dependabot-core 0.76.1

data/lib/dependabot/file_parsers/java/maven.rb

@@ -0,0 +1,252 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+require "dependabot/errors"
+
+# The best Maven documentation is at:
+# - http://maven.apache.org/pom.html
+module Dependabot
+  module FileParsers
+    module Java
+      class Maven < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+        require_relative "maven/property_value_finder"
+
+        # The following "dependencies" are candidates for updating:
+        # - The project's parent
+        # - Any dependencies (incl. those in dependencyManagement or plugins)
+        # - Any plugins (incl. those in pluginManagement)
+        # - Any extensions
+        DEPENDENCY_SELECTOR = "project > parent, "\
+                              "dependencies > dependency, "\
+                              "extensions > extension"
+        PLUGIN_SELECTOR     = "plugins > plugin"
+
+        # Regex to get the property name from a declaration that uses a property
+        PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/.freeze
+
+        def parse
+          dependency_set = DependencySet.new
+          pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
+          dependency_set.dependencies
+        end
+
+        private
+
+        def pomfile_dependencies(pom)
+          dependency_set = DependencySet.new
+
+          errors = []
+          doc = Nokogiri::XML(pom.content)
+          doc.remove_namespaces!
+
+          doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
+            dep = dependency_from_dependency_node(pom, dependency_node)
+            dependency_set << dep if dep
+          rescue DependencyFileNotEvaluatable => error
+            errors << error
+          end
+
+          doc.css(PLUGIN_SELECTOR).each do |dependency_node|
+            dep = dependency_from_plugin_node(pom, dependency_node)
+            dependency_set << dep if dep
+          rescue DependencyFileNotEvaluatable => error
+            errors << error
+          end
+
+          raise errors.first if errors.any? && dependency_set.dependencies.none?
+
+          dependency_set
+        end
+
+        def dependency_from_dependency_node(pom, dependency_node)
+          return unless (name = dependency_name(dependency_node, pom))
+          return if internal_dependency_names.include?(name)
+
+          build_dependency(pom, dependency_node, name)
+        end
+
+        def dependency_from_plugin_node(pom, dependency_node)
+          return unless (name = plugin_name(dependency_node, pom))
+          return if internal_dependency_names.include?(name)
+
+          build_dependency(pom, dependency_node, name)
+        end
+
+        def build_dependency(pom, dependency_node, name)
+          property_details =
+            {
+              property_name: version_property_name(dependency_node),
+              property_source: property_source(dependency_node, pom)
+            }.compact
+
+          Dependency.new(
+            name: name,
+            version: dependency_version(pom, dependency_node),
+            package_manager: "maven",
+            requirements: [{
+              requirement: dependency_requirement(pom, dependency_node),
+              file: pom.name,
+              groups: [],
+              source: nil,
+              metadata: {
+                packaging_type: packaging_type(pom, dependency_node)
+              }.merge(property_details)
+            }]
+          )
+        end
+
+        def dependency_name(dependency_node, pom)
+          return unless dependency_node.at_xpath("./groupId")
+          return unless dependency_node.at_xpath("./artifactId")
+
+          [
+            evaluated_value(
+              dependency_node.at_xpath("./groupId").content.strip,
+              pom
+            ),
+            evaluated_value(
+              dependency_node.at_xpath("./artifactId").content.strip,
+              pom
+            )
+          ].join(":")
+        end
+
+        def plugin_name(dependency_node, pom)
+          return unless plugin_group_id(pom, dependency_node)
+          return unless dependency_node.at_xpath("./artifactId")
+
+          [
+            plugin_group_id(pom, dependency_node),
+            evaluated_value(
+              dependency_node.at_xpath("./artifactId").content.strip,
+              pom
+            )
+          ].join(":")
+        end
+
+        def plugin_group_id(pom, node)
+          return "org.apache.maven.plugins" unless node.at_xpath("./groupId")
+
+          evaluated_value(
+            node.at_xpath("./groupId").content.strip,
+            pom
+          )
+        end
+
+        def dependency_version(pom, dependency_node)
+          requirement = dependency_requirement(pom, dependency_node)
+          return nil unless requirement
+
+          # If a range is specified then we can't tell the exact version
+          return nil if requirement.include?(",")
+
+          # Remove brackets if present (and not denoting a range)
+          requirement.gsub(/[\(\)\[\]]/, "").strip
+        end
+
+        def dependency_requirement(pom, dependency_node)
+          return unless dependency_node.at_xpath("./version")
+
+          version_content = dependency_node.at_xpath("./version").content.strip
+          version_content = evaluated_value(version_content, pom)
+
+          version_content.empty? ? nil : version_content
+        end
+
+        def packaging_type(pom, dependency_node)
+          return "pom" if dependency_node.node_name == "parent"
+          return "jar" unless dependency_node.at_xpath("./type")
+
+          packaging_type_content = dependency_node.at_xpath("./type").
+                                   content.strip
+
+          evaluated_value(packaging_type_content, pom)
+        end
+
+        def version_property_name(dependency_node)
+          return unless dependency_node.at_xpath("./version")
+
+          version_content = dependency_node.at_xpath("./version").content.strip
+
+          return unless version_content.match?(PROPERTY_REGEX)
+
+          version_content.
+            match(PROPERTY_REGEX).
+            named_captures.fetch("property")
+        end
+
+        def evaluated_value(value, pom)
+          return value unless value.match?(PROPERTY_REGEX)
+
+          property_name = value.match(PROPERTY_REGEX).
+                          named_captures.fetch("property")
+          property_value = value_for_property(property_name, pom)
+
+          value.gsub(PROPERTY_REGEX, property_value)
+        end
+
+        def property_source(dependency_node, pom)
+          property_name = version_property_name(dependency_node)
+          return unless property_name
+
+          declaring_pom =
+            property_value_finder.
+            property_details(property_name: property_name, callsite_pom: pom)&.
+            fetch(:file)
+
+          return declaring_pom if declaring_pom
+
+          msg = "Property not found: #{property_name}"
+          raise DependencyFileNotEvaluatable, msg
+        end
+
+        def value_for_property(property_name, pom)
+          value =
+            property_value_finder.
+            property_details(property_name: property_name, callsite_pom: pom)&.
+            fetch(:value)
+
+          return value if value
+
+          msg = "Property not found: #{property_name}"
+          raise DependencyFileNotEvaluatable, msg
+        end
+
+        # Cached, since this can makes calls to the registry (to get property
+        # values from parent POMs)
+        def property_value_finder
+          @property_value_finder ||=
+            PropertyValueFinder.new(dependency_files: dependency_files)
+        end
+
+        def pomfiles
+          # Note: this (correctly) excludes any parent POMs that were downloaded
+          @pomfiles ||=
+            dependency_files.select { |f| f.name.end_with?("pom.xml") }
+        end
+
+        def internal_dependency_names
+          @internal_dependency_names ||=
+            dependency_files.map do |pom|
+              doc = Nokogiri::XML(pom.content)
+              group_id    = doc.at_css("project > groupId") ||
+                            doc.at_css("project > parent > groupId")
+              artifact_id = doc.at_css("project > artifactId")
+
+              next unless group_id && artifact_id
+
+              [group_id.content.strip, artifact_id.content.strip].join(":")
+            end.compact
+        end
+
+        def check_required_files
+          raise "No pom.xml!" unless get_original_file("pom.xml")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/java/maven/property_value_finder.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency_file"
+require "dependabot/file_parsers/java/maven"
+require "dependabot/shared_helpers"
+
+# For documentation, see:
+# - http://maven.apache.org/guides/introduction/introduction-to-the-pom.html
+# - http://maven.apache.org/pom.html#Properties
+module Dependabot
+  module FileParsers
+    module Java
+      class Maven
+        class PropertyValueFinder
+          require_relative "repositories_finder"
+
+          DOT_SEPARATOR_REGEX = %r{\.(?:(?!\d+[.\/])+)}.freeze
+
+          def initialize(dependency_files:)
+            @dependency_files = dependency_files
+          end
+
+          def property_details(property_name:, callsite_pom:)
+            pom = callsite_pom
+            doc = Nokogiri::XML(pom.content)
+            doc.remove_namespaces!
+
+            # Loop through the paths that would satisfy this property name,
+            # looking for one that exists in this POM
+            nm = sanitize_property_name(property_name)
+            node =
+              loop do
+                candidate_node =
+                  doc.at_xpath("/project/#{nm}") ||
+                  doc.at_xpath("/project/properties/#{nm}") ||
+                  doc.at_xpath("/project/profiles/profile/properties/#{nm}")
+                break candidate_node if candidate_node
+                break unless nm.match?(DOT_SEPARATOR_REGEX)
+
+                nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
+              end
+
+            # If we found a property, return it
+            if node
+              return { file: pom.name, node: node, value: node.content.strip }
+            end
+
+            # Otherwise, look for a value in this pom's parent
+            return unless (parent = parent_pom(pom))
+
+            property_details(
+              property_name: property_name,
+              callsite_pom: parent
+            )
+          end
+
+          private
+
+          attr_reader :dependency_files
+
+          def internal_dependency_poms
+            return @internal_dependency_poms if @internal_dependency_poms
+
+            @internal_dependency_poms = {}
+            dependency_files.each do |pom|
+              doc = Nokogiri::XML(pom.content)
+              group_id    = doc.at_css("project > groupId") ||
+                            doc.at_css("project > parent > groupId")
+              artifact_id = doc.at_css("project > artifactId")
+
+              next unless group_id && artifact_id
+
+              dependency_name = [
+                group_id.content.strip,
+                artifact_id.content.strip
+              ].join(":")
+
+              @internal_dependency_poms[dependency_name] = pom
+            end
+
+            @internal_dependency_poms
+          end
+
+          def sanitize_property_name(property_name)
+            property_name.sub(/^pom\./, "").sub(/^project\./, "")
+          end
+
+          def parent_pom(pom)
+            doc = Nokogiri::XML(pom.content)
+            doc.remove_namespaces!
+            group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
+            artifact_id =
+              doc.at_xpath("/project/parent/artifactId")&.content&.strip
+            version = doc.at_xpath("/project/parent/version")&.content&.strip
+
+            return unless group_id && artifact_id
+
+            name = [group_id, artifact_id].join(":")
+
+            if internal_dependency_poms[name]
+              return internal_dependency_poms[name]
+            end
+
+            return unless version && !version.include?(",")
+
+            fetch_remote_parent_pom(group_id, artifact_id, version, pom)
+          end
+
+          def parent_repository_urls(pom)
+            repositories_finder.repository_urls(
+              pom: pom,
+              exclude_inherited: true
+            )
+          end
+
+          def repositories_finder
+            @repositories_finder ||=
+              RepositoriesFinder.new(
+                dependency_files: dependency_files,
+                evaluate_properties: false
+              )
+          end
+
+          def fetch_remote_parent_pom(group_id, artifact_id, version, pom)
+            parent_repository_urls(pom).each do |base_url|
+              url = remote_pom_url(group_id, artifact_id, version, base_url)
+
+              @maven_responses ||= {}
+              @maven_responses[url] ||= Excon.get(
+                url,
+                idempotent: true,
+                **SharedHelpers.excon_defaults
+              )
+              next unless @maven_responses[url].status == 200
+              next unless pom?(@maven_responses[url].body)
+
+              dependency_file = DependencyFile.new(
+                name: "remote_pom.xml",
+                content: @maven_responses[url].body
+              )
+
+              return dependency_file
+            rescue Excon::Error::Socket, Excon::Error::Timeout
+              nil
+            end
+
+            # If a parent POM couldn't be found, return `nil`
+            nil
+          end
+
+          def remote_pom_url(group_id, artifact_id, version, base_repo_url)
+            "#{base_repo_url}/"\
+            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/"\
+            "#{artifact_id}-#{version}.pom"
+          end
+
+          def pom?(content)
+            !Nokogiri::XML(content).at_css("project > artifactId").nil?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/java/maven/repositories_finder.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency_file"
+require "dependabot/file_parsers/java/maven"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+# For documentation, see:
+# - http://maven.apache.org/pom.html#Repositories
+# - http://maven.apache.org/guides/mini/guide-multiple-repositories.html
+module Dependabot
+  module FileParsers
+    module Java
+      class Maven
+        class RepositoriesFinder
+          require_relative "property_value_finder"
+          # In theory we should check the artifact type and either look in
+          # <repositories> or <pluginRepositories>. In practice it's unlikely
+          # anyone makes this distinction.
+          REPOSITORY_SELECTOR = "repositories > repository, "\
+                                "pluginRepositories > pluginRepository"
+
+          # The Central Repository is included in the Super POM, which is
+          # always inherited from.
+          CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
+
+          def initialize(dependency_files:, evaluate_properties: true)
+            @dependency_files = dependency_files
+
+            # We need the option not to evaluate properties so as not to have a
+            # circular dependency between this class and the PropertyValueFinder
+            # class
+            @evaluate_properties = evaluate_properties
+          end
+
+          # Collect all repository URLs from this POM and its parents
+          def repository_urls(pom:, exclude_inherited: false)
+            repo_urls_in_pom =
+              Nokogiri::XML(pom.content).
+              css(REPOSITORY_SELECTOR).
+              map { |node| node.at_css("url").content.strip.gsub(%r{/$}, "") }.
+              reject { |url| contains_property?(url) && !evaluate_properties? }.
+              select { |url| url.start_with?("http") }.
+              map { |url| evaluated_value(url, pom) }
+
+            return repo_urls_in_pom + [CENTRAL_REPO_URL] if exclude_inherited
+
+            unless (parent = parent_pom(pom, repo_urls_in_pom))
+              return repo_urls_in_pom + [CENTRAL_REPO_URL]
+            end
+
+            repo_urls_in_pom + repository_urls(pom: parent)
+          end
+
+          private
+
+          attr_reader :dependency_files
+
+          def evaluate_properties?
+            @evaluate_properties
+          end
+
+          def parent_pom(pom, repo_urls)
+            doc = Nokogiri::XML(pom.content)
+            doc.remove_namespaces!
+            group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
+            artifact_id =
+              doc.at_xpath("/project/parent/artifactId")&.content&.strip
+            version = doc.at_xpath("/project/parent/version")&.content&.strip
+
+            return unless group_id && artifact_id
+
+            name = [group_id, artifact_id].join(":")
+
+            if internal_dependency_poms[name]
+              return internal_dependency_poms[name]
+            end
+
+            return unless version && !version.include?(",")
+
+            fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
+          end
+
+          def internal_dependency_poms
+            return @internal_dependency_poms if @internal_dependency_poms
+
+            @internal_dependency_poms = {}
+            dependency_files.each do |pom|
+              doc = Nokogiri::XML(pom.content)
+              group_id    = doc.at_css("project > groupId") ||
+                            doc.at_css("project > parent > groupId")
+              artifact_id = doc.at_css("project > artifactId")
+
+              next unless group_id && artifact_id
+
+              dependency_name = [
+                group_id.content.strip,
+                artifact_id.content.strip
+              ].join(":")
+
+              @internal_dependency_poms[dependency_name] = pom
+            end
+
+            @internal_dependency_poms
+          end
+
+          def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
+            (repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
+              url = remote_pom_url(group_id, artifact_id, version, base_url)
+
+              @maven_responses ||= {}
+              @maven_responses[url] ||= Excon.get(
+                url,
+                idempotent: true,
+                **SharedHelpers.excon_defaults
+              )
+              next unless @maven_responses[url].status == 200
+              next unless pom?(@maven_responses[url].body)
+
+              dependency_file = DependencyFile.new(
+                name: "remote_pom.xml",
+                content: @maven_responses[url].body
+              )
+
+              return dependency_file
+            rescue Excon::Error::Socket, Excon::Error::Timeout
+              nil
+            end
+
+            # If a parent POM couldn't be found, return `nil`
+            nil
+          end
+
+          def remote_pom_url(group_id, artifact_id, version, base_repo_url)
+            "#{base_repo_url}/"\
+            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/"\
+            "#{artifact_id}-#{version}.pom"
+          end
+
+          def contains_property?(value)
+            value.match?(property_regex)
+          end
+
+          def evaluated_value(value, pom)
+            return value unless contains_property?(value)
+
+            property_name = value.match(property_regex).
+                            named_captures.fetch("property")
+            property_value = value_for_property(property_name, pom)
+
+            value.gsub(property_regex, property_value)
+          end
+
+          def value_for_property(property_name, pom)
+            value =
+              property_value_finder.
+              property_details(
+                property_name: property_name,
+                callsite_pom: pom
+              )&.fetch(:value)
+
+            return value if value
+
+            msg = "Property not found: #{property_name}"
+            raise DependencyFileNotEvaluatable, msg
+          end
+
+          # Cached, since this can makes calls to the registry (to get property
+          # values from parent POMs)
+          def property_value_finder
+            @property_value_finder ||=
+              PropertyValueFinder.new(dependency_files: dependency_files)
+          end
+
+          def property_regex
+            FileParsers::Java::Maven::PROPERTY_REGEX
+          end
+
+          def pom?(content)
+            !Nokogiri::XML(content).at_css("project > artifactId").nil?
+          end
+        end
+      end
+    end
+  end
+end