dependabot-core 0.76.1

data/lib/dependabot/file_parsers.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "dependabot/file_parsers/ruby/bundler"
+require "dependabot/file_parsers/python/pip"
+require "dependabot/file_parsers/java_script/npm_and_yarn"
+require "dependabot/file_parsers/java/maven"
+require "dependabot/file_parsers/java/gradle"
+require "dependabot/file_parsers/php/composer"
+require "dependabot/file_parsers/git/submodules"
+require "dependabot/file_parsers/docker/docker"
+require "dependabot/file_parsers/elixir/hex"
+require "dependabot/file_parsers/rust/cargo"
+require "dependabot/file_parsers/dotnet/nuget"
+require "dependabot/file_parsers/go/dep"
+require "dependabot/file_parsers/go/modules"
+require "dependabot/file_parsers/elm/elm_package"
+
+module Dependabot
+  module FileParsers
+    @file_parsers = {
+      "bundler" => FileParsers::Ruby::Bundler,
+      "npm_and_yarn" => FileParsers::JavaScript::NpmAndYarn,
+      "maven" => FileParsers::Java::Maven,
+      "gradle" => FileParsers::Java::Gradle,
+      "pip" => FileParsers::Python::Pip,
+      "composer" => FileParsers::Php::Composer,
+      "submodules" => FileParsers::Git::Submodules,
+      "docker" => FileParsers::Docker::Docker,
+      "hex" => FileParsers::Elixir::Hex,
+      "cargo" => FileParsers::Rust::Cargo,
+      "nuget" => FileParsers::Dotnet::Nuget,
+      "dep" => FileParsers::Go::Dep,
+      "go_modules" => FileParsers::Go::Modules,
+      "elm-package" => FileParsers::Elm::ElmPackage
+    }
+
+    def self.for_package_manager(package_manager)
+      file_parser = @file_parsers[package_manager]
+      return file_parser if file_parser
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register(package_manager, file_parser)
+      @file_parsers[package_manager] = file_parser
+    end
+  end
+end

data/lib/dependabot/file_parsers/README.md

@@ -0,0 +1,45 @@
+# File parsers
+
+File parsers take a set of dependency files and extract a list of dependencies
+for the project.
+
+There is a `Dependabot::FileParsers` class for each language Dependabot
+supports.
+
+## Public API
+
+Each `Dependabot::FileParsers` class implements the following methods:
+
+| Method              | Description                                                                                   |
+|---------------------|-----------------------------------------------------------------------------------------------|
+| `#parse`            | Returns an array of `Dependabot::Dependency` instances, representing the dependencies for the project. Each `Dependabot::Dependency` has a `name`, `version` and a `requirements` array |
+
+An integration might look as follows:
+
+```ruby
+require 'dependabot/file_parsers'
+
+files = fetcher.files
+
+parser_class = Dependabot::FileParsers::Ruby::Bundler
+source = Dependabot::Source.new(provider: 'github', repo: "gocardless/business")
+parser = parser_class.new(dependency_files: files, source: source)
+
+dependencies = parser.parse
+
+puts "Found the following dependencies: #{dependencies.map(&:name)}"
+```
+
+## Writing a file parser for a new language
+
+All new file parsers should inherit from `Dependabot::FileParsers::Base` and
+implement the following methods:
+
+| Method                  | Description                                                                                   |
+|-------------------------|-----------------------------------------------------------------------------------------------|
+| `#parse`                | See Public API section. |
+| `#check_required_files` | Raise a runtime error unless an appropriate set of files is provided. Private. |
+
+To ensure the above are implemented, you should include
+`it_behaves_like "a dependency file parser"` in your specs for the new file
+parser.

data/lib/dependabot/file_parsers/base.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module FileParsers
+    class Base
+      attr_reader :dependency_files, :credentials, :source
+
+      def initialize(dependency_files:, source:, credentials: [])
+        @dependency_files = dependency_files
+        @credentials = credentials
+        @source = source
+
+        check_required_files
+      end
+
+      def parse
+        raise NotImplementedError
+      end
+
+      private
+
+      def check_required_files
+        raise NotImplementedError
+      end
+
+      def get_original_file(filename)
+        dependency_files.find { |f| f.name == filename }
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+require "dependabot/utils"
+
+module Dependabot
+  module FileParsers
+    class Base
+      class DependencySet
+        def initialize(dependencies = [])
+          unless dependencies.is_a?(Array) &&
+                 dependencies.all? { |dep| dep.is_a?(Dependency) }
+            raise ArgumentError, "must be an array of Dependency objects"
+          end
+
+          @dependencies = dependencies
+        end
+
+        attr_reader :dependencies
+
+        def <<(dep)
+          unless dep.is_a?(Dependency)
+            raise ArgumentError, "must be a Dependency object"
+          end
+
+          existing_dependency = dependencies.find { |d| d.name == dep.name }
+
+          return self if existing_dependency&.to_h == dep.to_h
+
+          if existing_dependency
+            dependencies[dependencies.index(existing_dependency)] =
+              combined_dependency(existing_dependency, dep)
+          else
+            dependencies << dep
+          end
+
+          self
+        end
+
+        def +(other)
+          unless other.is_a?(DependencySet)
+            raise ArgumentError, "must be a DependencySet"
+          end
+
+          other.dependencies.each { |dep| self << dep }
+          self
+        end
+
+        private
+
+        def combined_dependency(old_dep, new_dep)
+          package_manager = old_dep.package_manager
+          v_cls = Utils.version_class_for_package_manager(package_manager)
+
+          # If we already have a requirement use the existing version
+          # (if present). Otherwise, use whatever the lowest version is
+          new_version =
+            if old_dep.requirements.any? then old_dep.version || new_dep.version
+            elsif !v_cls.correct?(new_dep.version) then old_dep.version
+            elsif !v_cls.correct?(old_dep.version) then new_dep.version
+            elsif v_cls.new(new_dep.version) > v_cls.new(old_dep.version)
+              old_dep.version
+            else new_dep.version
+            end
+
+          Dependency.new(
+            name: old_dep.name,
+            version: new_version,
+            requirements: (old_dep.requirements + new_dep.requirements).uniq,
+            package_manager: package_manager
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/docker/docker.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require "docker_registry2"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+require "dependabot/errors"
+require "dependabot/utils/docker/credentials_finder"
+
+module Dependabot
+  module FileParsers
+    module Docker
+      class Docker < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+
+        # Detials of Docker regular expressions is at
+        # https://github.com/docker/distribution/blob/master/reference/regexp.go
+        DOMAIN_COMPONENT =
+          /(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/.freeze
+        DOMAIN = /(?:#{DOMAIN_COMPONENT}(?:\.#{DOMAIN_COMPONENT})+)/.freeze
+        REGISTRY = /(?<registry>#{DOMAIN}(?::[0-9]+)?)/.freeze
+
+        NAME_COMPONENT = /(?:[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*)/.freeze
+        IMAGE = %r{(?<image>#{NAME_COMPONENT}(?:/#{NAME_COMPONENT})*)}.freeze
+
+        FROM = /[Ff][Rr][Oo][Mm]/.freeze
+        TAG = /:(?<tag>[\w][\w.-]{0,127})/.freeze
+        DIGEST = /@(?<digest>[^\s]+)/.freeze
+        NAME = /\s+AS\s+(?<name>[a-zA-Z0-9_-]+)/.freeze
+        FROM_LINE =
+          %r{^#{FROM}\s+(#{REGISTRY}/)?#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}.freeze
+
+        AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+).amazonaws\.com/.freeze
+
+        def parse
+          dependency_set = DependencySet.new
+
+          dockerfiles.each do |dockerfile|
+            dockerfile.content.each_line do |line|
+              next unless FROM_LINE.match?(line)
+
+              parsed_from_line = FROM_LINE.match(line).named_captures
+
+              version = version_from(parsed_from_line)
+              next unless version
+
+              dependency_set << Dependency.new(
+                name: parsed_from_line.fetch("image"),
+                version: version,
+                package_manager: "docker",
+                requirements: [
+                  requirement: nil,
+                  groups: [],
+                  file: dockerfile.name,
+                  source: source_from(parsed_from_line)
+                ]
+              )
+            end
+          end
+
+          dependency_set.dependencies
+        end
+
+        private
+
+        def dockerfiles
+          # The Docker file fetcher only fetches Dockerfiles, so no need to
+          # filter here
+          dependency_files
+        end
+
+        def version_from(parsed_from_line)
+          return parsed_from_line.fetch("tag") if parsed_from_line.fetch("tag")
+
+          version_from_digest(
+            registry: parsed_from_line.fetch("registry"),
+            image: parsed_from_line.fetch("image"),
+            digest: parsed_from_line.fetch("digest")
+          )
+        end
+
+        def source_from(parsed_from_line)
+          source = {}
+
+          if parsed_from_line.fetch("registry")
+            source[:registry] = parsed_from_line.fetch("registry")
+          end
+
+          if parsed_from_line.fetch("tag")
+            source[:tag] = parsed_from_line.fetch("tag")
+          end
+
+          if parsed_from_line.fetch("digest")
+            source[:digest] = parsed_from_line.fetch("digest")
+          end
+
+          source
+        end
+
+        def version_from_digest(registry:, image:, digest:)
+          return unless digest
+
+          repo = docker_repo_name(image, registry)
+          registry_client = docker_registry_client(registry)
+          registry_client.tags(repo).fetch("tags").find do |tag|
+            digest == registry_client.digest(repo, tag)
+          rescue DockerRegistry2::NotFound
+            # Shouldn't happen, but it does. Example of existing tag with
+            # no manifest is "library/python", "2-windowsservercore".
+            false
+          end
+        rescue DockerRegistry2::RegistryAuthenticationException,
+               RestClient::Forbidden
+          raise if standard_registry?(registry)
+
+          raise PrivateSourceAuthenticationFailure, registry
+        end
+
+        def docker_repo_name(image, registry)
+          return image unless standard_registry?(registry)
+          return image unless image.split("/").count < 2
+
+          "library/#{image}"
+        end
+
+        def docker_registry_client(registry)
+          if registry
+            credentials = registry_credentials(registry)
+
+            DockerRegistry2::Registry.new(
+              "https://#{registry}",
+              user: credentials&.fetch("username"),
+              password: credentials&.fetch("password")
+            )
+          else
+            DockerRegistry2::Registry.new("https://registry.hub.docker.com")
+          end
+        end
+
+        def registry_credentials(registry_url)
+          credentials_finder.credentials_for_registry(registry_url)
+        end
+
+        def credentials_finder
+          @credentials_finder ||=
+            Utils::Docker::CredentialsFinder.new(credentials)
+        end
+
+        def standard_registry?(registry)
+          return true if registry.nil?
+
+          registry == "registry.hub.docker.com"
+        end
+
+        def check_required_files
+          # Just check if there are any files at all.
+          return if dependency_files.any?
+
+          raise "No Dockerfile!"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/dotnet/nuget.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+
+# For details on how dotnet handles version constraints, see:
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning
+module Dependabot
+  module FileParsers
+    module Dotnet
+      class Nuget < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+        require "dependabot/file_parsers/dotnet/nuget/project_file_parser"
+        require "dependabot/file_parsers/dotnet/nuget/packages_config_parser"
+
+        PACKAGE_CONF_DEPENDENCY_SELECTOR = "packages > packages"
+
+        def parse
+          dependency_set = DependencySet.new
+          dependency_set += project_file_dependencies
+          dependency_set += packages_config_dependencies
+          dependency_set.dependencies
+        end
+
+        private
+
+        def project_file_dependencies
+          dependency_set = DependencySet.new
+
+          (project_files + project_import_files).each do |file|
+            parser = project_file_parser
+            dependency_set += parser.dependency_set(project_file: file)
+          end
+
+          dependency_set
+        end
+
+        def packages_config_dependencies
+          dependency_set = DependencySet.new
+
+          packages_config_files.each do |file|
+            parser = PackagesConfigParser.new(packages_config: file)
+            dependency_set += parser.dependency_set
+          end
+
+          dependency_set
+        end
+
+        def project_file_parser
+          @project_file_parser ||=
+            ProjectFileParser.new(dependency_files: dependency_files)
+        end
+
+        def project_files
+          dependency_files.select { |df| df.name.match?(/\.[a-z]{2}proj$/) }
+        end
+
+        def packages_config_files
+          dependency_files.select do |f|
+            f.name.split("/").last.casecmp("packages.config").zero?
+          end
+        end
+
+        def project_import_files
+          dependency_files -
+            project_files -
+            packages_config_files -
+            [nuget_config]
+        end
+
+        def nuget_config
+          dependency_files.find { |f| f.name.casecmp("nuget.config").zero? }
+        end
+
+        def check_required_files
+          return if project_files.any? || packages_config_files.any?
+
+          raise "No project file or packages.config!"
+        end
+      end
+    end
+  end
+end