dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

JSON::ParserError: unexpected token at '' #9543

Open sentry-io[bot] opened 2 months ago

sentry-io[bot] commented 2 months ago

Sentry Issue: DELTAFORCE-YZ8

JSON::ParserError: unexpected token at ''
  dependabot-updater/vendor/ruby/3.1.0/gems/json-2.6.3/lib/json/common.rb:216:in `parse'
  dependabot-updater/vendor/ruby/3.1.0/gems/json-2.6.3/lib/json/common.rb:216:in `parse'
  npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:298:in `fetch_npm_details'
  npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:291:in `npm_details'
  npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb:118:in `valid_npm_details?'
...
(20 additional frame(s) were not displayed)
sachin-sandhu commented 2 weeks ago

Preface: This issue was detected while assessing JSON parsing related issues in Sentry DELTAFORCE-YZ8. This issue is specific to the NuGet ecosystem (can be filtered with gh.dependabot_api.update_config.package_manager:nuget).

Issue: While updating NuGet ecosystem dependencies, :dependabot: parses valid proj (csproj, vsproj) files to extract dependencies for update. While updating, :dependabot: fetches the latest version from the registry. While receiving the response, it was found that some responses were returned as non-parsable JSON objects. The error response is generally:

unexpected token at <?xml version="1.0" encoding="utf-8"?><Error><Code>BlobNotFound</Code><Message>The specified blob does not exist.
RequestId:3c379ef9-701e-0037-105e-c76f5b000000
Time:2024-06-26T00:18:34.3882498Z</Message></Error>

After further evaluation, it was found that the issue was related to specific names (i.e.

INFO Checking if Microsoft.NET.Sdk.Worker needs updating ERROR Error processing Microsoft.NET.Sdk.Worker (JSON::ParserError)).

While searching for the dependency, no references to this named dependency were found in the project repo itself. However, this name was found as an attribute of the project: <Project Sdk="Microsoft.NET.Sdk.Worker"> (link). To test this, a test repo was created at https://github.com/dsp-testing/nuget_repo. :dependabot: updates were tested both with <Project Sdk="Microsoft.NET.Sdk.Worker"> and without the attribute (<Project>).

Results: Job with attribute. Attached job: with_attribute.txt

Results: Job without attribute. Attached job: without_attribute.txt

Fix: It seems that the project attribute is parsed as a valid dependency by the file_parser. Adjusting the parser should fix this issue.
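The two failure points described in this thread, as an added illustration that is not dependabot-core's own code: a minimal project-file parser that collects only `PackageReference` items and reports the `Project Sdk` attribute as metadata rather than as a dependency, and a registry-response parser that recognises an XML error body (such as the `BlobNotFound` blob quoted above) instead of handing it to `JSON.parse` and crashing the job. The csproj content and the registry bodies are constructed samples, not files from the dsp-testing repo; the function names are hypothetical and stdlib REXML stands in for the parser the project actually uses.

```ruby
require "json"
require "rexml/document"

# Constructed sample .csproj: an Sdk attribute on <Project> plus two real
# package references. The Sdk value must NOT be looked up on the registry.
SAMPLE_CSPROJ = <<~XML
  <Project Sdk="Microsoft.NET.Sdk.Worker">
    <PropertyGroup>
      <TargetFramework>net8.0</TargetFramework>
    </PropertyGroup>
    <ItemGroup>
      <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
      <PackageReference Include="Serilog" Version="3.1.1" />
    </ItemGroup>
  </Project>
XML

# Constructed registry bodies: the XML error shape seen in the issue, and a
# well-formed JSON reply for comparison.
SAMPLE_XML_ERROR = '<?xml version="1.0" encoding="utf-8"?>' \
                   "<Error><Code>BlobNotFound</Code>" \
                   "<Message>The specified blob does not exist.</Message></Error>"
SAMPLE_JSON_OK = '{"versions":["13.0.1","13.0.3"]}'

# Returns only PackageReference dependencies as {name:, version:} hashes.
# The Project Sdk attribute is deliberately not treated as a dependency.
def package_references(csproj_xml)
  doc = REXML::Document.new(csproj_xml)
  deps = []
  REXML::XPath.each(doc, "//PackageReference") do |node|
    name = node.attributes["Include"]
    next if name.nil? || name.empty?
    deps << { name: name, version: node.attributes["Version"] }
  end
  deps
end

# Reports the SDK as project metadata, kept separate from the dependency list.
def project_sdk(csproj_xml)
  doc = REXML::Document.new(csproj_xml)
  doc.root && doc.root.attributes["Sdk"]
end

# Parses a registry response body. Empty bodies and XML error bodies yield nil
# so the caller can skip or log the dependency instead of raising
# JSON::ParserError for the whole update job.
def parse_registry_response(body)
  return nil if body.nil? || body.strip.empty?
  return nil if body.lstrip.start_with?("<")
  JSON.parse(body)
rescue JSON::ParserError
  nil
end

# Extracts the <Error><Code> value from an XML error body for logging;
# nil for JSON bodies or malformed XML.
def registry_error_code(body)
  return nil if body.nil? || !body.lstrip.start_with?("<")
  doc = REXML::Document.new(body)
  code = REXML::XPath.first(doc, "//Error/Code")
  code && code.text
rescue REXML::ParseException
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "SDK: #{project_sdk(SAMPLE_CSPROJ)}"
  package_references(SAMPLE_CSPROJ).each { |d| puts "dep: #{d[:name]} #{d[:version]}" }
  puts "error code: #{registry_error_code(SAMPLE_XML_ERROR).inspect}"
  puts "parsed json: #{parse_registry_response(SAMPLE_JSON_OK).inspect}"
end
```

The design choice worth noting is that an unparsable registry body is turned into a per-dependency nil (with the error code available for logging) rather than an exception, so one odd response cannot abort the update job for every other dependency in the project.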