tests for grouped security update rebases (dependabot#8909)

Qureshi2131 · Jan 29, 2024 · aca169f · aca169f
1 parent e2aa39c
commit aca169f
Show file tree

Hide file tree

Showing 10 changed files with 303 additions and 2 deletions.
diff --git a/silent/lib/dependabot/silent/update_checker.rb b/silent/lib/dependabot/silent/update_checker.rb
@@ -16,6 +16,14 @@ def latest_version
       versions.max.to_s
     end
 
+    def latest_version_resolvable_with_full_unlock?
+      # For ecosystems that have lockfiles, the updater allows an ecosystem to try progressively
+      # more aggressive approaches to dependency unlocking. This method represents the most aggressive
+      # approach that allows for updating all dependencies to try to get the target dependency to update.
+      # We're going to let the specs handle testing that logic, returning false here.
+      false
+    end
+
     def lowest_security_fix_version
       versions = available_versions
       versions = filter_lower_versions(versions)
@@ -48,7 +56,7 @@ def updated_requirements
     private
 
     def git_dependency?
-      dependency.version.length == 40
+      dependency.version&.length == 40
     end
 
     def next_git_version

diff --git a/silent/tests/testdata/err-fetching.txt b/silent/tests/testdata/err-fetching.txt
@@ -0,0 +1,14 @@
+! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr 'dependency_file_not_found'
+stderr 'Error during file fetching; aborting: No files found in /'
+stdout 'mark_as_processed'
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
diff --git a/silent/tests/testdata/su-err-all-versions-ignored.txt b/silent/tests/testdata/su-err-all-versions-ignored.txt
@@ -0,0 +1,66 @@
+# Testing that Dependabot raises an error when all versions are ignored.
+
+! dependabot update -f input-1.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr all_versions_ignored
+stderr 'Dependabot cannot update to the required version as all versions were ignored for dependency-a'
+stdout '{"data":{"error-type":"all_versions_ignored","error-details":{"dependency-name":"dependency-a"}},"type":"record_update_job_error"}'
+! stdout create_pull_request
+
+# Ignore conditions do not apply to security updates.
+
+dependabot update -f input-2.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stdout -count=1 create_pull_request
+
+-- manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" }
+}
+
+-- dependency-a --
+{
+  "versions": [
+    "1.2.4"
+  ]
+}
+
+-- input-1.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+    - dependency-a
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - <= 1.2.3
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true
+  allowed-updates:
+    - dependency-name: dependency-b
+
+-- input-2.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+    - dependency-a
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - <= 1.2.3
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true
+  ignore-conditions:
+    - dependency-name: dependency-a
diff --git a/silent/tests/testdata/su-not-found.txt → silent/tests/testdata/su-err-not-found.txt b/silent/tests/testdata/su-not-found.txt → silent/tests/testdata/su-err-not-found.txt
@@ -4,6 +4,8 @@ stderr 'Dependabot can''t find a published or compatible non-vulnerable version
 stdout {"data":{"error-type":"security_update_not_found","error-details":{"dependency-name":"dependency-a","dependency-version":"1.2.3"}},"type":"record_update_job_error"}
 ! stdout create_pull_request
 
+# Since dependency-a doesn't have any updates, the security update is not found.
+
 -- manifest.json --
 {
   "dependency-a": { "version": "1.2.3" },

diff --git a/silent/tests/testdata/su-not-possible.txt → ...nt/tests/testdata/su-err-not-possible.txt b/silent/tests/testdata/su-not-possible.txt → ...nt/tests/testdata/su-err-not-possible.txt
@@ -3,12 +3,23 @@ stderr security_update_not_possible
 stdout '{"data":{"error-type":"security_update_not_possible","error-details":{"conflicting-dependencies":\[\],"dependency-name":"dependency-a","latest-resolvable-version":"","lowest-non-vulnerable-version":""}},"type":"record_update_job_error"}'
 ! stdout create_pull_request
 
+# Since there are no updates for dependency-a that are not vulnerable, the security update is not possible.
+
 -- manifest.json --
 {
   "dependency-a": { "version": "1.2.3" },
   "dependency-b": { "version": "2.3.4" }
 }
 
+-- dependency-a --
+{
+  "versions": [
+    "1.2.4",
+    "1.3.0",
+    "2.0.0"
+  ]
+}
+
 -- dependency-b --
 {
   "versions": [
@@ -31,7 +42,7 @@ job:
   security-advisories:
     - dependency-name: dependency-a
       affected-versions:
-        - <= 1.2.3
+        - <= 9.0.0
       patched-versions: []
       unaffected-versions: []
   security-updates-only: true
diff --git a/silent/tests/testdata/su-err-not-supported.txt b/silent/tests/testdata/su-err-not-supported.txt
@@ -0,0 +1,31 @@
+! dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr dependency_file_not_supported
+stdout '{"data":{"error-type":"dependency_file_not_supported","error-details":{"dependency-name":"dependency-a"}},"type":"record_update_job_error"}'
+! stdout create_pull_request
+
+# Can't tell what version dependency-a is at, so it can't be updated. Similar to if
+# in requirements.txt you set a dependency requirement to *.
+
+-- manifest.json --
+{
+  "dependency-a": { "version": null }
+}
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+    - dependency-a
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - <= 1.2.3
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true
diff --git a/silent/tests/testdata/su-not-vulnerable.txt → .../tests/testdata/su-err-not-vulnerable.txt b/silent/tests/testdata/su-not-vulnerable.txt → .../tests/testdata/su-err-not-vulnerable.txt
diff --git a/silent/tests/testdata/su-group-default-rebase-multidir.txt b/silent/tests/testdata/su-group-default-rebase-multidir.txt
@@ -0,0 +1,86 @@
+dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr 'created \| dependency-a \( from 1.2.3 to 1.2.4 \), dependency-c \( from 3.3.4 to 4.0.0 \), dependency-a \( from 1.2.3 to 1.2.4 \)'
+pr-created foo/expected.json bar/expected.json
+
+-- foo/manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" },
+  "dependency-b": { "version": "2.3.4" },
+  "dependency-c": { "version": "3.3.4" }
+}
+
+-- bar/manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" },
+  "dependency-b": { "version": "2.3.4" }
+}
+
+-- foo/expected.json --
+{
+  "dependency-a": { "version": "1.2.4" },
+  "dependency-b": { "version": "2.3.4" },
+  "dependency-c": { "version": "4.0.0" }
+}
+
+-- bar/expected.json --
+{
+  "dependency-a": { "version": "1.2.4" },
+  "dependency-b": { "version": "2.3.4" }
+}
+
+-- dependency-a --
+{
+  "versions": [
+    "1.2.3",
+    "1.2.4",
+    "1.2.5"
+  ]
+}
+
+-- dependency-b --
+{
+  "versions": [
+    "2.3.4",
+    "2.3.5",
+    "2.3.6",
+    "3.0.0"
+  ]
+}
+
+-- dependency-c --
+{
+  "versions": [
+    "3.3.4",
+    "4.0.0",
+    "5.0.0"
+  ]
+}
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+    - dependency-a
+    - dependency-c
+  source:
+    directories:
+      - /foo
+      - /bar
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - < 1.2.4
+      patched-versions: []
+      unaffected-versions: []
+    - dependency-name: dependency-c
+      affected-versions:
+        - < 4.0.0
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true
+  updating-a-pull-request: true
+  grouped-update: true
diff --git a/silent/tests/testdata/su-group-rebase-default.txt b/silent/tests/testdata/su-group-rebase-default.txt
@@ -0,0 +1,61 @@
+dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr 'created \| dependency-a \( from 1.2.3 to 1.2.4 \), dependency-b \( from 2.3.4 to 2.3.5 \)'
+pr-created expected.json
+
+-- manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" },
+  "dependency-b": { "version": "2.3.4" }
+}
+
+-- expected.json --
+{
+  "dependency-a": { "version": "1.2.4" },
+  "dependency-b": { "version": "2.3.5" }
+}
+
+-- dependency-a --
+{
+  "versions": [
+    "1.2.3",
+    "1.2.4",
+    "1.2.5"
+  ]
+}
+
+-- dependency-b --
+{
+  "versions": [
+    "2.3.4",
+    "2.3.5",
+    "2.3.6",
+    "3.0.0"
+  ]
+}
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  dependencies:
+    - dependency-a
+    - dependency-b
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests
+  security-advisories:
+    - dependency-name: dependency-a
+      affected-versions:
+        - < 1.2.4
+      patched-versions: []
+      unaffected-versions: []
+    - dependency-name: dependency-b
+      affected-versions:
+        - < 2.3.5
+      patched-versions: []
+      unaffected-versions: []
+  security-updates-only: true
+  updating-a-pull-request: true
+  grouped-update: true
diff --git a/silent/tests/testdata/vu-update-not-possible.txt b/silent/tests/testdata/vu-update-not-possible.txt
@@ -0,0 +1,22 @@
+dependabot update -f input.yml --local . --updater-image ghcr.io/dependabot/dependabot-updater-silent
+stderr 'Requirements to unlock update_not_possible'
+! stdout 'create_pull_request'
+stdout 'mark_as_processed'
+
+-- manifest.json --
+{
+  "dependency-a": { "version": "1.2.3" }
+}
+
+-- dependency-a.json --
+This isn't JSON
+
+-- input.yml --
+job:
+  package-manager: "silent"
+  source:
+    directory: "/"
+    provider: example
+    hostname: example.com
+    api-endpoint: https://example.com/api/v3
+    repo: dependabot/smoke-tests