dependabot-core 0.76.1

data/lib/dependabot/file_parsers/elm/elm_package.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/errors"
+require "dependabot/file_parsers/base"
+require "dependabot/utils/elm/requirement"
+
+module Dependabot
+  module FileParsers
+    module Elm
+      class ElmPackage < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+
+        DEPENDENCY_TYPES = %w(dependencies test-dependencies).freeze
+
+        def parse
+          dependency_set = DependencySet.new
+
+          dependency_set += elm_package_dependencies if elm_package
+          dependency_set += elm_json_dependencies if elm_json
+
+          dependency_set.dependencies.sort_by(&:name)
+        end
+
+        private
+
+        def elm_package_dependencies
+          dependency_set = DependencySet.new
+
+          parsed_package_file.fetch("dependencies").each do |name, req|
+            dependency_set <<
+              Dependency.new(
+                name: name,
+                version: version_for(req)&.to_s,
+                requirements: [{
+                  requirement: req, # 4.0 <= v <= 4.0
+                  groups: [], # we don't have this (its dev vs non-dev)
+                  source: nil, # elm-package only has elm-package sources
+                  file: "elm-package.json"
+                }],
+                package_manager: "elm-package"
+              )
+          end
+
+          dependency_set
+        end
+
+        # For docs on elm.json, see:
+        # https://github.com/elm/compiler/blob/master/docs/elm.json/application.md
+        # https://github.com/elm/compiler/blob/master/docs/elm.json/package.md
+        def elm_json_dependencies
+          dependency_set = DependencySet.new
+
+          DEPENDENCY_TYPES.each do |dep_type|
+            if repo_type == "application"
+              dependencies_hash = parsed_elm_json.fetch(dep_type, {})
+              dependencies_hash.fetch("direct", {}).each do |name, req|
+                dependency_set << build_elm_json_dependency(
+                  name: name, group: dep_type, requirement: req, direct: true
+                )
+              end
+              dependencies_hash.fetch("indirect", {}).each do |name, req|
+                dependency_set << build_elm_json_dependency(
+                  name: name, group: dep_type, requirement: req, direct: false
+                )
+              end
+            elsif repo_type == "package"
+              parsed_elm_json.fetch(dep_type, {}).each do |name, req|
+                dependency_set << build_elm_json_dependency(
+                  name: name, group: dep_type, requirement: req, direct: true
+                )
+              end
+            else raise "Unexpected repo type for Elm repo: #{repo_type}"
+            end
+          end
+
+          dependency_set
+        end
+
+        def build_elm_json_dependency(name:, group:, requirement:, direct:)
+          requirements = [{
+            requirement: requirement,
+            groups: [group],
+            source: nil,
+            file: "elm.json"
+          }]
+
+          Dependency.new(
+            name: name,
+            version: version_for(requirement)&.to_s,
+            requirements: direct ? requirements : [],
+            package_manager: "elm-package"
+          )
+        end
+
+        def repo_type
+          parsed_elm_json.fetch("type")
+        end
+
+        def check_required_files
+          return if elm_json || elm_package
+
+          raise "No elm.json or elm-package.json!"
+        end
+
+        def version_for(version_requirement)
+          req = Dependabot::Utils::Elm::Requirement.new(version_requirement)
+
+          return unless req.exact?
+
+          req.requirements.first.last
+        end
+
+        def parsed_package_file
+          @parsed_package_file ||= JSON.parse(elm_package.content)
+        rescue JSON::ParserError
+          raise Dependabot::DependencyFileNotParseable, elm_package.path
+        end
+
+        def parsed_elm_json
+          @parsed_elm_json ||= JSON.parse(elm_json.content)
+        rescue JSON::ParserError
+          raise Dependabot::DependencyFileNotParseable, elm_json.path
+        end
+
+        def elm_package
+          @elm_package ||= get_original_file("elm-package.json")
+        end
+
+        def elm_json
+          @elm_json ||= get_original_file("elm.json")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/git/submodules.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "parseconfig"
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module FileParsers
+    module Git
+      class Submodules < Dependabot::FileParsers::Base
+        def parse
+          SharedHelpers.in_a_temporary_directory do
+            File.write(".gitmodules", gitmodules_file.content)
+
+            ParseConfig.new(".gitmodules").params.map do |_, params|
+              branch = params["branch"]
+
+              Dependency.new(
+                name: params["path"],
+                version: submodule_sha(params["path"]),
+                package_manager: "submodules",
+                requirements: [{
+                  requirement: nil,
+                  file: ".gitmodules",
+                  source: {
+                    type: "git",
+                    url: absolute_url(params["url"]),
+                    branch: branch,
+                    ref: branch
+                  },
+                  groups: []
+                }]
+              )
+            end
+          end
+        end
+
+        private
+
+        def absolute_url(url)
+          # Submodules can be specified with a relative URL (e.g., ../repo.git)
+          # which we want to expand out into a full URL if present.
+          return url unless url.start_with?("../", "./")
+
+          path = Pathname.new(File.join(source.repo, url))
+          "https://#{source.hostname}/#{path.cleanpath}"
+        end
+
+        def submodule_sha(path)
+          submodule = dependency_files.find { |f| f.name == path }
+          raise "Submodule not found #{path}" unless submodule
+
+          submodule.content
+        end
+
+        def gitmodules_file
+          @gitmodules_file ||= get_original_file(".gitmodules")
+        end
+
+        def check_required_files
+          %w(.gitmodules).each do |filename|
+            raise "No #{filename}!" unless get_original_file(filename)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/go/dep.rb

@@ -0,0 +1,163 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+require "dependabot/errors"
+require "dependabot/dependency"
+require "dependabot/shared_helpers"
+require "dependabot/source"
+
+require "dependabot/file_parsers/base"
+require "dependabot/utils/go/requirement"
+require "dependabot/utils/go/path_converter"
+
+# Relevant dep docs can be found at:
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# - https://github.com/golang/dep/blob/master/docs/Gopkg.lock.md
+module Dependabot
+  module FileParsers
+    module Go
+      class Dep < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+
+        REQUIREMENT_TYPES = %w(constraint override).freeze
+
+        def parse
+          dependency_set = DependencySet.new
+          dependency_set += manifest_dependencies
+          dependency_set += lockfile_dependencies
+          dependency_set.dependencies
+        end
+
+        private
+
+        def manifest_dependencies
+          dependency_set = DependencySet.new
+
+          REQUIREMENT_TYPES.each do |type|
+            parsed_file(manifest).fetch(type, []).each do |details|
+              next if lockfile && !appears_in_lockfile?(details.fetch("name"))
+              next if missing_version_in_manifest_and_lockfile(details)
+
+              dependency_set << Dependency.new(
+                name: details.fetch("name"),
+                version: nil,
+                package_manager: "dep",
+                requirements: [{
+                  requirement: requirement_from_declaration(details),
+                  file: manifest.name,
+                  groups: [],
+                  source: source_from_declaration(details)
+                }]
+              )
+            end
+          end
+
+          dependency_set
+        end
+
+        def lockfile_dependencies
+          dependency_set = DependencySet.new
+
+          parsed_file(lockfile).fetch("projects", []).each do |details|
+            dependency_set << Dependency.new(
+              name: details.fetch("name"),
+              version: version_from_lockfile(details),
+              package_manager: "dep",
+              requirements: []
+            )
+          end
+
+          dependency_set
+        end
+
+        def version_from_lockfile(details)
+          details["version"]&.sub(/^v?/, "") || details.fetch("revision")
+        end
+
+        def requirement_from_declaration(declaration)
+          unless declaration.is_a?(Hash)
+            raise "Unexpected dependency declaration: #{declaration}"
+          end
+
+          return if git_declaration?(declaration)
+
+          declaration["version"]
+        end
+
+        def source_from_declaration(declaration)
+          source = declaration["source"] || declaration["name"]
+
+          git_source_url = git_source(source)
+
+          if git_source_url && git_declaration?(declaration)
+            {
+              type: "git",
+              url: git_source_url,
+              branch: declaration["branch"],
+              ref: declaration["revision"] || declaration["version"]
+            }
+          elsif git_declaration?(declaration)
+            raise "No git source for a git declaration!"
+          else
+            {
+              type: "default",
+              source: source
+            }
+          end
+        end
+
+        def appears_in_lockfile?(dependency_name)
+          parsed_file(lockfile).fetch("projects", []).
+            any? { |details| details["name"] == dependency_name }
+        end
+
+        def git_declaration?(declaration)
+          return true if declaration["branch"] || declaration["revision"]
+          return false unless declaration["version"]
+          return false unless declaration["version"].match?(/^[A-Za-z0-9]/)
+
+          Utils::Go::Requirement.new(declaration["version"])
+          false
+        rescue Gem::Requirement::BadRequirementError
+          true
+        end
+
+        def git_source(path)
+          Dependabot::Utils::Go::PathConverter.git_url_for_path(path)
+        end
+
+        def parsed_file(file)
+          @parsed_file ||= {}
+          @parsed_file[file.name] ||= TomlRB.parse(file.content)
+        rescue TomlRB::ParseError
+          raise Dependabot::DependencyFileNotParseable, file.path
+        end
+
+        def manifest
+          @manifest ||= get_original_file("Gopkg.toml")
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("Gopkg.lock")
+        end
+
+        def check_required_files
+          %w(Gopkg.toml Gopkg.lock).each do |filename|
+            raise "No #{filename}!" unless get_original_file(filename)
+          end
+        end
+
+        def missing_version_in_manifest_and_lockfile(declaration)
+          return false if git_declaration?(declaration)
+
+          lockfile_decl =
+            parsed_file(lockfile).
+            fetch("projects", []).
+            find { |details| details["name"] == declaration["name"] }
+          lockfile_decl&.fetch("version", nil).nil?
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/go/modules.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require "dependabot/file_parsers/base"
+
+module Dependabot
+  module FileParsers
+    module Go
+      class Modules < Dependabot::FileParsers::Base
+        require_relative "modules/go_mod_parser"
+
+        def parse
+          go_mod_dependencies.dependencies
+        end
+
+        private
+
+        def go_mod_dependencies
+          @go_mod_dependencies ||=
+            Modules::GoModParser.
+            new(dependency_files: dependency_files, credentials: credentials).
+            dependency_set
+        end
+
+        def go_mod
+          @go_mod ||= get_original_file("go.mod")
+        end
+
+        def check_required_files
+          raise "No go.mod!" unless go_mod
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/go/modules/go_mod_parser.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+require "open3"
+require "dependabot/dependency"
+require "dependabot/file_parsers/base/dependency_set"
+require "dependabot/file_parsers/go/modules"
+require "dependabot/utils/go/path_converter"
+require "dependabot/errors"
+
+module Dependabot
+  module FileParsers
+    module Go
+      class Modules
+        class GoModParser
+          GIT_VERSION_REGEX = /^v\d+\.\d+\.\d+-.*-(?<sha>[0-9a-f]{12})$/.freeze
+
+          def initialize(dependency_files:, credentials:)
+            @dependency_files = dependency_files
+            @credentials = credentials
+          end
+
+          def dependency_set
+            dependencies = Dependabot::FileParsers::Base::DependencySet.new
+
+            i = 0
+            chunks = module_info(go_mod).lines.
+                     group_by { |line| line == "{\n" ? i += 1 : i }
+            deps = chunks.values.map { |chunk| JSON.parse(chunk.join) }
+
+            deps.each do |dep|
+              # The project itself appears in this list as "Main"
+              next if dep["Main"]
+
+              dependency = dependency_from_details(dep)
+              dependencies << dependency if dependency
+            end
+
+            dependencies
+          end
+
+          private
+
+          attr_reader :dependency_files, :credentials
+
+          def dependency_from_details(details)
+            source =
+              if rev_identifier?(details) then git_source(details)
+              else { type: "default", source: details["Path"] }
+              end
+
+            version = details["Version"]&.sub(/^v?/, "")
+
+            reqs = [{
+              requirement: rev_identifier?(details) ? nil : details["Version"],
+              file: go_mod.name,
+              source: source,
+              groups: []
+            }]
+
+            Dependency.new(
+              name: details["Path"],
+              version: version,
+              requirements: details["Indirect"] ? [] : reqs,
+              package_manager: "dep"
+            )
+          end
+
+          def module_info(go_mod)
+            @module_info ||=
+              SharedHelpers.in_a_temporary_directory do |path|
+                SharedHelpers.with_git_configured(credentials: credentials) do
+                  File.write("go.mod", go_mod.content)
+
+                  command = "GO111MODULE=on go mod edit -print > /dev/null"
+                  command += " && GO111MODULE=on go list -m -json all"
+                  stdout, stderr, status = Open3.capture3(command)
+                  handle_parser_error(path, stderr) unless status.success?
+                  stdout
+                end
+              end
+          end
+
+          def handle_parser_error(path, stderr)
+            case stderr
+            when /go: .*: unknown revision/
+              line = stderr.lines.grep(/unknown revision/).first
+              raise Dependabot::DependencyFileNotResolvable, line.strip
+            when /go: .*: unrecognized import path/
+              line = stderr.lines.grep(/unrecognized import/).first
+              raise Dependabot::DependencyFileNotResolvable, line.strip
+            when /go: errors parsing go.mod/
+              msg = stderr.gsub(path.to_s, "").strip
+              raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
+            else
+              msg = stderr.gsub(path.to_s, "").strip
+              raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
+            end
+          end
+
+          def rev_identifier?(dep)
+            dep["Version"]&.match?(GIT_VERSION_REGEX)
+          end
+
+          def git_source(dep)
+            url = Utils::Go::PathConverter.git_url_for_path(dep["Path"])
+
+            # Currently, we have no way of knowing whether the commit tagged
+            # is being used because a branch is being followed or because a
+            # particular ref is in use. We *assume* that a particular ref is in
+            # use (which means we'll only propose updates when its included in
+            # a release)
+            {
+              type: "git",
+              url: url || dep["Path"],
+              ref: git_revision(dep),
+              branch: nil
+            }
+          end
+
+          def git_revision(dep)
+            raw_version = dep.fetch("Version")
+            return raw_version unless raw_version.match?(GIT_VERSION_REGEX)
+
+            raw_version.match(GIT_VERSION_REGEX).named_captures.fetch("sha")
+          end
+
+          def go_mod
+            @go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
+          end
+        end
+      end
+    end
+  end
+end