dependabot-common 0.122.1 → 0.124.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of dependabot-common might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/dependabot/pull_request_creator.rb +1 -7
- data/lib/dependabot/pull_request_creator/branch_namer.rb +5 -5
- data/lib/dependabot/pull_request_creator/message_builder.rb +9 -1
- data/lib/dependabot/security_advisory.rb +36 -0
- data/lib/dependabot/shared_helpers.rb +11 -26
- data/lib/dependabot/update_checkers/base.rb +6 -0
- data/lib/dependabot/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f8c1c6ce7dbce6606fe13ea021cddbdf6cc73561227f1e944024b0cd59c066f8
|
|
4
|
+
data.tar.gz: 43be3e7cd0d8c583d2286a909d5c616b126eda8d1800db931ebf9ed66ee013bd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d8a3a6a7ca1e6910132f9c102c13547310eb38e1ac899df526a7fe6bf0cb8ebc264962b3f5ff9376a77f85e5cc5f385de81d58a1ccbfd165c295a9c9c5270d96
|
|
7
|
+
data.tar.gz: 90c3aa1296c25e4616de3f29b83d5fb49c6dea2e05ccc12fa1c1f69d37342442cfc41acad10a9258d88352c21ff988a3417ae768fb559365873e317413194c23
|
|
@@ -73,7 +73,7 @@ module Dependabot
|
|
|
73
73
|
end
|
|
74
74
|
|
|
75
75
|
def check_dependencies_have_previous_version
|
|
76
|
-
return if
|
|
76
|
+
return if dependencies.all? { |d| requirements_changed?(d) }
|
|
77
77
|
return if dependencies.all?(&:previous_version)
|
|
78
78
|
|
|
79
79
|
raise "Dependencies must have a previous version or changed " \
|
|
@@ -214,12 +214,6 @@ module Dependabot
|
|
|
214
214
|
)
|
|
215
215
|
end
|
|
216
216
|
|
|
217
|
-
def library?
|
|
218
|
-
return true if files.any? { |file| file.name.end_with?(".gemspec") }
|
|
219
|
-
|
|
220
|
-
dependencies.any? { |d| !d.appears_in_lockfile? }
|
|
221
|
-
end
|
|
222
|
-
|
|
223
217
|
def includes_security_fixes?
|
|
224
218
|
vulnerabilities_fixed.values.flatten.any?
|
|
225
219
|
end
|
|
@@ -165,12 +165,12 @@ module Dependabot
|
|
|
165
165
|
updated_reqs.first[:requirement]
|
|
166
166
|
end
|
|
167
167
|
|
|
168
|
-
# TODO:
|
|
169
|
-
#
|
|
170
|
-
#
|
|
168
|
+
# TODO: Bring this in line with existing library checks that we do in the
|
|
169
|
+
# update checkers, which are also overriden by passing an explicit
|
|
170
|
+
# `requirements_update_strategy`.
|
|
171
|
+
#
|
|
172
|
+
# TODO re-use in MessageBuilder
|
|
171
173
|
def library?
|
|
172
|
-
return true if files.map(&:name).any? { |nm| nm.end_with?(".gemspec") }
|
|
173
|
-
|
|
174
174
|
dependencies.any? { |d| !d.appears_in_lockfile? }
|
|
175
175
|
end
|
|
176
176
|
|
|
@@ -459,8 +459,16 @@ module Dependabot
|
|
|
459
459
|
previous_ref(dependency) != new_ref(dependency)
|
|
460
460
|
end
|
|
461
461
|
|
|
462
|
+
# TODO: Bring this in line with existing library checks that we do in the
|
|
463
|
+
# update checkers, which are also overriden by passing an explicit
|
|
464
|
+
# `requirements_update_strategy`.
|
|
465
|
+
#
|
|
466
|
+
# TODO re-use in BranchNamer
|
|
462
467
|
def library?
|
|
463
|
-
|
|
468
|
+
# Reject any nested child gemspecs/vendored git dependencies
|
|
469
|
+
root_files = files.map(&:name).
|
|
470
|
+
select { |p| Pathname.new(p).dirname.to_s == "." }
|
|
471
|
+
return true if root_files.select { |nm| nm.end_with?(".gemspec") }.any?
|
|
464
472
|
|
|
465
473
|
dependencies.any? { |d| previous_version(d).nil? }
|
|
466
474
|
end
|
|
@@ -43,6 +43,42 @@ module Dependabot
|
|
|
43
43
|
safe_versions.any?
|
|
44
44
|
end
|
|
45
45
|
|
|
46
|
+
def fixes_advisory?(dependency)
|
|
47
|
+
return false unless dependency_name == dependency.name
|
|
48
|
+
return false unless package_manager == dependency.package_manager
|
|
49
|
+
# TODO: Support no previous version to the same level as dependency graph
|
|
50
|
+
# and security alerts. We currently ignore dependency updates without a
|
|
51
|
+
# previous version because we don't know if the dependency was vulerable.
|
|
52
|
+
return false unless dependency.previous_version
|
|
53
|
+
return false unless version_class.correct?(dependency.previous_version)
|
|
54
|
+
|
|
55
|
+
# Ignore deps that weren't previously vulnerable
|
|
56
|
+
return false unless affects_version?(dependency.previous_version)
|
|
57
|
+
|
|
58
|
+
# Select deps that are now fixed
|
|
59
|
+
!affects_version?(dependency.version)
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def affects_version?(version)
|
|
63
|
+
return false unless version_class.correct?(version)
|
|
64
|
+
return false unless [*safe_versions, *vulnerable_versions].any?
|
|
65
|
+
|
|
66
|
+
version = version_class.new(version)
|
|
67
|
+
|
|
68
|
+
# If version is known safe for this advisory, it's not vulnerable
|
|
69
|
+
return false if safe_versions.any? { |r| r.satisfied_by?(version) }
|
|
70
|
+
|
|
71
|
+
# If in the vulnerable range and not known safe, it's vulnerable
|
|
72
|
+
return true if vulnerable_versions.any? { |r| r.satisfied_by?(version) }
|
|
73
|
+
|
|
74
|
+
# If a vulnerable range present but not met, it's not vulnerable
|
|
75
|
+
return false if vulnerable_versions.any?
|
|
76
|
+
|
|
77
|
+
# Finally, if no vulnerable range provided, but a safe range provided,
|
|
78
|
+
# and this versions isn't included (checked earler), it's vulnerable
|
|
79
|
+
safe_versions.any?
|
|
80
|
+
end
|
|
81
|
+
|
|
46
82
|
private
|
|
47
83
|
|
|
48
84
|
def convert_string_version_requirements
|
|
@@ -57,34 +57,12 @@ module Dependabot
|
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
59
|
|
|
60
|
-
def self.in_a_forked_process
|
|
61
|
-
read, write = IO.pipe
|
|
62
|
-
|
|
63
|
-
pid = fork do
|
|
64
|
-
read.close
|
|
65
|
-
result = yield
|
|
66
|
-
rescue Exception => e # rubocop:disable Lint/RescueException
|
|
67
|
-
result = { _error_details: { error_class: e.class.to_s,
|
|
68
|
-
error_message: e.message,
|
|
69
|
-
error_backtrace: e.backtrace } }
|
|
70
|
-
ensure
|
|
71
|
-
Marshal.dump(result, write)
|
|
72
|
-
exit!(0)
|
|
73
|
-
end
|
|
74
|
-
|
|
75
|
-
write.close
|
|
76
|
-
result = read.read
|
|
77
|
-
Process.wait(pid)
|
|
78
|
-
result = Marshal.load(result) # rubocop:disable Security/MarshalLoad
|
|
79
|
-
|
|
80
|
-
return result unless result.is_a?(Hash) && result[:_error_details]
|
|
81
|
-
|
|
82
|
-
raise ChildProcessFailed, result[:_error_details]
|
|
83
|
-
end
|
|
84
|
-
|
|
85
60
|
class HelperSubprocessFailed < StandardError
|
|
86
|
-
|
|
61
|
+
attr_reader :error_class, :error_context
|
|
62
|
+
|
|
63
|
+
def initialize(message:, error_context:, error_class: nil)
|
|
87
64
|
super(message)
|
|
65
|
+
@error_class = error_class || ""
|
|
88
66
|
@error_context = error_context
|
|
89
67
|
@command = error_context[:command]
|
|
90
68
|
end
|
|
@@ -110,6 +88,11 @@ module Dependabot
|
|
|
110
88
|
stdout, stderr, process = Open3.capture3(*env_cmd, stdin_data: stdin_data)
|
|
111
89
|
time_taken = Time.now - start
|
|
112
90
|
|
|
91
|
+
if ENV["DEBUG_HELPERS"] == "true"
|
|
92
|
+
puts stdout
|
|
93
|
+
puts stderr
|
|
94
|
+
end
|
|
95
|
+
|
|
113
96
|
# Some package managers output useful stuff to stderr instead of stdout so
|
|
114
97
|
# we want to parse this, most package manager will output garbage here so
|
|
115
98
|
# would mess up json response from stdout
|
|
@@ -129,11 +112,13 @@ module Dependabot
|
|
|
129
112
|
|
|
130
113
|
raise HelperSubprocessFailed.new(
|
|
131
114
|
message: response["error"],
|
|
115
|
+
error_class: response["error_class"],
|
|
132
116
|
error_context: error_context
|
|
133
117
|
)
|
|
134
118
|
rescue JSON::ParserError
|
|
135
119
|
raise HelperSubprocessFailed.new(
|
|
136
120
|
message: stdout || "No output from command",
|
|
121
|
+
error_class: "JSON::ParserError",
|
|
137
122
|
error_context: error_context
|
|
138
123
|
)
|
|
139
124
|
end
|
|
@@ -79,6 +79,12 @@ module Dependabot
|
|
|
79
79
|
raise NotImplementedError
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
+
# Lowest available security fix version not checking resolvability
|
|
83
|
+
# @return [Dependabot::<package manager>::Version, #to_s] version class
|
|
84
|
+
def lowest_security_fix_version
|
|
85
|
+
raise NotImplementedError
|
|
86
|
+
end
|
|
87
|
+
|
|
82
88
|
def lowest_resolvable_security_fix_version
|
|
83
89
|
raise NotImplementedError
|
|
84
90
|
end
|
data/lib/dependabot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.124.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-codecommit
|