.package_manager,
-            metadata: metadata
-          )
-        end
-      end
-
-      sig { returns(T::Array[Dependabot::Nuget::NativeDependencyDetails]) }
-      def updated_dependency_details
-        @updated_dependency_details ||= T.let(update_analysis.dependency_analysis.updated_dependencies,
-                                              T.nilable(T::Array[Dependabot::Nuget::NativeDependencyDetails]))
-      end
-
-      sig { returns(T::Boolean) }
-      def version_comes_from_multi_dependency_property?
-        update_analysis.dependency_analysis.version_comes_from_multi_dependency_property
-      end
-    end
-  end
-end
-
-Dependabot::UpdateCheckers.register("nuget", Dependabot::Nuget::UpdateChecker)

data/lib/dependabot/nuget/nuget_client.rb

@@ -1,223 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "dependabot/nuget/cache_manager"
-require "dependabot/nuget/http_response_helpers"
-require "dependabot/nuget/update_checker/repository_finder"
-require "sorbet-runtime"
-
-module Dependabot
-  module Nuget
-    class NugetClient
-      extend T::Sig
-
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      def self.get_package_versions(dependency_name, repository_details)
-        repository_type = repository_details.fetch(:repository_type)
-        if repository_type == "v3"
-          get_package_versions_v3(dependency_name, repository_details)
-        elsif repository_type == "v2"
-          get_package_versions_v2(dependency_name, repository_details)
-        elsif repository_type == "local"
-          get_package_versions_local(dependency_name, repository_details)
-        else
-          raise "Unknown repository type: #{repository_type}"
-        end
-      end
-
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_package_versions_local(dependency_name, repository_details)
-        url = repository_details.fetch(:base_url)
-        raise "Local repo #{url} doesn't exist or isn't a directory" unless File.exist?(url) && File.directory?(url)
-
-        package_dir = File.join(url, dependency_name)
-
-        versions = Set.new
-        return versions unless File.exist?(package_dir) && File.directory?(package_dir)
-
-        Dir.each_child(package_dir) do |child|
-          versions.add(child) if File.directory?(File.join(package_dir, child))
-        end
-
-        versions
-      end
-
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_package_versions_v3(dependency_name, repository_details)
-        # Use the registration URL if possible because it is fast and correct
-        if repository_details[:registration_url]
-          get_versions_from_registration_v3(repository_details)
-        # use the search API if not because it is slow but correct
-        elsif repository_details[:search_url]
-          get_versions_from_search_url_v3(repository_details, dependency_name)
-        # Otherwise, use the versions URL (fast but wrong because it includes unlisted versions)
-        elsif repository_details[:versions_url]
-          get_versions_from_versions_url_v3(repository_details)
-        else
-          raise "No version sources were available for #{dependency_name} in #{repository_details}"
-        end
-      end
-
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_package_versions_v2(dependency_name, repository_details)
-        doc = execute_xml_nuget_request(repository_details.fetch(:versions_url), repository_details)
-        return unless doc
-
-        # v2 APIs can differ, but all tested have this title value set to the name of the package
-        title_nodes = doc.xpath("/feed/entry/title")
-        matching_versions = Set.new
-        title_nodes.each do |title_node|
-          return nil unless title_node.text
-
-          next unless title_node.text.casecmp?(dependency_name)
-
-          version_node = title_node.parent.xpath("properties/Version")
-          matching_versions << version_node.text if version_node && version_node.text
-        end
-
-        matching_versions
-      end
-
-      sig { params(repository_details: T::Hash[Symbol, String]).returns(T.nilable(T::Set[String])) }
-      private_class_method def self.get_versions_from_versions_url_v3(repository_details)
-        body = execute_json_nuget_request(repository_details.fetch(:versions_url), repository_details)
-        ver_array = T.let(body&.fetch("versions"), T.nilable(T::Array[String]))
-        ver_array&.to_set
-      end
-
-      sig { params(repository_details: T::Hash[Symbol, String]).returns(T.nilable(T::Set[String])) }
-      private_class_method def self.get_versions_from_registration_v3(repository_details)
-        url = repository_details.fetch(:registration_url)
-        body = execute_json_nuget_request(url, repository_details)
-
-        return unless body
-
-        pages = body.fetch("items")
-        versions = T.let(Set.new, T::Set[String])
-        pages.each do |page|
-          items = page["items"]
-          if items
-            # inlined entries
-            get_versions_from_inline_page(items, versions)
-          else
-            # paged entries
-            page_url = page["@id"]
-            page_body = execute_json_nuget_request(page_url, repository_details)
-            next unless page_body
-
-            items = page_body.fetch("items")
-            items.each do |item|
-              catalog_entry = item.fetch("catalogEntry")
-              versions << catalog_entry.fetch("version") if catalog_entry["listed"] == true
-            end
-          end
-        end
-
-        versions
-      end
-
-      sig { params(items: T::Array[T::Hash[String, T.untyped]], versions: T::Set[String]).void }
-      private_class_method def self.get_versions_from_inline_page(items, versions)
-        items.each do |item|
-          catalog_entry = item["catalogEntry"]
-
-          # a package is considered listed if the `listed` property is either `true` or missing
-          listed_property = catalog_entry["listed"]
-          is_listed = listed_property.nil? || listed_property == true
-          if is_listed
-            vers = catalog_entry["version"]
-            versions << vers
-          end
-        end
-      end
-
-      sig do
-        params(repository_details: T::Hash[Symbol, String], dependency_name: String)
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_versions_from_search_url_v3(repository_details, dependency_name)
-        search_url = repository_details.fetch(:search_url)
-        body = execute_json_nuget_request(search_url, repository_details)
-
-        body&.fetch("data")
-            &.find { |d| d.fetch("id").casecmp(dependency_name.downcase).zero? }
-            &.fetch("versions")
-            &.map { |d| d.fetch("version") }
-            &.to_set
-      end
-
-      sig do
-        params(url: String, repository_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(Nokogiri::XML::Document))
-      end
-      private_class_method def self.execute_xml_nuget_request(url, repository_details)
-        response = execute_nuget_request_internal(
-          url: url,
-          auth_header: repository_details.fetch(:auth_header),
-          repository_url: repository_details.fetch(:repository_url)
-        )
-        return unless response.status == 200
-
-        doc = Nokogiri::XML(response.body)
-        doc.remove_namespaces!
-        doc
-      end
-
-      sig do
-        params(url: String,
-               repository_details: T::Hash[Symbol, T.untyped])
-          .returns(T.nilable(T::Hash[T.untyped, T.untyped]))
-      end
-      private_class_method def self.execute_json_nuget_request(url, repository_details)
-        response = execute_nuget_request_internal(
-          url: url,
-          auth_header: repository_details.fetch(:auth_header),
-          repository_url: repository_details.fetch(:repository_url)
-        )
-        return unless response.status == 200
-
-        body = HttpResponseHelpers.remove_wrapping_zero_width_chars(response.body)
-        JSON.parse(body)
-      end
-
-      sig do
-        params(url: String, auth_header: T::Hash[Symbol, T.untyped], repository_url: String).returns(Excon::Response)
-      end
-      private_class_method def self.execute_nuget_request_internal(url:, auth_header:, repository_url:)
-        cache = CacheManager.cache("dependency_url_search_cache")
-        if cache[url].nil?
-          response = Dependabot::RegistryClient.get(
-            url: url,
-            headers: auth_header
-          )
-
-          if [401, 402, 403].include?(response.status)
-            raise Dependabot::PrivateSourceAuthenticationFailure, repository_url
-          end
-
-          cache[url] = response if !CacheManager.caching_disabled? && response.status == 200
-        else
-          response = cache[url]
-        end
-
-        response
-      rescue Excon::Error::Timeout, Excon::Error::Socket
-        repo_url = repository_url
-        raise if repo_url == Dependabot::Nuget::RepositoryFinder::DEFAULT_REPOSITORY_URL
-
-        raise PrivateSourceTimedOut, repo_url
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -1,116 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "sorbet-runtime"
-
-require "dependabot/update_checkers/base"
-
-module Dependabot
-  module Nuget
-    class CompatibilityChecker
-      extend T::Sig
-
-      require_relative "nuspec_fetcher"
-      require_relative "nupkg_fetcher"
-      require_relative "tfm_finder"
-      require_relative "tfm_comparer"
-
-      sig do
-        params(
-          dependency_urls: T::Array[T::Hash[Symbol, String]],
-          dependency: Dependabot::Dependency
-        ).void
-      end
-      def initialize(dependency_urls:, dependency:)
-        @dependency_urls = dependency_urls
-        @dependency = dependency
-      end
-
-      sig { params(version: String).returns(T::Boolean) }
-      def compatible?(version)
-        nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
-        return false unless nuspec_xml
-
-        # development dependencies are packages such as analyzers which need to be compatible with the compiler not the
-        # project itself, but some packages that report themselves as development dependencies still contain target
-        # framework dependencies and should be checked for compatibility through the regular means
-        return true if pure_development_dependency?(nuspec_xml)
-
-        package_tfms = parse_package_tfms(nuspec_xml)
-        package_tfms = fetch_package_tfms(version) if package_tfms.empty?
-        # nil is a special return value that indicates that the package is likely a development dependency
-        return true if package_tfms.nil?
-        return false if package_tfms.empty?
-
-        return false if project_tfms.nil? || project_tfms&.empty?
-
-        TfmComparer.are_frameworks_compatible?(T.must(project_tfms), package_tfms)
-      end
-
-      private
-
-      sig { returns(T::Array[T::Hash[Symbol, String]]) }
-      attr_reader :dependency_urls
-
-      sig { returns(Dependabot::Dependency) }
-      attr_reader :dependency
-
-      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Boolean) }
-      def pure_development_dependency?(nuspec_xml)
-        contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
-        return false unless contents # no `developmentDependency` element
-
-        self_reports_as_development_dependency = contents.casecmp?("true")
-        return false unless self_reports_as_development_dependency
-
-        # even though a package self-reports as a development dependency, it might not be if it has dependency groups
-        # with a target framework
-        dependency_groups_with_target_framework =
-          nuspec_xml.at_xpath("/package/metadata/dependencies/group[@targetFramework]")
-        dependency_groups_with_target_framework.to_a.empty?
-      end
-
-      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[String]) }
-      def parse_package_tfms(nuspec_xml)
-        nuspec_xml.xpath("//dependencies/group").filter_map { |group| group.attribute("targetFramework") }
-      end
-
-      sig { returns(T.nilable(T::Array[String])) }
-      def project_tfms
-        @project_tfms ||= T.let(TfmFinder.frameworks(dependency), T.nilable(T::Array[String]))
-      end
-
-      sig { params(dependency_version: String).returns(T.nilable(T::Array[String])) }
-      def fetch_package_tfms(dependency_version)
-        cache = CacheManager.cache("compatibility_checker_tfms_cache")
-        key = "#{dependency.name}::#{dependency_version}"
-
-        cache[key] ||= begin
-          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-          return [] unless nupkg_buffer
-
-          # Parse tfms from the folders beneath the lib folder
-          folder_name = "lib/"
-          tfms = Set.new
-          Zip::File.open_buffer(nupkg_buffer) do |zip|
-            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-            # If there is no lib folder in this package, assume it is a development dependency
-            return nil if lib_file_entries.empty?
-
-            lib_file_entries.each do |entry|
-              _, tfm = entry.name.split("/").first(2)
-
-              # some zip compressors create empty directory entries (in this case `lib/`) which can cause the string
-              # split to return `nil`, so we have to explicitly guard against that
-              tfms << tfm if tfm
-            end
-          end
-
-          tfms.to_a
-        end
-
-        cache[key]
-      end
-    end
-  end
-end