dependabot-nuget 0.289.0 → 0.290.0

data/lib/dependabot/nuget/file_updater.rb

@@ -4,9 +4,9 @@
 require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
-require "dependabot/nuget/native_discovery/native_dependency_details"
-require "dependabot/nuget/native_discovery/native_discovery_json_reader"
-require "dependabot/nuget/native_discovery/native_workspace_discovery"
+require "dependabot/nuget/discovery/dependency_details"
+require "dependabot/nuget/discovery/discovery_json_reader"
+require "dependabot/nuget/discovery/workspace_discovery"
 require "dependabot/nuget/native_helpers"
 require "dependabot/shared_helpers"
 require "sorbet-runtime"
@@ -57,7 +57,7 @@ module Dependabot
             try_update_projects(dependency) || try_update_json(dependency)
           end
           updated_files = dependency_files.filter_map do |f|
-            dependency_file_path = NativeDiscoveryJsonReader.dependency_file_path(
+            dependency_file_path = DiscoveryJsonReader.dependency_file_path(
               repo_contents_path: T.must(repo_contents_path),
               dependency_file: f
             )
@@ -97,7 +97,7 @@ module Dependabot
         # run update for each project file
         project_files.each do |project_file|
           project_dependencies = project_dependencies(project_file)
-          dependency_file_path = NativeDiscoveryJsonReader.dependency_file_path(
+          dependency_file_path = DiscoveryJsonReader.dependency_file_path(
             repo_contents_path: T.must(repo_contents_path),
             dependency_file: project_file
           )
@@ -128,7 +128,7 @@ module Dependabot
 
           # We just need to feed the updater a project file, grab the first
           project_file = T.must(project_files.first)
-          dependency_file_path = NativeDiscoveryJsonReader.dependency_file_path(
+          dependency_file_path = DiscoveryJsonReader.dependency_file_path(
             repo_contents_path: T.must(repo_contents_path),
             dependency_file: project_file
           )
@@ -168,13 +168,13 @@ module Dependabot
         @update_tooling_calls
       end
 
-      sig { returns(T.nilable(NativeWorkspaceDiscovery)) }
+      sig { returns(T.nilable(WorkspaceDiscovery)) }
       def workspace
         dependency_file_paths = dependency_files.map do |f|
-          NativeDiscoveryJsonReader.dependency_file_path(repo_contents_path: T.must(repo_contents_path),
-                                                         dependency_file: f)
+          DiscoveryJsonReader.dependency_file_path(repo_contents_path: T.must(repo_contents_path),
+                                                   dependency_file: f)
         end
-        NativeDiscoveryJsonReader.load_discovery_for_dependency_file_paths(dependency_file_paths).workspace_discovery
+        DiscoveryJsonReader.load_discovery_for_dependency_file_paths(dependency_file_paths).workspace_discovery
       end
 
       sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[String]) }
@@ -182,7 +182,7 @@ module Dependabot
         workspace&.projects&.find { |p| p.file_path == project_file.name }&.referenced_project_paths || []
       end
 
-      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[NativeDependencyDetails]) }
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[DependencyDetails]) }
       def project_dependencies(project_file)
         workspace&.projects&.find do |p|
           full_project_file_path = File.join(project_file.directory, project_file.name)
@@ -190,12 +190,12 @@ module Dependabot
         end&.dependencies || []
       end
 
-      sig { returns(T::Array[NativeDependencyDetails]) }
+      sig { returns(T::Array[DependencyDetails]) }
       def global_json_dependencies
         workspace&.global_json&.dependencies || []
       end
 
-      sig { returns(T::Array[NativeDependencyDetails]) }
+      sig { returns(T::Array[DependencyDetails]) }
       def dotnet_tools_json_dependencies
         workspace&.dotnet_tools_json&.dependencies || []
       end

data/lib/dependabot/nuget/native_helpers.rb

@@ -81,6 +81,8 @@ module Dependabot
         fingerprint = [
           exe_path,
           "discover",
+          "--job-path",
+          "<job-path>",
           "--repo-root",
           "<repo-root>",
           "--workspace",
@@ -116,15 +118,17 @@ module Dependabot
       end
 
       sig do
-        params(repo_root: String, discovery_file_path: String, dependency_file_path: String,
+        params(job_path: String, repo_root: String, discovery_file_path: String, dependency_file_path: String,
                analysis_folder_path: String).returns([String, String])
       end
-      def self.get_nuget_analyze_tool_command(repo_root:, discovery_file_path:, dependency_file_path:,
+      def self.get_nuget_analyze_tool_command(job_path:, repo_root:, discovery_file_path:, dependency_file_path:,
                                               analysis_folder_path:)
         exe_path = File.join(native_helpers_root, "NuGetUpdater", "NuGetUpdater.Cli")
         command_parts = [
           exe_path,
           "analyze",
+          "--job-path",
+          job_path,
           "--repo-root",
           repo_root,
           "--discovery-file-path",
@@ -140,6 +144,8 @@ module Dependabot
         fingerprint = [
           exe_path,
           "analyze",
+          "--job-path",
+          "<job-path>",
           "--discovery-file-path",
           "<discovery-file-path>",
           "--dependency-file-path",
@@ -153,13 +159,14 @@ module Dependabot
 
       sig do
         params(
-          repo_root: String, discovery_file_path: String, dependency_file_path: String,
+          job_path: String, repo_root: String, discovery_file_path: String, dependency_file_path: String,
           analysis_folder_path: String, credentials: T::Array[Dependabot::Credential]
         ).void
       end
-      def self.run_nuget_analyze_tool(repo_root:, discovery_file_path:, dependency_file_path:,
+      def self.run_nuget_analyze_tool(job_path:, repo_root:, discovery_file_path:, dependency_file_path:,
                                       analysis_folder_path:, credentials:)
-        (command, fingerprint) = get_nuget_analyze_tool_command(repo_root: repo_root,
+        (command, fingerprint) = get_nuget_analyze_tool_command(job_path: job_path,
+                                                                repo_root: repo_root,
                                                                 discovery_file_path: discovery_file_path,
                                                                 dependency_file_path: dependency_file_path,
                                                                 analysis_folder_path: analysis_folder_path)
@@ -205,6 +212,8 @@ module Dependabot
         fingerprint = [
           exe_path,
           "update",
+          "--job-path",
+          "<job-path>",
           "--repo-root",
           "<repo-root>",
           "--solution-or-project",

data/lib/dependabot/nuget/update_checker/requirements_updater.rb

@@ -9,6 +9,7 @@
 require "sorbet-runtime"
 
 require "dependabot/update_checkers/base"
+require "dependabot/nuget/discovery/dependency_details"
 require "dependabot/nuget/version"
 
 module Dependabot
@@ -20,22 +21,18 @@ module Dependabot
         sig do
           params(
             requirements: T::Array[T::Hash[Symbol, T.untyped]],
-            latest_version: T.nilable(T.any(String, Dependabot::Nuget::Version)),
-            source_details: T.nilable(T::Hash[Symbol, T.untyped])
+            dependency_details: T.nilable(Dependabot::Nuget::DependencyDetails)
           )
             .void
         end
-        def initialize(requirements:, latest_version:, source_details:)
+        def initialize(requirements:, dependency_details:)
           @requirements = requirements
-          @source_details = source_details
-          return unless latest_version
-
-          @latest_version = T.let(version_class.new(latest_version), Dependabot::Nuget::Version)
+          @dependency_details = dependency_details
         end
 
         sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
-          return requirements unless latest_version
+          return requirements unless clean_version
 
           # NOTE: Order is important here. The FileUpdater needs the updated
           # requirement at index `i` to correspond to the previous requirement
@@ -53,13 +50,21 @@ module Dependabot
                 # version
                 req[:requirement].sub(
                   /#{Nuget::Version::VERSION_PATTERN}/o,
-                  latest_version.to_s
+                  clean_version.to_s
                 )
               end
 
             next req if new_req == req.fetch(:requirement)
 
-            req.merge(requirement: new_req, source: updated_source)
+            new_source = req[:source]&.dup
+            unless @dependency_details.nil?
+              new_source = {
+                type: "nuget_repo",
+                source_url: @dependency_details.info_url
+              }
+            end
+
+            req.merge({ requirement: new_req, source: new_source })
           end
         end
 
@@ -68,17 +73,18 @@ module Dependabot
         sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         attr_reader :requirements
 
-        sig { returns(T.nilable(Dependabot::Nuget::Version)) }
-        attr_reader :latest_version
-
-        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-        attr_reader :source_details
-
         sig { returns(T.class_of(Dependabot::Nuget::Version)) }
         def version_class
           Dependabot::Nuget::Version
         end
 
+        sig { returns(T.nilable(Dependabot::Nuget::Version)) }
+        def clean_version
+          return unless @dependency_details&.version
+
+          version_class.new(@dependency_details.version)
+        end
+
         sig { params(req_string: String).returns(String) }
         def update_wildcard_requirement(req_string)
           return req_string if req_string == "*-*"
@@ -88,21 +94,11 @@ module Dependabot
           precision = T.must(req_string.split("*").first).split(/\.|\-/).count
           wildcard_section = req_string.partition(/(?=[.\-]\*)/).last
 
-          version_parts = T.must(latest_version).segments.first(precision)
+          version_parts = T.must(clean_version).segments.first(precision)
           version = version_parts.join(".")
 
           version + wildcard_section
         end
-
-        sig { returns(T::Hash[Symbol, T.untyped]) }
-        def updated_source
-          {
-            type: "nuget_repo",
-            url: source_details&.fetch(:repo_url),
-            nuspec_url: source_details&.fetch(:nuspec_url),
-            source_url: source_details&.fetch(:source_url)
-          }
-        end
       end
     end
   end

data/lib/dependabot/nuget/update_checker.rb

@@ -1,7 +1,8 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
-require "dependabot/nuget/file_parser"
+require "dependabot/nuget/analysis/analysis_json_reader"
+require "dependabot/nuget/discovery/discovery_json_reader"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
 require "sorbet-runtime"
@@ -11,38 +12,22 @@ module Dependabot
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       extend T::Sig
 
-      require_relative "update_checker/version_finder"
-      require_relative "update_checker/property_updater"
       require_relative "update_checker/requirements_updater"
-      require_relative "update_checker/dependency_finder"
-
-      require_relative "native_update_checker/native_update_checker"
-
-      PROPERTY_REGEX = /\$\((?<property>.*?)\)/
-
-      sig { returns(T::Boolean) }
-      def self.native_analysis_enabled?
-        Dependabot::Experiments.enabled?(:nuget_native_analysis)
-      end
 
       sig { override.returns(T.nilable(String)) }
       def latest_version
-        return native_update_checker.latest_version if UpdateChecker.native_analysis_enabled?
-
         # No need to find latest version for transitive dependencies unless they have a vulnerability.
         return dependency.version if !dependency.top_level? && !vulnerable?
 
         # if no update sources have the requisite package, then we can only assume that the current version is correct
         @latest_version = T.let(
-          latest_version_details&.fetch(:version)&.to_s || dependency.version,
+          update_analysis.dependency_analysis.updated_version,
           T.nilable(String)
         )
       end
 
       sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version
-        return native_update_checker.latest_resolvable_version if UpdateChecker.native_analysis_enabled?
-
         # We always want a full unlock since any package update could update peer dependencies as well.
         # To force a full unlock instead of an own unlock, we return nil.
         nil
@@ -50,232 +35,173 @@ module Dependabot
 
       sig { override.returns(Dependabot::Nuget::Version) }
       def lowest_security_fix_version
-        return native_update_checker.lowest_security_fix_version if UpdateChecker.native_analysis_enabled?
-
-        lowest_security_fix_version_details&.fetch(:version)
+        update_analysis.dependency_analysis.numeric_updated_version
       end
 
       sig { override.returns(T.nilable(Dependabot::Nuget::Version)) }
       def lowest_resolvable_security_fix_version
         return nil if version_comes_from_multi_dependency_property?
 
-        lowest_security_fix_version
+        update_analysis.dependency_analysis.numeric_updated_version
       end
 
       sig { override.returns(NilClass) }
       def latest_resolvable_version_with_no_unlock
-        return native_update_checker.latest_resolvable_version_with_no_unlock if UpdateChecker.native_analysis_enabled?
-
         # Irrelevant, since Nuget has a single dependency file
         nil
       end
 
       sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
-        return native_update_checker.updated_requirements if UpdateChecker.native_analysis_enabled?
-
+        dep_details = updated_dependency_details.find { |d| d.name.casecmp?(dependency.name) }
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: preferred_resolvable_version_details&.fetch(:version, nil)&.to_s,
-          source_details: preferred_resolvable_version_details&.slice(:nuspec_url, :repo_url, :source_url)
+          dependency_details: dep_details
         ).updated_requirements
       end
 
       sig { returns(T::Boolean) }
       def up_to_date?
-        return native_update_checker.up_to_date? if UpdateChecker.native_analysis_enabled?
-
-        # No need to update transitive dependencies unless they have a vulnerability.
-        return true if !dependency.top_level? && !vulnerable?
-
-        # If any requirements have an uninterpolated property in them then
-        # that property couldn't be found, and we assume that the dependency
-        # is up-to-date
-        return true unless requirements_unlocked_or_can_be?
-
-        super
+        !update_analysis.dependency_analysis.can_update
       end
 
       sig { returns(T::Boolean) }
       def requirements_unlocked_or_can_be?
-        # If any requirements have an uninterpolated property in them then
-        # that property couldn't be found, and the requirement therefore
-        # cannot be unlocked (since we can't update that property)
-        dependency.requirements.none? do |req|
-          req.fetch(:requirement)&.match?(PROPERTY_REGEX)
-        end
+        update_analysis.dependency_analysis.can_update
       end
 
       private
 
-      sig { returns(Dependabot::Nuget::NativeUpdateChecker) }
-      def native_update_checker
-        @native_update_checker ||=
-          T.let(
-            Dependabot::Nuget::NativeUpdateChecker.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              credentials: credentials,
-              repo_contents_path: repo_contents_path,
-              ignored_versions: ignored_versions,
-              raise_on_ignored: raise_on_ignored,
-              security_advisories: security_advisories,
-              requirements_update_strategy: requirements_update_strategy,
-              dependency_group: dependency_group,
-              options: options
-            ),
-            T.nilable(Dependabot::Nuget::NativeUpdateChecker)
-          )
+      sig { returns(String) }
+      def job_file_path
+        ENV.fetch("DEPENDABOT_JOB_PATH")
       end
 
-      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-      def preferred_resolvable_version_details
-        # If this dependency is vulnerable, prefer trying to update to the
-        # lowest_resolvable_security_fix_version. Otherwise update all the way
-        # to the latest_resolvable_version.
-        return lowest_security_fix_version_details if vulnerable?
-
-        latest_version_details
+      sig { returns(AnalysisJsonReader) }
+      def update_analysis
+        @update_analysis ||= T.let(request_analysis, T.nilable(AnalysisJsonReader))
       end
 
-      sig { override.returns(T::Boolean) }
-      def latest_version_resolvable_with_full_unlock?
-        if UpdateChecker.native_analysis_enabled?
-          return native_update_checker.public_latest_version_resolvable_with_full_unlock?
-        end
-
-        # We always want a full unlock since any package update could update peer dependencies as well.
-        return true unless version_comes_from_multi_dependency_property?
-
-        property_updater.update_possible?
+      sig { returns(String) }
+      def dependency_file_path
+        d = File.join(Dir.tmpdir, "dependency")
+        FileUtils.mkdir_p(d)
+        File.join(d, "#{dependency.name}.json")
       end
 
-      sig { override.returns(T::Array[Dependabot::Dependency]) }
-      def updated_dependencies_after_full_unlock
-        if UpdateChecker.native_analysis_enabled?
-          return native_update_checker.public_updated_dependencies_after_full_unlock
+      sig { returns(T::Array[String]) }
+      def dependency_file_paths
+        dependency_files.map do |file|
+          DiscoveryJsonReader.dependency_file_path(
+            repo_contents_path: T.must(repo_contents_path),
+            dependency_file: file
+          )
         end
+      end
 
-        return property_updater.updated_dependencies if version_comes_from_multi_dependency_property?
-
-        puts "Finding updated dependencies for #{dependency.name}."
-
-        updated_dependency = Dependency.new(
-          name: dependency.name,
-          version: latest_version,
-          requirements: updated_requirements,
-          previous_version: dependency.version,
-          previous_requirements: dependency.requirements,
-          package_manager: dependency.package_manager
+      sig { returns(AnalysisJsonReader) }
+      def request_analysis
+        discovery_file_path = DiscoveryJsonReader.get_discovery_json_path_for_dependency_file_paths(
+          dependency_file_paths
         )
-        updated_dependencies = [updated_dependency]
-        updated_dependencies += DependencyFinder.new(
-          dependency: updated_dependency,
-          dependency_files: dependency_files,
-          ignored_versions: ignored_versions,
-          credentials: credentials,
-          repo_contents_path: @repo_contents_path
-        ).updated_peer_dependencies
-        updated_dependencies
-      end
+        analysis_folder_path = AnalysisJsonReader.temp_directory
+
+        write_dependency_info
+
+        NativeHelpers.run_nuget_analyze_tool(job_path: job_file_path,
+                                             repo_root: T.must(repo_contents_path),
+                                             discovery_file_path: discovery_file_path,
+                                             dependency_file_path: dependency_file_path,
+                                             analysis_folder_path: analysis_folder_path,
+                                             credentials: credentials)
+
+        analysis_json = AnalysisJsonReader.analysis_json(dependency_name: dependency.name)
+
+        AnalysisJsonReader.new(analysis_json: T.must(analysis_json))
+      end
+
+      sig { void }
+      def write_dependency_info
+        dependency_info = {
+          Name: dependency.name,
+          Version: dependency.version.to_s,
+          IsVulnerable: vulnerable?,
+          IgnoredVersions: ignored_versions,
+          Vulnerabilities: security_advisories.map do |vulnerability|
+            {
+              DependencyName: vulnerability.dependency_name,
+              PackageManager: vulnerability.package_manager,
+              VulnerableVersions: vulnerability.vulnerable_versions.map(&:to_s),
+              SafeVersions: vulnerability.safe_versions.map(&:to_s)
+            }
+          end
+        }.to_json
+        dependency_directory = File.dirname(dependency_file_path)
 
-      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-      def preferred_version_details
-        return lowest_security_fix_version_details if vulnerable?
+        begin
+          Dir.mkdir(dependency_directory)
+        rescue StandardError
+          nil?
+        end
 
-        latest_version_details
+        Dependabot.logger.info("Writing dependency info: #{dependency_info}")
+        File.write(dependency_file_path, dependency_info)
       end
 
-      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-      def latest_version_details
-        @latest_version_details ||=
-          T.let(
-            version_finder.latest_version_details,
-            T.nilable(T::Hash[Symbol, T.untyped])
-          )
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      def discovered_dependencies
+        DiscoveryJsonReader.load_discovery_for_dependency_file_paths(dependency_file_paths).dependency_set
       end
 
-      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-      def lowest_security_fix_version_details
-        @lowest_security_fix_version_details ||=
-          T.let(
-            version_finder.lowest_security_fix_version_details,
-            T.nilable(T::Hash[Symbol, T.untyped])
-          )
+      sig { override.returns(T::Boolean) }
+      def latest_version_resolvable_with_full_unlock?
+        # We always want a full unlock since any package update could update peer dependencies as well.
+        true
       end
 
-      sig { returns(Dependabot::Nuget::UpdateChecker::VersionFinder) }
-      def version_finder
-        @version_finder ||=
-          T.let(
-            VersionFinder.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              credentials: credentials,
-              ignored_versions: ignored_versions,
-              raise_on_ignored: @raise_on_ignored,
-              security_advisories: security_advisories,
-              repo_contents_path: @repo_contents_path
-            ),
-            T.nilable(Dependabot::Nuget::UpdateChecker::VersionFinder)
-          )
-      end
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def updated_dependencies_after_full_unlock
+        dependencies = discovered_dependencies.dependencies
+        updated_dependency_details.filter_map do |dependency_details|
+          dep = dependencies.find { |d| d.name.casecmp(dependency_details.name)&.zero? }
+          next unless dep
+
+          metadata = {}
+          # For peer dependencies, instruct updater to not directly update this dependency
+          metadata = { information_only: true } unless dependency.name.casecmp(dependency_details.name)&.zero?
+
+          # rebuild the new requirements with the updated dependency details
+          updated_reqs = dep.requirements.map do |r|
+            r = r.clone
+            r[:requirement] = dependency_details.version
+            r[:source] = {
+              type: "nuget_repo",
+              source_url: dependency_details.info_url
+            }
+            r
+          end
 
-      sig { returns(Dependabot::Nuget::UpdateChecker::PropertyUpdater) }
-      def property_updater
-        @property_updater ||=
-          T.let(
-            PropertyUpdater.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              target_version_details: latest_version_details,
-              credentials: credentials,
-              ignored_versions: ignored_versions,
-              raise_on_ignored: @raise_on_ignored,
-              repo_contents_path: @repo_contents_path
-            ),
-            T.nilable(Dependabot::Nuget::UpdateChecker::PropertyUpdater)
+          Dependency.new(
+            name: dep.name,
+            version: dependency_details.version,
+            requirements: updated_reqs,
+            previous_version: dep.version,
+            previous_requirements: dep.requirements,
+            package_manager: dep.package_manager,
+            metadata: metadata
           )
-      end
-
-      sig { returns(T::Boolean) }
-      def version_comes_from_multi_dependency_property?
-        declarations_using_a_property.any? do |requirement|
-          property_name = requirement.fetch(:metadata).fetch(:property_name)
-
-          all_property_based_dependencies.any? do |dep|
-            next false if dep.name == dependency.name
-
-            dep.requirements.any? do |req|
-              req.dig(:metadata, :property_name) == property_name
-            end
-          end
         end
       end
 
-      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
-      def declarations_using_a_property
-        @declarations_using_a_property ||=
-          T.let(
-            dependency.requirements
-                      .select { |req| req.dig(:metadata, :property_name) },
-            T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
-          )
+      sig { returns(T::Array[Dependabot::Nuget::DependencyDetails]) }
+      def updated_dependency_details
+        @updated_dependency_details ||= T.let(update_analysis.dependency_analysis.updated_dependencies,
+                                              T.nilable(T::Array[Dependabot::Nuget::DependencyDetails]))
       end
 
-      sig { returns(T::Array[Dependabot::Dependency]) }
-      def all_property_based_dependencies
-        @all_property_based_dependencies ||=
-          T.let(
-            Nuget::FileParser.new(
-              dependency_files: dependency_files,
-              repo_contents_path: repo_contents_path,
-              source: nil
-            ).parse.select do |dep|
-              dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
-            end,
-            T.nilable(T::Array[Dependabot::Dependency])
-          )
+      sig { returns(T::Boolean) }
+      def version_comes_from_multi_dependency_property?
+        update_analysis.dependency_analysis.version_comes_from_multi_dependency_property
       end
     end
   end