dependabot-core 0.76.1

data/lib/dependabot/file_parsers/ruby/bundler/file_preparer.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/file_parsers/ruby/bundler"
+require "dependabot/file_updaters/ruby/bundler/gemspec_sanitizer"
+
+module Dependabot
+  module FileParsers
+    module Ruby
+      class Bundler
+        class FilePreparer
+          def initialize(dependency_files:)
+            @dependency_files = dependency_files
+          end
+
+          def prepared_dependency_files
+            files = []
+
+            gemspecs.compact.each do |file|
+              files << DependencyFile.new(
+                name: file.name,
+                content: sanitize_gemspec_content(file.content),
+                directory: file.directory
+              )
+            end
+
+            files += [
+              gemfile,
+              *evaled_gemfiles,
+              lockfile,
+              ruby_version_file,
+              *imported_ruby_files
+            ].compact
+          end
+
+          private
+
+          attr_reader :dependency_files
+
+          def gemfile
+            dependency_files.find { |f| f.name == "Gemfile" } ||
+              dependency_files.find { |f| f.name == "gems.rb" }
+          end
+
+          def evaled_gemfiles
+            dependency_files.
+              reject { |f| f.name.end_with?(".gemspec") }.
+              reject { |f| f.name.end_with?(".lock") }.
+              reject { |f| f.name.end_with?(".ruby-version") }.
+              reject { |f| f.name == "Gemfile" }.
+              reject { |f| f.name == "gems.rb" }.
+              reject { |f| f.name == "gems.locked" }
+          end
+
+          def lockfile
+            dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+              dependency_files.find { |f| f.name == "gems.locked" }
+          end
+
+          def gemspecs
+            dependency_files.select { |f| f.name.end_with?(".gemspec") }
+          end
+
+          def ruby_version_file
+            dependency_files.find { |f| f.name == ".ruby-version" }
+          end
+
+          def imported_ruby_files
+            dependency_files.
+              select { |f| f.name.end_with?(".rb") }.
+              reject { |f| f.name == "gems.rb" }
+          end
+
+          def sanitize_gemspec_content(gemspec_content)
+            # No need to set the version correctly - this is just an update
+            # check so we're not going to persist any changes to the lockfile.
+            FileUpdaters::Ruby::Bundler::GemspecSanitizer.
+              new(replacement_version: "0.0.1").
+              rewrite(gemspec_content)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/ruby/bundler/gemfile_checker.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/file_parsers/ruby/bundler"
+
+module Dependabot
+  module FileParsers
+    module Ruby
+      class Bundler
+        # Checks whether a dependency is declared in a Gemfile
+        class GemfileChecker
+          def initialize(dependency:, gemfile:)
+            @dependency = dependency
+            @gemfile = gemfile
+          end
+
+          def includes_dependency?
+            return false unless Parser::CurrentRuby.parse(gemfile.content)
+
+            Parser::CurrentRuby.parse(gemfile.content).children.any? do |node|
+              deep_check_for_gem(node)
+            end
+          end
+
+          private
+
+          attr_reader :dependency, :gemfile
+
+          def deep_check_for_gem(node)
+            return true if declares_targeted_gem?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+
+            node.children.any? do |child_node|
+              deep_check_for_gem(child_node)
+            end
+          end
+
+          def declares_targeted_gem?(node)
+            return false unless node.is_a?(Parser::AST::Node)
+            return false unless node.children[1] == :gem
+
+            node.children[2].children.first == dependency.name
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_parsers/rust/cargo.rb

@@ -0,0 +1,213 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers/base"
+require "dependabot/utils/rust/requirement"
+require "dependabot/utils/rust/version"
+require "dependabot/errors"
+
+# Relevant Cargo docs can be found at:
+# - https://doc.rust-lang.org/cargo/reference/manifest.html
+# - https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
+module Dependabot
+  module FileParsers
+    module Rust
+      class Cargo < Dependabot::FileParsers::Base
+        require "dependabot/file_parsers/base/dependency_set"
+
+        DEPENDENCY_TYPES =
+          %w(dependencies dev-dependencies build-dependencies).freeze
+
+        def parse
+          check_rust_workspace_root
+
+          dependency_set = DependencySet.new
+          dependency_set += manifest_dependencies
+          dependency_set += lockfile_dependencies if lockfile
+
+          dependencies = dependency_set.dependencies
+
+          # TODO: Handle patched dependencies
+          dependencies.reject! { |d| patched_dependencies.include?(d.name) }
+
+          # TODO: Currently, Dependabot can't handle dependencies that have
+          # multiple source types. Fix that!
+          dependencies.reject do |dep|
+            dep.requirements.map { |r| r.dig(:source, :type) }.uniq.count > 1
+          end
+        end
+
+        private
+
+        def check_rust_workspace_root
+          cargo_toml = dependency_files.find { |f| f.name == "Cargo.toml" }
+          workspace_root = parsed_file(cargo_toml).dig("package", "workspace")
+          return unless workspace_root
+
+          msg = "This project is part of a Rust workspace but is not the "\
+                "workspace root."\
+
+          if cargo_toml.directory != "/"
+            msg += "Please update your settings so Dependabot points at the "\
+                   "workspace root instead of #{cargo_toml.directory}."
+          end
+          raise Dependabot::DependencyFileNotEvaluatable, msg
+        end
+
+        def manifest_dependencies
+          dependency_set = DependencySet.new
+
+          DEPENDENCY_TYPES.each do |type|
+            manifest_files.each do |file|
+              parsed_file(file).fetch(type, {}).each do |name, requirement|
+                next if lockfile && !version_from_lockfile(name, requirement)
+
+                dependency_set << Dependency.new(
+                  name: name,
+                  version: version_from_lockfile(name, requirement),
+                  package_manager: "cargo",
+                  requirements: [{
+                    requirement: requirement_from_declaration(requirement),
+                    file: file.name,
+                    groups: [type],
+                    source: source_from_declaration(requirement)
+                  }]
+                )
+              end
+            end
+          end
+
+          dependency_set
+        end
+
+        def lockfile_dependencies
+          dependency_set = DependencySet.new
+          return dependency_set unless lockfile
+
+          parsed_file(lockfile).fetch("package", []).each do |package_details|
+            next unless package_details["source"]
+
+            # TODO: This isn't quite right, as it will only give us one
+            # version of each dependency (when in fact there are many)
+            dependency_set << Dependency.new(
+              name: package_details["name"],
+              version: version_from_lockfile_details(package_details),
+              package_manager: "cargo",
+              requirements: []
+            )
+          end
+
+          dependency_set
+        end
+
+        def patched_dependencies
+          root_manifest = manifest_files.find { |f| f.name == "Cargo.toml" }
+          return [] unless parsed_file(root_manifest)["patch"]
+
+          parsed_file(root_manifest)["patch"].values.flat_map(&:keys)
+        end
+
+        def requirement_from_declaration(declaration)
+          if declaration.is_a?(String)
+            return declaration == "" ? nil : declaration
+          end
+          unless declaration.is_a?(Hash)
+            raise "Unexpected dependency declaration: #{declaration}"
+          end
+          return declaration["version"] if declaration["version"]
+
+          nil
+        end
+
+        def source_from_declaration(declaration)
+          return if declaration.is_a?(String)
+          unless declaration.is_a?(Hash)
+            raise "Unexpected dependency declaration: #{declaration}"
+          end
+
+          return git_source_details(declaration) if declaration["git"]
+          return { type: "path" } if declaration["path"]
+        end
+
+        def version_from_lockfile(name, declaration)
+          return unless lockfile
+
+          candidate_packages =
+            parsed_file(lockfile).fetch("package", []).
+            select { |p| p["name"] == name }
+
+          if (req = requirement_from_declaration(declaration))
+            req = Utils::Rust::Requirement.new(req)
+
+            candidate_packages =
+              candidate_packages.
+              select { |p| req.satisfied_by?(version_class.new(p["version"])) }
+          end
+
+          candidate_packages =
+            candidate_packages.
+            select do |p|
+              git_req?(declaration) ^ !p["source"]&.start_with?("git+")
+            end
+
+          package =
+            candidate_packages.
+            max_by { |p| version_class.new(p["version"]) }
+
+          return unless package
+
+          version_from_lockfile_details(package)
+        end
+
+        def git_req?(declaration)
+          source_from_declaration(declaration)&.fetch(:type, nil) == "git"
+        end
+
+        def git_source_details(declaration)
+          {
+            type: "git",
+            url: declaration["git"],
+            branch: declaration["branch"],
+            ref: declaration["tag"] || declaration["rev"]
+          }
+        end
+
+        def version_from_lockfile_details(package_details)
+          unless package_details["source"]&.start_with?("git+")
+            return package_details["version"]
+          end
+
+          package_details["source"].split("#").last
+        end
+
+        def check_required_files
+          raise "No Cargo.toml!" unless get_original_file("Cargo.toml")
+        end
+
+        def parsed_file(file)
+          @parsed_file ||= {}
+          @parsed_file[file.name] ||= TomlRB.parse(file.content)
+        rescue TomlRB::ParseError
+          raise Dependabot::DependencyFileNotParseable, file.path
+        end
+
+        def manifest_files
+          @manifest_files ||=
+            dependency_files.
+            select { |f| f.name.end_with?("Cargo.toml") }.
+            reject { |f| f.type == "path_dependency" }
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("Cargo.lock")
+        end
+
+        def version_class
+          Utils::Rust::Version
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/ruby/bundler"
+require "dependabot/file_updaters/python/pip"
+require "dependabot/file_updaters/java_script/npm_and_yarn"
+require "dependabot/file_updaters/java/maven"
+require "dependabot/file_updaters/java/gradle"
+require "dependabot/file_updaters/php/composer"
+require "dependabot/file_updaters/git/submodules"
+require "dependabot/file_updaters/docker/docker"
+require "dependabot/file_updaters/elixir/hex"
+require "dependabot/file_updaters/rust/cargo"
+require "dependabot/file_updaters/dotnet/nuget"
+require "dependabot/file_updaters/go/dep"
+require "dependabot/file_updaters/go/modules"
+require "dependabot/file_updaters/elm/elm_package"
+
+module Dependabot
+  module FileUpdaters
+    @file_updaters = {
+      "bundler" => FileUpdaters::Ruby::Bundler,
+      "npm_and_yarn" => FileUpdaters::JavaScript::NpmAndYarn,
+      "maven" => FileUpdaters::Java::Maven,
+      "gradle" => FileUpdaters::Java::Gradle,
+      "pip" => FileUpdaters::Python::Pip,
+      "composer" => FileUpdaters::Php::Composer,
+      "submodules" => FileUpdaters::Git::Submodules,
+      "docker" => FileUpdaters::Docker::Docker,
+      "hex" => FileUpdaters::Elixir::Hex,
+      "cargo" => FileUpdaters::Rust::Cargo,
+      "nuget" => FileUpdaters::Dotnet::Nuget,
+      "dep" => FileUpdaters::Go::Dep,
+      "go_modules" => FileUpdaters::Go::Modules,
+      "elm-package" => FileUpdaters::Elm::ElmPackage
+    }
+
+    def self.for_package_manager(package_manager)
+      file_updater = @file_updaters[package_manager]
+      return file_updater if file_updater
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register(package_manager, file_updater)
+      @file_updaters[package_manager] = file_updater
+    end
+  end
+end

data/lib/dependabot/file_updaters/README.md

@@ -0,0 +1,58 @@
+# File updaters
+
+File updaters update a dependency file to use the latest version of a given
+dependency. They rely on information provided to them by update checkers.
+
+There is a `Dependabot::FileUpdaters` class for each language Dependabot
+supports.
+
+## Public API
+
+Each `Dependabot::FileUpdaters` class implements the following methods:
+
+| Method                       | Description                                                                                   |
+|------------------------------|-----------------------------------------------------------------------------------------------|
+| `.updated_files_regex`       | An array of regular expressions matching the names of the files this class updates. Intended to be used by integrators when checking whether a commit may cause merge-conflicts with a dependency update pull request. |
+| `#updated_dependency_files`  | Returns an array of updated `Dependabot::DependencyFile` instances, with their content updated to include the updated dependency. |
+
+An integration might look as follows:
+
+```ruby
+require 'dependabot/file_updaters'
+
+unless update_checker.can_update?(requirements_to_update: :own)
+  raise "Dependency doesn't need update!"
+end
+dependencies = update_checker.updated_dependencies(requirements_to_update: :own)
+
+file_updater_class = Dependabot::FileUpdaters::Ruby::Bundler
+file_updater = file_updater_class.new(
+  dependencies: dependencies,
+  dependency_files: files,
+  credentials: [{
+    "type" => "git_source",
+    "host" => "github.com",
+    "username" => "x-access-token",
+    "password" => "token"
+  }]
+)
+
+file_updater.updated_dependency_files.each do |file|
+  puts "Updated #{file.name} with new content:\n\n#{file.content}"
+end
+```
+
+## Writing a file updater for a new language
+
+All new file updaters should inherit from `Dependabot::FileUpdaters::Base` and
+implement the following methods:
+
+| Method                      | Description             |
+|-----------------------------|-------------------------|
+| `.updated_files_regex`      | See Public API section. |
+| `#updated_dependency_files` | See Public API section. |
+
+To ensure the above are implemented, you should include
+`it_behaves_like "a dependency file updater"` in your specs for the new file
+updater.
+