Merge pull request #15075 from dependabot/brrygrdn/handle-unexpected-external-code

brrygrdn · web-flow · commit 88d7c4763deb · 2026-05-21T15:23:09.000+01:00
[Graph Job] Do not treat `Dependabot::UnexpectedExternalCode` as a hard failure
diff --git a/updater/lib/dependabot/update_graph_processor.rb b/updater/lib/dependabot/update_graph_processor.rb
@@ -76,7 +76,7 @@ def run
     attr_reader :error_handler
 
     sig { params(branch: String, directory: String).void }
-    def process_directory(branch:, directory:)
+    def process_directory(branch:, directory:) # rubocop:disable Metrics/MethodLength
       directory_source = create_source_for(directory)
       directory_dependency_files = dependency_files_for(directory)
 
@@ -93,6 +93,36 @@ def process_directory(branch:, directory:)
 
       Dependabot.logger.info("Dependency submission payload:\n#{JSON.pretty_generate(submission.payload)}")
       service.create_dependency_submission(dependency_submission: submission)
+    rescue Dependabot::UnexpectedExternalCode
+      # If this has been raised, then the directory is trying to use a private registry with an ecosystem
+      # that requires the `insecure-external-code-execution: allow` flag.
+      #
+      # The default policy is denied, so this outcome represents a misconfiguration for the directory.
+      # We should record this failure and allow other directories in the job to continue, as they may
+      # not be misconfigured.
+      Dependabot.logger.info(<<~LOG)
+        Skipping directory #{directory} — Dependabot refused to execute external code
+
+        This directory is configured to use a private registry but does not allow insecure code execution via your Dependabot configuration.
+
+        Please set `insecure-external-code-execution: allow` in the config if you trust your dependencies'
+        supply chain or remove the private registry from this directory.
+      LOG
+      service.record_update_job_error(
+        error_type: "unexpected_external_code",
+        error_details: { message: "Cannot process directory #{directory} without external code execution" }
+      )
+
+      return unless Dependabot::Environment.github_actions?
+
+      service.create_dependency_submission(
+        dependency_submission: empty_submission(
+          branch,
+          T.must(directory_source),
+          GithubApi::DependencySubmission::SnapshotStatus::FAILED,
+          "unexpected_external_code"
+        )
+      )
     rescue Dependabot::ApiError, Excon::Error::Socket, Excon::Error::Timeout, OpenSSL::SSL::SSLError
       # If the submission API is down, we should raise this as a specific error type for visibility.
       error_handler.handle_job_error(
diff --git a/updater/spec/dependabot/update_graph_processor_spec.rb b/updater/spec/dependabot/update_graph_processor_spec.rb
@@ -791,4 +791,99 @@ def fetch_subdependencies(_dependency)
       update_graph_processor.run
     end
   end
+
+  context "when external code execution is rejected" do
+    let(:directories) { [dir1, dir2] }
+    let(:dir1) { "/" }
+    let(:dir2) { "/subproject" }
+    let(:repo_contents_path) { build_tmp_repo("bundler/original", path: "") }
+
+    let(:dependency_files) do
+      [
+        Dependabot::DependencyFile.new(
+          name: "Gemfile",
+          content: fixture("bundler/original/Gemfile"),
+          directory: dir1
+        ),
+        Dependabot::DependencyFile.new(
+          name: "Gemfile.lock",
+          content: fixture("bundler/original/Gemfile.lock"),
+          directory: dir1
+        ),
+        Dependabot::DependencyFile.new(
+          name: "Gemfile",
+          content: fixture("bundler/original/Gemfile"),
+          directory: dir2
+        ),
+        Dependabot::DependencyFile.new(
+          name: "Gemfile.lock",
+          content: fixture("bundler/original/Gemfile.lock"),
+          directory: dir2
+        )
+      ]
+    end
+
+    before do
+      allow(Dependabot::FileParsers).to receive(:for_package_manager)
+        .and_raise(Dependabot::UnexpectedExternalCode)
+    end
+
+    context "when executing standalone" do
+      before do
+        allow(Dependabot::Environment).to receive(:github_actions?).and_return(false)
+      end
+
+      it "records an error for each directory" do
+        expect(service).to receive(:record_update_job_error).with(
+          error_type: "unexpected_external_code",
+          error_details: { message: "Cannot process directory / without external code execution" }
+        )
+        expect(service).to receive(:record_update_job_error).with(
+          error_type: "unexpected_external_code",
+          error_details: { message: "Cannot process directory /subproject without external code execution" }
+        )
+
+        update_graph_processor.run
+      end
+
+      it "does not send any dependency submissions" do
+        expect(service).not_to receive(:create_dependency_submission)
+
+        update_graph_processor.run
+      end
+
+      it "does not halt processing of remaining directories" do
+        call_count = 0
+        allow(service).to receive(:record_update_job_error) { call_count += 1 }
+
+        update_graph_processor.run
+
+        expect(call_count).to eq(2)
+      end
+    end
+
+    context "when executing in GitHub Actions" do
+      before do
+        allow(Dependabot::Environment).to receive(:github_actions?).and_return(true)
+      end
+
+      it "sends a FAILED empty submission for each directory" do
+        expect(service).to receive(:create_dependency_submission).twice do |args|
+          payload = args[:dependency_submission].payload
+          expect(payload[:metadata][:status]).to eql(
+            GithubApi::DependencySubmission::SnapshotStatus::FAILED.serialize
+          )
+          expect(payload[:metadata][:reason]).to eql("unexpected_external_code")
+        end
+
+        update_graph_processor.run
+      end
+
+      it "records an error for each directory" do
+        expect(service).to receive(:record_update_job_error).twice
+
+        update_graph_processor.run
+      end
+    end
+  end
 end
