dependabot-cargo 0.81.0

data/lib/dependabot/cargo/update_checker/file_preparer.rb

@@ -0,0 +1,200 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/dependency_file"
+require "dependabot/cargo/file_parser"
+require "dependabot/cargo/update_checker"
+
+module Dependabot
+  module Cargo
+    class UpdateChecker
+      # This class takes a set of dependency files and sanitizes them for use
+      # in UpdateCheckers::Rust::Cargo.
+      class FilePreparer
+        def initialize(dependency_files:, dependency:,
+                       unlock_requirement: true,
+                       replacement_git_pin: nil,
+                       latest_allowable_version: nil)
+          @dependency_files         = dependency_files
+          @dependency               = dependency
+          @unlock_requirement       = unlock_requirement
+          @replacement_git_pin      = replacement_git_pin
+          @latest_allowable_version = latest_allowable_version
+        end
+
+        def prepared_dependency_files
+          files = []
+          files += manifest_files.map do |file|
+            DependencyFile.new(
+              name: file.name,
+              content: manifest_content_for_update_check(file),
+              directory: file.directory
+            )
+          end
+          files << lockfile if lockfile
+          files << toolchain if toolchain
+          files
+        end
+
+        private
+
+        attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                    :latest_allowable_version
+
+        def unlock_requirement?
+          @unlock_requirement
+        end
+
+        def replace_git_pin?
+          !replacement_git_pin.nil?
+        end
+
+        def manifest_content_for_update_check(file)
+          content = file.content
+
+          unless file.support_file?
+            content = replace_version_constraint(content, file.name)
+            content = replace_git_pin(content) if replace_git_pin?
+          end
+
+          content = replace_ssh_urls(content)
+
+          content
+        end
+
+        # Note: We don't need to care about formatting in this method, since
+        # we're only using the manifest to find the latest resolvable version
+        def replace_version_constraint(content, filename)
+          parsed_manifest = TomlRB.parse(content)
+
+          Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+            next unless (req = parsed_manifest.dig(type, dependency.name))
+
+            updated_req = temporary_requirement_for_resolution(filename)
+
+            if req.is_a?(Hash)
+              parsed_manifest[type][dependency.name]["version"] = updated_req
+            else
+              parsed_manifest[type][dependency.name] = updated_req
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        def replace_git_pin(content)
+          parsed_manifest = TomlRB.parse(content)
+
+          Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+            next unless (req = parsed_manifest.dig(type, dependency.name))
+            next unless req.is_a?(Hash)
+            next unless [req["tag"], req["rev"]].compact.uniq.count == 1
+
+            if req["tag"]
+              parsed_manifest[type][dependency.name]["tag"] =
+                replacement_git_pin
+            end
+
+            if req["rev"]
+              parsed_manifest[type][dependency.name]["rev"] =
+                replacement_git_pin
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        def replace_ssh_urls(content)
+          parsed_manifest = TomlRB.parse(content)
+
+          Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+            (parsed_manifest[type] || {}).each do |_, details|
+              next unless details.is_a?(Hash)
+              next unless details["git"]
+
+              details["git"] = details["git"].
+                               gsub(%r{ssh://git@(.*?)/}, 'https://\1/')
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        def temporary_requirement_for_resolution(filename)
+          original_req = dependency.requirements.
+                         find { |r| r.fetch(:file) == filename }&.
+                         fetch(:requirement)
+
+          lower_bound_req =
+            if original_req && !unlock_requirement?
+              original_req
+            else
+              ">= #{lower_bound_version}"
+            end
+
+          unless Cargo::Version.correct?(latest_allowable_version) &&
+                 Cargo::Version.new(latest_allowable_version) >=
+                 Cargo::Version.new(lower_bound_version)
+            return lower_bound_req
+          end
+
+          lower_bound_req + ", <= #{latest_allowable_version}"
+        end
+
+        def lower_bound_version
+          @lower_bound_version ||=
+            if git_dependency? && git_dependency_version
+              git_dependency_version
+            elsif !git_dependency? && dependency.version
+              dependency.version
+            else
+              version_from_requirement =
+                dependency.requirements.map { |r| r.fetch(:requirement) }.
+                compact.
+                flat_map { |req_str| Cargo::Requirement.new(req_str) }.
+                flat_map(&:requirements).
+                reject { |req_array| req_array.first.start_with?("<") }.
+                map(&:last).
+                max&.to_s
+
+              version_from_requirement || 0
+            end
+        end
+
+        def git_dependency_version
+          return unless lockfile
+
+          TomlRB.parse(lockfile.content).
+            fetch("package", []).
+            select { |p| p["name"] == dependency.name }.
+            find { |p| p["source"].end_with?(dependency.version) }.
+            fetch("version")
+        end
+
+        def manifest_files
+          @manifest_files ||=
+            dependency_files.select { |f| f.name.end_with?("Cargo.toml") }
+
+          raise "No Cargo.toml!" if @manifest_files.none?
+
+          @manifest_files
+        end
+
+        def lockfile
+          @lockfile ||= dependency_files.find { |f| f.name == "Cargo.lock" }
+        end
+
+        def toolchain
+          @toolchain ||=
+            dependency_files.find { |f| f.name == "rust-toolchain" }
+        end
+
+        def git_dependency?
+          GitCommitChecker.
+            new(dependency: dependency, credentials: []).
+            git_dependency?
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/cargo/update_checker/requirements_updater.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on rust version constraints, see:                           #
+# - https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html     #
+# - https://steveklabnik.github.io/semver/semver/index.html                    #
+################################################################################
+
+require "dependabot/cargo/update_checker"
+require "dependabot/cargo/requirement"
+require "dependabot/cargo/version"
+
+module Dependabot
+  module Cargo
+    class UpdateChecker
+      class RequirementsUpdater
+        class UnfixableRequirement < StandardError; end
+
+        VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-*]+)*/.freeze
+        ALLOWED_UPDATE_STRATEGIES =
+          %i(bump_versions bump_versions_if_necessary).freeze
+
+        def initialize(requirements:, updated_source:, update_strategy:,
+                       library:, latest_version:, latest_resolvable_version:)
+          @requirements = requirements
+          @updated_source = updated_source
+          @update_strategy = update_strategy
+          @library = library
+
+          check_update_strategy
+
+          if latest_version && version_class.correct?(latest_version)
+            @latest_version = version_class.new(latest_version)
+          end
+
+          return unless latest_resolvable_version
+          return unless version_class.correct?(latest_resolvable_version)
+
+          @latest_resolvable_version =
+            version_class.new(latest_resolvable_version)
+        end
+
+        def updated_requirements
+          # Note: Order is important here. The FileUpdater needs the updated
+          # requirement at index `i` to correspond to the previous requirement
+          # at the same index.
+          requirements.map do |req|
+            req = req.merge(source: updated_source)
+            next req unless latest_resolvable_version
+            next req if req[:requirement].nil?
+
+            # TODO: Add a widen_ranges options
+            if update_strategy == :bump_versions_if_necessary
+              update_version_requirement_if_needed(req)
+            else
+              update_version_requirement(req)
+            end
+          end
+        end
+
+        private
+
+        attr_reader :requirements, :updated_source, :update_strategy,
+                    :latest_version, :latest_resolvable_version
+
+        def library?
+          @library
+        end
+
+        def check_update_strategy
+          return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+          raise "Unknown update strategy: #{update_strategy}"
+        end
+
+        def target_version
+          library? ? latest_version : latest_resolvable_version
+        end
+
+        def update_version_requirement(req)
+          string_reqs = req[:requirement].split(",").map(&:strip)
+
+          new_requirement =
+            if (exact_req = exact_req(string_reqs))
+              # If there's an exact version, just return that
+              # (it will dominate any other requirements)
+              update_version_string(exact_req)
+            elsif (req_to_update = non_range_req(string_reqs)) &&
+                  update_version_string(req_to_update) != req_to_update
+              # If a ~, ^, or * range needs to be updated, just return that
+              # (it will dominate any other requirements)
+              update_version_string(req_to_update)
+            else
+              # Otherwise, we must have a range requirement that needs
+              # updating. Update it, but keep other requirements too
+              update_range_requirements(string_reqs)
+            end
+
+          req.merge(requirement: new_requirement)
+        end
+
+        def update_version_requirement_if_needed(req)
+          string_reqs = req[:requirement].split(",").map(&:strip)
+          ruby_reqs = string_reqs.map { |r| Cargo::Requirement.new(r) }
+
+          return req if ruby_reqs.all? { |r| r.satisfied_by?(target_version) }
+
+          update_version_requirement(req)
+        end
+
+        def update_version_string(req_string)
+          req_string.sub(VERSION_REGEX) do |old_version|
+            # For pre-release versions, just use the full version string
+            next target_version.to_s if old_version.match?(/\d-/)
+
+            old_parts = old_version.split(".")
+            new_parts = target_version.to_s.split(".").
+                        first(old_parts.count)
+            new_parts.map.with_index do |part, i|
+              old_parts[i] == "*" ? "*" : part
+            end.join(".")
+          end
+        end
+
+        def non_range_req(string_reqs)
+          string_reqs.find { |r| r.include?("*") || r.match?(/^[\d~^]/) }
+        end
+
+        def exact_req(string_reqs)
+          string_reqs.find { |r| Cargo::Requirement.new(r).exact? }
+        end
+
+        def update_range_requirements(string_reqs)
+          string_reqs.map do |req|
+            next req unless req.match?(/[<>]/)
+
+            ruby_req = Cargo::Requirement.new(req)
+            next req if ruby_req.satisfied_by?(target_version)
+
+            raise UnfixableRequirement if req.start_with?(">")
+
+            req.sub(VERSION_REGEX) do |old_version|
+              update_greatest_version(old_version, target_version)
+            end
+          end.join(", ")
+        rescue UnfixableRequirement
+          :unfixable
+        end
+
+        def update_greatest_version(old_version, version_to_be_permitted)
+          version = version_class.new(old_version)
+          version = version.release if version.prerelease?
+
+          index_to_update =
+            version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+          version.segments.map.with_index do |_, index|
+            if index < index_to_update
+              version_to_be_permitted.segments[index]
+            elsif index == index_to_update
+              version_to_be_permitted.segments[index] + 1
+            else 0
+            end
+          end.join(".")
+        end
+
+        def version_class
+          Cargo::Version
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/cargo/update_checker/version_resolver.rb

@@ -0,0 +1,239 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/shared_helpers"
+require "dependabot/cargo/update_checker"
+require "dependabot/cargo/version"
+require "dependabot/errors"
+
+module Dependabot
+  module Cargo
+    class UpdateChecker
+      class VersionResolver
+        BRANCH_NOT_FOUND_REGEX =
+          /failed to find branch `(?<branch>[^`]+)`/.freeze
+
+        def initialize(dependency:, credentials:,
+                       original_dependency_files:, prepared_dependency_files:)
+          @dependency = dependency
+          @prepared_dependency_files = prepared_dependency_files
+          @original_dependency_files = original_dependency_files
+          @credentials = credentials
+        end
+
+        def latest_resolvable_version
+          @latest_resolvable_version ||= fetch_latest_resolvable_version
+        end
+
+        private
+
+        attr_reader :dependency, :credentials,
+                    :prepared_dependency_files, :original_dependency_files
+
+        def fetch_latest_resolvable_version
+          base_directory = prepared_dependency_files.first.directory
+          SharedHelpers.in_a_temporary_directory(base_directory) do
+            write_temporary_dependency_files
+
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              # Shell out to Cargo, which handles everything for us, and does
+              # so without doing an install (so it's fast).
+              command = "cargo update -p #{dependency_spec} --verbose"
+              run_cargo_command(command)
+            end
+
+            new_lockfile_content = File.read("Cargo.lock")
+            updated_version = get_version_from_lockfile(new_lockfile_content)
+
+            return if updated_version.nil?
+            return updated_version if git_dependency?
+
+            version_class.new(updated_version)
+          end
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          handle_cargo_errors(error)
+        end
+
+        def get_version_from_lockfile(lockfile_content)
+          versions = TomlRB.parse(lockfile_content).fetch("package").
+                     select { |p| p["name"] == dependency.name }
+
+          updated_version =
+            if dependency.top_level?
+              versions.max_by { |p| version_class.new(p.fetch("version")) }
+            else
+              versions.min_by { |p| version_class.new(p.fetch("version")) }
+            end
+
+          if git_dependency?
+            updated_version.fetch("source").split("#").last
+          else
+            updated_version.fetch("version")
+          end
+        end
+
+        def dependency_spec
+          spec = dependency.name
+
+          if git_dependency?
+            spec += ":#{git_dependency_version}" if git_dependency_version
+          elsif dependency.version
+            spec += ":#{dependency.version}"
+          end
+
+          spec
+        end
+
+        def run_cargo_command(command)
+          raw_response = nil
+          IO.popen(command, err: %i(child out)) do |process|
+            raw_response = process.read
+          end
+
+          # Raise an error with the output from the shell session if Cargo
+          # returns a non-zero status
+          return if $CHILD_STATUS.success?
+
+          raise SharedHelpers::HelperSubprocessFailed.new(
+            raw_response,
+            command
+          )
+        end
+
+        def write_temporary_dependency_files(prepared: true)
+          write_manifest_files(prepared: prepared)
+
+          File.write(lockfile.name, lockfile.content) if lockfile
+          File.write(toolchain.name, toolchain.content) if toolchain
+        end
+
+        def handle_cargo_errors(error)
+          if error.message.include?("does not have these features")
+            # TODO: Ideally we should update the declaration not to ask
+            # for the specified features
+            return nil
+          end
+
+          if error.message.match?(BRANCH_NOT_FOUND_REGEX)
+            branch = error.message.match(BRANCH_NOT_FOUND_REGEX).
+                     named_captures.fetch("branch")
+            raise Dependabot::BranchNotFound, branch
+          end
+
+          if resolvability_error?(error.message)
+            raise Dependabot::DependencyFileNotResolvable, error.message
+          end
+
+          raise error
+        end
+
+        def resolvability_error?(message)
+          return true if message.include?("failed to parse lock")
+          return true if message.include?("believes it's in a workspace")
+          return true if message.include?("wasn't a root")
+          return true if message.include?("requires a nightly version")
+          return true if message.match?(/feature `[^\`]+` is required/)
+
+          !original_requirements_resolvable?
+        end
+
+        def original_requirements_resolvable?
+          base_directory = original_dependency_files.first.directory
+          SharedHelpers.in_a_temporary_directory(base_directory) do
+            write_temporary_dependency_files(prepared: false)
+
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              command = "cargo update -p #{dependency_spec} --verbose"
+              run_cargo_command(command)
+            end
+          end
+
+          true
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          raise unless error.message.include?("no matching version") ||
+                       error.message.include?("failed to select a version")
+
+          false
+        end
+
+        def write_manifest_files(prepared: true)
+          manifest_files = if prepared then prepared_manifest_files
+                           else original_manifest_files
+                           end
+
+          manifest_files.each do |file|
+            path = file.name
+            dir = Pathname.new(path).dirname
+            FileUtils.mkdir_p(dir)
+            File.write(file.name, sanitized_manifest_content(file.content))
+
+            FileUtils.mkdir_p(File.join(dir, "src"))
+            File.write(File.join(dir, "src/lib.rs"), dummy_app_content)
+            File.write(File.join(dir, "src/main.rs"), dummy_app_content)
+          end
+        end
+
+        def git_dependency_version
+          return unless lockfile
+
+          TomlRB.parse(lockfile.content).
+            fetch("package", []).
+            select { |p| p["name"] == dependency.name }.
+            find { |p| p["source"].end_with?(dependency.version) }.
+            fetch("version")
+        end
+
+        def dummy_app_content
+          %{fn main() {\nprintln!("Hello, world!");\n}}
+        end
+
+        def sanitized_manifest_content(content)
+          object = TomlRB.parse(content)
+
+          package_name = object.dig("package", "name")
+          return content unless package_name&.match?(/[\{\}]/)
+
+          if lockfile
+            raise "Sanitizing name for pkg with lockfile. Investigate!"
+          end
+
+          object["package"]["name"] = "sanitized"
+          TomlRB.dump(object)
+        end
+
+        def prepared_manifest_files
+          @prepared_manifest_files ||=
+            prepared_dependency_files.
+            select { |f| f.name.end_with?("Cargo.toml") }
+        end
+
+        def original_manifest_files
+          @original_manifest_files ||=
+            original_dependency_files.
+            select { |f| f.name.end_with?("Cargo.toml") }
+        end
+
+        def lockfile
+          @lockfile ||= prepared_dependency_files.
+                        find { |f| f.name == "Cargo.lock" }
+        end
+
+        def toolchain
+          @toolchain ||= prepared_dependency_files.
+                         find { |f| f.name == "rust-toolchain" }
+        end
+
+        def git_dependency?
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          ).git_dependency?
+        end
+
+        def version_class
+          Cargo::Version
+        end
+      end
+    end
+  end
+end