From f3327e0253050d7caedded68a426af14c0021bc4 Mon Sep 17 00:00:00 2001 From: "S.Sandhu" <167903774+sachin-sandhu@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:39:58 -0500 Subject: [PATCH 1/3] Adds handler for null versions reqs ending up in requirements (#11396) Adds handler for null versions reqs ending up in requirements (#11396) --- .../bundler/update_checker/force_updater.rb | 12 +++++++++++ .../update_checker/force_updater_spec.rb | 20 +++++++++++++++++++ .../Gemfile | 5 +++++ .../Gemfile.lock | 5 +++++ 4 files changed, 42 insertions(+) create mode 100644 bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile create mode 100644 bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile.lock diff --git a/bundler/lib/dependabot/bundler/update_checker/force_updater.rb b/bundler/lib/dependabot/bundler/update_checker/force_updater.rb index ac56292191..039a89debe 100644 --- a/bundler/lib/dependabot/bundler/update_checker/force_updater.rb +++ b/bundler/lib/dependabot/bundler/update_checker/force_updater.rb @@ -52,6 +52,9 @@ def update_multiple_dependencies? def force_update requirement = dependency.requirements.find { |req| req[:file] == gemfile.name } + + valid_gem_version?(target_version) + manifest_requirement_not_satisfied = requirement && !Requirement.satisfied_by?(requirement, target_version) if manifest_requirement_not_satisfied && requirements_update_strategy.lockfile_only? @@ -80,6 +83,15 @@ def force_update end end + def valid_gem_version?(target_version) + # to rule out empty, non gem info ending up in as target_version + return true if target_version.is_a?(Gem::Version) + + Dependabot.logger.warn("Bundler force update called with a non-Gem::Version #{target_version}") + + raise Dependabot::DependencyFileNotResolvable + end + def original_dependencies @original_dependencies ||= FileParser.new( 
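Review bot: `valid_gem_version?` never returns false — it either returns true or raises — so the `?` suffix and the bare call `valid_gem_version?(target_version)` in the first hunk, whose result is discarded, read as a boolean check that nothing consults; a bang name such as `ensure_valid_target_version!(target_version)` (or `raise Dependabot::DependencyFileNotResolvable unless valid_gem_version?(target_version)` at the call site, with the method returning false) matches Ruby convention. The new guard accepts only `Gem::Version`, yet the adjacent spec contexts set `let(:target_version) { "5.12.0" }`, so unless the constructor normalises `target_version` somewhere outside this hunk those examples would now raise; worth confirming. The raise also carries no message, and `raise Dependabot::DependencyFileNotResolvable, "Invalid target version for #{dependency.name}: #{target_version.inspect}"` would make the reported error actionable. `force_update` continues past the hunk boundary.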
diff --git a/bundler/spec/dependabot/bundler/update_checker/force_updater_spec.rb b/bundler/spec/dependabot/bundler/update_checker/force_updater_spec.rb index 0ca94d6b20..f619df05a1 100644 --- a/bundler/spec/dependabot/bundler/update_checker/force_updater_spec.rb +++ b/bundler/spec/dependabot/bundler/update_checker/force_updater_spec.rb @@ -264,6 +264,26 @@ end end + context "when a gem has corresponding invalid gem info" do + let(:update_strategy) { Dependabot::RequirementsUpdateStrategy::LockfileOnly } + let(:dependency_files) { bundler_project_dependency_files("invalid_gem_information_in_gemfile") } + let(:target_version) { String(nil) } + let(:dependency_name) { "navbar" } + let(:requirements) do + [{ + file: "Gemfile", + requirement: "0.1.0", + groups: [:default], + source: nil + }] + end + + it "raises a resolvability error" do + expect { updater.updated_dependencies } + .to raise_error(Dependabot::DependencyFileNotResolvable) + end + end + context "when peer dependencies in the Gemfile should update together, but not unlock git gems too" do let(:dependency_files) { bundler_project_dependency_files("top_level_update_with_git_gems") } let(:target_version) { "5.12.0" } diff --git a/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile b/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile new file mode 100644 index 0000000000..3a3eabc7a0 --- /dev/null +++ b/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile @@ -0,0 +1,5 @@ +source "https://rubygems.org" + +gem "dummy-pkg-b", "1.0.0" + +gem "navbar", "" diff --git a/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile.lock b/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile.lock new file mode 100644 index 0000000000..237948ea8a --- /dev/null +++ b/bundler/spec/fixtures/projects/bundler2/invalid_gem_information_in_gemfile/Gemfile.lock 
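Review bot: `let(:target_version) { String(nil) }` is just `""` written indirectly, and the context name "when a gem has corresponding invalid gem info" does not say what is invalid about it; `let(:target_version) { "" } # mirrors the empty version in gem "navbar", "" in the fixture` states the scenario directly. The example only asserts the error class, which is all the current raise exposes, so if a message is later added to the raise this example is the place to pin it. The enclosing describe block begins before and ends after the hunk.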
@@ -0,0 +1,5 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ navbar
+
From 99c445d9c0676aceb7efc43ac4eb01570f136488 Mon Sep 17 00:00:00 2001
From: "Brett V. Forsgren"
Date: Thu, 23 Jan 2025 13:40:12 -0700
Subject: [PATCH 2/3] report `private_source_authentication_failure` during fetch
---
 common/lib/dependabot/errors.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/common/lib/dependabot/errors.rb b/common/lib/dependabot/errors.rb
index bd2664fa1a..8597d4fe8c 100644
--- a/common/lib/dependabot/errors.rb
+++ b/common/lib/dependabot/errors.rb
@@ -85,6 +85,11 @@ def self.fetcher_error_details(error)
 "error-type": "path_dependencies_not_reachable",
 "error-detail": { dependencies: error.dependencies }
 }
+ when Dependabot::PrivateSourceAuthenticationFailure
+ {
+ "error-type": "private_source_authentication_failure",
+ "error-detail": { source: error.source }
+ }
 when Octokit::Unauthorized
 { "error-type": "octokit_unauthorized" }
 when Octokit::ServerError
From 687c0e58d7e87f4ef1cca9ba8731576b3f208915 Mon Sep 17 00:00:00 2001
From: "S.Sandhu" <167903774+sachin-sandhu@users.noreply.github.com>
Date: Fri, 24 Jan 2025 13:43:05 -0500
Subject: [PATCH 3/3] Adds error handlers for gp_modules major exceptions (#11403)
---
 .../go_modules/file_updater/go_mod_updater.rb | 19 ++++++++++++
 .../file_updater/go_mod_updater_spec.rb | 29 +++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb b/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
index 28ed8b2629..96959a57b9 100644
--- a/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
+++ b/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
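Review bot: The new `private_source_authentication_failure` branch copies `error.source` straight into `"error-detail"`, which is data that leaves the process in the error report; a private-registry source string can carry embedded basic-auth credentials, so this branch relies on `PrivateSourceAuthenticationFailure` having already stripped them when it stored `source`. I believe the exception's constructor runs the value through `DependabotError#sanitize_source`, but that is outside this hunk and a one-line comment here would make the dependency explicit, e.g. `# source is credential-stripped by PrivateSourceAuthenticationFailure#initialize`. The `fetcher_error_details` case statement starts and ends outside the hunk.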
@@ -66,6 +66,12 @@ class GoModUpdater /Out of diskspace/ ].freeze, T::Array[Regexp]) + GO_LANG = "Go" + + AMBIGUOUS_ERROR_MESSAGE = /ambiguous import: found package (?.*) in multiple modules/ + + GO_VERSION_MISMATCH = /requires go (?.*) .*running go (?.*);/ + GO_MOD_VERSION = /^go 1\.\d+(\.\d+)?$/ sig do @@ -292,6 +298,8 @@ def substitute_all(substitutions) write_go_mod(body) end + # rubocop:disable Metrics/AbcSize + # rubocop:disable Metrics/PerceivedComplexity sig { params(stderr: String).returns(T.noreturn) } def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize stderr = stderr.gsub(Dir.getwd, "") @@ -323,10 +331,21 @@ def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize raise Dependabot::OutOfDisk.new, error_message end + if (matches = stderr.match(AMBIGUOUS_ERROR_MESSAGE)) + raise Dependabot::DependencyFileNotResolvable, matches[:package] + end + + if (matches = stderr.match(GO_VERSION_MISMATCH)) + raise Dependabot::ToolVersionNotSupported.new(GO_LANG, T.must(matches[:current_ver]), + T.must(matches[:req_ver])) + end + # We don't know what happened so we raise a generic error msg = stderr.lines.last(10).join.strip raise Dependabot::DependabotError, msg end + # rubocop:enable Metrics/AbcSize + # rubocop:enable Metrics/PerceivedComplexity sig { params(message: String, regex: Regexp).returns(String) } def filter_error_message(message:, regex:) diff --git a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb index 209a3119e0..70a290f588 100644 --- a/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb +++ b/go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb 
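Review bot: `GO_VERSION_MISMATCH` captures both versions with greedy `.*`, so on the go output exercised in the spec (`requires go >= 1.22.7 (running go 1.22.5; ...)`) `req_ver` comes out as `>= 1.22.7` with the comparison operator attached, and any other text between the two phrases is swallowed into the captures as well. Constraining the groups to version characters, e.g. `/requires go (?:>= )?(?<req_ver>[\d.]+\S*) \(running go (?<current_ver>[\d.]+);/`, keeps the values passed to `ToolVersionNotSupported` clean; `AMBIGUOUS_ERROR_MESSAGE` has the same greedy `(?<package>.*)` and would be tighter as `\S+`. The named groups render on this page as `(?.*)`, presumably extraction damage, since the handler reads `matches[:package]`, `matches[:req_ver]` and `matches[:current_ver]`. The `GoModUpdater` class continues outside the hunk.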
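Review bot: The block-level `# rubocop:disable Metrics/AbcSize` added above the `sig` duplicates the inline `# rubocop:disable Metrics/AbcSize` still present on the `def handle_subprocess_error(stderr)` line, which RuboCop reports as a redundant disable directive. Keep one form: either drop the trailing comment from the `def` line, or limit the new block comment to `# rubocop:disable Metrics/PerceivedComplexity`. `handle_subprocess_error` continues past the end of the hunk.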
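Review bot: The new ambiguous-import branch raises `Dependabot::DependencyFileNotResolvable` with the bare package name as its message, so the surfaced error reads as just `google.golang.org/grpc/stats/otl` with no indication of what went wrong; `raise Dependabot::DependencyFileNotResolvable, "ambiguous import: package #{matches[:package]} was found in multiple modules"` keeps the context. In the `GO_VERSION_MISMATCH` branch the arguments to `ToolVersionNotSupported.new` look reversed if its positional parameters are `(tool_name, detected_version, supported_versions)`: the project's requirement is `req_ver` and the toolchain Dependabot is running is `current_ver`, so passing `current_ver` as the detected version would describe the running Go as the project's requirement — worth checking against the constructor, which is outside this hunk. `handle_subprocess_error` begins before the hunk.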
@@ -953,6 +953,35 @@
 expect(error.message).to include("write error. Out of diskspace")
 end
 end
+
+ it "detects 'ambiguous package'" do
+ stderr = <<~ERROR
+ go: downloading google.golang.org/grpc v1.70.0
+ go: github.com/terraform-linters/tflint imports
+ github.com/terraform-linters/tflint/cmd imports
+ github.com/terraform-linters/tflint-ruleset-terraform/rules imports
+ github.com/hashicorp/go-getter imports
+ cloud.google.com/go/storage imports
+ google.golang.org: ambiguous import: found package google.golang.org/grpc/stats/otl in multiple modules:
+ google.golang.org/grpc v1.69.2 (/home/dependabot/go/pkg/mod/stats/opentelemetry)
+ ERROR
+
+ expect do
+ updater.send(:handle_subprocess_error, stderr)
+ end.to raise_error(Dependabot::DependencyFileNotResolvable)
+ end
+
+ it "detects 'ToolVersionNotSupported'" do
+ stderr = <<~ERROR
+ go: downloading google.golang.org/grpc v1.67.3
+ go: downloading google.golang.org/grpc v1.70.0
+ go: google.golang.org/grpc/stats/otl@v0.0.0-87961b3 requires go >= 1.22.7 (running go 1.22.5; CUAIN=local+auto)
+ ERROR
+
+ expect do
+ updater.send(:handle_subprocess_error, stderr)
+ end.to raise_error(Dependabot::ToolVersionNotSupported)
+ end
 end
 end
 end
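Review bot: Both new examples only assert the error class, so the captured groups that drive the raised errors — `matches[:package]` for the ambiguous-import case and `req_ver`/`current_ver` for the version mismatch — are never checked, and a regex that captured the wrong span would still pass. Asserting on the message pins them, e.g. `.to raise_error(Dependabot::ToolVersionNotSupported, /1\.22\.7/)` and `.to raise_error(Dependabot::DependencyFileNotResolvable, %r{google\.golang\.org/grpc/stats/otl})`. The enclosing describe block begins outside the hunk.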