dependabot-common 0.315.0 → 0.317.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 68238b0440934d660fcb680bd94b21397bf3396c0e4467fbd88fd21a23453a6f
-  data.tar.gz: d263bcc8392bbad1168f031af2bdbf243190ab91ab1f019a7206c1af76f95652
+  metadata.gz: a8d358807ceadc833ed82dcedc73266e3561d9b717ce53ae649ca51000c69312
+  data.tar.gz: d31ca9ca6aa26c1547bf9670a5addd1010d14731aa1f86cb42f58393aae945c7
 SHA512:
-  metadata.gz: 3165f873c2ff8492dc8f7ee6cfe0a136d664cf35653f9856ebc80f6c5c0fce35e287950be698263f62152affc82859d8808edb0bd2355d12f481193e9c463cb2
-  data.tar.gz: 5692d5ad262572fc9cc91095010ed4b2381335d98d1064ee078c845cb9b17a060be52dd48d0ff72dc82526fd9bd1ed8c5dcd1551822be4c1e5c7f763df46c69e
+  metadata.gz: b2cac731eb951f4c7bf1f7756f8024593105964a0c09270415d5af834147807f979c8372a1b904f38e517c9725a76020e5f51d258bc21a2ac1a99459d2abc1ab
+  data.tar.gz: 0cadb251db30a331dead18251239b36862fa6c113f645e9300e4365903262f4fcf7816da49ba937aaf1552f0362879f9907c3e7c12fdd2e80b30efa73c5c85ac

data/lib/dependabot/git_commit_checker.rb

@@ -100,6 +100,17 @@ module Dependabot
       local_repo_git_metadata_fetcher.head_commit_for_ref_sha(T.must(ref))
     end
 
+    sig { returns(Excon::Response) }
+    def ref_details_for_pinned_ref
+      T.must(T.let(
+               GitMetadataFetcher.new(
+                 url: dependency.source_details&.fetch(:url, nil),
+                 credentials: credentials
+               ).ref_details_for_pinned_ref(ref_pinned),
+               T.nilable(Excon::Response)
+             ))
+    end
+
     sig { params(ref: String).returns(T::Boolean) }
     def ref_looks_like_commit_sha?(ref)
       ref.match?(/^[0-9a-f]{6,40}$/)
@@ -618,6 +629,12 @@ module Dependabot
           T.nilable(Dependabot::GitMetadataFetcher)
         )
     end
+
+    sig { returns(String) }
+    def ref_pinned
+      dependency.source_details&.fetch(:ref, nil) ||
+        dependency.source_details&.fetch(:branch, nil) || "HEAD"
+    end
   end
   # rubocop:enable Metrics/ClassLength
 end

data/lib/dependabot/git_metadata_fetcher.rb

@@ -5,7 +5,7 @@ require "excon"
 require "open3"
 require "ostruct"
 require "sorbet-runtime"
-
+require "tmpdir"
 require "dependabot/errors"
 require "dependabot/git_ref"
 require "dependabot/git_tag_with_detail"
@@ -118,6 +118,37 @@ module Dependabot
       result_lines
     end
 
+    sig { params(uri: String).returns(String) }
+    def fetch_tags_with_detail(uri)
+      response_with_git = fetch_tags_with_detail_from_git_for(uri)
+      return response_with_git.body if response_with_git.status == 200
+
+      raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
+
+      if response_with_git.status < 400
+        raise "Unexpected response: #{response_with_git.status} - #{response_with_git.body}"
+      end
+
+      if uri.match?(/github\.com/i)
+        response = response_with_git.data
+        response[:response_headers] = response[:headers] unless response.nil?
+        raise Octokit::Error.from_response(response)
+      end
+
+      raise "Server error at #{uri}: #{response_with_git.body}" if response_with_git.status >= 500
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    rescue Excon::Error::Socket, Excon::Error::Timeout
+      raise if uri.match?(KNOWN_HOSTS)
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    end
+
+    sig { params(ref: String).returns(Excon::Response) }
+    def ref_details_for_pinned_ref(ref)
+      Dependabot::RegistryClient.get(url: provider_url(ref))
+    end
+
     private
 
     sig { returns(String) }
@@ -293,54 +324,57 @@ module Dependabot
       raise Dependabot::GitDependenciesNotReachable, [url]
     end
 
-    sig { params(uri: String).returns(String) }
-    def fetch_tags_with_detail(uri)
-      response = fetch_raw_upload_pack_for(uri)
-      return response.body if response.status == 200
-
-      response_with_git = fetch_tags_with_detail_from_git_for(uri)
-      return response_with_git.body if response_with_git.status == 200
-
-      raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
-
-      raise "Unexpected response: #{response.status} - #{response.body}" if response.status < 400
-
-      if uri.match?(/github\.com/i)
-        response = response.data
-        response[:response_headers] = response[:headers]
-        raise Octokit::Error.from_response(response)
+    # Added method to fetch tags with their creation dates from a git repository. In case
+    # private registry is used, it will clone the repository and fetch tags with their creation dates.
+    sig { params(uri: String).returns(T.untyped) }
+    def fetch_tags_with_detail_from_git_for(uri)
+      uri_ending_with_git = uri
+      uri_ending_with_git += ".git" unless uri_ending_with_git.end_with?(".git") || skip_git_suffix(uri)
+
+      Dir.mktmpdir do |dir|
+        # Clone the repository into a temporary directory
+        clone_command = "git clone --bare #{uri_ending_with_git} #{dir}"
+        env = { "PATH" => ENV.fetch("PATH", nil), "GIT_TERMINAL_PROMPT" => "0" }
+        clone_command = SharedHelpers.escape_command(clone_command)
+
+        _stdout, stderr, process = Open3.capture3(env, clone_command)
+        return OpenStruct.new(body: stderr, status: 500) unless process.success?
+
+        # Change to the cloned repository directory
+        Dir.chdir(dir) do
+          # Fetch tags and their creation dates
+          tags_command = 'git for-each-ref --format="%(refname:short) %(creatordate:short)" refs/tags'
+          tags_stdout, stderr, process = Open3.capture3(env, tags_command)
+
+          return OpenStruct.new(body: stderr, status: 500) unless process.success?
+
+          # Parse and sort tags by creation date
+          tags = tags_stdout.lines.map do |line|
+            tag, date = line.strip.split(" ", 2)
+            { tag: tag, date: date }
+          end
+          sorted_tags = tags.sort_by { |tag| tag[:date] }
+
+          # Format the output as a string
+          formatted_output = sorted_tags.map { |tag| "#{tag[:tag]} #{tag[:date]}" }.join("\n")
+          return OpenStruct.new(body: formatted_output, status: 200)
+        end
       end
-
-      raise "Server error at #{uri}: #{response.body}" if response.status >= 500
-
-      raise Dependabot::GitDependenciesNotReachable, [uri]
-    rescue Excon::Error::Socket, Excon::Error::Timeout
-      raise if uri.match?(KNOWN_HOSTS)
-
-      raise Dependabot::GitDependenciesNotReachable, [uri]
+    rescue Errno::ENOENT => e # Thrown when `git` isn't installed
+      OpenStruct.new(body: e.message, status: 500)
     end
 
-    sig { params(uri: String).returns(T.untyped) }
-    def fetch_tags_with_detail_from_git_for(uri)
-      complete_uri = uri
-      complete_uri += ".git" unless complete_uri.end_with?(".git") || skip_git_suffix(uri)
+    sig do
+      params(ref: String).returns(String)
+    end
+    def provider_url(ref)
+      provider_url = url.gsub(/\.git$/, "")
 
-      env = { "PATH" => ENV.fetch("PATH", nil), "GIT_TERMINAL_PROMPT" => "0" }
-      command = "git for-each-ref --format=\"%(refname:short) %(creatordate:short)\" refs/tags #{complete_uri}"
-      command = SharedHelpers.escape_command(command)
+      api_url = {
+        github: provider_url.gsub("github.com", "api.github.com/repos")
+      }.freeze
 
-      begin
-        stdout, stderr, process = Open3.capture3(env, command)
-        # package the command response like a HTTP response so error handling remains unchanged
-      rescue Errno::ENOENT => e # thrown when `git` isn't installed...
-        OpenStruct.new(body: e.message, status: 500)
-      else
-        if process.success?
-          OpenStruct.new(body: stdout, status: 200)
-        else
-          OpenStruct.new(body: stderr, status: 500)
-        end
-      end
+      "#{api_url[:github]}/commits?per_page=100&sha=#{ref}"
     end
   end
 end

data/lib/dependabot/git_tag_with_detail.rb

@@ -10,16 +10,16 @@ module Dependabot
     sig { returns(String) }
     attr_accessor :tag
 
-    sig { returns(String) }
+    sig { returns(T.nilable(String)) }
     attr_accessor :release_date
 
     sig do
       params(
         tag: String,
-        release_date: String
+        release_date: T.nilable(String)
       ).void
     end
-    def initialize(tag:, release_date:)
+    def initialize(tag:, release_date: nil)
       @tag = tag
       @release_date = release_date
     end

data/lib/dependabot/package/package_release.rb

@@ -23,6 +23,7 @@ module Dependabot
           url: T.nilable(String),
           package_type: T.nilable(String),
           language: T.nilable(Dependabot::Package::PackageLanguage),
+          tag: T.nilable(String),
           details: T::Hash[String, T.untyped]
         ).void
       end
@@ -36,6 +37,7 @@ module Dependabot
         url: nil,
         package_type: nil,
         language: nil,
+        tag: nil,
         details: {}
       )
         @version = T.let(version, Dependabot::Version)
@@ -47,6 +49,7 @@ module Dependabot
         @url = T.let(url, T.nilable(String))
         @package_type = T.let(package_type, T.nilable(String))
         @language = T.let(language, T.nilable(Dependabot::Package::PackageLanguage))
+        @tag = T.let(tag, T.nilable(String))
         @details = T.let(details, T::Hash[String, T.untyped])
       end
 
@@ -77,6 +80,9 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::Package::PackageLanguage)) }
       attr_reader :language
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :tag
+
       sig { returns(T::Hash[String, T.untyped]) }
       attr_reader :details
 

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.315.0"
+  VERSION = "0.317.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.315.0
+  version: 0.317.0
 platform: ruby
 authors:
 - Dependabot
@@ -625,7 +625,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.315.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.317.0
 rdoc_options: []
 require_paths:
 - lib