dependabot-common 0.95.1 → 0.95.2

data/lib/dependabot/pull_request_creator.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+
+module Dependabot
+  class PullRequestCreator
+    require "dependabot/pull_request_creator/github"
+    require "dependabot/pull_request_creator/gitlab"
+    require "dependabot/pull_request_creator/message_builder"
+    require "dependabot/pull_request_creator/branch_namer"
+    require "dependabot/pull_request_creator/labeler"
+
+    class RepoNotFound < StandardError; end
+    class RepoArchived < StandardError; end
+    class NoHistoryInCommon < StandardError; end
+
+    attr_reader :source, :dependencies, :files, :base_commit,
+                :credentials, :pr_message_footer, :custom_labels,
+                :author_details, :signature_key, :vulnerabilities_fixed,
+                :reviewers, :assignees, :milestone, :branch_name_separator
+
+    def initialize(source:, base_commit:, dependencies:, files:, credentials:,
+                   pr_message_footer: nil, custom_labels: nil,
+                   author_details: nil, signature_key: nil,
+                   reviewers: nil, assignees: nil, milestone: nil,
+                   vulnerabilities_fixed: {}, branch_name_separator: "/",
+                   label_language: false)
+      @dependencies          = dependencies
+      @source                = source
+      @base_commit           = base_commit
+      @files                 = files
+      @credentials           = credentials
+      @pr_message_footer     = pr_message_footer
+      @author_details        = author_details
+      @signature_key         = signature_key
+      @custom_labels         = custom_labels
+      @reviewers             = reviewers
+      @assignees             = assignees
+      @milestone             = milestone
+      @vulnerabilities_fixed = vulnerabilities_fixed
+      @branch_name_separator = branch_name_separator
+      @label_language        = label_language
+
+      check_dependencies_have_previous_version
+    end
+
+    def check_dependencies_have_previous_version
+      return if library? && dependencies.all? { |d| requirements_changed?(d) }
+      return if dependencies.all?(&:previous_version)
+
+      raise "Dependencies must have a previous version or changed " \
+            "requirement to have a pull request created for them!"
+    end
+
+    def create
+      case source.provider
+      when "github" then github_creator.create
+      when "gitlab" then gitlab_creator.create
+      else raise "Unsupported provider #{source.provider}"
+      end
+    end
+
+    private
+
+    def label_language?
+      @label_language
+    end
+
+    def github_creator
+      Github.new(
+        source: source,
+        branch_name: branch_namer.new_branch_name,
+        base_commit: base_commit,
+        credentials: credentials,
+        files: files,
+        commit_message: message_builder.commit_message,
+        pr_description: message_builder.pr_message,
+        pr_name: message_builder.pr_name,
+        author_details: author_details,
+        signature_key: signature_key,
+        labeler: labeler,
+        reviewers: reviewers,
+        assignees: assignees,
+        milestone: milestone
+      )
+    end
+
+    def gitlab_creator
+      Gitlab.new(
+        source: source,
+        branch_name: branch_namer.new_branch_name,
+        base_commit: base_commit,
+        credentials: credentials,
+        files: files,
+        commit_message: message_builder.commit_message,
+        pr_description: message_builder.pr_message,
+        pr_name: message_builder.pr_name,
+        author_details: author_details,
+        labeler: labeler,
+        approvers: reviewers,
+        assignee: assignees&.first,
+        milestone: milestone
+      )
+    end
+
+    def message_builder
+      @message_builder ||
+        MessageBuilder.new(
+          source: source,
+          dependencies: dependencies,
+          files: files,
+          credentials: credentials,
+          author_details: author_details,
+          pr_message_footer: pr_message_footer,
+          vulnerabilities_fixed: vulnerabilities_fixed
+        )
+    end
+
+    def branch_namer
+      @branch_namer ||=
+        BranchNamer.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: source.branch,
+          separator: branch_name_separator
+        )
+    end
+
+    def labeler
+      @labeler ||=
+        Labeler.new(
+          source: source,
+          custom_labels: custom_labels,
+          credentials: credentials,
+          includes_security_fixes: includes_security_fixes?,
+          dependencies: dependencies,
+          label_language: label_language?
+        )
+    end
+
+    def library?
+      return true if files.any? { |file| file.name.end_with?(".gemspec") }
+
+      dependencies.none?(&:appears_in_lockfile?)
+    end
+
+    def includes_security_fixes?
+      vulnerabilities_fixed.values.flatten.any?
+    end
+
+    def requirements_changed?(dependency)
+      (dependency.requirements - dependency.previous_requirements).any?
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/pull_request_creator"
+
+module Dependabot
+  class PullRequestCreator
+    class BranchNamer
+      attr_reader :dependencies, :files, :target_branch, :separator
+
+      def initialize(dependencies:, files:, target_branch:, separator: "/")
+        @dependencies  = dependencies
+        @files         = files
+        @target_branch = target_branch
+        @separator     = separator
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/CyclomaticComplexity
+      def new_branch_name
+        @name ||=
+          if dependencies.count > 1 && updating_a_property?
+            property_name
+          elsif dependencies.count > 1 && updating_a_dependency_set?
+            dependency_set.fetch(:group)
+          elsif dependencies.count > 1
+            dependencies.map(&:name).join("-and-").tr(":", "-")
+          elsif library? && ref_changed?(dependencies.first)
+            dep = dependencies.first
+            "#{dep.name.tr(':', '-')}-#{new_ref(dep)}"
+          elsif library?
+            dep = dependencies.first
+            "#{dep.name.tr(':', '-')}-#{sanitized_requirement(dep)}"
+          else
+            dep = dependencies.first
+            "#{dep.name.tr(':', '-')}-#{new_version(dep)}"
+          end
+
+        branch_name = File.join(prefixes, @name).gsub(%r{/\.}, "/dot-")
+
+        # Some users need branch names without slashes
+        branch_name.gsub("/", separator)
+      end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      private
+
+      def prefixes
+        [
+          "dependabot",
+          package_manager,
+          files.first.directory.tr(" ", "-"),
+          target_branch
+        ].compact
+      end
+
+      def package_manager
+        dependencies.first.package_manager
+      end
+
+      def updating_a_property?
+        dependencies.first.
+          requirements.
+          any? { |r| r.dig(:metadata, :property_name) }
+      end
+
+      def updating_a_dependency_set?
+        dependencies.first.
+          requirements.
+          any? { |r| r.dig(:metadata, :dependency_set) }
+      end
+
+      def property_name
+        @property_name ||= dependencies.first.requirements.
+                           find { |r| r.dig(:metadata, :property_name) }&.
+                           dig(:metadata, :property_name)
+
+        raise "No property name!" unless @property_name
+
+        @property_name
+      end
+
+      def dependency_set
+        @dependency_set ||= dependencies.first.requirements.
+                            find { |r| r.dig(:metadata, :dependency_set) }&.
+                            dig(:metadata, :dependency_set)
+
+        raise "No dependency set!" unless @dependency_set
+
+        @dependency_set
+      end
+
+      def sanitized_requirement(dependency)
+        new_library_requirement(dependency).
+          delete(" ").
+          gsub("!=", "neq-").
+          gsub(">=", "gte-").
+          gsub("<=", "lte-").
+          gsub("~>", "tw-").
+          gsub("^", "tw-").
+          gsub("||", "or-").
+          gsub("~", "approx-").
+          gsub("~=", "tw-").
+          gsub(/==*/, "eq-").
+          gsub(">", "gt-").
+          gsub("<", "lt-").
+          gsub("*", "star").
+          gsub(",", "-and-")
+      end
+
+      def new_version(dependency)
+        if dependency.version.match?(/^[0-9a-f]{40}$/)
+          return new_ref(dependency) if ref_changed?(dependency)
+
+          dependency.version[0..6]
+        elsif dependency.version == dependency.previous_version &&
+              package_manager == "docker"
+          dependency.requirements.
+            map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
+            compact.first.split(":").last[0..6]
+        else
+          dependency.version
+        end
+      end
+
+      def previous_ref(dependency)
+        dependency.previous_requirements.map do |r|
+          r.dig(:source, "ref") || r.dig(:source, :ref)
+        end.compact.first
+      end
+
+      def new_ref(dependency)
+        dependency.requirements.map do |r|
+          r.dig(:source, "ref") || r.dig(:source, :ref)
+        end.compact.first
+      end
+
+      def ref_changed?(dependency)
+        previous_ref(dependency) && new_ref(dependency) &&
+          previous_ref(dependency) != new_ref(dependency)
+      end
+
+      def new_library_requirement(dependency)
+        updated_reqs =
+          dependency.requirements - dependency.previous_requirements
+
+        gemspec =
+          updated_reqs.find { |r| r[:file].match?(%r{^[^/]*\.gemspec$}) }
+        return gemspec[:requirement] if gemspec
+
+        updated_reqs.first[:requirement]
+      end
+
+      def library?
+        if files.map(&:name).any? { |name| name.end_with?(".gemspec") }
+          return true
+        end
+
+        dependencies.none?(&:appears_in_lockfile?)
+      end
+
+      def requirements_changed?(dependency)
+        (dependency.requirements - dependency.previous_requirements).any?
+      end
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/commit_signer.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "time"
+require "gpgme"
+require "tmpdir"
+require "dependabot/pull_request_creator"
+
+module Dependabot
+  class PullRequestCreator
+    class CommitSigner
+      attr_reader :author_details, :commit_message, :tree_sha, :parent_sha,
+                  :signature_key
+
+      def initialize(author_details:, commit_message:, tree_sha:, parent_sha:,
+                     signature_key:)
+        @author_details = author_details
+        @commit_message = commit_message
+        @tree_sha = tree_sha
+        @parent_sha = parent_sha
+        @signature_key = signature_key
+      end
+
+      def signature
+        email = author_details[:email]
+
+        dir = Dir.mktmpdir
+
+        GPGME::Engine.home_dir = dir
+        GPGME::Key.import(signature_key)
+
+        crypto = GPGME::Crypto.new(armor: true)
+        opts = { mode: GPGME::SIG_MODE_DETACH, signer: email }
+        crypto.sign(commit_object, opts).to_s
+      rescue Errno::ENOTEMPTY
+        FileUtils.remove_entry(dir, true)
+        # This appears to be a Ruby bug which occurs very rarely
+        raise if @retrying
+
+        @retrying = true
+        retry
+      ensure
+        FileUtils.remove_entry(dir, true)
+      end
+
+      private
+
+      def commit_object
+        time_str = Time.parse(author_details[:date]).strftime("%s %z")
+        name = author_details[:name]
+        email = author_details[:email]
+
+        [
+          "tree #{tree_sha}",
+          "parent #{parent_sha}",
+          "author #{name} <#{email}> #{time_str}",
+          "committer #{name} <#{email}> #{time_str}",
+          "",
+          commit_message
+        ].join("\n")
+      end
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/github.rb

@@ -0,0 +1,277 @@
+# frozen_string_literal: true
+
+require "octokit"
+require "securerandom"
+require "dependabot/clients/github_with_retries"
+require "dependabot/pull_request_creator"
+require "dependabot/pull_request_creator/commit_signer"
+
+module Dependabot
+  class PullRequestCreator
+    class Github
+      attr_reader :source, :branch_name, :base_commit, :credentials,
+                  :files, :pr_description, :pr_name, :commit_message,
+                  :author_details, :signature_key,
+                  :labeler, :reviewers, :assignees, :milestone
+
+      def initialize(source:, branch_name:, base_commit:, credentials:,
+                     files:, commit_message:, pr_description:, pr_name:,
+                     author_details:, signature_key:,
+                     labeler:, reviewers:, assignees:, milestone:)
+        @source         = source
+        @branch_name    = branch_name
+        @base_commit    = base_commit
+        @credentials    = credentials
+        @files          = files
+        @commit_message = commit_message
+        @pr_description = pr_description
+        @pr_name        = pr_name
+        @author_details = author_details
+        @signature_key  = signature_key
+        @labeler        = labeler
+        @reviewers      = reviewers
+        @assignees      = assignees
+        @milestone      = milestone
+      end
+
+      def create
+        return if branch_exists? && pull_request_exists?
+
+        commit = create_commit
+        branch = create_or_update_branch(commit)
+        return unless branch
+
+        pull_request = create_pull_request
+        return unless pull_request
+
+        annotate_pull_request(pull_request)
+
+        pull_request
+      rescue Octokit::Error => error
+        handle_error(error)
+      end
+
+      private
+
+      def github_client_for_source
+        @github_client_for_source ||=
+          Dependabot::Clients::GithubWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def branch_exists?
+        @branch_ref ||=
+          github_client_for_source.ref(source.repo, "heads/#{branch_name}")
+        if @branch_ref.is_a?(Array)
+          @branch_ref.any? { |r| r.ref == "refs/heads/#{branch_name}" }
+        else
+          @branch_ref.ref == "refs/heads/#{branch_name}"
+        end
+      rescue Octokit::NotFound
+        false
+      end
+
+      def pull_request_exists?
+        github_client_for_source.pull_requests(
+          source.repo,
+          head: "#{source.repo.split('/').first}:#{branch_name}",
+          state: "all"
+        ).any?
+      rescue Octokit::InternalServerError
+        # A GitHub bug sometimes means adding `state: all` causes problems.
+        # In that case, fall back to making two separate requests.
+        open_prs = github_client_for_source.pull_requests(
+          source.repo,
+          head: "#{source.repo.split('/').first}:#{branch_name}",
+          state: "open"
+        )
+
+        closed_prs = github_client_for_source.pull_requests(
+          source.repo,
+          head: "#{source.repo.split('/').first}:#{branch_name}",
+          state: "closed"
+        )
+
+        [*open_prs, *closed_prs].any?
+      end
+
+      def repo_exists?
+        github_client_for_source.repo(source.repo)
+        true
+      rescue Octokit::NotFound
+        false
+      end
+
+      def create_commit
+        tree = create_tree
+
+        options = author_details&.any? ? { author: author_details } : {}
+
+        if options[:author]&.any? && signature_key
+          options[:author][:date] = Time.now.utc.iso8601
+          options[:signature] = commit_signature(tree, options[:author])
+        end
+
+        github_client_for_source.create_commit(
+          source.repo,
+          commit_message,
+          tree.sha,
+          base_commit,
+          options
+        )
+      end
+
+      def create_tree
+        file_trees = files.map do |file|
+          if file.type == "submodule"
+            {
+              path: file.path.sub(%r{^/}, ""),
+              mode: "160000",
+              type: "commit",
+              sha: file.content
+            }
+          else
+            {
+              path: file.path.sub(%r{^/}, ""),
+              mode: "100644",
+              type: "blob",
+              content: file.content
+            }
+          end
+        end
+
+        github_client_for_source.create_tree(
+          source.repo,
+          file_trees,
+          base_tree: base_commit
+        )
+      end
+
+      def create_or_update_branch(commit)
+        branch_exists? ? update_branch(commit) : create_branch(commit)
+      rescue Octokit::UnprocessableEntity
+        # A race condition may cause GitHub to fail here, in which case we retry
+        retry_count ||= 0
+        retry_count += 1
+        retry unless retry_count >= 2
+      end
+
+      def create_branch(commit)
+        github_client_for_source.create_ref(
+          source.repo,
+          "heads/#{branch_name}",
+          commit.sha
+        )
+      rescue Octokit::UnprocessableEntity => error
+        # Return quietly in the case of a race
+        return nil if error.message.match?(/Reference already exists/i)
+        raise if @retrying_branch_creation
+
+        @retrying_branch_creation = true
+
+        # Branch creation will fail if a branch called `dependabot` already
+        # exists, since git won't be able to create a folder with the same name
+        @branch_name = SecureRandom.hex[0..3] + @branch_name
+        retry
+      end
+
+      def update_branch(commit)
+        github_client_for_source.update_ref(
+          source.repo,
+          "heads/#{branch_name}",
+          commit.sha,
+          true
+        )
+      end
+
+      def annotate_pull_request(pull_request)
+        labeler.label_pull_request(pull_request.number)
+        add_reviewers_to_pull_request(pull_request) if reviewers&.any?
+        add_assignees_to_pull_request(pull_request) if assignees&.any?
+        add_milestone_to_pull_request(pull_request) if milestone
+      end
+
+      def add_reviewers_to_pull_request(pull_request)
+        reviewers_hash =
+          Hash[reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }]
+
+        github_client_for_source.request_pull_request_review(
+          source.repo,
+          pull_request.number,
+          reviewers: reviewers_hash[:reviewers] || [],
+          team_reviewers: reviewers_hash[:team_reviewers] || []
+        )
+      rescue Octokit::UnprocessableEntity => error
+        return if error.message.include?("not a collaborator")
+        return if error.message.include?("Could not resolve to a node")
+
+        raise
+      end
+
+      def add_assignees_to_pull_request(pull_request)
+        github_client_for_source.add_assignees(
+          source.repo,
+          pull_request.number,
+          assignees
+        )
+      end
+
+      def add_milestone_to_pull_request(pull_request)
+        github_client_for_source.update_issue(
+          source.repo,
+          pull_request.number,
+          milestone: milestone
+        )
+      end
+
+      def create_pull_request
+        github_client_for_source.create_pull_request(
+          source.repo,
+          source.branch || default_branch,
+          branch_name,
+          pr_name,
+          pr_description
+        )
+      rescue Octokit::UnprocessableEntity => error
+        # Ignore races that we lose
+        raise unless error.message.include?("pull request already exists")
+      end
+
+      def default_branch
+        @default_branch ||=
+          github_client_for_source.repository(source.repo).default_branch
+      end
+
+      def commit_signature(tree, author_details_with_date)
+        CommitSigner.new(
+          author_details: author_details_with_date,
+          commit_message: commit_message,
+          tree_sha: tree.sha,
+          parent_sha: base_commit,
+          signature_key: signature_key
+        ).signature
+      end
+
+      def handle_error(error)
+        case error
+        when Octokit::Forbidden
+          raise error unless error.message.include?("Repository was archived")
+
+          raise RepoArchived, error.message
+        when Octokit::NotFound
+          raise error if repo_exists?
+
+          raise RepoNotFound, error.message
+        when Octokit::UnprocessableEntity
+          raise error unless error.message.include?("no history in common")
+
+          raise NoHistoryInCommon, error.message
+        else
+          raise error
+        end
+      end
+    end
+  end
+end