dependabot-nuget 0.80.0

data/lib/dependabot/nuget/file_parser.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+
+# For details on how dotnet handles version constraints, see:
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning
+module Dependabot
+  module Nuget
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+      require_relative "file_parser/project_file_parser"
+      require_relative "file_parser/packages_config_parser"
+
+      PACKAGE_CONF_DEPENDENCY_SELECTOR = "packages > packages"
+
+      def parse
+        dependency_set = DependencySet.new
+        dependency_set += project_file_dependencies
+        dependency_set += packages_config_dependencies
+        dependency_set.dependencies
+      end
+
+      private
+
+      def project_file_dependencies
+        dependency_set = DependencySet.new
+
+        (project_files + project_import_files).each do |file|
+          parser = project_file_parser
+          dependency_set += parser.dependency_set(project_file: file)
+        end
+
+        dependency_set
+      end
+
+      def packages_config_dependencies
+        dependency_set = DependencySet.new
+
+        packages_config_files.each do |file|
+          parser = PackagesConfigParser.new(packages_config: file)
+          dependency_set += parser.dependency_set
+        end
+
+        dependency_set
+      end
+
+      def project_file_parser
+        @project_file_parser ||=
+          ProjectFileParser.new(dependency_files: dependency_files)
+      end
+
+      def project_files
+        dependency_files.select { |df| df.name.match?(/\.[a-z]{2}proj$/) }
+      end
+
+      def packages_config_files
+        dependency_files.select do |f|
+          f.name.split("/").last.casecmp("packages.config").zero?
+        end
+      end
+
+      def project_import_files
+        dependency_files -
+          project_files -
+          packages_config_files -
+          [nuget_config]
+      end
+
+      def nuget_config
+        dependency_files.find { |f| f.name.casecmp("nuget.config").zero? }
+      end
+
+      def check_required_files
+        return if project_files.any? || packages_config_files.any?
+
+        raise "No project file or packages.config!"
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.register("nuget", Dependabot::Nuget::FileParser)

data/lib/dependabot/nuget/file_updater/packages_config_declaration_finder.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/nuget/file_updater"
+
+module Dependabot
+  module Nuget
+    class FileUpdater
+      class PackagesConfigDeclarationFinder
+        DECLARATION_REGEX =
+          %r{<package [^>]*?/>|
+             <package [^>]*?[^/]>.*?</package>}mx.freeze
+
+        attr_reader :dependency_name, :declaring_requirement,
+                    :packages_config
+
+        def initialize(dependency_name:, packages_config:,
+                       declaring_requirement:)
+          @dependency_name        = dependency_name
+          @packages_config        = packages_config
+          @declaring_requirement  = declaring_requirement
+
+          if declaring_requirement[:file].split("/").last.
+             casecmp("packages.config").zero?
+            return
+          end
+
+          raise "Requirement not from packages.config!"
+        end
+
+        def declaration_strings
+          @declaration_strings ||= fetch_declaration_strings
+        end
+
+        def declaration_nodes
+          declaration_strings.map do |declaration_string|
+            Nokogiri::XML(declaration_string)
+          end
+        end
+
+        private
+
+        def fetch_declaration_strings
+          deep_find_declarations(packages_config.content).select do |nd|
+            node = Nokogiri::XML(nd)
+            node.remove_namespaces!
+            node = node.at_xpath("/package")
+
+            node_name = node.attribute("id")&.value&.strip ||
+                        node.at_xpath("./id")&.content&.strip
+            next false unless node_name == dependency_name
+
+            node_requirement = node.attribute("version")&.value&.strip ||
+                               node.at_xpath("./version")&.content&.strip
+            node_requirement == declaring_requirement.fetch(:requirement)
+          end
+        end
+
+        def deep_find_declarations(string)
+          string.scan(DECLARATION_REGEX).flat_map do |matching_node|
+            [matching_node, *deep_find_declarations(matching_node[0..-2])]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_updater/project_file_declaration_finder.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/nuget/file_updater"
+
+module Dependabot
+  module Nuget
+    class FileUpdater
+      class ProjectFileDeclarationFinder
+        DECLARATION_REGEX =
+          %r{
+            <PackageReference [^>]*?/>|
+            <PackageReference [^>]*?[^/]>.*?</PackageReference>|
+            <Dependency [^>]*?/>|
+            <Dependency [^>]*?[^/]>.*?</Dependency>|
+            <DevelopmentDependency [^>]*?/>|
+            <DevelopmentDependency [^>]*?[^/]>.*?</DevelopmentDependency>
+          }mx.freeze
+
+        attr_reader :dependency_name, :declaring_requirement,
+                    :dependency_files
+
+        def initialize(dependency_name:, dependency_files:,
+                       declaring_requirement:)
+          @dependency_name       = dependency_name
+          @dependency_files      = dependency_files
+          @declaring_requirement = declaring_requirement
+        end
+
+        def declaration_strings
+          @declaration_strings ||= fetch_declaration_strings
+        end
+
+        def declaration_nodes
+          declaration_strings.map do |declaration_string|
+            Nokogiri::XML(declaration_string)
+          end
+        end
+
+        private
+
+        def fetch_declaration_strings
+          deep_find_declarations(declaring_file.content).select do |nd|
+            node = Nokogiri::XML(nd)
+            node.remove_namespaces!
+            node = node.at_xpath("/PackageReference") ||
+                   node.at_xpath("/Dependency") ||
+                   node.at_xpath("/DevelopmentDependency")
+
+            node_name = node.attribute("Include")&.value&.strip ||
+                        node.at_xpath("./Include")&.content&.strip
+            next false unless node_name == dependency_name
+
+            node_requirement = node.attribute("Version")&.value&.strip ||
+                               node.at_xpath("./Version")&.content&.strip
+            node_requirement == declaring_requirement.fetch(:requirement)
+          end
+        end
+
+        def deep_find_declarations(string)
+          string.scan(DECLARATION_REGEX).flat_map do |matching_node|
+            [matching_node, *deep_find_declarations(matching_node[0..-2])]
+          end
+        end
+
+        def declaring_file
+          filename = declaring_requirement.fetch(:file)
+          declaring_file = dependency_files.find { |f| f.name == filename }
+          return declaring_file if declaring_file
+
+          raise "No file found with name #{filename}!"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_updater/property_value_updater.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency_file"
+require "dependabot/nuget/file_updater"
+require "dependabot/nuget/file_parser/property_value_finder"
+
+module Dependabot
+  module Nuget
+    class FileUpdater
+      class PropertyValueUpdater
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def update_files_for_property_change(property_name:, updated_value:,
+                                             callsite_file:)
+          declaration_details =
+            property_value_finder.
+            property_details(
+              property_name: property_name,
+              callsite_file: callsite_file
+            )
+
+          declaration_file = dependency_files.find do |f|
+            declaration_details.fetch(:file) == f.name
+          end
+          node = declaration_details.fetch(:node)
+
+          updated_content = declaration_file.content.sub(
+            %r{<#{Regexp.quote(node.name)}>
+               \s*#{Regexp.quote(node.content)}\s*
+               </#{Regexp.quote(node.name)}>}xm,
+            "<#{node.name}>#{updated_value}</#{node.name}>"
+          )
+
+          files = dependency_files.dup
+          files[files.index(declaration_file)] =
+            update_file(file: declaration_file, content: updated_content)
+          files
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def property_value_finder
+          @property_value_finder ||=
+            Nuget::FileParser::PropertyValueFinder.
+            new(dependency_files: dependency_files)
+        end
+
+        def update_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_updater.rb

@@ -0,0 +1,152 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module Nuget
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      require_relative "file_updater/packages_config_declaration_finder"
+      require_relative "file_updater/project_file_declaration_finder"
+      require_relative "file_updater/property_value_updater"
+
+      def self.updated_files_regex
+        [
+          %r{^[^/]*\.[a-z]{2}proj$},
+          /^packages\.config$/i
+        ]
+      end
+
+      def updated_dependency_files
+        updated_files = dependency_files.dup
+
+        # Loop through each of the changed requirements, applying changes to
+        # all files for that change. Note that the logic is different here
+        # to other languages because donet has property inheritance across
+        # files
+        dependencies.each do |dependency|
+          updated_files = update_files_for_dependency(
+            files: updated_files,
+            dependency: dependency
+          )
+        end
+
+        updated_files.reject! { |f| dependency_files.include?(f) }
+
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      def project_files
+        dependency_files.select { |df| df.name.match?(/\.[a-z]{2}proj$/) }
+      end
+
+      def packages_config_files
+        dependency_files.select do |f|
+          f.name.split("/").last.casecmp("packages.config").zero?
+        end
+      end
+
+      def check_required_files
+        return if project_files.any? || packages_config_files.any?
+
+        raise "No project file or packages.config!"
+      end
+
+      def update_files_for_dependency(files:, dependency:)
+        # The UpdateChecker ensures the order of requirements is preserved
+        # when updating, so we can zip them together in new/old pairs.
+        reqs = dependency.requirements.zip(dependency.previous_requirements).
+               reject { |new_req, old_req| new_req == old_req }
+
+        # Loop through each changed requirement and update the files
+        reqs.each do |new_req, old_req|
+          raise "Bad req match" unless new_req[:file] == old_req[:file]
+          next if new_req[:requirement] == old_req[:requirement]
+
+          file = files.find { |f| f.name == new_req.fetch(:file) }
+
+          files =
+            if new_req.dig(:metadata, :property_name)
+              update_property_value(files, file, new_req)
+            else
+              update_declaration(files, dependency, file, old_req, new_req)
+            end
+        end
+
+        files
+      end
+
+      def update_property_value(files, file, req)
+        files = files.dup
+        property_name = req.fetch(:metadata).fetch(:property_name)
+
+        PropertyValueUpdater.
+          new(dependency_files: files).
+          update_files_for_property_change(
+            property_name: property_name,
+            updated_value: req.fetch(:requirement),
+            callsite_file: file
+          )
+      end
+
+      def update_declaration(files, dependency, file, old_req, new_req)
+        files = files.dup
+
+        updated_content = file.content
+
+        original_declarations(dependency, old_req).each do |old_dec|
+          updated_content = updated_content.gsub(
+            old_dec,
+            updated_declaration(old_dec, old_req, new_req)
+          )
+        end
+
+        raise "Expected content to change!" if updated_content == file.content
+
+        files[files.index(file)] =
+          updated_file(file: file, content: updated_content)
+        files
+      end
+
+      def original_declarations(dependency, requirement)
+        declaration_finder(dependency, requirement).declaration_strings
+      end
+
+      def declaration_finder(dependency, requirement)
+        @declaration_finders ||= {}
+
+        requirement_fn = requirement.fetch(:file)
+        @declaration_finders[dependency.hash + requirement.hash] ||=
+          if requirement_fn.split("/").last.casecmp("packages.config").zero?
+            PackagesConfigDeclarationFinder.new(
+              dependency_name: dependency.name,
+              declaring_requirement: requirement,
+              packages_config:
+                packages_config_files.find { |f| f.name == requirement_fn }
+            )
+          else
+            ProjectFileDeclarationFinder.new(
+              dependency_name: dependency.name,
+              declaring_requirement: requirement,
+              dependency_files: dependency_files
+            )
+          end
+      end
+
+      def updated_declaration(old_declaration, previous_req, requirement)
+        original_req_string = previous_req.fetch(:requirement)
+
+        old_declaration.gsub(
+          original_req_string,
+          requirement.fetch(:requirement)
+        )
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("nuget", Dependabot::Nuget::FileUpdater)

data/lib/dependabot/nuget/metadata_finder.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+
+module Dependabot
+  module Nuget
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      private
+
+      def look_up_source
+        return Source.from_url(dependency_source_url) if dependency_source_url
+
+        look_up_source_in_nuspec(dependency_nuspec_file)
+      end
+
+      def look_up_source_in_nuspec(nuspec)
+        potential_source_urls = [
+          nuspec.at_css("package > metadata > repository")&.
+            attribute("url")&.value,
+          nuspec.at_css("package > metadata > repository > url")&.content,
+          nuspec.at_css("package > metadata > projectUrl")&.content,
+          nuspec.at_css("package > metadata > licenseUrl")&.content
+        ].compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        source_url ||= source_from_anywhere_in_nuspec(nuspec)
+
+        Source.from_url(source_url)
+      end
+
+      def source_from_anywhere_in_nuspec(nuspec)
+        github_urls = []
+        nuspec.to_s.scan(Source::SOURCE_REGEX) do
+          github_urls << Regexp.last_match.to_s
+        end
+
+        github_urls.find do |url|
+          repo = Source.from_url(url).repo
+          repo.downcase.end_with?(dependency.name.downcase)
+        end
+      end
+
+      def dependency_nuspec_file
+        return @dependency_nuspec_file unless @dependency_nuspec_file.nil?
+
+        response = Excon.get(
+          dependency_nuspec_url,
+          headers: auth_header,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        @dependency_nuspec_file = Nokogiri::XML(response.body)
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      def dependency_nuspec_url
+        source = dependency.requirements.
+                 find { |r| r&.fetch(:source) }&.fetch(:source)
+
+        if source&.key?(:nuspec_url)
+          source.fetch(:nuspec_url) ||
+            "https://api.nuget.org/v3-flatcontainer/"\
+            "#{dependency.name.downcase}/#{dependency.version}/"\
+            "#{dependency.name.downcase}.nuspec"
+        elsif source&.key?(:nuspec_url)
+          source.fetch("nuspec_url") ||
+            "https://api.nuget.org/v3-flatcontainer/"\
+            "#{dependency.name.downcase}/#{dependency.version}/"\
+            "#{dependency.name.downcase}.nuspec"
+        else
+          "https://api.nuget.org/v3-flatcontainer/"\
+          "#{dependency.name.downcase}/#{dependency.version}/"\
+          "#{dependency.name.downcase}.nuspec"
+        end
+      end
+      # rubocop:enable Metrics/AbcSize
+
+      def dependency_source_url
+        source = dependency.requirements.
+                 find { |r| r&.fetch(:source) }&.fetch(:source)
+
+        return unless source
+        return source.fetch(:source_url) if source.key?(:source_url)
+
+        source.fetch("source_url")
+      end
+
+      def auth_header
+        source = dependency.requirements.
+                 find { |r| r&.fetch(:source) }&.fetch(:source)
+        url = source&.fetch(:url, nil) || source&.fetch("url")
+
+        token = credentials.
+                select { |cred| cred["type"] == "nuget_feed" }.
+                find { |cred| cred["url"] == url }&.
+                fetch("token", nil)
+
+        return {} unless token
+
+        if token.include?(":")
+          encoded_token = Base64.encode64(token).delete("\n")
+          { "Authorization" => "Basic #{encoded_token}" }
+        elsif Base64.decode64(token).ascii_only? &&
+              Base64.decode64(token).include?(":")
+          { "Authorization" => "Basic #{token.delete("\n")}" }
+        else
+          { "Authorization" => "Bearer #{token}" }
+        end
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.register("nuget", Dependabot::Nuget::MetadataFinder)

data/lib/dependabot/nuget/requirement.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/nuget/version"
+
+# For details on .NET version constraints see:
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning
+module Dependabot
+  module Nuget
+    class Requirement < Gem::Requirement
+      def self.parse(obj)
+        return ["=", Nuget::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Nuget::Version.new(matches[2])]
+      end
+
+      # For consistency with other langauges, we define a requirements array.
+      # Dotnet doesn't have an `OR` separator for requirements, so it always
+      # contains a single element.
+      def self.requirements_array(requirement_string)
+        [new(requirement_string)]
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          convert_dotnet_constraint_to_ruby_constraint(req_string)
+        end
+
+        super(requirements)
+      end
+
+      def satisfied_by?(version)
+        version = Nuget::Version.new(version.to_s)
+        super
+      end
+
+      private
+
+      def convert_dotnet_constraint_to_ruby_constraint(req_string)
+        return unless req_string
+
+        if req_string&.start_with?("(", "[")
+          return convert_dotnet_range_to_ruby_range(req_string)
+        end
+
+        return req_string.split(",").map(&:strip) if req_string.include?(",")
+        return req_string unless req_string.include?("*")
+
+        convert_wildcard_req(req_string)
+      end
+
+      def convert_dotnet_range_to_ruby_range(req_string)
+        lower_b, upper_b = req_string.split(",").map(&:strip)
+
+        lower_b =
+          if ["(", "["].include?(lower_b) then nil
+          elsif lower_b.start_with?("(") then "> #{lower_b.sub(/\(\s*/, '')}"
+          else ">= #{lower_b.sub(/\[\s*/, '').strip}"
+          end
+
+        upper_b =
+          if [")", "]"].include?(upper_b) then nil
+          elsif upper_b.end_with?(")") then "< #{upper_b.sub(/\s*\)/, '')}"
+          else "<= #{upper_b.sub(/\s*\]/, '').strip}"
+          end
+
+        [lower_b, upper_b].compact
+      end
+
+      def convert_wildcard_req(req_string)
+        return ">= 0" if req_string.start_with?("*")
+
+        defined_part = req_string.split("*").first
+        suffix = defined_part.end_with?(".") ? "0" : "a"
+        version = defined_part + suffix
+        "~> #{version}"
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("nuget", Dependabot::Nuget::Requirement)