dependabot-common 0.95.36 → 0.95.37

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7db5f548a509fa4a954f5dfc09a8060fa2fa1d66894841a322cca8b318735e2
-  data.tar.gz: ea1c16837ad111d6bfd7bd0f29accc8970514916dcb0610bceb9b80d079c5c38
+  metadata.gz: 0f84e3f8b023a6cf787eca7dc3ed71b932495d297d8b36c732427998dd243c87
+  data.tar.gz: a60c2c05ab9c9107513daf426405881603d3dc6ceb68d0ed20c39f856fa94ab7
 SHA512:
-  metadata.gz: 11f31cbda75c5525f50277fd340664f7cc0cd4ad51ff466fb1450fb275d006338234723db123a0e6cfc37f449ee365988a59d6e6715edbdda81ab492e7c15f54
-  data.tar.gz: 95dbed990f5ffe66e8ecf352a6906b1481a1d424bf9be8007cf8472525837998b77f6cf49f0e5bc6845019f790d1c7ad024cb415b3295be2f4581a889e064933
+  metadata.gz: b9cd41a89bb9ba29d7fd78c96e064585a29ffb86fb7174cf79d1fc015ce3cbb304210095b2c5cac385b0370cb5818ba89c8768e990ec0a89d8f980b816291a28
+  data.tar.gz: cfb13c360a37753c3a1373b93b1ff00b9f1705016defa754169008a263e1d767233c27ae1f7fdb3bdd9a8cc251fbc02da97b491c17ac59a853c5e51c7daa1dab

data/lib/dependabot/git_commit_checker.rb

@@ -7,12 +7,13 @@ require "dependabot/metadata_finders"
 require "dependabot/errors"
 require "dependabot/utils"
 require "dependabot/source"
+require "dependabot/dependency"
+require "dependabot/git_metadata_fetcher"
 
 # rubocop:disable Metrics/ClassLength
 module Dependabot
   class GitCommitChecker
     VERSION_REGEX = /(?<version>[0-9]+\.[0-9]+(?:\.[a-zA-Z0-9\-]+)*)$/.freeze
-    KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/.freeze
 
     def initialize(dependency:, credentials:, ignored_versions: [],
                    requirement_class: nil, version_class: nil)
@@ -137,99 +138,19 @@ module Dependabot
     end
 
     def local_upload_pack
-      @local_upload_pack ||=
-        fetch_upload_pack_for(dependency_source_details.fetch(:url))
+      local_repo_git_metadata_fetcher.upload_pack
     end
 
     def local_tags
-      return [] unless local_upload_pack
+      tags = local_repo_git_metadata_fetcher.tags
 
-      tags_for_upload_pack(local_upload_pack)
-    end
-
-    def tags_for_upload_pack(upload_pack)
-      peeled_lines = []
-      unpeeled_lines = []
-
-      upload_pack.lines.each do |line|
-        next unless line.split(" ").last.start_with?("refs/tags")
-
-        if line.strip.end_with?("^{}") then peeled_lines << line
-        else unpeeled_lines << line
+      if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
+        tags = tags.map do |tag|
+          tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
         end
       end
 
-      unpeeled_lines.map do |line|
-        tag_name    = line.split(" refs/tags/").last.strip
-        tag_sha     = sha_for_update_pack_line(line)
-        peeled_line = peeled_lines.find do |pl|
-          pl.split(" refs/tags/").last.strip == "#{tag_name}^{}"
-        end
-
-        commit_sha =
-          peeled_line ? sha_for_update_pack_line(peeled_line) : tag_sha
-
-        if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
-          tag_name = "tags/#{tag_name}"
-        end
-
-        OpenStruct.new(name: tag_name, tag_sha: tag_sha, commit_sha: commit_sha)
-      end
-    end
-
-    # rubocop:disable Metrics/CyclomaticComplexity
-    # rubocop:disable Metrics/PerceivedComplexity
-    def fetch_upload_pack_for(uri)
-      response = Excon.get(
-        service_pack_uri(uri),
-        idempotent: true,
-        **SharedHelpers.excon_defaults
-      )
-
-      return response.body if response.status == 200
-      if response.status >= 500 && uri.match?(KNOWN_HOSTS)
-        raise "Server error at #{uri}: #{response.body}"
-      end
-
-      raise Dependabot::GitDependenciesNotReachable, [uri]
-    rescue Excon::Error::Socket, Excon::Error::Timeout
-      retry_count ||= 0
-      retry_count += 1
-
-      sleep(rand(0.9)) && retry if retry_count < 2 && uri.match?(KNOWN_HOSTS)
-      raise if uri.match?(KNOWN_HOSTS)
-
-      raise Dependabot::GitDependenciesNotReachable, [uri]
-    end
-    # rubocop:enable Metrics/CyclomaticComplexity
-    # rubocop:enable Metrics/PerceivedComplexity
-
-    def service_pack_uri(uri)
-      service_pack_uri = uri_with_auth(uri)
-      service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
-      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
-      service_pack_uri + "/info/refs?service=git-upload-pack"
-    end
-
-    def uri_with_auth(uri)
-      bare_uri =
-        if uri.include?("git@") then uri.split("git@").last.sub(":", "/")
-        else uri.sub(%r{.*?://}, "")
-        end
-      cred = credentials.select { |c| c["type"] == "git_source" }.
-             find { |c| bare_uri.start_with?(c["host"]) }
-
-      if bare_uri.match?(%r{[^/]+:[^/]+@})
-        # URI already has authentication details
-        "https://#{bare_uri}"
-      elsif cred
-        # URI doesn't have authentication details, but we have credentials
-        auth_string = "#{cred.fetch('username')}:#{cred.fetch('password')}"
-        "https://#{auth_string}@#{bare_uri}"
-      else
-        # No credentials, so just return the https URI
-        "https://#{bare_uri}"
-      end
+      tags
     end
 
     def commit_included_in_tag?(tag:, commit:, allow_identical: false)
@@ -363,9 +284,17 @@ module Dependabot
     end
 
     def listing_tags
-      return [] unless listing_upload_pack
+      return [] unless listing_source_url
 
-      tags_for_upload_pack(listing_upload_pack)
+      tags = listing_repo_git_metadata_fetcher.tags
+
+      if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
+        tags = tags.map do |tag|
+          tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+        end
+      end
+
+      tags
     rescue GitDependenciesNotReachable
       []
     end
@@ -373,7 +302,7 @@ module Dependabot
     def listing_upload_pack
       return unless listing_source_url
 
-      @listing_upload_pack ||= fetch_upload_pack_for(listing_source_url)
+      listing_repo_git_metadata_fetcher.upload_pack
     end
 
     def ignore_reqs
@@ -414,6 +343,22 @@ module Dependabot
     def sha_for_update_pack_line(line)
       line.split(" ").first.chars.last(40).join
     end
+
+    def local_repo_git_metadata_fetcher
+      @local_repo_git_metadata_fetcher ||=
+        GitMetadataFetcher.new(
+          url: dependency_source_details.fetch(:url),
+          credentials: credentials
+        )
+    end
+
+    def listing_repo_git_metadata_fetcher
+      @listing_repo_git_metadata_fetcher ||=
+        GitMetadataFetcher.new(
+          url: listing_source_url,
+          credentials: credentials
+        )
+    end
   end
 end
 # rubocop:enable Metrics/ClassLength

data/lib/dependabot/git_metadata_fetcher.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/errors"
+
+module Dependabot
+  class GitMetadataFetcher
+    KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/.freeze
+
+    def initialize(url:, credentials:)
+      @url = url
+      @credentials = credentials
+    end
+
+    def upload_pack
+      @upload_pack ||= fetch_upload_pack_for(url)
+    end
+
+    def tags
+      return [] unless upload_pack
+
+      @tags ||= tags_for_upload_pack(upload_pack)
+    end
+
+    private
+
+    attr_reader :url, :credentials
+
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/PerceivedComplexity
+    def fetch_upload_pack_for(uri)
+      response = Excon.get(
+        service_pack_uri(uri),
+        idempotent: true,
+        **SharedHelpers.excon_defaults
+      )
+
+      return response.body if response.status == 200
+      if response.status >= 500 && uri.match?(KNOWN_HOSTS)
+        raise "Server error at #{uri}: #{response.body}"
+      end
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    rescue Excon::Error::Socket, Excon::Error::Timeout
+      retry_count ||= 0
+      retry_count += 1
+
+      sleep(rand(0.9)) && retry if retry_count < 2 && uri.match?(KNOWN_HOSTS)
+      raise if uri.match?(KNOWN_HOSTS)
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def tags_for_upload_pack(upload_pack)
+      peeled_lines = []
+
+      result = upload_pack.lines.each_with_object({}) do |line, res|
+        next unless line.split(" ").last.start_with?("refs/tags")
+
+        peeled_lines << line && next if line.strip.end_with?("^{}")
+
+        tag_name = line.split(" refs/tags/").last.strip
+        sha = sha_for_update_pack_line(line)
+
+        res[tag_name] =
+          OpenStruct.new(name: tag_name, tag_sha: sha, commit_sha: sha)
+      end
+
+      # Loop through the peeled lines, updating the commit_sha for any matching
+      # tags in our results hash
+      peeled_lines.each do |line|
+        tag_name = line.split(" refs/tags/").last.strip.gsub(/\^{}$/, "")
+        next unless result[tag_name]
+
+        result[tag_name].commit_sha = sha_for_update_pack_line(line)
+      end
+
+      result.values
+    end
+
+    def service_pack_uri(uri)
+      service_pack_uri = uri_with_auth(uri)
+      service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
+      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
+      service_pack_uri + "/info/refs?service=git-upload-pack"
+    end
+
+    def uri_with_auth(uri)
+      bare_uri =
+        if uri.include?("git@") then uri.split("git@").last.sub(":", "/")
+        else uri.sub(%r{.*?://}, "")
+        end
+      cred = credentials.select { |c| c["type"] == "git_source" }.
+             find { |c| bare_uri.start_with?(c["host"]) }
+
+      if bare_uri.match?(%r{[^/]+:[^/]+@})
+        # URI already has authentication details
+        "https://#{bare_uri}"
+      elsif cred
+        # URI doesn't have authentication details, but we have credentials
+        auth_string = "#{cred.fetch('username')}:#{cred.fetch('password')}"
+        "https://#{auth_string}@#{bare_uri}"
+      else
+        # No credentials, so just return the https URI
+        "https://#{bare_uri}"
+      end
+    end
+
+    def sha_for_update_pack_line(line)
+      line.split(" ").first.chars.last(40).join
+    end
+  end
+end

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -4,6 +4,7 @@ require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab"
 require "dependabot/clients/bitbucket"
 require "dependabot/shared_helpers"
+require "dependabot/git_metadata_fetcher"
 require "dependabot/metadata_finders/base"
 
 module Dependabot
@@ -125,21 +126,11 @@ module Dependabot
         def fetch_dependency_tags
           return [] unless source
 
-          case source.provider
-          when "github"
-            github_client.tags(source.repo, per_page: 100).map(&:name)
-          when "bitbucket"
-            bitbucket_client.tags(source.repo).map { |tag| tag["name"] }
-          when "gitlab"
-            gitlab_client.tags(source.repo).map(&:name)
-          when "azure"
-            [] # TODO: Fetch Azure tags
-          else raise "Unexpected source provider '#{source.provider}'"
-          end
-        rescue Octokit::NotFound, Gitlab::Error::NotFound,
-               Dependabot::Clients::Bitbucket::NotFound,
-               Dependabot::Clients::Bitbucket::Unauthorized,
-               Dependabot::Clients::Bitbucket::Forbidden
+          GitMetadataFetcher.
+            new(url: source.url, credentials: credentials).
+            tags.
+            map(&:name)
+        rescue Dependabot::GitDependenciesNotReachable
           []
         end
 

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.95.36"
+  VERSION = "0.95.37"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.95.36
+  version: 0.95.37
 platform: ruby
 authors:
 - Dependabot
@@ -328,6 +328,7 @@ files:
 - lib/dependabot/file_updaters/README.md
 - lib/dependabot/file_updaters/base.rb
 - lib/dependabot/git_commit_checker.rb
+- lib/dependabot/git_metadata_fetcher.rb
 - lib/dependabot/metadata_finders.rb
 - lib/dependabot/metadata_finders/README.md
 - lib/dependabot/metadata_finders/base.rb