dependabot-nuget 0.166.1 → 0.167.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1880021ddebc227f6c1793151b1d674e169def5b26cd549ac37aff97b8516bf5
-  data.tar.gz: 844ce4f5abeb8b0733b0dcd9b74c380a2bbb041cede63f79b51d13eb4ea059e0
+  metadata.gz: dd50661c29ea424e1badac29db1bd3604155c95b604f683242d7b9123ec485db
+  data.tar.gz: a0a78364ec7de0244e02321f64c59fdb12f14e415becf20c332c4e0ce333f198
 SHA512:
-  metadata.gz: 24a6623ef4b3925173a2274202ec1efeac7591e248bd8d91e5e71c06a33a28a151832015caf4b298a3c15dab0ba368bdb37772e34ad410db0c29fa5d0d32038c
-  data.tar.gz: 5ed2ffcd69d6965f4879b29759d185fc9ab2d3244dc113d5991b3460edb5c8d0e939ad42452b38d85644fb9940933bd5581be22c6b5d64891be93a0042b8ffa2
+  metadata.gz: 2af5e06c5f76730ac8e04acc79ca42238746b15f788567cf9f22dd20541caa58f86a3a83c797143e2bdb27821e914eea44ee7b5a36fc40f9ed40f1a8db1de51b
+  data.tar.gz: 952c5056834c0d52c515d71b355f16e84f0689ad29538279083e73274381fbce18899d3ed9af0e3ed252a29fc24a6f21a55788ab07211eef6d495665609ee000

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -20,6 +20,7 @@ module Dependabot
                               "ItemGroup > Dependency, "\
                               "ItemGroup > DevelopmentDependency"
 
+        PROJECT_SDK_REGEX   = %r{^([^/]+)/(\d+(?:[.]\d+(?:[.]\d+)?)?(?:[+-].*)?)$}.freeze
         PROPERTY_REGEX      = /\$\((?<property>.*?)\)/.freeze
         ITEM_REGEX          = /\@\((?<property>.*?)\)/.freeze
 
@@ -32,16 +33,19 @@ module Dependabot
 
           doc = Nokogiri::XML(project_file.content)
           doc.remove_namespaces!
+          # Look for regular package references
           doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
             name = dependency_name(dependency_node, project_file)
             req = dependency_requirement(dependency_node, project_file)
             version = dependency_version(dependency_node, project_file)
             prop_name = req_property_name(dependency_node)
 
-            dependency =
-              build_dependency(name, req, version, prop_name, project_file)
+            dependency = build_dependency(name, req, version, prop_name, project_file)
             dependency_set << dependency if dependency
           end
+          # Look for SDK references; see:
+          # https://docs.microsoft.com/en-us/visualstudio/msbuild/how-to-use-project-sdk
+          add_sdk_references(doc, dependency_set, project_file)
 
           dependency_set
         end
@@ -50,6 +54,61 @@ module Dependabot
 
         attr_reader :dependency_files
 
+        def add_sdk_references(doc, dependency_set, project_file)
+          # These come in 3 flavours:
+          # - <Project Sdk="Name/Version">
+          # - <Sdk Name="Name" Version="Version" />
+          # - <Import Project="..." Sdk="Name" Version="Version" />
+          # None of these support the use of properties, nor do they allow child
+          # elements instead of attributes.
+          add_sdk_refs_from_project(doc, dependency_set, project_file)
+          add_sdk_refs_from_sdk_tags(doc, dependency_set, project_file)
+          add_sdk_refs_from_import_tags(doc, dependency_set, project_file)
+        end
+
+        def add_sdk_ref_from_project(sdk_references, dependency_set, project_file)
+          sdk_references.split(";")&.each do |sdk_reference|
+            m = sdk_reference.match(PROJECT_SDK_REGEX)
+            if m
+              dependency = build_dependency(m[1], m[2], m[2], nil, project_file)
+              dependency_set << dependency if dependency
+            end
+          end
+        end
+
+        def add_sdk_refs_from_import_tags(doc, dependency_set, project_file)
+          doc.xpath("/Project/Import").each do |import_node|
+            next unless import_node.attribute("Sdk") && import_node.attribute("Version")
+
+            name = import_node.attribute("Sdk")&.value&.strip
+            version = import_node.attribute("Version")&.value&.strip
+
+            dependency = build_dependency(name, version, version, nil, project_file)
+            dependency_set << dependency if dependency
+          end
+        end
+
+        def add_sdk_refs_from_project(doc, dependency_set, project_file)
+          doc.xpath("/Project").each do |project_node|
+            sdk_references = project_node.attribute("Sdk")&.value&.strip
+            next unless sdk_references
+
+            add_sdk_ref_from_project(sdk_references, dependency_set, project_file)
+          end
+        end
+
+        def add_sdk_refs_from_sdk_tags(doc, dependency_set, project_file)
+          doc.xpath("/Project/Sdk").each do |sdk_node|
+            next unless sdk_node.attribute("Version")
+
+            name = sdk_node.attribute("Name")&.value&.strip
+            version = sdk_node.attribute("Version")&.value&.strip
+
+            dependency = build_dependency(name, version, version, nil, project_file)
+            dependency_set << dependency if dependency
+          end
+        end
+
         def build_dependency(name, req, version, prop_name, project_file)
           return unless name
 

data/lib/dependabot/nuget/file_updater/project_file_declaration_finder.rb

@@ -20,6 +20,17 @@ module Dependabot
             <DevelopmentDependency [^>]*?/>|
             <DevelopmentDependency [^>]*?[^/]>.*?</DevelopmentDependency>
           }mx.freeze
+        SDK_IMPORT_REGEX =
+          / <Import [^>]*?Sdk="[^"]*?"[^>]*?Version="[^"]*?"[^>]*?>
+          | <Import [^>]*?Version="[^"]*?"[^>]*?Sdk="[^"]*?"[^>]*?>
+          /mx.freeze
+        SDK_PROJECT_REGEX =
+          / <Project [^>]*?Sdk="[^"]*?"[^>]*?>
+          /mx.freeze
+        SDK_SDK_REGEX =
+          / <Sdk [^>]*?Name="[^"]*?"[^>]*?Version="[^"]*?"[^>]*?>
+          | <Sdk [^>]*?Version="[^"]*?"[^>]*?Name="[^"]*?"[^>]*?>
+          /mx.freeze
 
         attr_reader :dependency_name, :declaring_requirement,
                     :dependency_files
@@ -33,6 +44,7 @@ module Dependabot
 
         def declaration_strings
           @declaration_strings ||= fetch_declaration_strings
+          @declaration_strings += fetch_sdk_strings
         end
 
         def declaration_nodes
@@ -72,6 +84,10 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
         # rubocop:enable Metrics/CyclomaticComplexity
 
+        def fetch_sdk_strings
+          sdk_project_strings + sdk_sdk_strings + sdk_import_strings
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def get_node_version_value(node)
           attribute = "Version"
@@ -95,6 +111,71 @@ module Dependabot
 
           raise "No file found with name #{filename}!"
         end
+
+        def sdk_import_strings
+          sdk_strings(SDK_IMPORT_REGEX, "Import", "Sdk", "Version")
+        end
+
+        def parse_element(string, name)
+          xml = string
+          xml += "</#{name}>" unless string.end_with?("/>")
+          node = Nokogiri::XML(xml)
+          node.remove_namespaces!
+          node.at_xpath("/#{name}")
+        end
+
+        def get_attribute_value_nocase(element, name)
+          value = element.attribute(name)&.value ||
+                  element.attribute(name.downcase)&.value ||
+                  element.attribute(name.upcase)&.value
+          value&.strip
+        end
+
+        def desired_sdk_reference?(sdk_reference, dep_name, dep_version)
+          parts = sdk_reference.split("/")
+          parts.length == 2 && parts[0]&.downcase == dep_name && parts[1] == dep_version
+        end
+
+        def sdk_project_strings
+          dep_name = dependency_name&.downcase
+          dep_version = declaring_requirement.fetch(:requirement)
+          strings = []
+          declaring_file.content.scan(SDK_PROJECT_REGEX).each do |string|
+            element = parse_element(string, "Project")
+            next unless element
+
+            sdk_references = get_attribute_value_nocase(element, "Sdk")
+            next unless sdk_references&.include?("/")
+
+            sdk_references.split(";").each do |sdk_reference|
+              strings << sdk_reference if desired_sdk_reference?(sdk_reference, dep_name, dep_version)
+            end
+          end
+          strings.uniq
+        end
+
+        def sdk_sdk_strings
+          sdk_strings(SDK_SDK_REGEX, "Sdk", "Name", "Version")
+        end
+
+        def sdk_strings(regex, element_name, name_attribute, version_attribute)
+          dep_name = dependency_name&.downcase
+          dep_version = declaring_requirement.fetch(:requirement)
+          strings = []
+          declaring_file.content.scan(regex).each do |string|
+            element = parse_element(string, element_name)
+            next unless element
+
+            node_name = get_attribute_value_nocase(element, name_attribute)&.downcase
+            next unless node_name == dep_name
+
+            node_version = get_attribute_value_nocase(element, version_attribute)
+            next unless node_version == dep_version
+
+            strings << string
+          end
+          strings
+        end
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.166.1
+  version: 0.167.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-14 00:00:00.000000000 Z
+date: 2021-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.166.1
+        version: 0.167.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.166.1
+        version: 0.167.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement