RubyGems - dependabot-common - Versions diffs - 0.124.1 → 0.124.2 - Mend

dependabot-common 0.124.1 → 0.124.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/security_advisory.rb +36 -0
data/lib/dependabot/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd5f760de88f18b1b02d000700ee31816399598f649fb1c0dc517d9e4ee64f53
-  data.tar.gz: 66afb451c31cbcf860a06b605ccfc7303aea932ec52092f0c11206ae5f3d68e8
+  metadata.gz: f8c1c6ce7dbce6606fe13ea021cddbdf6cc73561227f1e944024b0cd59c066f8
+  data.tar.gz: 43be3e7cd0d8c583d2286a909d5c616b126eda8d1800db931ebf9ed66ee013bd
 SHA512:
-  metadata.gz: 9d83ee81a113febfbc73a802696a0cc2dbe0e09a3f55f86f7e601fe1f8e7692ff8c0bf21ddfa9c4e9d54b65327364a5cda53b3e1ee0c35483aaefa7239fc8f2c
-  data.tar.gz: 4dccba4c87d90ac14a87d8a2ef659da8c00746730c258b36b68b55bf76f15dce8914e61bce5a30c7b2de286093908c7b2e91bb59013b7cf86caa424921b78a9e
+  metadata.gz: d8a3a6a7ca1e6910132f9c102c13547310eb38e1ac899df526a7fe6bf0cb8ebc264962b3f5ff9376a77f85e5cc5f385de81d58a1ccbfd165c295a9c9c5270d96
+  data.tar.gz: 90c3aa1296c25e4616de3f29b83d5fb49c6dea2e05ccc12fa1c1f69d37342442cfc41acad10a9258d88352c21ff988a3417ae768fb559365873e317413194c23

data/lib/dependabot/security_advisory.rb CHANGED

@@ -43,6 +43,42 @@ module Dependabot
       safe_versions.any?
     end
+    def fixes_advisory?(dependency)
+      return false unless dependency_name == dependency.name
+      return false unless package_manager == dependency.package_manager
+      # TODO: Support no previous version to the same level as dependency graph
+      # and security alerts. We currently ignore dependency updates without a
+      # previous version because we don't know if the dependency was vulerable.
+      return false unless dependency.previous_version
+      return false unless version_class.correct?(dependency.previous_version)
+      # Ignore deps that weren't previously vulnerable
+      return false unless affects_version?(dependency.previous_version)
+      # Select deps that are now fixed
+      !affects_version?(dependency.version)
+    end
+    def affects_version?(version)
+      return false unless version_class.correct?(version)
+      return false unless [*safe_versions, *vulnerable_versions].any?
+      version = version_class.new(version)
+      # If version is known safe for this advisory, it's not vulnerable
+      return false if safe_versions.any? { |r| r.satisfied_by?(version) }
+      # If in the vulnerable range and not known safe, it's vulnerable
+      return true if vulnerable_versions.any? { |r| r.satisfied_by?(version) }
+      # If a vulnerable range present but not met, it's not vulnerable
+      return false if vulnerable_versions.any?
+      # Finally, if no vulnerable range provided, but a safe range provided,
+      # and this versions isn't included (checked earler), it's vulnerable
+      safe_versions.any?
+    end
     private
     def convert_string_version_requirements

data/lib/dependabot/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Dependabot
-  VERSION = "0.124.1"
+  VERSION = "0.124.2"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.124.1
+  version: 0.124.2
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-10-22 00:00:00.000000000 Z
+date: 2020-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit