dependabot-nuget 0.80.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 07c225b6dcae09a617444df10ca1f5fc0aaf1ae159ba376d980c84d26a758f39
+  data.tar.gz: 7a304f35e363cc2a6f40b7c040bba03b14b848add5e5048e9bdbab8ae68c2aab
+SHA512:
+  metadata.gz: da29d11282b5b11e47a33066c43172b82386203939acc7241496a05ca2b97a91a2aedab4c71123fe006e11bd0f745f14f52e2de5abf00164205917c34f401672
+  data.tar.gz: a5996018d925129d2940ee06c7b7382885d13b0ec6fb95b82c4d09fb0bd4987a8af97d5575d86892a8b59687ab25419015d55fc4d55b12b7766f8f656421a131

data/lib/dependabot/nuget/file_fetcher/import_paths_finder.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "pathname"
+
+require "dependabot/nuget/file_fetcher"
+
+module Dependabot
+  module Nuget
+    class FileFetcher
+      class ImportPathsFinder
+        def initialize(project_file:)
+          @project_file = project_file
+        end
+
+        def import_paths
+          doc = Nokogiri::XML(project_file.content)
+          doc.remove_namespaces!
+          doc.xpath("/Project/Import").map do |import_node|
+            path = import_node.attribute("Project").value.strip.tr("\\", "/")
+            path = File.join(current_dir, path) unless current_dir.nil?
+            Pathname.new(path).cleanpath.to_path
+          end
+        end
+
+        def project_reference_paths
+          doc = Nokogiri::XML(project_file.content)
+          doc.remove_namespaces!
+          doc.xpath("/Project/ItemGroup/ProjectReference").map do |node|
+            path = node.attribute("Include").value.strip.tr("\\", "/")
+            path = File.join(current_dir, path) unless current_dir.nil?
+            Pathname.new(path).cleanpath.to_path
+          end
+        end
+
+        private
+
+        attr_reader :project_file
+
+        def current_dir
+          parts = project_file.name.split("/")[0..-2]
+          return if parts.empty?
+
+          parts.join("/")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_fetcher/sln_project_paths_finder.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "dependabot/nuget/file_fetcher"
+
+module Dependabot
+  module Nuget
+    class FileFetcher
+      class SlnProjectPathsFinder
+        PROJECT_PATH_REGEX =
+          /(?<=["'])[^"']*?\.(?:vb|cs|fs)proj(?=["'])/.freeze
+
+        def initialize(sln_file:)
+          @sln_file = sln_file
+        end
+
+        def project_paths
+          paths = []
+          sln_file_lines = sln_file.content.lines
+
+          sln_file_lines.each_with_index do |line, index|
+            next unless line.match?(/^\s*Project/)
+
+            # Don't know how to handle multi-line project declarations yet
+            next unless sln_file_lines[index + 1]&.match?(/^\s*EndProject/)
+
+            path = line.split('"')[5]
+            path = path.tr("\\", "/")
+
+            # If the path doesn't have an extension it's probably a directory
+            next unless path.match?(/\.[a-z]{2}proj$/)
+
+            path = File.join(current_dir, path) unless current_dir.nil?
+            paths << Pathname.new(path).cleanpath.to_path
+          end
+
+          paths
+        end
+
+        private
+
+        attr_reader :sln_file
+
+        def current_dir
+          parts = sln_file.name.split("/")[0..-2]
+          return if parts.empty?
+
+          parts.join("/")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_fetcher.rb

@@ -0,0 +1,216 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Nuget
+    class FileFetcher < Dependabot::FileFetchers::Base
+      require_relative "file_fetcher/import_paths_finder"
+      require_relative "file_fetcher/sln_project_paths_finder"
+
+      def self.required_files_in?(filenames)
+        return true if filenames.any? { |f| f.match?(/^packages\.config$/i) }
+        return true if filenames.any? { |f| f.end_with?(".sln") }
+
+        filenames.any? { |name| name.match?(%r{^[^/]*\.[a-z]{2}proj$}) }
+      end
+
+      def self.required_files_message
+        "Repo must contain a .(cs|vb|fs)proj file or a packages.config."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files += project_files
+        fetched_files += directory_build_props_files
+        fetched_files += imported_property_files
+
+        fetched_files += packages_config_files
+        fetched_files << nuget_config if nuget_config
+
+        fetched_files = fetched_files.uniq
+
+        if project_files.none? && packages_config_files.none?
+          raise(
+            Dependabot::DependencyFileNotFound,
+            File.join(directory, "<anything>.(cs|vb|fs)proj")
+          )
+        end
+
+        fetched_files
+      end
+
+      def project_files
+        @project_files ||=
+          begin
+            project_files = []
+            project_files << csproj_file if csproj_file
+            project_files << vbproj_file if vbproj_file
+            project_files << fsproj_file if fsproj_file
+
+            project_files += sln_project_files
+            project_files
+          end
+      rescue Octokit::NotFound, Gitlab::Error::NotFound
+        raise(
+          Dependabot::DependencyFileNotFound,
+          File.join(directory, "<anything>.(cs|vb|fs)proj")
+        )
+      end
+
+      def packages_config_files
+        return @packages_config_files if @packages_config_files
+
+        candidate_paths =
+          [*project_files.map { |f| File.dirname(f.name) }, "."].uniq
+
+        @packages_config_files ||=
+          candidate_paths.map do |dir|
+            file = repo_contents(dir: dir).
+                   find { |f| f.name.casecmp("packages.config").zero? }
+            fetch_file_from_host(File.join(dir, file.name)) if file
+          end.compact
+      end
+
+      def sln_file
+        return unless sln_file_name
+
+        @sln_file ||= fetch_file_from_host(sln_file_name)
+      end
+
+      def sln_file_name
+        sln_files = repo_contents.select { |f| f.name.end_with?(".sln") }
+
+        # If there are no sln files, just return `nil`
+        return if sln_files.none?
+
+        # Use the biggest sln file
+        sln_files.max_by(&:size).name
+      end
+
+      def directory_build_props_files
+        return @directory_build_props_files if @directory_build_checked
+
+        @directory_build_checked = true
+        attempted_paths = []
+        @directory_build_props_files = []
+
+        # Don't need to insert "." here, because Directory.Build.props files
+        # can only be used by project files (not packages.config ones)
+        project_files.map { |f| File.dirname(f.name) }.uniq.map do |dir|
+          possible_paths = dir.split("/").map.with_index do |_, i|
+            base = dir.split("/").first(i + 1).join("/")
+            Pathname.new(base + "/Directory.Build.props").cleanpath.to_path
+          end.reverse + ["Directory.Build.props"]
+
+          possible_paths.each do |path|
+            break if attempted_paths.include?(path)
+
+            attempted_paths << path
+            @directory_build_props_files << fetch_file_from_host(path)
+          rescue Dependabot::DependencyFileNotFound
+            next
+          end
+        end
+
+        @directory_build_props_files
+      end
+
+      def sln_project_files
+        return [] unless sln_file
+
+        @sln_project_files ||=
+          begin
+            paths = SlnProjectPathsFinder.
+                    new(sln_file: sln_file).
+                    project_paths
+
+            paths.map do |path|
+              fetch_file_from_host(path)
+            rescue Dependabot::DependencyFileNotFound
+              # Don't worry about missing files too much for now (at least
+              # until we start resolving properties)
+              nil
+            end.compact
+          end
+      end
+
+      def csproj_file
+        @csproj_file ||=
+          begin
+            file = repo_contents.find { |f| f.name.end_with?(".csproj") }
+            fetch_file_from_host(file.name) if file
+          end
+      end
+
+      def vbproj_file
+        @vbproj_file ||=
+          begin
+            file = repo_contents.find { |f| f.name.end_with?(".vbproj") }
+            fetch_file_from_host(file.name) if file
+          end
+      end
+
+      def fsproj_file
+        @fsproj_file ||=
+          begin
+            file = repo_contents.find { |f| f.name.end_with?(".fsproj") }
+            fetch_file_from_host(file.name) if file
+          end
+      end
+
+      def nuget_config
+        @nuget_config ||=
+          begin
+            file = repo_contents.
+                   find { |f| f.name.casecmp("nuget.config").zero? }
+            file = fetch_file_from_host(file.name) if file
+            file&.tap { |f| f.support_file = true }
+          end
+      end
+
+      def imported_property_files
+        imported_property_files = []
+
+        [*project_files, *directory_build_props_files].each do |proj_file|
+          previously_fetched_files = project_files + imported_property_files
+          imported_property_files +=
+            fetch_imported_property_files(
+              file: proj_file,
+              previously_fetched_files: previously_fetched_files
+            )
+        end
+
+        imported_property_files
+      end
+
+      def fetch_imported_property_files(file:, previously_fetched_files:)
+        paths =
+          ImportPathsFinder.new(project_file: file).import_paths +
+          ImportPathsFinder.new(project_file: file).project_reference_paths
+
+        paths.flat_map do |path|
+          next if previously_fetched_files.map(&:name).include?(path)
+          next if file.name == path
+          next if path.include?("$(")
+
+          fetched_file = fetch_file_from_host(path)
+          grandchild_property_files = fetch_imported_property_files(
+            file: fetched_file,
+            previously_fetched_files: previously_fetched_files + [file]
+          )
+          [fetched_file, *grandchild_property_files]
+        rescue Dependabot::DependencyFileNotFound
+          # Don't worry about missing files too much for now (at least
+          # until we start resolving properties)
+          nil
+        end.compact
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("nuget", Dependabot::Nuget::FileFetcher)

data/lib/dependabot/nuget/file_parser/packages_config_parser.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/nuget/file_parser"
+
+# For details on packages.config files see:
+# https://docs.microsoft.com/en-us/nuget/reference/packages-config
+module Dependabot
+  module Nuget
+    class FileParser
+      class PackagesConfigParser
+        require "dependabot/file_parsers/base/dependency_set"
+
+        DEPENDENCY_SELECTOR = "packages > package"
+
+        def initialize(packages_config:)
+          @packages_config = packages_config
+        end
+
+        def dependency_set
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          doc = Nokogiri::XML(packages_config.content)
+          doc.remove_namespaces!
+          doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
+            dependency_set <<
+              Dependency.new(
+                name: dependency_name(dependency_node),
+                version: dependency_version(dependency_node),
+                package_manager: "nuget",
+                requirements: [{
+                  requirement: dependency_version(dependency_node),
+                  file: packages_config.name,
+                  groups: [],
+                  source: nil
+                }]
+              )
+          end
+
+          dependency_set
+        end
+
+        private
+
+        attr_reader :packages_config
+
+        def dependency_name(dependency_node)
+          dependency_node.attribute("id")&.value&.strip ||
+            dependency_node.at_xpath("./id")&.content&.strip
+        end
+
+        def dependency_version(dependency_node)
+          # Ranges and wildcards aren't allowed in a packages.config - the
+          # specified requirement is always an exact version.
+          dependency_node.attribute("version")&.value&.strip ||
+            dependency_node.at_xpath("./version")&.content&.strip
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_parser/project_file_parser.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/nuget/file_parser"
+
+# For details on how dotnet handles version constraints, see:
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning
+module Dependabot
+  module Nuget
+    class FileParser
+      class ProjectFileParser
+        require "dependabot/file_parsers/base/dependency_set"
+        require_relative "property_value_finder"
+
+        DEPENDENCY_SELECTOR = "ItemGroup > PackageReference, "\
+                              "ItemGroup > Dependency, "\
+                              "ItemGroup > DevelopmentDependency"
+
+        PROPERTY_REGEX      = /\$\((?<property>.*?)\)/.freeze
+
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def dependency_set(project_file:)
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          doc = Nokogiri::XML(project_file.content)
+          doc.remove_namespaces!
+          doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
+            name = dependency_name(dependency_node, project_file)
+            req = dependency_requirement(dependency_node, project_file)
+            version = dependency_version(dependency_node, project_file)
+            prop_name = req_property_name(dependency_node)
+
+            dependency =
+              build_dependency(name, req, version, prop_name, project_file)
+            dependency_set << dependency if dependency
+          end
+
+          dependency_set
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def build_dependency(name, req, version, prop_name, project_file)
+          return unless name
+
+          # Exclude any dependencies specified using interpolation
+          return if [name, req, version].any? { |s| s&.include?("%(") }
+
+          requirement = {
+            requirement: req,
+            file: project_file.name,
+            groups: [],
+            source: nil
+          }
+
+          if prop_name
+            # Get the root property name unless no details could be found,
+            # in which case use the top-level name to ease debugging
+            root_prop_name = details_for_property(prop_name, project_file)&.
+                             fetch(:root_property_name) || prop_name
+            requirement[:metadata] = { property_name: root_prop_name }
+          end
+
+          Dependency.new(
+            name: name,
+            version: version,
+            package_manager: "nuget",
+            requirements: [requirement]
+          )
+        end
+
+        def dependency_name(dependency_node, project_file)
+          raw_name =
+            dependency_node.attribute("Include")&.value&.strip ||
+            dependency_node.at_xpath("./Include")&.content&.strip
+          return unless raw_name
+
+          evaluated_value(raw_name, project_file)
+        end
+
+        def dependency_requirement(dependency_node, project_file)
+          raw_requirement =
+            dependency_node.attribute("Version")&.value&.strip ||
+            dependency_node.at_xpath("./Version")&.content&.strip
+          return unless raw_requirement
+
+          evaluated_value(raw_requirement, project_file)
+        end
+
+        def dependency_version(dependency_node, project_file)
+          requirement = dependency_requirement(dependency_node, project_file)
+          return unless requirement
+
+          # Remove brackets if present
+          version = requirement.gsub(/[\(\)\[\]]/, "").strip
+
+          # We don't know the version for range requirements or wildcard
+          # requirements, so return `nil` for these.
+          return if version.include?(",") || version.include?("*") ||
+                    version == ""
+
+          version
+        end
+
+        def req_property_name(dependency_node)
+          raw_requirement =
+            dependency_node.attribute("Version")&.value&.strip ||
+            dependency_node.at_xpath("./Version")&.content&.strip
+          return unless raw_requirement
+
+          return unless raw_requirement.match?(PROPERTY_REGEX)
+
+          raw_requirement.
+            match(PROPERTY_REGEX).
+            named_captures.fetch("property")
+        end
+
+        def evaluated_value(value, project_file)
+          return value unless value.match?(PROPERTY_REGEX)
+
+          property_name = value.match(PROPERTY_REGEX).
+                          named_captures.fetch("property")
+          property_details = details_for_property(property_name, project_file)
+
+          # Don't halt parsing for a missing property value until we're
+          # confident we're fetching property values correctly
+          return value unless property_details&.fetch(:value)
+
+          value.gsub(PROPERTY_REGEX, property_details&.fetch(:value))
+        end
+
+        def details_for_property(property_name, project_file)
+          property_value_finder.
+            property_details(
+              property_name: property_name,
+              callsite_file: project_file
+            )
+        end
+
+        def property_value_finder
+          @property_value_finder ||=
+            PropertyValueFinder.new(dependency_files: dependency_files)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/file_parser/property_value_finder.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+require "dependabot/nuget/file_fetcher/import_paths_finder"
+require "dependabot/nuget/file_parser"
+
+# For docs, see:
+# - https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-properties
+# - https://docs.microsoft.com/en-us/visualstudio/msbuild/customize-your-build
+module Dependabot
+  module Nuget
+    class FileParser
+      class PropertyValueFinder
+        PROPERTY_REGEX = /\$\((?<property>.*?)\)/.freeze
+
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def property_details(property_name:, callsite_file:, stack: [])
+          stack += [[property_name, callsite_file.name]]
+
+          node_details = deep_find_prop_node(
+            property: property_name,
+            file: callsite_file
+          )
+
+          node_details ||=
+            find_property_in_directory_build_props(
+              property: property_name,
+              callsite_file: callsite_file
+            )
+
+          return unless node_details
+          return node_details unless node_details[:value] =~ PROPERTY_REGEX
+
+          check_next_level_of_stack(node_details, stack)
+        end
+
+        def check_next_level_of_stack(node_details, stack)
+          property_name = node_details.fetch(:value).
+                          match(PROPERTY_REGEX).
+                          named_captures.fetch("property")
+          callsite_file = dependency_files.
+                          find { |f| f.name == node_details.fetch(:file) }
+
+          if stack.include?([property_name, callsite_file.name])
+            raise "Circular reference!"
+          end
+
+          property_details(
+            property_name: property_name,
+            callsite_file: callsite_file,
+            stack: stack
+          )
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def deep_find_prop_node(property:, file:)
+          doc = Nokogiri::XML(file.content)
+          doc.remove_namespaces!
+          node = doc.at_xpath(property_xpath(property))
+
+          # If we found a value for the property, return it
+          if node
+            return node_details(file: file, node: node, property: property)
+          end
+
+          # Otherwise, we need to look in an imported file
+          import_path_finder =
+            Nuget::FileFetcher::ImportPathsFinder.
+            new(project_file: file)
+
+          import_paths = [
+            *import_path_finder.import_paths,
+            *import_path_finder.project_reference_paths
+          ]
+
+          file = import_paths.
+                 map { |p| dependency_files.find { |f| f.name == p } }.
+                 compact.
+                 find { |f| deep_find_prop_node(property: property, file: f) }
+
+          return unless file
+
+          deep_find_prop_node(property: property, file: file)
+        end
+
+        def find_property_in_directory_build_props(property:, callsite_file:)
+          file = buildfile_for_project(callsite_file)
+          return unless file
+
+          deep_find_prop_node(property: property, file: file)
+        end
+
+        def buildfile_for_project(project_file)
+          dir = File.dirname(project_file.name)
+
+          # Nuget walks up the directory structure looking for a
+          # Directory.Build.props file
+          possible_paths = dir.split("/").map.with_index do |_, i|
+            base = dir.split("/").first(i + 1).join("/")
+            Pathname.new(base + "/Directory.Build.props").cleanpath.to_path
+          end.reverse + ["Directory.Build.props"]
+
+          path = possible_paths.uniq.
+                 find { |p| dependency_files.find { |f| f.name == p } }
+
+          dependency_files.find { |f| f.name == path }
+        end
+
+        def property_xpath(property_name)
+          "/Project/PropertyGroup/#{property_name}"
+        end
+
+        def node_details(file:, node:, property:)
+          {
+            file: file.name,
+            node: node,
+            value: node.content.strip,
+            root_property_name: property
+          }
+        end
+      end
+    end
+  end
+end