Merge pull request #1193 from dependabot/go-handle-local-replacements

Go (modules): handle local module replacements
dependabot · Jun 7, 2019 · a785958 · a785958
2 parents 985205d + 3f7a96a
commit a785958
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 3 deletions.
diff --git a/go_modules/lib/dependabot/go_modules/file_parser.rb b/go_modules/lib/dependabot/go_modules/file_parser.rb
@@ -17,7 +17,7 @@ def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
         i = 0
-        chunks = module_info(go_mod).lines.
+        chunks = module_info.lines.
                  group_by { |line| line == "{\n" ? i += 1 : i }
         deps = chunks.values.map { |chunk| JSON.parse(chunk.join) }
 
@@ -65,11 +65,19 @@ def dependency_from_details(details)
         )
       end
 
-      def module_info(go_mod)
+      def module_info
         @module_info ||=
           SharedHelpers.in_a_temporary_directory do |path|
             SharedHelpers.with_git_configured(credentials: credentials) do
-              File.write("go.mod", go_mod.content)
+              # Create a fake empty module for each local module so that
+              # `go list` works, even if some modules have been `replace`d with
+              # a local module that we don't have access to.
+              local_replacements.each do |_, stub_path|
+                Dir.mkdir(stub_path) unless Dir.exist?(stub_path)
+                FileUtils.touch(File.join(stub_path, "go.mod"))
+              end
+
+              File.write("go.mod", go_mod_content)
 
               command = "go mod edit -print > /dev/null"
               command += " && go list -m -json all"
@@ -89,6 +97,36 @@ def module_info(go_mod)
           end
       end
 
+      def local_replacements
+        @local_replacements ||=
+          SharedHelpers.in_a_temporary_directory do |path|
+            File.write("go.mod", go_mod.content)
+
+            # Parse the go.mod to get a JSON representation of the replace
+            # directives
+            command = "go mod edit -json"
+            env = { "GO111MODULE" => "on" }
+            stdout, stderr, status = Open3.capture3(env, command)
+            handle_parser_error(path, stderr) unless status.success?
+
+            # Find all the local replacements, and return them with a stub path
+            # we can use in their place. Using generated paths is safer as it
+            # means we don't need to worry about references to parent
+            # directories, etc.
+            (JSON.parse(stdout)["Replace"] || []).
+              map { |r| r["New"]["Path"] }.
+              compact.
+              select { |p| p.start_with?(".") || p.start_with?("/") }.
+              map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }
+          end
+      end
+
+      def go_mod_content
+        local_replacements.reduce(go_mod.content) do |body, (path, stub_path)|
+          body.sub(path, stub_path)
+        end
+      end
+
       GIT_ERROR_REGEX = /go: .*: git fetch .*: exit status 128/.freeze
 
       # rubocop:disable Metrics/AbcSize

diff --git a/go_modules/spec/dependabot/go_modules/file_parser_spec.rb b/go_modules/spec/dependabot/go_modules/file_parser_spec.rb
@@ -204,5 +204,21 @@
           end
       end
     end
+
+    describe "a dependency replaced by a local override" do
+      let(:go_mod_content) do
+        go_mod = fixture("go_mods", go_mod_fixture_name)
+        go_mod.sub("=> github.com/rsc/qr v0.2.0", "=> ./foo/bar/baz")
+      end
+
+      subject(:dependency) do
+        dependencies.find { |d| d.name == "rsc.io/qr" }
+      end
+
+      it "has the right details" do
+        expect(dependency).to be_a(Dependabot::Dependency)
+        expect(dependency.name).to eq("rsc.io/qr")
+      end
+    end
   end
 end