Merge pull request step-security#2605 from vamshi-stepsecurity/bug/pdpr/support-dpb-directories

handle mulitple directories to add scenario

Author: vamshi-stepsecurity

remediation/dependabot/dependabotconfig.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"sort"
 	"strings"
 
 	dependabot "github.com/paulvollmer/dependabot-config-go"
@@ -314,6 +315,11 @@ func UpdateDependabotConfig(dependabotConfig string) (*UpdateDependabotConfigRes
 		updatesLastLine := findLastLine(updatesNode)
 		lineOffset := 0
 
+		// First pass: collect directories to append per existing config entry.
+		// This avoids calling replaceSequence multiple times on the same YAML
+		// node, which would corrupt line positions.
+		dirsToAppend := map[int][]string{} // cfg.Updates index -> dirs to add
+		var newEntries []Ecosystem
 		for _, eco := range updateDependabotConfigRequest.Ecosystems {
 			updateAlreadyExist := false
 			for _, update := range cfg.Updates {
@@ -324,50 +330,63 @@ func UpdateDependabotConfig(dependabotConfig string) (*UpdateDependabotConfigRes
 			}
 
 			if !updateAlreadyExist {
-				// If an existing entry uses directories (plural) for the same ecosystem,
-				// append the new directory to that list instead of creating a new entry.
-				appendedToDirectories := false
+				appended := false
 				for i, update := range cfg.Updates {
 					if update.PackageEcosystem == eco.PackageEcosystem && len(update.Directories) > 0 {
-						entryNode := updatesNode.Content[i]
-						dirsNode := findMappingValue(entryNode, "directories")
-						if dirsNode != nil {
-							newDirs := append(update.Directories, eco.Directory)
-							newLines, netChange, ch := replaceSequence(inputLines, dirsNode, newDirs, lineOffset)
-							if ch {
-								inputLines = newLines
-								lineOffset += netChange
-								response.IsChanged = true
-							}
-							appendedToDirectories = true
-						}
+						dirsToAppend[i] = append(dirsToAppend[i], eco.Directory)
+						appended = true
 						break
 					}
 				}
+				if !appended {
+					newEntries = append(newEntries, eco)
+				}
+			}
+		}
 
-				if !appendedToDirectories {
-					item := ecosystemToExtendedUpdate(eco)
-					items := []ExtendedUpdate{item}
-					addedItem, err := yaml.Marshal(items)
-					if err != nil {
-						return nil, fmt.Errorf("failed to marshal update items: %v", err)
-					}
-					data, err := addIndentation(string(addedItem), indentation)
-					if err != nil {
-						return nil, fmt.Errorf("failed to add indentation: %v", err)
-					}
-
-					// Trim trailing newline to avoid double blank lines when content
-					// follows after the updates section (e.g. registries block).
-					dataLines := strings.Split(strings.TrimRight(data, "\n"), "\n")
-					insertAt := updatesLastLine + lineOffset
-					inputLines = insertAfterLine(inputLines, insertAt, dataLines)
-					lineOffset += len(dataLines)
+		// Apply collected directory appends — one replaceSequence call per entry.
+		// Sort indices so we process top-to-bottom; lineOffset stays correct.
+		sortedIndices := make([]int, 0, len(dirsToAppend))
+		for i := range dirsToAppend {
+			sortedIndices = append(sortedIndices, i)
+		}
+		sort.Ints(sortedIndices)
+		for _, i := range sortedIndices {
+			dirs := dirsToAppend[i]
+			entryNode := updatesNode.Content[i]
+			dirsNode := findMappingValue(entryNode, "directories")
+			if dirsNode != nil {
+				newDirs := uniqueStrings(append(cfg.Updates[i].Directories, dirs...))
+				newLines, netChange, ch := replaceSequence(inputLines, dirsNode, newDirs, lineOffset)
+				if ch {
+					inputLines = newLines
+					lineOffset += netChange
 					response.IsChanged = true
 				}
 			}
 		}
 
+		for _, eco := range newEntries {
+			item := ecosystemToExtendedUpdate(eco)
+			items := []ExtendedUpdate{item}
+			addedItem, err := yaml.Marshal(items)
+			if err != nil {
+				return nil, fmt.Errorf("failed to marshal update items: %v", err)
+			}
+			data, err := addIndentation(string(addedItem), indentation)
+			if err != nil {
+				return nil, fmt.Errorf("failed to add indentation: %v", err)
+			}
+
+			// Trim trailing newline to avoid double blank lines when content
+			// follows after the updates section (e.g. registries block).
+			dataLines := strings.Split(strings.TrimRight(data, "\n"), "\n")
+			insertAt := updatesLastLine + lineOffset
+			inputLines = insertAfterLine(inputLines, insertAt, dataLines)
+			lineOffset += len(dataLines)
+			response.IsChanged = true
+		}
+
 		response.FinalOutput = strings.Join(inputLines, "\n")
 		if !strings.HasSuffix(response.FinalOutput, "\n") {
 			response.FinalOutput += "\n"
@@ -402,3 +421,16 @@ func addIndentation(data string, indentation int) (string, error) {
 
 	return finalData.String(), nil
 }
+
+// uniqueStrings removes duplicate strings from a slice while preserving order.
+func uniqueStrings(s []string) []string {
+	seen := map[string]bool{}
+	result := make([]string, 0, len(s))
+	for _, v := range s {
+		if !seen[v] {
+			seen[v] = true
+			result = append(result, v)
+		}
+	}
+	return result
+}

remediation/dependabot/dependabotconfig_test.go

@@ -246,6 +246,27 @@ func TestGroups(t *testing.T) {
 			subtractive: false,
 			isChanged:   true,
 		},
+		{
+			// Additive — three docker directories appended to the same docker entry,
+			// three npm directories appended to the same npm entry, plus a new pip
+			// ecosystem that doesn't exist in the config (gets added as new entry).
+			// Verifies collect-then-apply dedup, sorted index processing across
+			// multiple entries, and new entry insertion with registries, comments,
+			// and labels preserved.
+			inputFileName:  "directories-append-multiple.yml",
+			outputFileName: "directories-append-multiple.yml",
+			ecosystems: []Ecosystem{
+				{PackageEcosystem: "docker", Directory: "/api", Interval: "daily"},
+				{PackageEcosystem: "docker", Directory: "/shared", Interval: "daily"},
+				{PackageEcosystem: "docker", Directory: "/workers", Interval: "daily"},
+				{PackageEcosystem: "npm", Directory: "/backend", Interval: "weekly"},
+				{PackageEcosystem: "npm", Directory: "/api-client", Interval: "weekly"},
+				{PackageEcosystem: "npm", Directory: "/common", Interval: "weekly"},
+				{PackageEcosystem: "pip", Directory: "/backend", Interval: "weekly"},
+			},
+			subtractive: false,
+			isChanged:   true,
+		},
 	}
 
 	for _, test := range tests {
@@ -829,6 +850,24 @@ func TestUpdateSubtractiveFields(t *testing.T) {
 			},
 			isChanged: true,
 		},
+		{
+			// Subtractive — three docker directories appended to docker entry,
+			// three npm directories appended to npm entry, plus a new pip ecosystem
+			// (gets added). Docker interval changed from daily to weekly.
+			// Verifies merged replaceSequence across multiple entries, new entry
+			// insertion, and preservation of registries, comments, and labels.
+			fileName: "subtractive-directories-append-multiple.yml",
+			ecosystems: []Ecosystem{
+				{PackageEcosystem: "docker", Directory: "/api", Interval: "weekly"},
+				{PackageEcosystem: "docker", Directory: "/shared", Interval: "weekly"},
+				{PackageEcosystem: "docker", Directory: "/workers", Interval: "weekly"},
+				{PackageEcosystem: "npm", Directory: "/backend", Interval: "daily"},
+				{PackageEcosystem: "npm", Directory: "/api-client", Interval: "daily"},
+				{PackageEcosystem: "npm", Directory: "/common", Interval: "daily"},
+				{PackageEcosystem: "pip", Directory: "/backend", Interval: "weekly"},
+			},
+			isChanged: true,
+		},
 		{
 			// Subtractive — update all library-supported fields: scalars (interval,
 			// rebase-strategy, target-branch, versioning-strategy, milestone,

testfiles/dependabotfiles/input/directories-append-multiple.yml

@@ -0,0 +1,36 @@
+version: 2
+registries:
+  docker-hub:
+    type: docker-registry
+    url: https://registry.hub.docker.com
+    username: octocat
+    password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+updates:
+  # Docker images — scanned across multiple service roots
+  - package-ecosystem: docker
+    directories:
+      - /
+      - /app
+    schedule:
+      interval: daily
+    labels:
+      - "docker"
+      - "dependencies"
+  # GitHub Actions kept up to date
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    # Keep CI actions up to date automatically
+    labels:
+      - "ci"
+  # npm packages across frontend services
+  - package-ecosystem: npm
+    directories:
+      - /frontend
+      - /admin
+      - /shared-ui
+    schedule:
+      interval: weekly
+    labels:
+      - "javascript"

testfiles/dependabotfiles/input/subtractive-directories-append-multiple.yml

@@ -0,0 +1,36 @@
+version: 2
+registries:
+  docker-hub:
+    type: docker-registry
+    url: https://registry.hub.docker.com
+    username: octocat
+    password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+updates:
+  # Docker images — scanned across multiple service roots
+  - package-ecosystem: docker
+    directories:
+      - /
+      - /app
+    schedule:
+      interval: daily
+    labels:
+      - "docker"
+      - "dependencies"
+  # GitHub Actions kept up to date
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    # Keep CI actions up to date automatically
+    labels:
+      - "ci"
+  # npm packages across frontend services
+  - package-ecosystem: npm
+    directories:
+      - /frontend
+      - /admin
+      - /shared-ui
+    schedule:
+      interval: weekly
+    labels:
+      - "javascript"

testfiles/dependabotfiles/output/directories-append-multiple.yml

@@ -0,0 +1,47 @@
+version: 2
+registries:
+  docker-hub:
+    type: docker-registry
+    url: https://registry.hub.docker.com
+    username: octocat
+    password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+updates:
+  # Docker images — scanned across multiple service roots
+  - package-ecosystem: docker
+    directories:
+      - /
+      - /app
+      - /api
+      - /shared
+      - /workers
+    schedule:
+      interval: daily
+    labels:
+      - "docker"
+      - "dependencies"
+  # GitHub Actions kept up to date
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    # Keep CI actions up to date automatically
+    labels:
+      - "ci"
+  # npm packages across frontend services
+  - package-ecosystem: npm
+    directories:
+      - /frontend
+      - /admin
+      - /shared-ui
+      - /backend
+      - /api-client
+      - /common
+    schedule:
+      interval: weekly
+    labels:
+      - "javascript"
+
+  - package-ecosystem: pip
+    directory: /backend
+    schedule:
+      interval: weekly

testfiles/dependabotfiles/output/subtractive-directories-append-multiple.yml

@@ -0,0 +1,47 @@
+version: 2
+registries:
+  docker-hub:
+    type: docker-registry
+    url: https://registry.hub.docker.com
+    username: octocat
+    password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+updates:
+  # Docker images — scanned across multiple service roots
+  - package-ecosystem: docker
+    directories:
+      - /
+      - /app
+      - /api
+      - /shared
+      - /workers
+    schedule:
+      interval: weekly
+    labels:
+      - "docker"
+      - "dependencies"
+  # GitHub Actions kept up to date
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    # Keep CI actions up to date automatically
+    labels:
+      - "ci"
+  # npm packages across frontend services
+  - package-ecosystem: npm
+    directories:
+      - /frontend
+      - /admin
+      - /shared-ui
+      - /backend
+      - /api-client
+      - /common
+    schedule:
+      interval: daily
+    labels:
+      - "javascript"
+
+  - package-ecosystem: pip
+    directory: /backend
+    schedule:
+      interval: weekly