dependabot-core 0.76.1

data/lib/dependabot/update_checkers/go/modules.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/utils/go/version"
+require "dependabot/utils/go/shared_helper"
+
+module Dependabot
+  module UpdateCheckers
+    module Go
+      class Modules < Dependabot::UpdateCheckers::Base
+        def latest_resolvable_version
+          @latest_resolvable_version ||=
+            version_class.new(find_latest_resolvable_version.gsub(/^v/, ""))
+        end
+
+        # This is currently used to short-circuit latest_resolvable_version,
+        # with the assumption that it'll be quicker than checking
+        # resolvability. As this is quite quick in Go anyway, we just alias.
+        def latest_version
+          latest_resolvable_version
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          # Irrelevant, since Go modules uses a single dependency file
+          nil
+        end
+
+        def updated_requirements
+          dependency.requirements.map do |req|
+            req.merge(requirement: latest_version)
+          end
+        end
+
+        private
+
+        def find_latest_resolvable_version
+          SharedHelpers.in_a_temporary_directory do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              File.write("go.mod", go_mod.content)
+
+              SharedHelpers.run_helper_subprocess(
+                command: "GO111MODULE=on #{Utils::Go::SharedHelper.path}",
+                function: "getUpdatedVersion",
+                args: {
+                  dependency: {
+                    name: dependency.name,
+                    version: "v" + dependency.version,
+                    indirect: dependency.requirements.empty?
+                  }
+                }
+              )
+            end
+          end
+        end
+
+        def latest_version_resolvable_with_full_unlock?
+          # Full unlock checks aren't implemented for Go (yet)
+          false
+        end
+
+        def updated_dependencies_after_full_unlock
+          raise NotImplementedError
+        end
+
+        # Override the base class's check for whether this is a git dependency,
+        # since not all dep git dependencies have a SHA version (sometimes their
+        # version is the tag)
+        def existing_version_is_sha?
+          git_dependency?
+        end
+
+        def library?
+          dependency_files.none? { |f| f.type == "package_main" }
+        end
+
+        def version_from_tag(tag)
+          # To compare with the current version we either use the commit SHA
+          # (if that's what the parser picked up) of the tag name.
+          if dependency.version&.match?(/^[0-9a-f]{40}$/)
+            return tag&.fetch(:commit_sha)
+          end
+
+          tag&.fetch(:tag)
+        end
+
+        def git_dependency?
+          git_commit_checker.git_dependency?
+        end
+
+        def default_source
+          { type: "default", source: dependency.name }
+        end
+
+        def go_mod
+          @go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
+        end
+
+        def git_commit_checker
+          @git_commit_checker ||=
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java/gradle.rb

@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/base"
+require "dependabot/file_parsers/java/gradle"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Gradle < Dependabot::UpdateCheckers::Base
+        require_relative "maven/requirements_updater"
+        require_relative "gradle/version_finder"
+        require_relative "gradle/multi_dependency_updater"
+
+        def latest_version
+          latest_version_details&.fetch(:version)
+        end
+
+        def latest_resolvable_version
+          # TODO: Resolve the build.gradle to find the latest version we could
+          # update to without updating any other dependencies at the same time.
+          #
+          # The above is hard. Currently we just return the latest version and
+          # hope (hence this package manager is in beta!)
+          return nil if version_comes_from_multi_dependency_property?
+          return nil if version_comes_from_dependency_set?
+
+          latest_version
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          # Irrelevant, since Gradle has a single dependency file.
+          #
+          # For completeness we ought to resolve the build.gradle and return the
+          # latest version that satisfies the current constraint AND any
+          # constraints placed on it by other dependencies. Seeing as we're
+          # never going to take any action as a result, though, we just return
+          # nil.
+          nil
+        end
+
+        def updated_requirements
+          property_names =
+            declarations_using_a_property.
+            map { |req| req.dig(:metadata, :property_name) }
+
+          Maven::RequirementsUpdater.new(
+            requirements: dependency.requirements,
+            latest_version: latest_version&.to_s,
+            source_url: latest_version_details&.fetch(:source_url),
+            properties_to_update: property_names
+          ).updated_requirements
+        end
+
+        def requirements_unlocked_or_can_be?
+          # If the dependency version come from a property we couldn't
+          # interpolate then there's nothing we can do.
+          !dependency.version.include?("$")
+        end
+
+        private
+
+        def latest_version_resolvable_with_full_unlock?
+          unless version_comes_from_multi_dependency_property? ||
+                 version_comes_from_dependency_set?
+            return false
+          end
+
+          multi_dependency_updater.update_possible?
+        end
+
+        def updated_dependencies_after_full_unlock
+          multi_dependency_updater.updated_dependencies
+        end
+
+        def numeric_version_up_to_date?
+          return false unless version_class.correct?(dependency.version)
+
+          super
+        end
+
+        def numeric_version_can_update?(requirements_to_unlock:)
+          return false unless version_class.correct?(dependency.version)
+
+          super
+        end
+
+        def latest_version_details
+          @latest_version_details ||= version_finder.latest_version_details
+        end
+
+        def version_finder
+          @version_finder ||=
+            VersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def multi_dependency_updater
+          @multi_dependency_updater ||=
+            MultiDependencyUpdater.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              target_version_details: latest_version_details,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def version_comes_from_multi_dependency_property?
+          declarations_using_a_property.any? do |requirement|
+            property_name = requirement.fetch(:metadata).fetch(:property_name)
+
+            all_property_based_dependencies.any? do |dep|
+              next false if dep.name == dependency.name
+
+              dep.requirements.any? do |req|
+                req.dig(:metadata, :property_name) == property_name
+              end
+            end
+          end
+        end
+
+        def version_comes_from_dependency_set?
+          dependency.requirements.any? do |req|
+            req.dig(:metadata, :dependency_set)
+          end
+        end
+
+        def declarations_using_a_property
+          @declarations_using_a_property ||=
+            dependency.requirements.
+            select { |req| req.dig(:metadata, :property_name) }
+        end
+
+        def all_property_based_dependencies
+          @all_property_based_dependencies ||=
+            FileParsers::Java::Gradle.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select do |dep|
+              dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
+            end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java/gradle/multi_dependency_updater.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "dependabot/file_parsers/java/gradle"
+require "dependabot/update_checkers/java/gradle"
+require "dependabot/update_checkers/java/maven/requirements_updater"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Gradle
+        class MultiDependencyUpdater
+          require_relative "version_finder"
+
+          def initialize(dependency:, dependency_files:,
+                         target_version_details:, ignored_versions:)
+            @dependency       = dependency
+            @dependency_files = dependency_files
+            @target_version   = target_version_details&.fetch(:version)
+            @source_url       = target_version_details&.fetch(:source_url)
+            @ignored_versions = ignored_versions
+          end
+
+          def update_possible?
+            return false unless target_version
+
+            @update_possible ||=
+              dependencies_to_update.all? do |dep|
+                VersionFinder.new(
+                  dependency: dep,
+                  dependency_files: dependency_files,
+                  ignored_versions: ignored_versions
+                ).versions.
+                  map { |v| v.fetch(:version) }.
+                  include?(target_version)
+              end
+          end
+
+          def updated_dependencies
+            raise "Update not possible!" unless update_possible?
+
+            @updated_dependencies ||=
+              dependencies_to_update.map do |dep|
+                Dependency.new(
+                  name: dep.name,
+                  version: target_version.to_s,
+                  requirements: updated_requirements(dep),
+                  previous_version: dep.version,
+                  previous_requirements: dep.requirements,
+                  package_manager: dep.package_manager
+                )
+              end
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :target_version,
+                      :source_url, :ignored_versions
+
+          def dependencies_to_update
+            @dependencies_to_update ||=
+              FileParsers::Java::Gradle.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select do |dep|
+                dep.requirements.any? do |r|
+                  tmp_p_name = r.dig(:metadata, :property_name)
+                  tmp_dep_set = r.dig(:metadata, :dependency_set)
+                  next true if property_name && tmp_p_name == property_name
+
+                  dependency_set && tmp_dep_set == dependency_set
+                end
+              end
+          end
+
+          def property_name
+            @property_name ||= dependency.requirements.
+                               find { |r| r.dig(:metadata, :property_name) }&.
+                               dig(:metadata, :property_name)
+          end
+
+          def dependency_set
+            @dependency_set ||= dependency.requirements.
+                                find { |r| r.dig(:metadata, :dependency_set) }&.
+                                dig(:metadata, :dependency_set)
+          end
+
+          def pom
+            dependency_files.find { |f| f.name == "pom.xml" }
+          end
+
+          def updated_requirements(dep)
+            @updated_requirements ||= {}
+            @updated_requirements[dep.name] ||=
+              Maven::RequirementsUpdater.new(
+                requirements: dep.requirements,
+                latest_version: target_version.to_s,
+                source_url: source_url,
+                properties_to_update: [property_name].compact
+              ).updated_requirements
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java/gradle/version_finder.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/shared_helpers"
+require "dependabot/file_parsers/java/gradle/repositories_finder"
+require "dependabot/update_checkers/java/gradle"
+require "dependabot/utils/java/version"
+require "dependabot/utils/java/requirement"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Gradle
+        class VersionFinder
+          GOOGLE_MAVEN_REPO = "https://maven.google.com"
+          TYPE_SUFFICES = %w(jre android java).freeze
+
+          def initialize(dependency:, dependency_files:, ignored_versions:)
+            @dependency = dependency
+            @dependency_files = dependency_files
+            @ignored_versions = ignored_versions
+          end
+
+          def latest_version_details
+            possible_versions = versions
+
+            unless wants_prerelease?
+              possible_versions =
+                possible_versions.
+                reject { |v| v.fetch(:version).prerelease? }
+            end
+
+            unless wants_date_based_version?
+              possible_versions =
+                possible_versions.
+                reject { |v| v.fetch(:version) > version_class.new(1900) }
+            end
+
+            possible_versions =
+              possible_versions.
+              select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+
+            ignored_versions.each do |req|
+              ignore_req = Utils::Java::Requirement.new(req.split(","))
+              possible_versions =
+                possible_versions.
+                reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
+            end
+
+            possible_versions.last
+          end
+
+          def versions
+            version_details =
+              repository_urls.map do |url|
+                next google_version_details if url == GOOGLE_MAVEN_REPO
+
+                dependency_metadata(url).css("versions > version").
+                  select { |node| version_class.correct?(node.content) }.
+                  map { |node| version_class.new(node.content) }.
+                  map { |version| { version: version, source_url: url } }
+              end.flatten.compact
+
+            version_details.sort_by { |details| details.fetch(:version) }
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :ignored_versions
+
+          def wants_prerelease?
+            return false unless dependency.version
+            return false unless version_class.correct?(dependency.version)
+
+            version_class.new(dependency.version).prerelease?
+          end
+
+          def wants_date_based_version?
+            return false unless dependency.version
+            return false unless version_class.correct?(dependency.version)
+
+            version_class.new(dependency.version) >= version_class.new(100)
+          end
+
+          def google_version_details
+            url = GOOGLE_MAVEN_REPO
+            group_id, artifact_id = dependency.name.split(":")
+
+            dependency_metadata_url = "#{GOOGLE_MAVEN_REPO}/"\
+                                      "#{group_id.tr('.', '/')}/"\
+                                      "group-index.xml"
+
+            @google_version_details ||=
+              begin
+                response = Excon.get(
+                  dependency_metadata_url,
+                  idempotent: true,
+                  **SharedHelpers.excon_defaults
+                )
+                Nokogiri::XML(response.body)
+              end
+
+            xpath = "/#{group_id}/#{artifact_id}"
+            return unless @google_version_details.at_xpath(xpath)
+
+            @google_version_details.at_xpath(xpath).
+              attributes.fetch("versions").
+              value.split(",").
+              select { |v| version_class.correct?(v) }.
+              map { |v| version_class.new(v) }.
+              map { |version| { version: version, source_url: url } }
+          end
+
+          def dependency_metadata(repository_url)
+            @dependency_metadata ||= {}
+            @dependency_metadata[repository_url] ||=
+              begin
+                response = Excon.get(
+                  dependency_metadata_url(repository_url),
+                  idempotent: true,
+                  **SharedHelpers.excon_defaults
+                )
+                Nokogiri::XML(response.body)
+              rescue Excon::Error::Socket, Excon::Error::Timeout
+                namespace = FileParsers::Java::Gradle::RepositoriesFinder
+                central = namespace::CENTRAL_REPO_URL
+                raise if repository_url == central
+
+                Nokogiri::XML("")
+              end
+          end
+
+          def repository_urls
+            requirement_files =
+              dependency.requirements.
+              map { |r| r.fetch(:file) }.
+              map { |nm| dependency_files.find { |f| f.name == nm } }
+
+            @repository_urls ||=
+              requirement_files.flat_map do |target_file|
+                FileParsers::Java::Gradle::RepositoriesFinder.new(
+                  dependency_files: dependency_files,
+                  target_dependency_file: target_file
+                ).repository_urls
+              end.uniq
+          end
+
+          def matches_dependency_version_type?(comparison_version)
+            return true unless dependency.version
+
+            current_type =
+              TYPE_SUFFICES.
+              find { |t| dependency.version.split(/[.\-]/).include?(t) }
+
+            version_type =
+              TYPE_SUFFICES.
+              find { |t| comparison_version.to_s.split(/[.\-]/).include?(t) }
+
+            current_type == version_type
+          end
+
+          def pom
+            filename = dependency.requirements.first.fetch(:file)
+            dependency_files.find { |f| f.name == filename }
+          end
+
+          def dependency_metadata_url(repository_url)
+            group_id, artifact_id = dependency.name.split(":")
+
+            "#{repository_url}/"\
+            "#{group_id.tr('.', '/')}/"\
+            "#{artifact_id}/"\
+            "maven-metadata.xml"
+          end
+
+          def version_class
+            Utils::Java::Version
+          end
+        end
+      end
+    end
+  end
+end