don't attempt to update a package if no versions could be found (#8502)

* only report a dependency if one of the repos returns search results This will prevent reporting a dependency that doesn't exist on any of the repos and therefore can't be updated.
dependabot · Dec 5, 2023 · 7b3b9b1 · 7b3b9b1
1 parent 5cf31a7
commit 7b3b9b1
Show file tree

Hide file tree

Showing 6 changed files with 376 additions and 1 deletion.
diff --git a/nuget/lib/dependabot/nuget/file_parser/project_file_parser.rb b/nuget/lib/dependabot/nuget/file_parser/project_file_parser.rb
@@ -16,6 +16,7 @@ class FileParser
       class ProjectFileParser
         require "dependabot/file_parsers/base/dependency_set"
         require_relative "property_value_finder"
+        require_relative "../update_checker/repository_finder"
 
         DEPENDENCY_SELECTOR = "ItemGroup > PackageReference, " \
                               "ItemGroup > GlobalPackageReference, " \
@@ -38,6 +39,10 @@ def self.dependency_set_cache
           CacheManager.cache("project_file_dependency_set")
         end
 
+        def self.dependency_url_search_cache
+          CacheManager.cache("dependency_url_search_cache")
+        end
+
         def initialize(dependency_files:, credentials:)
           @dependency_files       = dependency_files
           @credentials            = credentials
@@ -261,12 +266,53 @@ def build_dependency(name, req, version, prop_name, project_file, dev: false)
             requirement[:metadata] = { property_name: root_prop_name }
           end
 
-          Dependency.new(
+          dependency = Dependency.new(
             name: name,
             version: version,
             package_manager: "nuget",
             requirements: [requirement]
           )
+
+          # only include dependency if one of the sources has it
+          return unless dependency_has_search_results?(dependency)
+
+          dependency
+        end
+
+        def dependency_has_search_results?(dependency)
+          nuget_configs = dependency_files.select { |f| f.name.casecmp?("nuget.config") }
+          dependency_urls = UpdateChecker::RepositoryFinder.new(
+            dependency: dependency,
+            credentials: credentials,
+            config_files: nuget_configs
+          ).dependency_urls
+          if dependency_urls.empty?
+            dependency_urls = [UpdateChecker::RepositoryFinder.get_default_repository_details(dependency.name)]
+          end
+          dependency_urls_with_package = dependency_urls.select do |dependency_url|
+            response = execute_search_for_dependency_url(dependency_url)
+            next unless response.status == 200
+
+            body = JSON.parse(response.body)
+            data = body["data"]
+            next unless data.length.positive?
+
+            found_matching_result = data.any? { |result| result["id"].casecmp?(dependency.name) }
+            found_matching_result
+          end
+
+          dependency_urls_with_package.any?
+        end
+
+        def execute_search_for_dependency_url(dependency_url)
+          search_url = dependency_url.fetch(:search_url)
+          cache = ProjectFileParser.dependency_url_search_cache
+          cache[search_url] ||= Dependabot::RegistryClient.get(
+            url: search_url,
+            headers: dependency_url.fetch(:auth_header)
+          )
+
+          cache[search_url]
         end
 
         def dependency_name(dependency_node, project_file)