dependabot-nuget 0.293.0 → 0.295.0

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/UpdateAllowedTests.cs

@@ -0,0 +1,286 @@
+using System.Collections.Immutable;
+
+using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Run;
+using NuGetUpdater.Core.Run.ApiModel;
+
+using Xunit;
+
+using DepType = NuGetUpdater.Core.Run.ApiModel.DependencyType;
+
+namespace NuGetUpdater.Core.Test.Run;
+
+public class UpdateAllowedTests
+{
+    [Theory]
+    [MemberData(nameof(IsUpdateAllowedTestData))]
+    public void IsUpdateAllowed(Job job, Dependency dependency, bool expectedResult)
+    {
+        var actualResult = RunWorker.IsUpdateAllowed(job, dependency);
+        Assert.Equal(expectedResult, actualResult);
+    }
+
+    public static IEnumerable<object[]> IsUpdateAllowedTestData()
+    {
+        // with default allowed updates on a transitive dependency
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [], PatchedVersions = [Requirement.Parse(">= 1.11.0")], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: true),
+            // expectedResult
+            false,
+        ];
+
+        // when dealing with a security update
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [], PatchedVersions = [Requirement.Parse(">= 1.11.0")], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: true),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: true),
+            // expectedResult
+            true,
+        ];
+
+        // with a top-level dependency
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            true,
+        ];
+
+        // with a sub-dependency
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: true),
+            // expectedResult
+            false,
+        ];
+
+        // when insecure
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [], PatchedVersions = [Requirement.Parse(">= 1.11.0")], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: true),
+            // expectedResult
+            true,
+        ];
+
+        // when only security fixes are allowed
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: true),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            false,
+        ];
+
+        // when dealing with a security fix
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [], PatchedVersions = [Requirement.Parse(">= 1.11.0")], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: true),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            true,
+        ];
+
+        // when dealing with a security fix that doesn't apply
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [Requirement.Parse("> 1.8.0")], PatchedVersions = [], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: true),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            false,
+        ];
+
+        // when dealing with a security fix that doesn't apply to some versions
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyType = DepType.Direct, UpdateType = UpdateType.All },
+                    new AllowedUpdate() { DependencyType = DepType.Indirect, UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [Requirement.Parse("< 1.8.0"), Requirement.Parse("> 1.8.0")], PatchedVersions = [], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: true),
+            new Dependency("Some.Package", "1.8.1", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            true,
+        ];
+
+        // when a dependency allow list that includes the dependency
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Some.Package" }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            true,
+        ];
+
+        // with a dependency allow list that uses a wildcard
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Some.*" }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            true,
+        ];
+
+        // when dependency allow list that excludes the dependency
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Unrelated.Package" }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            false,
+        ];
+
+        // when matching with an incomplete dependency name
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Some" }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            false,
+        ];
+
+        // with a dependency allow list that uses a wildcard
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Unrelated.*" }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            false,
+        ];
+
+        // when security fixes are also allowed
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Unrelated.Package" },
+                    new AllowedUpdate() { UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            false,
+        ];
+
+        // when dealing with a security fix
+        yield return
+        [
+            CreateJob(
+                allowedUpdates: [
+                    new AllowedUpdate() { DependencyName = "Unrelated.Package"}, new AllowedUpdate(){ UpdateType = UpdateType.Security }
+                ],
+                securityAdvisories: [
+                    new Advisory() { DependencyName = "Some.Package", AffectedVersions = [], PatchedVersions = [Requirement.Parse(">= 1.11.0")], UnaffectedVersions = [] }
+                ],
+                securityUpdatesOnly: false),
+            new Dependency("Some.Package", "1.8.0", DependencyType.PackageReference, IsTransitive: false),
+            // expectedResult
+            true,
+        ];
+    }
+
+    private static Job CreateJob(AllowedUpdate[] allowedUpdates, Advisory[] securityAdvisories, bool securityUpdatesOnly)
+    {
+        return new Job()
+        {
+            AllowedUpdates = allowedUpdates.ToImmutableArray(),
+            SecurityAdvisories = securityAdvisories.ToImmutableArray(),
+            SecurityUpdatesOnly = securityUpdatesOnly,
+            Source = new()
+            {
+                Provider = "nuget",
+                Repo = "test/repo",
+            }
+        };
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/UpdatedDependencyListTests.cs

@@ -94,7 +94,15 @@ public class UpdatedDependencyListTests
                 {
                     Name = "System.Text.Json",
                     Version = "6.0.0",
-                    Requirements = [],
+                    Requirements =
+                    [
+                        new ReportedRequirement()
+                        {
+                            Requirement = "6.0.0",
+                            File = "/src/c/project.csproj",
+                            Groups = ["dependencies"],
+                        }
+                    ],
                 },
                 new ReportedDependency()
                 {

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Utilities/MSBuildHelperTests.cs

@@ -1,7 +1,8 @@
 using System.Collections.Immutable;
+using System.Text.Json;
 
-using NuGet.Build.Tasks;
-
+using NuGetUpdater.Core.Run;
+using NuGetUpdater.Core.Run.ApiModel;
 using NuGetUpdater.Core.Test.Update;
 
 using Xunit;
@@ -1366,6 +1367,91 @@ public class MSBuildHelperTests : TestBase
     }
     #endregion
 
+    [Theory]
+    [MemberData(nameof(GenerateErrorFromToolOutputTestData))]
+    public async Task GenerateErrorFromToolOutput(string output, JobErrorBase? expectedError)
+    {
+        Exception? exception = null;
+        try
+        {
+            MSBuildHelper.ThrowOnError(output);
+        }
+        catch (Exception ex)
+        {
+            exception = ex;
+        }
+
+        if (expectedError is null)
+        {
+            Assert.Null(exception);
+        }
+        else
+        {
+            Assert.NotNull(exception);
+            using var tempDir = await TemporaryDirectory.CreateWithContentsAsync([("NuGet.Config", """
+                <configuration>
+                  <packageSources>
+                    <clear />
+                    <add key="test-feed" value="http://localhost/test-feed" />
+                  </packageSources>
+                </configuration>
+                """)]);
+            var actualError = JobErrorBase.ErrorFromException(exception, "TEST-JOB-ID", tempDir.DirectoryPath);
+            if (actualError is DependencyFileNotFound notFound)
+            {
+                // normalize default message for the test
+                actualError = new DependencyFileNotFound(notFound.Details["file-path"].ToString()!, "test message");
+            }
+
+            var actualErrorJson = JsonSerializer.Serialize(actualError, RunWorker.SerializerOptions);
+            var expectedErrorJson = JsonSerializer.Serialize(expectedError, RunWorker.SerializerOptions);
+            Assert.Equal(expectedErrorJson, actualErrorJson);
+        }
+    }
+
+    public static IEnumerable<object?[]> GenerateErrorFromToolOutputTestData()
+    {
+        yield return
+        [
+            // output
+            "Everything was good.",
+            // expectedError
+            null,
+        ];
+
+        yield return
+        [
+            // output
+            "Response status code does not indicate success: 403",
+            // expectedError
+            new PrivateSourceAuthenticationFailure(["http://localhost/test-feed"]),
+        ];
+
+        yield return
+        [
+            // output
+            "The imported file \"some.file\" does not exist",
+            // expectedError
+            new DependencyFileNotFound("some.file", "test message"),
+        ];
+
+        yield return
+        [
+            // output
+            "Package 'Some.Package' is not found on source",
+            // expectedError
+            new UpdateNotPossible(["Some.Package"]),
+        ];
+
+        yield return
+        [
+            // output
+            "Unable to resolve dependencies. 'Some.Package 1.2.3' is not compatible with",
+            // expectedError
+            new UpdateNotPossible(["Some.Package.1.2.3"]),
+        ];
+    }
+
     public static IEnumerable<object[]> GetTopLevelPackageDependencyInfosTestData()
     {
         // simple case

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.293.0
+  version: 0.295.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-16 00:00:00.000000000 Z
+date: 2025-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.293.0
+        version: 0.295.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.293.0
+        version: 0.295.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -351,6 +351,7 @@ files:
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/RunWorkerTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/SerializationTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/TestApiHandler.cs
+- helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/UpdateAllowedTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/Run/UpdatedDependencyListTests.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TemporaryDirectory.cs
 - helpers/lib/NuGetUpdater/NuGetUpdater.Core.Test/TemporaryEnvironment.cs
@@ -528,7 +529,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.293.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.295.0
 post_install_message:
 rdoc_options: []
 require_paths: