dependabot-core 0.76.1

data/lib/dependabot/update_checkers/elixir/hex/file_preparer.rb

@@ -0,0 +1,193 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/update_checkers/elixir/hex"
+require "dependabot/file_updaters/elixir/hex/mixfile_requirement_updater"
+require "dependabot/file_updaters/elixir/hex/mixfile_git_pin_updater"
+require "dependabot/file_updaters/elixir/hex/mixfile_sanitizer"
+require "dependabot/utils/elixir/version"
+
+module Dependabot
+  module UpdateCheckers
+    module Elixir
+      class Hex
+        # This class takes a set of dependency files and sanitizes them for use
+        # in UpdateCheckers::Elixir::Hex.
+        class FilePreparer
+          def initialize(dependency_files:, dependency:,
+                         unlock_requirement: true,
+                         replacement_git_pin: nil,
+                         latest_allowable_version: nil)
+            @dependency_files = dependency_files
+            @dependency = dependency
+            @unlock_requirement = unlock_requirement
+            @replacement_git_pin = replacement_git_pin
+            @latest_allowable_version = latest_allowable_version
+          end
+
+          def prepared_dependency_files
+            files = []
+            files += mixfiles.map do |file|
+              DependencyFile.new(
+                name: file.name,
+                content: mixfile_content_for_update_check(file),
+                directory: file.directory
+              )
+            end
+            files << lockfile if lockfile
+            files += support_files
+            files
+          end
+
+          private
+
+          attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                      :latest_allowable_version
+
+          def unlock_requirement?
+            @unlock_requirement
+          end
+
+          def replace_git_pin?
+            !replacement_git_pin.nil?
+          end
+
+          def mixfile_content_for_update_check(file)
+            content = file.content
+
+            unless dependency_appears_in_file?(file.name)
+              return sanitize_mixfile(content)
+            end
+
+            content = relax_version(content, filename: file.name)
+            if replace_git_pin?
+              content = replace_git_pin(content, filename: file.name)
+            end
+
+            sanitize_mixfile(content)
+          end
+
+          def relax_version(content, filename:)
+            old_requirement =
+              dependency.requirements.find { |r| r.fetch(:file) == filename }.
+              fetch(:requirement)
+
+            FileUpdaters::Elixir::Hex::MixfileRequirementUpdater.new(
+              dependency_name: dependency.name,
+              mixfile_content: content,
+              previous_requirement: old_requirement,
+              updated_requirement: updated_version_requirement_string(filename),
+              insert_if_bare: true
+            ).updated_content
+          end
+
+          def updated_version_requirement_string(filename)
+            lower_bound_req = updated_version_req_lower_bound(filename)
+
+            return lower_bound_req if latest_allowable_version.nil?
+            unless version_class.correct?(latest_allowable_version)
+              return lower_bound_req
+            end
+
+            lower_bound_req + " and <= #{latest_allowable_version}"
+          end
+
+          # rubocop:disable Metrics/AbcSize
+          # rubocop:disable Metrics/PerceivedComplexity
+          def updated_version_req_lower_bound(filename)
+            original_req = dependency.requirements.
+                           find { |r| r.fetch(:file) == filename }&.
+                           fetch(:requirement)
+
+            if original_req && !unlock_requirement? then original_req
+            elsif dependency.version&.match?(/^[0-9a-f]{40}$/) then ">= 0"
+            elsif dependency.version then ">= #{dependency.version}"
+            else
+              version_for_requirement =
+                dependency.requirements.map { |r| r[:requirement] }.compact.
+                reject { |req_string| req_string.start_with?("<") }.
+                select { |req_string| req_string.match?(version_regex) }.
+                map { |req_string| req_string.match(version_regex) }.
+                select { |version| version_class.correct?(version.to_s) }.
+                max_by { |version| version_class.new(version.to_s) }
+
+              return ">= 0" unless version_for_requirement
+
+              # Elixir requires that versions are specified to three places
+              # when used with a >= specifier
+              parts = version_for_requirement.to_s.split(".")
+              parts << "0" while parts.count < 3
+              ">= #{parts.join('.')}"
+            end
+          end
+          # rubocop:enable Metrics/AbcSize
+          # rubocop:enable Metrics/PerceivedComplexity
+
+          def replace_git_pin(content, filename:)
+            old_pin =
+              dependency.requirements.find { |r| r.fetch(:file) == filename }&.
+              dig(:source, :ref)
+
+            return content unless old_pin
+            return content if old_pin == replacement_git_pin
+
+            FileUpdaters::Elixir::Hex::MixfileGitPinUpdater.new(
+              dependency_name: dependency.name,
+              mixfile_content: content,
+              previous_pin: old_pin,
+              updated_pin: replacement_git_pin
+            ).updated_content
+          end
+
+          def sanitize_mixfile(content)
+            FileUpdaters::Elixir::Hex::MixfileSanitizer.new(
+              mixfile_content: content
+            ).sanitized_content
+          end
+
+          def mixfiles
+            mixfiles =
+              dependency_files.
+              select { |f| f.name.end_with?("mix.exs") }
+            raise "No mix.exs!" if mixfiles.none?
+
+            mixfiles
+          end
+
+          def lockfile
+            @lockfile ||= dependency_files.find { |f| f.name == "mix.lock" }
+          end
+
+          def support_files
+            @support_files ||= dependency_files.select(&:support_file)
+          end
+
+          def wants_prerelease?
+            current_version = dependency.version
+            if current_version &&
+               version_class.correct?(current_version) &&
+               version_class.new(current_version).prerelease?
+              return true
+            end
+
+            dependency.requirements.any? do |req|
+              req[:requirement].match?(/\d-[A-Za-z0-9]/)
+            end
+          end
+
+          def version_class
+            Utils::Elixir::Version
+          end
+
+          def version_regex
+            version_class::VERSION_PATTERN
+          end
+
+          def dependency_appears_in_file?(file_name)
+            dependency.requirements.any? { |r| r[:file] == file_name }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/elixir/hex/requirements_updater.rb

@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+require "dependabot/utils/elixir/version"
+require "dependabot/utils/elixir/requirement"
+require "dependabot/update_checkers/elixir/hex"
+
+module Dependabot
+  module UpdateCheckers
+    module Elixir
+      class Hex
+        class RequirementsUpdater
+          OPERATORS = />=|<=|>|<|==|~>/.freeze
+          AND_SEPARATOR = /\s+and\s+/.freeze
+          OR_SEPARATOR = /\s+or\s+/.freeze
+          SEPARATOR = /#{AND_SEPARATOR}|#{OR_SEPARATOR}/.freeze
+
+          def initialize(requirements:, latest_resolvable_version:,
+                         updated_source:)
+            @requirements = requirements
+            @updated_source = updated_source
+
+            return unless latest_resolvable_version
+            unless Utils::Elixir::Version.correct?(latest_resolvable_version)
+              return
+            end
+
+            @latest_resolvable_version =
+              Utils::Elixir::Version.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            requirements.map { |req| updated_mixfile_requirement(req) }
+          end
+
+          private
+
+          attr_reader :requirements, :latest_resolvable_version, :updated_source
+
+          # rubocop:disable Metrics/AbcSize
+          # rubocop:disable PerceivedComplexity
+          def updated_mixfile_requirement(req)
+            req = update_source(req)
+            return req unless latest_resolvable_version && req[:requirement]
+            return req if req_satisfied_by_latest_resolvable?(req[:requirement])
+
+            or_string_reqs = req[:requirement].split(OR_SEPARATOR)
+            last_string_reqs = or_string_reqs.last.split(AND_SEPARATOR).
+                               map(&:strip)
+
+            new_requirement =
+              if last_string_reqs.any? { |r| r.match(/^(?:\d|=)/) }
+                exact_req = last_string_reqs.find { |r| r.match(/^(?:\d|=)/) }
+                update_exact_version(exact_req, latest_resolvable_version).to_s
+              elsif last_string_reqs.any? { |r| r.start_with?("~>") }
+                tw_req = last_string_reqs.find { |r| r.start_with?("~>") }
+                update_twiddle_version(tw_req, latest_resolvable_version).to_s
+              else
+                update_mixfile_range(last_string_reqs).map(&:to_s).join(" and ")
+              end
+
+            if or_string_reqs.count > 1
+              new_requirement = req[:requirement] + " or " + new_requirement
+            end
+
+            req.merge(requirement: new_requirement)
+          end
+          # rubocop:enable Metrics/AbcSize
+          # rubocop:enable PerceivedComplexity
+
+          def update_source(requirement_hash)
+            # Only git sources ever need to be updated. Anything else should be
+            # left alone.
+            unless requirement_hash.dig(:source, :type) == "git"
+              return requirement_hash
+            end
+
+            requirement_hash.merge(source: updated_source)
+          end
+
+          def req_satisfied_by_latest_resolvable?(requirement_string)
+            ruby_requirements(requirement_string).
+              any? { |r| r.satisfied_by?(latest_resolvable_version) }
+          end
+
+          def ruby_requirements(requirement_string)
+            requirement_class.requirements_array(requirement_string)
+          end
+
+          def update_exact_version(previous_req, new_version)
+            op = previous_req.match(OPERATORS).to_s
+            old_version =
+              Utils::Elixir::Version.new(previous_req.gsub(OPERATORS, ""))
+            updated_version = at_same_precision(new_version, old_version)
+            "#{op} #{updated_version}".strip
+          end
+
+          def update_twiddle_version(previous_req, new_version)
+            previous_req = requirement_class.new(previous_req)
+            old_version = previous_req.requirements.first.last
+            updated_version = at_same_precision(new_version, old_version)
+            requirement_class.new("~> #{updated_version}")
+          end
+
+          def update_mixfile_range(requirements)
+            requirements = requirements.map { |r| requirement_class.new(r) }
+            updated_requirements =
+              requirements.flat_map do |r|
+                next r if r.satisfied_by?(latest_resolvable_version)
+
+                case op = r.requirements.first.first
+                when "<", "<="
+                  [update_greatest_version(r, latest_resolvable_version)]
+                when "!="
+                  []
+                else
+                  raise "Unexpected operation for unsatisfied Gemfile "\
+                        "requirement: #{op}"
+                end
+              end
+
+            binding_requirements(updated_requirements)
+          end
+
+          def at_same_precision(new_version, old_version)
+            precision = old_version.to_s.split(".").count
+            new_version.to_s.split(".").first(precision).join(".")
+          end
+
+          # Updates the version in a "<" or "<=" constraint to allow the given
+          # version
+          def update_greatest_version(requirement, version_to_be_permitted)
+            if version_to_be_permitted.is_a?(String)
+              version_to_be_permitted =
+                Utils::Elixir::Version.new(version_to_be_permitted)
+            end
+            op, version = requirement.requirements.first
+            version = version.release if version.prerelease?
+
+            index_to_update =
+              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+            new_segments = version.segments.map.with_index do |_, index|
+              if index < index_to_update
+                version_to_be_permitted.segments[index]
+              elsif index == index_to_update
+                version_to_be_permitted.segments[index] + 1
+              else 0
+              end
+            end
+
+            requirement_class.new("#{op} #{new_segments.join('.')}")
+          end
+
+          def binding_requirements(requirements)
+            grouped_by_operator =
+              requirements.group_by { |r| r.requirements.first.first }
+
+            binding_reqs = grouped_by_operator.flat_map do |operator, reqs|
+              case operator
+              when "<", "<=" then reqs.min_by { |r| r.requirements.first.last }
+              when ">", ">=" then reqs.max_by { |r| r.requirements.first.last }
+              else requirements
+              end
+            end.uniq
+
+            binding_reqs << requirement_class.new if binding_reqs.empty?
+            binding_reqs.sort_by { |r| r.requirements.first.last }
+          end
+
+          def requirement_class
+            Utils::Elixir::Requirement
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/elixir/hex/version_resolver.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require "dependabot/utils/elixir/version"
+require "dependabot/update_checkers/elixir/hex"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module Elixir
+      class Hex
+        class VersionResolver
+          def initialize(dependency:, credentials:,
+                         original_dependency_files:, prepared_dependency_files:)
+            @dependency = dependency
+            @original_dependency_files = original_dependency_files
+            @prepared_dependency_files = prepared_dependency_files
+            @credentials = credentials
+          end
+
+          def latest_resolvable_version
+            @latest_resolvable_version ||= fetch_latest_resolvable_version
+          end
+
+          private
+
+          attr_reader :dependency, :credentials,
+                      :original_dependency_files, :prepared_dependency_files
+
+          def fetch_latest_resolvable_version
+            latest_resolvable_version =
+              SharedHelpers.in_a_temporary_directory do
+                write_temporary_dependency_files
+                FileUtils.cp(
+                  elixir_helper_check_update_path,
+                  "check_update.exs"
+                )
+
+                SharedHelpers.with_git_configured(credentials: credentials) do
+                  run_elixir_update_checker
+                end
+              end
+
+            return if latest_resolvable_version.nil?
+            if latest_resolvable_version.match?(/^[0-9a-f]{40}$/)
+              return latest_resolvable_version
+            end
+
+            version_class.new(latest_resolvable_version)
+          rescue SharedHelpers::HelperSubprocessFailed => error
+            handle_hex_errors(error)
+          end
+
+          def run_elixir_update_checker
+            SharedHelpers.run_helper_subprocess(
+              env: mix_env,
+              command: "mix run #{elixir_helper_path}",
+              function: "get_latest_resolvable_version",
+              args: [Dir.pwd,
+                     dependency.name,
+                     organization_credentials],
+              popen_opts: { err: %i(child out) }
+            )
+          end
+
+          def handle_hex_errors(error)
+            if error.message.include?("No authenticated organization found")
+              org = error.message.match(/found for ([a-z_]+)\./).captures.first
+              raise Dependabot::PrivateSourceAuthenticationFailure, org
+            end
+
+            if error.message.include?("Failed to fetch record for")
+              org_match = error.message.match(%r{for 'hexpm:([a-z_]+)/})
+              org = org_match&.captures&.first
+              raise Dependabot::PrivateSourceAuthenticationFailure, org if org
+            end
+
+            # TODO: This isn't pretty. It would be much nicer to catch the
+            # warnings as part of the Elixir module.
+            return error_result(error) if includes_result?(error)
+
+            # Ignore dependencies which don't resolve due to mis-matching
+            # environment specifications.
+            # TODO: Update the environment specifications instead
+            return if error.message.include?("Dependencies have diverged")
+
+            check_original_requirements_resolvable
+            raise error
+          end
+
+          def error_result(error)
+            return false unless includes_result?(error)
+
+            result_json = error.message&.split("\n")&.last
+            result = JSON.parse(result_json)["result"]
+            return version_class.new(result) if version_class.correct?(result)
+
+            result
+          end
+
+          def includes_result?(error)
+            result = error.message&.split("\n")&.last
+            return false unless result
+
+            JSON.parse(error.message&.split("\n")&.last)["result"]
+            true
+          rescue JSON::ParserError
+            false
+          end
+
+          def check_original_requirements_resolvable
+            SharedHelpers.in_a_temporary_directory do
+              write_temporary_dependency_files(prepared: false)
+              FileUtils.cp(
+                elixir_helper_check_update_path,
+                "check_update.exs"
+              )
+
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                run_elixir_update_checker
+              end
+            end
+
+            true
+          rescue SharedHelpers::HelperSubprocessFailed => error
+            raise Dependabot::DependencyFileNotResolvable, error.message
+          end
+
+          def write_temporary_dependency_files(prepared: true)
+            files = if prepared then prepared_dependency_files
+                    else original_dependency_files
+                    end
+
+            files.each do |file|
+              path = file.name
+              FileUtils.mkdir_p(Pathname.new(path).dirname)
+              File.write(path, file.content)
+            end
+          end
+
+          def version_class
+            Utils::Elixir::Version
+          end
+
+          def mix_env
+            {
+              "MIX_EXS" => File.join(project_root, "helpers/elixir/mix.exs"),
+              "MIX_LOCK" => File.join(project_root, "helpers/elixir/mix.lock"),
+              "MIX_DEPS" => File.join(project_root, "helpers/elixir/deps"),
+              "MIX_QUIET" => "1"
+            }
+          end
+
+          def elixir_helper_path
+            File.join(project_root, "helpers/elixir/bin/run.exs")
+          end
+
+          def elixir_helper_check_update_path
+            File.join(project_root, "helpers/elixir/bin/check_update.exs")
+          end
+
+          def project_root
+            File.join(File.dirname(__FILE__), "../../../../..")
+          end
+
+          def organization_credentials
+            credentials.
+              select { |cred| cred["type"] == "hex_organization" }.
+              flat_map { |cred| [cred["organization"], cred["token"]] }
+          end
+        end
+      end
+    end
+  end
+end