Merge branch 'main' into remove-remaining-hardcoded-master-references

dependabot · Mar 7, 2024 · 1b4dc4b · 1b4dc4b
2 parents 4849c7b + dd20669
commit 1b4dc4b
Show file tree

Hide file tree

Showing 20 changed files with 78,859 additions and 30 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -1,6 +1,7 @@
 ---
 require:
   - rubocop-performance
+  - rubocop-rspec
   - rubocop-sorbet
 
 AllCops:
@@ -341,6 +342,15 @@ Sorbet/StrictSigil:
 Sorbet/StrongSigil:
   Exclude:
     - "**/spec/**/*"
+RSpec:
+  Include:
+    - "**/spec/**/*"
+
+# TODO: Fix these and re-enable
+RSpec/FilePath:
+  Enabled: false
+RSpec/SpecFilePathFormat:
+  Enabled: false
 
 # TODO these were temporarily disabled during the Ruby 2.7 -> 3.1 upgrade
 # in order to keep the upgrade diff small, they will be enabled/fixed in

diff --git a/Gemfile b/Gemfile
@@ -37,6 +37,7 @@ deps_shared_with_common = %w(
   rspec-sorbet
   rubocop
   rubocop-performance
+  rubocop-rspec
   rubocop-sorbet
   stackprof
   turbo_tests

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -288,9 +288,17 @@ GEM
       unicode-display_width (>= 2.4.0, < 3.0)
     rubocop-ast (1.30.0)
       parser (>= 3.2.1.0)
+    rubocop-capybara (2.20.0)
+      rubocop (~> 1.41)
+    rubocop-factory_bot (2.25.1)
+      rubocop (~> 1.41)
     rubocop-performance (1.19.1)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
+    rubocop-rspec (2.27.1)
+      rubocop (~> 1.40)
+      rubocop-capybara (~> 2.17)
+      rubocop-factory_bot (~> 2.22)
     rubocop-sorbet (0.7.6)
       rubocop (>= 0.90.0)
     ruby-progressbar (1.13.0)
@@ -381,6 +389,7 @@ DEPENDENCIES
   rspec-sorbet (~> 1.9.2)
   rubocop (~> 1.58.0)
   rubocop-performance (~> 1.19.0)
+  rubocop-rspec (~> 2.27.1)
   rubocop-sorbet (~> 0.7.3)
   sorbet (= 0.5.11274)
   stackprof (~> 0.2.16)

diff --git a/common/dependabot-common.gemspec b/common/dependabot-common.gemspec
@@ -52,6 +52,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec-sorbet", "~> 1.9.2"
   spec.add_development_dependency "rubocop", "~> 1.58.0"
   spec.add_development_dependency "rubocop-performance", "~> 1.19.0"
+  spec.add_development_dependency "rubocop-rspec", "~> 2.27.1"
   spec.add_development_dependency "rubocop-sorbet", "~> 0.7.3"
   spec.add_development_dependency "stackprof", "~> 0.2.16"
   spec.add_development_dependency "turbo_tests", "~> 2.2.0"

diff --git a/common/lib/dependabot/pull_request_creator/message_builder/issue_linker.rb b/common/lib/dependabot/pull_request_creator/message_builder/issue_linker.rb
@@ -21,10 +21,10 @@ class IssueLinker
           /\[(?<tag>(?:\#|GH-)?\d+)\]\(\)/i
         ].freeze, T::Array[Regexp])
 
-        sig { returns(String) }
+        sig { returns(T.nilable(String)) }
         attr_reader :source_url
 
-        sig { params(source_url: String).void }
+        sig { params(source_url: T.nilable(String)).void }
         def initialize(source_url:)
           @source_url = source_url
         end
@@ -46,9 +46,18 @@ def link_issues(text:)
                      .match("#{REPO_REGEX}#{TAG_REGEX}")
                      &.named_captures
                      &.fetch("repo", nil)
-              source = repo ? "https://github.com/#{repo}" : source_url
 
-              "[#{repo ? (repo + tag) : tag}](#{source}/issues/#{number})"
+              source = if repo
+                         "https://github.com/#{repo}"
+                       elsif source_url
+                         source_url
+                       end
+
+              if source
+                "[#{repo ? (repo + tag) : tag}](#{source}/issues/#{number})"
+              else
+                issue_link
+              end
             end
           end
         end

diff --git a/go_modules/Dockerfile b/go_modules/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.22.0-bookworm as go
+FROM docker.io/library/golang:1.22.1-bookworm as go
 
 FROM ghcr.io/dependabot/dependabot-updater-core
 ARG TARGETARCH

diff --git a/nuget/lib/dependabot/nuget/update_checker.rb b/nuget/lib/dependabot/nuget/update_checker.rb
@@ -17,7 +17,8 @@ def latest_version
         # No need to find latest version for transitive dependencies unless they have a vulnerability.
         return dependency.version if !dependency.top_level? && !vulnerable?
 
-        @latest_version = latest_version_details&.fetch(:version)
+        # if no update sources have the requisite package, then we can only assume that the current version is correct
+        @latest_version = latest_version_details&.fetch(:version) || dependency.version
       end
 
       def latest_resolvable_version

diff --git a/nuget/lib/dependabot/nuget/update_checker/compatibility_checker.rb b/nuget/lib/dependabot/nuget/update_checker/compatibility_checker.rb
@@ -66,23 +66,31 @@ def project_tfms
       end
 
       def fetch_package_tfms(dependency_version)
-        nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-        return [] unless nupkg_buffer
-
-        # Parse tfms from the folders beneath the lib folder
-        folder_name = "lib/"
-        tfms = Set.new
-        Zip::File.open_buffer(nupkg_buffer) do |zip|
-          lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-          # If there is no lib folder in this package, assume it is a development dependency
-          return nil if lib_file_entries.empty?
-
-          lib_file_entries.each do |entry|
-            _, tfm = entry.name.split("/").first(2)
-            tfms << tfm
+        cache = CacheManager.cache("compatibility_checker_tfms_cache")
+        key = "#{dependency.name}::#{dependency_version}"
+
+        cache[key] ||= begin
+          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
+          return [] unless nupkg_buffer
+
+          # Parse tfms from the folders beneath the lib folder
+          folder_name = "lib/"
+          tfms = Set.new
+          Zip::File.open_buffer(nupkg_buffer) do |zip|
+            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
+            # If there is no lib folder in this package, assume it is a development dependency
+            return nil if lib_file_entries.empty?
+
+            lib_file_entries.each do |entry|
+              _, tfm = entry.name.split("/").first(2)
+              tfms << tfm
+            end
           end
+
+          tfms.to_a
         end
-        tfms.to_a
+
+        cache[key]
       end
     end
   end

diff --git a/nuget/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb b/nuget/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb
@@ -111,7 +111,13 @@ def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
         current_redirects = 0
 
         loop do
-          response = fetch_url_with_auth(current_url, auth_header)
+          # Directly download the stream without any additional settings _except_ for `omit_default_port: true` which
+          # is necessary to not break the URL signing that some NuGet feeds use.
+          response = Excon.get(
+            current_url,
+            headers: auth_header,
+            omit_default_port: true
+          )
 
           # redirect the HTTP response as appropriate based on documentation here:
           # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections

diff --git a/nuget/spec/dependabot/nuget/update_checker_spec.rb b/nuget/spec/dependabot/nuget/update_checker_spec.rb
@@ -56,6 +56,10 @@ def nuspec_url(name, version)
     "https://api.nuget.org/v3-flatcontainer/#{name.downcase}/#{version}/#{name.downcase}.nuspec"
   end
 
+  def registration_index_url(name)
+    "https://api.nuget.org/v3/registration5-gz-semver2/#{name.downcase}/index.json"
+  end
+
   describe "up_to_date?" do
     subject(:up_to_date?) { checker.up_to_date? }
 
@@ -103,6 +107,17 @@ def nuspec_url(name, version)
 
       expect(checker.latest_version).to eq("dummy_version")
     end
+
+    context "the package could not be found on any source" do
+      before do
+        stub_request(:get, registration_index_url("microsoft.extensions.dependencymodel"))
+          .to_return(status: 404)
+      end
+
+      it "reports the current version" do
+        expect(checker.latest_version).to eq("1.1.1")
+      end
+    end
   end
 
   describe "#lowest_security_fix_version" do

diff --git a/silent/tests/testdata/su-err-all-versions-ignored-rebase.txt b/silent/tests/testdata/su-err-all-versions-ignored-rebase.txt
@@ -0,0 +1,43 @@
+# Testing that Dependabot raises an error when all versions are ignored on a rebase.
+
+! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr all_versions_ignored
+stderr 'All updates for dependency-a were ignored'
+stdout '{"data":{"error-type":"all_versions_ignored","error-details":null},"type":"record_update_job_error"}'
+! stdout create_pull_request
+
+-- manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" }
+}
+
+-- dependency-a --
+{
+  "versions": [
+    "1.2.4"
+  ]
+}
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+    - dependency-a
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - <= 1.2.3
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true
+  updating-a-pull-request: true
+  ignore-conditions:
+    - dependency-name: dependency-a
+      version-requirement: "> 1.0.0"
+      source: input file