dependabot-common 0.123.1 → 0.124.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of dependabot-common might be problematic. Click here for more details.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 50e57b1a257d59576c24575a534069736197b6113cc7dd40cb893c3fd956163a
|
|
4
|
+
data.tar.gz: bbf0c5e4ddf71645bd79bce4926bcb4f8b57f3e511ae575d2db7843ee48a2110
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 73a199310a81d48b0c9325f6ff8568192cce7fbd89e9fd432a75636ff24d4bbe80e38f00ecaa61f1f80579c075e87872022a71b7fdfab345f0a75ea3248fa210
|
|
7
|
+
data.tar.gz: ef8e642c0cb9de980c1f07a766b6f61113353ca80e10fd0d82a1ac87a32f282a408e4a00f9cb1c1cd6829e039ae41eea9f0a51120a9e514b74f2bbcc7ccac42a
|
|
@@ -18,7 +18,10 @@ module Dependabot
|
|
|
18
18
|
return [] unless repo_contents_path && vendor_dir
|
|
19
19
|
|
|
20
20
|
Dir.chdir(repo_contents_path) do
|
|
21
|
-
relative_dir = vendor_dir.
|
|
21
|
+
relative_dir = Pathname.new(vendor_dir).relative_path_from(
|
|
22
|
+
repo_contents_path
|
|
23
|
+
)
|
|
24
|
+
|
|
22
25
|
status = SharedHelpers.run_shell_command(
|
|
23
26
|
"git status --untracked-files=all --porcelain=v1 #{relative_dir}"
|
|
24
27
|
)
|
|
@@ -31,8 +34,14 @@ module Dependabot
|
|
|
31
34
|
encoding = Dependabot::DependencyFile::ContentEncoding::BASE64
|
|
32
35
|
encoded_content = Base64.encode64(encoded_content) unless deleted
|
|
33
36
|
end
|
|
37
|
+
|
|
38
|
+
project_root =
|
|
39
|
+
Pathname.new(File.expand_path(File.join(Dir.pwd, base_directory)))
|
|
40
|
+
file_path =
|
|
41
|
+
Pathname.new(path).expand_path.relative_path_from(project_root)
|
|
42
|
+
|
|
34
43
|
Dependabot::DependencyFile.new(
|
|
35
|
-
name:
|
|
44
|
+
name: file_path.to_s,
|
|
36
45
|
content: encoded_content,
|
|
37
46
|
directory: base_directory,
|
|
38
47
|
deleted: deleted,
|
|
@@ -43,6 +43,51 @@ module Dependabot
|
|
|
43
43
|
safe_versions.any?
|
|
44
44
|
end
|
|
45
45
|
|
|
46
|
+
# Check if the advisory is fixed by the updated dependency
|
|
47
|
+
#
|
|
48
|
+
# @param dependency [Dependabot::Dependency] Updated dependency
|
|
49
|
+
# @return [Boolean]
|
|
50
|
+
def fixed_by?(dependency)
|
|
51
|
+
# Handle case mismatch between the security advisory and parsed name
|
|
52
|
+
return false unless dependency_name.downcase == dependency.name.downcase
|
|
53
|
+
return false unless package_manager == dependency.package_manager
|
|
54
|
+
# TODO: Support no previous version to the same level as dependency graph
|
|
55
|
+
# and security alerts. We currently ignore dependency updates without a
|
|
56
|
+
# previous version because we don't know if the dependency was vulerable.
|
|
57
|
+
return false unless dependency.previous_version
|
|
58
|
+
return false unless version_class.correct?(dependency.previous_version)
|
|
59
|
+
|
|
60
|
+
# Ignore deps that weren't previously vulnerable
|
|
61
|
+
return false unless affects_version?(dependency.previous_version)
|
|
62
|
+
|
|
63
|
+
# Select deps that are now fixed
|
|
64
|
+
!affects_version?(dependency.version)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
# Check if the version is affected by the advisory
|
|
68
|
+
#
|
|
69
|
+
# @param version [Dependabot::<Package Manager>::Version] version class
|
|
70
|
+
# @return [Boolean]
|
|
71
|
+
def affects_version?(version)
|
|
72
|
+
return false unless version_class.correct?(version)
|
|
73
|
+
return false unless [*safe_versions, *vulnerable_versions].any?
|
|
74
|
+
|
|
75
|
+
version = version_class.new(version)
|
|
76
|
+
|
|
77
|
+
# If version is known safe for this advisory, it's not vulnerable
|
|
78
|
+
return false if safe_versions.any? { |r| r.satisfied_by?(version) }
|
|
79
|
+
|
|
80
|
+
# If in the vulnerable range and not known safe, it's vulnerable
|
|
81
|
+
return true if vulnerable_versions.any? { |r| r.satisfied_by?(version) }
|
|
82
|
+
|
|
83
|
+
# If a vulnerable range present but not met, it's not vulnerable
|
|
84
|
+
return false if vulnerable_versions.any?
|
|
85
|
+
|
|
86
|
+
# Finally, if no vulnerable range provided, but a safe range provided,
|
|
87
|
+
# and this versions isn't included (checked earler), it's vulnerable
|
|
88
|
+
safe_versions.any?
|
|
89
|
+
end
|
|
90
|
+
|
|
46
91
|
private
|
|
47
92
|
|
|
48
93
|
def convert_string_version_requirements
|
|
@@ -42,6 +42,9 @@ module Dependabot
|
|
|
42
42
|
path = Pathname.new(File.join(repo_contents_path, directory)).
|
|
43
43
|
expand_path
|
|
44
44
|
reset_git_repo(repo_contents_path)
|
|
45
|
+
# Handle missing directories by creating an empty one and relying on the
|
|
46
|
+
# file fetcher to raise a DependencyFileNotFound error
|
|
47
|
+
FileUtils.mkdir_p(path) unless Dir.exist?(path)
|
|
45
48
|
Dir.chdir(path) { yield(path) }
|
|
46
49
|
else
|
|
47
50
|
in_a_temporary_directory(directory, &block)
|
|
@@ -58,13 +61,14 @@ module Dependabot
|
|
|
58
61
|
end
|
|
59
62
|
|
|
60
63
|
class HelperSubprocessFailed < StandardError
|
|
61
|
-
attr_reader :error_class, :error_context
|
|
64
|
+
attr_reader :error_class, :error_context, :trace
|
|
62
65
|
|
|
63
|
-
def initialize(message:, error_context:, error_class: nil)
|
|
66
|
+
def initialize(message:, error_context:, error_class: nil, trace: nil)
|
|
64
67
|
super(message)
|
|
65
68
|
@error_class = error_class || ""
|
|
66
69
|
@error_context = error_context
|
|
67
70
|
@command = error_context[:command]
|
|
71
|
+
@trace = trace
|
|
68
72
|
end
|
|
69
73
|
|
|
70
74
|
def raven_context
|
|
@@ -113,7 +117,8 @@ module Dependabot
|
|
|
113
117
|
raise HelperSubprocessFailed.new(
|
|
114
118
|
message: response["error"],
|
|
115
119
|
error_class: response["error_class"],
|
|
116
|
-
error_context: error_context
|
|
120
|
+
error_context: error_context,
|
|
121
|
+
trace: response["trace"]
|
|
117
122
|
)
|
|
118
123
|
rescue JSON::ParserError
|
|
119
124
|
raise HelperSubprocessFailed.new(
|
|
@@ -79,6 +79,12 @@ module Dependabot
|
|
|
79
79
|
raise NotImplementedError
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
+
# Lowest available security fix version not checking resolvability
|
|
83
|
+
# @return [Dependabot::<package manager>::Version, #to_s] version class
|
|
84
|
+
def lowest_security_fix_version
|
|
85
|
+
raise NotImplementedError
|
|
86
|
+
end
|
|
87
|
+
|
|
82
88
|
def lowest_resolvable_security_fix_version
|
|
83
89
|
raise NotImplementedError
|
|
84
90
|
end
|
data/lib/dependabot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.124.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-codecommit
|
|
@@ -438,7 +438,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
438
438
|
- !ruby/object:Gem::Version
|
|
439
439
|
version: 2.7.3
|
|
440
440
|
requirements: []
|
|
441
|
-
rubygems_version: 3.1.
|
|
441
|
+
rubygems_version: 3.1.4
|
|
442
442
|
signing_key:
|
|
443
443
|
specification_version: 4
|
|
444
444
|
summary: Shared code used between Dependabot package managers
|