dependabot-common 0.214.0 → 0.216.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1fab7bc375e03e37b65e94e3e05e7c9ad945d982295b6c9a030083ed038dbaf3
-  data.tar.gz: 9924a1980357d1833988bd19a8119a05162a28cc20cbdf157626744ef93be0ba
+  metadata.gz: 645d08a2a5cfd122e1ec0bb4302d7c4e80bd0348e0c0e52d28dc210d196b963b
+  data.tar.gz: 25d81216a7b48d60b332d241e06f3a7dcc384b06ea3f5fac1dcc02949da226dc
 SHA512:
-  metadata.gz: 88069b0acbe42180a064046ab55cba565da0f9a3e00d40582a3fb406aee9e3b357cf8e3bdf34dc84da959c931c1519a87e02022e994baf947193f7d6fb949be8
-  data.tar.gz: 785cddd10adbed3413e7fdfcbfcc9b5fa00fde7a55f6e171db0c62f4e4a9f17000dc06d7e4c75d312fda6c7801e9fa6428642ea2b3473dc1b4d7f14e0a660bff
+  metadata.gz: 8ef726592da7c2ff04784322801d12902ab42613e53b084687acdbfb479982e60a5303cb6e7f249e5525547a7b7681af48c3afe9df16cfda435b771e5e3f84ad
+  data.tar.gz: ef3a1010b2dd5736c9595754b1eb1cf1cca4cd7eecdfae551b97a2d84c71952ccad43bedafab0f9b6cea07892afbff41b766d9d8941ae10bcd7eedb434970aa3

data/lib/dependabot/clients/azure.rb

@@ -192,6 +192,32 @@ module Dependabot
           "/pullrequests?api-version=5.0", content.to_json)
       end
 
+      def autocomplete_pull_request(pull_request_id, auto_complete_set_by, merge_commit_message,
+                                    delete_source_branch = true, squash_merge = true, merge_strategy = "squash",
+                                    trans_work_items = true, ignore_config_ids = [])
+
+        content = {
+          autoCompleteSetBy: {
+            id: auto_complete_set_by
+          },
+          completionOptions: {
+            mergeCommitMessage: merge_commit_message,
+            deleteSourceBranch: delete_source_branch,
+            squashMerge: squash_merge,
+            mergeStrategy: merge_strategy,
+            transitionWorkItems: trans_work_items,
+            autoCompleteIgnoreConfigIds: ignore_config_ids
+          }
+        }
+
+        response = patch(source.api_endpoint +
+                           source.organization + "/" + source.project +
+                           "/_apis/git/repositories/" + source.unscoped_repo +
+                           "/pullrequests/" + pull_request_id.to_s + "?api-version=5.1", content.to_json)
+
+        JSON.parse(response.body)
+      end
+
       def pull_request(pull_request_id)
         response = get(source.api_endpoint +
           source.organization + "/" + source.project +
@@ -217,6 +243,18 @@ module Dependabot
       end
       # rubocop:enable Metrics/ParameterLists
 
+      def compare(previous_tag, new_tag, type)
+        response = get(source.api_endpoint +
+                         source.organization + "/" + source.project +
+                         "/_apis/git/repositories/" + source.unscoped_repo +
+                         "/commits?searchCriteria.itemVersion.versionType=#{type}" \
+                         "&searchCriteria.itemVersion.version=#{previous_tag}" \
+                         "&searchCriteria.compareVersion.versionType=#{type}" \
+                         "&searchCriteria.compareVersion.version=#{new_tag}")
+
+        JSON.parse(response.body).fetch("value")
+      end
+
       def get(url)
         response = nil
 
@@ -279,6 +317,37 @@ module Dependabot
         response
       end
 
+      def patch(url, json)
+        response = nil
+
+        retry_connection_failures do
+          response = Excon.patch(
+            url,
+            body: json,
+            user: credentials&.fetch("username", nil),
+            password: credentials&.fetch("password", nil),
+            idempotent: true,
+            **SharedHelpers.excon_defaults(
+              headers: auth_header.merge(
+                {
+                  "Content-Type" => "application/json"
+                }
+              )
+            )
+          )
+
+          raise InternalServerError if response.status == 500
+          raise BadGateway if response.status == 502
+          raise ServiceNotAvailable if response.status == 503
+        end
+
+        raise Unauthorized if response.status == 401
+        raise Forbidden if response.status == 403
+        raise NotFound if response.status == 404
+
+        response
+      end
+
       private
 
       def retry_connection_failures

data/lib/dependabot/clients/bitbucket.rb

@@ -171,6 +171,8 @@ module Dependabot
         base_url = "https://api.bitbucket.org/2.0/user?fields=uuid"
         response = get(base_url)
         JSON.parse(response.body).fetch("uuid")
+      rescue Unauthorized
+        [nil]
       end
 
       def default_reviewers(repo)
@@ -205,7 +207,7 @@ module Dependabot
 
       def get(url)
         response = Excon.get(
-          url,
+          URI::DEFAULT_PARSER.escape(url),
           user: credentials&.fetch("username", nil),
           password: credentials&.fetch("password", nil),
           # Setting to false to prevent Excon retries, use BitbucketWithRetries for retries.

data/lib/dependabot/clients/github_with_retries.rb

@@ -6,16 +6,21 @@ module Dependabot
   module Clients
     class GithubWithRetries
       DEFAULT_OPEN_TIMEOUT_IN_SECONDS = 2
+      DEFAULT_READ_TIMEOUT_IN_SECONDS = 5
 
       def self.open_timeout_in_seconds
         ENV.fetch("DEPENDABOT_OPEN_TIMEOUT_IN_SECONDS", DEFAULT_OPEN_TIMEOUT_IN_SECONDS).to_i
       end
 
+      def self.read_timeout_in_seconds
+        ENV.fetch("DEPENDABOT_READ_TIMEOUT_IN_SECONDS", DEFAULT_READ_TIMEOUT_IN_SECONDS).to_i
+      end
+
       DEFAULT_CLIENT_ARGS = {
         connection_options: {
           request: {
             open_timeout: open_timeout_in_seconds,
-            timeout: 5
+            timeout: read_timeout_in_seconds
           }
         }
       }.freeze
@@ -84,6 +89,12 @@ module Dependabot
         access_tokens << nil if access_tokens.empty?
         access_tokens.uniq!
 
+        # Explicitly set the proxy if one is set in the environment
+        # as Faraday's find_proxy is very slow.
+        Octokit.configure do |c|
+          c.proxy = ENV["HTTPS_PROXY"] if ENV["HTTPS_PROXY"]
+        end
+
         Octokit.middleware = Faraday::RackBuilder.new do |builder|
           builder.use Faraday::Retry::Middleware, exceptions: RETRYABLE_ERRORS, max: max_retries || 3
 

data/lib/dependabot/config/file_fetcher.rb

@@ -40,7 +40,7 @@ module Dependabot
         end
 
         unless self.class.required_files_in?(fetched_files.map(&:name))
-          raise Dependabot::DependencyFileNotFound, self.class.required_files_message
+          raise Dependabot::DependencyFileNotFound.new(nil, self.class.required_files_message)
         end
 
         fetched_files

data/lib/dependabot/config/ignore_condition.rb

@@ -32,16 +32,19 @@ module Dependabot
       end
 
       def versions_by_type(dependency)
-        return [] unless dependency.version
+        version = correct_version_for(dependency)
+        return [] unless version
+
+        semver = version.to_semver
 
         transformed_update_types.flat_map do |t|
           case t
           when PATCH_VERSION_TYPE
-            ignore_patch(dependency.version)
+            ignore_patch(semver)
           when MINOR_VERSION_TYPE
-            ignore_minor(dependency.version)
+            ignore_minor(semver)
           when MAJOR_VERSION_TYPE
-            ignore_major(dependency.version)
+            ignore_major(semver)
           else
             []
           end
@@ -49,8 +52,6 @@ module Dependabot
       end
 
       def ignore_patch(version)
-        return [] unless rubygems_compatible?(version)
-
         parts = version.split(".")
         version_parts = parts.fill(0, parts.length...2)
         upper_parts = version_parts.first(1) + [version_parts[1].to_i + 1]
@@ -61,8 +62,6 @@ module Dependabot
       end
 
       def ignore_minor(version)
-        return [] unless rubygems_compatible?(version)
-
         parts = version.split(".")
         version_parts = parts.fill(0, parts.length...2)
         lower_parts = version_parts.first(1) + [version_parts[1].to_i + 1] + ["a"]
@@ -74,8 +73,6 @@ module Dependabot
       end
 
       def ignore_major(version)
-        return [] unless rubygems_compatible?(version)
-
         version_parts = version.split(".")
         lower_parts = [version_parts[0].to_i + 1] + ["a"]
         lower_bound = ">= #{lower_parts.join('.')}"
@@ -83,10 +80,20 @@ module Dependabot
         [lower_bound]
       end
 
-      def rubygems_compatible?(version)
-        return false if version.nil? || version.empty?
+      def correct_version_for(dependency)
+        version = dependency.version
+        return if version.nil? || version.empty?
+
+        version_class = version_class_for(dependency.package_manager)
+        return unless version_class.correct?(version)
+
+        version_class.new(version)
+      end
 
-        Gem::Version.correct?(version)
+      def version_class_for(package_manager)
+        Utils.version_class_for_package_manager(package_manager)
+      rescue StandardError
+        Dependabot::Version
       end
     end
   end

data/lib/dependabot/dependency.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "rubygems_version_patch"
+require "dependabot/version"
 
 module Dependabot
   class Dependency
@@ -110,6 +110,67 @@ module Dependabot
       display_name_builder.call(name)
     end
 
+    def humanized_previous_version
+      # If we don't have a previous version, we *may* still be able to figure
+      # one out if a ref was provided and has been changed (in which case the
+      # previous ref was essentially the version).
+      if previous_version.nil?
+        return ref_changed? ? previous_ref : nil
+      end
+
+      if previous_version.match?(/^[0-9a-f]{40}/)
+        return previous_ref if ref_changed? && previous_ref
+
+        "`#{previous_version[0..6]}`"
+      elsif version == previous_version &&
+            package_manager == "docker"
+        digest = docker_digest_from_reqs(previous_requirements)
+        "`#{digest.split(':').last[0..6]}`"
+      else
+        previous_version
+      end
+    end
+
+    def humanized_version
+      return if removed?
+
+      if version.match?(/^[0-9a-f]{40}/)
+        return new_ref if ref_changed? && new_ref
+
+        "`#{version[0..6]}`"
+      elsif version == previous_version &&
+            package_manager == "docker"
+        digest = docker_digest_from_reqs(requirements)
+        "`#{digest.split(':').last[0..6]}`"
+      else
+        version
+      end
+    end
+
+    def docker_digest_from_reqs(requirements)
+      requirements.
+        filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
+        first
+    end
+
+    def previous_ref
+      previous_refs = previous_requirements.filter_map do |r|
+        r.dig(:source, "ref") || r.dig(:source, :ref)
+      end.uniq
+      return previous_refs.first if previous_refs.count == 1
+    end
+
+    def new_ref
+      new_refs = requirements.filter_map do |r|
+        r.dig(:source, "ref") || r.dig(:source, :ref)
+      end.uniq
+      return new_refs.first if new_refs.count == 1
+    end
+
+    def ref_changed?
+      previous_ref != new_ref
+    end
+
     # Returns all detected versions of the dependency. Only ecosystems that
     # support this feature will return more than the current version.
     def all_versions
@@ -135,7 +196,7 @@ module Dependabot
     end
 
     def eql?(other)
-      self.==(other)
+      self == other
     end
 
     private

data/lib/dependabot/dependency_file.rb

@@ -87,7 +87,7 @@ module Dependabot
     end
 
     def eql?(other)
-      self.==(other)
+      self == other
     end
 
     def support_file?

data/lib/dependabot/errors.rb

@@ -80,7 +80,7 @@ module Dependabot
 
     def initialize(file_path, msg = nil)
       @file_path = file_path
-      super(msg)
+      super("#{file_path} not found" || msg)
     end
 
     def file_name

data/lib/dependabot/file_fetchers/base.rb

@@ -95,11 +95,17 @@ module Dependabot
       rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
         if e.message.include?("fatal: Remote branch #{target_branch} not found in upstream origin")
           raise Dependabot::BranchNotFound, target_branch
+        elsif e.message.include?("No space left on device")
+          raise Dependabot::OutOfDisk
         end
 
         raise Dependabot::RepoNotFound, source
       end
 
+      def package_manager_version
+        nil
+      end
+
       private
 
       def fetch_file_if_present(filename, fetch_submodules: false)
@@ -498,7 +504,7 @@ module Dependabot
           _fetch_file_content_from_github(path, repo, commit)
         when "gitlab"
           tmp = gitlab_client.get_file(repo, path, commit).content
-          Base64.decode64(tmp).force_encoding("UTF-8").encode
+          decode_binary_string(tmp)
         when "azure"
           azure_client.fetch_file_contents(commit, path)
         when "bitbucket"
@@ -534,7 +540,7 @@ module Dependabot
           # see https://github.blog/changelog/2022-05-03-increased-file-size-limit-when-retrieving-file-contents-via-rest-api/
           github_client.contents(repo, path: path, ref: commit, accept: "application/vnd.github.v3.raw")
         else
-          Base64.decode64(tmp.content).force_encoding("UTF-8").encode
+          decode_binary_string(tmp.content)
         end
       rescue Octokit::Forbidden => e
         raise unless e.message.include?("too_large")
@@ -549,7 +555,7 @@ module Dependabot
         tmp = github_client.blob(repo, file_details.sha)
         return tmp.content if tmp.encoding == "utf-8"
 
-        Base64.decode64(tmp.content).force_encoding("UTF-8").encode
+        decode_binary_string(tmp.content)
       end
       # rubocop:enable Metrics/AbcSize
 
@@ -607,7 +613,7 @@ module Dependabot
               CMD
             )
           rescue SharedHelpers::HelperSubprocessFailed => e
-            raise unless GIT_SUBMODULE_ERROR_REGEX && e.message.downcase.include?("submodule")
+            raise unless e.message.match(GIT_SUBMODULE_ERROR_REGEX) && e.message.downcase.include?("submodule")
 
             submodule_cloning_failed = true
             match = e.message.match(GIT_SUBMODULE_ERROR_REGEX)
@@ -652,6 +658,11 @@ module Dependabot
       # rubocop:enable Metrics/MethodLength
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/BlockLength
+
+      def decode_binary_string(str)
+        bom = (+"\xEF\xBB\xBF").force_encoding(Encoding::BINARY)
+        Base64.decode64(str).delete_prefix(bom).force_encoding("UTF-8").encode
+      end
     end
   end
 end

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -117,19 +117,10 @@ module Dependabot
 
           # Produces a new dependency by merging the attributes of `old_dep` with those of
           # `new_dep`. Requirements and subdependency metadata will be combined and deduped.
-          # The version of the combined dependency is determined by the logic below.
+          # The version of the combined dependency is determined by the
+          # `#combined_version` method below.
           def combined_dependency(old_dep, new_dep)
-            version = if old_dep.top_level? # Prefer a direct dependency over a transitive one
-                        old_dep.version || new_dep.version
-                      elsif !version_class.correct?(new_dep.version)
-                        old_dep.version
-                      elsif !version_class.correct?(old_dep.version)
-                        new_dep.version
-                      elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
-                        old_dep.version
-                      else
-                        new_dep.version
-                      end
+            version = combined_version(old_dep, new_dep)
             requirements = (old_dep.requirements + new_dep.requirements).uniq
             subdependency_metadata = (
               (old_dep.subdependency_metadata || []) +
@@ -145,6 +136,22 @@ module Dependabot
             )
           end
 
+          def combined_version(old_dep, new_dep)
+            if old_dep.version.nil? ^ new_dep.version.nil?
+              [old_dep, new_dep].find(&:version).version
+            elsif old_dep.top_level? ^ new_dep.top_level? # Prefer a direct dependency over a transitive one
+              [old_dep, new_dep].find(&:top_level?).version
+            elsif !version_class.correct?(new_dep.version)
+              old_dep.version
+            elsif !version_class.correct?(old_dep.version)
+              new_dep.version
+            elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
+              old_dep.version
+            else
+              new_dep.version
+            end
+          end
+
           def version_class
             @version_class ||= Utils.version_class_for_package_manager(@combined.package_manager)
           end

data/lib/dependabot/file_parsers/base.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "dependabot/notifications"
-
 module Dependabot
   module FileParsers
     class Base

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -23,7 +23,8 @@ module Dependabot
           # rubocop:enable Performance/DeletePrefix
 
           status = SharedHelpers.run_shell_command(
-            "git status --untracked-files all --porcelain v1 #{relative_dir}"
+            "git status --untracked-files all --porcelain v1 #{relative_dir}",
+            fingerprint: "git status --untracked-files all --porcelain v1 <relative_dir>"
           )
           changed_paths = status.split("\n").map(&:split)
           changed_paths.map do |type, path|

data/lib/dependabot/git_commit_checker.rb

@@ -99,12 +99,10 @@ module Dependabot
       local_repo_git_metadata_fetcher.head_commit_for_ref(name)
     end
 
-    def local_tag_for_latest_version_matching_existing_precision
-      max_local_tag_for_current_precision(allowed_version_tags)
-    end
-
     def local_ref_for_latest_version_matching_existing_precision
-      max_local_tag_for_current_precision(allowed_version_refs)
+      allowed_refs = local_tag_for_pinned_sha ? allowed_version_tags : allowed_version_refs
+
+      max_local_tag_for_current_precision(allowed_refs)
     end
 
     def local_tag_for_latest_version
@@ -151,6 +149,8 @@ module Dependabot
     end
 
     def local_tag_for_pinned_sha
+      return unless pinned_ref_looks_like_commit_sha?
+
       commit_sha = dependency_source_details.fetch(:ref)
       most_specific_version_tag_for_sha(commit_sha)
     end

data/lib/dependabot/git_metadata_fetcher.rb

@@ -106,7 +106,7 @@ module Dependabot
 
     def fetch_raw_upload_pack_with_git_for(uri)
       service_pack_uri = uri
-      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
+      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
 
       env = { "PATH" => ENV.fetch("PATH", nil) }
       command = "git ls-remote #{service_pack_uri}"
@@ -158,40 +158,45 @@ module Dependabot
     def service_pack_uri(uri)
       service_pack_uri = uri_with_auth(uri)
       service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
-      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
+      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
       service_pack_uri + "/info/refs?service=git-upload-pack"
     end
 
+    def skip_git_suffix(uri)
+      # TODO: Unlike the other providers (GitHub, GitLab, BitBucket), as of 2023-01-18 Azure DevOps does not support the
+      # ".git" suffix. It will return a 404.
+      # So skip adding ".git" if looks like an ADO URI.
+      # There's no access to the source object here, so have to check the URI instead.
+      # Even if we had the current source object, the URI may be for a dependency hosted elsewhere.
+      # Unfortunately as a consequence, urls pointing to Azure DevOps Server will not work.
+      # Only alternative is to remove the addition of ".git" suffix since the other providers
+      # (GitHub, GitLab, BitBucket) work with or without the suffix.
+      # That change has other ramifications, so it'd be better if Azure started supporting ".git"
+      # like all the other providers.
+      uri = "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}" if uri.start_with?("git@")
+      uri = URI(uri)
+      hostname = uri.hostname.to_s
+      hostname == "dev.azure.com" || hostname.end_with?(".visualstudio.com")
+    end
+
+    # Add in username and password if present in credentials.
+    # Credentials are never present for production Dependabot.
     def uri_with_auth(uri)
-      bare_uri =
-        if uri.include?("git@") then uri.split("git@").last.sub(%r{:/?}, "/")
-        else
-          uri.sub(%r{.*?://}, "")
-        end
+      # Handle SCP-style git URIs
+      uri = "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}" if uri.start_with?("git@")
+      uri = URI(uri)
       cred = credentials.select { |c| c["type"] == "git_source" }.
-             find { |c| bare_uri.start_with?(c["host"]) }
+             find { |c| uri.host == c["host"] }
 
-      scheme = scheme_for_uri(uri)
+      uri.scheme = "https" if uri.scheme != "http"
 
-      if bare_uri.match?(%r{[^/]+:[^/]+@})
-        # URI already has authentication details
-        "#{scheme}://#{bare_uri}"
-      elsif cred&.fetch("username", nil) && cred&.fetch("password", nil)
+      if !uri.password && cred&.fetch("username", nil) && cred&.fetch("password", nil)
         # URI doesn't have authentication details, but we have credentials
-        auth_string = "#{cred.fetch('username')}:#{cred.fetch('password')}"
-        "#{scheme}://#{auth_string}@#{bare_uri}"
-      else
-        # No credentials, so just return the http(s) URI
-        "#{scheme}://#{bare_uri}"
+        uri.user = URI.encode_www_form_component(cred["username"])
+        uri.password = URI.encode_www_form_component(cred["password"])
       end
-    end
 
-    def scheme_for_uri(uri)
-      if uri.match?(%r{^http://})
-        "http"
-      else
-        "https"
-      end
+      uri.to_s
     end
 
     def sha_for_update_pack_line(line)

data/lib/dependabot/group_rule.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Dependabot
+  class GroupRule
+    attr_reader :name
+
+    def initialize(name)
+      @name = name
+    end
+  end
+end

data/lib/dependabot/metadata_finders/README.md

@@ -45,7 +45,7 @@ and implement the following methods:
 
 | Method                 | Description             |
 |------------------------|-------------------------|
-| `#look_up_source`      | Private method that returns a `Dependabot::Source` object. Generally the source details are extracted from a source code URL provided by the language's dependency registry, but sometimes it's already know from parsing the dependency file. |
+| `#look_up_source`      | Private method that returns a `Dependabot::Source` object. Generally the source details are extracted from a source code URL provided by the language's dependency registry, but sometimes it's already available from parsing the dependency file. |
 
 To ensure the above are implemented, you should include
 `it_behaves_like "a dependency metadata finder"` in your specs for the new