dependabot-composer 0.89.0

data/helpers/php/.php_cs

@@ -0,0 +1,34 @@
+<?php
+
+$finder = PhpCsFixer\Finder::create()
+    ->in(__DIR__ . '/src')
+    ->in(__DIR__ . '/bin');
+
+return PhpCsFixer\Config::create()
+    ->setRules([
+        '@Symfony' => true,
+        'array_syntax' => ['syntax' => 'short'],
+        'blank_line_after_opening_tag' => true,
+        'concat_space' => ['spacing' => 'one'],
+        'declare_strict_types' => true,
+        'increment_style' => ['style' => 'post'],
+        'is_null' => ['use_yoda_style' => false],
+        'list_syntax' => ['syntax' => 'short'],
+        'method_argument_space' => ['ensure_fully_multiline' => true],
+        'modernize_types_casting' => true,
+        'no_multiline_whitespace_before_semicolons' => true,
+        'no_useless_else' => true,
+        'no_useless_return' => true,
+        'ordered_imports' => true,
+        'phpdoc_align' => false,
+        'phpdoc_order' => true,
+        'php_unit_construct' => true,
+        'php_unit_dedicate_assert' => true,
+        'single_line_comment_style' => true,
+        'ternary_to_null_coalescing' => true,
+        'yoda_style' => false,
+        'void_return' => true,
+    ])
+    ->setFinder($finder)
+    ->setUsingCache(true)
+    ->setRiskyAllowed(true);

data/helpers/setup.sh

@@ -0,0 +1,4 @@
+php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+php -r "if (hash_file('SHA384', 'composer-setup.php') === '544e09ee996cdf60ece3804abc52599c22b1f40f4323403c44d44fdfdd586475ca9813a858088ffbc1f233e9b180f061') { echo 'Installer verified'; } else { echo hash_file('SHA384', 'composer-setup.php'); unlink('composer-setup.php'); } echo PHP_EOL;"
+php composer-setup.php
+php -r "unlink('composer-setup.php');"

data/helpers/src/DependabotInstallationManager.php

@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\PHP;
+
+use Composer\DependencyResolver\Operation\InstallOperation;
+use Composer\DependencyResolver\Operation\UninstallOperation;
+use Composer\DependencyResolver\Operation\UpdateOperation;
+use Composer\Installer\InstallationManager;
+use Composer\Package\PackageInterface;
+use Composer\Repository\RepositoryInterface;
+
+class DependabotInstallationManager extends InstallationManager
+{
+    private $installed = [];
+    private $updated = [];
+    private $uninstalled = [];
+
+    public function install(RepositoryInterface $repo, InstallOperation $operation): void
+    {
+        parent::install($repo, $operation);
+        $this->installed[] = $operation->getPackage();
+    }
+
+    public function update(RepositoryInterface $repo, UpdateOperation $operation): void
+    {
+        parent::update($repo, $operation);
+        $this->updated[] = [$operation->getInitialPackage(), $operation->getTargetPackage()];
+    }
+
+    public function uninstall(RepositoryInterface $repo, UninstallOperation $operation): void
+    {
+        parent::uninstall($repo, $operation);
+        $this->uninstalled[] = $operation->getPackage();
+    }
+
+    /**
+     * @return PackageInterface[]
+     */
+    public function getInstalledPackages(): array
+    {
+        return $this->installed;
+    }
+
+    /**
+     * @return PackageInterface[]
+     */
+    public function getUpdatedPackages(): array
+    {
+        return $this->updated;
+    }
+
+    /**
+     * @return PackageInterface[]
+     */
+    public function getUninstalledPackages(): array
+    {
+        return $this->uninstalled;
+    }
+}

data/helpers/src/DependabotPluginManager.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\PHP;
+
+use Composer\Package\PackageInterface;
+use Composer\Plugin\PluginManager;
+
+class DependabotPluginManager extends PluginManager
+{
+    public function registerPackage(PackageInterface $package, $failOnMissingClasses = false): void
+    {
+        // This package does some setup for PHP_CodeSniffer, but errors out the
+        // install if Symfony isn't installed (which it won't be for a lockfile
+        // only install run). Safe to ignore
+        if (strpos($package->getName(), 'phpcodesniffer') !== false) {
+            return;
+        }
+
+        parent::registerPackage($package, $failOnMissingClasses);
+    }
+}

data/helpers/src/ExceptionIO.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\PHP;
+
+use Composer\IO\NullIO;
+
+class ExceptionIO extends NullIO
+{
+    private $raise_next_error = false;
+
+    public function writeError($messages, $newline = true, $verbosity = self::NORMAL): void
+    {
+        if (is_array($messages)) {
+            return;
+        }
+        if ($this->raise_next_error) {
+            throw new \RuntimeException('Your requirements could not be resolved to an installable set of packages.' . $messages);
+        }
+        if (strpos($messages, 'Your requirements could not be resolved') !== false) {
+            $this->raise_next_error = true;
+        }
+    }
+}

data/helpers/src/Hasher.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\PHP;
+
+use Composer\Factory;
+
+class Hasher
+{
+    public static function getContentHash(array $args): ?string
+    {
+        [$workingDirectory] = $args;
+
+        $io = new ExceptionIO();
+        $composer = Factory::create($io, $workingDirectory . '/composer.json');
+        $locker = $composer->getLocker();
+
+        return $locker->getContentHash(file_get_contents(Factory::getComposerFile()));
+    }
+}

data/helpers/src/UpdateChecker.php

@@ -0,0 +1,123 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\PHP;
+
+use Composer\Factory;
+use Composer\Installer;
+use Composer\Package\PackageInterface;
+
+class UpdateChecker
+{
+    public static function getLatestResolvableVersion(array $args): ?string
+    {
+        [$workingDirectory, $dependencyName, $gitCredentials, $registryCredentials] = $args;
+
+        $io = new ExceptionIO();
+        $composer = Factory::create($io, $workingDirectory . '/composer.json');
+        $config = $composer->getConfig();
+        $httpBasicCredentials = [];
+
+        foreach ($gitCredentials as &$cred) {
+            $httpBasicCredentials[$cred['host']] = [
+                'username' => $cred['username'],
+                'password' => $cred['password'],
+            ];
+        }
+
+        foreach ($registryCredentials as &$cred) {
+            $httpBasicCredentials[$cred['registry']] = [
+                'username' => $cred['username'],
+                'password' => $cred['password'],
+            ];
+        }
+
+        if ($httpBasicCredentials) {
+            $config->merge(
+                [
+                    'config' => [
+                        'http-basic' => $httpBasicCredentials,
+                    ],
+                ]
+            );
+            $io->loadConfiguration($config);
+        }
+
+        $installationManager = new DependabotInstallationManager();
+        $install = new Installer(
+            $io,
+            $config,
+            $composer->getPackage(),
+            $composer->getDownloadManager(),
+            $composer->getRepositoryManager(),
+            $composer->getLocker(),
+            $installationManager,
+            $composer->getEventDispatcher(),
+            $composer->getAutoloadGenerator()
+        );
+
+        // For all potential options, see UpdateCommand in composer
+        $install
+            ->setDryRun(true)
+            ->setUpdate(true)
+            ->setDevMode(true)
+            ->setUpdateWhitelist([$dependencyName])
+            ->setWhitelistTransitiveDependencies(true)
+            ->setExecuteOperations(false)
+            ->setDumpAutoloader(false)
+            ->setRunScripts(false);
+
+        /*
+         * If a platform is set we assume people know what they are doing and we respect the setting.
+         * If no platform is set we ignore it so that the php we run as doesn't interfere
+         */
+        if ($config->get('platform') === []) {
+            $install->setIgnorePlatformRequirements(true);
+        }
+
+        $install->run();
+
+        $installedPackages = $installationManager->getInstalledPackages();
+
+        $updatedPackage = current(array_filter($installedPackages, function (PackageInterface $package) use ($dependencyName) {
+            return $package->getName() == $dependencyName;
+        }));
+
+        // We found the package in the list of updated packages. Return its version.
+        if ($updatedPackage) {
+            return preg_replace('/^([v])/', '', $updatedPackage->getPrettyVersion());
+        }
+
+        // We didn't find the package in the list of updated packages. Check if
+        // it was replaced by another package (in which case we can ignore).
+        foreach ($composer->getPackage()->getReplaces() as $link) {
+            if ($link->getTarget() == $dependencyName) {
+                return null;
+            }
+        }
+        foreach ($installedPackages as $package) {
+            foreach ($package->getReplaces() as $link) {
+                if ($link->getTarget() == $dependencyName) {
+                    return null;
+                }
+            }
+        }
+
+        // Similarly, check if the package was provided by any other package.
+        foreach ($composer->getPackage()->getProvides() as $link) {
+            if ($link->getTarget() == $dependencyName) {
+                return preg_replace('/^([v])/', '', $link->getPrettyConstraint());
+            }
+        }
+        foreach ($installedPackages as $package) {
+            foreach ($package->getProvides() as $link) {
+                if ($link->getTarget() == $dependencyName) {
+                    return preg_replace('/^([v])/', '', $link->getPrettyConstraint());
+                }
+            }
+        }
+
+        throw new \RuntimeException('Package not found in updated packages!');
+    }
+}

data/helpers/src/Updater.php

@@ -0,0 +1,97 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\PHP;
+
+use Composer\Factory;
+use Composer\Installer;
+
+class Updater
+{
+    public static function update(array $args): array
+    {
+        [$workingDirectory, $dependencyName, $dependencyVersion, $gitCredentials, $registryCredentials] = $args;
+
+        // Change working directory to the one provided, this ensures that we
+        // install dependencies into the working dir, rather than a vendor folder
+        // in the root of the project
+        $originalDir = getcwd();
+        chdir($workingDirectory);
+
+        $io = new ExceptionIO();
+        $composer = Factory::create($io);
+        $config = $composer->getConfig();
+        $httpBasicCredentials = [];
+
+        $pm = new DependabotPluginManager($io, $composer, null, false);
+        $composer->setPluginManager($pm);
+        $pm->loadInstalledPlugins();
+
+        foreach ($gitCredentials as &$cred) {
+            $httpBasicCredentials[$cred['host']] = [
+                'username' => $cred['username'],
+                'password' => $cred['password'],
+            ];
+        }
+
+        foreach ($registryCredentials as &$cred) {
+            $httpBasicCredentials[$cred['registry']] = [
+                'username' => $cred['username'],
+                'password' => $cred['password'],
+            ];
+        }
+
+        if ($httpBasicCredentials) {
+            $config->merge(
+                [
+                    'config' => [
+                        'http-basic' => $httpBasicCredentials,
+                    ],
+                ]
+            );
+            $io->loadConfiguration($config);
+        }
+
+        $install = new Installer(
+            $io,
+            $config,
+            $composer->getPackage(),
+            $composer->getDownloadManager(),
+            $composer->getRepositoryManager(),
+            $composer->getLocker(),
+            $composer->getInstallationManager(),
+            $composer->getEventDispatcher(),
+            $composer->getAutoloadGenerator()
+        );
+
+        // For all potential options, see UpdateCommand in composer
+        $install
+            ->setWriteLock(true)
+            ->setUpdate(true)
+            ->setDevMode(true)
+            ->setUpdateWhitelist([$dependencyName])
+            ->setWhitelistTransitiveDependencies(true)
+            ->setExecuteOperations(false)
+            ->setDumpAutoloader(false)
+            ->setRunScripts(false);
+
+        /*
+         * If a platform is set we assume people know what they are doing and we respect the setting.
+         * If no platform is set we ignore it so that the php we run as doesn't interfere
+         */
+        if ($config->get('platform') === []) {
+            $install->setIgnorePlatformRequirements(true);
+        }
+
+        $install->run();
+
+        $result = [
+            'composer.lock' => file_get_contents('composer.lock'),
+        ];
+
+        chdir($originalDir);
+
+        return $result;
+    }
+}

data/lib/dependabot/composer.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/composer/file_fetcher"
+require "dependabot/composer/file_parser"
+require "dependabot/composer/update_checker"
+require "dependabot/composer/file_updater"
+require "dependabot/composer/metadata_finder"
+require "dependabot/composer/requirement"
+require "dependabot/composer/version"

data/lib/dependabot/composer/file_fetcher.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Composer
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        filenames.include?("composer.json")
+      end
+
+      def self.required_files_message
+        "Repo must contain a composer.json."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files << composer_json
+        fetched_files << composer_lock if composer_lock
+        fetched_files << auth_json if auth_json
+        fetched_files += path_dependencies
+        fetched_files
+      end
+
+      def composer_json
+        @composer_json ||= fetch_file_from_host("composer.json")
+      end
+
+      def composer_lock
+        return @composer_lock if @composer_lock_lookup_attempted
+
+        @composer_lock_lookup_attempted = true
+        @composer_lock ||= fetch_file_if_present("composer.lock")
+      end
+
+      # Note: This is fetched but currently unused
+      def auth_json
+        @auth_json ||= fetch_file_if_present("auth.json")&.
+                       tap { |f| f.support_file = true }
+      end
+
+      def path_dependencies
+        @path_dependencies ||=
+          begin
+            composer_json_files = []
+            unfetchable_deps = []
+
+            path_sources.each do |path|
+              directories = path.end_with?("*") ? expand_path(path) : [path]
+
+              directories.each do |dir|
+                file = File.join(dir, "composer.json")
+
+                begin
+                  composer_json_files << fetch_file_with_root_fallback(file)
+                rescue Dependabot::DependencyFileNotFound
+                  # Collected, but currently ignored
+                  unfetchable_deps << file
+                end
+              end
+            end
+
+            # Mark the path dependencies as support files - we don't currently
+            # parse or update them.
+            composer_json_files.tap do |files|
+              files.each { |f| f.support_file = true }
+            end
+          end
+      end
+
+      def path_sources
+        @path_sources ||=
+          JSON.parse(composer_json.content).
+          fetch("repositories", []).
+          select { |details| details["type"] == "path" }.
+          map { |details| details["url"] }
+      rescue JSON::ParserError
+        raise Dependabot::DependencyFileNotParseable, composer_json.path
+      end
+
+      def expand_path(path)
+        repo_contents(dir: path.gsub(/\*$/, "")).
+          select { |file| file.type == "dir" }.
+          map { |f| path.gsub(/\*$/, f.name) }
+      rescue Octokit::NotFound, Gitlab::Error::NotFound
+        # If there's no lockfile, or if none of the dependencies are path
+        # dependencies, then we can ignore failures to find path deps
+        return [] unless composer_lock&.content&.include?('"path"')
+
+        # Otherwise, we don't know what to do. For now, just raise. If we see
+        # this in the wild we can make a call on the correct handling
+        raise if directory == "/"
+
+        # If the directory isn't found at the full path, try looking for it
+        # at the root of the repository.
+        depth = directory.gsub(%r{^/}, "").gsub(%r{/$}, "").split("/").count
+        dir = "../" * depth + path.gsub(/\*$/, "")
+
+        repo_contents(dir: dir).
+          select { |file| file.type == "dir" }.
+          map { |f| path.gsub(/\*$/, f.name) }
+      end
+
+      def fetch_file_with_root_fallback(filename, type: "file")
+        path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
+
+        begin
+          fetch_file_from_host(filename, type: type)
+        rescue Dependabot::DependencyFileNotFound
+          # If the file isn't found at the full path, try looking for it
+          # without considering the directory (i.e., check if the path should
+          # have been relevative to the root of the repository).
+          cleaned_filename = Pathname.new(filename).cleanpath.to_path
+
+          DependencyFile.new(
+            name: cleaned_filename,
+            content: fetch_file_content(cleaned_filename),
+            directory: directory,
+            type: type
+          )
+        end
+      rescue Octokit::NotFound, Gitlab::Error::NotFound
+        raise Dependabot::DependencyFileNotFound, path
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("composer", Dependabot::Composer::FileFetcher)