dependabot-core 0.76.1

data/lib/dependabot/metadata_finders/rust/cargo.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module MetadataFinders
+    module Rust
+      class Cargo < Dependabot::MetadataFinders::Base
+        SOURCE_KEYS = %w(repository homepage documentation).freeze
+
+        private
+
+        def look_up_source
+          case new_source_type
+          when "default" then find_source_from_crates_listing
+          when "git" then find_source_from_git_url
+          else raise "Unexpected source type: #{new_source_type}"
+          end
+        end
+
+        def new_source_type
+          sources =
+            dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+          return "default" if sources.empty?
+          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+          sources.first[:type] || sources.first.fetch("type")
+        end
+
+        def find_source_from_crates_listing
+          potential_source_urls =
+            SOURCE_KEYS.
+            map { |key| crates_listing.dig("crate", key) }.
+            compact
+
+          source_url = potential_source_urls.find { |url| Source.from_url(url) }
+          Source.from_url(source_url)
+        end
+
+        def find_source_from_git_url
+          info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+          url = info[:url] || info.fetch("url")
+          Source.from_url(url)
+        end
+
+        def crates_listing
+          return @crates_listing unless @crates_listing.nil?
+
+          response = Excon.get(
+            "https://crates.io/api/v1/crates/#{dependency.name}",
+            idempotent: true,
+            **SharedHelpers.excon_defaults
+          )
+
+          @crates_listing = JSON.parse(response.body)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/pull_request_creator.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+
+module Dependabot
+  class PullRequestCreator
+    require "dependabot/pull_request_creator/github"
+    require "dependabot/pull_request_creator/gitlab"
+    require "dependabot/pull_request_creator/message_builder"
+    require "dependabot/pull_request_creator/branch_namer"
+    require "dependabot/pull_request_creator/labeler"
+
+    attr_reader :source, :dependencies, :files, :base_commit,
+                :credentials, :pr_message_footer, :custom_labels,
+                :author_details, :signature_key, :vulnerabilities_fixed,
+                :reviewers, :assignees, :milestone, :branch_name_separator
+
+    def initialize(source:, base_commit:, dependencies:, files:, credentials:,
+                   pr_message_footer: nil, custom_labels: nil,
+                   author_details: nil, signature_key: nil,
+                   reviewers: nil, assignees: nil, milestone: nil,
+                   vulnerabilities_fixed: {}, branch_name_separator: "/",
+                   label_language: false)
+      @dependencies          = dependencies
+      @source                = source
+      @base_commit           = base_commit
+      @files                 = files
+      @credentials           = credentials
+      @pr_message_footer     = pr_message_footer
+      @author_details        = author_details
+      @signature_key         = signature_key
+      @custom_labels         = custom_labels
+      @reviewers             = reviewers
+      @assignees             = assignees
+      @milestone             = milestone
+      @vulnerabilities_fixed = vulnerabilities_fixed
+      @branch_name_separator = branch_name_separator
+      @label_language        = label_language
+
+      check_dependencies_have_previous_version
+    end
+
+    def check_dependencies_have_previous_version
+      return if library? && dependencies.all? { |d| requirements_changed?(d) }
+      return if dependencies.all?(&:previous_version)
+
+      raise "Dependencies must have a previous version or changed " \
+            "requirement to have a pull request created for them!"
+    end
+
+    def create
+      case source.provider
+      when "github" then github_creator.create
+      when "gitlab" then gitlab_creator.create
+      else raise "Unsupported provider #{source.provider}"
+      end
+    end
+
+    private
+
+    def label_language?
+      @label_language
+    end
+
+    def github_creator
+      Github.new(
+        source: source,
+        branch_name: branch_namer.new_branch_name,
+        base_commit: base_commit,
+        credentials: credentials,
+        files: files,
+        commit_message: message_builder.commit_message,
+        pr_description: message_builder.pr_message,
+        pr_name: message_builder.pr_name,
+        author_details: author_details,
+        signature_key: signature_key,
+        labeler: labeler,
+        reviewers: reviewers,
+        assignees: assignees,
+        milestone: milestone
+      )
+    end
+
+    def gitlab_creator
+      Gitlab.new(
+        source: source,
+        branch_name: branch_namer.new_branch_name,
+        base_commit: base_commit,
+        credentials: credentials,
+        files: files,
+        commit_message: message_builder.commit_message,
+        pr_description: message_builder.pr_message,
+        pr_name: message_builder.pr_name,
+        author_details: author_details,
+        labeler: labeler,
+        assignee: assignees&.first
+      )
+    end
+
+    def message_builder
+      @message_builder ||
+        MessageBuilder.new(
+          source: source,
+          dependencies: dependencies,
+          files: files,
+          credentials: credentials,
+          author_details: author_details,
+          pr_message_footer: pr_message_footer,
+          vulnerabilities_fixed: vulnerabilities_fixed
+        )
+    end
+
+    def branch_namer
+      @branch_namer ||=
+        BranchNamer.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: source.branch,
+          separator: branch_name_separator
+        )
+    end
+
+    def labeler
+      @labeler ||=
+        Labeler.new(
+          source: source,
+          custom_labels: custom_labels,
+          credentials: credentials,
+          includes_security_fixes: includes_security_fixes?,
+          dependencies: dependencies,
+          label_language: label_language?
+        )
+    end
+
+    def library?
+      if files.map(&:name).any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
+        return true
+      end
+
+      dependencies.none?(&:appears_in_lockfile?)
+    end
+
+    def includes_security_fixes?
+      vulnerabilities_fixed.values.flatten.any?
+    end
+
+    def requirements_changed?(dependency)
+      (dependency.requirements - dependency.previous_requirements).any?
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/pull_request_creator"
+
+module Dependabot
+  class PullRequestCreator
+    class BranchNamer
+      attr_reader :dependencies, :files, :target_branch, :separator
+
+      def initialize(dependencies:, files:, target_branch:, separator: "/")
+        @dependencies  = dependencies
+        @files         = files
+        @target_branch = target_branch
+        @separator     = separator
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/CyclomaticComplexity
+      def new_branch_name
+        @name ||=
+          if dependencies.count > 1 && updating_a_property?
+            property_name
+          elsif dependencies.count > 1 && updating_a_dependency_set?
+            dependency_set.fetch(:group)
+          elsif dependencies.count > 1
+            dependencies.map(&:name).join("-and-").tr(":", "-")
+          elsif library? && ref_changed?(dependencies.first)
+            dep = dependencies.first
+            "#{dep.name.tr(':', '-')}-#{new_ref(dep)}"
+          elsif library?
+            dep = dependencies.first
+            "#{dep.name.tr(':', '-')}-#{sanitized_requirement(dep)}"
+          else
+            dep = dependencies.first
+            "#{dep.name.tr(':', '-')}-#{new_version(dep)}"
+          end
+
+        branch_name = File.join(prefixes, @name).gsub(%r{/\.}, "/dot-")
+
+        # Some users need branch names without slashes
+        branch_name.gsub("/", separator)
+      end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      private
+
+      def prefixes
+        [
+          "dependabot",
+          package_manager,
+          files.first.directory.tr(" ", "-"),
+          target_branch
+        ].compact
+      end
+
+      def package_manager
+        dependencies.first.package_manager
+      end
+
+      def updating_a_property?
+        dependencies.first.
+          requirements.
+          any? { |r| r.dig(:metadata, :property_name) }
+      end
+
+      def updating_a_dependency_set?
+        dependencies.first.
+          requirements.
+          any? { |r| r.dig(:metadata, :dependency_set) }
+      end
+
+      def property_name
+        @property_name ||= dependencies.first.requirements.
+                           find { |r| r.dig(:metadata, :property_name) }&.
+                           dig(:metadata, :property_name)
+
+        raise "No property name!" unless @property_name
+
+        @property_name
+      end
+
+      def dependency_set
+        @dependency_set ||= dependencies.first.requirements.
+                            find { |r| r.dig(:metadata, :dependency_set) }&.
+                            dig(:metadata, :dependency_set)
+
+        raise "No dependency set!" unless @dependency_set
+
+        @dependency_set
+      end
+
+      def sanitized_requirement(dependency)
+        new_library_requirement(dependency).
+          delete(" ").
+          gsub("!=", "neq-").
+          gsub(">=", "gte-").
+          gsub("<=", "lte-").
+          gsub("~>", "tw-").
+          gsub("^", "tw-").
+          gsub("||", "or-").
+          gsub("~", "approx-").
+          gsub("~=", "tw-").
+          gsub(/==*/, "eq-").
+          gsub(">", "gt-").
+          gsub("<", "lt-").
+          gsub("*", "star").
+          gsub(",", "-and-")
+      end
+
+      def new_version(dependency)
+        if dependency.version.match?(/^[0-9a-f]{40}$/)
+          return new_ref(dependency) if ref_changed?(dependency)
+
+          dependency.version[0..6]
+        elsif dependency.version == dependency.previous_version &&
+              package_manager == "docker"
+          dependency.requirements.
+            map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
+            compact.first.split(":").last[0..6]
+        else
+          dependency.version
+        end
+      end
+
+      def previous_ref(dependency)
+        dependency.previous_requirements.map do |r|
+          r.dig(:source, "ref") || r.dig(:source, :ref)
+        end.compact.first
+      end
+
+      def new_ref(dependency)
+        dependency.requirements.map do |r|
+          r.dig(:source, "ref") || r.dig(:source, :ref)
+        end.compact.first
+      end
+
+      def ref_changed?(dependency)
+        previous_ref(dependency) && new_ref(dependency) &&
+          previous_ref(dependency) != new_ref(dependency)
+      end
+
+      def new_library_requirement(dependency)
+        updated_reqs =
+          dependency.requirements - dependency.previous_requirements
+
+        gemspec =
+          updated_reqs.find { |r| r[:file].match?(%r{^[^/]*\.gemspec$}) }
+        return gemspec[:requirement] if gemspec
+
+        updated_reqs.first[:requirement]
+      end
+
+      def library?
+        if files.map(&:name).any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
+          return true
+        end
+
+        dependencies.none?(&:appears_in_lockfile?)
+      end
+
+      def requirements_changed?(dependency)
+        (dependency.requirements - dependency.previous_requirements).any?
+      end
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/commit_signer.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "time"
+require "gpgme"
+require "tmpdir"
+require "dependabot/pull_request_creator"
+
+module Dependabot
+  class PullRequestCreator
+    class CommitSigner
+      attr_reader :author_details, :commit_message, :tree_sha, :parent_sha,
+                  :signature_key
+
+      def initialize(author_details:, commit_message:, tree_sha:, parent_sha:,
+                     signature_key:)
+        @author_details = author_details
+        @commit_message = commit_message
+        @tree_sha = tree_sha
+        @parent_sha = parent_sha
+        @signature_key = signature_key
+      end
+
+      def signature
+        email = author_details[:email]
+
+        dir = Dir.mktmpdir
+
+        GPGME::Engine.home_dir = dir
+        GPGME::Key.import(signature_key)
+
+        crypto = GPGME::Crypto.new(armor: true)
+        opts = { mode: GPGME::SIG_MODE_DETACH, signer: email }
+        crypto.sign(commit_object, opts).to_s
+      rescue Errno::ENOTEMPTY
+        FileUtils.remove_entry(dir, true)
+        # This appears to be a Ruby bug which occurs very rarely
+        raise if @retrying
+
+        @retrying = true
+        retry
+      ensure
+        FileUtils.remove_entry(dir, true)
+      end
+
+      private
+
+      def commit_object
+        time_str = Time.parse(author_details[:date]).strftime("%s %z")
+        name = author_details[:name]
+        email = author_details[:email]
+
+        [
+          "tree #{tree_sha}",
+          "parent #{parent_sha}",
+          "author #{name} <#{email}> #{time_str}",
+          "committer #{name} <#{email}> #{time_str}",
+          "",
+          commit_message
+        ].join("\n")
+      end
+    end
+  end
+end