dependabot-core 0.84.1 → 0.85.0

data/lib/dependabot/file_parsers/java/maven/property_value_finder.rb

@@ -1,166 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-
-require "dependabot/dependency_file"
-require "dependabot/file_parsers/java/maven"
-require "dependabot/shared_helpers"
-
-# For documentation, see:
-# - http://maven.apache.org/guides/introduction/introduction-to-the-pom.html
-# - http://maven.apache.org/pom.html#Properties
-module Dependabot
-  module FileParsers
-    module Java
-      class Maven
-        class PropertyValueFinder
-          require_relative "repositories_finder"
-
-          DOT_SEPARATOR_REGEX = %r{\.(?:(?!\d+[.\/])+)}.freeze
-
-          def initialize(dependency_files:)
-            @dependency_files = dependency_files
-          end
-
-          def property_details(property_name:, callsite_pom:)
-            pom = callsite_pom
-            doc = Nokogiri::XML(pom.content)
-            doc.remove_namespaces!
-
-            # Loop through the paths that would satisfy this property name,
-            # looking for one that exists in this POM
-            nm = sanitize_property_name(property_name)
-            node =
-              loop do
-                candidate_node =
-                  doc.at_xpath("/project/#{nm}") ||
-                  doc.at_xpath("/project/properties/#{nm}") ||
-                  doc.at_xpath("/project/profiles/profile/properties/#{nm}")
-                break candidate_node if candidate_node
-                break unless nm.match?(DOT_SEPARATOR_REGEX)
-
-                nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
-              end
-
-            # If we found a property, return it
-            if node
-              return { file: pom.name, node: node, value: node.content.strip }
-            end
-
-            # Otherwise, look for a value in this pom's parent
-            return unless (parent = parent_pom(pom))
-
-            property_details(
-              property_name: property_name,
-              callsite_pom: parent
-            )
-          end
-
-          private
-
-          attr_reader :dependency_files
-
-          def internal_dependency_poms
-            return @internal_dependency_poms if @internal_dependency_poms
-
-            @internal_dependency_poms = {}
-            dependency_files.each do |pom|
-              doc = Nokogiri::XML(pom.content)
-              group_id    = doc.at_css("project > groupId") ||
-                            doc.at_css("project > parent > groupId")
-              artifact_id = doc.at_css("project > artifactId")
-
-              next unless group_id && artifact_id
-
-              dependency_name = [
-                group_id.content.strip,
-                artifact_id.content.strip
-              ].join(":")
-
-              @internal_dependency_poms[dependency_name] = pom
-            end
-
-            @internal_dependency_poms
-          end
-
-          def sanitize_property_name(property_name)
-            property_name.sub(/^pom\./, "").sub(/^project\./, "")
-          end
-
-          def parent_pom(pom)
-            doc = Nokogiri::XML(pom.content)
-            doc.remove_namespaces!
-            group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
-            artifact_id =
-              doc.at_xpath("/project/parent/artifactId")&.content&.strip
-            version = doc.at_xpath("/project/parent/version")&.content&.strip
-
-            return unless group_id && artifact_id
-
-            name = [group_id, artifact_id].join(":")
-
-            if internal_dependency_poms[name]
-              return internal_dependency_poms[name]
-            end
-
-            return unless version && !version.include?(",")
-
-            fetch_remote_parent_pom(group_id, artifact_id, version, pom)
-          end
-
-          def parent_repository_urls(pom)
-            repositories_finder.repository_urls(
-              pom: pom,
-              exclude_inherited: true
-            )
-          end
-
-          def repositories_finder
-            @repositories_finder ||=
-              RepositoriesFinder.new(
-                dependency_files: dependency_files,
-                evaluate_properties: false
-              )
-          end
-
-          def fetch_remote_parent_pom(group_id, artifact_id, version, pom)
-            parent_repository_urls(pom).each do |base_url|
-              url = remote_pom_url(group_id, artifact_id, version, base_url)
-
-              @maven_responses ||= {}
-              @maven_responses[url] ||= Excon.get(
-                url,
-                idempotent: true,
-                **SharedHelpers.excon_defaults
-              )
-              next unless @maven_responses[url].status == 200
-              next unless pom?(@maven_responses[url].body)
-
-              dependency_file = DependencyFile.new(
-                name: "remote_pom.xml",
-                content: @maven_responses[url].body
-              )
-
-              return dependency_file
-            rescue Excon::Error::Socket, Excon::Error::Timeout
-              nil
-            end
-
-            # If a parent POM couldn't be found, return `nil`
-            nil
-          end
-
-          def remote_pom_url(group_id, artifact_id, version, base_repo_url)
-            "#{base_repo_url}/"\
-            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/"\
-            "#{artifact_id}-#{version}.pom"
-          end
-
-          def pom?(content)
-            !Nokogiri::XML(content).at_css("project > artifactId").nil?
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_parsers/java/maven/repositories_finder.rb

@@ -1,188 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-
-require "dependabot/dependency_file"
-require "dependabot/file_parsers/java/maven"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-
-# For documentation, see:
-# - http://maven.apache.org/pom.html#Repositories
-# - http://maven.apache.org/guides/mini/guide-multiple-repositories.html
-module Dependabot
-  module FileParsers
-    module Java
-      class Maven
-        class RepositoriesFinder
-          require_relative "property_value_finder"
-          # In theory we should check the artifact type and either look in
-          # <repositories> or <pluginRepositories>. In practice it's unlikely
-          # anyone makes this distinction.
-          REPOSITORY_SELECTOR = "repositories > repository, "\
-                                "pluginRepositories > pluginRepository"
-
-          # The Central Repository is included in the Super POM, which is
-          # always inherited from.
-          CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
-
-          def initialize(dependency_files:, evaluate_properties: true)
-            @dependency_files = dependency_files
-
-            # We need the option not to evaluate properties so as not to have a
-            # circular dependency between this class and the PropertyValueFinder
-            # class
-            @evaluate_properties = evaluate_properties
-          end
-
-          # Collect all repository URLs from this POM and its parents
-          def repository_urls(pom:, exclude_inherited: false)
-            repo_urls_in_pom =
-              Nokogiri::XML(pom.content).
-              css(REPOSITORY_SELECTOR).
-              map { |node| node.at_css("url").content.strip.gsub(%r{/$}, "") }.
-              reject { |url| contains_property?(url) && !evaluate_properties? }.
-              select { |url| url.start_with?("http") }.
-              map { |url| evaluated_value(url, pom) }
-
-            return repo_urls_in_pom + [CENTRAL_REPO_URL] if exclude_inherited
-
-            unless (parent = parent_pom(pom, repo_urls_in_pom))
-              return repo_urls_in_pom + [CENTRAL_REPO_URL]
-            end
-
-            repo_urls_in_pom + repository_urls(pom: parent)
-          end
-
-          private
-
-          attr_reader :dependency_files
-
-          def evaluate_properties?
-            @evaluate_properties
-          end
-
-          def parent_pom(pom, repo_urls)
-            doc = Nokogiri::XML(pom.content)
-            doc.remove_namespaces!
-            group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
-            artifact_id =
-              doc.at_xpath("/project/parent/artifactId")&.content&.strip
-            version = doc.at_xpath("/project/parent/version")&.content&.strip
-
-            return unless group_id && artifact_id
-
-            name = [group_id, artifact_id].join(":")
-
-            if internal_dependency_poms[name]
-              return internal_dependency_poms[name]
-            end
-
-            return unless version && !version.include?(",")
-
-            fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
-          end
-
-          def internal_dependency_poms
-            return @internal_dependency_poms if @internal_dependency_poms
-
-            @internal_dependency_poms = {}
-            dependency_files.each do |pom|
-              doc = Nokogiri::XML(pom.content)
-              group_id    = doc.at_css("project > groupId") ||
-                            doc.at_css("project > parent > groupId")
-              artifact_id = doc.at_css("project > artifactId")
-
-              next unless group_id && artifact_id
-
-              dependency_name = [
-                group_id.content.strip,
-                artifact_id.content.strip
-              ].join(":")
-
-              @internal_dependency_poms[dependency_name] = pom
-            end
-
-            @internal_dependency_poms
-          end
-
-          def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
-            (repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
-              url = remote_pom_url(group_id, artifact_id, version, base_url)
-
-              @maven_responses ||= {}
-              @maven_responses[url] ||= Excon.get(
-                url,
-                idempotent: true,
-                **SharedHelpers.excon_defaults
-              )
-              next unless @maven_responses[url].status == 200
-              next unless pom?(@maven_responses[url].body)
-
-              dependency_file = DependencyFile.new(
-                name: "remote_pom.xml",
-                content: @maven_responses[url].body
-              )
-
-              return dependency_file
-            rescue Excon::Error::Socket, Excon::Error::Timeout
-              nil
-            end
-
-            # If a parent POM couldn't be found, return `nil`
-            nil
-          end
-
-          def remote_pom_url(group_id, artifact_id, version, base_repo_url)
-            "#{base_repo_url}/"\
-            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/"\
-            "#{artifact_id}-#{version}.pom"
-          end
-
-          def contains_property?(value)
-            value.match?(property_regex)
-          end
-
-          def evaluated_value(value, pom)
-            return value unless contains_property?(value)
-
-            property_name = value.match(property_regex).
-                            named_captures.fetch("property")
-            property_value = value_for_property(property_name, pom)
-
-            value.gsub(property_regex, property_value)
-          end
-
-          def value_for_property(property_name, pom)
-            value =
-              property_value_finder.
-              property_details(
-                property_name: property_name,
-                callsite_pom: pom
-              )&.fetch(:value)
-
-            return value if value
-
-            msg = "Property not found: #{property_name}"
-            raise DependencyFileNotEvaluatable, msg
-          end
-
-          # Cached, since this can makes calls to the registry (to get property
-          # values from parent POMs)
-          def property_value_finder
-            @property_value_finder ||=
-              PropertyValueFinder.new(dependency_files: dependency_files)
-          end
-
-          def property_regex
-            FileParsers::Java::Maven::PROPERTY_REGEX
-          end
-
-          def pom?(content)
-            !Nokogiri::XML(content).at_css("project > artifactId").nil?
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/java/maven.rb

@@ -1,155 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-require "dependabot/file_updaters/base"
-
-module Dependabot
-  module FileUpdaters
-    module Java
-      class Maven < Dependabot::FileUpdaters::Base
-        require_relative "maven/declaration_finder"
-        require_relative "maven/property_value_updater"
-
-        def self.updated_files_regex
-          [/^pom\.xml$/, %r{/pom\.xml$}]
-        end
-
-        def updated_dependency_files
-          updated_files = dependency_files.dup
-
-          # Loop through each of the changed requirements, applying changes to
-          # all pomfiles for that change. Note that the logic is different here
-          # to other languages because Java has property inheritance across
-          # files
-          dependencies.each do |dependency|
-            updated_files = update_pomfiles_for_dependency(
-              pomfiles: updated_files,
-              dependency: dependency
-            )
-          end
-
-          updated_files.select! { |f| f.name.end_with?("pom.xml") }
-          updated_files.reject! { |f| original_pomfiles.include?(f) }
-
-          raise "No files changed!" if updated_files.none?
-          if updated_files.any? { |f| f.name.end_with?("pom_parent.xml") }
-            raise "Updated a supporting POM!"
-          end
-
-          updated_files
-        end
-
-        private
-
-        def check_required_files
-          raise "No pom.xml!" unless get_original_file("pom.xml")
-        end
-
-        def update_pomfiles_for_dependency(pomfiles:, dependency:)
-          files = pomfiles.dup
-
-          # The UpdateChecker ensures the order of requirements is preserved
-          # when updating, so we can zip them together in new/old pairs.
-          reqs = dependency.requirements.zip(dependency.previous_requirements).
-                 reject { |new_req, old_req| new_req == old_req }
-
-          # Loop through each changed requirement and update the pomfiles
-          reqs.each do |new_req, old_req|
-            raise "Bad req match" unless new_req[:file] == old_req[:file]
-            next if new_req[:requirement] == old_req[:requirement]
-
-            if new_req.dig(:metadata, :property_name)
-              files = update_pomfiles_for_property_change(files, new_req)
-              pom = files.find { |f| f.name == new_req.fetch(:file) }
-              files[files.index(pom)] =
-                remove_property_suffix_in_pom(dependency, pom, old_req)
-            else
-              pom = files.find { |f| f.name == new_req.fetch(:file) }
-              files[files.index(pom)] =
-                update_version_in_pom(dependency, pom, old_req, new_req)
-            end
-          end
-
-          files
-        end
-
-        def update_pomfiles_for_property_change(pomfiles, req)
-          property_name = req.fetch(:metadata).fetch(:property_name)
-
-          PropertyValueUpdater.new(dependency_files: pomfiles).
-            update_pomfiles_for_property_change(
-              property_name: property_name,
-              callsite_pom: pomfiles.find { |f| f.name == req.fetch(:file) },
-              updated_value: req.fetch(:requirement)
-            )
-        end
-
-        def update_version_in_pom(dependency, pom, previous_req, requirement)
-          updated_content = pom.content
-
-          original_pom_declarations(dependency, previous_req).each do |old_dec|
-            updated_content = updated_content.gsub(
-              old_dec,
-              updated_pom_declaration(old_dec, previous_req, requirement)
-            )
-          end
-
-          raise "Expected content to change!" if updated_content == pom.content
-
-          updated_file(file: pom, content: updated_content)
-        end
-
-        def remove_property_suffix_in_pom(dep, pom, req)
-          updated_content = pom.content
-
-          original_pom_declarations(dep, req).each do |old_declaration|
-            updated_content = updated_content.gsub(old_declaration) do |old_dec|
-              version_string =
-                old_dec.match(%r{(?<=\<version\>).*(?=\</version\>)})
-              cleaned_version_string = version_string.to_s.gsub(/(?<=\}).*/, "")
-
-              old_dec.gsub(
-                "<version>#{version_string}</version>",
-                "<version>#{cleaned_version_string}</version>"
-              )
-            end
-          end
-
-          updated_file(file: pom, content: updated_content)
-        end
-
-        def original_pom_declarations(dependency, requirement)
-          declaration_finder(dependency, requirement).declaration_strings
-        end
-
-        # The declaration finder may need to make remote calls (to get parent
-        # POMs if it's searching for the value of a property), so we cache it.
-        def declaration_finder(dependency, requirement)
-          @declaration_finders ||= {}
-          @declaration_finders[dependency.hash + requirement.hash] ||=
-            begin
-              DeclarationFinder.new(
-                dependency: dependency,
-                declaring_requirement: requirement,
-                dependency_files: dependency_files
-              )
-            end
-        end
-
-        def updated_pom_declaration(old_declaration, previous_req, requirement)
-          original_req_string = previous_req.fetch(:requirement)
-
-          old_declaration.gsub(
-            %r{<version>\s*#{Regexp.quote(original_req_string)}\s*</version>},
-            "<version>#{requirement.fetch(:requirement)}</version>"
-          )
-        end
-
-        def original_pomfiles
-          @original_pomfiles ||=
-            dependency_files.select { |f| f.name.end_with?("pom.xml") }
-        end
-      end
-    end
-  end
-end