dependabot-nuget 0.315.0 → 0.316.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 599cf0f919d861ba0185c00daedeacf4c1025ba1b8db76095de6fc1b11112f17
-  data.tar.gz: 82e97522f5878ee5bf2b7a0542f3eb7be518b2f6d5c82e4f96d61648ec68483c
+  metadata.gz: b42ebbf0a6556e3766516b2b59eec508929837779a8f9ca2042a4d4f7d629626
+  data.tar.gz: abb2a60e86d368d9d4a0f09c6311fd7b73f2ac708c1ec73c05d92d1b9409b27d
 SHA512:
-  metadata.gz: 0deda57ef624bdd66f09b1e86dd8854e5c97380f74b2518be3a846b8893682ecba6b1f346c1eec26f08769c6d61125b1ead35e6bc4abcac1b87ce4857bf9286c
-  data.tar.gz: 7d29664a09cd947e72a9adf5875509cfc2fc49c220b3d55eac5c12899449316f706c6186037feff106b32edff0a684fe90934d9eb271b99fb25ee863202776f5
+  metadata.gz: 5b266cf823214164397b8e9ed67e5f238364ab95074f33f5cacec47adac5a6cecf147a39ccdb11701e29d0de0ca675b3dabd4a330d75d8ff81dbf7b660c26807
+  data.tar.gz: fa309cdd55f81b5507329def15d7a7e6c50b7668e8f1f886cc7c0e1498ac8209aab577d6ba617dbe7ecffda79f93be8d696908b692a07415b78c677905bb9fdb

data/helpers/lib/NuGetUpdater/NuGetUpdater.Cli.Test/EntryPointTests.Run.cs

@@ -50,8 +50,8 @@ public partial class EntryPointTests
                 },
                 expectedUrls:
                 [
-                    "POST /update_jobs/TEST-ID/update_dependency_list",
                     "POST /update_jobs/TEST-ID/increment_metric",
+                    "POST /update_jobs/TEST-ID/update_dependency_list",
                     "POST /update_jobs/TEST-ID/create_pull_request",
                     "PATCH /update_jobs/TEST-ID/mark_as_processed",
                 ]

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Discover/WorkspaceDiscoveryResult.cs

@@ -9,4 +9,10 @@ public sealed record WorkspaceDiscoveryResult : NativeResult
     public ImmutableArray<ProjectDiscoveryResult> Projects { get; init; }
     public GlobalJsonDiscoveryResult? GlobalJson { get; init; }
     public DotNetToolsJsonDiscoveryResult? DotNetToolsJson { get; init; }
+
+    public ProjectDiscoveryResult? GetProjectDiscoveryFromPath(string repoPath)
+    {
+        var projectDiscovery = Projects.FirstOrDefault(p => System.IO.Path.Join(Path, p.FilePath).FullyNormalizedRootedPath().Equals(repoPath, StringComparison.OrdinalIgnoreCase));
+        return projectDiscovery;
+    }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/ExperimentsManager.cs

@@ -10,6 +10,7 @@ public record ExperimentsManager
     public bool InstallDotnetSdks { get; init; } = false;
     public bool NativeUpdater { get; init; } = false;
     public bool UseLegacyDependencySolver { get; init; } = false;
+    public bool UseLegacyUpdateHandler { get; init; } = false;
     public bool UseDirectDiscovery { get; init; } = false;
 
     public Dictionary<string, object> ToDictionary()
@@ -19,6 +20,7 @@ public record ExperimentsManager
             ["nuget_install_dotnet_sdks"] = InstallDotnetSdks,
             ["nuget_native_updater"] = NativeUpdater,
             ["nuget_legacy_dependency_solver"] = UseLegacyDependencySolver,
+            ["nuget_use_legacy_update_handler"] = UseLegacyUpdateHandler,
             ["nuget_use_direct_discovery"] = UseDirectDiscovery,
         };
     }
@@ -30,6 +32,7 @@ public record ExperimentsManager
             InstallDotnetSdks = IsEnabled(experiments, "nuget_install_dotnet_sdks"),
             NativeUpdater = IsEnabled(experiments, "nuget_native_updater"),
             UseLegacyDependencySolver = IsEnabled(experiments, "nuget_legacy_dependency_solver"),
+            UseLegacyUpdateHandler = IsEnabled(experiments, "nuget_use_legacy_update_handler"),
             UseDirectDiscovery = IsEnabled(experiments, "nuget_use_direct_discovery"),
         };
     }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/ClosePullRequest.cs

@@ -22,4 +22,19 @@ public sealed record ClosePullRequest : MessageBase
 
         return report.ToString().Trim();
     }
+
+    public static ClosePullRequest WithDependenciesChanged(Job job) => CloseWithReason(job, "dependencies_changed");
+    public static ClosePullRequest WithDependenciesRemoved(Job job) => CloseWithReason(job, "dependencies_removed");
+    public static ClosePullRequest WithDependencyRemoved(Job job) => CloseWithReason(job, "dependency_removed");
+    public static ClosePullRequest WithUpdateNoLongerPossible(Job job) => CloseWithReason(job, "update_no_longer_possible");
+    public static ClosePullRequest WithUpToDate(Job job) => CloseWithReason(job, "up_to_date");
+
+    private static ClosePullRequest CloseWithReason(Job job, string reason)
+    {
+        return new ClosePullRequest()
+        {
+            DependencyNames = [.. job.Dependencies.Distinct().OrderBy(n => n, StringComparer.OrdinalIgnoreCase)],
+            Reason = reason,
+        };
+    }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/CreatePullRequest.cs

@@ -1,4 +1,5 @@
 using System.Text;
+using System.Text.Json;
 using System.Text.Json.Serialization;
 
 using NuGet.Versioning;
@@ -8,17 +9,29 @@ namespace NuGetUpdater.Core.Run.ApiModel;
 public sealed record CreatePullRequest : MessageBase
 {
     public required ReportedDependency[] Dependencies { get; init; }
+
     [JsonPropertyName("updated-dependency-files")]
     public required DependencyFile[] UpdatedDependencyFiles { get; init; }
+
     [JsonPropertyName("base-commit-sha")]
     public required string BaseCommitSha { get; init; }
+
     [JsonPropertyName("commit-message")]
     public required string CommitMessage { get; init; }
+
     [JsonPropertyName("pr-title")]
     public required string PrTitle { get; init; }
+
     [JsonPropertyName("pr-body")]
     public required string PrBody { get; init; }
 
+    /// <summary>
+    /// This is serialized as either `null` or `{"name": "group-name"}`.
+    /// </summary>
+    [JsonPropertyName("dependency-group")]
+    [JsonConverter(typeof(DependencyGroupConverter))]
+    public required string? DependencyGroup { get; init; }
+
     public override string GetReport()
     {
         var dependencyNames = Dependencies
@@ -35,4 +48,38 @@ public sealed record CreatePullRequest : MessageBase
 
         return report.ToString().Trim();
     }
+
+    public class DependencyGroupConverter : JsonConverter<string?>
+    {
+        public override string? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        {
+            if (reader.TokenType == JsonTokenType.Null)
+            {
+                return null;
+            }
+
+            var dict = JsonSerializer.Deserialize<Dictionary<string, string>>(ref reader, options);
+            if (dict is not null &&
+                dict.TryGetValue("name", out var name))
+            {
+                return name;
+            }
+
+            throw new NotSupportedException("Expected an object with a `name` property.");
+        }
+
+        public override void Write(Utf8JsonWriter writer, string? value, JsonSerializerOptions options)
+        {
+            if (value is null)
+            {
+                writer.WriteNullValue();
+            }
+            else
+            {
+                writer.WriteStartObject();
+                writer.WriteString("name", value);
+                writer.WriteEndObject();
+            }
+        }
+    }
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/DependencyGroup.cs

@@ -1,8 +1,68 @@
+using System.Collections.Immutable;
+using System.IO.Enumeration;
+
 namespace NuGetUpdater.Core.Run.ApiModel;
 
 public record DependencyGroup
 {
     public required string Name { get; init; }
     public string? AppliesTo { get; init; }
+
+    // TODO: make more strongly typed, but currently this seems to be:
+    //   "patterns" => string[] where each element is a wildcard name pattern
+    //   "exclude-patterns"=> string[] where each element is a wildcard name pattern
+    //   "dependency-type" => production|development // not used for nuget?
     public Dictionary<string, object> Rules { get; init; } = new();
+
+    public GroupMatcher GetGroupMatcher() => GroupMatcher.FromRules(Rules);
+}
+
+public class GroupMatcher
+{
+    public ImmutableArray<string> Patterns { get; init; } = ImmutableArray<string>.Empty;
+    public ImmutableArray<string> ExcludePatterns { get; init; } = ImmutableArray<string>.Empty;
+
+    public bool IsMatch(string dependencyName)
+    {
+        var isIncluded = Patterns.Any(p => FileSystemName.MatchesSimpleExpression(p, dependencyName));
+        var isExcluded = ExcludePatterns.Any(p => FileSystemName.MatchesSimpleExpression(p, dependencyName));
+        var isMatch = isIncluded && !isExcluded;
+        return isMatch;
+    }
+
+    public static GroupMatcher FromRules(Dictionary<string, object> rules)
+    {
+        string[] patterns;
+        if (rules.TryGetValue("patterns", out var patternsObject) &&
+            patternsObject is string[] patternsArray)
+        {
+            patterns = patternsArray;
+        }
+        else
+        {
+            patterns = ["*"]; // default to matching everything unless excluded below
+        }
+
+        string[] excludePatterns;
+        if (rules.TryGetValue("exclude-patterns", out var excludePatternsObject) &&
+            excludePatternsObject is string[] excludePatternsArray)
+        {
+            excludePatterns = excludePatternsArray;
+        }
+        else
+        {
+            excludePatterns = [];
+        }
+
+        return new GroupMatcher()
+        {
+            Patterns = [.. patterns],
+            ExcludePatterns = [.. excludePatterns],
+        };
+    }
+}
+
+public static class DependencyGroupExtensions
+{
+    public static bool IsSecurity(this DependencyGroup group) => group.AppliesTo == "security-updates";
 }

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/Job.cs

@@ -1,9 +1,14 @@
 using System.Collections.Immutable;
+using System.IO.Enumeration;
 using System.Text.Json;
 using System.Text.Json.Serialization;
 
+using Microsoft.Extensions.FileSystemGlobbing;
+
 using NuGet.Versioning;
 
+using NuGetUpdater.Core.Analyze;
+
 namespace NuGetUpdater.Core.Run.ApiModel;
 
 public sealed record Job
@@ -14,7 +19,9 @@ public sealed record Job
     [JsonConverter(typeof(NullAsBoolConverter))]
     public bool Debug { get; init; } = false;
     public ImmutableArray<DependencyGroup> DependencyGroups { get; init; } = [];
-    public ImmutableArray<string>? Dependencies { get; init; } = null;
+
+    [JsonConverter(typeof(NullAsEmptyStringArrayConverter))]
+    public ImmutableArray<string> Dependencies { get; init; } = [];
     public string? DependencyGroupToRefresh { get; init; } = null;
     public ImmutableArray<PullRequest> ExistingPullRequests { get; init; } = [];
     public ImmutableArray<GroupPullRequest> ExistingGroupPullRequests { get; init; } = [];
@@ -34,25 +41,29 @@ public sealed record Job
     public ImmutableArray<Dictionary<string, object>>? CredentialsMetadata { get; init; } = null;
     public int MaxUpdaterRunTime { get; init; } = 0;
 
-    public IEnumerable<string> GetAllDirectories()
+    public ImmutableArray<string> GetAllDirectories()
     {
-        var returnedADirectory = false;
+        var builder = ImmutableArray.CreateBuilder<string>();
         if (Source.Directory is not null)
         {
-            returnedADirectory = true;
-            yield return Source.Directory;
+            builder.Add(Source.Directory);
         }
 
-        foreach (var directory in Source.Directories ?? [])
+        builder.AddRange(Source.Directories ?? []);
+        if (builder.Count == 0)
         {
-            returnedADirectory = true;
-            yield return directory;
+            builder.Add("/");
         }
 
-        if (!returnedADirectory)
-        {
-            yield return "/";
-        }
+        return builder.ToImmutable();
+    }
+
+    public ImmutableArray<DependencyGroup> GetRelevantDependencyGroups()
+    {
+        var appliesToKey = SecurityUpdatesOnly ? "security-updates" : "version-updates";
+        var groups = DependencyGroups.Where(g => g.AppliesTo == appliesToKey)
+            .ToImmutableArray();
+        return groups;
     }
 
     public ImmutableArray<Tuple<string?, ImmutableArray<PullRequestDependency>>> GetAllExistingPullRequests()
@@ -66,27 +77,125 @@ public sealed record Job
         return existingPullRequests;
     }
 
-    public Tuple<string?, ImmutableArray<PullRequestDependency>>? GetExistingPullRequestForDependency(Dependency dependency)
+    public Tuple<string?, ImmutableArray<PullRequestDependency>>? GetExistingPullRequestForDependencies(IEnumerable<Dependency> dependencies, bool considerVersions)
     {
-        if (dependency.Version is null)
+        if (dependencies.Any(d => d.Version is null))
         {
             return null;
         }
 
-        var dependencyVersion = NuGetVersion.Parse(dependency.Version);
+        string CreateIdentifier(string dependencyName, string dependencyVersion)
+        {
+            return $"{dependencyName}/{(considerVersions ? dependencyVersion : null)}";
+        }
+
+        var desiredDependencySet = dependencies.Select(d => CreateIdentifier(d.Name, d.Version!)).ToHashSet(StringComparer.OrdinalIgnoreCase);
         var existingPullRequests = GetAllExistingPullRequests();
-        var existingPullRequest = existingPullRequests.FirstOrDefault(pr =>
+        var existingPullRequest = existingPullRequests
+            .FirstOrDefault(pr =>
+            {
+                var prDependencySet = pr.Item2.Select(d => CreateIdentifier(d.DependencyName, d.DependencyVersion.ToString())).ToHashSet(StringComparer.OrdinalIgnoreCase);
+                return prDependencySet.SetEquals(desiredDependencySet);
+            });
+        return existingPullRequest;
+    }
+
+    public bool IsDependencyIgnored(string dependencyName, string dependencyVersion)
+    {
+        var versionsToIgnore = IgnoreConditions
+            .Where(c => FileSystemName.MatchesSimpleExpression(c.DependencyName, dependencyName))
+            .Select(c => c.VersionRequirement ?? Requirement.Parse(">= 0.0.0")) // no range means ignore everything
+            .ToArray();
+        var parsedDependencyVersion = NuGetVersion.Parse(dependencyVersion);
+        var isIgnored = versionsToIgnore
+            .Any(r => r.IsSatisfiedBy(parsedDependencyVersion));
+        return isIgnored;
+    }
+
+    public bool IsUpdatePermitted(Dependency dependency)
+    {
+        if (dependency.Version is null)
         {
-            if (pr.Item2.Length == 1 &&
-                pr.Item2[0].DependencyName.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase) &&
-                pr.Item2[0].DependencyVersion == dependencyVersion)
+            // if we don't know the version, there's nothing we can do
+            return false;
+        }
+
+        var version = NuGetVersion.Parse(dependency.Version);
+        var dependencyInfo = RunWorker.GetDependencyInfo(this, dependency);
+        var isVulnerable = dependencyInfo.Vulnerabilities.Any(v => v.IsVulnerable(version));
+
+        bool IsAllowed(AllowedUpdate allowedUpdate)
+        {
+            // check name restriction, if any
+            if (allowedUpdate.DependencyName is not null)
             {
-                return true;
+                var matcher = new Matcher(StringComparison.OrdinalIgnoreCase)
+                    .AddInclude(allowedUpdate.DependencyName);
+                var result = matcher.Match(dependency.Name);
+                if (!result.HasMatches)
+                {
+                    return false;
+                }
             }
 
-            return false;
-        });
-        return existingPullRequest;
+            var isSecurityUpdate = allowedUpdate.UpdateType == UpdateType.Security || SecurityUpdatesOnly;
+            if (isSecurityUpdate)
+            {
+                if (isVulnerable)
+                {
+                    // try to match to existing PR
+                    var dependencyVersion = NuGetVersion.Parse(dependency.Version);
+                    var existingPullRequests = GetAllExistingPullRequests()
+                        .Where(pr => pr.Item2.Any(d => d.DependencyName.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase) && d.DependencyVersion >= dependencyVersion))
+                        .ToArray();
+                    if (existingPullRequests.Length > 0)
+                    {
+                        // found a matching pr...
+                        if (UpdatingAPullRequest)
+                        {
+                            // ...and we've been asked to update it
+                            return true;
+                        }
+                        else
+                        {
+                            // ...but no update requested => don't perform any update
+                            return false;
+                        }
+                    }
+                    else
+                    {
+                        // no matching pr...
+                        if (UpdatingAPullRequest)
+                        {
+                            // ...but we've been asked to perform an update => no update possible
+                            return false;
+                        }
+                        else
+                        {
+                            // ...and no update specifically requested => create new
+                            return true;
+                        }
+                    }
+                }
+
+                return false;
+            }
+            else
+            {
+                // not a security update, so only update if...
+                // ...we've been explicitly asked to update this
+                if (Dependencies.Any(d => d.Equals(dependency.Name, StringComparison.OrdinalIgnoreCase)))
+                {
+                    return true;
+                }
+
+                // ...no specific update being performed, do it if it's not transitive
+                return !dependency.IsTransitive;
+            }
+        }
+
+        var allowed = AllowedUpdates.Any(IsAllowed);
+        return allowed;
     }
 }
 
@@ -107,3 +216,22 @@ public class NullAsBoolConverter : JsonConverter<bool>
         writer.WriteBooleanValue(value);
     }
 }
+
+public class NullAsEmptyStringArrayConverter : JsonConverter<ImmutableArray<string>>
+{
+    public override ImmutableArray<string> Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+    {
+        if (reader.TokenType == JsonTokenType.Null)
+        {
+            return [];
+        }
+
+        return JsonSerializer.Deserialize<ImmutableArray<string>>(ref reader, options);
+    }
+
+    public override void Write(Utf8JsonWriter writer, ImmutableArray<string> value, JsonSerializerOptions options)
+    {
+        writer.WriteStartArray();
+        writer.WriteEndArray();
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/JobErrorBase.cs

@@ -5,6 +5,7 @@ using System.Text.Json.Serialization;
 using Microsoft.Build.Exceptions;
 
 using NuGetUpdater.Core.Analyze;
+using NuGetUpdater.Core.Utilities;
 
 namespace NuGetUpdater.Core.Run.ApiModel;
 
@@ -25,24 +26,9 @@ public abstract record JobErrorBase : MessageBase
     {
         var report = new StringBuilder();
         report.AppendLine($"Error type: {Type}");
-        foreach (var (key, value) in Details)
-        {
-            if (this is UnknownError && key == "error-backtrace")
-            {
-                // there's nothing meaningful in this field
-                continue;
-            }
-
-            var valueString = value.ToString();
-            if (value is IEnumerable<string> strings)
-            {
-                valueString = string.Join(", ", strings);
-            }
-
-            report.AppendLine($"- {key}: {valueString}");
-        }
-
-        return report.ToString().Trim();
+        report.Append(MarkdownListBuilder.FromObject(Details));
+        var fullReport = report.ToString().TrimEnd();
+        return fullReport;
     }
 
     public static JobErrorBase ErrorFromException(Exception ex, string jobId, string currentDirectory)

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/PullRequestExistsForSecurityUpdate.cs

@@ -0,0 +1,15 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record PullRequestExistsForSecurityUpdate : JobErrorBase
+{
+    public PullRequestExistsForSecurityUpdate(Dependency[] dependencies)
+        : base("pull_request_exists_for_security_update")
+    {
+        Details["updated-dependencies"] = dependencies.Select(d => new Dictionary<string, object>()
+        {
+            ["dependency-name"] = d.Name,
+            ["dependency-version"] = d.Version!,
+            ["dependency-removed"] = false,
+        }).ToArray();
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/SecurityUpdateDependencyNotFound.cs

@@ -0,0 +1,9 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record SecurityUpdateDependencyNotFound : JobErrorBase
+{
+    public SecurityUpdateDependencyNotFound()
+        : base("security_update_dependency_not_found")
+    {
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/SecurityUpdateIgnored.cs

@@ -0,0 +1,10 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record SecurityUpdateIgnored : JobErrorBase
+{
+    public SecurityUpdateIgnored(string dependencyName)
+        : base("all_versions_ignored")
+    {
+        Details["dependency-name"] = dependencyName;
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/SecurityUpdateNotFound.cs

@@ -0,0 +1,11 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record SecurityUpdateNotFound : JobErrorBase
+{
+    public SecurityUpdateNotFound(string dependencyName, string dependencyVersion)
+        : base("security_update_not_found")
+    {
+        Details["dependency-name"] = dependencyName;
+        Details["dependency-version"] = dependencyVersion;
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/SecurityUpdateNotPossible.cs

@@ -0,0 +1,13 @@
+namespace NuGetUpdater.Core.Run.ApiModel;
+
+public record SecurityUpdateNotPossible : JobErrorBase
+{
+    public SecurityUpdateNotPossible(string dependencyName, string latestResolvableVersion, string lowestNonVulnerableVersion, string[] conflictingDependencies)
+        : base("security_update_not_possible")
+    {
+        Details["dependency-name"] = dependencyName;
+        Details["latest-resolvable-version"] = latestResolvableVersion;
+        Details["lowest-non-vulnerable-version"] = lowestNonVulnerableVersion;
+        Details["conflicting-dependencies"] = conflictingDependencies;
+    }
+}

data/helpers/lib/NuGetUpdater/NuGetUpdater.Core/Run/ApiModel/UpdatePullRequest.cs

@@ -2,6 +2,8 @@ using System.Collections.Immutable;
 using System.Text;
 using System.Text.Json.Serialization;
 
+using static NuGetUpdater.Core.Run.ApiModel.CreatePullRequest;
+
 namespace NuGetUpdater.Core.Run.ApiModel;
 
 public sealed record UpdatePullRequest : MessageBase
@@ -24,7 +26,11 @@ public sealed record UpdatePullRequest : MessageBase
     [JsonPropertyName("commit-message")]
     public required string CommitMessage { get; init; }
 
+    /// <summary>
+    /// This is serialized as either `null` or `{"name": "group-name"}`.
+    /// </summary>
     [JsonPropertyName("dependency-group")]
+    [JsonConverter(typeof(DependencyGroupConverter))]
     public required string? DependencyGroup { get; init; }
 
     public override string GetReport()