Support security updates for indirect deps
mctofu committed Dec 23, 2022
1 parent f1a8585 commit 3727e08
Showing 4 changed files with 27 additions and 17 deletions.
7 changes: 6 additions & 1 deletion go_modules/lib/dependabot/go_modules/file_updater.rb
Expand Up @@ -28,7 +28,7 @@ def self.updated_files_regex
def updated_dependency_files
updated_files = []

if go_mod && file_changed?(go_mod)
if go_mod && dependency_changed?(go_mod)
updated_files <<
updated_file(
file: go_mod,
Expand Down Expand Up @@ -56,6 +56,11 @@ def updated_dependency_files

private

def dependency_changed?(go_mod)
# file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
end

def check_required_files
return if go_mod

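Review bot: `dependency_changed?` takes `go_mod` but only forwards it to `file_changed?`, while the `any?` clause answers a different question — whether any dependency's recorded version moved, not whether go.mod itself needs rewriting — so the name promises a narrower contract than the body delivers. A short YARD doc would make the actual contract explicit: `# @param go_mod the go.mod dependency file being considered` / `# @return [Boolean] true when a go.mod requirement changed, or when any dependency (including indirect ones, which have no requirement to compare) moved from previous_version to version`. The comparison also treats a dependency whose `previous_version` is nil as changed; if that is intended for newly added indirect requirements, say so in the comment, otherwise tighten it to `dep.previous_version && dep.previous_version != dep.version`. `updated_dependency_files`, which calls this, starts in the earlier hunk and continues outside it.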
6 changes: 0 additions & 6 deletions go_modules/lib/dependabot/go_modules/update_checker.rb
Expand Up @@ -26,12 +26,6 @@ def latest_version
def lowest_resolvable_security_fix_version
raise "Dependency not vulnerable!" unless vulnerable?

unless dependency.top_level?
return unless dependency.version

return current_version
end

lowest_security_fix_version
end

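Review bot: Removing the `unless dependency.top_level?` branch also removes its `return unless dependency.version` guard, so an indirect dependency with no recorded version now falls through to `lowest_security_fix_version` (defined outside this hunk) where the old code returned nil. Unless that helper is known to tolerate a nil current version, keep the guard ahead of the call: `return unless dependency.version`. A one-line comment would also help the next reader understand why the special case is gone, e.g. `# Indirect dependencies are resolved the same way as top-level ones now.`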
13 changes: 13 additions & 0 deletions go_modules/spec/dependabot/go_modules/file_updater_spec.rb
Expand Up @@ -84,6 +84,19 @@
expect(updated_files.find { |f| f.name == "go.sum" }).to_not be_nil
end

context "with an indirect dependency update" do
let(:requirements) { [] }
let(:previous_requirements) { [] }

it "includes an updated go.mod" do
expect(updated_files.find { |f| f.name == "go.mod" }).to_not be_nil
end

it "includes an updated go.sum" do
expect(updated_files.find { |f| f.name == "go.sum" }).to_not be_nil
end
end

context "with an invalid module path" do
let(:stderr) do
<<~STDERR
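Review bot: The new "with an indirect dependency update" context only asserts that go.mod and go.sum are present in `updated_files`; it never checks that the indirect require line in go.mod was rewritten to the fixed version, which is the behaviour this commit adds, so a regression that emits the unchanged file would still pass. Add a content assertion next to the presence check, e.g. `expect(updated_files.find { |f| f.name == "go.mod" }.content).to include("<NEW_DEP_VERSION>")`, substituting the version the spec's `dependency` fixture uses (its `let`s are outside this hunk). A comment on the two empty `let`s, `# empty requirements model an indirect dependency`, would make the fixture's intent clear without reading the updater.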
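--- a/go_modules/spec/dependabot/go_modules/update_checker_spec.rb
+++ b/go_modules/spec/dependabot/go_modules/update_checker_spec.rb
@@ -63,12 +63,11 @@ module foobar
 end
 end
 
-context "doesn't update indirect dependencies (not supported)" do
+context "updates indirect dependencies" do
 let(:requirements) { [] }
-it do
-is_expected.to eq(
-Dependabot::GoModules::Version.new(dependency.version)
-)
+
+it "updates to the newer version" do
+is_expected.to eq(Dependabot::GoModules::Version.new("1.1.0"))
 end
 end
 
@@ -123,12 +122,11 @@ module foobar
 end
 end
 
-context "doesn't update indirect dependencies (not supported)" do
+context "updates indirect dependencies" do
 let(:requirements) { [] }
-it do
-is_expected.to eq(
-Dependabot::GoModules::Version.new(dependency.version)
-)
+
+it "updates to the least new supported version" do
+is_expected.to eq(Dependabot::GoModules::Version.new("1.0.5"))
 end
 end
 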
