dependabot-common 0.241.0 → 0.242.0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8b85f6eea900488026cdee04e04dd5b51df99f8bafcff4c83ae83c5dfeb54c63
|
|
4
|
+
data.tar.gz: 30a4355a110f4be117fd9ece16d437f8a28704e75a7e0a62e4a5a5055c63e0cd
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c928acaa28bf821c081dd80afda5aa16551a09ab031a28ea60241742d23ffeb54186087fca915317d811b88881bbe6ce99f3b343f45d8efd538aee1c9b7524cd
|
|
7
|
+
data.tar.gz: a2a4d975f4010b24077d4b558f8d1e4806230411b0d98983c58c7df5be2dd41a2e39868c1a346132743de560fdf28a059cbbb5800bae3ac19333008db3504591
|
|
@@ -103,7 +103,7 @@ module Dependabot
|
|
|
103
103
|
sig { returns(T.nilable(T.any(T::Array[String], T::Hash[Symbol, T::Array[Integer]]))) }
|
|
104
104
|
attr_reader :reviewers
|
|
105
105
|
|
|
106
|
-
sig { returns(T.nilable(T::Array[String])) }
|
|
106
|
+
sig { returns(T.nilable(T.any(T::Array[String], T::Array[Integer]))) }
|
|
107
107
|
attr_reader :assignees
|
|
108
108
|
|
|
109
109
|
sig { returns(T.nilable(String)) }
|
|
@@ -150,8 +150,8 @@ module Dependabot
|
|
|
150
150
|
signature_key: T.nilable(String),
|
|
151
151
|
commit_message_options: T::Hash[Symbol, T.untyped],
|
|
152
152
|
vulnerabilities_fixed: T::Hash[String, String],
|
|
153
|
-
reviewers: T.nilable(T::Array[String]),
|
|
154
|
-
assignees: T.nilable(T::Array[String]),
|
|
153
|
+
reviewers: T.nilable(T.any(T::Array[String], T::Hash[Symbol, T::Array[Integer]])),
|
|
154
|
+
assignees: T.nilable(T.any(T::Array[String], T::Array[Integer])),
|
|
155
155
|
milestone: T.nilable(String),
|
|
156
156
|
branch_name_separator: String,
|
|
157
157
|
branch_name_prefix: String,
|
|
@@ -1,31 +1,51 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
4
5
|
require "dependabot/version"
|
|
5
6
|
|
|
6
7
|
module Dependabot
|
|
7
8
|
class SecurityAdvisory
|
|
8
|
-
|
|
9
|
-
:vulnerable_versions, :safe_versions,
|
|
10
|
-
:vulnerable_version_strings
|
|
9
|
+
extend T::Sig
|
|
11
10
|
|
|
11
|
+
sig { returns(String) }
|
|
12
|
+
attr_reader :dependency_name
|
|
13
|
+
|
|
14
|
+
sig { returns(String) }
|
|
15
|
+
attr_reader :package_manager
|
|
16
|
+
|
|
17
|
+
sig { returns(T::Array[Dependabot::Requirement]) }
|
|
18
|
+
attr_reader :vulnerable_versions
|
|
19
|
+
|
|
20
|
+
sig { returns(T::Array[Dependabot::Requirement]) }
|
|
21
|
+
attr_reader :safe_versions
|
|
22
|
+
|
|
23
|
+
sig { returns(T::Array[T.any(String, Dependabot::Requirement)]) }
|
|
24
|
+
attr_reader :vulnerable_version_strings
|
|
25
|
+
|
|
26
|
+
sig do
|
|
27
|
+
params(
|
|
28
|
+
dependency_name: String,
|
|
29
|
+
package_manager: String,
|
|
30
|
+
vulnerable_versions: T.nilable(T::Array[Dependabot::Requirement]),
|
|
31
|
+
safe_versions: T.nilable(T::Array[T.any(String, Dependabot::Requirement)])
|
|
32
|
+
)
|
|
33
|
+
.void
|
|
34
|
+
end
|
|
12
35
|
def initialize(dependency_name:, package_manager:,
|
|
13
36
|
vulnerable_versions: [], safe_versions: [])
|
|
14
37
|
@dependency_name = dependency_name
|
|
15
38
|
@package_manager = package_manager
|
|
16
|
-
@vulnerable_version_strings = vulnerable_versions || []
|
|
17
|
-
@vulnerable_versions = []
|
|
18
|
-
@safe_versions =
|
|
39
|
+
@vulnerable_version_strings = T.let(vulnerable_versions || [], T::Array[T.any(String, Dependabot::Requirement)])
|
|
40
|
+
@vulnerable_versions = T.let([], T::Array[Dependabot::Requirement])
|
|
41
|
+
@safe_versions = T.let([], T::Array[Dependabot::Requirement])
|
|
19
42
|
|
|
20
|
-
convert_string_version_requirements
|
|
43
|
+
convert_string_version_requirements(vulnerable_version_strings, safe_versions || [])
|
|
21
44
|
check_version_requirements
|
|
22
45
|
end
|
|
23
46
|
|
|
47
|
+
sig { params(version: Gem::Version).returns(T::Boolean) }
|
|
24
48
|
def vulnerable?(version)
|
|
25
|
-
unless version.is_a?(version_class) || version.instance_of?(Gem::Version)
|
|
26
|
-
raise ArgumentError, "must be a #{version_class}"
|
|
27
|
-
end
|
|
28
|
-
|
|
29
49
|
in_safe_range = safe_versions
|
|
30
50
|
.any? { |r| r.satisfied_by?(version) }
|
|
31
51
|
|
|
@@ -50,9 +70,10 @@ module Dependabot
|
|
|
50
70
|
#
|
|
51
71
|
# @param dependency [Dependabot::Dependency] Updated dependency
|
|
52
72
|
# @return [Boolean]
|
|
73
|
+
sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
|
|
53
74
|
def fixed_by?(dependency)
|
|
54
75
|
# Handle case mismatch between the security advisory and parsed name
|
|
55
|
-
return false unless dependency_name.casecmp(dependency.name)
|
|
76
|
+
return false unless dependency_name.casecmp(dependency.name)&.zero?
|
|
56
77
|
return false unless package_manager == dependency.package_manager
|
|
57
78
|
# TODO: Support no previous version to the same level as dependency graph
|
|
58
79
|
# and security alerts. We currently ignore dependency updates without a
|
|
@@ -61,19 +82,20 @@ module Dependabot
|
|
|
61
82
|
return false unless version_class.correct?(dependency.previous_version)
|
|
62
83
|
|
|
63
84
|
# Ignore deps that weren't previously vulnerable
|
|
64
|
-
return false unless affects_version?(dependency.previous_version)
|
|
85
|
+
return false unless affects_version?(T.must(dependency.previous_version))
|
|
65
86
|
|
|
66
87
|
# Removing a dependency is a way to fix the vulnerability
|
|
67
88
|
return true if dependency.removed?
|
|
68
89
|
|
|
69
90
|
# Select deps that are now fixed
|
|
70
|
-
!affects_version?(dependency.version)
|
|
91
|
+
!affects_version?(T.must(dependency.version))
|
|
71
92
|
end
|
|
72
93
|
|
|
73
94
|
# Check if the version is affected by the advisory
|
|
74
95
|
#
|
|
75
96
|
# @param version [Dependabot::<Package Manager>::Version] version class
|
|
76
97
|
# @return [Boolean]
|
|
98
|
+
sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
|
|
77
99
|
def affects_version?(version)
|
|
78
100
|
return false unless version_class.correct?(version)
|
|
79
101
|
return false unless [*safe_versions, *vulnerable_versions].any?
|
|
@@ -96,7 +118,14 @@ module Dependabot
|
|
|
96
118
|
|
|
97
119
|
private
|
|
98
120
|
|
|
99
|
-
|
|
121
|
+
sig do
|
|
122
|
+
params(
|
|
123
|
+
vulnerable_version_strings: T::Array[T.any(String, Dependabot::Requirement)],
|
|
124
|
+
safe_versions: T::Array[T.any(String, Dependabot::Requirement)]
|
|
125
|
+
)
|
|
126
|
+
.void
|
|
127
|
+
end
|
|
128
|
+
def convert_string_version_requirements(vulnerable_version_strings, safe_versions)
|
|
100
129
|
@vulnerable_versions = vulnerable_version_strings.flat_map do |vuln_str|
|
|
101
130
|
next vuln_str unless vuln_str.is_a?(String)
|
|
102
131
|
|
|
@@ -110,6 +139,7 @@ module Dependabot
|
|
|
110
139
|
end
|
|
111
140
|
end
|
|
112
141
|
|
|
142
|
+
sig { void }
|
|
113
143
|
def check_version_requirements
|
|
114
144
|
unless vulnerable_versions.is_a?(Array) &&
|
|
115
145
|
vulnerable_versions.all? { |i| requirement_class <= i.class }
|
|
@@ -124,10 +154,12 @@ module Dependabot
|
|
|
124
154
|
end
|
|
125
155
|
end
|
|
126
156
|
|
|
157
|
+
sig { returns(T.class_of(Gem::Version)) }
|
|
127
158
|
def version_class
|
|
128
159
|
Utils.version_class_for_package_manager(package_manager)
|
|
129
160
|
end
|
|
130
161
|
|
|
162
|
+
sig { returns(T.class_of(Dependabot::Requirement)) }
|
|
131
163
|
def requirement_class
|
|
132
164
|
Utils.requirement_class_for_package_manager(package_manager)
|
|
133
165
|
end
|
|
@@ -10,10 +10,10 @@ module Dependabot
|
|
|
10
10
|
|
|
11
11
|
sig do
|
|
12
12
|
params(
|
|
13
|
-
versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol,
|
|
13
|
+
versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, Gem::Version])],
|
|
14
14
|
security_advisories: T::Array[SecurityAdvisory]
|
|
15
15
|
)
|
|
16
|
-
.returns(T::Array[T.any(Gem::Version, T::Hash[Symbol,
|
|
16
|
+
.returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, Gem::Version])])
|
|
17
17
|
end
|
|
18
18
|
def self.filter_vulnerable_versions(versions_array, security_advisories)
|
|
19
19
|
versions_array.reject do |v|
|
data/lib/dependabot.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.242.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-01-
|
|
11
|
+
date: 2024-01-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-codecommit
|
|
@@ -572,7 +572,7 @@ licenses:
|
|
|
572
572
|
- Nonstandard
|
|
573
573
|
metadata:
|
|
574
574
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
575
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
575
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.242.0
|
|
576
576
|
post_install_message:
|
|
577
577
|
rdoc_options: []
|
|
578
578
|
require_paths:
|