dependabot-nuget 0.100.2 → 0.101.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc810cea298983ce9c1c3bf8380c8ae533f96ebf5834ad289f39da1070a11fa4
-  data.tar.gz: 0b35e5986a7b7321a811dc8d8b166b3a949b05bd2092c428d0ce2451169c549f
+  metadata.gz: b6127f346f242e91f4d6d8dc9d1ce6d11d543ed63fc32727f6a8138af185d775
+  data.tar.gz: b832964c19dcbd0de3a20f89b06eaf2b298570399de786538a215f70b0e37728
 SHA512:
-  metadata.gz: e8b433771c9d5ee0dc689468f04ea067961e6b4681f9fe77ef7c31f257fcbc8ee955dbf6b87a5a92c94497db99264690835ea99d37354db1329d6309eac961e8
-  data.tar.gz: 6dbe5845c9fe7e5f71b92ff1fce6b541b50e42731ce27e8284afc983b92105e36f2c91aad325daf2ee55372356bcead83a3cea8567b38c304909c4602f94920d
+  metadata.gz: 13f11948ec57a58bf63f4d1a0991de9d208f33f18d7cc35b2b6520a0657d3f834d305f130e4976cb25998eb76b67809341ddc6f42ff81e1e97fee770109d63bd
+  data.tar.gz: '0386b5365781008d232db19a91d3b2fc4a6ad0851091cbb25da89693bc2cf68b2195eae43510b7bdeb72ec7951c9112b2be3e0bef8cf76ce3d77723ecfc6f37f'

data/lib/dependabot/nuget/update_checker.rb

@@ -22,6 +22,12 @@ module Dependabot
         latest_version
       end
 
+      def lowest_resolvable_security_fix_version
+        return nil if version_comes_from_multi_dependency_property?
+
+        lowest_security_fix_version_details&.fetch(:version)
+      end
+
       def latest_resolvable_version_with_no_unlock
         # Irrelevant, since Nuget has a single dependency file
         nil
@@ -30,8 +36,8 @@ module Dependabot
       def updated_requirements
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: latest_version&.to_s,
-          source_details: latest_version_details&.
+          latest_version: preferred_resolvable_version&.to_s,
+          source_details: preferred_version_details&.
                           slice(:nuspec_url, :repo_url, :source_url)
         ).updated_requirements
       end
@@ -67,17 +73,29 @@ module Dependabot
         property_updater.updated_dependencies
       end
 
+      def preferred_version_details
+        return lowest_security_fix_version_details if vulnerable?
+
+        latest_version_details
+      end
+
       def latest_version_details
         @latest_version_details ||= version_finder.latest_version_details
       end
 
+      def lowest_security_fix_version_details
+        @lowest_security_fix_version_details ||=
+          version_finder.lowest_security_fix_version_details
+      end
+
       def version_finder
         @version_finder ||=
           VersionFinder.new(
             dependency: dependency,
             dependency_files: dependency_files,
             credentials: credentials,
-            ignored_versions: ignored_versions
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories
           )
       end
 

data/lib/dependabot/nuget/update_checker/property_updater.rb

@@ -30,7 +30,8 @@ module Dependabot
                 dependency: dep,
                 dependency_files: dependency_files,
                 credentials: credentials,
-                ignored_versions: ignored_versions
+                ignored_versions: ignored_versions,
+                security_advisories: []
               ).versions.map { |v| v.fetch(:version) }
 
               versions.include?(target_version) || versions.none?

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -15,25 +15,33 @@ module Dependabot
         require_relative "repository_finder"
 
         def initialize(dependency:, dependency_files:, credentials:,
-                       ignored_versions: [])
-          @dependency = dependency
-          @dependency_files = dependency_files
-          @credentials = credentials
-          @ignored_versions = ignored_versions
+                       ignored_versions:, security_advisories:)
+          @dependency          = dependency
+          @dependency_files    = dependency_files
+          @credentials         = credentials
+          @ignored_versions    = ignored_versions
+          @security_advisories = security_advisories
         end
 
         def latest_version_details
           @latest_version_details ||=
             begin
-              tmp_versions = versions
-              tmp_versions.reject! do |d|
-                version = d.fetch(:version)
-                version.prerelease? && !related_to_current_pre?(version)
-              end
-              tmp_versions.reject! do |hash|
-                ignore_reqs.any? { |r| r.satisfied_by?(hash.fetch(:version)) }
-              end
-              tmp_versions.max_by { |hash| hash.fetch(:version) }
+              possible_versions = versions
+              possible_versions = filter_prereleases(possible_versions)
+              possible_versions = filter_ignored_versions(possible_versions)
+              possible_versions.max_by { |hash| hash.fetch(:version) }
+            end
+        end
+
+        def lowest_security_fix_version_details
+          @lowest_security_fix_version_details ||=
+            begin
+              possible_versions = versions
+              possible_versions = filter_prereleases(possible_versions)
+              possible_versions = filter_ignored_versions(possible_versions)
+              possible_versions = filter_vulnerable_versions(possible_versions)
+              possible_versions = filter_lower_versions(possible_versions)
+              possible_versions.min_by { |hash| hash.fetch(:version) }
             end
         end
 
@@ -42,10 +50,48 @@ module Dependabot
         end
 
         attr_reader :dependency, :dependency_files, :credentials,
-                    :ignored_versions
+                    :ignored_versions, :security_advisories
 
         private
 
+        def filter_prereleases(possible_versions)
+          possible_versions.reject do |d|
+            version = d.fetch(:version)
+            version.prerelease? && !related_to_current_pre?(version)
+          end
+        end
+
+        def filter_ignored_versions(possible_versions)
+          versions_array = possible_versions
+
+          ignored_versions.each do |req|
+            ignore_req = requirement_class.new(req.split(","))
+            versions_array =
+              versions_array.
+              reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
+          end
+
+          versions_array
+        end
+
+        def filter_vulnerable_versions(possible_versions)
+          versions_array = possible_versions
+
+          security_advisories.each do |advisory|
+            versions_array =
+              versions_array.
+              reject { |v| advisory.vulnerable?(v.fetch(:version)) }
+          end
+
+          versions_array
+        end
+
+        def filter_lower_versions(possible_versions)
+          possible_versions.select do |v|
+            v.fetch(:version) > version_class.new(dependency.version)
+          end
+        end
+
         def available_v3_versions
           v3_nuget_listings.flat_map do |listing|
             listing.
@@ -208,10 +254,6 @@ module Dependabot
             ).dependency_urls
         end
 
-        def ignore_reqs
-          ignored_versions.map { |req| requirement_class.new(req.split(",")) }
-        end
-
         def nuget_config
           @nuget_config ||=
             dependency_files.find { |f| f.name.casecmp("nuget.config").zero? }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.100.2
+  version: 0.101.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.100.2
+        version: 0.101.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.100.2
+        version: 0.101.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement