RubyGems - dependabot-bundler - Versions diffs - 0.95.5 → 0.95.6 - Mend

dependabot-bundler 0.95.5 → 0.95.6

Files changed (36) hide show

data/lib/dependabot/bundler/file_fetcher/path_gemspec_finder.rb DELETED Viewed

@@ -1,112 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/bundler/file_fetcher"
-require "dependabot/errors"
-module Dependabot
-  module Bundler
-    class FileFetcher
-      # Finds the paths of any gemspecs declared using `path: ` in the
-      # passed Gemfile.
-      class PathGemspecFinder
-        def initialize(gemfile:)
-          @gemfile = gemfile
-        end
-        def path_gemspec_paths
-          ast = Parser::CurrentRuby.parse(gemfile.content)
-          find_path_gemspec_paths(ast)
-        rescue Parser::SyntaxError
-          raise Dependabot::DependencyFileNotParseable, gemfile.path
-        end
-        private
-        attr_reader :gemfile
-        # rubocop:disable Security/Eval
-        def find_path_gemspec_paths(node)
-          return [] unless node.is_a?(Parser::AST::Node)
-          if declares_path_dependency?(node)
-            path_node = path_node_for_gem_declaration(node)
-            begin
-              # We use eval here, but we know what we're doing. The
-              # FileFetchers helper method should only ever be run in an
-              # isolated environment
-              path = eval(path_node.loc.expression.source)
-            rescue StandardError
-              return []
-            end
-            return [clean_path(path)]
-          end
-          relevant_child_nodes(node).flat_map do |child_node|
-            find_path_gemspec_paths(child_node)
-          end
-        end
-        # rubocop:enable Security/Eval
-        def current_dir
-          @current_dir ||= gemfile.name.rpartition("/").first
-          @current_dir = nil if @current_dir == ""
-          @current_dir
-        end
-        def declares_path_dependency?(node)
-          return false unless node.is_a?(Parser::AST::Node)
-          return false unless node.children[1] == :gem
-          !path_node_for_gem_declaration(node).nil?
-        end
-        def clean_path(path)
-          if Pathname.new(path).absolute?
-            base_path = Pathname.new(File.expand_path(Dir.pwd))
-            path = Pathname.new(path).relative_path_from(base_path).to_s
-          end
-          path = File.join(current_dir, path) unless current_dir.nil?
-          Pathname.new(path).cleanpath
-        end
-        # rubocop:disable Security/Eval
-        def relevant_child_nodes(node)
-          return [] unless node.is_a?(Parser::AST::Node)
-          return node.children unless node.type == :if
-          begin
-            if eval(node.children.first.loc.expression.source)
-              [node.children[1]]
-            else
-              [node.children[2]]
-            end
-          rescue StandardError
-            return node.children
-          end
-        end
-        # rubocop:enable Security/Eval
-        def path_node_for_gem_declaration(node)
-          return unless node.children.last.type == :hash
-          kwargs_node = node.children.last
-          path_hash_pair =
-            kwargs_node.children.
-            find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
-          return unless path_hash_pair
-          path_hash_pair.children.last
-        end
-        def key_from_hash_pair(node)
-          node.children.first.children.first.to_sym
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/bundler/file_fetcher/require_relative_finder.rb DELETED Viewed

@@ -1,65 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/bundler/file_fetcher"
-require "dependabot/errors"
-module Dependabot
-  module Bundler
-    class FileFetcher
-      # Finds the paths of any files included using `require_relative` in the
-      # passed file.
-      class RequireRelativeFinder
-        def initialize(file:)
-          @file = file
-        end
-        def require_relative_paths
-          ast = Parser::CurrentRuby.parse(file.content)
-          find_require_relative_paths(ast)
-        rescue Parser::SyntaxError
-          raise Dependabot::DependencyFileNotParseable, file.path
-        end
-        private
-        attr_reader :file
-        # rubocop:disable Security/Eval
-        def find_require_relative_paths(node)
-          return [] unless node.is_a?(Parser::AST::Node)
-          if declares_require_relative?(node)
-            # We use eval here, but we know what we're doing. The FileFetchers
-            # helper method should only ever be run in an isolated environment
-            source = node.children[2].loc.expression.source
-            begin
-              path = eval(source)
-            rescue StandardError
-              return []
-            end
-            path = File.join(current_dir, path) unless current_dir.nil?
-            return [Pathname.new(path + ".rb").cleanpath.to_path]
-          end
-          node.children.flat_map do |child_node|
-            find_require_relative_paths(child_node)
-          end
-        end
-        # rubocop:enable Security/Eval
-        def current_dir
-          @current_dir ||= file.name.split("/")[0..-2].last
-        end
-        def declares_require_relative?(node)
-          return false unless node.is_a?(Parser::AST::Node)
-          node.children[1] == :require_relative
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/bundler/file_parser.rb DELETED Viewed

@@ -1,297 +0,0 @@
-# frozen_string_literal: true
-require "dependabot/dependency"
-require "dependabot/file_parsers"
-require "dependabot/file_parsers/base"
-require "dependabot/bundler/file_updater/lockfile_updater"
-require "dependabot/bundler/version"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-module Dependabot
-  module Bundler
-    class FileParser < Dependabot::FileParsers::Base
-      require "dependabot/file_parsers/base/dependency_set"
-      require "dependabot/bundler/file_parser/file_preparer"
-      require "dependabot/bundler/file_parser/gemfile_checker"
-      def parse
-        dependency_set = DependencySet.new
-        dependency_set += gemfile_dependencies
-        dependency_set += gemspec_dependencies
-        dependency_set += lockfile_dependencies
-        dependency_set.dependencies
-      end
-      private
-      # Can't be a constant because some of these don't exist in bundler
-      # 1.15, which Heroku uses, which causes an exception on boot.
-      def sources
-        [
-          NilClass,
-          ::Bundler::Source::Rubygems,
-          ::Bundler::Source::Git,
-          ::Bundler::Source::Path,
-          ::Bundler::Source::Gemspec,
-          ::Bundler::Source::Metadata
-        ]
-      end
-      def gemfile_dependencies
-        dependencies = DependencySet.new
-        return dependencies unless gemfile
-        [gemfile, *evaled_gemfiles].each do |file|
-          parsed_gemfile.each do |dep|
-            next unless dependency_in_gemfile?(gemfile: file, dependency: dep)
-            dependencies <<
-              Dependency.new(
-                name: dep.name,
-                version: dependency_version(dep.name)&.to_s,
-                requirements: [{
-                  requirement: dep.requirement.to_s,
-                  groups: dep.groups,
-                  source: source_for(dep),
-                  file: file.name
-                }],
-                package_manager: "bundler"
-              )
-          end
-        end
-        dependencies
-      end
-      def gemspec_dependencies
-        dependencies = DependencySet.new
-        gemspecs.each do |gemspec|
-          parsed_gemspec(gemspec).dependencies.each do |dependency|
-            dependencies <<
-              Dependency.new(
-                name: dependency.name,
-                version: dependency_version(dependency.name)&.to_s,
-                requirements: [{
-                  requirement: dependency.requirement.to_s,
-                  groups: dependency.runtime? ? ["runtime"] : ["development"],
-                  source: nil,
-                  file: gemspec.name
-                }],
-                package_manager: "bundler"
-              )
-          end
-        end
-        dependencies
-      end
-      def lockfile_dependencies
-        dependencies = DependencySet.new
-        return dependencies unless lockfile
-        # Create a DependencySet where each element has no requirement. Any
-        # requirements will be added when combining the DependencySet with
-        # other DependencySets.
-        parsed_lockfile.specs.each do |dependency|
-          next if dependency.source.is_a?(::Bundler::Source::Path)
-          dependencies <<
-            Dependency.new(
-              name: dependency.name,
-              version: dependency_version(dependency.name)&.to_s,
-              requirements: [],
-              package_manager: "bundler"
-            )
-        end
-        dependencies
-      end
-      def parsed_gemfile
-        base_directory = dependency_files.first.directory
-        @parsed_gemfile ||=
-          SharedHelpers.in_a_temporary_directory(base_directory) do
-            write_temporary_dependency_files
-            SharedHelpers.in_a_forked_process do
-              ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-              ::Bundler::Definition.build(gemfile.name, nil, {}).
-                dependencies.
-                select(&:current_platform?).
-                # We can't dump gemspec sources, and we wouldn't bump them
-                # anyway, so we filter them out.
-                reject { |dep| dep.source.is_a?(::Bundler::Source::Gemspec) }
-            end
-          end
-      rescue SharedHelpers::ChildProcessFailed => error
-        msg = error.error_class + " with message: " +
-              error.error_message.force_encoding("UTF-8").encode
-        raise Dependabot::DependencyFileNotEvaluatable, msg
-      end
-      def parsed_gemspec(file)
-        @parsed_gemspecs ||= {}
-        @parsed_gemspecs[file.name] ||=
-          SharedHelpers.in_a_temporary_directory do
-            [file, *imported_ruby_files].each do |f|
-              path = f.name
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(path, f.content)
-            end
-            SharedHelpers.in_a_forked_process do
-              ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-              ::Bundler.load_gemspec_uncached(file.name)
-            end
-          end
-      rescue SharedHelpers::ChildProcessFailed => error
-        msg = error.error_class + " with message: " + error.error_message
-        raise Dependabot::DependencyFileNotEvaluatable, msg
-      end
-      def prepared_dependency_files
-        @prepared_dependency_files ||=
-          FilePreparer.new(dependency_files: dependency_files).
-          prepared_dependency_files
-      end
-      def write_temporary_dependency_files
-        prepared_dependency_files.each do |file|
-          path = file.name
-          FileUtils.mkdir_p(Pathname.new(path).dirname)
-          File.write(path, file.content)
-        end
-      end
-      def check_required_files
-        file_names = dependency_files.map(&:name)
-        return if file_names.any? do |name|
-          name.end_with?(".gemspec") && !name.include?("/")
-        end
-        return if gemfile
-        raise "A gemspec or Gemfile must be provided!"
-      end
-      def source_for(dependency)
-        source = dependency.source
-        if lockfile && default_rubygems?(source)
-          # If there's a lockfile and the Gemfile doesn't have anything
-          # interesting to say about the source, check that.
-          source = source_from_lockfile(dependency.name)
-        end
-        raise "Bad source: #{source}" unless sources.include?(source.class)
-        return nil if default_rubygems?(source)
-        details = { type: source.class.name.split("::").last.downcase }
-        if source.is_a?(::Bundler::Source::Git)
-          details.merge!(git_source_details(source))
-        end
-        if source.is_a?(::Bundler::Source::Rubygems)
-          details[:url] = source.remotes.first.to_s
-        end
-        details
-      end
-      def git_source_details(source)
-        {
-          url: source.uri,
-          branch: source.branch || "master",
-          ref: source.ref
-        }
-      end
-      def default_rubygems?(source)
-        return true if source.nil?
-        return false unless source.is_a?(::Bundler::Source::Rubygems)
-        source.remotes.any? { |r| r.to_s.include?("rubygems.org") }
-      end
-      def dependency_version(dependency_name)
-        return unless lockfile
-        spec = parsed_lockfile.specs.find { |s| s.name == dependency_name }
-        # Not all files in the Gemfile will appear in the Gemfile.lock. For
-        # instance, if a gem specifies `platform: [:windows]`, and the
-        # Gemfile.lock is generated on a Linux machine, the gem will be not
-        # appear in the lockfile.
-        return unless spec
-        # If the source is Git we're better off knowing the SHA-1 than the
-        # version.
-        if spec.source.instance_of?(::Bundler::Source::Git)
-          return spec.source.revision
-        end
-        spec.version
-      end
-      def source_from_lockfile(dependency_name)
-        parsed_lockfile.specs.find { |s| s.name == dependency_name }&.source
-      end
-      def dependency_in_gemfile?(gemfile:, dependency:)
-        GemfileChecker.new(
-          dependency: dependency,
-          gemfile: gemfile
-        ).includes_dependency?
-      end
-      def gemfile
-        @gemfile ||= get_original_file("Gemfile") ||
-                     get_original_file("gems.rb")
-      end
-      def evaled_gemfiles
-        dependency_files.
-          reject { |f| f.name.end_with?(".gemspec") }.
-          reject { |f| f.name.end_with?(".lock") }.
-          reject { |f| f.name.end_with?(".ruby-version") }.
-          reject { |f| f.name == "Gemfile" }.
-          reject { |f| f.name == "gems.rb" }.
-          reject { |f| f.name == "gems.locked" }
-      end
-      def lockfile
-        @lockfile ||= get_original_file("Gemfile.lock") ||
-                      get_original_file("gems.locked")
-      end
-      def parsed_lockfile
-        @parsed_lockfile ||=
-          ::Bundler::LockfileParser.new(sanitized_lockfile_content)
-      end
-      def sanitized_lockfile_content
-        regex = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
-        lockfile.content.gsub(regex, "")
-      end
-      def gemspecs
-        # Path gemspecs are excluded (they're supporting files)
-        @gemspecs ||= prepared_dependency_files.
-                      select { |file| file.name.end_with?(".gemspec") }.
-                      reject(&:support_file?)
-      end
-      def imported_ruby_files
-        dependency_files.
-          select { |f| f.name.end_with?(".rb") }.
-          reject { |f| f.name == "gems.rb" }
-      end
-    end
-  end
-end
-Dependabot::FileParsers.
-  register("bundler", Dependabot::Bundler::FileParser)