dependabot-common 0.334.0 → 0.336.0

data/lib/dependabot/dependency_graphers/base.rb

@@ -0,0 +1,129 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module DependencyGraphers
+    class Base
+      extend T::Sig
+      extend T::Helpers
+
+      PURL_TEMPLATE = "pkg:%<type>s/%<name>s%<version>s"
+
+      abstract!
+
+      sig { returns(T::Boolean) }
+      attr_reader :prepared
+
+      sig do
+        params(file_parser: Dependabot::FileParsers::Base).void
+      end
+      def initialize(file_parser:)
+        @file_parser = file_parser
+        @dependencies = T.let([], T::Array[Dependabot::Dependency])
+        @prepared = T.let(false, T::Boolean)
+      end
+
+      # Each grapher must implement a heuristic to determine which dependency file should be used as the owner
+      # of the resolved_dependencies.
+      #
+      # Conventionally, this is the lockfile for the file set but some parses may only include the manifest
+      # so this method should take into account the correct priority based on which files were parsed.
+      sig { abstract.returns(Dependabot::DependencyFile) }
+      def relevant_dependency_file; end
+
+      # A grapher may override this method if it needs to perform extra steps around the normal file parser for
+      # the ecosystem.
+      sig { void }
+      def prepare!
+        @dependencies = @file_parser.parse
+        @prepared = true
+      end
+
+      sig { returns(T::Hash[String, T.untyped]) }
+      def resolved_dependencies
+        prepare! unless prepared
+
+        @dependencies.each_with_object({}) do |dep, resolved|
+          resolved[dep.name] = {
+            package_url: build_purl(dep),
+            relationship: relationship_for(dep),
+            scope: scope_for(dep),
+            dependencies: fetch_subdependencies(dep),
+            metadata: {}
+          }
+        end
+      end
+
+      private
+
+      sig { returns(Dependabot::FileParsers::Base) }
+      attr_reader :file_parser
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def dependency_files
+        file_parser.dependency_files
+      end
+
+      # Each grapher is expected to implement a method to look up the parents of a given dependency.
+      #
+      # The strategy that should be used is highly dependent on the ecosystem, in some cases the parser
+      # may be able to set this information in the dependency.metadata collection, in others the grapher
+      # will need to run additional native commands.
+      sig { abstract.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def fetch_subdependencies(dependency); end
+
+      # Each grapher is expected to implement a method to map the various package managers it supports to
+      # the correct Package-URL type, see:
+      #   https://github.com/package-url/purl-spec/blob/main/PURL-TYPES.rst
+      sig { abstract.params(dependency: Dependabot::Dependency).returns(String) }
+      def purl_pkg_for(dependency); end
+
+      # Our basic strategy is just to use the dependency name, but specific graphers may need to override this
+      # to meet formal specifics
+      sig { params(dependency: Dependabot::Dependency).returns(String) }
+      def purl_name_for(dependency)
+        dependency.name
+      end
+
+      # We should ensure we don't include an `@` if there isn't a resolved version, but some ecosystems
+      # specifically include the `v` or allow certain prefixes
+      sig { params(dependency: Dependabot::Dependency).returns(String) }
+      def purl_version_for(dependency)
+        return "" unless dependency.version
+
+        "@#{dependency.version}"
+      end
+
+      # Generate a purl for the provided Dependency object
+      sig { params(dependency: Dependabot::Dependency).returns(String) }
+      def build_purl(dependency)
+        format(
+          PURL_TEMPLATE,
+          type: purl_pkg_for(dependency),
+          name: purl_name_for(dependency),
+          version: purl_version_for(dependency)
+        )
+      end
+
+      sig { params(dep: Dependabot::Dependency).returns(String) }
+      def relationship_for(dep)
+        if dep.top_level?
+          "direct"
+        else
+          "indirect"
+        end
+      end
+
+      sig { params(dependency: Dependabot::Dependency).returns(String) }
+      def scope_for(dependency)
+        if dependency.production?
+          "runtime"
+        else
+          "development"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dependency_graphers/generic.rb

@@ -0,0 +1,76 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/dependency_graphers/base"
+
+module Dependabot
+  module DependencyGraphers
+    class Generic < Base
+      extend T::Sig
+      extend T::Helpers
+
+      # Our generic strategy is to use the right-most file in the dependency file list on the
+      # assumption that this is normally the lockfile.
+      #
+      # This isn't a durable strategy but it's good enough to allow most ecosystems to 'just work'
+      # as we roll out ecosystem-specific graphers.
+      sig { override.returns(Dependabot::DependencyFile) }
+      def relevant_dependency_file
+        T.must(filtered_dependency_files.last)
+      end
+
+      private
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def filtered_dependency_files
+        dependency_files.reject { |f| f.support_file? || f.vendored_file? }
+      end
+
+      # Our generic strategy is to check if the parser has attached a `depends_on` key to the Dependency's
+      # metadata, but in most cases this will be empty.
+      sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def fetch_subdependencies(dependency)
+        dependency.metadata.fetch(:depends_on, [])
+      end
+
+      # TODO: Delegate this to ecosystem-specific base classes
+      sig { override.params(dependency: Dependabot::Dependency).returns(String) }
+      def purl_pkg_for(dependency)
+        case dependency.package_manager
+        when "bundler"
+          "gem"
+        when "npm_and_yarn", "bun"
+          "npm"
+        when "maven", "gradle"
+          "maven"
+        when "pip", "uv"
+          "pypi"
+        when "cargo"
+          "cargo"
+        when "hex"
+          "hex"
+        when "composer"
+          "composer"
+        when "nuget"
+          "nuget"
+        when "go_modules"
+          "golang"
+        when "docker"
+          "docker"
+        when "github_actions"
+          "github"
+        when "terraform"
+          "terraform"
+        when "pub"
+          "pub"
+        when "elm"
+          "elm"
+        else
+          "generic"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dependency_graphers.rb

@@ -0,0 +1,33 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/dependency_graphers/base"
+require "dependabot/dependency_graphers/generic"
+
+module Dependabot
+  module DependencyGraphers
+    extend T::Sig
+
+    @graphers = T.let({}, T::Hash[String, T.class_of(Base)])
+
+    sig { params(package_manager: String).returns(T.class_of(Base)) }
+    def self.for_package_manager(package_manager)
+      grapher = @graphers[package_manager]
+      return grapher if grapher
+
+      # If an ecosystem has not defined its own graphing strategy, then we use
+      # a best-effort generic while we are rolling out graphing capabilities.
+      #
+      # This approach allows us to assess the quality of data from the ecosystem's
+      # parser and triage the scope of work to implement the non-generic class.
+      Generic
+    end
+
+    sig { params(package_manager: String, grapher: T.class_of(Base)).void }
+    def self.register(package_manager, grapher)
+      @graphers[package_manager] = grapher
+    end
+  end
+end

data/lib/dependabot/file_fetchers/base.rb

@@ -307,8 +307,12 @@ module Dependabot
         )
           .returns(T::Array[T.untyped])
       end
-      def repo_contents(dir: ".", ignore_base_directory: false,
-                        raise_errors: true, fetch_submodules: false)
+      def repo_contents(
+        dir: ".",
+        ignore_base_directory: false,
+        raise_errors: true,
+        fetch_submodules: false
+      )
         dir = File.join(directory, dir) unless ignore_base_directory
         path = Pathname.new(dir).cleanpath.to_path.gsub(%r{^/*}, "")
 
@@ -316,8 +320,11 @@ module Dependabot
         @repo_contents[dir.to_s] ||= if repo_contents_path
                                        _cloned_repo_contents(path)
                                      else
-                                       _fetch_repo_contents(path, raise_errors: raise_errors,
-                                                                  fetch_submodules: fetch_submodules)
+                                       _fetch_repo_contents(
+                                         path,
+                                         raise_errors: raise_errors,
+                                         fetch_submodules: fetch_submodules
+                                       )
                                      end
       end
 

data/lib/dependabot/file_filtering.rb

@@ -29,8 +29,10 @@ module Dependabot
       return true if normalized_path == pattern || normalized_path == normalized_pattern
 
       # Directory prefix match: check if path is inside an excluded directory
-      normalized_path.start_with?("#{pattern}#{File::SEPARATOR}",
-                                  "#{normalized_pattern}#{File::SEPARATOR}")
+      normalized_path.start_with?(
+        "#{pattern}#{File::SEPARATOR}",
+        "#{normalized_pattern}#{File::SEPARATOR}"
+      )
     end
 
     # Check for recursive pattern matches (patterns ending with /**)
@@ -81,9 +83,11 @@ module Dependabot
 
     # Helper method to check if a file path should be excluded
     sig do
-      params(path: String,
-             context: String,
-             exclude_paths: T.nilable(T::Array[String])).returns(T::Boolean)
+      params(
+        path: String,
+        context: String,
+        exclude_paths: T.nilable(T::Array[String])
+      ).returns(T::Boolean)
     end
     def self.should_exclude_path?(path, context, exclude_paths)
       return false unless Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)

data/lib/dependabot/file_parsers/base.rb

@@ -39,8 +39,14 @@ module Dependabot
         )
           .void
       end
-      def initialize(dependency_files:, source:, repo_contents_path: nil,
-                     credentials: [], reject_external_code: false, options: {})
+      def initialize(
+        dependency_files:,
+        source:,
+        repo_contents_path: nil,
+        credentials: [],
+        reject_external_code: false,
+        options: {}
+      )
         @dependency_files = dependency_files
         @repo_contents_path = repo_contents_path
         @credentials = credentials

data/lib/dependabot/file_updaters/artifact_updater.rb

@@ -82,6 +82,7 @@ module Dependabot
 
       sig { returns(T.nilable(String)) }
       attr_reader :repo_contents_path
+
       sig { returns(T.nilable(String)) }
       attr_reader :target_directory
 

data/lib/dependabot/git_commit_checker.rb

@@ -38,9 +38,14 @@ module Dependabot
       )
         .void
     end
-    def initialize(dependency:, credentials:,
-                   ignored_versions: [], raise_on_ignored: false,
-                   consider_version_branches_pinned: false, dependency_source_details: nil)
+    def initialize(
+      dependency:,
+      credentials:,
+      ignored_versions: [],
+      raise_on_ignored: false,
+      consider_version_branches_pinned: false,
+      dependency_source_details: nil
+    )
       @dependency = dependency
       @credentials = credentials
       @ignored_versions = ignored_versions
@@ -102,13 +107,15 @@ module Dependabot
 
     sig { returns(Excon::Response) }
     def ref_details_for_pinned_ref
-      T.must(T.let(
-               GitMetadataFetcher.new(
-                 url: dependency.source_details&.fetch(:url, nil),
-                 credentials: credentials
-               ).ref_details_for_pinned_ref(ref_pinned),
-               T.nilable(Excon::Response)
-             ))
+      T.must(
+        T.let(
+          GitMetadataFetcher.new(
+            url: dependency.source_details&.fetch(:url, nil),
+            credentials: credentials
+          ).ref_details_for_pinned_ref(ref_pinned),
+          T.nilable(Excon::Response)
+        )
+      )
     end
 
     sig { params(ref: String).returns(T::Boolean) }

data/lib/dependabot/git_metadata_fetcher.rb

@@ -97,8 +97,10 @@ module Dependabot
 
     sig { returns(T::Array[GitTagWithDetail]) }
     def refs_for_tag_with_detail
-      @refs_for_tag_with_detail ||= T.let(parse_refs_for_tag_with_detail,
-                                          T.nilable(T::Array[GitTagWithDetail]))
+      @refs_for_tag_with_detail ||= T.let(
+        parse_refs_for_tag_with_detail,
+        T.nilable(T::Array[GitTagWithDetail])
+      )
     end
 
     sig { returns(T::Array[GitTagWithDetail]) }

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -48,8 +48,12 @@ module Dependabot
           )
             .void
         end
-        def initialize(source:, dependency:, credentials:,
-                       suggested_changelog_url: nil)
+        def initialize(
+          source:,
+          dependency:,
+          credentials:,
+          suggested_changelog_url: nil
+        )
           @source = source
           @dependency = dependency
           @credentials = credentials

data/lib/dependabot/metadata_finders/base/changelog_pruner.rb

@@ -47,8 +47,10 @@ module Dependabot
               if T.must(old_version_changelog_line) < T.must(new_version_changelog_line)
                 Range.new(old_version_changelog_line, -1)
               else
-                Range.new(new_version_changelog_line,
-                          T.must(old_version_changelog_line) - 1)
+                Range.new(
+                  new_version_changelog_line,
+                  T.must(old_version_changelog_line) - 1
+                )
               end
             elsif old_version_changelog_line
               return if T.must(old_version_changelog_line).zero?

data/lib/dependabot/notices.rb

@@ -40,9 +40,13 @@ module Dependabot
       ).void
     end
     def initialize(
-      mode:, type:, package_manager_name:,
-      title: "", description: "",
-      show_in_pr: false, show_alert: false
+      mode:,
+      type:,
+      package_manager_name:,
+      title: "",
+      description: "",
+      show_in_pr: false,
+      show_alert: false
     )
       @mode = mode
       @type = type

data/lib/dependabot/package/release_cooldown_options.rb

@@ -19,8 +19,12 @@ module Dependabot
         ).void
       end
       def initialize(
-        default_days: 0, semver_major_days: 0, semver_minor_days: 0, semver_patch_days: 0,
-        include: [], exclude: []
+        default_days: 0,
+        semver_major_days: 0,
+        semver_minor_days: 0,
+        semver_patch_days: 0,
+        include: [],
+        exclude: []
       )
         default_days ||= 0
         semver_major_days ||= 0

data/lib/dependabot/pull_request_creator/azure.rb

@@ -74,9 +74,21 @@ module Dependabot
         )
           .void
       end
-      def initialize(source:, branch_name:, base_commit:, credentials:,
-                     files:, commit_message:, pr_description:, pr_name:,
-                     author_details:, labeler:, reviewers: nil, assignees: nil, work_item: nil)
+      def initialize(
+        source:,
+        branch_name:,
+        base_commit:,
+        credentials:,
+        files:,
+        commit_message:,
+        pr_description:,
+        pr_name:,
+        author_details:,
+        labeler:,
+        reviewers: nil,
+        assignees: nil,
+        work_item: nil
+      )
         @source         = source
         @branch_name    = branch_name
         @base_commit    = base_commit

data/lib/dependabot/pull_request_creator/bitbucket.rb

@@ -65,9 +65,19 @@ module Dependabot
         )
           .void
       end
-      def initialize(source:, branch_name:, base_commit:, credentials:,
-                     files:, commit_message:, pr_description:, pr_name:,
-                     author_details:, labeler: nil, work_item: nil)
+      def initialize(
+        source:,
+        branch_name:,
+        base_commit:,
+        credentials:,
+        files:,
+        commit_message:,
+        pr_description:,
+        pr_name:,
+        author_details:,
+        labeler: nil,
+        work_item: nil
+      )
         @source         = source
         @branch_name    = branch_name
         @base_commit    = base_commit

data/lib/dependabot/pull_request_creator/branch_namer/base.rb

@@ -38,8 +38,14 @@ module Dependabot
           )
             .void
         end
-        def initialize(dependencies:, files:, target_branch:, separator: "/",
-                       prefix: "dependabot", max_length: nil)
+        def initialize(
+          dependencies:,
+          files:,
+          target_branch:,
+          separator: "/",
+          prefix: "dependabot",
+          max_length: nil
+        )
           @dependencies      = dependencies
           @files             = files
           @target_branch     = target_branch

data/lib/dependabot/pull_request_creator/branch_namer/dependency_group_strategy.rb

@@ -23,8 +23,16 @@ module Dependabot
           )
             .void
         end
-        def initialize(dependencies:, files:, target_branch:, dependency_group:, includes_security_fixes:,
-                       separator: "/", prefix: "dependabot", max_length: nil)
+        def initialize(
+          dependencies:,
+          files:,
+          target_branch:,
+          dependency_group:,
+          includes_security_fixes:,
+          separator: "/",
+          prefix: "dependabot",
+          max_length: nil
+        )
           super(
             dependencies: dependencies,
             files: files,
@@ -76,9 +84,11 @@ module Dependabot
         sig { returns(T.nilable(String)) }
         def dependency_digest
           @dependency_digest ||= T.let(
-            Digest::MD5.hexdigest(dependencies.map do |dependency|
-                                    "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
-                                  end.sort.join(",")).slice(0, 10),
+            Digest::MD5.hexdigest(
+              dependencies.map do |dependency|
+                "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
+              end.sort.join(",")
+            ).slice(0, 10),
             T.nilable(String)
           )
         end

data/lib/dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy.rb

@@ -23,8 +23,16 @@ module Dependabot
           )
             .void
         end
-        def initialize(dependencies:, files:, target_branch:, includes_security_fixes:, multi_ecosystem_name:,
-                       separator: "/", prefix: "dependabot", max_length: nil)
+        def initialize(
+          dependencies:,
+          files:,
+          target_branch:,
+          includes_security_fixes:,
+          multi_ecosystem_name:,
+          separator: "/",
+          prefix: "dependabot",
+          max_length: nil
+        )
           super(
             dependencies: dependencies,
             files: files,
@@ -68,9 +76,11 @@ module Dependabot
         sig { returns(T.nilable(String)) }
         def dependency_digest
           @dependency_digest ||= T.let(
-            Digest::MD5.hexdigest(dependencies.map do |dependency|
-                                    "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
-                                  end.sort.join(",")).slice(0, 10),
+            Digest::MD5.hexdigest(
+              dependencies.map do |dependency|
+                "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
+              end.sort.join(",")
+            ).slice(0, 10),
             T.nilable(String)
           )
         end

data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb

@@ -75,10 +75,12 @@ module Dependabot
         sig { returns(String) }
         def property_name
           @property_name ||=
-            T.let(T.must(dependencies.first).requirements
-                                .find { |r| r.dig(:metadata, :property_name) }
-                                &.dig(:metadata, :property_name),
-                  T.nilable(String))
+            T.let(
+              T.must(dependencies.first).requirements
+                                              .find { |r| r.dig(:metadata, :property_name) }
+                                              &.dig(:metadata, :property_name),
+              T.nilable(String)
+            )
 
           raise "No property name!" unless @property_name
 
@@ -215,9 +217,11 @@ module Dependabot
         sig { returns(T.nilable(String)) }
         def dependency_digest
           T.let(
-            Digest::MD5.hexdigest(dependencies.map do |dependency|
-              "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
-            end.sort.join(",")).slice(0, 10),
+            Digest::MD5.hexdigest(
+              dependencies.map do |dependency|
+                "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
+              end.sort.join(",")
+            ).slice(0, 10),
             T.nilable(String)
           )
         end

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -56,8 +56,17 @@ module Dependabot
         )
           .void
       end
-      def initialize(dependencies:, files:, target_branch:, dependency_group: nil, separator: "/",
-                     prefix: "dependabot", max_length: nil, includes_security_fixes: false, multi_ecosystem_name: nil)
+      def initialize(
+        dependencies:,
+        files:,
+        target_branch:,
+        dependency_group: nil,
+        separator: "/",
+        prefix: "dependabot",
+        max_length: nil,
+        includes_security_fixes: false,
+        multi_ecosystem_name: nil
+      )
         @dependencies  = dependencies
         @files         = files
         @target_branch = target_branch