dependabot-bundler 0.94.0

data/lib/dependabot/bundler/file_parser/file_preparer.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/bundler/file_parser"
+require "dependabot/bundler/file_updater/gemspec_sanitizer"
+
+module Dependabot
+  module Bundler
+    class FileParser
+      class FilePreparer
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def prepared_dependency_files
+          files = []
+
+          gemspecs.compact.each do |file|
+            files << DependencyFile.new(
+              name: file.name,
+              content: sanitize_gemspec_content(file.content),
+              directory: file.directory,
+              support_file: file.support_file?
+            )
+          end
+
+          files += [
+            gemfile,
+            *evaled_gemfiles,
+            lockfile,
+            ruby_version_file,
+            *imported_ruby_files
+          ].compact
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def gemfile
+          dependency_files.find { |f| f.name == "Gemfile" } ||
+            dependency_files.find { |f| f.name == "gems.rb" }
+        end
+
+        def evaled_gemfiles
+          dependency_files.
+            reject { |f| f.name.end_with?(".gemspec") }.
+            reject { |f| f.name.end_with?(".lock") }.
+            reject { |f| f.name.end_with?(".ruby-version") }.
+            reject { |f| f.name == "Gemfile" }.
+            reject { |f| f.name == "gems.rb" }.
+            reject { |f| f.name == "gems.locked" }
+        end
+
+        def lockfile
+          dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+            dependency_files.find { |f| f.name == "gems.locked" }
+        end
+
+        def gemspecs
+          dependency_files.select { |f| f.name.end_with?(".gemspec") }
+        end
+
+        def ruby_version_file
+          dependency_files.find { |f| f.name == ".ruby-version" }
+        end
+
+        def imported_ruby_files
+          dependency_files.
+            select { |f| f.name.end_with?(".rb") }.
+            reject { |f| f.name == "gems.rb" }
+        end
+
+        def sanitize_gemspec_content(gemspec_content)
+          # No need to set the version correctly - this is just an update
+          # check so we're not going to persist any changes to the lockfile.
+          FileUpdater::GemspecSanitizer.
+            new(replacement_version: "0.0.1").
+            rewrite(gemspec_content)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_parser/gemfile_checker.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/bundler/file_parser"
+
+module Dependabot
+  module Bundler
+    class FileParser
+      # Checks whether a dependency is declared in a Gemfile
+      class GemfileChecker
+        def initialize(dependency:, gemfile:)
+          @dependency = dependency
+          @gemfile = gemfile
+        end
+
+        def includes_dependency?
+          return false unless Parser::CurrentRuby.parse(gemfile.content)
+
+          Parser::CurrentRuby.parse(gemfile.content).children.any? do |node|
+            deep_check_for_gem(node)
+          end
+        end
+
+        private
+
+        attr_reader :dependency, :gemfile
+
+        def deep_check_for_gem(node)
+          return true if declares_targeted_gem?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children.any? do |child_node|
+            deep_check_for_gem(child_node)
+          end
+        end
+
+        def declares_targeted_gem?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+          return false unless node.children[1] == :gem
+
+          node.children[2].children.first == dependency.name
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_updater.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module Bundler
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      require_relative "file_updater/gemfile_updater"
+      require_relative "file_updater/gemspec_updater"
+      require_relative "file_updater/lockfile_updater"
+
+      def self.updated_files_regex
+        [
+          /^Gemfile$/,
+          /^Gemfile\.lock$/,
+          /^gems\.rb$/,
+          /^gems\.locked$/,
+          /^*\.gemspec$/
+        ]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        if gemfile && file_changed?(gemfile)
+          updated_files <<
+            updated_file(
+              file: gemfile,
+              content: updated_gemfile_content(gemfile)
+            )
+        end
+
+        if lockfile && dependencies.any?(&:appears_in_lockfile?)
+          updated_files <<
+            updated_file(file: lockfile, content: updated_lockfile_content)
+        end
+
+        top_level_gemspecs.each do |file|
+          next unless file_changed?(file)
+
+          updated_files <<
+            updated_file(file: file, content: updated_gemspec_content(file))
+        end
+
+        evaled_gemfiles.each do |file|
+          next unless file_changed?(file)
+
+          updated_files <<
+            updated_file(file: file, content: updated_gemfile_content(file))
+        end
+
+        updated_files
+      end
+
+      private
+
+      def check_required_files
+        file_names = dependency_files.map(&:name)
+
+        if lockfile && !gemfile
+          raise "A Gemfile must be provided if a lockfile is!"
+        end
+
+        return if file_names.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
+        return if gemfile
+
+        raise "A gemspec or Gemfile must be provided!"
+      end
+
+      def gemfile
+        @gemfile ||= get_original_file("Gemfile") ||
+                     get_original_file("gems.rb")
+      end
+
+      def lockfile
+        @lockfile ||= get_original_file("Gemfile.lock") ||
+                      get_original_file("gems.locked")
+      end
+
+      def evaled_gemfiles
+        @evaled_gemfiles ||=
+          dependency_files.
+          reject { |f| f.name.end_with?(".gemspec") }.
+          reject { |f| f.name.end_with?(".lock") }.
+          reject { |f| f.name.end_with?(".ruby-version") }.
+          reject { |f| f.name == "Gemfile" }.
+          reject { |f| f.name == "gems.rb" }.
+          reject { |f| f.name == "gems.locked" }
+      end
+
+      def updated_gemfile_content(file)
+        GemfileUpdater.new(
+          dependencies: dependencies,
+          gemfile: file
+        ).updated_gemfile_content
+      end
+
+      def updated_gemspec_content(gemspec)
+        GemspecUpdater.new(
+          dependencies: dependencies,
+          gemspec: gemspec
+        ).updated_gemspec_content
+      end
+
+      def updated_lockfile_content
+        @updated_lockfile_content ||=
+          LockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).updated_lockfile_content
+      end
+
+      def top_level_gemspecs
+        dependency_files.
+          select { |file| file.name.end_with?(".gemspec") }.
+          reject(&:support_file?)
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.
+  register("bundler", Dependabot::Bundler::FileUpdater)

data/lib/dependabot/bundler/file_updater/gemfile_updater.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require "dependabot/bundler/file_updater"
+
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class GemfileUpdater
+        require_relative "git_pin_replacer"
+        require_relative "git_source_remover"
+        require_relative "requirement_replacer"
+
+        def initialize(dependencies:, gemfile:)
+          @dependencies = dependencies
+          @gemfile = gemfile
+        end
+
+        def updated_gemfile_content
+          content = gemfile.content
+
+          dependencies.each do |dependency|
+            content = replace_gemfile_version_requirement(
+              dependency,
+              gemfile,
+              content
+            )
+
+            if remove_git_source?(dependency)
+              content = remove_gemfile_git_source(dependency, content)
+            end
+
+            if update_git_pin?(dependency)
+              content = update_gemfile_git_pin(dependency, gemfile, content)
+            end
+          end
+
+          content
+        end
+
+        private
+
+        attr_reader :dependencies, :gemfile
+
+        def replace_gemfile_version_requirement(dependency, file, content)
+          return content unless requirement_changed?(file, dependency)
+
+          updated_requirement =
+            dependency.requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:requirement)
+
+          previous_requirement =
+            dependency.previous_requirements.
+            find { |r| r[:file] == file.name }.
+            fetch(:requirement)
+
+          RequirementReplacer.new(
+            dependency: dependency,
+            file_type: :gemfile,
+            updated_requirement: updated_requirement,
+            previous_requirement: previous_requirement
+          ).rewrite(content)
+        end
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+
+        def remove_git_source?(dependency)
+          old_gemfile_req =
+            dependency.previous_requirements.
+            find { |f| %w(Gemfile gems.rb).include?(f[:file]) }
+
+          return false unless old_gemfile_req&.dig(:source, :type) == "git"
+
+          new_gemfile_req =
+            dependency.requirements.
+            find { |f| %w(Gemfile gems.rb).include?(f[:file]) }
+
+          new_gemfile_req[:source].nil?
+        end
+
+        def update_git_pin?(dependency)
+          new_gemfile_req =
+            dependency.requirements.
+            find { |f| %w(Gemfile gems.rb).include?(f[:file]) }
+          return false unless new_gemfile_req&.dig(:source, :type) == "git"
+
+          # If the new requirement is a git dependency with a ref then there's
+          # no harm in doing an update
+          new_gemfile_req.dig(:source, :ref)
+        end
+
+        def remove_gemfile_git_source(dependency, content)
+          GitSourceRemover.new(dependency: dependency).rewrite(content)
+        end
+
+        def update_gemfile_git_pin(dependency, file, content)
+          new_pin =
+            dependency.requirements.
+            find { |f| f[:file] == file.name }.
+            fetch(:source).fetch(:ref)
+
+          GitPinReplacer.
+            new(dependency: dependency, new_pin: new_pin).
+            rewrite(content)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_updater/gemspec_dependency_name_finder.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/bundler/file_updater"
+
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class GemspecDependencyNameFinder
+        attr_reader :gemspec_content
+
+        def initialize(gemspec_content:)
+          @gemspec_content = gemspec_content
+        end
+
+        # rubocop:disable Security/Eval
+        def dependency_name
+          ast = Parser::CurrentRuby.parse(gemspec_content)
+          dependency_name_node = find_dependency_name_node(ast)
+          return unless dependency_name_node
+
+          begin
+            eval(dependency_name_node.children[2].loc.expression.source)
+          rescue StandardError
+            nil # If we can't evaluate the expression just return nil
+          end
+        end
+        # rubocop:enable Security/Eval
+
+        private
+
+        def find_dependency_name_node(node)
+          return unless node.is_a?(Parser::AST::Node)
+          return node if declares_dependency_name?(node)
+
+          node.children.find do |cn|
+            dependency_name_node = find_dependency_name_node(cn)
+            break dependency_name_node if dependency_name_node
+          end
+        end
+
+        def declares_dependency_name?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children[1] == :name=
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_updater/gemspec_sanitizer.rb

@@ -0,0 +1,296 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/bundler/file_updater"
+
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class GemspecSanitizer
+        UNNECESSARY_ASSIGNMENTS = %i(
+          bindir=
+          cert_chain=
+          email=
+          executables=
+          extra_rdoc_files=
+          homepage=
+          license=
+          licenses=
+          metadata=
+          post_install_message=
+          rdoc_options=
+        ).freeze
+
+        attr_reader :replacement_version
+
+        def initialize(replacement_version:)
+          @replacement_version = replacement_version
+        end
+
+        def rewrite(content)
+          buffer = Parser::Source::Buffer.new("(gemspec_content)")
+          buffer.source = content
+          ast = Parser::CurrentRuby.new.parse(buffer)
+
+          Rewriter.
+            new(replacement_version: replacement_version).
+            rewrite(buffer, ast)
+        end
+
+        class Rewriter < Parser::TreeRewriter
+          def initialize(replacement_version:)
+            @replacement_version = replacement_version
+          end
+
+          def on_send(node)
+            # Wrap any `require` or `require_relative` calls in a rescue
+            # block, as we might not have the required files
+            wrap_require(node) if requires_file?(node)
+
+            # Remove any assignments to a VERSION constant (or similar), as
+            # that constant probably comes from a required file
+            replace_version_assignments(node)
+
+            # Replace the `s.files= ...` assignment with a blank array, as
+            # occassionally a File.open(..).readlines pattern is used
+            replace_file_assignments(node)
+
+            # Replace the `s.require_path= ...` assignment, as
+            # occassionally a Dir['lib'] pattern is used
+            replace_require_paths_assignments(node)
+
+            # Replace any `File.read(...)` calls with a dummy string
+            replace_file_reads(node)
+
+            # Remove the arguments from any `Find.find(...)` calls
+            remove_find_dot_find_args(node)
+
+            remove_unnecessary_assignments(node)
+          end
+
+          private
+
+          attr_reader :replacement_version
+
+          def requires_file?(node)
+            %i(require require_relative).include?(node.children[1])
+          end
+
+          def wrap_require(node)
+            replace(
+              node.loc.expression,
+              "begin\n"\
+              "#{node.loc.expression.source_line}\n"\
+              "rescue LoadError\n"\
+              "end"
+            )
+          end
+
+          def replace_version_assignments(node)
+            return unless node.is_a?(Parser::AST::Node)
+
+            if node_assigns_to_version_constant?(node)
+              return replace_constant(node)
+            end
+
+            node.children.each { |child| replace_version_assignments(child) }
+          end
+
+          def replace_file_assignments(node)
+            return unless node.is_a?(Parser::AST::Node)
+
+            if node_assigns_files_to_var?(node)
+              return replace_file_assignment(node)
+            end
+
+            node.children.each { |child| replace_file_assignments(child) }
+          end
+
+          def replace_require_paths_assignments(node)
+            return unless node.is_a?(Parser::AST::Node)
+
+            if node_assigns_require_paths?(node)
+              return replace_require_paths_assignment(node)
+            end
+
+            node.children.each do |child|
+              replace_require_paths_assignments(child)
+            end
+          end
+
+          def node_assigns_to_version_constant?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :lvar
+
+            return true if node.children[1] == :version=
+            return true if node_is_version_constant?(node.children.last)
+            return true if node_calls_version_constant?(node.children.last)
+
+            node_interpolates_version_constant?(node.children.last)
+          end
+
+          def node_assigns_files_to_var?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :lvar
+            return false unless node.children[1] == :files=
+
+            node.children[2]&.type == :send
+          end
+
+          def node_assigns_require_paths?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :lvar
+
+            node.children[1] == :require_paths=
+          end
+
+          def replace_file_reads(node)
+            return unless node.is_a?(Parser::AST::Node)
+            return if node.children[1] == :version=
+            return replace_file_read(node) if node_reads_a_file?(node)
+            return replace_file_readlines(node) if node_uses_readlines?(node)
+
+            node.children.each { |child| replace_file_reads(child) }
+          end
+
+          def node_reads_a_file?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :const
+            return false unless node.children.first.children.last == :File
+
+            node.children[1] == :read
+          end
+
+          def node_uses_readlines?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :const
+            return false unless node.children.first.children.last == :File
+
+            node.children[1] == :readlines
+          end
+
+          def remove_find_dot_find_args(node)
+            return unless node.is_a?(Parser::AST::Node)
+            return if node.children[1] == :version=
+            return remove_find_args(node) if node_calls_find_dot_find?(node)
+
+            node.children.each { |child| remove_find_dot_find_args(child) }
+          end
+
+          def node_calls_find_dot_find?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :const
+            return false unless node.children.first.children.last == :Find
+
+            node.children[1] == :find
+          end
+
+          def remove_unnecessary_assignments(node)
+            return unless node.is_a?(Parser::AST::Node)
+
+            if unnecessary_assignment?(node) &&
+               node.children.last&.location&.respond_to?(:heredoc_end)
+              range_to_remove = node.loc.expression.join(
+                node.children.last.location.heredoc_end
+              )
+              return replace(range_to_remove, '"sanitized"')
+            elsif unnecessary_assignment?(node)
+              return replace(node.loc.expression, '"sanitized"')
+            end
+
+            node.children.each do |child|
+              remove_unnecessary_assignments(child)
+            end
+          end
+
+          def unnecessary_assignment?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children.first.is_a?(Parser::AST::Node)
+            return false unless node.children.first&.type == :lvar
+
+            UNNECESSARY_ASSIGNMENTS.include?(node.children[1])
+          end
+
+          def node_is_version_constant?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.type == :const
+
+            node.children.last.to_s.match?(/version/i)
+          end
+
+          def node_calls_version_constant?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.type == :send
+
+            node.children.any? { |n| node_is_version_constant?(n) }
+          end
+
+          def node_interpolates_version_constant?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.type == :dstr
+
+            node.children.
+              select { |n| n.type == :begin }.
+              flat_map(&:children).
+              any? { |n| node_is_version_constant?(n) }
+          end
+
+          def replace_constant(node)
+            case node.children.last&.type
+            when :str, :int then nil # no-op
+            when :const, :send, :lvar
+              replace(
+                node.children.last.loc.expression,
+                %("#{replacement_version}")
+              )
+            when :dstr
+              node.children.last.children.
+                select { |n| n.type == :begin }.
+                flat_map(&:children).
+                select { |n| node_is_version_constant?(n) }.
+                each do |n|
+                  replace(
+                    n.loc.expression,
+                    %("#{replacement_version}")
+                  )
+                end
+            else
+              raise "Unexpected node type #{node.children.last&.type}"
+            end
+          end
+
+          def replace_file_assignment(node)
+            replace(node.children.last.loc.expression, "[]")
+          end
+
+          def replace_require_paths_assignment(node)
+            replace(node.children.last.loc.expression, "['lib']")
+          end
+
+          def replace_file_read(node)
+            replace(node.loc.expression, '"text"')
+          end
+
+          def replace_file_readlines(node)
+            replace(node.loc.expression, '["text"]')
+          end
+
+          def remove_find_args(node)
+            last_arg = node.children.last
+
+            range_to_remove =
+              last_arg.loc.expression.join(node.children[2].loc.begin.begin)
+
+            remove(range_to_remove)
+          end
+        end
+      end
+    end
+  end
+end