dependabot-nuget 0.237.0 → 0.238.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d633bba8c781dee126f8f39e1646bf6fa77624c4154f599c379a7a2597ca2ab5
-  data.tar.gz: 1b6363c64e9ec7d3d9b44d3c5eb62a4065bbfe57da21e48e95a2b45a7ecd7c3e
+  metadata.gz: 4d913e6e79cd35b4a00551789e2d9fbea3a71476b76a12f64adfc3427cf419b1
+  data.tar.gz: 103b3ed625f8a89133b2c53b6a49941826cf3663de6897e9baad943a78fa37c7
 SHA512:
-  metadata.gz: fbf7eb348c2a69d39eb4058efa0c68da4bfd8cac52646fa6230ed9dcc4efbe1c5ac216f03d67249b8fc48fe542790cac2e6b360e7725f7d2f8f7edb023d2cb4d
-  data.tar.gz: 9f96e9f0a24581bed453c8c16246d01c5f284e52e1972614be5b0dadea10c8de2351ec06d37c59872066bf07ea0e5605c0549437b53c883d1ebebf9689525ec8
+  metadata.gz: c820263ed7825b8f7270693513d8ebab3ee73169318ca5113c75cad689887b5b42c1731fd6496e12033ba7a3ff0d3a59752b7bc512e64ae93baf4a520d485a83
+  data.tar.gz: 7ce94d621ef880f809124364816e19aa8cb1fe1975967d8eb907cf40b1573ff2c3fe4c8fad91631f5f545433813252736c3c1db17228366dea8950f0ab50ac9a

data/lib/dependabot/nuget/cache_manager.rb

@@ -0,0 +1,22 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "set"
+
+module Dependabot
+  module Nuget
+    class CacheManager
+      def self.caching_disabled?
+        ENV["DEPENDABOT_NUGET_CACHE_DISABLED"] == "true"
+      end
+
+      def self.cache(name)
+        @cache ||= {}
+        @cache[name] ||= {}
+        @cache[name]
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_fetcher/import_paths_finder.rb

@@ -39,6 +39,21 @@ module Dependabot
           nodes.compact
         end
 
+        def project_file_paths
+          doc = Nokogiri::XML(project_file.content)
+          doc.remove_namespaces!
+          nodes = doc.xpath("/Project/ItemGroup/ProjectFile").map do |node|
+            attribute = node.attribute("Include")
+            next unless attribute
+
+            path = attribute.value.strip.tr("\\", "/")
+            path = File.join(current_dir, path) unless current_dir.nil?
+            Pathname.new(path).cleanpath.to_path
+          end
+
+          nodes.compact
+        end
+
         private
 
         attr_reader :project_file

data/lib/dependabot/nuget/file_fetcher.rb

@@ -15,22 +15,27 @@ module Dependabot
       require_relative "file_fetcher/import_paths_finder"
       require_relative "file_fetcher/sln_project_paths_finder"
 
+      BUILD_FILE_NAMES = /^Directory\.Build\.(props|targets)$/i # Directory.Build.props, Directory.Build.targets
+
       def self.required_files_in?(filenames)
         return true if filenames.any? { |f| f.match?(/^packages\.config$/i) }
         return true if filenames.any? { |f| f.end_with?(".sln") }
         return true if filenames.any? { |f| f.match?("^src$") }
+        return true if filenames.any? { |f| f.end_with?(".proj") }
 
         filenames.any? { |name| name.match?(%r{^[^/]*\.[a-z]{2}proj$}) }
       end
 
       def self.required_files_message
-        "Repo must contain a .(cs|vb|fs)proj file or a packages.config."
+        "Repo must contain a .proj file, .(cs|vb|fs)proj file, or a packages.config."
       end
 
+      # rubocop:disable Metrics/AbcSize
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
         fetched_files = []
         fetched_files += project_files
+        fetched_files += project_files.filter_map { |f| directory_packages_props_file_from_project_file(f) }
         fetched_files += directory_build_files
         fetched_files += imported_property_files
 
@@ -40,7 +45,10 @@ module Dependabot
         fetched_files << dotnet_tools_json if dotnet_tools_json
         fetched_files << packages_props if packages_props
 
-        fetched_files = fetched_files.uniq
+        # dedup files based on their absolute path
+        fetched_files = fetched_files.uniq do |fetched_file|
+          Pathname.new(File.join(fetched_file.directory, fetched_file.name)).cleanpath.to_path
+        end
 
         if project_files.none? && packages_config_files.none?
           raise @missing_sln_project_file_errors.first if @missing_sln_project_file_errors&.any?
@@ -53,6 +61,7 @@ module Dependabot
 
         fetched_files
       end
+      # rubocop:enable Metrics/AbcSize
 
       private
 
@@ -60,10 +69,9 @@ module Dependabot
         @project_files ||=
           begin
             project_files = []
-            project_files << csproj_file if csproj_file
-            project_files << vbproj_file if vbproj_file
-            project_files << fsproj_file if fsproj_file
-            project_files << directory_packages_props_file if directory_packages_props_file
+            project_files += csproj_file
+            project_files += vbproj_file
+            project_files += fsproj_file
 
             project_files += sln_project_files
             project_files
@@ -112,49 +120,37 @@ module Dependabot
         @directory_build_files ||= fetch_directory_build_files
       end
 
+      # rubocop:disable Metrics/AbcSize
       def fetch_directory_build_files
-        attempted_paths = []
+        attempted_dirs = []
         directory_build_files = []
-
-        # Don't need to insert "." here, because Directory.Build.props files
-        # can only be used by project files (not packages.config ones)
-        project_files.map { |f| File.dirname(f.name) }.uniq.map do |dir|
-          possible_paths = dir.split("/").flat_map.with_index do |_, i|
-            base = dir.split("/").first(i + 1).join("/")
-            possible_build_file_paths(base)
+        directory_path = Pathname.new(directory)
+
+        # find all build files (Directory.Build.props/.targets) relative to the given project file
+        project_files.map { |f| File.dirname(File.join(f.directory, f.name)) }.uniq.each do |dir|
+          # Simulate MSBuild walking up the directory structure looking for a file
+          possible_dirs = dir.split("/").map.with_index do |_, i|
+            candidate_dir = dir.split("/").first(i + 1).join("/")
+            candidate_dir = "/#{candidate_dir}" unless candidate_dir.start_with?("/")
+            candidate_dir
           end.reverse
 
-          possible_paths += [
-            "Directory.Build.props",
-            "Directory.build.props",
-            "Directory.Packages.props",
-            "Directory.packages.props",
-            "Directory.Build.targets",
-            "Directory.build.targets"
-          ]
-
-          possible_paths.each do |path|
-            break if attempted_paths.include?(path)
-
-            attempted_paths << path
-            file = fetch_file_if_present(path)
-            directory_build_files << file if file
+          possible_dirs.each do |possible_dir|
+            break if attempted_dirs.include?(possible_dir)
+
+            attempted_dirs << possible_dir
+            relative_possible_dir = Pathname.new(possible_dir).relative_path_from(directory_path).to_s
+            build_files = repo_contents(dir: relative_possible_dir).select { |f| f.name.match?(BUILD_FILE_NAMES) }
+            directory_build_files += build_files.map do |file|
+              possible_file = File.join(relative_possible_dir, file.name).delete_prefix("/")
+              fetch_file_from_host(possible_file)
+            end
           end
         end
 
         directory_build_files
       end
-
-      def possible_build_file_paths(base)
-        [
-          Pathname.new(base + "/Directory.Build.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.build.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.Packages.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.packages.props").cleanpath.to_path,
-          Pathname.new(base + "/Directory.Build.targets").cleanpath.to_path,
-          Pathname.new(base + "/Directory.build.targets").cleanpath.to_path
-        ]
-      end
+      # rubocop:enable Metrics/AbcSize
 
       def sln_project_files
         return [] unless sln_files
@@ -189,35 +185,42 @@ module Dependabot
       end
 
       def csproj_file
-        @csproj_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.end_with?(".csproj") }
-            fetch_file_from_host(file.name) if file
-          end
+        @csproj_file ||= find_and_fetch_with_suffix(".csproj")
       end
 
       def vbproj_file
-        @vbproj_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.end_with?(".vbproj") }
-            fetch_file_from_host(file.name) if file
-          end
+        @vbproj_file ||= find_and_fetch_with_suffix(".vbproj")
       end
 
       def fsproj_file
-        @fsproj_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.end_with?(".fsproj") }
-            fetch_file_from_host(file.name) if file
-          end
+        @fsproj_file ||= find_and_fetch_with_suffix(".fsproj")
       end
 
-      def directory_packages_props_file
-        @directory_packages_props_file ||=
-          begin
-            file = repo_contents.find { |f| f.name.casecmp?("directory.packages.props") }
-            fetch_file_from_host(file.name) if file
+      def directory_packages_props_file_from_project_file(project_file)
+        # walk up the tree from each project file stopping at the first `Directory.Packages.props` file found
+        # https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management#central-package-management-rules
+
+        found_directory_packages_props_file = nil
+        directory_path = Pathname.new(directory)
+        full_project_dir = File.dirname(File.join(project_file.directory, project_file.name))
+        full_project_dir.split("/").each.with_index do |_, i|
+          break if found_directory_packages_props_file
+
+          base = full_project_dir.split("/").first(i + 1).join("/")
+          candidate_file_path = Pathname.new(base + "/Directory.Packages.props").cleanpath.to_path
+          candidate_directory = Pathname.new(File.dirname(candidate_file_path))
+          relative_candidate_directory = candidate_directory.relative_path_from(directory_path)
+          candidate_file = repo_contents(dir: relative_candidate_directory).find do |f|
+            f.name.casecmp?("Directory.Packages.props")
           end
+          found_directory_packages_props_file = fetch_file_from_host(candidate_file.name) if candidate_file
+        end
+
+        found_directory_packages_props_file
+      end
+
+      def find_and_fetch_with_suffix(suffix)
+        repo_contents.select { |f| f.name.end_with?(suffix) }.map { |f| fetch_file_from_host(f.name) }
       end
 
       def nuget_config_files
@@ -286,7 +289,8 @@ module Dependabot
       def fetch_imported_property_files(file:, previously_fetched_files:)
         paths =
           ImportPathsFinder.new(project_file: file).import_paths +
-          ImportPathsFinder.new(project_file: file).project_reference_paths
+          ImportPathsFinder.new(project_file: file).project_reference_paths +
+          ImportPathsFinder.new(project_file: file).project_file_paths
 
         paths.flat_map do |path|
           next if previously_fetched_files.map(&:name).include?(path)

data/lib/dependabot/nuget/file_parser/dotnet_tools_json_parser.rb

@@ -51,7 +51,8 @@ module Dependabot
         attr_reader :dotnet_tools_json
 
         def parsed_dotnet_tools_json
-          @parsed_dotnet_tools_json ||= JSON.parse(dotnet_tools_json.content)
+          # Remove BOM if present as JSON should be UTF-8
+          @parsed_dotnet_tools_json ||= JSON.parse(dotnet_tools_json.content.delete_prefix("\uFEFF"))
         rescue JSON::ParserError
           raise Dependabot::DependencyFileNotParseable, dotnet_tools_json.path
         end

data/lib/dependabot/nuget/file_parser/global_json_parser.rb

@@ -48,7 +48,8 @@ module Dependabot
         attr_reader :global_json
 
         def parsed_global_json
-          @parsed_global_json ||= JSON.parse(global_json.content)
+          # Remove BOM if present as JSON should be UTF-8
+          @parsed_global_json ||= JSON.parse(global_json.content.delete_prefix("\uFEFF"))
         rescue JSON::ParserError
           raise Dependabot::DependencyFileNotParseable, global_json.path
         end

data/lib/dependabot/nuget/file_parser/packages_config_parser.rb

@@ -5,6 +5,7 @@ require "nokogiri"
 
 require "dependabot/dependency"
 require "dependabot/nuget/file_parser"
+require "dependabot/nuget/cache_manager"
 
 # For details on packages.config files see:
 # https://docs.microsoft.com/en-us/nuget/reference/packages-config
@@ -16,11 +17,32 @@ module Dependabot
 
         DEPENDENCY_SELECTOR = "packages > package"
 
+        def self.dependency_set_cache
+          CacheManager.cache("packages_config_dependency_set")
+        end
+
         def initialize(packages_config:)
           @packages_config = packages_config
         end
 
         def dependency_set
+          return parse_dependencies if CacheManager.caching_disabled?
+
+          key = "#{packages_config.name.downcase}::#{packages_config.content.hash}"
+          cache = PackagesConfigParser.dependency_set_cache
+
+          cache[key] ||= parse_dependencies
+
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+          dependency_set += cache[key]
+          dependency_set
+        end
+
+        private
+
+        attr_reader :packages_config
+
+        def parse_dependencies
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           doc = Nokogiri::XML(packages_config.content)
@@ -43,10 +65,6 @@ module Dependabot
           dependency_set
         end
 
-        private
-
-        attr_reader :packages_config
-
         def dependency_name(dependency_node)
           dependency_node.attribute("id")&.value&.strip ||
             dependency_node.at_xpath("./id")&.content&.strip