dependabot-core 0.84.1 → 0.85.0

data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb

@@ -1,148 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-require "dependabot/file_updaters/java/maven"
-require "dependabot/file_parsers/java/maven"
-require "dependabot/file_parsers/java/maven/property_value_finder"
-
-module Dependabot
-  module FileUpdaters
-    module Java
-      class Maven
-        class DeclarationFinder
-          DECLARATION_REGEX =
-            %r{<parent>.*?</parent>|<dependency>.*?</dependency>|
-               <plugin>.*?</plugin>|<extension>.*?</extension>}mx.freeze
-
-          attr_reader :dependency, :declaring_requirement, :dependency_files
-
-          def initialize(dependency:, dependency_files:, declaring_requirement:)
-            @dependency            = dependency
-            @dependency_files      = dependency_files
-            @declaring_requirement = declaring_requirement
-          end
-
-          def declaration_strings
-            @declaration_strings ||= fetch_pom_declaration_strings
-          end
-
-          def declaration_nodes
-            declaration_strings.map do |declaration_string|
-              Nokogiri::XML(declaration_string)
-            end
-          end
-
-          private
-
-          def declaring_pom
-            filename = declaring_requirement.fetch(:file)
-            declaring_pom = dependency_files.find { |f| f.name == filename }
-            return declaring_pom if declaring_pom
-
-            raise "No pom found with name #{filename}!"
-          end
-
-          def dependency_name
-            dependency.name
-          end
-
-          def fetch_pom_declaration_strings
-            deep_find_declarations(declaring_pom.content).select do |nd|
-              node = Nokogiri::XML(nd)
-              node.remove_namespaces!
-              next false unless node_group_id(node)
-              next false unless node.at_xpath("./*/artifactId")
-
-              node_name = [
-                node_group_id(node),
-                evaluated_value(node.at_xpath("./*/artifactId").content.strip)
-              ].compact.join(":")
-
-              next false unless node_name == dependency_name
-              next false unless packaging_type_matches?(node)
-
-              declaring_requirement_matches?(node)
-            end
-          end
-
-          def node_group_id(node)
-            unless node.at_xpath("./*/groupId") || node.at_xpath("./plugin")
-              return
-            end
-            unless node.at_xpath("./*/groupId")
-              return "org.apache.maven.plugins"
-            end
-
-            evaluated_value(node.at_xpath("./*/groupId").content.strip)
-          end
-
-          def deep_find_declarations(string)
-            string.scan(DECLARATION_REGEX).flat_map do |matching_node|
-              [matching_node, *deep_find_declarations(matching_node[1..-1])]
-            end
-          end
-
-          def declaring_requirement_matches?(node)
-            node_requirement = node.at_css("version")&.content&.strip
-
-            if declaring_requirement.dig(:metadata, :property_name)
-              return false unless node_requirement
-
-              property_name =
-                node_requirement.
-                match(FileParsers::Java::Maven::PROPERTY_REGEX)&.
-                named_captures&.
-                fetch("property")
-
-              property_name == declaring_requirement[:metadata][:property_name]
-            else
-              node_requirement == declaring_requirement.fetch(:requirement)
-            end
-          end
-
-          def packaging_type_matches?(node)
-            type = declaring_requirement.dig(:metadata, :packaging_type)
-            type == packaging_type(node)
-          end
-
-          def packaging_type(dependency_node)
-            return "pom" if dependency_node.child.node_name == "parent"
-            return "jar" unless dependency_node.at_xpath("./*/type")
-
-            packaging_type_content = dependency_node.at_xpath("./*/type").
-                                     content.strip
-
-            evaluated_value(packaging_type_content)
-          end
-
-          def evaluated_value(value)
-            unless value.match?(FileParsers::Java::Maven::PROPERTY_REGEX)
-              return value
-            end
-
-            property_name =
-              value.match(FileParsers::Java::Maven::PROPERTY_REGEX).
-              named_captures.fetch("property")
-
-            property_value =
-              property_value_finder.
-              property_details(
-                property_name: property_name,
-                callsite_pom: declaring_pom
-              )&.fetch(:value)
-
-            return value unless property_value
-
-            value.gsub(FileParsers::Java::Maven::PROPERTY_REGEX, property_value)
-          end
-
-          def property_value_finder
-            @property_value_finder ||=
-              FileParsers::Java::Maven::PropertyValueFinder.
-              new(dependency_files: dependency_files)
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/java/maven/property_value_updater.rb

@@ -1,61 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-
-require "dependabot/dependency_file"
-require "dependabot/file_updaters/java/maven"
-require "dependabot/file_parsers/java/maven/property_value_finder"
-
-module Dependabot
-  module FileUpdaters
-    module Java
-      class Maven
-        class PropertyValueUpdater
-          def initialize(dependency_files:)
-            @dependency_files = dependency_files
-          end
-
-          def update_pomfiles_for_property_change(property_name:, callsite_pom:,
-                                                  updated_value:)
-            declaration_details = property_value_finder.property_details(
-              property_name: property_name,
-              callsite_pom: callsite_pom
-            )
-            node = declaration_details.fetch(:node)
-            filename = declaration_details.fetch(:file)
-
-            pom_to_update = dependency_files.find { |f| f.name == filename }
-            updated_content = pom_to_update.content.sub(
-              %r{<#{Regexp.quote(node.name)}>
-                 \s*#{Regexp.quote(node.content)}\s*
-                 </#{Regexp.quote(node.name)}>}xm,
-              "<#{node.name}>#{updated_value}</#{node.name}>"
-            )
-
-            updated_pomfiles = dependency_files.dup
-            updated_pomfiles[updated_pomfiles.index(pom_to_update)] =
-              update_file(file: pom_to_update, content: updated_content)
-
-            updated_pomfiles
-          end
-
-          private
-
-          attr_reader :dependency_files
-
-          def property_value_finder
-            @property_value_finder ||=
-              FileParsers::Java::Maven::PropertyValueFinder.
-              new(dependency_files: dependency_files)
-          end
-
-          def update_file(file:, content:)
-            updated_file = file.dup
-            updated_file.content = content
-            updated_file
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/metadata_finders/java/maven.rb

@@ -1,173 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-require "dependabot/metadata_finders/base"
-require "dependabot/file_fetchers/base"
-require "dependabot/file_parsers/java/maven"
-require "dependabot/file_parsers/java/maven/repositories_finder"
-
-module Dependabot
-  module MetadataFinders
-    module Java
-      class Maven < Dependabot::MetadataFinders::Base
-        DOT_SEPARATOR_REGEX = %r{\.(?:(?!\d+[.\/])+)}.freeze
-
-        private
-
-        def look_up_source
-          tmp_source = look_up_source_in_pom(dependency_pom_file)
-          return tmp_source if tmp_source
-
-          return unless (parent = parent_pom_file(dependency_pom_file))
-
-          tmp_source = look_up_source_in_pom(parent)
-          return unless tmp_source
-
-          artifact = dependency.name.split(":").last
-          return tmp_source if tmp_source.repo.end_with?(artifact)
-          return tmp_source if repo_has_subdir_for_dep?(tmp_source)
-        end
-
-        def repo_has_subdir_for_dep?(tmp_source)
-          @repo_has_subdir_for_dep ||= {}
-          if @repo_has_subdir_for_dep.key?(tmp_source)
-            return @repo_has_subdir_for_dep[tmp_source]
-          end
-
-          artifact = dependency.name.split(":").last
-          fetcher =
-            FileFetchers::Base.new(source: tmp_source, credentials: credentials)
-
-          @repo_has_subdir_for_dep[tmp_source] =
-            fetcher.send(:repo_contents, raise_errors: false).
-            select { |f| f.type == "dir" }.
-            any? { |f| artifact.end_with?(f.name) }
-        rescue Dependabot::RepoNotFound
-          @repo_has_subdir_for_dep[tmp_source] = false
-        end
-
-        def look_up_source_in_pom(pom)
-          potential_source_urls = [
-            pom.at_css("project > url")&.content,
-            pom.at_css("project > scm > url")&.content,
-            pom.at_css("project > issueManagement > url")&.content
-          ].compact
-
-          source_url = potential_source_urls.find { |url| Source.from_url(url) }
-          source_url ||= source_from_anywhere_in_pom(pom)
-          source_url = substitute_property_in_source_url(source_url, pom)
-
-          Source.from_url(source_url)
-        end
-
-        def substitute_property_in_source_url(source_url, pom)
-          return unless source_url
-          return source_url unless source_url.include?("${")
-
-          regex = FileParsers::Java::Maven::PROPERTY_REGEX
-          property_name = source_url.match(regex).named_captures["property"]
-          doc = pom.dup
-          doc.remove_namespaces!
-          nm = property_name.sub(/^pom\./, "").sub(/^project\./, "")
-          property_value =
-            loop do
-              candidate_node =
-                doc.at_xpath("/project/#{nm}") ||
-                doc.at_xpath("/project/properties/#{nm}") ||
-                doc.at_xpath("/project/profiles/profile/properties/#{nm}")
-              break candidate_node.content if candidate_node
-              break unless nm.match?(DOT_SEPARATOR_REGEX)
-
-              nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
-            end
-
-          source_url.gsub("${#{property_name}}", property_value)
-        end
-
-        def source_from_anywhere_in_pom(pom)
-          github_urls = []
-          pom.to_s.scan(Source::SOURCE_REGEX) do
-            github_urls << Regexp.last_match.to_s
-          end
-
-          github_urls.find do |url|
-            repo = Source.from_url(url).repo
-            repo.end_with?(dependency.name.split(":").last)
-          end
-        end
-
-        def dependency_pom_file
-          return @dependency_pom_file unless @dependency_pom_file.nil?
-
-          artifact_id = dependency.name.split(":").last
-          response = Excon.get(
-            "#{maven_repo_dependency_url}/"\
-            "#{dependency.version}/"\
-            "#{artifact_id}-#{dependency.version}.pom",
-            headers: auth_details,
-            idempotent: true,
-            **SharedHelpers.excon_defaults
-          )
-
-          @dependency_pom_file = Nokogiri::XML(response.body)
-        rescue Excon::Error::Timeout
-          @dependency_pom_file = Nokogiri::XML("")
-        end
-
-        def parent_pom_file(pom)
-          doc = pom.dup
-          doc.remove_namespaces!
-          group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
-          artifact_id =
-            doc.at_xpath("/project/parent/artifactId")&.content&.strip
-          version = doc.at_xpath("/project/parent/version")&.content&.strip
-
-          return unless artifact_id && group_id && version
-
-          response = Excon.get(
-            "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}/"\
-            "#{version}/"\
-            "#{artifact_id}-#{version}.pom",
-            headers: auth_details,
-            idempotent: true,
-            **SharedHelpers.excon_defaults
-          )
-
-          Nokogiri::XML(response.body)
-        end
-
-        def maven_repo_url
-          source = dependency.requirements.
-                   find { |r| r&.fetch(:source) }&.fetch(:source)
-
-          source&.fetch(:url, nil) ||
-            source&.fetch("url") ||
-            FileParsers::Java::Maven::RepositoriesFinder::CENTRAL_REPO_URL
-        end
-
-        def maven_repo_dependency_url
-          group_id, artifact_id = dependency.name.split(":")
-
-          "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
-        end
-
-        def auth_details
-          cred =
-            credentials.select { |c| c["type"] == "maven_repository" }.
-            find do |c|
-              cred_url = c.fetch("url").gsub(%r{/+$}, "")
-              next false unless cred_url == maven_repo_url
-
-              c.fetch("username", nil)
-            end
-
-          return {} unless cred
-
-          token = cred.fetch("username") + ":" + cred.fetch("password")
-          encoded_token = Base64.encode64(token).delete("\n")
-          { "Authorization" => "Basic #{encoded_token}" }
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/update_checkers/java/maven.rb

@@ -1,159 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/update_checkers/base"
-require "dependabot/file_parsers/java/maven/property_value_finder"
-
-module Dependabot
-  module UpdateCheckers
-    module Java
-      class Maven < Dependabot::UpdateCheckers::Base
-        require_relative "maven/requirements_updater"
-        require_relative "maven/version_finder"
-        require_relative "maven/property_updater"
-
-        def latest_version
-          latest_version_details&.fetch(:version)
-        end
-
-        def latest_resolvable_version
-          # Maven's version resolution algorithm is very simple: it just uses
-          # the version defined "closest", with the first declaration winning
-          # if two declarations are equally close. As a result, we can just
-          # return that latest version unless dealing with a property dep.
-          # https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies
-          return nil if version_comes_from_multi_dependency_property?
-
-          latest_version
-        end
-
-        def latest_resolvable_version_with_no_unlock
-          # Irrelevant, since Maven has a single dependency file (the pom.xml).
-          #
-          # For completeness we ought to resolve the pom.xml and return the
-          # latest version that satisfies the current constraint AND any
-          # constraints placed on it by other dependencies. Seeing as we're
-          # never going to take any action as a result, though, we just return
-          # nil.
-          nil
-        end
-
-        def updated_requirements
-          property_names =
-            declarations_using_a_property.
-            map { |req| req.dig(:metadata, :property_name) }
-
-          RequirementsUpdater.new(
-            requirements: dependency.requirements,
-            latest_version: latest_version&.to_s,
-            source_url: latest_version_details&.fetch(:source_url),
-            properties_to_update: property_names
-          ).updated_requirements
-        end
-
-        def requirements_unlocked_or_can_be?
-          declarations_using_a_property.none? do |requirement|
-            prop_name = requirement.dig(:metadata, :property_name)
-            pom = dependency_files.find { |f| f.name == requirement[:file] }
-
-            declaration_pom_name =
-              property_value_finder.
-              property_details(property_name: prop_name, callsite_pom: pom)&.
-              fetch(:file)
-
-            declaration_pom_name == "remote_pom.xml" ||
-              declaration_pom_name.end_with?("pom_parent.xml")
-          end
-        end
-
-        private
-
-        def latest_version_resolvable_with_full_unlock?
-          return false unless version_comes_from_multi_dependency_property?
-
-          property_updater.update_possible?
-        end
-
-        def updated_dependencies_after_full_unlock
-          property_updater.updated_dependencies
-        end
-
-        def numeric_version_up_to_date?
-          return false unless version_class.correct?(dependency.version)
-
-          super
-        end
-
-        def numeric_version_can_update?(requirements_to_unlock:)
-          return false unless version_class.correct?(dependency.version)
-
-          super
-        end
-
-        def latest_version_details
-          @latest_version_details ||= version_finder.latest_version_details
-        end
-
-        def version_finder
-          @version_finder ||=
-            VersionFinder.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              credentials: credentials,
-              ignored_versions: ignored_versions
-            )
-        end
-
-        def property_updater
-          @property_updater ||=
-            PropertyUpdater.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              target_version_details: latest_version_details,
-              credentials: credentials,
-              ignored_versions: ignored_versions
-            )
-        end
-
-        def property_value_finder
-          @property_value_finder ||=
-            FileParsers::Java::Maven::PropertyValueFinder.
-            new(dependency_files: dependency_files)
-        end
-
-        def version_comes_from_multi_dependency_property?
-          declarations_using_a_property.any? do |requirement|
-            property_name = requirement.fetch(:metadata).fetch(:property_name)
-            property_source = requirement.fetch(:metadata).
-                              fetch(:property_source)
-
-            all_property_based_dependencies.any? do |dep|
-              next false if dep.name == dependency.name
-
-              dep.requirements.any? do |req|
-                next unless req.dig(:metadata, :property_name) == property_name
-
-                req.dig(:metadata, :property_source) == property_source
-              end
-            end
-          end
-        end
-
-        def declarations_using_a_property
-          @declarations_using_a_property ||=
-            dependency.requirements.
-            select { |req| req.dig(:metadata, :property_name) }
-        end
-
-        def all_property_based_dependencies
-          @all_property_based_dependencies ||=
-            FileParsers::Java::Maven.new(
-              dependency_files: dependency_files,
-              source: nil
-            ).parse.select do |dep|
-              dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
-            end
-        end
-      end
-    end
-  end
-end