dependabot-core 0.87.15 → 0.88.0

data/helpers/elixir/bin/run.exs

@@ -1,76 +0,0 @@
-defmodule DependencyHelper do
-  def main() do
-    IO.read(:stdio, :all)
-    |> Jason.decode!()
-    |> run()
-    |> case do
-      {output, 0} ->
-        if output =~ "No authenticated organization found" do
-          {:error, output}
-        else
-          {:ok, :erlang.binary_to_term(output)}
-        end
-
-      {error, 1} -> {:error, error}
-    end
-    |> handle_result()
-  end
-
-  defp handle_result({:ok, {:ok, result}}) do
-    encode_and_write(%{"result" => result})
-  end
-
-  defp handle_result({:ok, {:error, reason}}) do
-    encode_and_write(%{"error" => reason})
-    System.halt(1)
-  end
-
-  defp handle_result({:error, reason}) do
-    encode_and_write(%{"error" => reason})
-    System.halt(1)
-  end
-
-  defp encode_and_write(content) do
-    content
-    |> Jason.encode!()
-    |> IO.write()
-  end
-
-  defp run(%{"function" => "parse", "args" => [dir]}) do
-    run_script("parse_deps.exs", dir)
-  end
-
-  defp run(%{"function" => "get_latest_resolvable_version", "args" => [dir, dependency_name, credentials]}) do
-    run_script("check_update.exs", dir, [dependency_name] ++ credentials)
-  end
-
-  defp run(%{"function" => "get_updated_lockfile", "args" => [dir, dependency_name, credentials]}) do
-    run_script("do_update.exs", dir, [dependency_name] ++ credentials)
-  end
-
-  defp run_script(script, dir, args \\ []) do
-    args = [
-      "run",
-      "--no-deps-check",
-      "--no-start",
-      "--no-compile",
-      "--no-elixir-version-check",
-      script
-    ] ++ args
-
-    System.cmd(
-      "mix",
-      args,
-      [
-        cd: dir,
-        env: %{
-          "MIX_EXS" => nil,
-          "MIX_LOCK" => nil,
-          "MIX_DEPS" => nil
-        }
-      ]
-    )
-  end
-end
-
-DependencyHelper.main()

data/helpers/elixir/mix.exs

@@ -1,21 +0,0 @@
-defmodule DependabotCore.Mixfile do
-  use Mix.Project
-
-  def project do
-    [app: :dependabot_core,
-     version: "0.1.0",
-     elixir: "~> 1.5",
-     start_permanent: Mix.env == :prod,
-     lockfile: System.get_env("MIX_LOCK") || "mix.lock",
-     deps_path: System.get_env("MIX_DEPS") || "deps",
-     deps: deps()]
-  end
-
-  def application do
-    [extra_applications: [:logger]]
-  end
-
-  defp deps() do
-    [{:jason, "~> 1.0-rc"}]
-  end
-end

data/helpers/elixir/mix.lock

@@ -1,3 +0,0 @@
-%{
-  "jason": {:hex, :jason, "1.1.2", "b03dedea67a99223a2eaf9f1264ce37154564de899fd3d8b9a21b1a6fd64afe7", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
-}

data/lib/dependabot/file_fetchers/elixir/hex.rb

@@ -1,78 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_fetchers/base"
-
-module Dependabot
-  module FileFetchers
-    module Elixir
-      class Hex < Dependabot::FileFetchers::Base
-        APPS_PATH_REGEX = /apps_path:\s*"(?<path>.*?)"/m.freeze
-        STRING_ARG = %{(?:["'](.*?)["'])}
-        EVAL_FILE = /Code\.eval_file\(#{STRING_ARG}(?:\s*,\s*#{STRING_ARG})?\)/.
-                    freeze
-
-        def self.required_files_in?(filenames)
-          filenames.include?("mix.exs")
-        end
-
-        def self.required_files_message
-          "Repo must contain a mix.exs."
-        end
-
-        private
-
-        def fetch_files
-          fetched_files = []
-          fetched_files << mixfile
-          fetched_files << lockfile if lockfile
-          fetched_files += subapp_mixfiles
-          fetched_files += evaled_files
-          fetched_files
-        end
-
-        def mixfile
-          @mixfile ||= fetch_file_from_host("mix.exs")
-        end
-
-        def lockfile
-          return @lockfile if @lockfile_lookup_attempted
-
-          @lockfile_lookup_attempted = true
-          @lockfile ||= fetch_file_from_host("mix.lock")
-        rescue Dependabot::DependencyFileNotFound
-          nil
-        end
-
-        def subapp_mixfiles
-          apps_path = mixfile.content.match(APPS_PATH_REGEX)&.
-                      named_captures&.fetch("path")
-          return [] unless apps_path
-
-          app_directories = repo_contents(dir: apps_path).
-                            select { |f| f.type == "dir" }
-
-          app_directories.map do |dir|
-            fetch_file_from_host("#{dir.path}/mix.exs")
-          rescue Dependabot::DependencyFileNotFound
-            # If the folder doesn't have a mix.exs it *might* be because it's
-            # not an app. Ignore the fact we couldn't fetch one and proceed with
-            # updating (it will blow up later if there are problems)
-            nil
-          end.compact
-        rescue Octokit::NotFound, Gitlab::Error::NotFound
-          # If the path specified in apps_path doesn't exist then it's not being
-          # used. We can just return an empty array of subapp files.
-          []
-        end
-
-        def evaled_files
-          mixfile.content.scan(EVAL_FILE).map do |eval_file_args|
-            path = Pathname.new(File.join(*eval_file_args.reverse)).
-                   cleanpath.to_path
-            fetch_file_from_host(path).tap { |f| f.support_file = true }
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_parsers/elixir/hex.rb

@@ -1,134 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/dependency"
-require "dependabot/file_parsers/base"
-require "dependabot/file_fetchers/elixir/hex"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-
-# For docs, see https://hexdocs.pm/mix/Mix.Tasks.Deps.html
-module Dependabot
-  module FileParsers
-    module Elixir
-      class Hex < Dependabot::FileParsers::Base
-        require "dependabot/file_parsers/base/dependency_set"
-
-        def parse
-          dependency_set = DependencySet.new
-
-          dependency_details.each do |dep|
-            git_dependency = dep["source"]&.fetch("type") == "git"
-
-            dependency_set <<
-              Dependency.new(
-                name: dep["name"],
-                version: git_dependency ? dep["checksum"] : dep["version"],
-                requirements: [{
-                  requirement: dep["requirement"],
-                  groups: dep["groups"],
-                  source: dep["source"] && symbolize_keys(dep["source"]),
-                  file: dep["from"]
-                }],
-                package_manager: "hex"
-              )
-          end
-
-          dependency_set.dependencies.sort_by(&:name)
-        end
-
-        private
-
-        def dependency_details
-          SharedHelpers.in_a_temporary_directory do
-            write_sanitized_mixfiles
-            write_supporting_files
-            File.write("mix.lock", lockfile.content) if lockfile
-            FileUtils.cp(elixir_helper_parse_deps_path, "parse_deps.exs")
-
-            SharedHelpers.run_helper_subprocess(
-              env: mix_env,
-              command: "mix run #{elixir_helper_path}",
-              function: "parse",
-              args: [Dir.pwd],
-              popen_opts: { err: %i(child out) }
-            )
-          end
-        rescue Dependabot::SharedHelpers::HelperSubprocessFailed => error
-          result_json =
-            error.message.lines.
-            drop_while { |l| !l.start_with?('{"result":') }.
-            join
-
-          if result_json.empty?
-            raise DependencyFileNotEvaluatable, error.message
-          end
-
-          JSON.parse(result_json).fetch("result")
-        end
-
-        def write_sanitized_mixfiles
-          mixfiles.each do |file|
-            path = file.name
-            FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, sanitize_mixfile(file.content))
-          end
-        end
-
-        def write_supporting_files
-          dependency_files.select(&:support_file).each do |file|
-            path = file.name
-            FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, file.content)
-          end
-        end
-
-        def sanitize_mixfile(content)
-          content.
-            gsub(/File\.read!\(.*?\)/, '"0.0.1"').
-            gsub(/File\.read\(.*?\)/, '{:ok, "0.0.1"}')
-        end
-
-        def mix_env
-          {
-            "MIX_EXS" => File.join(project_root, "helpers/elixir/mix.exs"),
-            "MIX_LOCK" => File.join(project_root, "helpers/elixir/mix.lock"),
-            "MIX_DEPS" => File.join(project_root, "helpers/elixir/deps"),
-            "MIX_QUIET" => "1"
-          }
-        end
-
-        def elixir_helper_path
-          File.join(project_root, "helpers/elixir/bin/run.exs")
-        end
-
-        def elixir_helper_parse_deps_path
-          File.join(project_root, "helpers/elixir/bin/parse_deps.exs")
-        end
-
-        def required_files
-          Dependabot::FileFetchers::Elixir::Hex.required_files
-        end
-
-        def check_required_files
-          raise "No mixfile!" if mixfiles.none?
-        end
-
-        def project_root
-          File.join(File.dirname(__FILE__), "../../../..")
-        end
-
-        def symbolize_keys(hash)
-          Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
-        end
-
-        def mixfiles
-          dependency_files.select { |f| f.name.end_with?("mix.exs") }
-        end
-
-        def lockfile
-          @lockfile ||= get_original_file("mix.lock")
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/elixir/hex.rb

@@ -1,71 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_updaters/base"
-require "dependabot/utils/elixir/version"
-require "dependabot/shared_helpers"
-
-module Dependabot
-  module FileUpdaters
-    module Elixir
-      class Hex < Base
-        require_relative "hex/mixfile_updater"
-        require_relative "hex/lockfile_updater"
-
-        def self.updated_files_regex
-          [
-            /^mix\.exs$/,
-            /^mix\.lock$/
-          ]
-        end
-
-        def updated_dependency_files
-          updated_files = []
-
-          mixfiles.each do |file|
-            if file_changed?(file)
-              updated_files <<
-                updated_file(file: file, content: updated_mixfile_content(file))
-            end
-          end
-
-          if lockfile
-            updated_files <<
-              updated_file(file: lockfile, content: updated_lockfile_content)
-          end
-
-          updated_files
-        end
-
-        private
-
-        def check_required_files
-          raise "No mix.exs!" unless get_original_file("mix.exs")
-        end
-
-        def updated_mixfile_content(file)
-          MixfileUpdater.new(
-            dependencies: dependencies,
-            mixfile: file
-          ).updated_mixfile_content
-        end
-
-        def updated_lockfile_content
-          @updated_lockfile_content ||=
-            LockfileUpdater.new(
-              dependencies: dependencies,
-              dependency_files: dependency_files,
-              credentials: credentials
-            ).updated_lockfile_content
-        end
-
-        def mixfiles
-          dependency_files.select { |f| f.name.end_with?("mix.exs") }
-        end
-
-        def lockfile
-          @lockfile ||= get_original_file("mix.lock")
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_updaters/elixir/hex/lockfile_updater.rb

@@ -1,147 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_updaters/elixir/hex"
-require "dependabot/file_updaters/elixir/hex/mixfile_updater"
-require "dependabot/file_updaters/elixir/hex/mixfile_sanitizer"
-require "dependabot/file_updaters/elixir/hex/mixfile_requirement_updater"
-require "dependabot/utils/elixir/version"
-require "dependabot/shared_helpers"
-
-module Dependabot
-  module FileUpdaters
-    module Elixir
-      class Hex
-        class LockfileUpdater
-          def initialize(dependencies:, dependency_files:, credentials:)
-            @dependencies = dependencies
-            @dependency_files = dependency_files
-            @credentials = credentials
-          end
-
-          def updated_lockfile_content
-            @updated_lockfile_content ||=
-              SharedHelpers.in_a_temporary_directory do
-                write_temporary_dependency_files
-                FileUtils.cp(elixir_helper_do_update_path, "do_update.exs")
-
-                SharedHelpers.with_git_configured(credentials: credentials) do
-                  SharedHelpers.run_helper_subprocess(
-                    env: mix_env,
-                    command: "mix run #{elixir_helper_path}",
-                    function: "get_updated_lockfile",
-                    args: [Dir.pwd, dependency.name, organization_credentials]
-                  )
-                end
-              end
-
-            post_process_lockfile(@updated_lockfile_content)
-          end
-
-          private
-
-          attr_reader :dependencies, :dependency_files, :credentials
-
-          def dependency
-            # For now, we'll only ever be updating a single dep for Elixir
-            dependencies.first
-          end
-
-          def post_process_lockfile(content)
-            return content unless lockfile.content.start_with?("%{\"")
-            return content if content.start_with?("%{\"")
-
-            # Substitute back old file beginning and ending
-            content.sub(/\A%\{\n  "/, "%{\"").sub(/\},\n\}/, "}}")
-          end
-
-          def write_temporary_dependency_files
-            mixfiles.each do |file|
-              path = file.name
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(path, mixfile_content_for_lockfile_generation(file))
-            end
-
-            File.write("mix.lock", lockfile.content)
-
-            dependency_files.select(&:support_file).each do |file|
-              path = file.name
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(path, file.content)
-            end
-          end
-
-          def mixfile_content_for_lockfile_generation(file)
-            content = updated_mixfile_content(file)
-            content = lock_mixfile_dependency_versions(content, file.name)
-            sanitize_mixfile(content)
-          end
-
-          def updated_mixfile_content(file)
-            MixfileUpdater.new(
-              dependencies: dependencies,
-              mixfile: file
-            ).updated_mixfile_content
-          end
-
-          def lock_mixfile_dependency_versions(mixfile_content, filename)
-            dependencies.
-              reduce(mixfile_content.dup) do |content, dep|
-                # Run on the updated mixfile content, so we're updating from the
-                # updated requirements
-                req_details = dep.requirements.find { |r| r[:file] == filename }
-
-                next content unless req_details
-                next content unless Utils::Elixir::Version.correct?(dep.version)
-
-                MixfileRequirementUpdater.new(
-                  dependency_name: dep.name,
-                  mixfile_content: content,
-                  previous_requirement: req_details.fetch(:requirement),
-                  updated_requirement: dep.version,
-                  insert_if_bare: true
-                ).updated_content
-              end
-          end
-
-          def sanitize_mixfile(content)
-            MixfileSanitizer.new(mixfile_content: content).sanitized_content
-          end
-
-          def mix_env
-            {
-              "MIX_EXS" => File.join(project_root, "helpers/elixir/mix.exs"),
-              "MIX_LOCK" => File.join(project_root, "helpers/elixir/mix.lock"),
-              "MIX_DEPS" => File.join(project_root, "helpers/elixir/deps"),
-              "MIX_QUIET" => "1"
-            }
-          end
-
-          def elixir_helper_path
-            File.join(project_root, "helpers/elixir/bin/run.exs")
-          end
-
-          def elixir_helper_do_update_path
-            File.join(project_root, "helpers/elixir/bin/do_update.exs")
-          end
-
-          def project_root
-            File.join(File.dirname(__FILE__), "../../../../..")
-          end
-
-          def mixfiles
-            dependency_files.select { |f| f.name.end_with?("mix.exs") }
-          end
-
-          def lockfile
-            @lockfile ||= dependency_files.find { |f| f.name == "mix.lock" }
-          end
-
-          def organization_credentials
-            credentials.select { |cred| cred["type"] == "hex_organization" }.
-              flat_map { |cred| [cred["organization"], cred["token"]] }
-          end
-        end
-      end
-    end
-  end
-end