dependabot-bundler 0.138.1 → 0.138.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '098bacb84fe60a2f7e46f7f272f89623567b18cd9ce7f21b9450c6ced8c43ce3'
-  data.tar.gz: f13d6f9506e266880ded948007e0df3050962a16efa6ec323e870804dbce5b93
+  metadata.gz: 2eb2653cea8a396b9d65f20ea24e8680bdcb0909c2e28ad045beca904f2a984b
+  data.tar.gz: d7ffc19ecc9db88a04e5222f132e18f94f353eb806ef454d0e958c531531dbd5
 SHA512:
-  metadata.gz: 672c92cf4c9dbafd99e67516d085c8a81ab9cedfc4ef0c1b9e1d1fc70706e19698013ccf546c653bddc857b9a58debd5112ad2c2dddd40abc02d5afac8c3c0fa
-  data.tar.gz: a89c52b1b2b0b7a7cd14b2d9186d6b10d29e63bc29bf890b4e2e74931eaa1ce828e5e8e2117079887bcbee5c85dacf5903092f75febb430c3ef7f107c0c6151d
+  metadata.gz: 28ea0b95452a1c7bc2cf7fe5d3c211c678a89d5b062f7184dc23fd06dd5f8df8a61ccd9e66abb3a807fc10958f74623245ef4809830600a44ce6472095ce369a
+  data.tar.gz: 46c21b5dbc8ddaac57a40c1a6e48c16427562c829d6b29879a5b1b6d77b9d3c16ebdef515ef32c6f71d4c57c4feeed57ff22ee7f78a6839991e3444cefd44181

data/helpers/v2/.gitignore

@@ -1,5 +1,4 @@
-/.bundle/*
-!/.bundle/config
+/.bundle
 /.env
 /tmp
 /dependabot-*.gem

data/helpers/v2/build

@@ -10,7 +10,6 @@ fi
 
 helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
 cp -r \
-  "$helpers_dir/.bundle" \
   "$helpers_dir/lib" \
   "$helpers_dir/run.rb" \
   "$helpers_dir/Gemfile" \
@@ -20,4 +19,5 @@ cd "$install_dir"
 
 # NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
 # forcing specs and native helpers to run with the same version
-BUNDLER_VERSION=2 bundle install
+BUNDLER_VERSION=2 bundle config set --local path ".bundle"
+BUNDLER_VERSION=2 bundle install --without test

data/helpers/v2/lib/functions.rb

@@ -1,12 +1,20 @@
+require "functions/file_parser"
+
 module Functions
   class NotImplementedError < StandardError; end
 
   def self.parsed_gemfile(lockfile_name:, gemfile_name:, dir:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: [],
+      using_bundler2: false)
+    FileParser.new(lockfile_name: lockfile_name).
+      parsed_gemfile(gemfile_name: gemfile_name)
   end
 
   def self.parsed_gemspec(lockfile_name:, gemspec_name:, dir:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: [],
+      using_bundler2: false)
+    FileParser.new(lockfile_name: lockfile_name).
+      parsed_gemspec(gemspec_name: gemspec_name)
   end
 
   def self.vendor_cache_dir(dir:)
@@ -57,7 +65,47 @@ module Functions
 
   def self.set_bundler_flags_and_credentials(dir:, credentials:,
                                              using_bundler2:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    dir = dir ? Pathname.new(dir) : dir
+    Bundler.instance_variable_set(:@root, dir)
+
+    # Remove installed gems from the default Rubygems index
+    Gem::Specification.all =
+      Gem::Specification.send(:default_stubs, "*.gemspec")
+
+    # Set auth details
+    relevant_credentials(credentials).each do |cred|
+      token = cred["token"] ||
+              "#{cred['username']}:#{cred['password']}"
+
+      Bundler.settings.set_command_option(
+        cred.fetch("host"),
+        token.gsub("@", "%40F").gsub("?", "%3F")
+      )
+    end
+
+    # NOTE: Prevent bundler from printing resolution information
+    Bundler.ui = Bundler::UI::Silent.new
+
+    # Use HTTPS for GitHub if lockfile
+    Bundler.settings.set_command_option("forget_cli_options", "true")
+    Bundler.settings.set_command_option("github.https", "true")
+  end
+
+  def self.relevant_credentials(credentials)
+    [
+      *git_source_credentials(credentials),
+      *private_registry_credentials(credentials)
+    ].select { |cred| cred["password"] || cred["token"] }
+  end
+
+  def self.private_registry_credentials(credentials)
+    credentials.
+      select { |cred| cred["type"] == "rubygems_server" }
+  end
+
+  def self.git_source_credentials(credentials)
+    credentials.
+      select { |cred| cred["type"] == "git_source" }
   end
 
   def self.conflicting_dependencies(dir:, dependency_name:, target_version:,

data/helpers/v2/lib/functions/file_parser.rb

@@ -0,0 +1,106 @@
+module Functions
+  class FileParser
+    def initialize(lockfile_name:)
+      @lockfile_name = lockfile_name
+    end
+
+    attr_reader :lockfile_name
+
+    def parsed_gemfile(gemfile_name:)
+      Bundler::Definition.build(gemfile_name, nil, {}).
+        dependencies.select(&:current_platform?).
+        reject { |dep| dep.source.is_a?(Bundler::Source::Gemspec) }.
+        map(&method(:serialize_bundler_dependency))
+    end
+
+    def parsed_gemspec(gemspec_name:)
+      Bundler.load_gemspec_uncached(gemspec_name).
+        dependencies.
+        map(&method(:serialize_bundler_dependency))
+    end
+
+    private
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def parsed_lockfile
+      return unless lockfile
+
+      @parsed_lockfile ||= Bundler::LockfileParser.new(lockfile)
+    end
+
+    def source_from_lockfile(dependency_name)
+      parsed_lockfile&.specs.find { |s| s.name == dependency_name }&.source
+    end
+
+    def source_for(dependency)
+      source = dependency.source
+      if lockfile && default_rubygems?(source)
+        # If there's a lockfile and the Gemfile doesn't have anything
+        # interesting to say about the source, check that.
+        source = source_from_lockfile(dependency.name)
+      end
+      raise "Bad source: #{source}" unless sources.include?(source.class)
+
+      return nil if default_rubygems?(source)
+
+      details = { type: source.class.name.split("::").last.downcase }
+      if source.is_a?(Bundler::Source::Git)
+        details.merge!(git_source_details(source))
+      end
+      if source.is_a?(Bundler::Source::Rubygems)
+        details[:url] = source.remotes.first.to_s
+      end
+      details
+    end
+
+    # TODO: Remove default `master` branch
+    def git_source_details(source)
+      {
+        url: source.uri,
+        branch: source.branch || "master",
+        ref: source.ref || "master"
+      }
+    end
+
+    def default_rubygems?(source)
+      return true if source.nil?
+      return false unless source.is_a?(Bundler::Source::Rubygems)
+
+      source.remotes.any? { |r| r.to_s.include?("rubygems.org") }
+    end
+
+    def serialize_bundler_dependency(dependency)
+      {
+        name: dependency.name,
+        requirement: dependency.requirement,
+        groups: dependency.groups,
+        source: source_for(dependency),
+        type: dependency.type
+      }
+    end
+
+    # Can't be a constant because some of these don't exist in bundler
+    # 1.15, which used to cause issues on Heroku (causing exception on boot).
+    # TODO: Check if this will be an issue with multiple bundler versions
+    def sources
+      [
+        NilClass,
+        Bundler::Source::Rubygems,
+        Bundler::Source::Git,
+        Bundler::Source::Path,
+        Bundler::Source::Gemspec,
+        Bundler::Source::Metadata
+      ]
+    end
+  end
+end

data/helpers/v2/monkey_patches/definition_bundler_version_patch.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "bundler/definition"
+
+# Ignore the Bundler version specified in the Gemfile (since the only Bundler
+# version available to us is the one we're using).
+module BundlerDefinitionBundlerVersionPatch
+  def expanded_dependencies
+    @expanded_dependencies ||=
+      expand_dependencies(dependencies + metadata_dependencies, @remote).
+      reject { |d| d.name == "bundler" }
+  end
+end
+
+Bundler::Definition.prepend(BundlerDefinitionBundlerVersionPatch)

data/helpers/v2/monkey_patches/definition_ruby_version_patch.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "bundler/definition"
+
+module BundlerDefinitionRubyVersionPatch
+  def index
+    @index ||= super.tap do
+      if ruby_version
+        requested_version = ruby_version.to_gem_version_with_patchlevel
+        sources.metadata_source.specs <<
+          Gem::Specification.new("ruby\0", requested_version)
+      end
+
+      sources.metadata_source.specs <<
+        Gem::Specification.new("ruby\0", "2.5.3p105")
+    end
+  end
+end
+
+Bundler::Definition.prepend(BundlerDefinitionRubyVersionPatch)

data/helpers/v2/monkey_patches/git_source_patch.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "bundler/source"
+
+module Bundler
+  class Source
+    class Git
+      class GitProxy
+        private
+
+        # Bundler allows ssh authentication when talking to GitHub but there's
+        # no way for Dependabot to do so (it doesn't have any ssh keys).
+        # Instead, we convert all `git@github.com:` URLs to use HTTPS.
+        def configured_uri_for(uri)
+          uri = uri.gsub(%r{git@(.*?):/?}, 'https://\1/')
+          if /https?:/ =~ uri
+            remote = Bundler::URI(uri)
+            config_auth = Bundler.settings[remote.to_s] || Bundler.settings[remote.host]
+            remote.userinfo ||= config_auth
+            remote.to_s
+          else
+            uri
+          end
+        end
+      end
+    end
+  end
+end
+
+module Bundler
+  class Source
+    class Git < Path
+      private
+
+      def serialize_gemspecs_in(destination)
+        original_load_paths = $LOAD_PATH.dup
+        reduced_load_paths = original_load_paths.
+                             reject { |p| p.include?("/gems/") }
+
+        $LOAD_PATH.shift until $LOAD_PATH.empty?
+        reduced_load_paths.each { |p| $LOAD_PATH << p }
+
+        if destination.relative?
+          destination = destination.expand_path(Bundler.root)
+        end
+        Dir["#{destination}/#{@glob}"].each do |spec_path|
+          # Evaluate gemspecs and cache the result. Gemspecs
+          # in git might require git or other dependencies.
+          # The gemspecs we cache should already be evaluated.
+          spec = Bundler.load_gemspec(spec_path)
+          next unless spec
+
+          Bundler.rubygems.set_installed_by_version(spec)
+          Bundler.rubygems.validate(spec)
+          File.open(spec_path, "wb") { |file| file.write(spec.to_ruby) }
+        end
+        $LOAD_PATH.shift until $LOAD_PATH.empty?
+        original_load_paths.each { |p| $LOAD_PATH << p }
+      end
+    end
+  end
+end

data/helpers/v2/spec/functions/file_parser_spec.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::FileParser do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:project_name) { "gemfile" }
+
+  describe "#parsed_gemfile" do
+    subject(:parsed_gemfile) do
+      in_tmp_folder do
+        dependency_source.parsed_gemfile(gemfile_name: "Gemfile")
+      end
+    end
+
+    it "parses gemfile" do
+      parsed_gemfile = [
+        {
+          groups: [:default],
+          name: "business",
+          requirement: Gem::Requirement.new("~> 1.4.0"),
+          source: nil,
+          type: :runtime
+        },
+        {
+          groups: [:default],
+          name: "statesman",
+          requirement: Gem::Requirement.new("~> 1.2.0"),
+          source: nil,
+          type: :runtime
+        }
+      ]
+      is_expected.to eq(parsed_gemfile)
+    end
+
+    context "with a git source" do
+      let(:project_name) { "git_source" }
+
+      it "parses gemfile" do
+        parsed_gemfile = [
+          {
+            groups: [:default],
+            name: "business",
+            requirement: Gem::Requirement.new("~> 1.6.0"),
+            source: {
+              branch: "master",
+              ref: "a1b78a9",
+              type: "git",
+              url: "git@github.com:gocardless/business"
+            },
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "statesman",
+            requirement: Gem::Requirement.new("~> 1.2.0"),
+            source: nil,
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "prius",
+            requirement:  Gem::Requirement.new(">= 0"),
+            source: {
+              branch: "master",
+              ref: "master",
+              type: "git",
+              url: "https://github.com/gocardless/prius"
+            },
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "que",
+            requirement:  Gem::Requirement.new(">= 0"),
+            source: {
+              branch: "master",
+              ref: "v0.11.6",
+              type: "git",
+              url: "git@github.com:chanks/que"
+            },
+            type: :runtime
+          },
+          {
+            groups: [:default],
+            name: "uk_phone_numbers",
+            requirement:  Gem::Requirement.new(">= 0"),
+            source: {
+              branch: "master",
+              ref: "master",
+              type: "git",
+              url: "http://github.com/gocardless/uk_phone_numbers"
+            },
+            type: :runtime
+          }
+        ]
+        is_expected.to eq(parsed_gemfile)
+      end
+    end
+  end
+
+  describe "#parsed_gemspec" do
+    let!(:gemspec_fixture) do
+      fixture("ruby", "gemspecs", "exact")
+    end
+
+    subject(:parsed_gemspec) do
+      in_tmp_folder do |tmp_path|
+        File.write(File.join(tmp_path, "test.gemspec"), gemspec_fixture)
+        dependency_source.parsed_gemspec(gemspec_name: "test.gemspec")
+      end
+    end
+
+    it "parses gemspec" do
+      parsed_gemspec = [
+        {
+          groups: nil,
+          name: "business",
+          requirement: Gem::Requirement.new("= 1.0.0"),
+          source: nil,
+          type: :runtime
+        },
+        {
+          groups: nil,
+          name: "statesman",
+          requirement: Gem::Requirement.new("= 1.0.0"),
+          source: nil,
+          type: :runtime
+        }
+      ]
+      is_expected.to eq(parsed_gemspec)
+    end
+  end
+end

data/helpers/v2/spec/functions_spec.rb

@@ -5,8 +5,6 @@ require "native_spec_helper"
 RSpec.describe Functions do
   # Verify v1 method signatures are exist, but raise as NYI
   {
-    parsed_gemfile: [ :lockfile_name, :gemfile_name, :dir ],
-    parsed_gemspec: [ :lockfile_name, :gemspec_name, :dir ],
     vendor_cache_dir: [ :dir ],
     update_lockfile: [ :dir, :gemfile_name, :lockfile_name, :using_bundler2, :credentials, :dependencies ],
     force_update: [ :dir, :dependency_name, :target_version, :gemfile_name, :lockfile_name, :using_bundler2,
@@ -19,7 +17,6 @@ RSpec.describe Functions do
                       :dir, :credentials],
     jfrog_source: [:dir, :gemfile_name, :credentials, :using_bundler2],
     git_specs: [:dir, :gemfile_name, :credentials, :using_bundler2],
-    set_bundler_flags_and_credentials: [:dir, :credentials, :using_bundler2],
     conflicting_dependencies: [:dir, :dependency_name, :target_version, :lockfile_name, :using_bundler2, :credentials]
   }.each do |function, kwargs|
     describe "::#{function}" do

data/helpers/v2/spec/native_spec_helper.rb

@@ -5,8 +5,7 @@ require "webmock/rspec"
 require "byebug"
 
 $LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
-# TODO: Fork `v1/monkey_patches` into `v2/monkey_patches` ?
-$LOAD_PATH.unshift(File.expand_path("../../v1/monkey_patches", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../monkey_patches", __dir__))
 
 # Bundler monkey patches
 require "definition_ruby_version_patch"

data/helpers/v2/spec/shared_contexts.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require "tmpdir"
+require "bundler/compact_index_client"
+require "bundler/compact_index_client/updater"
+
+TMP_DIR_PATH = File.expand_path("../tmp", __dir__)
+
+RSpec.shared_context "in a temporary bundler directory" do
+  let(:project_name) { "gemfile" }
+
+  let(:tmp_path) do
+    Dir.mkdir(TMP_DIR_PATH) unless Dir.exist?(TMP_DIR_PATH)
+    dir = Dir.mktmpdir("native_helper_spec_", TMP_DIR_PATH)
+    Pathname.new(dir).expand_path
+  end
+
+  before do
+    project_dependency_files(project_name).each do |file|
+      File.write(File.join(tmp_path, file[:name]), file[:content])
+    end
+  end
+
+  def in_tmp_folder(&block)
+    Dir.chdir(tmp_path, &block)
+  end
+end
+
+RSpec.shared_context "without caching rubygems" do
+  before do
+    # Stub Bundler to stop it using a cached versions of Rubygems
+    allow_any_instance_of(Bundler::CompactIndexClient::Updater).
+      to receive(:etag_for).and_return("")
+  end
+end
+
+RSpec.shared_context "stub rubygems compact index" do
+  include_context "without caching rubygems"
+
+  before do
+    # Stub the Rubygems index
+    stub_request(:get, "https://index.rubygems.org/versions").
+      to_return(
+        status: 200,
+        body: fixture("ruby", "rubygems_responses", "index")
+      )
+
+    # Stub the Rubygems response for each dependency we have a fixture for
+    fixtures =
+      Dir[File.join("../../spec", "fixtures", "ruby", "rubygems_responses", "info-*")]
+    fixtures.each do |path|
+      dep_name = path.split("/").last.gsub("info-", "")
+      stub_request(:get, "https://index.rubygems.org/info/#{dep_name}").
+        to_return(
+          status: 200,
+          body: fixture("ruby", "rubygems_responses", "info-#{dep_name}")
+        )
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.138.1
+  version: 0.138.2
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-17 00:00:00.000000000 Z
+date: 2021-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.1
+        version: 0.138.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.1
+        version: 0.138.2
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -206,14 +206,19 @@ files:
 - helpers/v1/spec/functions/version_resolver_spec.rb
 - helpers/v1/spec/native_spec_helper.rb
 - helpers/v1/spec/shared_contexts.rb
-- helpers/v2/.bundle/config
 - helpers/v2/.gitignore
 - helpers/v2/Gemfile
 - helpers/v2/build
 - helpers/v2/lib/functions.rb
+- helpers/v2/lib/functions/file_parser.rb
+- helpers/v2/monkey_patches/definition_bundler_version_patch.rb
+- helpers/v2/monkey_patches/definition_ruby_version_patch.rb
+- helpers/v2/monkey_patches/git_source_patch.rb
 - helpers/v2/run.rb
+- helpers/v2/spec/functions/file_parser_spec.rb
 - helpers/v2/spec/functions_spec.rb
 - helpers/v2/spec/native_spec_helper.rb
+- helpers/v2/spec/shared_contexts.rb
 - lib/dependabot/bundler.rb
 - lib/dependabot/bundler/file_fetcher.rb
 - lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb

data/helpers/v2/.bundle/config

@@ -1,2 +0,0 @@
----
-BUNDLE_PATH: ".bundle"