dependabot-common 0.236.0 → 0.237.0

data/lib/dependabot/shared_helpers.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
 require "digest"
@@ -8,6 +8,7 @@ require "fileutils"
 require "json"
 require "open3"
 require "shellwords"
+require "sorbet-runtime"
 require "tmpdir"
 
 require "dependabot/simple_instrumentor"
@@ -18,20 +19,34 @@ require "dependabot"
 
 module Dependabot
   module SharedHelpers
-    GIT_CONFIG_GLOBAL_PATH = File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH)
-    USER_AGENT = "dependabot-core/#{Dependabot::VERSION} " \
-                 "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
-                 "(#{RUBY_PLATFORM}) " \
-                 "(+https://github.com/dependabot/dependabot-core)".freeze
+    extend T::Sig
+
+    GIT_CONFIG_GLOBAL_PATH = T.let(File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH), String)
+    USER_AGENT = T.let(
+      "dependabot-core/#{Dependabot::VERSION} " \
+      "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
+      "(#{RUBY_PLATFORM}) " \
+      "(+https://github.com/dependabot/dependabot-core)".freeze,
+      String
+    )
     SIGKILL = 9
 
+    sig do
+      type_parameters(:T)
+        .params(
+          directory: String,
+          repo_contents_path: T.nilable(String),
+          block: T.proc.params(arg0: T.any(Pathname, String)).returns(T.type_parameter(:T))
+        )
+        .returns(T.type_parameter(:T))
+    end
     def self.in_a_temporary_repo_directory(directory = "/", repo_contents_path = nil, &block)
       if repo_contents_path
         # If a workspace has been defined to allow orcestration of the git repo
         # by the runtime we should defer to it, otherwise we prepare the folder
         # for direct use and yield.
         if Dependabot::Workspace.active_workspace
-          Dependabot::Workspace.active_workspace.change(&block)
+          T.must(Dependabot::Workspace.active_workspace).change(&block)
         else
           path = Pathname.new(File.join(repo_contents_path, directory)).expand_path
           reset_git_repo(repo_contents_path)
@@ -46,9 +61,18 @@ module Dependabot
       end
     end
 
-    def self.in_a_temporary_directory(directory = "/")
+    sig do
+      type_parameters(:T)
+        .params(
+          directory: String,
+          _block: T.proc.params(arg0: T.any(Pathname, String)).returns(T.type_parameter(:T))
+        )
+        .returns(T.type_parameter(:T))
+    end
+    def self.in_a_temporary_directory(directory = "/", &_block)
       FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
       tmp_dir = Dir.mktmpdir(Utils::BUMP_TMP_FILE_PREFIX, Utils::BUMP_TMP_DIR_PATH)
+      path = Pathname.new(File.join(tmp_dir, directory)).expand_path
 
       begin
         path = Pathname.new(File.join(tmp_dir, directory)).expand_path
@@ -60,28 +84,59 @@ module Dependabot
     end
 
     class HelperSubprocessFailed < Dependabot::DependabotError
-      attr_reader :error_class, :error_context, :trace
+      extend T::Sig
+
+      sig { returns(String) }
+      attr_reader :error_class
+
+      sig { returns(T::Hash[Symbol, String]) }
+      attr_reader :error_context
+
+      sig { returns(T.nilable(T::Array[String])) }
+      attr_reader :trace
 
+      sig do
+        params(
+          message: String,
+          error_context: T::Hash[Symbol, String],
+          error_class: T.nilable(String),
+          trace: T.nilable(T::Array[String])
+        ).void
+      end
       def initialize(message:, error_context:, error_class: nil, trace: nil)
         super(message)
-        @error_class = error_class || "HelperSubprocessFailed"
+        @error_class = T.let(error_class || "HelperSubprocessFailed", String)
         @error_context = error_context
-        @fingerprint = error_context[:fingerprint] || error_context[:command]
+        @fingerprint = T.let(error_context[:fingerprint] || error_context[:command], T.nilable(String))
         @trace = trace
       end
 
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def raven_context
         { fingerprint: [@fingerprint], extra: @error_context.except(:stderr_output, :fingerprint) }
       end
     end
 
     # Escapes all special characters, e.g. = & | <>
+    sig { params(command: String).returns(String) }
     def self.escape_command(command)
       command_parts = command.split.map(&:strip).reject(&:empty?)
       Shellwords.join(command_parts)
     end
 
     # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/AbcSize
+    sig do
+      params(
+        command: String,
+        function: String,
+        args: T.any(T::Array[String], T::Hash[Symbol, String]),
+        env: T.nilable(T::Hash[String, String]),
+        stderr_to_stdout: T::Boolean,
+        allow_unsafe_shell_command: T::Boolean
+      )
+        .returns(T.nilable(T.any(String, T::Hash[String, T.untyped], T::Array[T::Hash[String, T.untyped]])))
+    end
     def self.run_helper_subprocess(command:, function:, args:, env: nil,
                                    stderr_to_stdout: false,
                                    allow_unsafe_shell_command: false)
@@ -95,11 +150,11 @@ module Dependabot
       if ENV["DEBUG_FUNCTION"] == function
         puts helper_subprocess_bash_command(stdin_data: stdin_data, command: cmd, env: env)
         # Pause execution so we can run helpers inside the temporary directory
-        debugger # rubocop:disable Lint/Debugger
+        T.unsafe(self).debugger
       end
 
       env_cmd = [env, cmd].compact
-      stdout, stderr, process = Open3.capture3(*env_cmd, stdin_data: stdin_data)
+      stdout, stderr, process = T.unsafe(Open3).capture3(*env_cmd, stdin_data: stdin_data)
       time_taken = Time.now - start
 
       if ENV["DEBUG_HELPERS"] == "true"
@@ -126,24 +181,27 @@ module Dependabot
 
       check_out_of_memory_error(stderr, error_context)
 
-      response = JSON.parse(stdout)
-      return response["result"] if process.success?
-
-      raise HelperSubprocessFailed.new(
-        message: response["error"],
-        error_class: response["error_class"],
-        error_context: error_context,
-        trace: response["trace"]
-      )
-    rescue JSON::ParserError
-      raise HelperSubprocessFailed.new(
-        message: stdout || "No output from command",
-        error_class: "JSON::ParserError",
-        error_context: error_context
-      )
+      begin
+        response = JSON.parse(stdout)
+        return response["result"] if process.success?
+
+        raise HelperSubprocessFailed.new(
+          message: response["error"],
+          error_class: response["error_class"],
+          error_context: error_context,
+          trace: response["trace"]
+        )
+      rescue JSON::ParserError
+        raise HelperSubprocessFailed.new(
+          message: stdout || "No output from command",
+          error_class: "JSON::ParserError",
+          error_context: error_context
+        )
+      end
     end
 
     # rubocop:enable Metrics/MethodLength
+    sig { params(stderr: T.nilable(String), error_context: T::Hash[Symbol, String]).void }
     def self.check_out_of_memory_error(stderr, error_context)
       return unless stderr&.include?("JavaScript heap out of memory")
 
@@ -154,12 +212,14 @@ module Dependabot
       )
     end
 
+    sig { returns(T::Array[T.class_of(Excon::Middleware::Base)]) }
     def self.excon_middleware
-      Excon.defaults[:middlewares] +
+      T.must(T.cast(Excon.defaults, T::Hash[Symbol, T::Array[T.class_of(Excon::Middleware::Base)]])[:middlewares]) +
         [Excon::Middleware::Decompress] +
         [Excon::Middleware::RedirectFollower]
     end
 
+    sig { params(headers: T.nilable(T::Hash[String, String])).returns(T::Hash[String, String]) }
     def self.excon_headers(headers = nil)
       headers ||= {}
       {
@@ -167,9 +227,10 @@ module Dependabot
       }.merge(headers)
     end
 
+    sig { params(options: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Hash[Symbol, T.untyped]) }
     def self.excon_defaults(options = nil)
       options ||= {}
-      headers = options.delete(:headers)
+      headers = T.cast(options.delete(:headers), T.nilable(T::Hash[String, String]))
       {
         instrumentor: Dependabot::SimpleInstrumentor,
         connect_timeout: 5,
@@ -182,7 +243,15 @@ module Dependabot
       }.merge(options)
     end
 
-    def self.with_git_configured(credentials:)
+    sig do
+      type_parameters(:T)
+        .params(
+          credentials: T::Array[T::Hash[String, String]],
+          _block: T.proc.returns(T.type_parameter(:T))
+        )
+        .returns(T.type_parameter(:T))
+    end
+    def self.with_git_configured(credentials:, &_block)
       safe_directories = find_safe_directories
 
       FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
@@ -203,18 +272,20 @@ module Dependabot
     end
 
     # Handle SCP-style git URIs
+    sig { params(uri: String).returns(String) }
     def self.scp_to_standard(uri)
       return uri unless uri.start_with?("git@")
 
-      "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}"
+      "https://#{T.must(uri.split('git@').last).sub(%r{:/?}, '/')}"
     end
 
+    sig { returns(String) }
     def self.credential_helper_path
       File.join(__dir__, "../../bin/git-credential-store-immutable")
     end
 
-    # rubocop:disable Metrics/AbcSize
     # rubocop:disable Metrics/PerceivedComplexity
+    sig { params(credentials: T::Array[T::Hash[String, String]], safe_directories: T::Array[String]).void }
     def self.configure_git_to_use_https_with_credentials(credentials, safe_directories)
       File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
         file << "# Generated by dependabot/dependabot-core"
@@ -274,6 +345,7 @@ module Dependabot
     # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/PerceivedComplexity
 
+    sig { params(host: String).void }
     def self.configure_git_to_use_https(host)
       # NOTE: we use --global here (rather than --system) so that Dependabot
       # can be run without privileged access
@@ -299,6 +371,7 @@ module Dependabot
       )
     end
 
+    sig { params(path: String).void }
     def self.reset_git_repo(path)
       Dir.chdir(path) do
         run_shell_command("git reset HEAD --hard")
@@ -306,6 +379,7 @@ module Dependabot
       end
     end
 
+    sig { returns(T::Array[String]) }
     def self.find_safe_directories
       # to preserve safe directories from global .gitconfig
       output, process = Open3.capture2("git config --global --get-all safe.directory")
@@ -314,6 +388,15 @@ module Dependabot
       safe_directories
     end
 
+    sig do
+      params(
+        command: String,
+        allow_unsafe_shell_command: T::Boolean,
+        env: T.nilable(T::Hash[String, String]),
+        fingerprint: T.nilable(String),
+        stderr_to_stdout: T::Boolean
+      ).returns(String)
+    end
     def self.run_shell_command(command,
                                allow_unsafe_shell_command: false,
                                env: {},
@@ -347,6 +430,7 @@ module Dependabot
       )
     end
 
+    sig { params(command: String, stdin_data: String, env: T.nilable(T::Hash[String, String])).returns(String) }
     def self.helper_subprocess_bash_command(command:, stdin_data:, env:)
       escaped_stdin_data = stdin_data.gsub("\"", "\\\"")
       env_keys = env ? env.compact.map { |k, v| "#{k}=#{v}" }.join(" ") + " " : ""

data/lib/dependabot/simple_instrumentor.rb

@@ -1,16 +1,35 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module SimpleInstrumentor
     class << self
-      attr_accessor :events, :subscribers
+      extend T::Sig
+      extend T::Generic
+
+      sig { returns(T.nilable(T::Array[T.proc.params(name: String, params: T::Hash[Symbol, T.untyped]).void])) }
+      attr_accessor :subscribers
 
+      sig { params(block: T.proc.params(name: String, params: T::Hash[Symbol, T.untyped]).void).void }
       def subscribe(&block)
-        @subscribers ||= []
+        @subscribers ||= T.let(
+          [],
+          T.nilable(T::Array[T.proc.params(name: String, params: T::Hash[Symbol, T.untyped]).void])
+        )
         @subscribers << block
       end
 
+      sig do
+        type_parameters(:T)
+          .params(
+            name: String,
+            params: T::Hash[Symbol, T.untyped],
+            block: T.proc.returns(T.type_parameter(:T))
+          )
+          .returns(T.nilable(T.type_parameter(:T)))
+      end
       def instrument(name, params = {}, &block)
         @subscribers&.each { |s| s.call(name, params) }
         yield if block

data/lib/dependabot/source.rb

@@ -1,8 +1,12 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   class Source
+    extend T::Sig
+
     GITHUB_SOURCE = %r{
       (?<provider>github)
       (?:\.com)[/:]
@@ -59,24 +63,48 @@ module Dependabot
       (?:#{CODECOMMIT_SOURCE})
     /x
 
-    IGNORED_PROVIDER_HOSTS = %w(gitbox.apache.org svn.apache.org fuchsia.googlesource.com).freeze
+    IGNORED_PROVIDER_HOSTS = T.let(%w(gitbox.apache.org svn.apache.org fuchsia.googlesource.com).freeze,
+                                   T::Array[String])
+
+    sig { returns(String) }
+    attr_accessor :provider
+
+    sig { returns(String) }
+    attr_accessor :repo
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :directory
 
-    attr_accessor :provider, :repo, :directory, :branch, :commit,
-                  :hostname, :api_endpoint
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_accessor :directories
 
+    sig { returns(T.nilable(String)) }
+    attr_accessor :branch
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :commit
+
+    sig { returns(String) }
+    attr_accessor :hostname
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :api_endpoint
+
+    sig { params(url_string: T.nilable(String)).returns(T.nilable(Source)) }
     def self.from_url(url_string)
       return github_enterprise_from_url(url_string) unless url_string&.match?(SOURCE_REGEX)
 
-      captures = url_string.match(SOURCE_REGEX).named_captures
+      captures = T.must(url_string.match(SOURCE_REGEX)).named_captures
 
       new(
-        provider: captures.fetch("provider"),
-        repo: captures.fetch("repo").delete_suffix(".git").delete_suffix("."),
+        provider: T.must(captures.fetch("provider")),
+        repo: T.must(captures.fetch("repo")).delete_suffix(".git").delete_suffix("."),
         directory: captures.fetch("directory"),
         branch: captures.fetch("branch")
       )
     end
 
+    sig { params(url_string: T.nilable(String)).returns(T.nilable(Source)) }
     def self.github_enterprise_from_url(url_string)
       captures = url_string&.match(GITHUB_ENTERPRISE_SOURCE)&.named_captures
       return unless captures
@@ -88,7 +116,7 @@ module Dependabot
 
       new(
         provider: "github",
-        repo: captures.fetch("repo").delete_suffix(".git").delete_suffix("."),
+        repo: T.must(captures.fetch("repo")).delete_suffix(".git").delete_suffix("."),
         directory: captures.fetch("directory"),
         branch: captures.fetch("branch"),
         hostname: captures.fetch("host"),
@@ -96,18 +124,30 @@ module Dependabot
       )
     end
 
+    sig { params(base_url: String).returns(T::Boolean) }
     def self.github_enterprise?(base_url)
       resp = Excon.get(File.join(base_url, "status"))
       resp.status == 200 &&
         # Alternatively: resp.headers["Server"] == "GitHub.com", but this
         # currently doesn't work with development environments
-        resp.headers["X-GitHub-Request-Id"] &&
-        !resp.headers["X-GitHub-Request-Id"].empty?
+        ((resp.headers["X-GitHub-Request-Id"] && !resp.headers["X-GitHub-Request-Id"]&.empty?) || false)
     rescue StandardError
       false
     end
 
-    def initialize(provider:, repo:, directory: nil, branch: nil, commit: nil,
+    sig do
+      params(
+        provider: String,
+        repo: String,
+        directory: T.nilable(String),
+        directories: T.nilable(T::Array[String]),
+        branch: T.nilable(String),
+        commit: T.nilable(String),
+        hostname: T.nilable(String),
+        api_endpoint: T.nilable(String)
+      ).void
+    end
+    def initialize(provider:, repo:, directory: nil, directories: nil, branch: nil, commit: nil,
                    hostname: nil, api_endpoint: nil)
       if (hostname.nil? ^ api_endpoint.nil?) && (provider != "codecommit")
         msg = "Both hostname and api_endpoint must be specified if either " \
@@ -119,16 +159,19 @@ module Dependabot
       @provider = provider
       @repo = repo
       @directory = directory
+      @directories = directories
       @branch = branch
       @commit = commit
-      @hostname = hostname || default_hostname(provider)
-      @api_endpoint = api_endpoint || default_api_endpoint(provider)
+      @hostname = T.let(hostname || default_hostname(provider), String)
+      @api_endpoint = T.let(api_endpoint || default_api_endpoint(provider), T.nilable(String))
     end
 
+    sig { returns(String) }
     def url
       "https://" + hostname + "/" + repo
     end
 
+    sig { returns(String) }
     def url_with_directory
       return url if [nil, ".", "/"].include?(directory)
 
@@ -149,25 +192,29 @@ module Dependabot
       end
     end
 
+    sig { returns(String) }
     def organization
-      repo.split("/").first
+      T.must(repo.split("/").first)
     end
 
+    sig { returns(String) }
     def project
       raise "Project is an Azure DevOps concept only" unless provider == "azure"
 
       parts = repo.split("/_git/")
-      return parts.first.split("/").last if parts.first.split("/").count == 2
+      return T.must(T.must(parts.first).split("/").last) if parts.first&.split("/")&.count == 2
 
-      parts.last
+      T.must(parts.last)
     end
 
+    sig { returns(String) }
     def unscoped_repo
-      repo.split("/").last
+      T.must(repo.split("/").last)
     end
 
     private
 
+    sig { params(provider: String).returns(String) }
     def default_hostname(provider)
       case provider
       when "github" then "github.com"
@@ -179,6 +226,7 @@ module Dependabot
       end
     end
 
+    sig { params(provider: String).returns(T.nilable(String)) }
     def default_api_endpoint(provider)
       case provider
       when "github" then "https://api.github.com/"

data/lib/dependabot/update_checkers/version_filters.rb

@@ -1,9 +1,20 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module UpdateCheckers
     module VersionFilters
+      extend T::Sig
+
+      sig do
+        params(
+          versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, String])],
+          security_advisories: T::Array[SecurityAdvisory]
+        )
+          .returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, String])])
+      end
       def self.filter_vulnerable_versions(versions_array, security_advisories)
         versions_array.reject do |v|
           security_advisories.any? do |a|

data/lib/dependabot/utils.rb

@@ -5,6 +5,7 @@ require "tmpdir"
 require "set"
 require "sorbet-runtime"
 require "dependabot/version"
+require "dependabot/config/file"
 
 # TODO: in due course, these "registries" should live in a wrapper gem, not
 #       dependabot-core.
@@ -22,11 +23,13 @@ module Dependabot
       version_class = @version_classes[package_manager]
       return version_class if version_class
 
-      raise "Unsupported package_manager #{package_manager}"
+      raise "Unregistered package_manager #{package_manager}"
     end
 
     sig { params(package_manager: String, version_class: T.class_of(Dependabot::Version)).void }
     def self.register_version_class(package_manager, version_class)
+      validate_package_manager!(package_manager)
+
       @version_classes[package_manager] = version_class
     end
 
@@ -37,11 +40,13 @@ module Dependabot
       requirement_class = @requirement_classes[package_manager]
       return requirement_class if requirement_class
 
-      raise "Unsupported package_manager #{package_manager}"
+      raise "Unregistered package_manager #{package_manager}"
     end
 
     sig { params(package_manager: String, requirement_class: T.class_of(Gem::Requirement)).void }
     def self.register_requirement_class(package_manager, requirement_class)
+      validate_package_manager!(package_manager)
+
       @requirement_classes[package_manager] = requirement_class
     end
 
@@ -54,7 +59,21 @@ module Dependabot
 
     sig { params(package_manager: String).void }
     def self.register_always_clone(package_manager)
+      validate_package_manager!(package_manager)
+
       @cloning_package_managers << package_manager
     end
+
+    sig { params(package_manager: String).void }
+    def self.validate_package_manager!(package_manager)
+      # Official package manager
+      return if Config::File::PACKAGE_MANAGER_LOOKUP.invert.key?(package_manager)
+
+      # Used by specs
+      return if package_manager == "dummy"
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+    private_class_method :validate_package_manager!
   end
 end

data/lib/dependabot/workspace/base.rb

@@ -1,29 +1,53 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Workspace
     class Base
-      attr_reader :change_attempts, :path
+      extend T::Sig
+      extend T::Helpers
+      extend T::Generic
+
+      abstract!
+
+      sig { returns(T::Array[Dependabot::Workspace::ChangeAttempt]) }
+      attr_reader :change_attempts
 
+      sig { returns(T.any(Pathname, String)) }
+      attr_reader :path
+
+      sig { params(path: T.any(Pathname, String)).void }
       def initialize(path)
         @path = path
-        @change_attempts = []
+        @change_attempts = T.let([], T::Array[Dependabot::Workspace::ChangeAttempt])
       end
 
+      sig { returns(T::Boolean) }
       def changed?
         changes.any?
       end
 
+      sig { returns(T::Array[Dependabot::Workspace::ChangeAttempt]) }
       def changes
         change_attempts.select(&:success?)
       end
 
+      sig { returns(T::Array[Dependabot::Workspace::ChangeAttempt]) }
       def failed_change_attempts
         change_attempts.select(&:error?)
       end
 
-      def change(memo = nil)
+      sig do
+        type_parameters(:T)
+          .params(
+            memo: T.nilable(String),
+            _blk: T.proc.params(arg0: T.any(Pathname, String)).returns(T.type_parameter(:T))
+          )
+          .returns(T.type_parameter(:T))
+      end
+      def change(memo = nil, &_blk)
         Dir.chdir(path) { yield(path) }
       rescue StandardError => e
         capture_failed_change_attempt(memo, e)
@@ -31,17 +55,28 @@ module Dependabot
         raise e
       end
 
+      sig do
+        abstract.params(memo: T.nilable(String)).returns(T.nilable(T::Array[Dependabot::Workspace::ChangeAttempt]))
+      end
       def store_change(memo = nil); end
 
-      def to_patch
-        ""
-      end
+      sig { abstract.returns(String) }
+      def to_patch; end
 
+      sig { abstract.returns(NilClass) }
       def reset!; end
 
       protected
 
+      sig do
+        abstract
+          .params(memo: T.nilable(String), error: T.nilable(StandardError))
+          .returns(T.nilable(T::Array[Dependabot::Workspace::ChangeAttempt]))
+      end
       def capture_failed_change_attempt(memo = nil, error = nil); end
+
+      sig { abstract.returns(String) }
+      def clean; end
     end
   end
 end