dependabot-core 0.76.1

data/lib/dependabot/update_checkers/java/maven.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/base"
+require "dependabot/file_parsers/java/maven/property_value_finder"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Maven < Dependabot::UpdateCheckers::Base
+        require_relative "maven/requirements_updater"
+        require_relative "maven/version_finder"
+        require_relative "maven/property_updater"
+
+        def latest_version
+          latest_version_details&.fetch(:version)
+        end
+
+        def latest_resolvable_version
+          # Maven's version resolution algorithm is very simple: it just uses
+          # the version defined "closest", with the first declaration winning
+          # if two declarations are equally close. As a result, we can just
+          # return that latest version unless dealing with a property dep.
+          # https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies
+          return nil if version_comes_from_multi_dependency_property?
+
+          latest_version
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          # Irrelevant, since Maven has a single dependency file (the pom.xml).
+          #
+          # For completeness we ought to resolve the pom.xml and return the
+          # latest version that satisfies the current constraint AND any
+          # constraints placed on it by other dependencies. Seeing as we're
+          # never going to take any action as a result, though, we just return
+          # nil.
+          nil
+        end
+
+        def updated_requirements
+          property_names =
+            declarations_using_a_property.
+            map { |req| req.dig(:metadata, :property_name) }
+
+          RequirementsUpdater.new(
+            requirements: dependency.requirements,
+            latest_version: latest_version&.to_s,
+            source_url: latest_version_details&.fetch(:source_url),
+            properties_to_update: property_names
+          ).updated_requirements
+        end
+
+        def requirements_unlocked_or_can_be?
+          declarations_using_a_property.none? do |requirement|
+            prop_name = requirement.dig(:metadata, :property_name)
+            pom = dependency_files.find { |f| f.name == requirement[:file] }
+
+            declaration_pom_name =
+              property_value_finder.
+              property_details(property_name: prop_name, callsite_pom: pom)&.
+              fetch(:file)
+
+            declaration_pom_name == "remote_pom.xml" ||
+              declaration_pom_name.end_with?("pom_parent.xml")
+          end
+        end
+
+        private
+
+        def latest_version_resolvable_with_full_unlock?
+          return false unless version_comes_from_multi_dependency_property?
+
+          property_updater.update_possible?
+        end
+
+        def updated_dependencies_after_full_unlock
+          property_updater.updated_dependencies
+        end
+
+        def numeric_version_up_to_date?
+          return false unless version_class.correct?(dependency.version)
+
+          super
+        end
+
+        def numeric_version_can_update?(requirements_to_unlock:)
+          return false unless version_class.correct?(dependency.version)
+
+          super
+        end
+
+        def latest_version_details
+          @latest_version_details ||= version_finder.latest_version_details
+        end
+
+        def version_finder
+          @version_finder ||=
+            VersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def property_updater
+          @property_updater ||=
+            PropertyUpdater.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              target_version_details: latest_version_details,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def property_value_finder
+          @property_value_finder ||=
+            FileParsers::Java::Maven::PropertyValueFinder.
+            new(dependency_files: dependency_files)
+        end
+
+        def version_comes_from_multi_dependency_property?
+          declarations_using_a_property.any? do |requirement|
+            property_name = requirement.fetch(:metadata).fetch(:property_name)
+            property_source = requirement.fetch(:metadata).
+                              fetch(:property_source)
+
+            all_property_based_dependencies.any? do |dep|
+              next false if dep.name == dependency.name
+
+              dep.requirements.any? do |req|
+                next unless req.dig(:metadata, :property_name) == property_name
+
+                req.dig(:metadata, :property_source) == property_source
+              end
+            end
+          end
+        end
+
+        def declarations_using_a_property
+          @declarations_using_a_property ||=
+            dependency.requirements.
+            select { |req| req.dig(:metadata, :property_name) }
+        end
+
+        def all_property_based_dependencies
+          @all_property_based_dependencies ||=
+            FileParsers::Java::Maven.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select do |dep|
+              dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
+            end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java/maven/property_updater.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+require "dependabot/file_parsers/java/maven"
+require "dependabot/update_checkers/java/maven"
+require "dependabot/update_checkers/java/maven/requirements_updater"
+require "dependabot/file_updaters/java/maven/declaration_finder"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Maven
+        class PropertyUpdater
+          require_relative "version_finder"
+
+          def initialize(dependency:, dependency_files:, credentials:,
+                         target_version_details:, ignored_versions:)
+            @dependency       = dependency
+            @dependency_files = dependency_files
+            @credentials      = credentials
+            @ignored_versions = ignored_versions
+            @target_version   = target_version_details&.fetch(:version)
+            @source_url       = target_version_details&.fetch(:source_url)
+          end
+
+          def update_possible?
+            return false unless target_version
+
+            @update_possible ||=
+              dependencies_using_property.all? do |dep|
+                versions = VersionFinder.new(
+                  dependency: dep,
+                  dependency_files: dependency_files,
+                  credentials: credentials,
+                  ignored_versions: ignored_versions
+                ).versions.map { |v| v.fetch(:version) }
+
+                versions.include?(target_version) || versions.none?
+              end
+          end
+
+          def updated_dependencies
+            raise "Update not possible!" unless update_possible?
+
+            @updated_dependencies ||=
+              dependencies_using_property.map do |dep|
+                Dependency.new(
+                  name: dep.name,
+                  version: updated_version(dep),
+                  requirements: updated_requirements(dep),
+                  previous_version: dep.version,
+                  previous_requirements: dep.requirements,
+                  package_manager: dep.package_manager
+                )
+              end
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :target_version,
+                      :source_url, :credentials, :ignored_versions
+
+          def dependencies_using_property
+            @dependencies_using_property ||=
+              FileParsers::Java::Maven.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select do |dep|
+                dep.requirements.any? do |r|
+                  next unless r.dig(:metadata, :property_name) == property_name
+
+                  r.dig(:metadata, :property_source) == property_source
+                end
+              end
+          end
+
+          def property_name
+            @property_name ||= dependency.requirements.
+                               find { |r| r.dig(:metadata, :property_name) }&.
+                               dig(:metadata, :property_name)
+
+            raise "No requirement with a property name!" unless @property_name
+
+            @property_name
+          end
+
+          def property_source
+            @property_source ||=
+              dependency.requirements.
+              find { |r| r.dig(:metadata, :property_name) == property_name }&.
+              dig(:metadata, :property_source)
+          end
+
+          def version_string(dep)
+            declaring_requirement =
+              dep.requirements.
+              find { |r| r.dig(:metadata, :property_name) == property_name }
+
+            FileUpdaters::Java::Maven::DeclarationFinder.new(
+              dependency: dep,
+              declaring_requirement: declaring_requirement,
+              dependency_files: dependency_files
+            ).declaration_nodes.first.at_css("version")&.content
+          end
+
+          def pom
+            dependency_files.find { |f| f.name == "pom.xml" }
+          end
+
+          def updated_version(dep)
+            version_string(dep).gsub("${#{property_name}}", target_version.to_s)
+          end
+
+          def updated_requirements(dep)
+            @updated_requirements ||= {}
+            @updated_requirements[dep.name] ||=
+              RequirementsUpdater.new(
+                requirements: dep.requirements,
+                latest_version: updated_version(dep),
+                source_url: source_url,
+                properties_to_update: [property_name]
+              ).updated_requirements
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java/maven/requirements_updater.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+#######################################################
+# For more details on Maven version constraints, see: #
+# https://maven.apache.org/pom.html#Dependencies      #
+#######################################################
+
+require "dependabot/update_checkers/java/maven"
+require "dependabot/utils/java/version"
+require "dependabot/utils/java/requirement"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Maven
+        class RequirementsUpdater
+          def initialize(requirements:, latest_version:, source_url:,
+                         properties_to_update:)
+            @requirements = requirements
+            @source_url = source_url
+            @properties_to_update = properties_to_update
+            return unless latest_version
+
+            @latest_version = version_class.new(latest_version)
+          end
+
+          def updated_requirements
+            return requirements unless latest_version
+
+            # Note: Order is important here. The FileUpdater needs the updated
+            # requirement at index `i` to correspond to the previous requirement
+            # at the same index.
+            requirements.map do |req|
+              next req if req.fetch(:requirement).nil?
+              next req if req.fetch(:requirement).include?(",")
+
+              property_name = req.dig(:metadata, :property_name)
+              if property_name && !properties_to_update.include?(property_name)
+                next req
+              end
+
+              new_req = update_requirement(req[:requirement])
+              req.merge(requirement: new_req, source: updated_source)
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :latest_version, :source_url,
+                      :properties_to_update
+
+          def update_requirement(req_string)
+            if req_string.include?(".+")
+              update_dynamic_requirement(req_string)
+            else
+              # Since range requirements are excluded this must be exact
+              update_exact_requirement(req_string)
+            end
+          end
+
+          def update_exact_requirement(req_string)
+            old_version = requirement_class.new(req_string).
+                          requirements.first.last
+            req_string.gsub(old_version.to_s, latest_version.to_s)
+          end
+
+          # This is really only a Gradle thing, but Gradle relies on this
+          # RequirementsUpdater too
+          def update_dynamic_requirement(req_string)
+            precision = req_string.split(".").take_while { |s| s != "+" }.count
+
+            version_parts = latest_version.segments.first(precision)
+
+            version_parts.join(".") + ".+"
+          end
+
+          def version_class
+            Utils::Java::Version
+          end
+
+          def requirement_class
+            Utils::Java::Requirement
+          end
+
+          def updated_source
+            { type: "maven_repo", url: source_url }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java/maven/version_finder.rb

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/shared_helpers"
+require "dependabot/file_parsers/java/maven/repositories_finder"
+require "dependabot/update_checkers/java/maven"
+require "dependabot/utils/java/version"
+require "dependabot/utils/java/requirement"
+
+module Dependabot
+  module UpdateCheckers
+    module Java
+      class Maven
+        class VersionFinder
+          TYPE_SUFFICES = %w(jre android java).freeze
+
+          def initialize(dependency:, dependency_files:, credentials:,
+                         ignored_versions:)
+            @dependency       = dependency
+            @dependency_files = dependency_files
+            @credentials      = credentials
+            @ignored_versions = ignored_versions
+            @forbidden_urls   = []
+          end
+
+          def latest_version_details
+            possible_versions = versions
+
+            unless wants_prerelease?
+              possible_versions =
+                possible_versions.
+                reject { |v| v.fetch(:version).prerelease? }
+            end
+
+            unless wants_date_based_version?
+              possible_versions =
+                possible_versions.
+                reject { |v| v.fetch(:version) > version_class.new(1900) }
+            end
+
+            possible_versions =
+              possible_versions.
+              select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+
+            ignored_versions.each do |req|
+              ignore_req = Utils::Java::Requirement.new(req.split(","))
+              possible_versions =
+                possible_versions.
+                reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
+            end
+
+            possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
+          end
+
+          def versions
+            version_details =
+              repositories.map do |repository_details|
+                url = repository_details.fetch("url")
+                dependency_metadata(repository_details).
+                  css("versions > version").
+                  select { |node| version_class.correct?(node.content) }.
+                  map { |node| version_class.new(node.content) }.
+                  map { |version| { version: version, source_url: url } }
+              end.flatten
+
+            if version_details.none? && forbidden_urls.any?
+              raise PrivateSourceAuthenticationFailure, forbidden_urls.first
+            end
+
+            version_details.sort_by { |details| details.fetch(:version) }
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :credentials,
+                      :ignored_versions, :forbidden_urls
+
+          def wants_prerelease?
+            return false unless dependency.version
+            return false unless version_class.correct?(dependency.version)
+
+            version_class.new(dependency.version).prerelease?
+          end
+
+          def wants_date_based_version?
+            return false unless dependency.version
+            return false unless version_class.correct?(dependency.version)
+
+            version_class.new(dependency.version) >= version_class.new(100)
+          end
+
+          def released?(version)
+            repositories.any? do |repository_details|
+              url = repository_details.fetch("url")
+              response = Excon.get(
+                dependency_files_url(url, version),
+                user: repository_details.fetch("username"),
+                password: repository_details.fetch("password"),
+                idempotent: true,
+                **SharedHelpers.excon_defaults
+              )
+
+              artifact_id = dependency.name.split(":").last
+              type = dependency.requirements.first.
+                     dig(:metadata, :packaging_type)
+              response.body.include?("#{artifact_id}-#{version}.#{type}")
+            rescue Excon::Error::Socket, Excon::Error::Timeout
+              false
+            end
+          end
+
+          def dependency_metadata(repository_details)
+            @dependency_metadata ||= {}
+            @dependency_metadata[repository_details.hash] ||=
+              begin
+                response = Excon.get(
+                  dependency_metadata_url(repository_details.fetch("url")),
+                  user: repository_details.fetch("username"),
+                  password: repository_details.fetch("password"),
+                  idempotent: true,
+                  **SharedHelpers.excon_defaults
+                )
+                check_response(response, repository_details.fetch("url"))
+                Nokogiri::XML(response.body)
+              rescue Excon::Error::Socket, Excon::Error::Timeout
+                central =
+                  FileParsers::Java::Maven::RepositoriesFinder::CENTRAL_REPO_URL
+                raise if repository_details.fetch("url") == central
+
+                Nokogiri::XML("")
+              end
+          end
+
+          def check_response(response, repository_url)
+            central =
+              FileParsers::Java::Maven::RepositoriesFinder::CENTRAL_REPO_URL
+
+            return unless [401, 403].include?(response.status)
+            return if @forbidden_urls.include?(repository_url)
+            return if repository_url == central
+
+            @forbidden_urls << repository_url
+          end
+
+          def repositories
+            return @repositories if @repositories
+
+            details = pom_repository_details + credentials_repository_details
+
+            @repositories =
+              details.reject do |repo|
+                next if repo["password"]
+
+                # Reject this entry if an identical one with a password exists
+                details.any? { |r| r["url"] == repo["url"] && r["password"] }
+              end
+          end
+
+          def pom_repository_details
+            @pom_repository_details ||=
+              FileParsers::Java::Maven::RepositoriesFinder.
+              new(dependency_files: dependency_files).
+              repository_urls(pom: pom).
+              map do |url|
+                { "url" => url, "username" => nil, "password" => nil }
+              end
+          end
+
+          def credentials_repository_details
+            credentials.
+              select { |cred| cred["type"] == "maven_repository" }.
+              map do |cred|
+                {
+                  "url" => cred.fetch("url").gsub(%r{/+$}, ""),
+                  "username" => cred.fetch("username", nil),
+                  "password" => cred.fetch("password", nil)
+                }
+              end
+          end
+
+          def matches_dependency_version_type?(comparison_version)
+            return true unless dependency.version
+
+            current_type =
+              TYPE_SUFFICES.
+              find { |t| dependency.version.split(/[.\-]/).include?(t) }
+
+            version_type =
+              TYPE_SUFFICES.
+              find { |t| comparison_version.to_s.split(/[.\-]/).include?(t) }
+
+            current_type == version_type
+          end
+
+          def pom
+            filename = dependency.requirements.first.fetch(:file)
+            dependency_files.find { |f| f.name == filename }
+          end
+
+          def dependency_metadata_url(repository_url)
+            group_id, artifact_id = dependency.name.split(":")
+
+            "#{repository_url}/"\
+            "#{group_id.tr('.', '/')}/"\
+            "#{artifact_id}/"\
+            "maven-metadata.xml"
+          end
+
+          def dependency_files_url(repository_url, version)
+            group_id, artifact_id = dependency.name.split(":")
+
+            "#{repository_url}/"\
+            "#{group_id.tr('.', '/')}/"\
+            "#{artifact_id}/"\
+            "#{version}/"
+          end
+
+          def version_class
+            Utils::Java::Version
+          end
+        end
+      end
+    end
+  end
+end