dependabot-nuget 0.288.0 → 0.290.0

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -1,297 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "nokogiri"
-require "sorbet-runtime"
-require "stringio"
-require "zip"
-
-require "dependabot/update_checkers/base"
-require "dependabot/nuget/version"
-
-module Dependabot
-  module Nuget
-    class UpdateChecker < Dependabot::UpdateCheckers::Base
-      class DependencyFinder
-        extend T::Sig
-
-        require_relative "requirements_updater"
-        require_relative "nuspec_fetcher"
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def self.transitive_dependencies_cache
-          CacheManager.cache("dependency_finder_transitive_dependencies")
-        end
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def self.updated_peer_dependencies_cache
-          CacheManager.cache("dependency_finder_updated_peer_dependencies")
-        end
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def self.fetch_dependencies_cache
-          CacheManager.cache("dependency_finder_fetch_dependencies")
-        end
-
-        sig do
-          params(
-            dependency: Dependabot::Dependency,
-            dependency_files: T::Array[Dependabot::DependencyFile],
-            ignored_versions: T::Array[String],
-            credentials: T::Array[Dependabot::Credential],
-            repo_contents_path: T.nilable(String)
-          ).void
-        end
-        def initialize(dependency:, dependency_files:, ignored_versions:, credentials:, repo_contents_path:)
-          @dependency             = dependency
-          @dependency_files       = dependency_files
-          @ignored_versions       = ignored_versions
-          @credentials            = credentials
-          @repo_contents_path     = repo_contents_path
-        end
-
-        sig { returns(T::Array[Dependabot::Dependency]) }
-        def transitive_dependencies
-          key = "#{dependency.name.downcase}::#{dependency.version}"
-          cache = DependencyFinder.transitive_dependencies_cache
-
-          unless cache[key]
-            begin
-              # first do a quick sanity check on the version string; if it can't be parsed, an exception will be raised
-              _ = Version.new(dependency.version)
-
-              cache[key] = fetch_transitive_dependencies(
-                @dependency.name,
-                T.must(@dependency.version)
-              ).map do |dependency_info|
-                package_name = dependency_info["packageName"]
-                target_version = dependency_info["version"]
-
-                Dependency.new(
-                  name: package_name,
-                  version: target_version.to_s,
-                  requirements: [], # Empty requirements for transitive dependencies
-                  package_manager: @dependency.package_manager
-                )
-              end
-            rescue StandardError
-              # if anything happened above, there are no meaningful dependencies that can be derived
-              cache[key] = []
-            end
-          end
-
-          cache[key]
-        end
-
-        sig { returns(T::Array[Dependabot::Dependency]) }
-        def updated_peer_dependencies
-          key = "#{dependency.name.downcase}::#{dependency.version}"
-          cache = DependencyFinder.updated_peer_dependencies_cache
-
-          cache[key] ||= fetch_transitive_dependencies(
-            @dependency.name,
-            T.must(@dependency.version)
-          ).filter_map do |dependency_info|
-            package_name = dependency_info["packageName"]
-            target_version = dependency_info["version"]
-
-            # Find the Dependency object for the peer dependency. We will not return
-            # dependencies that are not referenced from dependency files.
-            peer_dependency = top_level_dependencies.find { |d| d.name == package_name }
-            next unless peer_dependency
-            next unless target_version > peer_dependency.numeric_version
-
-            # Use version finder to determine the source details for the peer dependency.
-            target_version_details = version_finder(peer_dependency).versions.find do |v|
-              v.fetch(:version) == target_version
-            end
-            next unless target_version_details
-
-            Dependency.new(
-              name: peer_dependency.name,
-              version: target_version_details.fetch(:version).to_s,
-              requirements: updated_requirements(peer_dependency, target_version_details),
-              previous_version: peer_dependency.version,
-              previous_requirements: peer_dependency.requirements,
-              package_manager: peer_dependency.package_manager,
-              metadata: { information_only: true } # Instruct updater to not directly update this dependency
-            )
-          end
-
-          cache[key]
-        end
-
-        private
-
-        sig { returns(Dependabot::Dependency) }
-        attr_reader :dependency
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        attr_reader :dependency_files
-
-        sig { returns(T::Array[String]) }
-        attr_reader :ignored_versions
-
-        sig { returns(T::Array[Dependabot::Credential]) }
-        attr_reader :credentials
-
-        sig { returns(T.nilable(String)) }
-        attr_reader :repo_contents_path
-
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            target_version_details: T::Hash[Symbol, T.untyped]
-          )
-            .returns(T::Array[T::Hash[String, T.untyped]])
-        end
-        def updated_requirements(dep, target_version_details)
-          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T.untyped]))
-          @updated_requirements[dep.name] ||=
-            RequirementsUpdater.new(
-              requirements: dep.requirements,
-              latest_version: target_version_details.fetch(:version).to_s,
-              source_details: target_version_details.slice(:nuspec_url, :repo_url, :source_url)
-            ).updated_requirements
-        end
-
-        sig { returns(T::Array[Dependabot::Dependency]) }
-        def top_level_dependencies
-          @top_level_dependencies ||=
-            T.let(
-              Nuget::FileParser.new(
-                dependency_files: dependency_files,
-                repo_contents_path: repo_contents_path,
-                source: nil
-              ).parse.select(&:top_level?),
-              T.nilable(T::Array[Dependabot::Dependency])
-            )
-        end
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        def nuget_configs
-          @nuget_configs ||=
-            T.let(
-              @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) },
-              T.nilable(T::Array[Dependabot::DependencyFile])
-            )
-        end
-
-        sig { returns(T::Array[T::Hash[Symbol, String]]) }
-        def dependency_urls
-          @dependency_urls ||=
-            T.let(
-              RepositoryFinder.new(
-                dependency: @dependency,
-                credentials: @credentials,
-                config_files: nuget_configs
-              )
-              .dependency_urls
-              .select { |url| url.fetch(:repository_type) == "v3" },
-              T.nilable(T::Array[T::Hash[Symbol, String]])
-            )
-        end
-
-        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
-        def fetch_transitive_dependencies(package_id, package_version)
-          all_dependencies = {}
-          fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
-          all_dependencies.map { |_, dependency_info| dependency_info }
-        end
-
-        sig { params(package_id: String, package_version: String, all_dependencies: T::Hash[String, T.untyped]).void }
-        def fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
-          dependencies = fetch_dependencies(package_id, package_version)
-          return unless dependencies.any?
-
-          dependencies.each do |dependency|
-            next if dependency.nil?
-
-            dependency_id = dependency["packageName"]
-            dependency_version_range = dependency["versionRange"]
-
-            nuget_version_range_regex = /[\[(](\d+(\.\d+)*(-\w+(\.\d+)*)?)/
-            nuget_version_range_match_data = nuget_version_range_regex.match(dependency_version_range)
-
-            dependency_version = if nuget_version_range_match_data.nil?
-                                   dependency_version_range
-                                 else
-                                   nuget_version_range_match_data[1]
-                                 end
-
-            dependency["version"] = Version.new(dependency_version)
-
-            current_dependency = all_dependencies[dependency_id.downcase]
-            next unless current_dependency.nil? || current_dependency["version"] < dependency["version"]
-
-            all_dependencies[dependency_id.downcase] = dependency
-            fetch_transitive_dependencies_impl(dependency_id, dependency_version, all_dependencies)
-          end
-        end
-
-        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
-        def fetch_dependencies(package_id, package_version)
-          key = "#{package_id.downcase}::#{package_version}"
-          cache = DependencyFinder.fetch_dependencies_cache
-
-          cache[key] ||= begin
-            nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, package_id, package_version)
-            if nuspec_xml.nil?
-              []
-            else
-              read_dependencies_from_nuspec(nuspec_xml)
-            end
-          end
-
-          cache[key]
-        end
-
-        sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[T::Hash[String, String]]) }
-        def read_dependencies_from_nuspec(nuspec_xml) # rubocop:disable Metrics/PerceivedComplexity
-          # we want to exclude development dependencies from the lookup
-          allowed_attributes = %w(all compile native runtime)
-
-          nuspec_xml_dependencies = nuspec_xml.xpath("//dependencies/child::node()/dependency").select do |dependency|
-            include_attr = dependency.attribute("include")
-            exclude_attr = dependency.attribute("exclude")
-
-            if include_attr.nil? && exclude_attr.nil?
-              true
-            elsif include_attr
-              include_values = include_attr.value.split(",").map(&:strip)
-              include_values.any? { |element1| allowed_attributes.any? { |element2| element1.casecmp?(element2) } }
-            else
-              exclude_values = exclude_attr.value.split(",").map(&:strip)
-              exclude_values.none? { |element1| allowed_attributes.any? { |element2| element1.casecmp?(element2) } }
-            end
-          end
-
-          dependency_list = []
-          nuspec_xml_dependencies.each do |dependency|
-            next unless dependency.attribute("version")
-
-            dependency_list << {
-              "packageName" => dependency.attribute("id").value,
-              "versionRange" => dependency.attribute("version").value
-            }
-          end
-
-          dependency_list
-        end
-
-        sig { params(dep: Dependabot::Dependency).returns(Dependabot::Nuget::UpdateChecker::VersionFinder) }
-        def version_finder(dep)
-          VersionFinder.new(
-            dependency: dep,
-            dependency_files: dependency_files,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            raise_on_ignored: false,
-            security_advisories: [],
-            repo_contents_path: repo_contents_path
-          )
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -1,221 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "nokogiri"
-require "stringio"
-require "sorbet-runtime"
-require "zip"
-
-require "dependabot/nuget/http_response_helpers"
-
-module Dependabot
-  module Nuget
-    class NupkgFetcher
-      extend T::Sig
-
-      require_relative "repository_finder"
-
-      sig do
-        params(
-          dependency_urls: T::Array[T::Hash[Symbol, String]],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_nupkg_buffer(dependency_urls, package_id, package_version)
-        # check all repositories for the first one that has the nupkg
-        dependency_urls.reduce(T.let(nil, T.nilable(String))) do |nupkg_buffer, repository_details|
-          nupkg_buffer || fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
-        end
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: T.nilable(String),
-          package_version: T.nilable(String)
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
-        return unless package_id && package_version && !package_version.empty?
-
-        feed_url = repository_details[:repository_url]
-        repository_type = repository_details[:repository_type]
-
-        package_url = if repository_type == "v2"
-                        get_nuget_v2_package_url(repository_details, package_id, package_version)
-                      elsif repository_type == "v3"
-                        get_nuget_v3_package_url(repository_details, package_id, package_version)
-                      else
-                        raise Dependabot::DependencyFileNotResolvable, "Unexpected NuGet feed format: #{feed_url}"
-                      end
-
-        package_url
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
-        package_url = fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
-        return unless package_url
-
-        auth_header = repository_details[:auth_header]
-        fetch_stream(package_url, auth_header)
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
-        base_url = repository_details[:base_url]
-        unless base_url
-          return get_nuget_v3_package_url_from_search(repository_details, package_id,
-                                                      package_version)
-        end
-
-        base_url = base_url.delete_suffix("/")
-        package_id_downcased = package_id.downcase
-        "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.#{package_version}.nupkg"
-      end
-
-      # rubocop:disable Metrics/CyclomaticComplexity
-      # rubocop:disable Metrics/PerceivedComplexity
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.get_nuget_v3_package_url_from_search(repository_details, package_id, package_version)
-        search_url = repository_details[:search_url]
-        return nil unless search_url
-
-        # get search result
-        search_result_response = fetch_url(search_url, repository_details)
-        return nil unless search_result_response&.status == 200
-
-        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(T.must(search_result_response).body)
-        search_results = JSON.parse(search_response_body)
-
-        # find matching package and version
-        package_search_result = search_results&.[]("data")&.find { |d| package_id.casecmp?(d&.[]("id")) }
-        version_search_result = package_search_result&.[]("versions")&.find do |v|
-          package_version.casecmp?(v&.[]("version"))
-        end
-        registration_leaf_url = version_search_result&.[]("@id")
-        return nil unless registration_leaf_url
-
-        registration_leaf_response = fetch_url(registration_leaf_url, repository_details)
-        return nil unless registration_leaf_response
-        return nil unless registration_leaf_response.status == 200
-
-        registration_leaf_response_body =
-          HttpResponseHelpers.remove_wrapping_zero_width_chars(registration_leaf_response.body)
-        registration_leaf = JSON.parse(registration_leaf_response_body)
-
-        # finally, get the .nupkg url
-        registration_leaf&.[]("packageContent")
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/CyclomaticComplexity
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.get_nuget_v2_package_url(repository_details, package_id, package_version)
-        # get package XML
-        base_url = repository_details[:base_url].delete_suffix("/")
-        package_url = "#{base_url}/Packages(Id='#{package_id}',Version='#{package_version}')"
-        response = fetch_url(package_url, repository_details)
-        return nil unless response&.status == 200
-
-        # find relevant element
-        doc = Nokogiri::XML(T.must(response).body)
-        doc.remove_namespaces!
-
-        content_element = doc.xpath("/entry/content")
-        nupkg_url = content_element&.attribute("src")&.value
-        nupkg_url
-      end
-
-      sig do
-        params(
-          stream_url: String,
-          auth_header: T::Hash[String, String],
-          max_redirects: Integer
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
-        current_url = stream_url
-        current_redirects = 0
-
-        loop do
-          # Directly download the stream without any additional settings _except_ for `omit_default_port: true` which
-          # is necessary to not break the URL signing that some NuGet feeds use.
-          response = Excon.get(
-            current_url,
-            headers: auth_header,
-            omit_default_port: true
-          )
-
-          # redirect the HTTP response as appropriate based on documentation here:
-          # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
-          case response.status
-          when 200
-            return response.body
-          when 301, 302, 303, 307, 308
-            current_redirects += 1
-            return nil if current_redirects > max_redirects
-
-            current_url = T.must(response.headers["Location"])
-          else
-            return nil
-          end
-        end
-      end
-
-      sig do
-        params(
-          url: String,
-          repository_details: T::Hash[Symbol, T.untyped]
-        )
-          .returns(T.nilable(Excon::Response))
-      end
-      def self.fetch_url(url, repository_details)
-        fetch_url_with_auth(url, repository_details.fetch(:auth_header))
-      end
-
-      sig { params(url: String, auth_header: T::Hash[T.any(String, Symbol), T.untyped]).returns(Excon::Response) }
-      def self.fetch_url_with_auth(url, auth_header)
-        cache = CacheManager.cache("nupkg_fetcher_cache")
-        cache[url] ||= Dependabot::RegistryClient.get(
-          url: url,
-          headers: auth_header
-        )
-
-        cache[url]
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/update_checker/nuspec_fetcher.rb

@@ -1,110 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "nokogiri"
-require "stringio"
-require "sorbet-runtime"
-require "zip"
-
-module Dependabot
-  module Nuget
-    class NuspecFetcher
-      extend T::Sig
-
-      require_relative "nupkg_fetcher"
-      require_relative "repository_finder"
-
-      sig do
-        params(
-          dependency_urls: T::Array[T::Hash[Symbol, String]],
-          package_id: String,
-          package_version: T.nilable(String)
-        )
-          .returns(T.nilable(Nokogiri::XML::Document))
-      end
-      def self.fetch_nuspec(dependency_urls, package_id, package_version)
-        # check all repositories for the first one that has the nuspec
-        dependency_urls.reduce(T.let(nil, T.nilable(Nokogiri::XML::Document))) do |nuspec_xml, repository_details|
-          nuspec_xml || fetch_nuspec_from_repository(repository_details, package_id, package_version)
-        end
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: T.nilable(String),
-          package_version: T.nilable(String)
-        )
-          .returns(T.nilable(Nokogiri::XML::Document))
-      end
-      def self.fetch_nuspec_from_repository(repository_details, package_id, package_version)
-        return unless package_id && package_version && !package_version.empty?
-
-        feed_url = repository_details[:repository_url]
-        auth_header = repository_details[:auth_header]
-
-        nuspec_xml = nil
-
-        if feed_supports_nuspec_download?(feed_url)
-          # we can use the normal nuget apis to get the nuspec and list out the dependencies
-          base_url = repository_details[:base_url].delete_suffix("/")
-          package_id_downcased = package_id.downcase
-          nuspec_url = "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.nuspec"
-
-          nuspec_response = Dependabot::RegistryClient.get(
-            url: nuspec_url,
-            headers: auth_header
-          )
-
-          return unless nuspec_response.status == 200
-
-          nuspec_response_body = remove_invalid_characters(nuspec_response.body)
-          nuspec_xml = Nokogiri::XML(nuspec_response_body)
-        else
-          # no guarantee we can directly query the .nuspec; fall back to extracting it from the .nupkg
-          package_data = NupkgFetcher.fetch_nupkg_buffer_from_repository(repository_details, package_id,
-                                                                         package_version)
-          return if package_data.nil?
-
-          nuspec_string = extract_nuspec(package_data, package_id)
-          nuspec_xml = Nokogiri::XML(nuspec_string)
-        end
-
-        nuspec_xml.remove_namespaces!
-        nuspec_xml
-      end
-
-      sig { params(feed_url: String).returns(T::Boolean) }
-      def self.feed_supports_nuspec_download?(feed_url)
-        feed_regexs = [
-          # nuget
-          %r{https://api\.nuget\.org/v3/index\.json},
-          # azure devops
-          %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/(?<project>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json},
-          %r{https://pkgs\.dev\.azure\.com/(?<organization>[^/]+)/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)},
-          %r{https://(?<organization>[^\.\/]+)\.pkgs\.visualstudio\.com/_packaging/(?<feedId>[^/]+)/nuget/v3/index\.json(?<project>)}
-        ]
-        feed_regexs.any? { |reg| reg.match(feed_url) }
-      end
-
-      sig { params(zip_stream: String, package_id: String).returns(T.nilable(String)) }
-      def self.extract_nuspec(zip_stream, package_id)
-        Zip::File.open_buffer(zip_stream) do |zip|
-          nuspec_entry = zip.find { |entry| entry.name == "#{package_id}.nuspec" }
-          return nuspec_entry.get_input_stream.read if nuspec_entry
-        end
-        nil
-      end
-
-      sig { params(string: String).returns(String) }
-      def self.remove_invalid_characters(string)
-        string.dup
-              .force_encoding(Encoding::UTF_8)
-              .encode
-              .scrub("")
-              .gsub(/\A[\u200B-\u200D\uFEFF]/, "")
-              .gsub(/[\u200B-\u200D\uFEFF]\Z/, "")
-      end
-    end
-  end
-end