dependabot-nuget 0.289.0 → 0.291.0

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -1,116 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "sorbet-runtime"
-
-require "dependabot/update_checkers/base"
-
-module Dependabot
-  module Nuget
-    class CompatibilityChecker
-      extend T::Sig
-
-      require_relative "nuspec_fetcher"
-      require_relative "nupkg_fetcher"
-      require_relative "tfm_finder"
-      require_relative "tfm_comparer"
-
-      sig do
-        params(
-          dependency_urls: T::Array[T::Hash[Symbol, String]],
-          dependency: Dependabot::Dependency
-        ).void
-      end
-      def initialize(dependency_urls:, dependency:)
-        @dependency_urls = dependency_urls
-        @dependency = dependency
-      end
-
-      sig { params(version: String).returns(T::Boolean) }
-      def compatible?(version)
-        nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, dependency.name, version)
-        return false unless nuspec_xml
-
-        # development dependencies are packages such as analyzers which need to be compatible with the compiler not the
-        # project itself, but some packages that report themselves as development dependencies still contain target
-        # framework dependencies and should be checked for compatibility through the regular means
-        return true if pure_development_dependency?(nuspec_xml)
-
-        package_tfms = parse_package_tfms(nuspec_xml)
-        package_tfms = fetch_package_tfms(version) if package_tfms.empty?
-        # nil is a special return value that indicates that the package is likely a development dependency
-        return true if package_tfms.nil?
-        return false if package_tfms.empty?
-
-        return false if project_tfms.nil? || project_tfms&.empty?
-
-        TfmComparer.are_frameworks_compatible?(T.must(project_tfms), package_tfms)
-      end
-
-      private
-
-      sig { returns(T::Array[T::Hash[Symbol, String]]) }
-      attr_reader :dependency_urls
-
-      sig { returns(Dependabot::Dependency) }
-      attr_reader :dependency
-
-      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Boolean) }
-      def pure_development_dependency?(nuspec_xml)
-        contents = nuspec_xml.at_xpath("package/metadata/developmentDependency")&.content&.strip
-        return false unless contents # no `developmentDependency` element
-
-        self_reports_as_development_dependency = contents.casecmp?("true")
-        return false unless self_reports_as_development_dependency
-
-        # even though a package self-reports as a development dependency, it might not be if it has dependency groups
-        # with a target framework
-        dependency_groups_with_target_framework =
-          nuspec_xml.at_xpath("/package/metadata/dependencies/group[@targetFramework]")
-        dependency_groups_with_target_framework.to_a.empty?
-      end
-
-      sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[String]) }
-      def parse_package_tfms(nuspec_xml)
-        nuspec_xml.xpath("//dependencies/group").filter_map { |group| group.attribute("targetFramework") }
-      end
-
-      sig { returns(T.nilable(T::Array[String])) }
-      def project_tfms
-        @project_tfms ||= T.let(TfmFinder.frameworks(dependency), T.nilable(T::Array[String]))
-      end
-
-      sig { params(dependency_version: String).returns(T.nilable(T::Array[String])) }
-      def fetch_package_tfms(dependency_version)
-        cache = CacheManager.cache("compatibility_checker_tfms_cache")
-        key = "#{dependency.name}::#{dependency_version}"
-
-        cache[key] ||= begin
-          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-          return [] unless nupkg_buffer
-
-          # Parse tfms from the folders beneath the lib folder
-          folder_name = "lib/"
-          tfms = Set.new
-          Zip::File.open_buffer(nupkg_buffer) do |zip|
-            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-            # If there is no lib folder in this package, assume it is a development dependency
-            return nil if lib_file_entries.empty?
-
-            lib_file_entries.each do |entry|
-              _, tfm = entry.name.split("/").first(2)
-
-              # some zip compressors create empty directory entries (in this case `lib/`) which can cause the string
-              # split to return `nil`, so we have to explicitly guard against that
-              tfms << tfm if tfm
-            end
-          end
-
-          tfms.to_a
-        end
-
-        cache[key]
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -1,297 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "nokogiri"
-require "sorbet-runtime"
-require "stringio"
-require "zip"
-
-require "dependabot/update_checkers/base"
-require "dependabot/nuget/version"
-
-module Dependabot
-  module Nuget
-    class UpdateChecker < Dependabot::UpdateCheckers::Base
-      class DependencyFinder
-        extend T::Sig
-
-        require_relative "requirements_updater"
-        require_relative "nuspec_fetcher"
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def self.transitive_dependencies_cache
-          CacheManager.cache("dependency_finder_transitive_dependencies")
-        end
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def self.updated_peer_dependencies_cache
-          CacheManager.cache("dependency_finder_updated_peer_dependencies")
-        end
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def self.fetch_dependencies_cache
-          CacheManager.cache("dependency_finder_fetch_dependencies")
-        end
-
-        sig do
-          params(
-            dependency: Dependabot::Dependency,
-            dependency_files: T::Array[Dependabot::DependencyFile],
-            ignored_versions: T::Array[String],
-            credentials: T::Array[Dependabot::Credential],
-            repo_contents_path: T.nilable(String)
-          ).void
-        end
-        def initialize(dependency:, dependency_files:, ignored_versions:, credentials:, repo_contents_path:)
-          @dependency             = dependency
-          @dependency_files       = dependency_files
-          @ignored_versions       = ignored_versions
-          @credentials            = credentials
-          @repo_contents_path     = repo_contents_path
-        end
-
-        sig { returns(T::Array[Dependabot::Dependency]) }
-        def transitive_dependencies
-          key = "#{dependency.name.downcase}::#{dependency.version}"
-          cache = DependencyFinder.transitive_dependencies_cache
-
-          unless cache[key]
-            begin
-              # first do a quick sanity check on the version string; if it can't be parsed, an exception will be raised
-              _ = Version.new(dependency.version)
-
-              cache[key] = fetch_transitive_dependencies(
-                @dependency.name,
-                T.must(@dependency.version)
-              ).map do |dependency_info|
-                package_name = dependency_info["packageName"]
-                target_version = dependency_info["version"]
-
-                Dependency.new(
-                  name: package_name,
-                  version: target_version.to_s,
-                  requirements: [], # Empty requirements for transitive dependencies
-                  package_manager: @dependency.package_manager
-                )
-              end
-            rescue StandardError
-              # if anything happened above, there are no meaningful dependencies that can be derived
-              cache[key] = []
-            end
-          end
-
-          cache[key]
-        end
-
-        sig { returns(T::Array[Dependabot::Dependency]) }
-        def updated_peer_dependencies
-          key = "#{dependency.name.downcase}::#{dependency.version}"
-          cache = DependencyFinder.updated_peer_dependencies_cache
-
-          cache[key] ||= fetch_transitive_dependencies(
-            @dependency.name,
-            T.must(@dependency.version)
-          ).filter_map do |dependency_info|
-            package_name = dependency_info["packageName"]
-            target_version = dependency_info["version"]
-
-            # Find the Dependency object for the peer dependency. We will not return
-            # dependencies that are not referenced from dependency files.
-            peer_dependency = top_level_dependencies.find { |d| d.name == package_name }
-            next unless peer_dependency
-            next unless target_version > peer_dependency.numeric_version
-
-            # Use version finder to determine the source details for the peer dependency.
-            target_version_details = version_finder(peer_dependency).versions.find do |v|
-              v.fetch(:version) == target_version
-            end
-            next unless target_version_details
-
-            Dependency.new(
-              name: peer_dependency.name,
-              version: target_version_details.fetch(:version).to_s,
-              requirements: updated_requirements(peer_dependency, target_version_details),
-              previous_version: peer_dependency.version,
-              previous_requirements: peer_dependency.requirements,
-              package_manager: peer_dependency.package_manager,
-              metadata: { information_only: true } # Instruct updater to not directly update this dependency
-            )
-          end
-
-          cache[key]
-        end
-
-        private
-
-        sig { returns(Dependabot::Dependency) }
-        attr_reader :dependency
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        attr_reader :dependency_files
-
-        sig { returns(T::Array[String]) }
-        attr_reader :ignored_versions
-
-        sig { returns(T::Array[Dependabot::Credential]) }
-        attr_reader :credentials
-
-        sig { returns(T.nilable(String)) }
-        attr_reader :repo_contents_path
-
-        sig do
-          params(
-            dep: Dependabot::Dependency,
-            target_version_details: T::Hash[Symbol, T.untyped]
-          )
-            .returns(T::Array[T::Hash[String, T.untyped]])
-        end
-        def updated_requirements(dep, target_version_details)
-          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T.untyped]))
-          @updated_requirements[dep.name] ||=
-            RequirementsUpdater.new(
-              requirements: dep.requirements,
-              latest_version: target_version_details.fetch(:version).to_s,
-              source_details: target_version_details.slice(:nuspec_url, :repo_url, :source_url)
-            ).updated_requirements
-        end
-
-        sig { returns(T::Array[Dependabot::Dependency]) }
-        def top_level_dependencies
-          @top_level_dependencies ||=
-            T.let(
-              Nuget::FileParser.new(
-                dependency_files: dependency_files,
-                repo_contents_path: repo_contents_path,
-                source: nil
-              ).parse.select(&:top_level?),
-              T.nilable(T::Array[Dependabot::Dependency])
-            )
-        end
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        def nuget_configs
-          @nuget_configs ||=
-            T.let(
-              @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) },
-              T.nilable(T::Array[Dependabot::DependencyFile])
-            )
-        end
-
-        sig { returns(T::Array[T::Hash[Symbol, String]]) }
-        def dependency_urls
-          @dependency_urls ||=
-            T.let(
-              RepositoryFinder.new(
-                dependency: @dependency,
-                credentials: @credentials,
-                config_files: nuget_configs
-              )
-              .dependency_urls
-              .select { |url| url.fetch(:repository_type) == "v3" },
-              T.nilable(T::Array[T::Hash[Symbol, String]])
-            )
-        end
-
-        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
-        def fetch_transitive_dependencies(package_id, package_version)
-          all_dependencies = {}
-          fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
-          all_dependencies.map { |_, dependency_info| dependency_info }
-        end
-
-        sig { params(package_id: String, package_version: String, all_dependencies: T::Hash[String, T.untyped]).void }
-        def fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
-          dependencies = fetch_dependencies(package_id, package_version)
-          return unless dependencies.any?
-
-          dependencies.each do |dependency|
-            next if dependency.nil?
-
-            dependency_id = dependency["packageName"]
-            dependency_version_range = dependency["versionRange"]
-
-            nuget_version_range_regex = /[\[(](\d+(\.\d+)*(-\w+(\.\d+)*)?)/
-            nuget_version_range_match_data = nuget_version_range_regex.match(dependency_version_range)
-
-            dependency_version = if nuget_version_range_match_data.nil?
-                                   dependency_version_range
-                                 else
-                                   nuget_version_range_match_data[1]
-                                 end
-
-            dependency["version"] = Version.new(dependency_version)
-
-            current_dependency = all_dependencies[dependency_id.downcase]
-            next unless current_dependency.nil? || current_dependency["version"] < dependency["version"]
-
-            all_dependencies[dependency_id.downcase] = dependency
-            fetch_transitive_dependencies_impl(dependency_id, dependency_version, all_dependencies)
-          end
-        end
-
-        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
-        def fetch_dependencies(package_id, package_version)
-          key = "#{package_id.downcase}::#{package_version}"
-          cache = DependencyFinder.fetch_dependencies_cache
-
-          cache[key] ||= begin
-            nuspec_xml = NuspecFetcher.fetch_nuspec(dependency_urls, package_id, package_version)
-            if nuspec_xml.nil?
-              []
-            else
-              read_dependencies_from_nuspec(nuspec_xml)
-            end
-          end
-
-          cache[key]
-        end
-
-        sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[T::Hash[String, String]]) }
-        def read_dependencies_from_nuspec(nuspec_xml) # rubocop:disable Metrics/PerceivedComplexity
-          # we want to exclude development dependencies from the lookup
-          allowed_attributes = %w(all compile native runtime)
-
-          nuspec_xml_dependencies = nuspec_xml.xpath("//dependencies/child::node()/dependency").select do |dependency|
-            include_attr = dependency.attribute("include")
-            exclude_attr = dependency.attribute("exclude")
-
-            if include_attr.nil? && exclude_attr.nil?
-              true
-            elsif include_attr
-              include_values = include_attr.value.split(",").map(&:strip)
-              include_values.any? { |element1| allowed_attributes.any? { |element2| element1.casecmp?(element2) } }
-            else
-              exclude_values = exclude_attr.value.split(",").map(&:strip)
-              exclude_values.none? { |element1| allowed_attributes.any? { |element2| element1.casecmp?(element2) } }
-            end
-          end
-
-          dependency_list = []
-          nuspec_xml_dependencies.each do |dependency|
-            next unless dependency.attribute("version")
-
-            dependency_list << {
-              "packageName" => dependency.attribute("id").value,
-              "versionRange" => dependency.attribute("version").value
-            }
-          end
-
-          dependency_list
-        end
-
-        sig { params(dep: Dependabot::Dependency).returns(Dependabot::Nuget::UpdateChecker::VersionFinder) }
-        def version_finder(dep)
-          VersionFinder.new(
-            dependency: dep,
-            dependency_files: dependency_files,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            raise_on_ignored: false,
-            security_advisories: [],
-            repo_contents_path: repo_contents_path
-          )
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -1,221 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "nokogiri"
-require "stringio"
-require "sorbet-runtime"
-require "zip"
-
-require "dependabot/nuget/http_response_helpers"
-
-module Dependabot
-  module Nuget
-    class NupkgFetcher
-      extend T::Sig
-
-      require_relative "repository_finder"
-
-      sig do
-        params(
-          dependency_urls: T::Array[T::Hash[Symbol, String]],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_nupkg_buffer(dependency_urls, package_id, package_version)
-        # check all repositories for the first one that has the nupkg
-        dependency_urls.reduce(T.let(nil, T.nilable(String))) do |nupkg_buffer, repository_details|
-          nupkg_buffer || fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
-        end
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: T.nilable(String),
-          package_version: T.nilable(String)
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
-        return unless package_id && package_version && !package_version.empty?
-
-        feed_url = repository_details[:repository_url]
-        repository_type = repository_details[:repository_type]
-
-        package_url = if repository_type == "v2"
-                        get_nuget_v2_package_url(repository_details, package_id, package_version)
-                      elsif repository_type == "v3"
-                        get_nuget_v3_package_url(repository_details, package_id, package_version)
-                      else
-                        raise Dependabot::DependencyFileNotResolvable, "Unexpected NuGet feed format: #{feed_url}"
-                      end
-
-        package_url
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
-        package_url = fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
-        return unless package_url
-
-        auth_header = repository_details[:auth_header]
-        fetch_stream(package_url, auth_header)
-      end
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
-        base_url = repository_details[:base_url]
-        unless base_url
-          return get_nuget_v3_package_url_from_search(repository_details, package_id,
-                                                      package_version)
-        end
-
-        base_url = base_url.delete_suffix("/")
-        package_id_downcased = package_id.downcase
-        "#{base_url}/#{package_id_downcased}/#{package_version}/#{package_id_downcased}.#{package_version}.nupkg"
-      end
-
-      # rubocop:disable Metrics/CyclomaticComplexity
-      # rubocop:disable Metrics/PerceivedComplexity
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.get_nuget_v3_package_url_from_search(repository_details, package_id, package_version)
-        search_url = repository_details[:search_url]
-        return nil unless search_url
-
-        # get search result
-        search_result_response = fetch_url(search_url, repository_details)
-        return nil unless search_result_response&.status == 200
-
-        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(T.must(search_result_response).body)
-        search_results = JSON.parse(search_response_body)
-
-        # find matching package and version
-        package_search_result = search_results&.[]("data")&.find { |d| package_id.casecmp?(d&.[]("id")) }
-        version_search_result = package_search_result&.[]("versions")&.find do |v|
-          package_version.casecmp?(v&.[]("version"))
-        end
-        registration_leaf_url = version_search_result&.[]("@id")
-        return nil unless registration_leaf_url
-
-        registration_leaf_response = fetch_url(registration_leaf_url, repository_details)
-        return nil unless registration_leaf_response
-        return nil unless registration_leaf_response.status == 200
-
-        registration_leaf_response_body =
-          HttpResponseHelpers.remove_wrapping_zero_width_chars(registration_leaf_response.body)
-        registration_leaf = JSON.parse(registration_leaf_response_body)
-
-        # finally, get the .nupkg url
-        registration_leaf&.[]("packageContent")
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/CyclomaticComplexity
-
-      sig do
-        params(
-          repository_details: T::Hash[Symbol, T.untyped],
-          package_id: String,
-          package_version: String
-        )
-          .returns(T.nilable(String))
-      end
-      def self.get_nuget_v2_package_url(repository_details, package_id, package_version)
-        # get package XML
-        base_url = repository_details[:base_url].delete_suffix("/")
-        package_url = "#{base_url}/Packages(Id='#{package_id}',Version='#{package_version}')"
-        response = fetch_url(package_url, repository_details)
-        return nil unless response&.status == 200
-
-        # find relevant element
-        doc = Nokogiri::XML(T.must(response).body)
-        doc.remove_namespaces!
-
-        content_element = doc.xpath("/entry/content")
-        nupkg_url = content_element&.attribute("src")&.value
-        nupkg_url
-      end
-
-      sig do
-        params(
-          stream_url: String,
-          auth_header: T::Hash[String, String],
-          max_redirects: Integer
-        )
-          .returns(T.nilable(String))
-      end
-      def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
-        current_url = stream_url
-        current_redirects = 0
-
-        loop do
-          # Directly download the stream without any additional settings _except_ for `omit_default_port: true` which
-          # is necessary to not break the URL signing that some NuGet feeds use.
-          response = Excon.get(
-            current_url,
-            headers: auth_header,
-            omit_default_port: true
-          )
-
-          # redirect the HTTP response as appropriate based on documentation here:
-          # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
-          case response.status
-          when 200
-            return response.body
-          when 301, 302, 303, 307, 308
-            current_redirects += 1
-            return nil if current_redirects > max_redirects
-
-            current_url = T.must(response.headers["Location"])
-          else
-            return nil
-          end
-        end
-      end
-
-      sig do
-        params(
-          url: String,
-          repository_details: T::Hash[Symbol, T.untyped]
-        )
-          .returns(T.nilable(Excon::Response))
-      end
-      def self.fetch_url(url, repository_details)
-        fetch_url_with_auth(url, repository_details.fetch(:auth_header))
-      end
-
-      sig { params(url: String, auth_header: T::Hash[T.any(String, Symbol), T.untyped]).returns(Excon::Response) }
-      def self.fetch_url_with_auth(url, auth_header)
-        cache = CacheManager.cache("nupkg_fetcher_cache")
-        cache[url] ||= Dependabot::RegistryClient.get(
-          url: url,
-          headers: auth_header
-        )
-
-        cache[url]
-      end
-    end
-  end
-end