dependabot-cargo 0.81.0

data/lib/dependabot/cargo/metadata_finder.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Cargo
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      SOURCE_KEYS = %w(repository homepage documentation).freeze
+
+      private
+
+      def look_up_source
+        case new_source_type
+        when "default" then find_source_from_crates_listing
+        when "git" then find_source_from_git_url
+        else raise "Unexpected source type: #{new_source_type}"
+        end
+      end
+
+      def new_source_type
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        return "default" if sources.empty?
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first[:type] || sources.first.fetch("type")
+      end
+
+      def find_source_from_crates_listing
+        potential_source_urls =
+          SOURCE_KEYS.
+          map { |key| crates_listing.dig("crate", key) }.
+          compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        Source.from_url(source_url)
+      end
+
+      def find_source_from_git_url
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+        url = info[:url] || info.fetch("url")
+        Source.from_url(url)
+      end
+
+      def crates_listing
+        return @crates_listing unless @crates_listing.nil?
+
+        response = Excon.get(
+          "https://crates.io/api/v1/crates/#{dependency.name}",
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        @crates_listing = JSON.parse(response.body)
+      end
+    end
+  end
+end

data/lib/dependabot/cargo/requirement.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on rust version constraints, see:                           #
+# - https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html     #
+# - https://steveklabnik.github.io/semver/semver/index.html                    #
+################################################################################
+
+require "dependabot/utils"
+require "dependabot/cargo/version"
+
+module Dependabot
+  module Cargo
+    class Requirement < Gem::Requirement
+      quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
+      version_pattern = Cargo::Version::VERSION_PATTERN
+
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+
+      # Use Cargo::Version rather than Gem::Version to ensure that
+      # pre-release versions aren't transformed.
+      def self.parse(obj)
+        return ["=", Cargo::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Cargo::Version.new(matches[2])]
+      end
+
+      # For consistency with other langauges, we define a requirements array.
+      # Rust doesn't have an `OR` separator for requirements, so it always
+      # contains a single element.
+      def self.requirements_array(requirement_string)
+        [new(requirement_string)]
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          req_string.split(",").map do |r|
+            convert_rust_constraint_to_ruby_constraint(r.strip)
+          end
+        end
+
+        super(requirements)
+      end
+
+      private
+
+      def convert_rust_constraint_to_ruby_constraint(req_string)
+        req_string = req_string
+
+        if req_string.include?("*")
+          ruby_range(req_string.gsub(/(?:\.|^)[*]/, "").gsub(/^[^\d]/, ""))
+        elsif req_string.match?(/^~[^>]/) then convert_tilde_req(req_string)
+        elsif req_string.match?(/^[\d^]/) then convert_caret_req(req_string)
+        elsif req_string.match?(/[<=>]/) then req_string
+        else ruby_range(req_string)
+        end
+      end
+
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~/, "")
+        parts = version.split(".")
+        parts << "0" if parts.count < 3
+        "~> #{parts.join('.')}"
+      end
+
+      def ruby_range(req_string)
+        parts = req_string.split(".")
+
+        # If we have three or more parts then this is an exact match
+        return req_string if parts.count >= 3
+
+        # If we have no parts then the version is completely unlocked
+        return ">= 0" if parts.count.zero?
+
+        # If we have fewer than three parts we do a partial match
+        parts << "0"
+        "~> #{parts.join('.')}"
+      end
+
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^/, "")
+        parts = version.split(".")
+        first_non_zero = parts.find { |d| d != "0" }
+        first_non_zero_index =
+          first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+        upper_bound = parts.map.with_index do |part, i|
+          if i < first_non_zero_index then part
+          elsif i == first_non_zero_index then (part.to_i + 1).to_s
+          else 0
+          end
+        end.join(".")
+
+        [">= #{version}", "< #{upper_bound}"]
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("cargo", Dependabot::Cargo::Requirement)

data/lib/dependabot/cargo/update_checker.rb

@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/git_commit_checker"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+
+module Dependabot
+  module Cargo
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_resolver"
+      require_relative "update_checker/file_preparer"
+
+      def latest_version
+        return if path_dependency?
+
+        @latest_version =
+          if git_dependency?
+            latest_version_for_git_dependency
+          elsif git_subdependency?
+            # TODO: Dependabot can't update git sub-dependencies yet, because
+            # they can't be passed to GitCommitChecker.
+            nil
+          else
+            versions = available_versions
+            versions.reject!(&:prerelease?) unless wants_prerelease?
+            versions.reject! do |v|
+              ignore_reqs.any? { |r| r.satisfied_by?(v) }
+            end
+            versions.max
+          end
+      end
+
+      def latest_resolvable_version
+        return if path_dependency?
+
+        @latest_resolvable_version ||=
+          if git_dependency?
+            latest_resolvable_version_for_git_dependency
+          elsif git_subdependency?
+            # TODO: Dependabot can't update git sub-dependencies yet, because
+            # they can't be passed to GitCommitChecker.
+            nil
+          else
+            fetch_latest_resolvable_version(unlock_requirement: true)
+          end
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        return if path_dependency?
+
+        @latest_resolvable_version_with_no_unlock ||=
+          if git_dependency?
+            latest_resolvable_commit_with_unchanged_git_source
+          else
+            fetch_latest_resolvable_version(unlock_requirement: false)
+          end
+      end
+
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          updated_source: updated_source,
+          latest_resolvable_version: latest_resolvable_version&.to_s,
+          latest_version: latest_version&.to_s,
+          library: library?,
+          update_strategy: requirement_update_strategy
+        ).updated_requirements
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't implemented for Rust (yet)
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def library?
+        # If it has a lockfile, treat it as an application. Otherwise treat it
+        # as a library.
+        dependency_files.none? { |f| f.name == "Cargo.lock" }
+      end
+
+      def requirement_update_strategy
+        library? ? :bump_versions_if_necessary : :bump_versions
+      end
+
+      def latest_version_for_git_dependency
+        latest_git_version_sha
+      end
+
+      def latest_git_version_sha
+        # If the gem isn't pinned, the latest version is just the latest
+        # commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return git_commit_checker.head_commit_for_current_branch
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version?
+          latest_tag = git_commit_checker.local_tag_for_latest_version
+          return latest_tag&.fetch(:commit_sha) || dependency.version
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        dependency.version
+      end
+
+      def latest_resolvable_version_for_git_dependency
+        # If the gem isn't pinned, the latest version is just the latest
+        # commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return latest_resolvable_commit_with_unchanged_git_source
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return new_tag.fetch(:commit_sha)
+        end
+
+        # If the dependency is pinned then there's nothing we can do.
+        dependency.version
+      end
+
+      def latest_git_tag_is_resolvable?
+        return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
+
+        @latest_git_tag_is_resolvable_checked = true
+
+        return false if git_commit_checker.local_tag_for_latest_version.nil?
+
+        replacement_tag = git_commit_checker.local_tag_for_latest_version
+
+        prepared_files = FilePreparer.new(
+          dependency_files: dependency_files,
+          dependency: dependency,
+          unlock_requirement: true,
+          replacement_git_pin: replacement_tag.fetch(:tag)
+        ).prepared_dependency_files
+
+        VersionResolver.new(
+          dependency: dependency,
+          prepared_dependency_files: prepared_files,
+          original_dependency_files: dependency_files,
+          credentials: credentials
+        ).latest_resolvable_version
+        @git_tag_resolvable = true
+      rescue SharedHelpers::HelperSubprocessFailed => error
+        raise error unless error.message.include?("versions conflict")
+
+        @git_tag_resolvable = false
+      end
+
+      def latest_resolvable_commit_with_unchanged_git_source
+        fetch_latest_resolvable_version(unlock_requirement: false)
+      rescue SharedHelpers::HelperSubprocessFailed => error
+        # Resolution may fail, as Cargo updates straight to the tip of the
+        # branch. Just return `nil` if it does (so no update).
+        return if error.message.include?("versions conflict")
+
+        raise error
+      end
+
+      def fetch_latest_resolvable_version(unlock_requirement:)
+        prepared_files = FilePreparer.new(
+          dependency_files: dependency_files,
+          dependency: dependency,
+          unlock_requirement: unlock_requirement,
+          latest_allowable_version: latest_version
+        ).prepared_dependency_files
+
+        VersionResolver.new(
+          dependency: dependency,
+          prepared_dependency_files: prepared_files,
+          original_dependency_files: dependency_files,
+          credentials: credentials
+        ).latest_resolvable_version
+      end
+
+      def updated_source
+        # Never need to update source, unless a git_dependency
+        return dependency_source_details unless git_dependency?
+
+        # Update the git tag if updating a pinned version
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+        end
+
+        # Otherwise return the original source
+        dependency_source_details
+      end
+
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+
+      def wants_prerelease?
+        if dependency.version &&
+           version_class.new(dependency.version).prerelease?
+          return true
+        end
+
+        dependency.requirements.any? do |req|
+          reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)
+          reqs.any? { |r| r.match?(/[A-Za-z]/) }
+        end
+      end
+
+      def available_versions
+        crates_listing.
+          fetch("versions", []).
+          reject { |v| v["yanked"] }.
+          map { |v| version_class.new(v.fetch("num")) }
+      end
+
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      def git_subdependency?
+        return false if dependency.top_level?
+
+        !version_class.correct?(dependency.version)
+      end
+
+      def path_dependency?
+        sources = dependency.requirements.
+                  map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first&.fetch(:type) == "path"
+      end
+
+      def git_commit_checker
+        @git_commit_checker ||=
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          )
+      end
+
+      def crates_listing
+        return @crates_listing unless @crates_listing.nil?
+
+        response = Excon.get(
+          "https://crates.io/api/v1/crates/#{dependency.name}",
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        @crates_listing = JSON.parse(response.body)
+      rescue Excon::Error::Timeout
+        retrying ||= false
+        raise if retrying
+
+        retrying = true
+        sleep(rand(1.0..5.0)) && retry
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.register("cargo", Dependabot::Cargo::UpdateChecker)