Merge pull request #592 from dependabot/go-support

Add support for Go (dep)

.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2
 jobs:
   build:
     docker:
-      - image: dependabot/dependabot-core:0.1.21
+      - image: dependabot/dependabot-core:0.1.22
     working_directory: ~/dependabot-core
     steps:
       - checkout

Dockerfile

@@ -79,6 +79,17 @@ RUN echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu bionic main" >> /etc/ap
     && mv composer.phar /usr/local/bin/composer
 
 
+### GO
+
+RUN curl -O https://dl.google.com/go/go1.10.3.linux-amd64.tar.gz \
+    && tar xvf go1.10.3.linux-amd64.tar.gz \
+    && wget https://github.com/golang/dep/releases/download/v0.4.1/dep-linux-amd64 \
+    && mv dep-linux-amd64 go/bin/dep \
+    && chmod +x go/bin/dep \
+    && mv go /root
+ENV PATH=/root/go/bin:$PATH
+
+
 ### Elixir
 
 # Install Erlang, Elixir and Hex

lib/dependabot/file_fetchers.rb

@@ -11,6 +11,7 @@
 require "dependabot/file_fetchers/elixir/hex"
 require "dependabot/file_fetchers/rust/cargo"
 require "dependabot/file_fetchers/dotnet/nuget"
+require "dependabot/file_fetchers/go/dep"
 
 module Dependabot
   module FileFetchers
@@ -28,6 +29,7 @@ def self.for_package_manager(package_manager)
       when "hex" then FileFetchers::Elixir::Hex
       when "cargo" then FileFetchers::Rust::Cargo
       when "nuget" then FileFetchers::Dotnet::Nuget
+      when "dep" then FileFetchers::Go::Dep
       else raise "Unsupported package_manager #{package_manager}"
       end
     end

lib/dependabot/file_fetchers/go/dep.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module FileFetchers
+    module Go
+      class Dep < Dependabot::FileFetchers::Base
+        def self.required_files_in?(filenames)
+          (%w(Gopkg.toml Gopkg.lock) - filenames).empty?
+        end
+
+        def self.required_files_message
+          "Repo must contain a Gopkg.toml and Gopkg.lock."
+        end
+
+        private
+
+        def fetch_files
+          fetched_files = []
+          fetched_files << manifest
+          fetched_files << lockfile
+          fetched_files
+        end
+
+        def manifest
+          @manifest ||= fetch_file_from_host("Gopkg.toml")
+        end
+
+        def lockfile
+          @lockfile ||= fetch_file_from_host("Gopkg.lock")
+        end
+      end
+    end
+  end
+end

lib/dependabot/file_parsers.rb

@@ -11,6 +11,7 @@
 require "dependabot/file_parsers/elixir/hex"
 require "dependabot/file_parsers/rust/cargo"
 require "dependabot/file_parsers/dotnet/nuget"
+require "dependabot/file_parsers/go/dep"
 
 module Dependabot
   module FileParsers
@@ -28,6 +29,7 @@ def self.for_package_manager(package_manager)
       when "hex" then FileParsers::Elixir::Hex
       when "cargo" then FileParsers::Rust::Cargo
       when "nuget" then FileParsers::Dotnet::Nuget
+      when "dep" then FileParsers::Go::Dep
       else raise "Unsupported package_manager #{package_manager}"
       end
     end

lib/dependabot/file_parsers/go/dep.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+require "dependabot/errors"
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+
+# Relevant dep docs can be found at:
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.lock.md
+module Dependabot
+  module FileParsers
+    module Go
+      class Dep < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+
+        REQUIREMENT_TYPES = %w(constraint override).freeze
+
+        def parse
+          dependency_set = DependencySet.new
+          dependency_set += manifest_dependencies
+          dependency_set += lockfile_dependencies
+          dependency_set.dependencies
+        end
+
+        private
+
+        def manifest_dependencies
+          dependency_set = DependencySet.new
+
+          REQUIREMENT_TYPES.each do |type|
+            parsed_file(manifest).fetch(type, []).each do |details|
+              dependency_set << Dependency.new(
+                name: details.fetch("name"),
+                version: nil,
+                package_manager: "dep",
+                requirements: [{
+                  requirement: requirement_from_declaration(details),
+                  file: manifest.name,
+                  groups: [],
+                  source: source_from_declaration(details)
+                }]
+              )
+            end
+          end
+
+          dependency_set
+        end
+
+        def lockfile_dependencies
+          dependency_set = DependencySet.new
+
+          parsed_file(lockfile).fetch("projects", []).each do |details|
+            dependency_set << Dependency.new(
+              name: details.fetch("name"),
+              version: version_from_lockfile(details),
+              package_manager: "dep",
+              requirements: []
+            )
+          end
+
+          dependency_set
+        end
+
+        def version_from_lockfile(details)
+          details["version"]&.sub(/^v?/, "") || details.fetch("revision")
+        end
+
+        def requirement_from_declaration(declaration)
+          unless declaration.is_a?(Hash)
+            raise "Unexpected dependency declaration: #{declaration}"
+          end
+
+          declaration["version"]
+        end
+
+        def source_from_declaration(declaration)
+          unless declaration.is_a?(Hash)
+            raise "Unexpected dependency declaration: #{declaration}"
+          end
+
+          source = declaration["source"] || declaration["name"]
+
+          git_source = git_source(source)
+
+          if git_source && (declaration["branch"] || declaration["revision"])
+            {
+              type: "git",
+              url: git_source.url,
+              branch: declaration["branch"],
+              ref: declaration["revision"]
+            }
+          else
+            {
+              type: "default",
+              source: source
+            }
+          end
+        end
+
+        def git_source(path)
+          updated_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
+
+          # Currently, Dependabot::Source.new will return `nil` if it can't find
+          # a git SCH associated with a path. If it is ever extended to handle
+          # non-git sources we'll need to add an additional check here.
+          Source.from_url(updated_path)
+        end
+
+        def parsed_file(file)
+          @parsed_file ||= {}
+          @parsed_file[file.name] ||= TomlRB.parse(file.content)
+        rescue TomlRB::ParseError
+          raise Dependabot::DependencyFileNotParseable, file.path
+        end
+
+        def manifest
+          @manifest ||= get_original_file("Gopkg.toml")
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("Gopkg.lock")
+        end
+
+        def check_required_files
+          %w(Gopkg.toml Gopkg.lock).each do |filename|
+            raise "No #{filename}!" unless get_original_file(filename)
+          end
+        end
+      end
+    end
+  end
+end

lib/dependabot/file_updaters.rb

@@ -11,6 +11,7 @@
 require "dependabot/file_updaters/elixir/hex"
 require "dependabot/file_updaters/rust/cargo"
 require "dependabot/file_updaters/dotnet/nuget"
+require "dependabot/file_updaters/go/dep"
 
 module Dependabot
   module FileUpdaters
@@ -28,6 +29,7 @@ def self.for_package_manager(package_manager)
       when "hex" then FileUpdaters::Elixir::Hex
       when "cargo" then FileUpdaters::Rust::Cargo
       when "nuget" then FileUpdaters::Dotnet::Nuget
+      when "dep" then FileUpdaters::Go::Dep
       else raise "Unsupported package_manager #{package_manager}"
       end
     end

lib/dependabot/file_updaters/go/dep.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module FileUpdaters
+    module Go
+      class Dep < Dependabot::FileUpdaters::Base
+        require_relative "dep/manifest_updater"
+        require_relative "dep/lockfile_updater"
+
+        def self.updated_files_regex
+          [
+            /^Gopkg\.toml$/,
+            /^Gopkg\.lock$/
+          ]
+        end
+
+        def updated_dependency_files
+          updated_files = []
+
+          if file_changed?(manifest)
+            updated_files <<
+              updated_file(
+                file: manifest,
+                content: updated_manifest_content
+              )
+          end
+
+          if lockfile
+            updated_files <<
+              updated_file(file: lockfile, content: updated_lockfile_content)
+          end
+
+          raise "No files changed!" if updated_files.none?
+
+          updated_files
+        end
+
+        private
+
+        def check_required_files
+          raise "No Gopkg.toml!" unless get_original_file("Gopkg.toml")
+        end
+
+        def manifest
+          @manifest ||= get_original_file("Gopkg.toml")
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("Gopkg.lock")
+        end
+
+        def updated_manifest_content
+          ManifestUpdater.new(
+            dependencies: dependencies,
+            manifest: manifest
+          ).updated_manifest_content
+        end
+
+        def updated_lockfile_content
+          LockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).updated_lockfile_content
+        end
+      end
+    end
+  end
+end