dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot searching for sub-directory with same name as repo when repo root is configured #8601

Open lily-es opened 11 months ago

lily-es commented 11 months ago

Is there an existing issue for this?

Package ecosystem

Gradle

Package manager version

No response

Language version

Kotlin 1.9.21

Manifest location and content before the Dependabot update

Manifests are located in repo root /, as well as sub-directories. Here is the content of /settings.gradle.kts:

plugins {
    id("com.gradle.enterprise") version "3.16"
}

rootProject.name = "oslonokkelen-backend"

//Include all sub-projects
include("blablabla-one")
include("blablabla-two")
include("blablabla-three")
include("blablabla-four")

Here is the content of /build.gradle.kts:

import com.adarshr.gradle.testlogger.TestLoggerExtension
import com.adarshr.gradle.testlogger.TestLoggerPlugin
import com.adarshr.gradle.testlogger.theme.ThemeType
import org.jetbrains.kotlin.gradle.dsl.jvm.JvmTargetValidationMode
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
import org.jetbrains.kotlin.gradle.tasks.KotlinJvmCompile
import org.jlleitschuh.gradle.ktlint.KtlintExtension

plugins {
    id("idea")
    id("com.google.cloud.tools.jib") version "3.4.0" apply false
    id("com.github.johnrengelman.shadow") version "8.1.1" apply false
    id("org.jetbrains.kotlin.jvm") version "1.9.21"
    id("com.adarshr.test-logger") version "4.0.0"
    id("com.google.protobuf") version "0.9.4" apply false
    id("org.jlleitschuh.gradle.ktlint") version "12.0.2"
}

val javaProjections =
    listOf(
        "blablabla-one",
        "blablabla-two",
        "blablabla-three",
        "blablabla-four"
    )

subprojects {
    project.tasks.withType<Copy>().configureEach {
        duplicatesStrategy = DuplicatesStrategy.WARN
    }
    project.tasks.withType<Jar>().configureEach {
        duplicatesStrategy = DuplicatesStrategy.WARN
    }

    if (project.name in javaProjections) {
        apply(plugin = "kotlin")

        tasks.test {
            useJUnitPlatform()
            reports {
                html.required.set(true)
                junitXml.required.set(true)
            }
        }

        if (!project.name.contains("protobuf")) {
            apply(plugin = "org.jlleitschuh.gradle.ktlint")
            configure<KtlintExtension> {
                outputToConsole.set(true)

                filter {
                    exclude("**/generated/**")
                }
            }
        }
    }
}

allprojects {
    tasks.withType<JavaCompile>().configureEach {
        sourceCompatibility = JavaVersion.VERSION_18.toString()
        targetCompatibility = JavaVersion.VERSION_18.toString()
    }
    tasks.withType<KotlinCompile>().configureEach {
        kotlinOptions.jvmTarget = JavaVersion.VERSION_18.toString()
    }
    tasks.withType<KotlinJvmCompile>().configureEach {
        jvmTargetValidationMode.set(JvmTargetValidationMode.ERROR)
    }
}

allprojects {
    apply(plugin = "java")
    apply(plugin = "idea")
    apply(plugin = "com.adarshr.test-logger")

    group = "XXXXXX"
    version = "1.0.0-SNAPSHOT"

    repositories {
        mavenCentral()
        maven { setUrl("https://jitpack.io") }
    }
}

Here is the content of /blablabla-one/build.gradle.kts, the manifest for one of the sub-projects:

plugins {
    `java-library`
    `java-test-fixtures`
}

val coroutineVersion = "1.7.3"
val slf4jVersion = "2.0.9"

dependencies {
    implementation("org.slf4j:slf4j-api:$slf4jVersion")
    api("io.dropwizard.metrics:metrics-healthchecks:4.2.23")
    testImplementation("org.slf4j:slf4j-simple:$slf4jVersion")
    testImplementation("org.junit.jupiter:junit-jupiter:5.10.1")
    testImplementation("org.assertj:assertj-core:3.24.2")
    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutineVersion")
    testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:$coroutineVersion")
}

We have a lot more than three sub-projects and I don't believe that the number or content of the manifest files for these sub-projects is irrelevant, so I have just selected one as the example.

dependabot.yml content

# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "gradle"
    open-pull-requests-limit: 10
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"

  - package-ecosystem: "docker"
    directory: "docker"
    schedule:
      interval: "weekly"
      day: "sunday"

Updated dependency

None, no PR is created

What you expected to see, versus what you actually saw

Expected dependabot to successfully search through and create PRs for security updates. Instead, this error is displayed: [image]

Note that oslonokkelen-backend/ is appended before the manifest settings.gradle.kts. The correct path to the manifest is /settings.gradle.kts. This is the bug. Nowhere have we configured dependabot to run in a sub-directory. This happens with all vulnerabilities that are found for gradle. Clicking try again will not fix it, and the log looks pretty much the same.

This only seems to happen on the page for a detected vulnerability. Standard scanning for version updates is not affected by this sub-directory bug and they do run weekly successfully. If I were to guess, I would think that the problem lies with the vulnerability scanning algorithm that is creating vulnerabilities for our repo with the wrong information. New vulnerabilities are detected and they show up in the Dependabot alerts page, but they all display this error. Triggering a version update manually through the "Check for updates" button in the Dependency graph page works. Also, when the vulnerability is removed by manually updating the relevant packages, the issue does disappear.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Update log


  proxy | 2023/12/12 13:50:37 proxy starting, commit: 02a8910b917eff32ef3fe812e35a131d6286bc20
  proxy | 2023/12/12 13:50:37 Listening (:1080)
updater | 2023-12-12T13:50:39.589340281 [761402441:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-12-12T13:50:45Z" level=info msg="guest starting" commit=eb5aa56302357f07a0e790713fa099f11a1af831
updater | time="2023-12-12T13:50:45Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=761402441 updater_timeout=45m0s updater_version=f7c9d9070e7f43d0d59e0692019a0537d3449f4b-gradle
updater | 2023/12/12 13:50:52 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/12 13:50:59 INFO <job_761402441> Starting job processing
  proxy | 2023/12/12 13:51:00 [002] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend
  proxy | 2023/12/12 13:51:00 [002] * authenticating github api request with token for api.github.com
  proxy | 2023/12/12 13:51:00 [002] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend
  proxy | 2023/12/12 13:51:01 [004] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/git/refs/heads/master
  proxy | 2023/12/12 13:51:01 [004] * authenticating github api request with token for api.github.com
  proxy | 2023/12/12 13:51:01 [004] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/git/refs/heads/master
  proxy | 2023/12/12 13:51:01 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
  proxy | 2023/12/12 13:51:01 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/12/12 13:51:01 [006] 404 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
updater | 2023/12/12 13:51:01 ERROR <job_761402441> Error during file fetching; aborting: Dependabot::DirectoryNotFound
updater | 2023/12/12 13:51:01 INFO <job_761402441> Finished job processing
updater | 2023/12/12 13:51:01 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +---------------------+
updater | |       Errors        |
updater | +---------------------+
updater | | directory_not_found |
updater | +---------------------+
updater | time="2023-12-12T13:51:01Z" level=info msg="task complete" container_id=job-761402441-file-fetcher exit_code=0 job_id=761402441 step=fetcher
updater | time="2023-12-12T13:51:02Z" level=warning msg="failed during fetch, skipping updater" job_id=761402441

It seems like the issue is that dependabot is trying to fetch the contents of the sub-directory /oslonokkelen-backend, when this directory does not exist. The corresponding lines from the logs of a successful update look like this:

  proxy | 2023/12/12 13:44:48 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
  proxy | 2023/12/12 13:44:48 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/12/12 13:44:48 [006] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7

Smallest manifest that reproduces the issue

Unsure what could be the cause here, so I can't really narrow it down.
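As an added example (not code from this issue and not part of dependabot-core), the diagnosis done by hand above can be automated: read the proxy lines of an update log, extract which repository directory each GitHub `contents` request targeted, and flag a failed fetch whose directory equals the repository name and does not appear in dependabot.yml, which is the pattern reported here. The sample log is constructed from the lines quoted in this issue, the configured directory list is taken from the dependabot.yml above, and the function and class names are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the proxy lines quoted in the issue: the first
# request is the failing security-update run, the second the successful version-update run.
SAMPLE_LOG = """\
  proxy | 2023/12/12 13:51:01 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
  proxy | 2023/12/12 13:51:01 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/12/12 13:51:01 [006] 404 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/oslonokkelen-backend?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
updater | 2023/12/12 13:51:01 ERROR <job_761402441> Error during file fetching; aborting: Dependabot::DirectoryNotFound
  proxy | 2023/12/12 13:44:48 [006] GET https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
  proxy | 2023/12/12 13:44:48 [006] 200 https://api.github.com:443/repos/XXXXX/oslonokkelen-backend/contents/?ref=a98a904c2235d3b69bf3cb066dee36d8a4e5caf7
"""

# The `directory:` values from the dependabot.yml shown in the issue (gradle, github-actions, docker).
CONFIGURED_DIRECTORIES = ["/", "/", "docker"]

# Matches a proxy line for the GitHub contents API. `kind` is either "GET" (request)
# or a three-digit status code (response); only response lines carry a result.
CONTENTS_RE = re.compile(
    r"proxy \| \S+ \S+ \[(?P<req>\d+)\] (?P<kind>GET|\d{3}) "
    r"https://api\.github\.com:443/repos/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)"
    r"/contents/(?P<path>[^?\s]*)"
)


@dataclass
class ContentsFetch:
    repo: str
    directory: str  # normalized: leading slash, no trailing slash, "/" for the repo root
    status: int


def normalize_directory(directory: str) -> str:
    """Bring dependabot.yml notation ("/", "docker", "/docker/") and URL paths onto one form."""
    return "/" + directory.strip("/")


def parse_contents_fetches(log: str) -> list[ContentsFetch]:
    """Extract every completed contents-API fetch (response lines only) from a proxy log."""
    fetches: list[ContentsFetch] = []
    for line in log.splitlines():
        m = CONTENTS_RE.search(line)
        if not m or m["kind"] == "GET":
            continue
        fetches.append(ContentsFetch(m["repo"], normalize_directory(m["path"]), int(m["kind"])))
    return fetches


def diagnose(log: str, configured_directories: list[str]) -> list[str]:
    """Return one finding per failed contents fetch, relating it to the configured directories."""
    configured = {normalize_directory(d) for d in configured_directories}
    findings: list[str] = []
    for f in parse_contents_fetches(log):
        if f.status < 400:
            continue
        if f.directory in configured:
            findings.append(
                f"{f.repo}: configured directory {f.directory} returned {f.status}; "
                "check that it exists on the ref being updated"
            )
        elif f.directory == "/" + f.repo:
            findings.append(
                f"{f.repo}: fetched {f.directory}, which is not in dependabot.yml and equals "
                "the repository name; this matches the symptom reported in this issue"
            )
        else:
            findings.append(f"{f.repo}: fetched unconfigured directory {f.directory} ({f.status})")
    return findings


def missing_configured_directories(configured_directories: list[str], repo_directories: list[str]) -> list[str]:
    """Pre-flight check: configured directories that are absent from the repository tree."""
    present = {normalize_directory(d) for d in repo_directories}
    return sorted({normalize_directory(d) for d in configured_directories} - present)


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, CONFIGURED_DIRECTORIES):
        print(finding)
```

Run against a real update log, `diagnose` separates the two cases a practitioner needs to tell apart: a configured directory that genuinely is missing on the target ref (fix dependabot.yml or the branch), and a fetch of a directory that was never configured (the job's directory was derived wrongly, as in this report). `missing_configured_directories` is the check to run first when a `directory_not_found` error appears, before assuming a bug in the updater.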

lily-es commented 4 months ago

Any update for this issue? This means that dependabot security updates are not working whatsoever for the affected repo