RubyGems - dependabot-nuget - Versions diffs - 0.289.0 → 0.291.0 - Mend

dependabot-nuget 0.289.0 → 0.291.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

data/lib/dependabot/nuget/native_discovery/native_property_details.rb DELETED Viewed

@@ -1,43 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-require "sorbet-runtime"
-module Dependabot
-  module Nuget
-    class NativePropertyDetails
-      extend T::Sig
-      sig { params(json: T::Hash[String, T.untyped]).returns(NativePropertyDetails) }
-      def self.from_json(json)
-        name = T.let(json.fetch("Name"), String)
-        value = T.let(json.fetch("Value"), String)
-        source_file_path = T.let(json.fetch("SourceFilePath"), String)
-        NativePropertyDetails.new(name: name,
-                                  value: value,
-                                  source_file_path: source_file_path)
-      end
-      sig do
-        params(name: String,
-               value: String,
-               source_file_path: String).void
-      end
-      def initialize(name:, value:, source_file_path:)
-        @name = name
-        @value = value
-        @source_file_path = source_file_path
-      end
-      sig { returns(String) }
-      attr_reader :name
-      sig { returns(String) }
-      attr_reader :value
-      sig { returns(String) }
-      attr_reader :source_file_path
-    end
-  end
-end

data/lib/dependabot/nuget/native_discovery/native_workspace_discovery.rb DELETED Viewed

@@ -1,61 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-require "dependabot/nuget/native_discovery/native_dependency_file_discovery"
-require "dependabot/nuget/native_discovery/native_project_discovery"
-require "dependabot/nuget/native_helpers"
-require "sorbet-runtime"
-module Dependabot
-  module Nuget
-    class NativeWorkspaceDiscovery
-      extend T::Sig
-      sig { params(json: T::Hash[String, T.untyped]).returns(NativeWorkspaceDiscovery) }
-      def self.from_json(json)
-        Dependabot::Nuget::NativeHelpers.ensure_no_errors(json)
-        path = T.let(json.fetch("Path"), String)
-        path = "/" + path unless path.start_with?("/")
-        projects = T.let(json.fetch("Projects"), T::Array[T::Hash[String, T.untyped]]).filter_map do |project|
-          NativeProjectDiscovery.from_json(project, path)
-        end
-        global_json = NativeDependencyFileDiscovery
-                      .from_json(T.let(json.fetch("GlobalJson"), T.nilable(T::Hash[String, T.untyped])), path)
-        dotnet_tools_json = NativeDependencyFileDiscovery
-                            .from_json(T.let(json.fetch("DotNetToolsJson"),
-                                             T.nilable(T::Hash[String, T.untyped])), path)
-        NativeWorkspaceDiscovery.new(path: path,
-                                     projects: projects,
-                                     global_json: global_json,
-                                     dotnet_tools_json: dotnet_tools_json)
-      end
-      sig do
-        params(path: String,
-               projects: T::Array[NativeProjectDiscovery],
-               global_json: T.nilable(NativeDependencyFileDiscovery),
-               dotnet_tools_json: T.nilable(NativeDependencyFileDiscovery)).void
-      end
-      def initialize(path:, projects:, global_json:, dotnet_tools_json:)
-        @path = path
-        @projects = projects
-        @global_json = global_json
-        @dotnet_tools_json = dotnet_tools_json
-      end
-      sig { returns(String) }
-      attr_reader :path
-      sig { returns(T::Array[NativeProjectDiscovery]) }
-      attr_reader :projects
-      sig { returns(T.nilable(NativeDependencyFileDiscovery)) }
-      attr_reader :global_json
-      sig { returns(T.nilable(NativeDependencyFileDiscovery)) }
-      attr_reader :dotnet_tools_json
-    end
-  end
-end

data/lib/dependabot/nuget/native_update_checker/native_requirements_updater.rb DELETED Viewed

@@ -1,105 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-#######################################################################
-# For more details on Dotnet version constraints, see:                #
-# https://docs.microsoft.com/en-us/nuget/reference/package-versioning #
-#######################################################################
-require "sorbet-runtime"
-require "dependabot/update_checkers/base"
-require "dependabot/nuget/native_discovery/native_dependency_details"
-require "dependabot/nuget/version"
-module Dependabot
-  module Nuget
-    class NativeUpdateChecker < Dependabot::UpdateCheckers::Base
-      class NativeRequirementsUpdater
-        extend T::Sig
-        sig do
-          params(
-            requirements: T::Array[T::Hash[Symbol, T.untyped]],
-            dependency_details: T.nilable(Dependabot::Nuget::NativeDependencyDetails)
-          )
-            .void
-        end
-        def initialize(requirements:, dependency_details:)
-          @requirements = requirements
-          @dependency_details = dependency_details
-        end
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
-        def updated_requirements
-          return requirements unless clean_version
-          # NOTE: Order is important here. The FileUpdater needs the updated
-          # requirement at index `i` to correspond to the previous requirement
-          # at the same index.
-          requirements.map do |req|
-            next req if req.fetch(:requirement).nil?
-            next req if req.fetch(:requirement).include?(",")
-            new_req =
-              if req.fetch(:requirement).include?("*")
-                update_wildcard_requirement(req.fetch(:requirement))
-              else
-                # Since range requirements are excluded by the line above we can
-                # replace anything that looks like a version with the new
-                # version
-                req[:requirement].sub(
-                  /#{Nuget::Version::VERSION_PATTERN}/o,
-                  clean_version.to_s
-                )
-              end
-            next req if new_req == req.fetch(:requirement)
-            new_source = req[:source]&.dup
-            unless @dependency_details.nil?
-              new_source = {
-                type: "nuget_repo",
-                source_url: @dependency_details.info_url
-              }
-            end
-            req.merge({ requirement: new_req, source: new_source })
-          end
-        end
-        private
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
-        attr_reader :requirements
-        sig { returns(T.class_of(Dependabot::Nuget::Version)) }
-        def version_class
-          Dependabot::Nuget::Version
-        end
-        sig { returns(T.nilable(Dependabot::Nuget::Version)) }
-        def clean_version
-          return unless @dependency_details&.version
-          version_class.new(@dependency_details.version)
-        end
-        sig { params(req_string: String).returns(String) }
-        def update_wildcard_requirement(req_string)
-          return req_string if req_string == "*-*"
-          return req_string if req_string == "*"
-          precision = T.must(req_string.split("*").first).split(/\.|\-/).count
-          wildcard_section = req_string.partition(/(?=[.\-]\*)/).last
-          version_parts = T.must(clean_version).segments.first(precision)
-          version = version_parts.join(".")
-          version + wildcard_section
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/native_update_checker/native_update_checker.rb DELETED Viewed

@@ -1,214 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-require "dependabot/nuget/analysis/analysis_json_reader"
-require "dependabot/nuget/native_discovery/native_discovery_json_reader"
-require "dependabot/update_checkers"
-require "dependabot/update_checkers/base"
-require "sorbet-runtime"
-module Dependabot
-  module Nuget
-    class NativeUpdateChecker < Dependabot::UpdateCheckers::Base
-      extend T::Sig
-      require_relative "native_requirements_updater"
-      sig { override.returns(T.nilable(String)) }
-      def latest_version
-        # No need to find latest version for transitive dependencies unless they have a vulnerability.
-        return dependency.version if !dependency.top_level? && !vulnerable?
-        # if no update sources have the requisite package, then we can only assume that the current version is correct
-        @latest_version = T.let(
-          update_analysis.dependency_analysis.updated_version,
-          T.nilable(String)
-        )
-      end
-      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
-      def latest_resolvable_version
-        # We always want a full unlock since any package update could update peer dependencies as well.
-        # To force a full unlock instead of an own unlock, we return nil.
-        nil
-      end
-      sig { override.returns(Dependabot::Nuget::Version) }
-      def lowest_security_fix_version
-        update_analysis.dependency_analysis.numeric_updated_version
-      end
-      sig { override.returns(T.nilable(Dependabot::Nuget::Version)) }
-      def lowest_resolvable_security_fix_version
-        return nil if version_comes_from_multi_dependency_property?
-        update_analysis.dependency_analysis.numeric_updated_version
-      end
-      sig { override.returns(NilClass) }
-      def latest_resolvable_version_with_no_unlock
-        # Irrelevant, since Nuget has a single dependency file
-        nil
-      end
-      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
-      def updated_requirements
-        dep_details = updated_dependency_details.find { |d| d.name.casecmp?(dependency.name) }
-        NativeRequirementsUpdater.new(
-          requirements: dependency.requirements,
-          dependency_details: dep_details
-        ).updated_requirements
-      end
-      sig { returns(T::Boolean) }
-      def up_to_date?
-        !update_analysis.dependency_analysis.can_update
-      end
-      sig { returns(T::Boolean) }
-      def requirements_unlocked_or_can_be?
-        update_analysis.dependency_analysis.can_update
-      end
-      sig { returns(T::Boolean) }
-      def public_latest_version_resolvable_with_full_unlock?
-        latest_version_resolvable_with_full_unlock?
-      end
-      sig { returns(T::Array[Dependabot::Dependency]) }
-      def public_updated_dependencies_after_full_unlock
-        updated_dependencies_after_full_unlock
-      end
-      private
-      sig { returns(AnalysisJsonReader) }
-      def update_analysis
-        @update_analysis ||= T.let(request_analysis, T.nilable(AnalysisJsonReader))
-      end
-      sig { returns(String) }
-      def dependency_file_path
-        d = File.join(Dir.tmpdir, "dependency")
-        FileUtils.mkdir_p(d)
-        File.join(d, "#{dependency.name}.json")
-      end
-      sig { returns(T::Array[String]) }
-      def dependency_file_paths
-        dependency_files.map do |file|
-          NativeDiscoveryJsonReader.dependency_file_path(
-            repo_contents_path: T.must(repo_contents_path),
-            dependency_file: file
-          )
-        end
-      end
-      sig { returns(AnalysisJsonReader) }
-      def request_analysis
-        discovery_file_path = NativeDiscoveryJsonReader.get_discovery_json_path_for_dependency_file_paths(
-          dependency_file_paths
-        )
-        analysis_folder_path = AnalysisJsonReader.temp_directory
-        write_dependency_info
-        NativeHelpers.run_nuget_analyze_tool(repo_root: T.must(repo_contents_path),
-                                             discovery_file_path: discovery_file_path,
-                                             dependency_file_path: dependency_file_path,
-                                             analysis_folder_path: analysis_folder_path,
-                                             credentials: credentials)
-        analysis_json = AnalysisJsonReader.analysis_json(dependency_name: dependency.name)
-        AnalysisJsonReader.new(analysis_json: T.must(analysis_json))
-      end
-      sig { void }
-      def write_dependency_info
-        dependency_info = {
-          Name: dependency.name,
-          Version: dependency.version.to_s,
-          IsVulnerable: vulnerable?,
-          IgnoredVersions: ignored_versions,
-          Vulnerabilities: security_advisories.map do |vulnerability|
-            {
-              DependencyName: vulnerability.dependency_name,
-              PackageManager: vulnerability.package_manager,
-              VulnerableVersions: vulnerability.vulnerable_versions.map(&:to_s),
-              SafeVersions: vulnerability.safe_versions.map(&:to_s)
-            }
-          end
-        }.to_json
-        dependency_directory = File.dirname(dependency_file_path)
-        begin
-          Dir.mkdir(dependency_directory)
-        rescue StandardError
-          nil?
-        end
-        Dependabot.logger.info("Writing dependency info: #{dependency_info}")
-        File.write(dependency_file_path, dependency_info)
-      end
-      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-      def discovered_dependencies
-        NativeDiscoveryJsonReader.load_discovery_for_dependency_file_paths(dependency_file_paths).dependency_set
-      end
-      sig { override.returns(T::Boolean) }
-      def latest_version_resolvable_with_full_unlock?
-        # We always want a full unlock since any package update could update peer dependencies as well.
-        true
-      end
-      sig { override.returns(T::Array[Dependabot::Dependency]) }
-      def updated_dependencies_after_full_unlock
-        dependencies = discovered_dependencies.dependencies
-        updated_dependency_details.filter_map do |dependency_details|
-          dep = dependencies.find { |d| d.name.casecmp(dependency_details.name)&.zero? }
-          next unless dep
-          metadata = {}
-          # For peer dependencies, instruct updater to not directly update this dependency
-          metadata = { information_only: true } unless dependency.name.casecmp(dependency_details.name)&.zero?
-          # rebuild the new requirements with the updated dependency details
-          updated_reqs = dep.requirements.map do |r|
-            r = r.clone
-            r[:requirement] = dependency_details.version
-            r[:source] = {
-              type: "nuget_repo",
-              source_url: dependency_details.info_url
-            }
-            r
-          end
-          Dependency.new(
-            name: dep.name,
-            version: dependency_details.version,
-            requirements: updated_reqs,
-            previous_version: dep.version,
-            previous_requirements: dep.requirements,
-            package_manager: dep.package_manager,
-            metadata: metadata
-          )
-        end
-      end
-      sig { returns(T::Array[Dependabot::Nuget::NativeDependencyDetails]) }
-      def updated_dependency_details
-        @updated_dependency_details ||= T.let(update_analysis.dependency_analysis.updated_dependencies,
-                                              T.nilable(T::Array[Dependabot::Nuget::NativeDependencyDetails]))
-      end
-      sig { returns(T::Boolean) }
-      def version_comes_from_multi_dependency_property?
-        update_analysis.dependency_analysis.version_comes_from_multi_dependency_property
-      end
-    end
-  end
-end
-Dependabot::UpdateCheckers.register("nuget", Dependabot::Nuget::UpdateChecker)

data/lib/dependabot/nuget/nuget_client.rb DELETED Viewed

@@ -1,223 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-require "dependabot/nuget/cache_manager"
-require "dependabot/nuget/http_response_helpers"
-require "dependabot/nuget/update_checker/repository_finder"
-require "sorbet-runtime"
-module Dependabot
-  module Nuget
-    class NugetClient
-      extend T::Sig
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      def self.get_package_versions(dependency_name, repository_details)
-        repository_type = repository_details.fetch(:repository_type)
-        if repository_type == "v3"
-          get_package_versions_v3(dependency_name, repository_details)
-        elsif repository_type == "v2"
-          get_package_versions_v2(dependency_name, repository_details)
-        elsif repository_type == "local"
-          get_package_versions_local(dependency_name, repository_details)
-        else
-          raise "Unknown repository type: #{repository_type}"
-        end
-      end
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_package_versions_local(dependency_name, repository_details)
-        url = repository_details.fetch(:base_url)
-        raise "Local repo #{url} doesn't exist or isn't a directory" unless File.exist?(url) && File.directory?(url)
-        package_dir = File.join(url, dependency_name)
-        versions = Set.new
-        return versions unless File.exist?(package_dir) && File.directory?(package_dir)
-        Dir.each_child(package_dir) do |child|
-          versions.add(child) if File.directory?(File.join(package_dir, child))
-        end
-        versions
-      end
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_package_versions_v3(dependency_name, repository_details)
-        # Use the registration URL if possible because it is fast and correct
-        if repository_details[:registration_url]
-          get_versions_from_registration_v3(repository_details)
-        # use the search API if not because it is slow but correct
-        elsif repository_details[:search_url]
-          get_versions_from_search_url_v3(repository_details, dependency_name)
-        # Otherwise, use the versions URL (fast but wrong because it includes unlisted versions)
-        elsif repository_details[:versions_url]
-          get_versions_from_versions_url_v3(repository_details)
-        else
-          raise "No version sources were available for #{dependency_name} in #{repository_details}"
-        end
-      end
-      sig do
-        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_package_versions_v2(dependency_name, repository_details)
-        doc = execute_xml_nuget_request(repository_details.fetch(:versions_url), repository_details)
-        return unless doc
-        # v2 APIs can differ, but all tested have this title value set to the name of the package
-        title_nodes = doc.xpath("/feed/entry/title")
-        matching_versions = Set.new
-        title_nodes.each do |title_node|
-          return nil unless title_node.text
-          next unless title_node.text.casecmp?(dependency_name)
-          version_node = title_node.parent.xpath("properties/Version")
-          matching_versions << version_node.text if version_node && version_node.text
-        end
-        matching_versions
-      end
-      sig { params(repository_details: T::Hash[Symbol, String]).returns(T.nilable(T::Set[String])) }
-      private_class_method def self.get_versions_from_versions_url_v3(repository_details)
-        body = execute_json_nuget_request(repository_details.fetch(:versions_url), repository_details)
-        ver_array = T.let(body&.fetch("versions"), T.nilable(T::Array[String]))
-        ver_array&.to_set
-      end
-      sig { params(repository_details: T::Hash[Symbol, String]).returns(T.nilable(T::Set[String])) }
-      private_class_method def self.get_versions_from_registration_v3(repository_details)
-        url = repository_details.fetch(:registration_url)
-        body = execute_json_nuget_request(url, repository_details)
-        return unless body
-        pages = body.fetch("items")
-        versions = T.let(Set.new, T::Set[String])
-        pages.each do |page|
-          items = page["items"]
-          if items
-            # inlined entries
-            get_versions_from_inline_page(items, versions)
-          else
-            # paged entries
-            page_url = page["@id"]
-            page_body = execute_json_nuget_request(page_url, repository_details)
-            next unless page_body
-            items = page_body.fetch("items")
-            items.each do |item|
-              catalog_entry = item.fetch("catalogEntry")
-              versions << catalog_entry.fetch("version") if catalog_entry["listed"] == true
-            end
-          end
-        end
-        versions
-      end
-      sig { params(items: T::Array[T::Hash[String, T.untyped]], versions: T::Set[String]).void }
-      private_class_method def self.get_versions_from_inline_page(items, versions)
-        items.each do |item|
-          catalog_entry = item["catalogEntry"]
-          # a package is considered listed if the `listed` property is either `true` or missing
-          listed_property = catalog_entry["listed"]
-          is_listed = listed_property.nil? || listed_property == true
-          if is_listed
-            vers = catalog_entry["version"]
-            versions << vers
-          end
-        end
-      end
-      sig do
-        params(repository_details: T::Hash[Symbol, String], dependency_name: String)
-          .returns(T.nilable(T::Set[String]))
-      end
-      private_class_method def self.get_versions_from_search_url_v3(repository_details, dependency_name)
-        search_url = repository_details.fetch(:search_url)
-        body = execute_json_nuget_request(search_url, repository_details)
-        body&.fetch("data")
-            &.find { |d| d.fetch("id").casecmp(dependency_name.downcase).zero? }
-            &.fetch("versions")
-            &.map { |d| d.fetch("version") }
-            &.to_set
-      end
-      sig do
-        params(url: String, repository_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(Nokogiri::XML::Document))
-      end
-      private_class_method def self.execute_xml_nuget_request(url, repository_details)
-        response = execute_nuget_request_internal(
-          url: url,
-          auth_header: repository_details.fetch(:auth_header),
-          repository_url: repository_details.fetch(:repository_url)
-        )
-        return unless response.status == 200
-        doc = Nokogiri::XML(response.body)
-        doc.remove_namespaces!
-        doc
-      end
-      sig do
-        params(url: String,
-               repository_details: T::Hash[Symbol, T.untyped])
-          .returns(T.nilable(T::Hash[T.untyped, T.untyped]))
-      end
-      private_class_method def self.execute_json_nuget_request(url, repository_details)
-        response = execute_nuget_request_internal(
-          url: url,
-          auth_header: repository_details.fetch(:auth_header),
-          repository_url: repository_details.fetch(:repository_url)
-        )
-        return unless response.status == 200
-        body = HttpResponseHelpers.remove_wrapping_zero_width_chars(response.body)
-        JSON.parse(body)
-      end
-      sig do
-        params(url: String, auth_header: T::Hash[Symbol, T.untyped], repository_url: String).returns(Excon::Response)
-      end
-      private_class_method def self.execute_nuget_request_internal(url:, auth_header:, repository_url:)
-        cache = CacheManager.cache("dependency_url_search_cache")
-        if cache[url].nil?
-          response = Dependabot::RegistryClient.get(
-            url: url,
-            headers: auth_header
-          )
-          if [401, 402, 403].include?(response.status)
-            raise Dependabot::PrivateSourceAuthenticationFailure, repository_url
-          end
-          cache[url] = response if !CacheManager.caching_disabled? && response.status == 200
-        else
-          response = cache[url]
-        end
-        response
-      rescue Excon::Error::Timeout, Excon::Error::Socket
-        repo_url = repository_url
-        raise if repo_url == Dependabot::Nuget::RepositoryFinder::DEFAULT_REPOSITORY_URL
-        raise PrivateSourceTimedOut, repo_url
-      end
-    end
-  end
-end