Check Gopkg.toml constraints too

2019-01-24 14:24:57 +01:00 · 2019-01-24 14:24:57 +01:00 · a4a31b7e80
parent ce15a110de
commit a4a31b7e80
4 changed files with 61 additions and 27 deletions
--- a/src/dependency-check-gopkg.ts
+++ b/src/dependency-check-gopkg.ts
@ -4,7 +4,31 @@ import toml from 'toml'
 import { AnalysisResult } from './analysis-result'
 import { createAnnotation } from './annotation-result'
 import { AnnotationSource } from './annotation-source'
-import { Dependency } from './dependency'
+import { Dependency, GitRefType } from './dependency'
+
+type RawGopkgRefType = 'version' | 'branch' | 'revision'
+
+interface GopkgLockProject {
+  digest: string,
+  name: string,
+  source?: string,
+  packages: string[],
+  pruneopts?: string,
+
+  revision: string,
+  branch?: string,
+  version?: string,
+}
+
+interface GopkgTomlOverride {
+  name: string,
+  source?: string,
+  metadata?: any,
+
+  revision?: string,
+  branch?: string,
+  version?: string,
+}

 export async function checkGopkgFileAsync(
  analysisResult: AnalysisResult,
@ -23,46 +47,52 @@ export async function checkGopkgFileAsync(

  const gopkgTomlContents = Buffer.from(gopkgTomlContentsResponse.data.content, 'base64').toString('utf8')
  const gopkgLockContents = Buffer.from(gopkgLockContentsResponse.data.content, 'base64').toString('utf8')
-  const gopkgLockContentsToml = toml.parse(gopkgLockContents)
+  const gopkgTomlContentsJson = toml.parse(gopkgTomlContents)
+  const gopkgLockContentsJson = toml.parse(gopkgLockContents)

  await checkGoDependenciesAsync(
    gopkgTomlContents, gopkgLockContents,
-    getDependenciesFromGopkg(gopkgLockContentsToml),
+    getDependenciesFromGopkg(gopkgTomlContentsJson, gopkgLockContentsJson),
    gopkgTomlFilename, gopkgLockFilename,
    analysisResult)
 }

-interface GopkgLockProject {
-  digest: string,
-  name: string,
-  source?: string,
-  packages: string[],
-  pruneopts?: string,
-
-  revision: string,
-  branch?: string,
-  version?: string,
-}
-
-function getDependenciesFromGopkg(gopkgLockContentsToml: any): Dependency[] {
+function getDependenciesFromGopkg(gopkgTomlContentsJson: any, gopkgLockContentsJson: any): Dependency[] {
  const dependencies: Dependency[] = []

-  for (const tomlDep of gopkgLockContentsToml.projects as GopkgLockProject[]) {
-    const rawRefType = getRawRefType(tomlDep)
+  for (const tomlDep of gopkgLockContentsJson.projects as GopkgLockProject[]) {
+    const rawRefType = getRawRefType(gopkgTomlContentsJson, tomlDep)
    dependencies.push({
      name: tomlDep.name,
      url: tomlDep.source ? tomlDep.source : tomlDep.name,

      rawRefType,
      refName: rawRefType ? (tomlDep as any)[rawRefType] : undefined,
-      refType: getRefType(tomlDep),
+      refType: getRefType(rawRefType),
    })
  }

  return dependencies
 }

-function getRawRefType(tomlDep: GopkgLockProject): string | undefined {
+function getRawRefType(gopkgTomlContentsJson: any, tomlDep: GopkgLockProject): RawGopkgRefType | undefined {
+  const findConstraint =
+    (constraints: GopkgTomlOverride[], depName: string) =>
+      (constraints ? constraints.find((o: GopkgTomlOverride) => o.name === depName) : undefined)
+
+  const constraint: GopkgTomlOverride | undefined =
+    findConstraint(gopkgTomlContentsJson.constraint, tomlDep.name) ||
+    findConstraint(gopkgTomlContentsJson.override, tomlDep.name)
+  if (constraint) {
+    if (constraint.version) {
+      return 'version'
+    } else if (constraint.branch) {
+      return 'branch'
+    } else if (constraint.revision) {
+      return 'revision'
+    }
+  }
+
  if (tomlDep.version) {
    return 'version'
  } else if (tomlDep.branch) {
@ -74,8 +104,8 @@ function getRawRefType(tomlDep: GopkgLockProject): string | undefined {
  return undefined
 }

-function getRefType(tomlDep: GopkgLockProject): 'commit' | 'tag' | 'branch' | 'unknown' {
-  switch (getRawRefType(tomlDep)) {
+function getRefType(rawRefType: RawGopkgRefType | undefined): GitRefType | undefined {
+  switch (rawRefType) {
    case 'version':
      return 'tag'
    case 'branch':
@ -83,7 +113,7 @@ function getRefType(tomlDep: GopkgLockProject): 'commit' | 'tag' | 'branch' | 'u
    case 'revision':
      return 'commit'
    default:
-      return 'unknown'
+      return undefined
  }
 }

--- a/src/dependency-check-json.ts
+++ b/src/dependency-check-json.ts
@ -103,7 +103,7 @@ async function checkDependenciesAsync(
                    `${url} is not a deterministic dependency locator.
 If the branch advances, it will be impossible to rebuild the same output in the future.`,
      )
-    } else if (refType === 'unknown') {
+    } else if (refType === undefined) {
      newAnnotation('failure', `Dependency is locked with an unknown ref-spec (\`${tag}\`).`,
                    `Please check that the tag \`${tag}\` exists in the target repository ${address}.`,
      )
--- a/src/dependency.ts
+++ b/src/dependency.ts
@ -1,7 +1,9 @@
+export type GitRefType = 'commit' | 'tag' | 'branch'
+
 export interface Dependency {
  name: string
  url: string
  rawRefType?: string,
-  refType?: 'commit' | 'tag' | 'branch' | 'unknown'
+  refType?: GitRefType | undefined
  refName?: string
 }
--- a/src/utils.ts
+++ b/src/utils.ts
@ -1,6 +1,8 @@
 import Octokit from '@octokit/rest'
 import { Context } from 'probot'

+import { GitRefType } from './dependency'
+
 export function findLineInFileContent(contents: string, substring: string): number {
  const index = contents.indexOf(substring)
  if (index < 0) {
@ -25,7 +27,7 @@ export async function slowGetRefTypeAsync(
  context: Context,
  address: string,
  tag: string,
-): Promise<'commit' | 'tag' | 'branch' | 'unknown'> {
+): Promise<GitRefType | undefined> {
  if (!tag) {
    return 'branch'
  }
@ -65,7 +67,7 @@ export async function slowGetRefTypeAsync(
    }

    // probably not existing?
-    return 'unknown'
+    return undefined
  }

  // Educated guess