dependabot-nuget 0.293.0 → 0.294.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/lib/NuGetUpdater/Directory.Packages.props +1 -1
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Analyze/VersionFinder.cs +16 -5
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Advisory.cs +2 -0
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/RunWorker.cs +27 -9
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Analyze/AnalyzeWorkerTests.cs +55 -0
- data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/MiscellaneousTests.cs +61 -0
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 97e76c69b2fed1672ebe1e9b3b890e8f445139f26729895c72a196d49cd43d63
|
|
4
|
+
data.tar.gz: 10ef8cb4d30c84e9e8f51fdc5bf4f529b451936ad8a34e905e69fbaa0b813cac
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 73cdefd4ef762621a7142a040a747011ee4a390635379ee311deccaf6664062834a8e809b6203816e81f8ebb24ed10f68d04975e9bcde40e5ffd2d3720779c68
|
|
7
|
+
data.tar.gz: a8cde74fdb1b400ced101cac7132bb32c8dc6b3d36ff6c249908e33e9e8c719e63999c02982ba2bf7704b18007be0daac14dcdd6c39ba74c4a8c38ccad2ae11e
|
|
@@ -36,7 +36,7 @@
|
|
|
36
36
|
<PackageVersion Include="System.Text.Json" Version="8.0.4" />
|
|
37
37
|
<PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
|
|
38
38
|
<PackageVersion Include="System.Threading.Tasks.Dataflow" Version="9.0.0" />
|
|
39
|
-
<PackageVersion Include="xunit" Version="2.9.
|
|
39
|
+
<PackageVersion Include="xunit" Version="2.9.3" />
|
|
40
40
|
<PackageVersion Include="xunit.runner.visualstudio" Version="3.0.0" />
|
|
41
41
|
</ItemGroup>
|
|
42
42
|
|
|
@@ -113,11 +113,22 @@ internal static class VersionFinder
|
|
|
113
113
|
? versionRange.MinVersion
|
|
114
114
|
: null;
|
|
115
115
|
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
116
|
+
var safeVersions = dependencyInfo.Vulnerabilities.SelectMany(v => v.SafeVersions).ToList();
|
|
117
|
+
return version =>
|
|
118
|
+
{
|
|
119
|
+
var versionGreaterThanCurrent = currentVersion is null || version > currentVersion;
|
|
120
|
+
var rangeSatisfies = versionRange.Satisfies(version);
|
|
121
|
+
var prereleaseTypeMatches = currentVersion is null || !currentVersion.IsPrerelease || !version.IsPrerelease || version.Version == currentVersion.Version;
|
|
122
|
+
var isIgnoredVersion = dependencyInfo.IgnoredVersions.Any(i => i.IsSatisfiedBy(version));
|
|
123
|
+
var isVulnerableVersion = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
|
|
124
|
+
var isSafeVersion = !safeVersions.Any() || safeVersions.Any(s => s.IsSatisfiedBy(version));
|
|
125
|
+
return versionGreaterThanCurrent
|
|
126
|
+
&& rangeSatisfies
|
|
127
|
+
&& prereleaseTypeMatches
|
|
128
|
+
&& !isIgnoredVersion
|
|
129
|
+
&& !isVulnerableVersion
|
|
130
|
+
&& isSafeVersion;
|
|
131
|
+
};
|
|
121
132
|
}
|
|
122
133
|
|
|
123
134
|
internal static Func<NuGetVersion, bool> CreateVersionFilter(NuGetVersion currentVersion)
|
|
@@ -10,4 +10,6 @@ public record Advisory
|
|
|
10
10
|
public ImmutableArray<Requirement>? AffectedVersions { get; init; } = null;
|
|
11
11
|
public ImmutableArray<Requirement>? PatchedVersions { get; init; } = null;
|
|
12
12
|
public ImmutableArray<Requirement>? UnaffectedVersions { get; init; } = null;
|
|
13
|
+
|
|
14
|
+
public IEnumerable<Requirement> SafeVersions => (PatchedVersions ?? []).Concat(UnaffectedVersions ?? []);
|
|
13
15
|
}
|
|
@@ -4,6 +4,8 @@ using System.Text;
|
|
|
4
4
|
using System.Text.Json;
|
|
5
5
|
using System.Text.Json.Serialization;
|
|
6
6
|
|
|
7
|
+
using NuGet.Versioning;
|
|
8
|
+
|
|
7
9
|
using NuGetUpdater.Core.Analyze;
|
|
8
10
|
using NuGetUpdater.Core.Discover;
|
|
9
11
|
using NuGetUpdater.Core.Run.ApiModel;
|
|
@@ -164,15 +166,7 @@ public class RunWorker
|
|
|
164
166
|
continue;
|
|
165
167
|
}
|
|
166
168
|
|
|
167
|
-
var
|
|
168
|
-
var dependencyInfo = new DependencyInfo()
|
|
169
|
-
{
|
|
170
|
-
Name = dependency.Name,
|
|
171
|
-
Version = dependency.Version!,
|
|
172
|
-
IsVulnerable = false,
|
|
173
|
-
IgnoredVersions = ignoredVersions,
|
|
174
|
-
Vulnerabilities = [],
|
|
175
|
-
};
|
|
169
|
+
var dependencyInfo = GetDependencyInfo(job, dependency);
|
|
176
170
|
var analysisResult = await _analyzeWorker.RunAsync(repoContentsPath.FullName, discoveryResult, dependencyInfo);
|
|
177
171
|
// TODO: log analysisResult
|
|
178
172
|
if (analysisResult.CanUpdate)
|
|
@@ -314,6 +308,30 @@ public class RunWorker
|
|
|
314
308
|
return ignoredVersions;
|
|
315
309
|
}
|
|
316
310
|
|
|
311
|
+
internal static DependencyInfo GetDependencyInfo(Job job, Dependency dependency)
|
|
312
|
+
{
|
|
313
|
+
var dependencyVersion = NuGetVersion.Parse(dependency.Version!);
|
|
314
|
+
var securityAdvisories = job.SecurityAdvisories.Where(s => s.DependencyName.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)).ToArray();
|
|
315
|
+
var isVulnerable = securityAdvisories.Any(s => (s.AffectedVersions ?? []).Any(v => v.IsSatisfiedBy(dependencyVersion)));
|
|
316
|
+
var ignoredVersions = GetIgnoredRequirementsForDependency(job, dependency.Name);
|
|
317
|
+
var vulnerabilities = securityAdvisories.Select(s => new SecurityVulnerability()
|
|
318
|
+
{
|
|
319
|
+
DependencyName = dependency.Name,
|
|
320
|
+
PackageManager = "nuget",
|
|
321
|
+
VulnerableVersions = s.AffectedVersions ?? [],
|
|
322
|
+
SafeVersions = s.SafeVersions.ToImmutableArray(),
|
|
323
|
+
}).ToImmutableArray();
|
|
324
|
+
var dependencyInfo = new DependencyInfo()
|
|
325
|
+
{
|
|
326
|
+
Name = dependency.Name,
|
|
327
|
+
Version = dependencyVersion.ToString(),
|
|
328
|
+
IsVulnerable = isVulnerable,
|
|
329
|
+
IgnoredVersions = ignoredVersions,
|
|
330
|
+
Vulnerabilities = vulnerabilities,
|
|
331
|
+
};
|
|
332
|
+
return dependencyInfo;
|
|
333
|
+
}
|
|
334
|
+
|
|
317
335
|
internal static UpdatedDependencyList GetUpdatedDependencyListFromDiscovery(WorkspaceDiscoveryResult discoveryResult, string pathToContents)
|
|
318
336
|
{
|
|
319
337
|
string GetFullRepoPath(string path)
|
|
@@ -478,6 +478,61 @@ public partial class AnalyzeWorkerTests : AnalyzeWorkerTestBase
|
|
|
478
478
|
);
|
|
479
479
|
}
|
|
480
480
|
|
|
481
|
+
[Fact]
|
|
482
|
+
public async Task SafeVersionsPropertyIsHonored()
|
|
483
|
+
{
|
|
484
|
+
await TestAnalyzeAsync(
|
|
485
|
+
packages:
|
|
486
|
+
[
|
|
487
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.0.0", "net8.0"), // initially this
|
|
488
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.1.0", "net8.0"), // should update to this due to `SafeVersions`
|
|
489
|
+
MockNuGetPackage.CreateSimplePackage("Some.Package", "1.2.0", "net8.0"), // this should not be considered
|
|
490
|
+
],
|
|
491
|
+
discovery: new()
|
|
492
|
+
{
|
|
493
|
+
Path = "/",
|
|
494
|
+
Projects = [
|
|
495
|
+
new()
|
|
496
|
+
{
|
|
497
|
+
FilePath = "./project.csproj",
|
|
498
|
+
TargetFrameworks = ["net8.0"],
|
|
499
|
+
Dependencies = [
|
|
500
|
+
new("Some.Package", "1.0.0", DependencyType.PackageReference),
|
|
501
|
+
],
|
|
502
|
+
ReferencedProjectPaths = [],
|
|
503
|
+
ImportedFiles = [],
|
|
504
|
+
AdditionalFiles = [],
|
|
505
|
+
},
|
|
506
|
+
],
|
|
507
|
+
},
|
|
508
|
+
dependencyInfo: new()
|
|
509
|
+
{
|
|
510
|
+
Name = "Some.Package",
|
|
511
|
+
Version = "1.0.0",
|
|
512
|
+
IgnoredVersions = [],
|
|
513
|
+
IsVulnerable = false,
|
|
514
|
+
Vulnerabilities = [
|
|
515
|
+
new()
|
|
516
|
+
{
|
|
517
|
+
DependencyName = "Some.Package",
|
|
518
|
+
PackageManager = "nuget",
|
|
519
|
+
VulnerableVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
|
|
520
|
+
SafeVersions = [Requirement.Parse("= 1.1.0")]
|
|
521
|
+
}
|
|
522
|
+
],
|
|
523
|
+
},
|
|
524
|
+
expectedResult: new()
|
|
525
|
+
{
|
|
526
|
+
UpdatedVersion = "1.1.0",
|
|
527
|
+
CanUpdate = true,
|
|
528
|
+
VersionComesFromMultiDependencyProperty = false,
|
|
529
|
+
UpdatedDependencies = [
|
|
530
|
+
new("Some.Package", "1.1.0", DependencyType.Unknown, TargetFrameworks: ["net8.0"]),
|
|
531
|
+
],
|
|
532
|
+
}
|
|
533
|
+
);
|
|
534
|
+
}
|
|
535
|
+
|
|
481
536
|
[Fact]
|
|
482
537
|
public async Task VersionFinderCanHandle404FromPackageSource_V2()
|
|
483
538
|
{
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
using System.Text.Json;
|
|
2
|
+
|
|
1
3
|
using NuGet.Versioning;
|
|
2
4
|
|
|
3
5
|
using NuGetUpdater.Core.Analyze;
|
|
@@ -29,6 +31,16 @@ public class MiscellaneousTests
|
|
|
29
31
|
Assert.Equal(expectedRequirementsStrings, actualRequirementsStrings);
|
|
30
32
|
}
|
|
31
33
|
|
|
34
|
+
[Theory]
|
|
35
|
+
[MemberData(nameof(DependencyInfoFromJobData))]
|
|
36
|
+
public void DependencyInfoFromJob(Job job, Dependency dependency, DependencyInfo expectedDependencyInfo)
|
|
37
|
+
{
|
|
38
|
+
var actualDependencyInfo = RunWorker.GetDependencyInfo(job, dependency);
|
|
39
|
+
var expectedString = JsonSerializer.Serialize(expectedDependencyInfo, AnalyzeWorker.SerializerOptions);
|
|
40
|
+
var actualString = JsonSerializer.Serialize(actualDependencyInfo, AnalyzeWorker.SerializerOptions);
|
|
41
|
+
Assert.Equal(expectedString, actualString);
|
|
42
|
+
}
|
|
43
|
+
|
|
32
44
|
public static IEnumerable<object?[]> RequirementsFromIgnoredVersionsData()
|
|
33
45
|
{
|
|
34
46
|
yield return
|
|
@@ -82,4 +94,53 @@ public class MiscellaneousTests
|
|
|
82
94
|
}
|
|
83
95
|
];
|
|
84
96
|
}
|
|
97
|
+
|
|
98
|
+
public static IEnumerable<object[]> DependencyInfoFromJobData()
|
|
99
|
+
{
|
|
100
|
+
yield return
|
|
101
|
+
[
|
|
102
|
+
// job
|
|
103
|
+
new Job()
|
|
104
|
+
{
|
|
105
|
+
Source = new()
|
|
106
|
+
{
|
|
107
|
+
Provider = "github",
|
|
108
|
+
Repo = "some/repo"
|
|
109
|
+
},
|
|
110
|
+
SecurityAdvisories = [
|
|
111
|
+
new()
|
|
112
|
+
{
|
|
113
|
+
DependencyName = "Some.Dependency",
|
|
114
|
+
AffectedVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
|
|
115
|
+
PatchedVersions = [Requirement.Parse("= 1.1.0")],
|
|
116
|
+
UnaffectedVersions = [Requirement.Parse("= 1.2.0")]
|
|
117
|
+
},
|
|
118
|
+
new()
|
|
119
|
+
{
|
|
120
|
+
DependencyName = "Unrelated.Dependency",
|
|
121
|
+
AffectedVersions = [Requirement.Parse(">= 1.0.0, < 99.99.99")]
|
|
122
|
+
}
|
|
123
|
+
]
|
|
124
|
+
},
|
|
125
|
+
// dependency
|
|
126
|
+
new Dependency("Some.Dependency", "1.0.0", DependencyType.PackageReference),
|
|
127
|
+
// expectedDependencyInfo
|
|
128
|
+
new DependencyInfo()
|
|
129
|
+
{
|
|
130
|
+
Name = "Some.Dependency",
|
|
131
|
+
Version = "1.0.0",
|
|
132
|
+
IsVulnerable = true,
|
|
133
|
+
IgnoredVersions = [],
|
|
134
|
+
Vulnerabilities = [
|
|
135
|
+
new()
|
|
136
|
+
{
|
|
137
|
+
DependencyName = "Some.Dependency",
|
|
138
|
+
PackageManager = "nuget",
|
|
139
|
+
VulnerableVersions = [Requirement.Parse(">= 1.0.0, < 1.1.0")],
|
|
140
|
+
SafeVersions = [Requirement.Parse("= 1.1.0"), Requirement.Parse("= 1.2.0")],
|
|
141
|
+
}
|
|
142
|
+
]
|
|
143
|
+
}
|
|
144
|
+
];
|
|
145
|
+
}
|
|
85
146
|
}
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-nuget
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.294.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-01-
|
|
11
|
+
date: 2025-01-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.294.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.294.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: rubyzip
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -528,7 +528,7 @@ licenses:
|
|
|
528
528
|
- MIT
|
|
529
529
|
metadata:
|
|
530
530
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
531
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
531
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.294.0
|
|
532
532
|
post_install_message:
|
|
533
533
|
rdoc_options: []
|
|
534
534
|
require_paths:
|