dependabot-common 0.237.0 → 0.239.0

data/lib/dependabot/errors.rb

@@ -1,10 +1,224 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
 require "dependabot/utils"
 
 module Dependabot
+  extend T::Sig
+
+  # rubocop:disable Metrics/MethodLength
+  sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+  def self.fetcher_error_details(error)
+    case error
+    when Dependabot::ToolVersionNotSupported
+      {
+        "error-type": "tool_version_not_supported",
+        "error-detail": {
+          "tool-name": error.tool_name,
+          "detected-version": error.detected_version,
+          "supported-versions": error.supported_versions
+        }
+      }
+    when Dependabot::BranchNotFound
+      {
+        "error-type": "branch_not_found",
+        "error-detail": { "branch-name": error.branch_name }
+      }
+    when Dependabot::DirectoryNotFound
+      {
+        "error-type": "directory_not_found",
+        "error-detail": { "directory-name": error.directory_name }
+      }
+    when Dependabot::RepoNotFound
+      # This happens if the repo gets removed after a job gets kicked off.
+      # This also happens when a configured personal access token is not authz'd to fetch files from the job repo.
+      {
+        "error-type": "job_repo_not_found",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::DependencyFileNotParseable
+      {
+        "error-type": "dependency_file_not_parseable",
+        "error-detail": {
+          message: error.message,
+          "file-path": error.file_path
+        }
+      }
+    when Dependabot::DependencyFileNotFound
+      {
+        "error-type": "dependency_file_not_found",
+        "error-detail": { "file-path": error.file_path }
+      }
+    when Dependabot::OutOfDisk
+      {
+        "error-type": "out_of_disk",
+        "error-detail": {}
+      }
+    when Dependabot::PathDependenciesNotReachable
+      {
+        "error-type": "path_dependencies_not_reachable",
+        "error-detail": { dependencies: error.dependencies }
+      }
+    when Octokit::Unauthorized
+      { "error-type": "octokit_unauthorized" }
+    when Octokit::ServerError
+      # If we get a 500 from GitHub there's very little we can do about it,
+      # and responsibility for fixing it is on them, not us. As a result we
+      # quietly log these as errors
+      { "error-type": "server_error" }
+    when *Octokit::RATE_LIMITED_ERRORS
+      # If we get a rate-limited error we let dependabot-api handle the
+      # retry by re-enqueing the update job after the reset
+      {
+        "error-type": "octokit_rate_limited",
+        "error-detail": {
+          "rate-limit-reset": T.cast(error, Octokit::Error).response_headers["X-RateLimit-Reset"]
+        }
+      }
+    end
+  end
+
+  sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+  def self.parser_error_details(error)
+    case error
+    when Dependabot::DependencyFileNotEvaluatable
+      {
+        "error-type": "dependency_file_not_evaluatable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::DependencyFileNotResolvable
+      {
+        "error-type": "dependency_file_not_resolvable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::BranchNotFound
+      {
+        "error-type": "branch_not_found",
+        "error-detail": { "branch-name": error.branch_name }
+      }
+    when Dependabot::DependencyFileNotParseable
+      {
+        "error-type": "dependency_file_not_parseable",
+        "error-detail": {
+          message: error.message,
+          "file-path": error.file_path
+        }
+      }
+    when Dependabot::DependencyFileNotFound
+      {
+        "error-type": "dependency_file_not_found",
+        "error-detail": { "file-path": error.file_path }
+      }
+    when Dependabot::PathDependenciesNotReachable
+      {
+        "error-type": "path_dependencies_not_reachable",
+        "error-detail": { dependencies: error.dependencies }
+      }
+    when Dependabot::PrivateSourceAuthenticationFailure
+      {
+        "error-type": "private_source_authentication_failure",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::GitDependenciesNotReachable
+      {
+        "error-type": "git_dependencies_not_reachable",
+        "error-detail": { "dependency-urls": error.dependency_urls }
+      }
+    when Dependabot::NotImplemented
+      {
+        "error-type": "not_implemented",
+        "error-detail": {
+          message: error.message
+        }
+      }
+    when Octokit::ServerError
+      # If we get a 500 from GitHub there's very little we can do about it,
+      # and responsibility for fixing it is on them, not us. As a result we
+      # quietly log these as errors
+      { "error-type": "server_error" }
+    end
+  end
+
+  sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+  def self.updater_error_details(error)
+    case error
+    when Dependabot::DependencyFileNotResolvable
+      {
+        "error-type": "dependency_file_not_resolvable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::DependencyFileNotEvaluatable
+      {
+        "error-type": "dependency_file_not_evaluatable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::GitDependenciesNotReachable
+      {
+        "error-type": "git_dependencies_not_reachable",
+        "error-detail": { "dependency-urls": error.dependency_urls }
+      }
+    when Dependabot::MisconfiguredTooling
+      {
+        "error-type": "misconfigured_tooling",
+        "error-detail": { "tool-name": error.tool_name, message: error.tool_message }
+      }
+    when Dependabot::GitDependencyReferenceNotFound
+      {
+        "error-type": "git_dependency_reference_not_found",
+        "error-detail": { dependency: error.dependency }
+      }
+    when Dependabot::PrivateSourceAuthenticationFailure
+      {
+        "error-type": "private_source_authentication_failure",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::PrivateSourceTimedOut
+      {
+        "error-type": "private_source_timed_out",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::PrivateSourceCertificateFailure
+      {
+        "error-type": "private_source_certificate_failure",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::MissingEnvironmentVariable
+      {
+        "error-type": "missing_environment_variable",
+        "error-detail": {
+          "environment-variable": error.environment_variable
+        }
+      }
+    when Dependabot::GoModulePathMismatch
+      {
+        "error-type": "go_module_path_mismatch",
+        "error-detail": {
+          "declared-path": error.declared_path,
+          "discovered-path": error.discovered_path,
+          "go-mod": error.go_mod
+        }
+      }
+    when Dependabot::NotImplemented
+      {
+        "error-type": "not_implemented",
+        "error-detail": {
+          message: error.message
+        }
+      }
+    when *Octokit::RATE_LIMITED_ERRORS
+      # If we get a rate-limited error we let dependabot-api handle the
+      # retry by re-enqueing the update job after the reset
+      {
+        "error-type": "octokit_rate_limited",
+        "error-detail": {
+          "rate-limit-reset": T.cast(error, Octokit::Error).response_headers["X-RateLimit-Reset"]
+        }
+      }
+    end
+  end
+  # rubocop:enable Metrics/MethodLength
+
   class DependabotError < StandardError
     extend T::Sig
 
@@ -109,6 +323,31 @@ module Dependabot
   # File level errors #
   #####################
 
+  class MisconfiguredTooling < DependabotError
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_reader :tool_name
+
+    sig { returns(String) }
+    attr_reader :tool_message
+
+    sig do
+      params(
+        tool_name: String,
+        tool_message: String
+      ).void
+    end
+    def initialize(tool_name, tool_message)
+      @tool_name = tool_name
+      @tool_message = tool_message
+
+      msg = "Dependabot detected that #{tool_name} is misconfigured in this repository. " \
+            "Running `#{tool_name.downcase}` results in the following error: #{tool_message}"
+      super(msg)
+    end
+  end
+
   class ToolVersionNotSupported < DependabotError
     extend T::Sig
 
@@ -142,23 +381,28 @@ module Dependabot
   class DependencyFileNotFound < DependabotError
     extend T::Sig
 
-    sig { returns(String) }
+    sig { returns(T.nilable(String)) }
     attr_reader :file_path
 
+    sig { params(file_path: T.nilable(String), msg: T.nilable(String)).void }
     def initialize(file_path, msg = nil)
       @file_path = file_path
       super(msg || "#{file_path} not found")
     end
 
-    sig { returns(String) }
+    sig { returns(T.nilable(String)) }
     def file_name
-      T.must(file_path.split("/").last)
+      return unless file_path
+
+      T.must(file_path).split("/").last
     end
 
-    sig { returns(String) }
+    sig { returns(T.nilable(String)) }
     def directory
       # Directory should always start with a `/`
-      T.must(file_path.split("/")[0..-2]).join("/").sub(%r{^/*}, "/")
+      return unless file_path
+
+      T.must(T.must(file_path).split("/")[0..-2]).join("/").sub(%r{^/*}, "/")
     end
   end
 
@@ -200,8 +444,9 @@ module Dependabot
     sig { returns(String) }
     attr_reader :source
 
+    sig { params(source: T.nilable(String)).void }
     def initialize(source)
-      @source = T.let(sanitize_source(source), String)
+      @source = T.let(sanitize_source(T.must(source)), String)
       msg = "The following source could not be reached as it requires " \
             "authentication (and any provided details were invalid or lacked " \
             "the required permissions): #{@source}"

data/lib/dependabot/experiments.rb

@@ -1,18 +1,25 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Experiments
-    @experiments = {}
+    extend T::Sig
+
+    @experiments = T.let({}, T::Hash[T.any(String, Symbol), T.untyped])
 
+    sig { returns(T::Hash[T.any(String, Symbol), T.untyped]) }
     def self.reset!
       @experiments = {}
     end
 
+    sig { params(name: T.any(String, Symbol), value: T.untyped).void }
     def self.register(name, value)
       @experiments[name.to_sym] = value
     end
 
+    sig { params(name: T.any(String, Symbol)).returns(T::Boolean) }
     def self.enabled?(name)
       !!@experiments[name.to_sym]
     end

data/lib/dependabot/file_updaters/base.rb

@@ -73,7 +73,7 @@ module Dependabot
 
       sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def requirement_changed?(file, dependency)
-        changed_requirements = dependency.requirements - dependency.previous_requirements
+        changed_requirements = dependency.requirements - T.must(dependency.previous_requirements)
 
         changed_requirements.any? { |f| f[:file] == file.name }
       end

data/lib/dependabot/git_commit_checker.rb

@@ -153,6 +153,12 @@ module Dependabot
       @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
     end
 
+    def version_for_pinned_sha
+      return unless local_tag_for_pinned_sha && version_class.correct?(local_tag_for_pinned_sha)
+
+      version_class.new(local_tag_for_pinned_sha)
+    end
+
     def git_repo_reachable?
       local_upload_pack
       true

data/lib/dependabot/git_metadata_fetcher.rb

@@ -1,49 +1,73 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
 require "open3"
+require "sorbet-runtime"
+
 require "dependabot/errors"
+require "dependabot/git_ref"
 
 module Dependabot
   class GitMetadataFetcher
+    extend T::Sig
+
     KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i
 
+    sig do
+      params(
+        url: String,
+        credentials: T::Array[T::Hash[String, String]]
+      )
+        .void
+    end
     def initialize(url:, credentials:)
       @url = url
       @credentials = credentials
     end
 
+    sig { returns(T.nilable(String)) }
     def upload_pack
-      @upload_pack ||= fetch_upload_pack_for(url)
+      @upload_pack ||= T.let(fetch_upload_pack_for(url), T.nilable(String))
     rescue Octokit::ClientError
       raise Dependabot::GitDependenciesNotReachable, [url]
     end
 
+    sig { returns(T::Array[GitRef]) }
     def tags
       return [] unless upload_pack
 
-      @tags ||= tags_for_upload_pack.map do |ref|
-        OpenStruct.new(
-          name: ref.name,
-          tag_sha: ref.ref_sha,
-          commit_sha: ref.commit_sha
-        )
-      end
+      @tags ||= T.let(
+        tags_for_upload_pack.map do |ref|
+          GitRef.new(
+            name: ref.name,
+            tag_sha: ref.ref_sha,
+            commit_sha: ref.commit_sha
+          )
+        end,
+        T.nilable(T::Array[GitRef])
+      )
     end
 
+    sig { returns(T::Array[GitRef]) }
     def tags_for_upload_pack
-      @tags_for_upload_pack ||= refs_for_upload_pack.select { |ref| ref.ref_type == :tag }
+      @tags_for_upload_pack ||= T.let(
+        refs_for_upload_pack.select { |ref| ref.ref_type == RefType::Tag },
+        T.nilable(T::Array[GitRef])
+      )
     end
 
+    sig { returns(T::Array[GitRef]) }
     def refs_for_upload_pack
-      @refs_for_upload_pack ||= parse_refs_for_upload_pack
+      @refs_for_upload_pack ||= T.let(parse_refs_for_upload_pack, T.nilable(T::Array[GitRef]))
     end
 
+    sig { returns(T::Array[String]) }
     def ref_names
       refs_for_upload_pack.map(&:name)
     end
 
+    sig { params(ref: String).returns(T.nilable(String)) }
     def head_commit_for_ref(ref)
       if ref == "HEAD"
         # Remove the opening clause of the upload pack as this isn't always
@@ -51,8 +75,8 @@ module Dependabot
         # causes problems for our `sha_for_update_pack_line` logic. The format
         # of this opening clause is documented at
         # https://git-scm.com/docs/http-protocol#_smart_server_response
-        line = upload_pack.gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "")
-                          .lines.find { |l| l.include?(" HEAD") }
+        line = T.must(upload_pack).gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "")
+                .lines.find { |l| l.include?(" HEAD") }
         return sha_for_update_pack_line(line) if line
       end
 
@@ -61,6 +85,7 @@ module Dependabot
         &.commit_sha
     end
 
+    sig { params(ref: String).returns(T.nilable(String)) }
     def head_commit_for_ref_sha(ref)
       refs_for_upload_pack
         .find { |r| r.ref_sha == ref }
@@ -69,8 +94,13 @@ module Dependabot
 
     private
 
-    attr_reader :url, :credentials
+    sig { returns(String) }
+    attr_reader :url
+
+    sig { returns(T::Array[T::Hash[String, String]]) }
+    attr_reader :credentials
 
+    sig { params(uri: String).returns(String) }
     def fetch_upload_pack_for(uri)
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
@@ -97,6 +127,7 @@ module Dependabot
       raise Dependabot::GitDependenciesNotReachable, [uri]
     end
 
+    sig { params(uri: String).returns(Excon::Response) }
     def fetch_raw_upload_pack_for(uri)
       url = service_pack_uri(uri)
       url = url.rpartition("@").tap { |a| a.first.gsub!("@", "%40") }.join
@@ -107,6 +138,7 @@ module Dependabot
       )
     end
 
+    sig { params(uri: String).returns(T.untyped) }
     def fetch_raw_upload_pack_with_git_for(uri)
       service_pack_uri = uri
       service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
@@ -129,11 +161,12 @@ module Dependabot
       end
     end
 
+    sig { returns(T::Array[GitRef]) }
     def parse_refs_for_upload_pack
       peeled_lines = []
 
-      result = upload_pack.lines.each_with_object({}) do |line, res|
-        full_ref_name = line.split.last
+      result = T.must(upload_pack).lines.each_with_object({}) do |line, res|
+        full_ref_name = T.must(line.split.last)
         next unless full_ref_name.start_with?("refs/tags", "refs/heads")
 
         (peeled_lines << line) && next if line.strip.end_with?("^{}")
@@ -141,10 +174,10 @@ module Dependabot
         ref_name = full_ref_name.sub(%r{^refs/(tags|heads)/}, "").strip
         sha = sha_for_update_pack_line(line)
 
-        res[ref_name] = OpenStruct.new(
+        res[ref_name] = GitRef.new(
           name: ref_name,
           ref_sha: sha,
-          ref_type: full_ref_name.start_with?("refs/tags") ? :tag : :head,
+          ref_type: full_ref_name.start_with?("refs/tags") ? RefType::Tag : RefType::Head,
           commit_sha: sha
         )
       end
@@ -162,6 +195,7 @@ module Dependabot
       result.values
     end
 
+    sig { params(uri: String).returns(String) }
     def service_pack_uri(uri)
       service_pack_uri = uri_with_auth(uri)
       service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
@@ -169,6 +203,7 @@ module Dependabot
       service_pack_uri + "/info/refs?service=git-upload-pack"
     end
 
+    sig { params(uri: String).returns(T::Boolean) }
     def skip_git_suffix(uri)
       # TODO: Unlike the other providers (GitHub, GitLab, BitBucket), as of 2023-01-18 Azure DevOps does not support the
       # ".git" suffix. It will return a 404.
@@ -188,6 +223,7 @@ module Dependabot
 
     # Add in username and password if present in credentials.
     # Credentials are never present for production Dependabot.
+    sig { params(uri: String).returns(String) }
     def uri_with_auth(uri)
       uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
@@ -196,7 +232,7 @@ module Dependabot
 
       uri.scheme = "https" if uri.scheme != "http"
 
-      if !uri.password && cred&.fetch("username", nil) && cred&.fetch("password", nil)
+      if !uri.password && cred && cred.fetch("username", nil) && cred.fetch("password", nil)
         # URI doesn't have authentication details, but we have credentials
         uri.user = URI.encode_www_form_component(cred["username"])
         uri.password = URI.encode_www_form_component(cred["password"])
@@ -205,10 +241,12 @@ module Dependabot
       uri.to_s
     end
 
+    sig { params(line: String).returns(String) }
     def sha_for_update_pack_line(line)
-      line.split.first.chars.last(40).join
+      T.must(line.split.first).chars.last(40).join
     end
 
+    sig { returns(T::Hash[Symbol, T.untyped]) }
     def excon_defaults
       # Some git hosts are slow when returning a large number of tags
       SharedHelpers.excon_defaults(read_timeout: 20)

data/lib/dependabot/git_ref.rb

@@ -0,0 +1,71 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  class GitRef
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_accessor :name
+
+    sig { returns(String) }
+    attr_accessor :commit_sha
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :tag_sha
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :ref_sha
+
+    sig { returns(T.nilable(RefType)) }
+    attr_reader :ref_type
+
+    sig do
+      params(
+        name: String,
+        commit_sha: String,
+        tag_sha: T.nilable(String),
+        ref_sha: T.nilable(String),
+        ref_type: T.nilable(RefType)
+      )
+        .void
+    end
+    def initialize(name:, commit_sha:, tag_sha: nil, ref_sha: nil, ref_type: nil)
+      @name = name
+      @commit_sha = commit_sha
+      @ref_sha = ref_sha
+      @tag_sha = tag_sha
+      @ref_type = ref_type
+    end
+
+    sig { params(other: BasicObject).returns(T::Boolean) }
+    def ==(other)
+      case other
+      when GitRef
+        to_h == other.to_h
+      else
+        false
+      end
+    end
+
+    sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+    def to_h
+      {
+        name: name,
+        commit_sha: commit_sha,
+        tag_sha: tag_sha,
+        ref_sha: ref_sha,
+        ref_type: ref_type
+      }.compact
+    end
+  end
+
+  class RefType < T::Enum
+    enums do
+      Tag = new
+      Head = new
+    end
+  end
+end

data/lib/dependabot/metadata_finders.rb

@@ -1,10 +1,16 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+require "dependabot/metadata_finders/base"
+
 module Dependabot
   module MetadataFinders
-    @metadata_finders = {}
+    extend T::Sig
+
+    @metadata_finders = T.let({}, T::Hash[String, T.class_of(Dependabot::MetadataFinders::Base)])
 
+    sig { params(package_manager: String).returns(T.class_of(Dependabot::MetadataFinders::Base)) }
     def self.for_package_manager(package_manager)
       metadata_finder = @metadata_finders[package_manager]
       return metadata_finder if metadata_finder
@@ -12,6 +18,7 @@ module Dependabot
       raise "Unsupported package_manager #{package_manager}"
     end
 
+    sig { params(package_manager: String, metadata_finder: T.class_of(Dependabot::MetadataFinders::Base)).void }
     def self.register(package_manager, metadata_finder)
       @metadata_finders[package_manager] = metadata_finder
     end