dependabot-core 0.76.1

data/lib/dependabot/update_checkers/rust/cargo/requirements_updater.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on rust version constraints, see:                           #
+# - https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html     #
+# - https://steveklabnik.github.io/semver/semver/index.html                    #
+################################################################################
+
+require "dependabot/update_checkers/rust/cargo"
+require "dependabot/utils/rust/requirement"
+require "dependabot/utils/rust/version"
+
+module Dependabot
+  module UpdateCheckers
+    module Rust
+      class Cargo
+        class RequirementsUpdater
+          class UnfixableRequirement < StandardError; end
+
+          VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-*]+)*/.freeze
+          ALLOWED_UPDATE_STRATEGIES =
+            %i(bump_versions bump_versions_if_necessary).freeze
+
+          def initialize(requirements:, updated_source:, update_strategy:,
+                         library:, latest_version:, latest_resolvable_version:)
+            @requirements = requirements
+            @updated_source = updated_source
+            @update_strategy = update_strategy
+            @library = library
+
+            check_update_strategy
+
+            if latest_version && version_class.correct?(latest_version)
+              @latest_version = version_class.new(latest_version)
+            end
+
+            return unless latest_resolvable_version
+            return unless version_class.correct?(latest_resolvable_version)
+
+            @latest_resolvable_version =
+              version_class.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            # Note: Order is important here. The FileUpdater needs the updated
+            # requirement at index `i` to correspond to the previous requirement
+            # at the same index.
+            requirements.map do |req|
+              req = req.merge(source: updated_source)
+              next req unless latest_resolvable_version
+              next req if req[:requirement].nil?
+
+              # TODO: Add a widen_ranges options
+              if update_strategy == :bump_versions_if_necessary
+                update_version_requirement_if_needed(req)
+              else
+                update_version_requirement(req)
+              end
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :updated_source, :update_strategy,
+                      :latest_version, :latest_resolvable_version
+
+          def library?
+            @library
+          end
+
+          def check_update_strategy
+            return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+            raise "Unknown update strategy: #{update_strategy}"
+          end
+
+          def target_version
+            library? ? latest_version : latest_resolvable_version
+          end
+
+          def update_version_requirement(req)
+            string_reqs = req[:requirement].split(",").map(&:strip)
+
+            new_requirement =
+              if (exact_req = exact_req(string_reqs))
+                # If there's an exact version, just return that
+                # (it will dominate any other requirements)
+                update_version_string(exact_req)
+              elsif (req_to_update = non_range_req(string_reqs)) &&
+                    update_version_string(req_to_update) != req_to_update
+                # If a ~, ^, or * range needs to be updated, just return that
+                # (it will dominate any other requirements)
+                update_version_string(req_to_update)
+              else
+                # Otherwise, we must have a range requirement that needs
+                # updating. Update it, but keep other requirements too
+                update_range_requirements(string_reqs)
+              end
+
+            req.merge(requirement: new_requirement)
+          end
+
+          def update_version_requirement_if_needed(req)
+            string_reqs = req[:requirement].split(",").map(&:strip)
+            ruby_reqs = string_reqs.map { |r| Utils::Rust::Requirement.new(r) }
+
+            return req if ruby_reqs.all? { |r| r.satisfied_by?(target_version) }
+
+            update_version_requirement(req)
+          end
+
+          def update_version_string(req_string)
+            req_string.sub(VERSION_REGEX) do |old_version|
+              # For pre-release versions, just use the full version string
+              next target_version.to_s if old_version.match?(/\d-/)
+
+              old_parts = old_version.split(".")
+              new_parts = target_version.to_s.split(".").
+                          first(old_parts.count)
+              new_parts.map.with_index do |part, i|
+                old_parts[i] == "*" ? "*" : part
+              end.join(".")
+            end
+          end
+
+          def non_range_req(string_reqs)
+            string_reqs.find { |r| r.include?("*") || r.match?(/^[\d~^]/) }
+          end
+
+          def exact_req(string_reqs)
+            string_reqs.find { |r| Utils::Rust::Requirement.new(r).exact? }
+          end
+
+          def update_range_requirements(string_reqs)
+            string_reqs.map do |req|
+              next req unless req.match?(/[<>]/)
+
+              ruby_req = Utils::Rust::Requirement.new(req)
+              next req if ruby_req.satisfied_by?(target_version)
+
+              raise UnfixableRequirement if req.start_with?(">")
+
+              req.sub(VERSION_REGEX) do |old_version|
+                update_greatest_version(old_version, target_version)
+              end
+            end.join(", ")
+          rescue UnfixableRequirement
+            :unfixable
+          end
+
+          def update_greatest_version(old_version, version_to_be_permitted)
+            version = version_class.new(old_version)
+            version = version.release if version.prerelease?
+
+            index_to_update =
+              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+            version.segments.map.with_index do |_, index|
+              if index < index_to_update
+                version_to_be_permitted.segments[index]
+              elsif index == index_to_update
+                version_to_be_permitted.segments[index] + 1
+              else 0
+              end
+            end.join(".")
+          end
+
+          def version_class
+            Utils::Rust::Version
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/rust/cargo/version_resolver.rb

@@ -0,0 +1,242 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/shared_helpers"
+require "dependabot/file_parsers/rust/cargo"
+require "dependabot/update_checkers/rust/cargo"
+require "dependabot/utils/rust/version"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module Rust
+      class Cargo
+        class VersionResolver
+          BRANCH_NOT_FOUND_REGEX =
+            /failed to find branch `(?<branch>[^`]+)`/.freeze
+
+          def initialize(dependency:, credentials:,
+                         original_dependency_files:, prepared_dependency_files:)
+            @dependency = dependency
+            @prepared_dependency_files = prepared_dependency_files
+            @original_dependency_files = original_dependency_files
+            @credentials = credentials
+          end
+
+          def latest_resolvable_version
+            @latest_resolvable_version ||= fetch_latest_resolvable_version
+          end
+
+          private
+
+          attr_reader :dependency, :credentials,
+                      :prepared_dependency_files, :original_dependency_files
+
+          def fetch_latest_resolvable_version
+            base_directory = prepared_dependency_files.first.directory
+            SharedHelpers.in_a_temporary_directory(base_directory) do
+              write_temporary_dependency_files
+
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                # Shell out to Cargo, which handles everything for us, and does
+                # so without doing an install (so it's fast).
+                command = "cargo update -p #{dependency_spec} --verbose"
+                run_cargo_command(command)
+              end
+
+              new_lockfile_content = File.read("Cargo.lock")
+              updated_version = get_version_from_lockfile(new_lockfile_content)
+
+              return if updated_version.nil?
+              return updated_version if git_dependency?
+
+              version_class.new(updated_version)
+            end
+          rescue SharedHelpers::HelperSubprocessFailed => error
+            handle_cargo_errors(error)
+          end
+
+          def get_version_from_lockfile(lockfile_content)
+            versions = TomlRB.parse(lockfile_content).fetch("package").
+                       select { |p| p["name"] == dependency.name }
+
+            updated_version =
+              if dependency.top_level?
+                versions.max_by { |p| version_class.new(p.fetch("version")) }
+              else
+                versions.min_by { |p| version_class.new(p.fetch("version")) }
+              end
+
+            if git_dependency?
+              updated_version.fetch("source").split("#").last
+            else
+              updated_version.fetch("version")
+            end
+          end
+
+          def dependency_spec
+            spec = dependency.name
+
+            if git_dependency?
+              spec += ":#{git_dependency_version}" if git_dependency_version
+            elsif dependency.version
+              spec += ":#{dependency.version}"
+            end
+
+            spec
+          end
+
+          def run_cargo_command(command)
+            raw_response = nil
+            IO.popen(command, err: %i(child out)) do |process|
+              raw_response = process.read
+            end
+
+            # Raise an error with the output from the shell session if Cargo
+            # returns a non-zero status
+            return if $CHILD_STATUS.success?
+
+            raise SharedHelpers::HelperSubprocessFailed.new(
+              raw_response,
+              command
+            )
+          end
+
+          def write_temporary_dependency_files(prepared: true)
+            write_manifest_files(prepared: prepared)
+
+            File.write(lockfile.name, lockfile.content) if lockfile
+            File.write(toolchain.name, toolchain.content) if toolchain
+          end
+
+          def handle_cargo_errors(error)
+            if error.message.include?("does not have these features")
+              # TODO: Ideally we should update the declaration not to ask
+              # for the specified features
+              return nil
+            end
+
+            if error.message.match?(BRANCH_NOT_FOUND_REGEX)
+              branch = error.message.match(BRANCH_NOT_FOUND_REGEX).
+                       named_captures.fetch("branch")
+              raise Dependabot::BranchNotFound, branch
+            end
+
+            if resolvability_error?(error.message)
+              raise Dependabot::DependencyFileNotResolvable, error.message
+            end
+
+            raise error
+          end
+
+          def resolvability_error?(message)
+            return true if message.include?("failed to parse lock")
+            return true if message.include?("believes it's in a workspace")
+            return true if message.include?("wasn't a root")
+            return true if message.include?("requires a nightly version")
+            return true if message.match?(/feature `[^\`]+` is required/)
+
+            !original_requirements_resolvable?
+          end
+
+          def original_requirements_resolvable?
+            base_directory = original_dependency_files.first.directory
+            SharedHelpers.in_a_temporary_directory(base_directory) do
+              write_temporary_dependency_files(prepared: false)
+
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                command = "cargo update -p #{dependency_spec} --verbose"
+                run_cargo_command(command)
+              end
+            end
+
+            true
+          rescue SharedHelpers::HelperSubprocessFailed => error
+            raise unless error.message.include?("no matching version") ||
+                         error.message.include?("failed to select a version")
+
+            false
+          end
+
+          def write_manifest_files(prepared: true)
+            manifest_files = if prepared then prepared_manifest_files
+                             else original_manifest_files
+                             end
+
+            manifest_files.each do |file|
+              path = file.name
+              dir = Pathname.new(path).dirname
+              FileUtils.mkdir_p(dir)
+              File.write(file.name, sanitized_manifest_content(file.content))
+
+              FileUtils.mkdir_p(File.join(dir, "src"))
+              File.write(File.join(dir, "src/lib.rs"), dummy_app_content)
+              File.write(File.join(dir, "src/main.rs"), dummy_app_content)
+            end
+          end
+
+          def git_dependency_version
+            return unless lockfile
+
+            TomlRB.parse(lockfile.content).
+              fetch("package", []).
+              select { |p| p["name"] == dependency.name }.
+              find { |p| p["source"].end_with?(dependency.version) }.
+              fetch("version")
+          end
+
+          def dummy_app_content
+            %{fn main() {\nprintln!("Hello, world!");\n}}
+          end
+
+          def sanitized_manifest_content(content)
+            object = TomlRB.parse(content)
+
+            package_name = object.dig("package", "name")
+            return content unless package_name&.match?(/[\{\}]/)
+
+            if lockfile
+              raise "Sanitizing name for pkg with lockfile. Investigate!"
+            end
+
+            object["package"]["name"] = "sanitized"
+            TomlRB.dump(object)
+          end
+
+          def prepared_manifest_files
+            @prepared_manifest_files ||=
+              prepared_dependency_files.
+              select { |f| f.name.end_with?("Cargo.toml") }
+          end
+
+          def original_manifest_files
+            @original_manifest_files ||=
+              original_dependency_files.
+              select { |f| f.name.end_with?("Cargo.toml") }
+          end
+
+          def lockfile
+            @lockfile ||= prepared_dependency_files.
+                          find { |f| f.name == "Cargo.lock" }
+          end
+
+          def toolchain
+            @toolchain ||= prepared_dependency_files.
+                           find { |f| f.name == "rust-toolchain" }
+          end
+
+          def git_dependency?
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials
+            ).git_dependency?
+          end
+
+          def version_class
+            Utils::Rust::Version
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/utils.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "dependabot/utils/dotnet/version"
+require "dependabot/utils/elixir/version"
+require "dependabot/utils/java/version"
+require "dependabot/utils/java_script/version"
+require "dependabot/utils/php/version"
+require "dependabot/utils/python/version"
+require "dependabot/utils/rust/version"
+require "dependabot/utils/go/version"
+require "dependabot/utils/elm/version"
+
+require "dependabot/utils/dotnet/requirement"
+require "dependabot/utils/elixir/requirement"
+require "dependabot/utils/java/requirement"
+require "dependabot/utils/java_script/requirement"
+require "dependabot/utils/php/requirement"
+require "dependabot/utils/python/requirement"
+require "dependabot/utils/ruby/requirement"
+require "dependabot/utils/rust/requirement"
+require "dependabot/utils/go/requirement"
+require "dependabot/utils/elm/requirement"
+
+# TODO: in due course, these "registries" should live in a wrapper gem, not
+#       dependabot-core.
+module Dependabot
+  module Utils
+    @version_classes = {
+      "bundler" => Gem::Version,
+      "submodules" => Gem::Version,
+      "docker" => Gem::Version,
+      "nuget" => Utils::Dotnet::Version,
+      "maven" => Utils::Java::Version,
+      "gradle" => Utils::Java::Version,
+      "npm_and_yarn" => Utils::JavaScript::Version,
+      "pip" => Utils::Python::Version,
+      "composer" => Utils::Php::Version,
+      "hex" => Utils::Elixir::Version,
+      "cargo" => Utils::Rust::Version,
+      "dep" => Utils::Go::Version,
+      "go_modules" => Utils::Go::Version,
+      "elm-package" => Utils::Elm::Version
+    }
+
+    def self.version_class_for_package_manager(package_manager)
+      version_class = @version_classes[package_manager]
+      return version_class if version_class
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register_version_class(package_manager, version_class)
+      @version_classes[package_manager] = version_class
+    end
+
+    @requirement_classes = {
+      "bundler" => Utils::Ruby::Requirement,
+      "submodules" => Utils::Ruby::Requirement,
+      "docker" => Utils::Ruby::Requirement,
+      "nuget" => Utils::Dotnet::Requirement,
+      "maven" => Utils::Java::Requirement,
+      "gradle" => Utils::Java::Requirement,
+      "npm_and_yarn" => Utils::JavaScript::Requirement,
+      "pip" => Utils::Python::Requirement,
+      "composer" => Utils::Php::Requirement,
+      "hex" => Utils::Elixir::Requirement,
+      "cargo" => Utils::Rust::Requirement,
+      "dep" => Utils::Go::Requirement,
+      "go_modules" => Utils::Go::Requirement,
+      "elm-package" => Utils::Elm::Requirement
+    }
+
+    def self.requirement_class_for_package_manager(package_manager)
+      requirement_class = @requirement_classes[package_manager]
+      return requirement_class if requirement_class
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register_requirement_class(package_manager, requirement_class)
+      @requirement_classes[package_manager] = requirement_class
+    end
+  end
+end