Merge branch 'main' into harry/gdal-updates

dependabot · Jan 24, 2025 · b6c3f48 · b6c3f48
2 parents f373d7d + 687c0e5
commit b6c3f48
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 0 deletions.
diff --git a/bundler/lib/dependabot/bundler/update_checker/force_updater.rb b/bundler/lib/dependabot/bundler/update_checker/force_updater.rb
@@ -52,6 +52,9 @@ def update_multiple_dependencies?
 
         def force_update
           requirement = dependency.requirements.find { |req| req[:file] == gemfile.name }
+
+          valid_gem_version?(target_version)
+
           manifest_requirement_not_satisfied = requirement && !Requirement.satisfied_by?(requirement, target_version)
 
           if manifest_requirement_not_satisfied && requirements_update_strategy.lockfile_only?
@@ -80,6 +83,15 @@ def force_update
           end
         end
 
+        def valid_gem_version?(target_version)
+          # to rule out empty, non gem info ending up in as target_version
+          return true if target_version.is_a?(Gem::Version)
+
+          Dependabot.logger.warn("Bundler force update called with a non-Gem::Version #{target_version}")
+
+          raise Dependabot::DependencyFileNotResolvable
+        end
+
         def original_dependencies
           @original_dependencies ||=
             FileParser.new(

diff --git a/bundler/spec/dependabot/bundler/update_checker/force_updater_spec.rb b/bundler/spec/dependabot/bundler/update_checker/force_updater_spec.rb
@@ -264,6 +264,26 @@
       end
     end
 
+    context "when a gem has corresponding invalid gem info" do
+      let(:update_strategy) { Dependabot::RequirementsUpdateStrategy::LockfileOnly }
+      let(:dependency_files) { bundler_project_dependency_files("invalid_gem_information_in_gemfile") }
+      let(:target_version) { String(nil) }
+      let(:dependency_name) { "navbar" }
+      let(:requirements) do
+        [{
+          file: "Gemfile",
+          requirement: "0.1.0",
+          groups: [:default],
+          source: nil
+        }]
+      end
+
+      it "raises a resolvability error" do
+        expect { updater.updated_dependencies }
+          .to raise_error(Dependabot::DependencyFileNotResolvable)
+      end
+    end
+
     context "when peer dependencies in the Gemfile should update together, but not unlock git gems too" do
       let(:dependency_files) { bundler_project_dependency_files("top_level_update_with_git_gems") }
       let(:target_version) { "5.12.0" }

diff --git a/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile b/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile
@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "dummy-pkg-b", "1.0.0"
+
+gem "navbar", ""
diff --git a/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile.lock b/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile.lock
@@ -0,0 +1,5 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    navbar
+  
diff --git a/common/lib/dependabot/errors.rb b/common/lib/dependabot/errors.rb
@@ -85,6 +85,11 @@ def self.fetcher_error_details(error)
         "error-type": "path_dependencies_not_reachable",
         "error-detail": { dependencies: error.dependencies }
       }
+    when Dependabot::PrivateSourceAuthenticationFailure
+      {
+        "error-type": "private_source_authentication_failure",
+        "error-detail": { source: error.source }
+      }
     when Octokit::Unauthorized
       { "error-type": "octokit_unauthorized" }
     when Octokit::ServerError

diff --git a/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb b/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
@@ -66,6 +66,12 @@ class GoModUpdater
           /Out of diskspace/
         ].freeze, T::Array[Regexp])
 
+        GO_LANG = "Go"
+
+        AMBIGUOUS_ERROR_MESSAGE = /ambiguous import: found package (?<package>.*) in multiple modules/
+
+        GO_VERSION_MISMATCH = /requires go (?<current_ver>.*) .*running go (?<req_ver>.*);/
+
         GO_MOD_VERSION = /^go 1\.\d+(\.\d+)?$/
 
         sig do
@@ -292,6 +298,8 @@ def substitute_all(substitutions)
           write_go_mod(body)
         end
 
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/PerceivedComplexity
         sig { params(stderr: String).returns(T.noreturn) }
         def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize
           stderr = stderr.gsub(Dir.getwd, "")
@@ -323,10 +331,21 @@ def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize
             raise Dependabot::OutOfDisk.new, error_message
           end
 
+          if (matches = stderr.match(AMBIGUOUS_ERROR_MESSAGE))
+            raise Dependabot::DependencyFileNotResolvable, matches[:package]
+          end
+
+          if (matches = stderr.match(GO_VERSION_MISMATCH))
+            raise Dependabot::ToolVersionNotSupported.new(GO_LANG, T.must(matches[:current_ver]),
+                                                          T.must(matches[:req_ver]))
+          end
+
           # We don't know what happened so we raise a generic error
           msg = stderr.lines.last(10).join.strip
           raise Dependabot::DependabotError, msg
         end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/PerceivedComplexity
 
         sig { params(message: String, regex: Regexp).returns(String) }
         def filter_error_message(message:, regex:)

diff --git a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb
@@ -953,6 +953,35 @@
           expect(error.message).to include("write error. Out of diskspace")
         end
       end
+
+      it "detects 'ambiguous package'" do
+        stderr = <<~ERROR
+          go: downloading google.golang.org/grpc v1.70.0
+          go: github.com/terraform-linters/tflint imports
+                  github.com/terraform-linters/tflint/cmd imports
+                  github.com/terraform-linters/tflint-ruleset-terraform/rules imports
+                  github.com/hashicorp/go-getter imports
+                  cloud.google.com/go/storage imports
+                  google.golang.org: ambiguous import: found package google.golang.org/grpc/stats/otl in multiple modules:
+                  google.golang.org/grpc v1.69.2 (/home/dependabot/go/pkg/mod/stats/opentelemetry)
+        ERROR
+
+        expect do
+          updater.send(:handle_subprocess_error, stderr)
+        end.to raise_error(Dependabot::DependencyFileNotResolvable)
+      end
+
+      it "detects 'ToolVersionNotSupported'" do
+        stderr = <<~ERROR
+          go: downloading google.golang.org/grpc v1.67.3
+          go: downloading google.golang.org/grpc v1.70.0
+          go: google.golang.org/grpc/stats/[email protected] requires go >= 1.22.7 (running go 1.22.5; CUAIN=local+auto)
+        ERROR
+
+        expect do
+          updater.send(:handle_subprocess_error, stderr)
+        end.to raise_error(Dependabot::ToolVersionNotSupported)
+      end
     end
   end
 end