dependabot-core 0.80.1 → 0.81.0

data/lib/dependabot/file_parsers/rust/cargo.rb

@@ -1,213 +0,0 @@
-# frozen_string_literal: true
-
-require "toml-rb"
-
-require "dependabot/dependency"
-require "dependabot/file_parsers/base"
-require "dependabot/utils/rust/requirement"
-require "dependabot/utils/rust/version"
-require "dependabot/errors"
-
-# Relevant Cargo docs can be found at:
-# - https://doc.rust-lang.org/cargo/reference/manifest.html
-# - https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
-module Dependabot
-  module FileParsers
-    module Rust
-      class Cargo < Dependabot::FileParsers::Base
-        require "dependabot/file_parsers/base/dependency_set"
-
-        DEPENDENCY_TYPES =
-          %w(dependencies dev-dependencies build-dependencies).freeze
-
-        def parse
-          check_rust_workspace_root
-
-          dependency_set = DependencySet.new
-          dependency_set += manifest_dependencies
-          dependency_set += lockfile_dependencies if lockfile
-
-          dependencies = dependency_set.dependencies
-
-          # TODO: Handle patched dependencies
-          dependencies.reject! { |d| patched_dependencies.include?(d.name) }
-
-          # TODO: Currently, Dependabot can't handle dependencies that have
-          # multiple source types. Fix that!
-          dependencies.reject do |dep|
-            dep.requirements.map { |r| r.dig(:source, :type) }.uniq.count > 1
-          end
-        end
-
-        private
-
-        def check_rust_workspace_root
-          cargo_toml = dependency_files.find { |f| f.name == "Cargo.toml" }
-          workspace_root = parsed_file(cargo_toml).dig("package", "workspace")
-          return unless workspace_root
-
-          msg = "This project is part of a Rust workspace but is not the "\
-                "workspace root."\
-
-          if cargo_toml.directory != "/"
-            msg += "Please update your settings so Dependabot points at the "\
-                   "workspace root instead of #{cargo_toml.directory}."
-          end
-          raise Dependabot::DependencyFileNotEvaluatable, msg
-        end
-
-        def manifest_dependencies
-          dependency_set = DependencySet.new
-
-          DEPENDENCY_TYPES.each do |type|
-            manifest_files.each do |file|
-              parsed_file(file).fetch(type, {}).each do |name, requirement|
-                next if lockfile && !version_from_lockfile(name, requirement)
-
-                dependency_set << Dependency.new(
-                  name: name,
-                  version: version_from_lockfile(name, requirement),
-                  package_manager: "cargo",
-                  requirements: [{
-                    requirement: requirement_from_declaration(requirement),
-                    file: file.name,
-                    groups: [type],
-                    source: source_from_declaration(requirement)
-                  }]
-                )
-              end
-            end
-          end
-
-          dependency_set
-        end
-
-        def lockfile_dependencies
-          dependency_set = DependencySet.new
-          return dependency_set unless lockfile
-
-          parsed_file(lockfile).fetch("package", []).each do |package_details|
-            next unless package_details["source"]
-
-            # TODO: This isn't quite right, as it will only give us one
-            # version of each dependency (when in fact there are many)
-            dependency_set << Dependency.new(
-              name: package_details["name"],
-              version: version_from_lockfile_details(package_details),
-              package_manager: "cargo",
-              requirements: []
-            )
-          end
-
-          dependency_set
-        end
-
-        def patched_dependencies
-          root_manifest = manifest_files.find { |f| f.name == "Cargo.toml" }
-          return [] unless parsed_file(root_manifest)["patch"]
-
-          parsed_file(root_manifest)["patch"].values.flat_map(&:keys)
-        end
-
-        def requirement_from_declaration(declaration)
-          if declaration.is_a?(String)
-            return declaration == "" ? nil : declaration
-          end
-          unless declaration.is_a?(Hash)
-            raise "Unexpected dependency declaration: #{declaration}"
-          end
-          return declaration["version"] if declaration["version"]
-
-          nil
-        end
-
-        def source_from_declaration(declaration)
-          return if declaration.is_a?(String)
-          unless declaration.is_a?(Hash)
-            raise "Unexpected dependency declaration: #{declaration}"
-          end
-
-          return git_source_details(declaration) if declaration["git"]
-          return { type: "path" } if declaration["path"]
-        end
-
-        def version_from_lockfile(name, declaration)
-          return unless lockfile
-
-          candidate_packages =
-            parsed_file(lockfile).fetch("package", []).
-            select { |p| p["name"] == name }
-
-          if (req = requirement_from_declaration(declaration))
-            req = Utils::Rust::Requirement.new(req)
-
-            candidate_packages =
-              candidate_packages.
-              select { |p| req.satisfied_by?(version_class.new(p["version"])) }
-          end
-
-          candidate_packages =
-            candidate_packages.
-            select do |p|
-              git_req?(declaration) ^ !p["source"]&.start_with?("git+")
-            end
-
-          package =
-            candidate_packages.
-            max_by { |p| version_class.new(p["version"]) }
-
-          return unless package
-
-          version_from_lockfile_details(package)
-        end
-
-        def git_req?(declaration)
-          source_from_declaration(declaration)&.fetch(:type, nil) == "git"
-        end
-
-        def git_source_details(declaration)
-          {
-            type: "git",
-            url: declaration["git"],
-            branch: declaration["branch"],
-            ref: declaration["tag"] || declaration["rev"]
-          }
-        end
-
-        def version_from_lockfile_details(package_details)
-          unless package_details["source"]&.start_with?("git+")
-            return package_details["version"]
-          end
-
-          package_details["source"].split("#").last
-        end
-
-        def check_required_files
-          raise "No Cargo.toml!" unless get_original_file("Cargo.toml")
-        end
-
-        def parsed_file(file)
-          @parsed_file ||= {}
-          @parsed_file[file.name] ||= TomlRB.parse(file.content)
-        rescue TomlRB::ParseError
-          raise Dependabot::DependencyFileNotParseable, file.path
-        end
-
-        def manifest_files
-          @manifest_files ||=
-            dependency_files.
-            select { |f| f.name.end_with?("Cargo.toml") }.
-            reject { |f| f.type == "path_dependency" }
-        end
-
-        def lockfile
-          @lockfile ||= get_original_file("Cargo.lock")
-        end
-
-        def version_class
-          Utils::Rust::Version
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/rust/cargo.rb

@@ -1,83 +0,0 @@
-# frozen_string_literal: true
-
-require "toml-rb"
-require "dependabot/git_commit_checker"
-require "dependabot/file_updaters/base"
-require "dependabot/file_parsers/rust/cargo"
-require "dependabot/shared_helpers"
-
-module Dependabot
-  module FileUpdaters
-    module Rust
-      class Cargo < Dependabot::FileUpdaters::Base
-        require_relative "cargo/manifest_updater"
-        require_relative "cargo/lockfile_updater"
-
-        def self.updated_files_regex
-          [
-            /^Cargo\.toml$/,
-            /^Cargo\.lock$/
-          ]
-        end
-
-        def updated_dependency_files
-          # Returns an array of updated files. Only files that have been updated
-          # should be returned.
-          updated_files = []
-
-          manifest_files.each do |file|
-            next unless file_changed?(file)
-
-            updated_files <<
-              updated_file(
-                file: file,
-                content: updated_manifest_content(file)
-              )
-          end
-
-          if lockfile && updated_lockfile_content != lockfile.content
-            updated_files <<
-              updated_file(file: lockfile, content: updated_lockfile_content)
-          end
-
-          raise "No files changed!" if updated_files.empty?
-
-          updated_files
-        end
-
-        private
-
-        def check_required_files
-          raise "No Cargo.toml!" unless get_original_file("Cargo.toml")
-        end
-
-        def updated_manifest_content(file)
-          ManifestUpdater.new(
-            dependencies: dependencies,
-            manifest: file
-          ).updated_manifest_content
-        end
-
-        def updated_lockfile_content
-          @updated_lockfile_content ||=
-            LockfileUpdater.new(
-              dependencies: dependencies,
-              dependency_files: dependency_files,
-              credentials: credentials
-            ).updated_lockfile_content
-        end
-
-        def manifest_files
-          @manifest_files ||=
-            dependency_files.
-            select { |f| f.name.end_with?("Cargo.toml") }.
-            reject { |f| f.type == "path_dependency" }
-        end
-
-        def lockfile
-          @lockfile ||= get_original_file("Cargo.lock")
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/rust/cargo/lockfile_updater.rb

@@ -1,251 +0,0 @@
-# frozen_string_literal: true
-
-require "toml-rb"
-require "dependabot/git_commit_checker"
-require "dependabot/file_updaters/rust/cargo"
-require "dependabot/file_updaters/rust/cargo/manifest_updater"
-require "dependabot/file_parsers/rust/cargo"
-require "dependabot/shared_helpers"
-
-module Dependabot
-  module FileUpdaters
-    module Rust
-      class Cargo
-        class LockfileUpdater
-          def initialize(dependencies:, dependency_files:, credentials:)
-            @dependencies = dependencies
-            @dependency_files = dependency_files
-            @credentials = credentials
-          end
-
-          def updated_lockfile_content
-            base_directory = dependency_files.first.directory
-            SharedHelpers.in_a_temporary_directory(base_directory) do
-              write_temporary_dependency_files
-
-              SharedHelpers.with_git_configured(credentials: credentials) do
-                # Shell out to Cargo, which handles everything for us, and does
-                # so without doing an install (so it's fast).
-                command = "cargo update -p #{dependency_spec}"
-                run_shell_command(command)
-              end
-
-              updated_lockfile = File.read("Cargo.lock")
-              updated_lockfile = post_process_lockfile(updated_lockfile)
-
-              if updated_lockfile.include?(desired_lockfile_content)
-                next updated_lockfile
-              end
-
-              raise "Failed to update #{dependency.name}!"
-            end
-          rescue Dependabot::SharedHelpers::HelperSubprocessFailed => error
-            handle_cargo_error(error)
-          end
-
-          private
-
-          attr_reader :dependencies, :dependency_files, :credentials
-
-          # Currently, there will only be a single updated dependency
-          def dependency
-            dependencies.first
-          end
-
-          def handle_cargo_error(error)
-            raise unless error.message.include?("no matching version")
-            raise if error.message.include?("`#{dependency.name}`")
-
-            raise Dependabot::DependencyFileNotResolvable, error.message
-          end
-
-          def dependency_spec
-            spec = dependency.name
-
-            if git_dependency?
-              spec += ":#{git_previous_version}" if git_previous_version
-            elsif dependency.previous_version
-              spec += ":#{dependency.previous_version}"
-            end
-
-            spec
-          end
-
-          def git_previous_version
-            TomlRB.parse(lockfile.content).
-              fetch("package", []).
-              select { |p| p["name"] == dependency.name }.
-              find { |p| p["source"].end_with?(dependency.previous_version) }.
-              fetch("version")
-          end
-
-          def desired_lockfile_content
-            return dependency.version if git_dependency?
-
-            %(name = "#{dependency.name}"\nversion = "#{dependency.version}")
-          end
-
-          def run_shell_command(command)
-            raw_response = nil
-            IO.popen(command, err: %i(child out)) do |process|
-              raw_response = process.read
-            end
-
-            # Raise an error with the output from the shell session if Cargo
-            # returns a non-zero status
-            return if $CHILD_STATUS.success?
-
-            raise SharedHelpers::HelperSubprocessFailed.new(
-              raw_response,
-              command
-            )
-          end
-
-          def write_temporary_dependency_files
-            write_temporary_manifest_files
-            write_temporary_path_dependency_files
-
-            File.write(lockfile.name, lockfile.content)
-            File.write(toolchain.name, toolchain.content) if toolchain
-          end
-
-          def write_temporary_manifest_files
-            manifest_files.each do |file|
-              path = file.name
-              dir = Pathname.new(path).dirname
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(file.name, prepared_manifest_content(file))
-
-              FileUtils.mkdir_p(File.join(dir, "src"))
-              File.write(File.join(dir, "src/lib.rs"), dummy_app_content)
-              File.write(File.join(dir, "src/main.rs"), dummy_app_content)
-            end
-          end
-
-          def write_temporary_path_dependency_files
-            path_dependency_files.each do |file|
-              path = file.name
-              dir = Pathname.new(path).dirname
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(file.name, prepared_path_dependency_content(file))
-
-              FileUtils.mkdir_p(File.join(dir, "src"))
-              File.write(File.join(dir, "src/lib.rs"), dummy_app_content)
-              File.write(File.join(dir, "src/main.rs"), dummy_app_content)
-            end
-          end
-
-          def prepared_manifest_content(file)
-            content = updated_manifest_content(file)
-            content = pin_version(content) unless git_dependency?
-            content = replace_ssh_urls(content)
-            content
-          end
-
-          def prepared_path_dependency_content(file)
-            content = file.content.dup
-            content = replace_ssh_urls(content)
-            content
-          end
-
-          def updated_manifest_content(file)
-            ManifestUpdater.new(
-              dependencies: dependencies,
-              manifest: file
-            ).updated_manifest_content
-          end
-
-          def pin_version(content)
-            parsed_manifest = TomlRB.parse(content)
-
-            FileParsers::Rust::Cargo::DEPENDENCY_TYPES.each do |type|
-              next unless (req = parsed_manifest.dig(type, dependency.name))
-
-              updated_req = "=#{dependency.version}"
-
-              if req.is_a?(Hash)
-                parsed_manifest[type][dependency.name]["version"] = updated_req
-              else
-                parsed_manifest[type][dependency.name] = updated_req
-              end
-            end
-
-            TomlRB.dump(parsed_manifest)
-          end
-
-          def replace_ssh_urls(content)
-            git_ssh_requirements_to_swap.each do |ssh_url, https_url|
-              content = content.gsub(ssh_url, https_url)
-            end
-            content
-          end
-
-          def post_process_lockfile(content)
-            git_ssh_requirements_to_swap.each do |ssh_url, https_url|
-              content = content.gsub(https_url, ssh_url)
-            end
-
-            content
-          end
-
-          def git_ssh_requirements_to_swap
-            if @git_ssh_requirements_to_swap
-              return @git_ssh_requirements_to_swap
-            end
-
-            @git_ssh_requirements_to_swap = {}
-
-            [*manifest_files, *path_dependency_files].each do |manifest|
-              parsed_manifest = TomlRB.parse(manifest.content)
-
-              FileParsers::Rust::Cargo::DEPENDENCY_TYPES.each do |type|
-                (parsed_manifest[type] || {}).each do |_, details|
-                  next unless details.is_a?(Hash)
-                  next unless details["git"]&.match?(%r{ssh://git@(.*?)/})
-
-                  @git_ssh_requirements_to_swap[details["git"]] =
-                    details["git"].gsub(%r{ssh://git@(.*?)/}, 'https://\1/')
-                end
-              end
-            end
-
-            @git_ssh_requirements_to_swap
-          end
-
-          def dummy_app_content
-            %{fn main() {\nprintln!("Hello, world!");\n}}
-          end
-
-          def git_dependency?
-            GitCommitChecker.new(
-              dependency: dependency,
-              credentials: credentials
-            ).git_dependency?
-          end
-
-          def manifest_files
-            @manifest_files ||=
-              dependency_files.
-              select { |f| f.name.end_with?("Cargo.toml") }.
-              reject { |f| f.type == "path_dependency" }
-          end
-
-          def path_dependency_files
-            @path_dependency_files ||=
-              dependency_files.
-              select { |f| f.type == "path_dependency" }
-          end
-
-          def lockfile
-            @lockfile ||= dependency_files.find { |f| f.name == "Cargo.lock" }
-          end
-
-          def toolchain
-            @toolchain ||=
-              dependency_files.find { |f| f.name == "rust-toolchain" }
-          end
-        end
-      end
-    end
-  end
-end