From 3727e082bcf0dc603004da4bf91ecaf42fba4403 Mon Sep 17 00:00:00 2001
From: David McIntosh <804610+mctofu@users.noreply.github.com>
Date: Fri, 23 Dec 2022 14:34:36 -0800
Subject: [PATCH] Support security updates for indirect deps

---
 .../lib/dependabot/go_modules/file_updater.rb | 7 ++++++-
 .../dependabot/go_modules/update_checker.rb | 6 ------
 .../dependabot/go_modules/file_updater_spec.rb | 13 +++++++++++++
 .../go_modules/update_checker_spec.rb | 18 ++++++++----------
 4 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/go_modules/lib/dependabot/go_modules/file_updater.rb b/go_modules/lib/dependabot/go_modules/file_updater.rb
index 8b1f66a735d..04dfc3ec9e7 100644
--- a/go_modules/lib/dependabot/go_modules/file_updater.rb
+++ b/go_modules/lib/dependabot/go_modules/file_updater.rb
@@ -28,7 +28,7 @@ def self.updated_files_regex
 def updated_dependency_files
 updated_files = []
- if go_mod && file_changed?(go_mod)
+ if go_mod && dependency_changed?(go_mod)
 updated_files <<
 updated_file(
 file: go_mod,
@@ -56,6 +56,11 @@ def updated_dependency_files
 private
+ def dependency_changed?(go_mod)
+ # file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
+ file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
+ end
+
 def check_required_files
 return if go_mod
diff --git a/go_modules/lib/dependabot/go_modules/update_checker.rb b/go_modules/lib/dependabot/go_modules/update_checker.rb
index b92291a391d..bc030865a42 100644
--- a/go_modules/lib/dependabot/go_modules/update_checker.rb
+++ b/go_modules/lib/dependabot/go_modules/update_checker.rb
@@ -26,12 +26,6 @@ def latest_version
 def lowest_resolvable_security_fix_version
 raise "Dependency not vulnerable!" unless vulnerable?
- unless dependency.top_level?
- return unless dependency.version
-
- return current_version
- end
-
 lowest_security_fix_version
 end
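Review bot: In the added `dependency_changed?(go_mod)`, the `go_mod` argument is consumed only by the `file_changed?(go_mod)` disjunct; the indirect-dependency half reads `dependencies` from the instance and flags a change when any dependency's `previous_version` differs from `version`, so the signature suggests a scope the second check does not have. Since `go_mod` is already a reader on this class (the hunk's `return if go_mod` and the first hunk's `if go_mod && ...` use it bare), consider `def dependency_changed?` with `file_changed?(go_mod) || ...` in the body, or make the intent explicit by replacing the added comment with `# file_changed? only sees requirement changes; indirect deps carry no requirements, so a version bump on any dependency must also count as a change to go.mod.`. If `previous_version` can be nil for a dependency the updater merely resolves rather than bumps, that comparison reports a change as well — worth confirming against the Dependency model, which is outside this page. `updated_dependency_files` begins in the first hunk and its body continues past it.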
diff --git a/go_modules/spec/dependabot/go_modules/file_updater_spec.rb b/go_modules/spec/dependabot/go_modules/file_updater_spec.rb
index 1e833fa0df4..554c814ff82 100644
--- a/go_modules/spec/dependabot/go_modules/file_updater_spec.rb
+++ b/go_modules/spec/dependabot/go_modules/file_updater_spec.rb
@@ -84,6 +84,19 @@
 expect(updated_files.find { |f| f.name == "go.sum" }).to_not be_nil
 end
+ context "with an indirect dependency update" do
+ let(:requirements) { [] }
+ let(:previous_requirements) { [] }
+
+ it "includes an updated go.mod" do
+ expect(updated_files.find { |f| f.name == "go.mod" }).to_not be_nil
+ end
+
+ it "includes an updated go.sum" do
+ expect(updated_files.find { |f| f.name == "go.sum" }).to_not be_nil
+ end
+ end
+
 context "with an invalid module path" do
 let(:stderr) do
 <<~STDERR
diff --git a/go_modules/spec/dependabot/go_modules/update_checker_spec.rb b/go_modules/spec/dependabot/go_modules/update_checker_spec.rb
index 980136f1710..e8a8a7405d0 100644
--- a/go_modules/spec/dependabot/go_modules/update_checker_spec.rb
+++ b/go_modules/spec/dependabot/go_modules/update_checker_spec.rb
@@ -63,12 +63,11 @@ module foobar
 end
 end
- context "doesn't update indirect dependencies (not supported)" do
+ context "updates indirect dependencies" do
 let(:requirements) { [] }
- it do
- is_expected.to eq(
- Dependabot::GoModules::Version.new(dependency.version)
- )
+
+ it "updates to the newer version" do
+ is_expected.to eq(Dependabot::GoModules::Version.new("1.1.0"))
 end
 end
@@ -123,12 +122,11 @@ module foobar
 end
 end
- context "doesn't update indirect dependencies (not supported)" do
+ context "updates indirect dependencies" do
 let(:requirements) { [] }
- it do
- is_expected.to eq(
- Dependabot::GoModules::Version.new(dependency.version)
- )
+
+ it "updates to the least new supported version" do
+ is_expected.to eq(Dependabot::GoModules::Version.new("1.0.5"))
 end
 end
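Review bot: The two examples in the new `"with an indirect dependency update"` context only assert that entries named `go.mod` and `go.sum` are present in `updated_files`; neither checks that the indirect requirement was actually bumped, so a regression that emits the files with their original content would still pass. Pin the content as well, e.g. `expect(updated_files.find { |f| f.name == "go.mod" }.content).to include("<bumped version> // indirect")`, with the version string taken from the outer dependency fixture (that fixture is outside the hunk, so the exact literal cannot be quoted here). The enclosing describe block starts and ends outside the hunk.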
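Review bot: The renamed `"updates indirect dependencies"` contexts cover only the path where the indirect dependency has a version and a fix version resolves to `"1.1.0"` / `"1.0.5"`; nothing in either hunk exercises the case the deleted guard in `lowest_resolvable_security_fix_version` used to short-circuit, a vulnerable non-top-level dependency whose `dependency.version` is nil, which now falls through to `lowest_security_fix_version` instead of returning nil. Add an example alongside the second context, e.g. `context "when the indirect dependency has no version" do` overriding the outer version `let` with `nil` and asserting whichever result the fallthrough is meant to produce, so that behavior is deliberate rather than incidental (the `let` name for the version is outside the hunk, so it is not quoted here). Both contexts sit inside describe blocks that begin and end outside the hunk.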