Merge pull request dependabot#4140 from jerbob92/feature/go-mod-repla…

…ce-support Ignore replaced dependencies in go.mod
Parnassius · Sep 29, 2021 · 18785ae · 18785ae
2 parents a5cc5a8 + 12b70d7
commit 18785ae
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 8 deletions.
diff --git a/go_modules/lib/dependabot/go_modules/file_parser.rb b/go_modules/lib/dependabot/go_modules/file_parser.rb
@@ -52,7 +52,7 @@ def dependency_from_details(details)
         Dependency.new(
           name: details["Path"],
           version: version,
-          requirements: details["Indirect"] ? [] : reqs,
+          requirements: details["Indirect"] || dependency_is_replaced(details) ? [] : reqs,
           package_manager: "go_modules"
         )
       end
@@ -92,6 +92,15 @@ def required_packages
 
       def local_replacements
         @local_replacements ||=
+          # Find all the local replacements, and return them with a stub path
+          # we can use in their place. Using generated paths is safer as it
+          # means we don't need to worry about references to parent
+          # directories, etc.
+          ReplaceStubber.new(repo_contents_path).stub_paths(manifest, go_mod.directory)
+      end
+
+      def manifest
+        @manifest ||=
           SharedHelpers.in_a_temporary_directory do |path|
             File.write("go.mod", go_mod.content)
 
@@ -106,12 +115,7 @@ def local_replacements
             stdout, stderr, status = Open3.capture3(env, command)
             handle_parser_error(path, stderr) unless status.success?
 
-            # Find all the local replacements, and return them with a stub path
-            # we can use in their place. Using generated paths is safer as it
-            # means we don't need to worry about references to parent
-            # directories, etc.
-            manifest = JSON.parse(stdout)
-            ReplaceStubber.new(repo_contents_path).stub_paths(manifest, go_mod.directory)
+            JSON.parse(stdout)
           end
       end
 
@@ -172,6 +176,24 @@ def skip_dependency?(dep)
           false
         end
       end
+
+      def dependency_is_replaced(details)
+        # Mark dependency as replaced if the requested dependency has a
+        # "replace" directive and that either has the same version, or no
+        # version mentioned. This mimics the behaviour of go get -u, and
+        # prevents that we change dependency versions without any impact since
+        # the actual version that is being imported is defined by the replace
+        # directive.
+        if manifest["Replace"]
+          dep_replace = manifest["Replace"].find do |replace|
+            replace["Old"]["Path"] == details["Path"] &&
+              (!replace["Old"]["Version"] || replace["Old"]["Version"] == details["Version"])
+          end
+
+          return true if dep_replace
+        end
+        false
+      end
     end
   end
 end

diff --git a/go_modules/spec/dependabot/go_modules/file_parser_spec.rb b/go_modules/spec/dependabot/go_modules/file_parser_spec.rb
@@ -47,7 +47,7 @@
         parser.parse.select(&:top_level?)
       end
 
-      its(:length) { is_expected.to eq(3) }
+      its(:length) { is_expected.to eq(2) }
 
       it "sets the package manager" do
         expect(dependencies.first.package_manager).to eq("go_modules")
@@ -130,6 +130,19 @@
       end
     end
 
+    describe "a dependency that is replaced" do
+      subject(:dependency) do
+        dependencies.find { |d| d.name == "rsc.io/qr" }
+      end
+
+      it "has the right details" do
+        expect(dependency).to be_a(Dependabot::Dependency)
+        expect(dependency.name).to eq("rsc.io/qr")
+        expect(dependency.version).to eq("0.1.0")
+        expect(dependency.requirements).to eq([])
+      end
+    end
+
     describe "a garbage go.mod" do
       let(:go_mod_content) { "not really a go.mod file :-/" }