dependabot-nuget 0.293.0 → 0.294.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/lib/NuGetUpdater/Directory.Packages.props +1 -1
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/VersionFinder.cs +16 -5
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Advisory.cs +2 -0
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs +27 -9
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs +55 -0
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/MiscellaneousTests.cs +61 -0
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 97e76c69b2fed1672ebe1e9b3b890e8f445139f26729895c72a196d49cd43d63
|
|
4
|
+
data.tar.gz: 10ef8cb4d30c84e9e8f51fdc5bf4f529b451936ad8a34e905e69fbaa0b813cac
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 73cdefd4ef762621a7142a040a747011ee4a390635379ee311deccaf6664062834a8e809b6203816e81f8ebb24ed10f68d04975e9bcde40e5ffd2d3720779c68
|
|
7
|
+
data.tar.gz: a8cde74fdb1b400ced101cac7132bb32c8dc6b3d36ff6c249908e33e9e8c719e63999c02982ba2bf7704b18007be0daac14dcdd6c39ba74c4a8c38ccad2ae11e
|
|
@@ -36,7 +36,7 @@
|
|
|
36
36
|
<PackageVersion Include="System.Text.Json" Version="8.0.4" />
|
|
37
37
|
<PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
|
|
38
38
|
<PackageVersion Include="System.Threading.Tasks.Dataflow" Version="9.0.0" />
|
|
39
|
-
<PackageVersion Include="xunit" Version="2.9.
|
|
39
|
+
<PackageVersion Include="xunit" Version="2.9.3" />
|
|
40
40
|
<PackageVersion Include="xunit.runner.visualstudio" Version="3.0.0" />
|
|
41
41
|
</ItemGroup>
|
|
42
42
|
|
|
@@ -113,11 +113,22 @@ internal static class VersionFinder
|
|
|
113
113
|
? versionRange.MinVersion
|
|
114
114
|
: null;
|
|
115
115
|
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
116
|
+
var safeVersions = dependencyInfo.Vulnerabilities.SelectMany(v => v.SafeVersions).ToList();
|
|
117
|
+
return version =>
|
|
118
|
+
{
|
|
119
|
+
var versionGreaterThanCurrent = currentVersion is null || version > currentVersion;
|
|
120
|
+
var rangeSatisfies = versionRange.Satisfies(version);
|
|
121
|
+
var prereleaseTypeMatches = currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version;
|
|
122
|
+
var isIgnoredVersion = dependencyInfo.IgnoredVersions.Any(i => i.IsSatisfiedBy(version));
|
|
123
|
+
var isVulnerableVersion = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
|
|
124
|
+
var isSafeVersion = !safeVersions.Any() || safeVersions.Any(s => s.IsSatisfiedBy(version));
|
|
125
|
+
return versionGreaterThanCurrent
|
|
126
|
+
&& rangeSatisfies
|
|
127
|
+
&& prereleaseTypeMatches
|
|
128
|
+
&& !isIgnoredVersion
|
|
129
|
+
&& !isVulnerableVersion
|
|
130
|
+
&& isSafeVersion;
|
|
131
|
+
};
|
|
121
132
|
}
|
|
122
133
|
|
|
123
134
|
internal static Func<NuGetVersion, bool> CreateVersionFilter(NuGetVersion currentVersion)
|
|
@@ -10,4 +10,6 @@ public record Advisory
|
|
|
10
10
|
public ImmutableArray<Requirement>? AffectedVersions { get; init; } = null;
|
|
11
11
|
public ImmutableArray<Requirement>? PatchedVersions { get; init; } = null;
|
|
12
12
|
public ImmutableArray<Requirement>? UnaffectedVersions { get; init; } = null;
|
|
13
|
+
|
|
14
|
+
public IEnumerable<Requirement> SafeVersions => (PatchedVersions ?? []).Concat(UnaffectedVersions ?? []);
|
|
13
15
|
}
|
|
@@ -4,6 +4,8 @@ using System.Text;
|
|
|
4
4
|
using System.Text.Json;
|
|
5
5
|
using System.Text.Json.Serialization;
|
|
6
6
|
|
|
7
|
+
using NuGet.Versioning;
|
|
8
|
+
|
|
7
9
|
using NuGetUpdater.Core.Analyze;
|
|
8
10
|
using NuGetUpdater.Core.Discover;
|
|
9
11
|
using NuGetUpdater.Core.Run.ApiModel;
|
|
@@ -164,15 +166,7 @@ public class RunWorker
|
|
|
164
166
|
continue;
|
|
165
167
|
}
|
|
166
168
|
|
|
167
|
-
var
|
|
168
|
-
var dependencyInfo = new DependencyInfo()
|
|
169
|
-
{
|
|
170
|
-
Name = dependency.Name,
|
|
171
|
-
Version = dependency.Version!,
|
|
172
|
-
IsVulnerable = false,
|
|
173
|
-
IgnoredVersions = ignoredVersions,
|
|
174
|
-
Vulnerabilities = [],
|
|
175
|
-
};
|
|
169
|
+
var dependencyInfo = GetDependencyInfo(job, dependency);
|
|
176
170
|
var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
|
|
177
171
|
// TODO: log analysisResult
|
|
178
172
|
if (analysisResult.CanUpdate)
|
|
@@ -314,6 +308,30 @@ public class RunWorker
|
|
|
314
308
|
return ignoredVersions;
|
|
315
309
|
}
|
|
316
310
|
|
|
311
|
+
internal static DependencyInfo GetDependencyInfo(Job job, Dependency dependency)
|
|
312
|
+
{
|
|
313
|
+
var dependencyVersion = NuGetVersion.Parse(dependency.Version!);
|
|
314
|
+
var securityAdvisories = job.SecurityAdvisories.Where(s => s.DependencyName.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)).ToArray();
|
|
315
|
+
var isVulnerable = securityAdvisories.Any(s => (s.AffectedVersions ?? []).Any(v => v.IsSatisfiedBy(dependencyVersion)));
|
|
316
|
+
var ignoredVersions = GetIgnoredRequirementsForDependency(job, dependency.Name);
|
|
317
|
+
var vulnerabilities = securityAdvisories.Select(s => new SecurityVulnerability()
|
|
318
|
+
{
|
|
319
|
+
DependencyName = dependency.Name,
|
|
320
|
+
PackageManager = "nuget",
|
|
321
|
+
VulnerableVersions = s.AffectedVersions ?? [],
|
|
322
|
+
SafeVersions = s.SafeVersions.ToImmutableArray(),
|
|
323
|
+
}).ToImmutableArray();
|
|
324
|
+
var dependencyInfo = new DependencyInfo()
|
|
325
|
+
{
|
|
326
|
+
Name = dependency.Name,
|
|
327
|
+
Version = dependencyVersion.ToString(),
|
|
328
|
+
IsVulnerable = isVulnerable,
|
|
329
|
+
IgnoredVersions = ignoredVersions,
|
|
330
|
+
Vulnerabilities = vulnerabilities,
|
|
331
|
+
};
|
|
332
|
+
return dependencyInfo;
|
|
333
|
+
}
|
|
334
|
+
|
|
317
335
|
internal static UpdatedDependencyList GetUpdatedDependencyListFromDiscovery(WorkspaceDiscoveryResult discoveryResult, string pathToContents)
|
|
318
336
|
{
|
|
319
337
|
string GetFullRepoPath(string path)
|
|
@@ -478,6 +478,61 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
|
|
|
478
478
|
);
|
|
479
479
|
}
|
|
480
480
|
|
|
481
|
+
[Fact]
|
|
482
|
+
public async Task SafeVersionsPropertyIsHonored()
|
|
483
|
+
{
|
|
484
|
+
await TestAnalyzeAsync(
|
|
485
|
+
packages:
|
|
486
|
+
[
|
|
487
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.0.0", "net8.0"), // initially this
|
|
488
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.1.0", "net8.0"), // should update to this due to `SafeVersions`
|
|
489
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.2.0", "net8.0"), // this should not be considered
|
|
490
|
+
],
|
|
491
|
+
discovery: new()
|
|
492
|
+
{
|
|
493
|
+
Path = "/",
|
|
494
|
+
Projects = [
|
|
495
|
+
new()
|
|
496
|
+
{
|
|
497
|
+
FilePath = "./project.csproj",
|
|
498
|
+
TargetFrameworks = ["net8.0"],
|
|
499
|
+
Dependencies = [
|
|
500
|
+
new("Some.Package", "1.0.0", DependencyType.PackageReference),
|
|
501
|
+
],
|
|
502
|
+
ReferencedProjectPaths = [],
|
|
503
|
+
ImportedFiles = [],
|
|
504
|
+
AdditionalFiles = [],
|
|
505
|
+
},
|
|
506
|
+
],
|
|
507
|
+
},
|
|
508
|
+
dependencyInfo: new()
|
|
509
|
+
{
|
|
510
|
+
Name = "Some.Package",
|
|
511
|
+
Version = "1.0.0",
|
|
512
|
+
IgnoredVersions = [],
|
|
513
|
+
IsVulnerable = false,
|
|
514
|
+
Vulnerabilities = [
|
|
515
|
+
new()
|
|
516
|
+
{
|
|
517
|
+
DependencyName = "Some.Package",
|
|
518
|
+
PackageManager = "nuget",
|
|
519
|
+
VulnerableVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
|
|
520
|
+
SafeVersions = [Requirement.Parse("= 1.1.0")]
|
|
521
|
+
}
|
|
522
|
+
],
|
|
523
|
+
},
|
|
524
|
+
expectedResult: new()
|
|
525
|
+
{
|
|
526
|
+
UpdatedVersion = "1.1.0",
|
|
527
|
+
CanUpdate = true,
|
|
528
|
+
VersionComesFromMultiDependencyProperty = false,
|
|
529
|
+
UpdatedDependencies = [
|
|
530
|
+
new("Some.Package", "1.1.0", DependencyType.Unknown, TargetFrameworks: ["net8.0"]),
|
|
531
|
+
],
|
|
532
|
+
}
|
|
533
|
+
);
|
|
534
|
+
}
|
|
535
|
+
|
|
481
536
|
[Fact]
|
|
482
537
|
public async Task VersionFinderCanHandle404FromPackageSource_V2()
|
|
483
538
|
{
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
using System.Text.Json;
|
|
2
|
+
|
|
1
3
|
using NuGet.Versioning;
|
|
2
4
|
|
|
3
5
|
using NuGetUpdater.Core.Analyze;
|
|
@@ -29,6 +31,16 @@ public class MiscellaneousTests
|
|
|
29
31
|
Assert.Equal(expectedRequirementsStrings, actualRequirementsStrings);
|
|
30
32
|
}
|
|
31
33
|
|
|
34
|
+
[Theory]
|
|
35
|
+
[MemberData(nameof(DependencyInfoFromJobData))]
|
|
36
|
+
public void DependencyInfoFromJob(Job job, Dependency dependency, DependencyInfo expectedDependencyInfo)
|
|
37
|
+
{
|
|
38
|
+
var actualDependencyInfo = RunWorker.GetDependencyInfo(job, dependency);
|
|
39
|
+
var expectedString = JsonSerializer.Serialize(expectedDependencyInfo, AnalyzeWorker.SerializerOptions);
|
|
40
|
+
var actualString = JsonSerializer.Serialize(actualDependencyInfo, AnalyzeWorker.SerializerOptions);
|
|
41
|
+
Assert.Equal(expectedString, actualString);
|
|
42
|
+
}
|
|
43
|
+
|
|
32
44
|
public static IEnumerable<object?[]> RequirementsFromIgnoredVersionsData()
|
|
33
45
|
{
|
|
34
46
|
yield return
|
|
@@ -82,4 +94,53 @@ public class MiscellaneousTests
|
|
|
82
94
|
}
|
|
83
95
|
];
|
|
84
96
|
}
|
|
97
|
+
|
|
98
|
+
public static IEnumerable<object[]> DependencyInfoFromJobData()
|
|
99
|
+
{
|
|
100
|
+
yield return
|
|
101
|
+
[
|
|
102
|
+
// job
|
|
103
|
+
new Job()
|
|
104
|
+
{
|
|
105
|
+
Source = new()
|
|
106
|
+
{
|
|
107
|
+
Provider = "github",
|
|
108
|
+
Repo = "some/repo"
|
|
109
|
+
},
|
|
110
|
+
SecurityAdvisories = [
|
|
111
|
+
new()
|
|
112
|
+
{
|
|
113
|
+
DependencyName = "Some.Dependency",
|
|
114
|
+
AffectedVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
|
|
115
|
+
PatchedVersions = [Requirement.Parse("= 1.1.0")],
|
|
116
|
+
UnaffectedVersions = [Requirement.Parse("= 1.2.0")]
|
|
117
|
+
},
|
|
118
|
+
new()
|
|
119
|
+
{
|
|
120
|
+
DependencyName = "Unrelated.Dependency",
|
|
121
|
+
AffectedVersions = [Requirement.Parse(">= 1.0.0, < 99.99.99")]
|
|
122
|
+
}
|
|
123
|
+
]
|
|
124
|
+
},
|
|
125
|
+
// dependency
|
|
126
|
+
new Dependency("Some.Dependency", "1.0.0", DependencyType.PackageReference),
|
|
127
|
+
// expectedDependencyInfo
|
|
128
|
+
new DependencyInfo()
|
|
129
|
+
{
|
|
130
|
+
Name = "Some.Dependency",
|
|
131
|
+
Version = "1.0.0",
|
|
132
|
+
IsVulnerable = true,
|
|
133
|
+
IgnoredVersions = [],
|
|
134
|
+
Vulnerabilities = [
|
|
135
|
+
new()
|
|
136
|
+
{
|
|
137
|
+
DependencyName = "Some.Dependency",
|
|
138
|
+
PackageManager = "nuget",
|
|
139
|
+
VulnerableVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
|
|
140
|
+
SafeVersions = [Requirement.Parse("= 1.1.0"), Requirement.Parse("= 1.2.0")],
|
|
141
|
+
}
|
|
142
|
+
]
|
|
143
|
+
}
|
|
144
|
+
];
|
|
145
|
+
}
|
|
85
146
|
}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-nuget
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.294.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-01-
|
|
11
|
+
date: 2025-01-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.294.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.294.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rubyzip
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -528,7 +528,7 @@ licenses:
|
|
|
528
528
|
- MIT
|
|
529
529
|
metadata:
|
|
530
530
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
531
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
531
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.294.0
|
|
532
532
|
post_install_message:
|
|
533
533
|
rdoc_options: []
|
|
534
534
|
require_paths:
|