dependabot-cargo 0.81.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9a15f5a5286fc161d2f722711b599016486490abb64c446631eeed673a9a7742
+  data.tar.gz: d01689805661704379ea8b2ccd1795dd674fcf7c5c6a8c0de8680d64dfd08a31
+SHA512:
+  metadata.gz: e3bcff1df9f77bc8b94230cff603352c84dab68e7c4f2648c952e32b02ad2a186a2052e4cd5d862c7e59cb19c247e1772b720e3ccf69c81dbfd94943406151b0
+  data.tar.gz: cf7de24ba36776e1b0377caf4a73f99eeb172f432c32c2f9ae18dad0c04b08ea8b3652aee5319f4a2a70f12bc630ea7419ac40b75349c2217260a6bac0d46244

data/lib/dependabot/cargo.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/cargo/file_fetcher"
+require "dependabot/cargo/file_parser"
+require "dependabot/cargo/update_checker"
+require "dependabot/cargo/file_updater"
+require "dependabot/cargo/metadata_finder"
+require "dependabot/cargo/requirement"
+require "dependabot/cargo/version"

data/lib/dependabot/cargo/file_fetcher.rb

@@ -0,0 +1,241 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "toml-rb"
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "dependabot/cargo/file_parser"
+
+# Docs on Cargo workspaces:
+# https://doc.rust-lang.org/cargo/reference/manifest.html#the-workspace-section
+module Dependabot
+  module Cargo
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        filenames.include?("Cargo.toml")
+      end
+
+      def self.required_files_message
+        "Repo must contain a Cargo.toml."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files << cargo_toml
+        fetched_files << cargo_lock if cargo_lock
+        fetched_files << rust_toolchain if rust_toolchain
+        fetched_files += workspace_files
+        fetched_files += path_dependency_files
+        fetched_files
+      end
+
+      def workspace_files
+        @workspace_files ||=
+          fetch_workspace_files(
+            file: cargo_toml,
+            previously_fetched_files: []
+          )
+      end
+
+      def path_dependency_files
+        @path_dependency_files ||=
+          begin
+            fetched_path_dependency_files = []
+            [cargo_toml, *workspace_files].each do |file|
+              fetched_path_dependency_files +=
+                fetch_path_dependency_files(
+                  file: file,
+                  previously_fetched_files: [cargo_toml, *workspace_files] +
+                                            fetched_path_dependency_files
+                )
+            end
+
+            fetched_path_dependency_files
+          end
+      end
+
+      def fetch_workspace_files(file:, previously_fetched_files:)
+        current_dir = file.name.split("/")[0..-2].join("/")
+        current_dir = nil if current_dir == ""
+
+        workspace_dependency_paths_from_file(file).flat_map do |path|
+          path = File.join(current_dir, path) unless current_dir.nil?
+          path = Pathname.new(path).cleanpath.to_path
+
+          next if previously_fetched_files.map(&:name).include?(path)
+          next if file.name == path
+
+          fetched_file = fetch_file_from_host(path)
+          previously_fetched_files << fetched_file
+          grandchild_requirement_files =
+            fetch_workspace_files(
+              file: fetched_file,
+              previously_fetched_files: previously_fetched_files
+            )
+          [fetched_file, *grandchild_requirement_files]
+        end.compact
+      end
+
+      def fetch_path_dependency_files(
+        file:,
+        previously_fetched_files:
+      )
+        current_dir = file.name.split("/")[0..-2].join("/")
+        current_dir = nil if current_dir == ""
+
+        path_dependency_paths_from_file(file).flat_map do |path|
+          path = File.join(current_dir, path) unless current_dir.nil?
+          path = Pathname.new(path).cleanpath.to_path
+
+          next if previously_fetched_files.map(&:name).include?(path)
+          next if file.name == path
+
+          fetched_file = fetch_file_from_host(path, type: "path_dependency").
+                         tap { |f| f.support_file = true }
+          previously_fetched_files << fetched_file
+          grandchild_requirement_files =
+            fetch_path_dependency_files(
+              file: fetched_file,
+              previously_fetched_files: previously_fetched_files
+            )
+          [fetched_file, *grandchild_requirement_files]
+        rescue Dependabot::DependencyFileNotFound
+          raise if required_path?(file, path)
+        end.compact
+      end
+
+      def path_dependency_paths_from_file(file)
+        paths = []
+
+        # Paths specified in dependency declaration
+        Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+          parsed_file(file).fetch(type, {}).each do |_, details|
+            next unless details.is_a?(Hash)
+            next unless details["path"]
+
+            paths << File.join(details["path"], "Cargo.toml")
+          end
+        end
+
+        # Paths specified for target-specific dependencies
+        parsed_file(file).fetch("target", {}).each do |_, t_details|
+          Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+            t_details.fetch(type, {}).each do |_, details|
+              next unless details.is_a?(Hash)
+              next unless details["path"]
+
+              paths << File.join(details["path"], "Cargo.toml")
+            end
+          end
+        end
+
+        # Paths specified as replacements
+        parsed_file(file).fetch("replace", {}).each do |_, details|
+          next unless details.is_a?(Hash)
+          next unless details["path"]
+
+          paths << File.join(details["path"], "Cargo.toml")
+        end
+
+        paths
+      end
+
+      def workspace_dependency_paths_from_file(file)
+        workspace_paths = parsed_file(file).dig("workspace", "members")
+        return [] unless workspace_paths&.any?
+
+        # Expand any workspace paths that specify a `*`
+        workspace_paths = workspace_paths.flat_map do |path|
+          path.end_with?("*") ? expand_workspaces(path) : [path]
+        end
+
+        # Excluded paths, to be subtracted for the workspaces array
+        excluded_paths = parsed_file(file).dig("workspace", "excluded_paths")
+
+        (workspace_paths - (excluded_paths || [])).map do |path|
+          File.join(path, "Cargo.toml")
+        end
+      end
+
+      # Check whether a path is required or not. It will not be required if
+      # an alternative source (i.e., a git source) is also specified
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/PerceivedComplexity
+      def required_path?(file, path)
+        # Paths specified in dependency declaration
+        Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+          parsed_file(file).fetch(type, {}).each do |_, details|
+            next unless details.is_a?(Hash)
+            next unless details["path"]
+            next unless path == File.join(details["path"], "Cargo.toml")
+
+            return true if details["git"].nil?
+          end
+        end
+
+        # Paths specified for target-specific dependencies
+        parsed_file(file).fetch("target", {}).each do |_, t_details|
+          Cargo::FileParser::DEPENDENCY_TYPES.each do |type|
+            t_details.fetch(type, {}).each do |_, details|
+              next unless details.is_a?(Hash)
+              next unless details["path"]
+              next unless path == File.join(details["path"], "Cargo.toml")
+
+              return true if details["git"].nil?
+            end
+          end
+        end
+
+        # Paths specified as replacements
+        parsed_file(file).fetch("replace", {}).each do |_, details|
+          next unless details.is_a?(Hash)
+          next unless details["path"]
+          next unless path == File.join(details["path"], "Cargo.toml")
+
+          return true if details["git"].nil?
+        end
+
+        false
+      end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      def expand_workspaces(path)
+        path = Pathname.new(path).cleanpath.to_path
+        dir = directory.gsub(%r{(^/|/$)}, "")
+        unglobbed_path = path.split("*").first.gsub(%r{(?<=/)[^/]*$}, "")
+
+        repo_contents(dir: unglobbed_path, raise_errors: false).
+          select { |file| file.type == "dir" }.
+          map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }.
+          select { |filename| File.fnmatch?(path, filename) }
+      end
+
+      def parsed_file(file)
+        TomlRB.parse(file.content)
+      rescue TomlRB::ParseError
+        raise Dependabot::DependencyFileNotParseable, file.path
+      end
+
+      def cargo_toml
+        @cargo_toml ||= fetch_file_from_host("Cargo.toml")
+      end
+
+      def cargo_lock
+        @cargo_lock ||= fetch_file_if_present("Cargo.lock")
+      end
+
+      def rust_toolchain
+        @rust_toolchain ||= fetch_file_if_present("rust-toolchain")&.
+                            tap { |f| f.support_file = true }
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("cargo", Dependabot::Cargo::FileFetcher)

data/lib/dependabot/cargo/file_parser.rb

@@ -0,0 +1,214 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/cargo/requirement"
+require "dependabot/cargo/version"
+require "dependabot/errors"
+
+# Relevant Cargo docs can be found at:
+# - https://doc.rust-lang.org/cargo/reference/manifest.html
+# - https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
+module Dependabot
+  module Cargo
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+
+      DEPENDENCY_TYPES =
+        %w(dependencies dev-dependencies build-dependencies).freeze
+
+      def parse
+        check_rust_workspace_root
+
+        dependency_set = DependencySet.new
+        dependency_set += manifest_dependencies
+        dependency_set += lockfile_dependencies if lockfile
+
+        dependencies = dependency_set.dependencies
+
+        # TODO: Handle patched dependencies
+        dependencies.reject! { |d| patched_dependencies.include?(d.name) }
+
+        # TODO: Currently, Dependabot can't handle dependencies that have
+        # multiple source types. Fix that!
+        dependencies.reject do |dep|
+          dep.requirements.map { |r| r.dig(:source, :type) }.uniq.count > 1
+        end
+      end
+
+      private
+
+      def check_rust_workspace_root
+        cargo_toml = dependency_files.find { |f| f.name == "Cargo.toml" }
+        workspace_root = parsed_file(cargo_toml).dig("package", "workspace")
+        return unless workspace_root
+
+        msg = "This project is part of a Rust workspace but is not the "\
+              "workspace root."\
+
+        if cargo_toml.directory != "/"
+          msg += "Please update your settings so Dependabot points at the "\
+                 "workspace root instead of #{cargo_toml.directory}."
+        end
+        raise Dependabot::DependencyFileNotEvaluatable, msg
+      end
+
+      def manifest_dependencies
+        dependency_set = DependencySet.new
+
+        DEPENDENCY_TYPES.each do |type|
+          manifest_files.each do |file|
+            parsed_file(file).fetch(type, {}).each do |name, requirement|
+              next if lockfile && !version_from_lockfile(name, requirement)
+
+              dependency_set << Dependency.new(
+                name: name,
+                version: version_from_lockfile(name, requirement),
+                package_manager: "cargo",
+                requirements: [{
+                  requirement: requirement_from_declaration(requirement),
+                  file: file.name,
+                  groups: [type],
+                  source: source_from_declaration(requirement)
+                }]
+              )
+            end
+          end
+        end
+
+        dependency_set
+      end
+
+      def lockfile_dependencies
+        dependency_set = DependencySet.new
+        return dependency_set unless lockfile
+
+        parsed_file(lockfile).fetch("package", []).each do |package_details|
+          next unless package_details["source"]
+
+          # TODO: This isn't quite right, as it will only give us one
+          # version of each dependency (when in fact there are many)
+          dependency_set << Dependency.new(
+            name: package_details["name"],
+            version: version_from_lockfile_details(package_details),
+            package_manager: "cargo",
+            requirements: []
+          )
+        end
+
+        dependency_set
+      end
+
+      def patched_dependencies
+        root_manifest = manifest_files.find { |f| f.name == "Cargo.toml" }
+        return [] unless parsed_file(root_manifest)["patch"]
+
+        parsed_file(root_manifest)["patch"].values.flat_map(&:keys)
+      end
+
+      def requirement_from_declaration(declaration)
+        if declaration.is_a?(String)
+          return declaration == "" ? nil : declaration
+        end
+        unless declaration.is_a?(Hash)
+          raise "Unexpected dependency declaration: #{declaration}"
+        end
+        return declaration["version"] if declaration["version"]
+
+        nil
+      end
+
+      def source_from_declaration(declaration)
+        return if declaration.is_a?(String)
+        unless declaration.is_a?(Hash)
+          raise "Unexpected dependency declaration: #{declaration}"
+        end
+
+        return git_source_details(declaration) if declaration["git"]
+        return { type: "path" } if declaration["path"]
+      end
+
+      def version_from_lockfile(name, declaration)
+        return unless lockfile
+
+        candidate_packages =
+          parsed_file(lockfile).fetch("package", []).
+          select { |p| p["name"] == name }
+
+        if (req = requirement_from_declaration(declaration))
+          req = Cargo::Requirement.new(req)
+
+          candidate_packages =
+            candidate_packages.
+            select { |p| req.satisfied_by?(version_class.new(p["version"])) }
+        end
+
+        candidate_packages =
+          candidate_packages.
+          select do |p|
+            git_req?(declaration) ^ !p["source"]&.start_with?("git+")
+          end
+
+        package =
+          candidate_packages.
+          max_by { |p| version_class.new(p["version"]) }
+
+        return unless package
+
+        version_from_lockfile_details(package)
+      end
+
+      def git_req?(declaration)
+        source_from_declaration(declaration)&.fetch(:type, nil) == "git"
+      end
+
+      def git_source_details(declaration)
+        {
+          type: "git",
+          url: declaration["git"],
+          branch: declaration["branch"],
+          ref: declaration["tag"] || declaration["rev"]
+        }
+      end
+
+      def version_from_lockfile_details(package_details)
+        unless package_details["source"]&.start_with?("git+")
+          return package_details["version"]
+        end
+
+        package_details["source"].split("#").last
+      end
+
+      def check_required_files
+        raise "No Cargo.toml!" unless get_original_file("Cargo.toml")
+      end
+
+      def parsed_file(file)
+        @parsed_file ||= {}
+        @parsed_file[file.name] ||= TomlRB.parse(file.content)
+      rescue TomlRB::ParseError
+        raise Dependabot::DependencyFileNotParseable, file.path
+      end
+
+      def manifest_files
+        @manifest_files ||=
+          dependency_files.
+          select { |f| f.name.end_with?("Cargo.toml") }.
+          reject { |f| f.type == "path_dependency" }
+      end
+
+      def lockfile
+        @lockfile ||= get_original_file("Cargo.lock")
+      end
+
+      def version_class
+        Cargo::Version
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.register("cargo", Dependabot::Cargo::FileParser)