Ruby gems - dependabot-core - Versions diffs - 0.93.17 → 0.94.0 - Diffend - OSS supply chain security and management platform

dependabot-core 0.93.17 → 0.94.0

Files changed (39) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84b1870f3566af63ba843602b5a9ba9f7808b9c2723f107c2a9248521027a5de
-  data.tar.gz: 9607e739d3771adc073f735964be2ffbbd2229b3d7517ece8572e44e5a5c3165
+  metadata.gz: 12e493715e112615890a2889982a5570f4c92546f032b4e142d517401812642a
+  data.tar.gz: d7fda6c2fd269825ea84f2f8f17aea6d64ace86b4a2bdf61e0e24fafd753d5bd
 SHA512:
-  metadata.gz: 2f139202aeebfb1a94c020c0cc9b6e72e9df1950e5cfa860db8db7aca901330c8982c56bec6a09e6b9fcce8ef299e5c52dee2a811d85ac42bb16058f3b4d1df8
-  data.tar.gz: dd73927e2a1bd3dd9363d66dbd5580c1fae50ffd4641e369d967a2a6644b39ccdea2a84d8b856ffdfcbdcdb53cb4fca938757045088b4e33d5461b544c425283
+  metadata.gz: 2be2d07ee3b2430bb1bf4668251075d5fe39dc8a550383271b3fc00e3644ac8936bca38246acf586644cd22952b39fff36fba2abeb359e5b58c43661cfd9b8a2
+  data.tar.gz: e0cb7269cbfe36a507c866436624c39a7fb00c7667b5b728073ad0b68d271fd286ecc7958edd88bca350741cf12befeffdfd51a4859983246d3f022ca7742c7e

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## v0.94.0, 1 February 2019
+- Reorg bundler
 ## v0.93.17, 1 February 2019
 - JS: Better detection of whether an npm registry needs auth

data/lib/dependabot/dependency.rb CHANGED Viewed

@@ -4,6 +4,19 @@ require "rubygems_version_patch"
 module Dependabot
   class Dependency
+    @production_checks = {}
+    def self.production_check_for_package_manager(package_manager)
+      production_check = @production_checks[package_manager]
+      return production_check if production_check
+      raise "Unsupported package_manager #{package_manager}"
+    end
+    def self.register_production_check(package_manager, production_check)
+      @production_checks[package_manager] = production_check
+    end
     attr_reader :name, :version, :requirements, :package_manager,
                 :previous_version, :previous_requirements
@@ -39,33 +52,15 @@ module Dependabot
       previous_version || (version && previous_requirements.nil?)
     end
-    # rubocop:disable Metrics/CyclomaticComplexity
-    # rubocop:disable Metrics/PerceivedComplexity
     def production?
       return true unless top_level?
       groups = requirements.flat_map { |r| r.fetch(:groups).map(&:to_s) }
-      case package_manager
-      when "hex" then groups.empty? || groups.any? { |g| g.include?("prod") }
-      when "npm_and_yarn"
-        groups.include?("optionalDependencies") ||
-          groups.include?("dependencies")
-      when "composer" then groups.include?("runtime")
-      when "pip"
-        groups.empty? ||
-          groups.include?("default") ||
-          groups.include?("dependencies")
-      when "bundler"
-        groups.empty? ||
-          groups.include?("runtime") ||
-          groups.include?("default") ||
-          groups.any? { |g| g.include?("prod") }
-      else true
-      end
+      self.class.
+        production_check_for_package_manager(package_manager).
+        call(groups)
     end
-    # rubocop:enable Metrics/CyclomaticComplexity
-    # rubocop:enable Metrics/PerceivedComplexity
     def display_name
       return name unless %w(maven gradle).include?(package_manager)

data/lib/dependabot/file_fetchers.rb CHANGED Viewed

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
-require "dependabot/file_fetchers/ruby/bundler"
 module Dependabot
   module FileFetchers
-    @file_fetchers = {
-      "bundler" => FileFetchers::Ruby::Bundler
-    }
+    @file_fetchers = {}
     def self.for_package_manager(package_manager)
       file_fetcher = @file_fetchers[package_manager]

data/lib/dependabot/file_parsers.rb CHANGED Viewed

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
-require "dependabot/file_parsers/ruby/bundler"
 module Dependabot
   module FileParsers
-    @file_parsers = {
-      "bundler" => FileParsers::Ruby::Bundler
-    }
+    @file_parsers = {}
     def self.for_package_manager(package_manager)
       file_parser = @file_parsers[package_manager]

data/lib/dependabot/file_updaters.rb CHANGED Viewed

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
-require "dependabot/file_updaters/ruby/bundler"
 module Dependabot
   module FileUpdaters
-    @file_updaters = {
-      "bundler" => FileUpdaters::Ruby::Bundler
-    }
+    @file_updaters = {}
     def self.for_package_manager(package_manager)
       file_updater = @file_updaters[package_manager]

data/lib/dependabot/metadata_finders.rb CHANGED Viewed

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
-require "dependabot/metadata_finders/ruby/bundler"
 module Dependabot
   module MetadataFinders
-    @metadata_finders = {
-      "bundler" => MetadataFinders::Ruby::Bundler
-    }
+    @metadata_finders = {}
     def self.for_package_manager(package_manager)
       metadata_finder = @metadata_finders[package_manager]

data/lib/dependabot/pull_request_creator/labeler.rb CHANGED Viewed

@@ -9,23 +9,19 @@ module Dependabot
   class PullRequestCreator
     class Labeler
       DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i.freeze
-      LANGUAGE_LABEL_DETAILS = {
-        "bundler" => { name: "ruby", colour: "ce2d2d" },
-        "submodules" => { name: "submodules", colour: "000000" },
-        "docker" => { name: "docker", colour: "21ceff" },
-        "terraform" => { name: "terraform", colour: "5C4EE5" },
-        "nuget" => { name: ".NET", colour: "7121c6" },
-        "maven" => { name: "java", colour: "ffa221" },
-        "gradle" => { name: "java", colour: "ffa221" },
-        "npm_and_yarn" => { name: "javascript", colour: "168700" },
-        "pip" => { name: "python", colour: "2b67c6" },
-        "composer" => { name: "php", colour: "45229e" },
-        "hex" => { name: "elixir", colour: "9380dd" },
-        "cargo" => { name: "rust", colour: "000000" },
-        "dep" => { name: "go", colour: "16e2e2" },
-        "go_modules" => { name: "go", colour: "16e2e2" },
-        "elm" => { name: "elm", colour: "76d3f2" }
-      }.freeze
+      @label_details = {}
+      def self.label_details_for_package_manager(package_manager)
+        label_details = @label_details[package_manager]
+        return label_details if label_details
+        raise "Unsupported package_manager #{package_manager}"
+      end
+      def self.register_label_details(package_manager, label_details)
+        @label_details[package_manager] = label_details
+      end
       def initialize(source:, custom_labels:, credentials:, dependencies:,
                      includes_security_fixes:, label_language:)
@@ -199,7 +195,9 @@ module Dependabot
       end
       def language_label
-        label_name = LANGUAGE_LABEL_DETAILS.fetch(package_manager).fetch(:name)
+        label_name =
+          self.class.label_details_for_package_manager(package_manager).
+          fetch(:name)
         labels.find { |l| l.casecmp(label_name).zero? }
       end
@@ -304,12 +302,14 @@ module Dependabot
       end
       def create_github_language_label
-        langauge_name = LANGUAGE_LABEL_DETAILS.fetch(package_manager).
-                        fetch(:name)
+        langauge_name =
+          self.class.label_details_for_package_manager(package_manager).
+          fetch(:name)
         github_client_for_source.add_label(
           source.repo,
           langauge_name,
-          LANGUAGE_LABEL_DETAILS.fetch(package_manager).fetch(:colour),
+          self.class.label_details_for_package_manager(package_manager).
+            fetch(:colour),
           description: "Pull requests that update #{langauge_name.capitalize} "\
                        "code",
           accept: "application/vnd.github.symmetra-preview+json"
@@ -322,12 +322,14 @@ module Dependabot
       end
       def create_gitlab_language_label
-        langauge_name = LANGUAGE_LABEL_DETAILS.fetch(package_manager).
-                        fetch(:name)
+        langauge_name =
+          self.class.label_details_for_package_manager(package_manager).
+          fetch(:name)
         gitlab_client_for_source.create_label(
           source.repo,
           langauge_name,
-          "#" + LANGUAGE_LABEL_DETAILS.fetch(package_manager).fetch(:colour)
+          "#" + self.class.label_details_for_package_manager(package_manager).
+                fetch(:colour)
         )
         @labels = [*@labels, langauge_name].uniq
       end

data/lib/dependabot/update_checkers.rb CHANGED Viewed

@@ -1,12 +1,8 @@
 # frozen_string_literal: true
-require "dependabot/update_checkers/ruby/bundler"
 module Dependabot
   module UpdateCheckers
-    @update_checkers = {
-      "bundler" => UpdateCheckers::Ruby::Bundler
-    }
+    @update_checkers = {}
     def self.for_package_manager(package_manager)
       update_checker = @update_checkers[package_manager]

data/lib/dependabot/utils.rb CHANGED Viewed

@@ -1,16 +1,10 @@
 # frozen_string_literal: true
-require "dependabot/utils/ruby/requirement"
 # TODO: in due course, these "registries" should live in a wrapper gem, not
 #       dependabot-core.
 module Dependabot
   module Utils
-    @version_classes = {
-      "bundler" => Gem::Version,
-      "submodules" => Gem::Version,
-      "docker" => Gem::Version
-    }
+    @version_classes = {}
     def self.version_class_for_package_manager(package_manager)
       version_class = @version_classes[package_manager]
@@ -23,11 +17,7 @@ module Dependabot
       @version_classes[package_manager] = version_class
     end
-    @requirement_classes = {
-      "bundler" => Utils::Ruby::Requirement,
-      "submodules" => Utils::Ruby::Requirement,
-      "docker" => Utils::Ruby::Requirement
-    }
+    @requirement_classes = {}
     def self.requirement_class_for_package_manager(package_manager)
       requirement_class = @requirement_classes[package_manager]

data/lib/dependabot/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Dependabot
-  VERSION = "0.93.17"
+  VERSION = "0.94.0"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-  version: 0.93.17
+  version: 0.94.0
 platform: ruby
 authors:
 - Dependabot
@@ -313,30 +313,13 @@ files:
 - lib/dependabot/file_fetchers.rb
 - lib/dependabot/file_fetchers/README.md
 - lib/dependabot/file_fetchers/base.rb
-- lib/dependabot/file_fetchers/ruby/bundler.rb
-- lib/dependabot/file_fetchers/ruby/bundler/child_gemfile_finder.rb
-- lib/dependabot/file_fetchers/ruby/bundler/gemspec_finder.rb
-- lib/dependabot/file_fetchers/ruby/bundler/path_gemspec_finder.rb
-- lib/dependabot/file_fetchers/ruby/bundler/require_relative_finder.rb
 - lib/dependabot/file_parsers.rb
 - lib/dependabot/file_parsers/README.md
 - lib/dependabot/file_parsers/base.rb
 - lib/dependabot/file_parsers/base/dependency_set.rb
-- lib/dependabot/file_parsers/ruby/bundler.rb
-- lib/dependabot/file_parsers/ruby/bundler/file_preparer.rb
-- lib/dependabot/file_parsers/ruby/bundler/gemfile_checker.rb
 - lib/dependabot/file_updaters.rb
 - lib/dependabot/file_updaters/README.md
 - lib/dependabot/file_updaters/base.rb
-- lib/dependabot/file_updaters/ruby/bundler.rb
-- lib/dependabot/file_updaters/ruby/bundler/gemfile_updater.rb
-- lib/dependabot/file_updaters/ruby/bundler/gemspec_dependency_name_finder.rb
-- lib/dependabot/file_updaters/ruby/bundler/gemspec_sanitizer.rb
-- lib/dependabot/file_updaters/ruby/bundler/gemspec_updater.rb
-- lib/dependabot/file_updaters/ruby/bundler/git_pin_replacer.rb
-- lib/dependabot/file_updaters/ruby/bundler/git_source_remover.rb
-- lib/dependabot/file_updaters/ruby/bundler/lockfile_updater.rb
-- lib/dependabot/file_updaters/ruby/bundler/requirement_replacer.rb
 - lib/dependabot/git_commit_checker.rb
 - lib/dependabot/metadata_finders.rb
 - lib/dependabot/metadata_finders/README.md
@@ -345,7 +328,6 @@ files:
 - lib/dependabot/metadata_finders/base/changelog_pruner.rb
 - lib/dependabot/metadata_finders/base/commits_finder.rb
 - lib/dependabot/metadata_finders/base/release_finder.rb
-- lib/dependabot/metadata_finders/ruby/bundler.rb
 - lib/dependabot/pull_request_creator.rb
 - lib/dependabot/pull_request_creator/branch_namer.rb
 - lib/dependabot/pull_request_creator/commit_signer.rb
@@ -360,16 +342,7 @@ files:
 - lib/dependabot/update_checkers.rb
 - lib/dependabot/update_checkers/README.md
 - lib/dependabot/update_checkers/base.rb
-- lib/dependabot/update_checkers/ruby/bundler.rb
-- lib/dependabot/update_checkers/ruby/bundler/file_preparer.rb
-- lib/dependabot/update_checkers/ruby/bundler/force_updater.rb
-- lib/dependabot/update_checkers/ruby/bundler/latest_version_finder.rb
-- lib/dependabot/update_checkers/ruby/bundler/requirements_updater.rb
-- lib/dependabot/update_checkers/ruby/bundler/ruby_requirement_setter.rb
-- lib/dependabot/update_checkers/ruby/bundler/shared_bundler_helpers.rb
-- lib/dependabot/update_checkers/ruby/bundler/version_resolver.rb
 - lib/dependabot/utils.rb
-- lib/dependabot/utils/ruby/requirement.rb
 - lib/dependabot/version.rb
 - lib/rubygems_version_patch.rb
 homepage: https://github.com/dependabot/dependabot-core

data/lib/dependabot/file_fetchers/ruby/bundler.rb DELETED Viewed

@@ -1,215 +0,0 @@
-# frozen_string_literal: true
-require "dependabot/file_fetchers/base"
-require "dependabot/file_updaters/ruby/bundler/lockfile_updater"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler < Dependabot::FileFetchers::Base
-        require "dependabot/file_fetchers/ruby/bundler/gemspec_finder"
-        require "dependabot/file_fetchers/ruby/bundler/path_gemspec_finder"
-        require "dependabot/file_fetchers/ruby/bundler/child_gemfile_finder"
-        require "dependabot/file_fetchers/ruby/bundler/require_relative_finder"
-        def self.required_files_in?(filenames)
-          if filenames.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
-            return true
-          end
-          filenames.include?("Gemfile") || filenames.include?("gems.rb")
-        end
-        def self.required_files_message
-          "Repo must contain either a Gemfile, a gemspec, or a gems.rb."
-        end
-        private
-        def fetch_files
-          fetched_files = []
-          fetched_files << gemfile if gemfile
-          fetched_files << lockfile if gemfile && lockfile
-          fetched_files += child_gemfiles
-          fetched_files += gemspecs
-          fetched_files << ruby_version_file if ruby_version_file
-          fetched_files += path_gemspecs
-          fetched_files += require_relative_files(fetched_files)
-          fetched_files = uniq_files(fetched_files)
-          check_required_files_present
-          unless self.class.required_files_in?(fetched_files.map(&:name))
-            raise "Invalid set of files: #{fetched_files.map(&:name)}"
-          end
-          fetched_files
-        end
-        def uniq_files(fetched_files)
-          uniq_files = fetched_files.reject(&:support_file?).uniq
-          uniq_files += fetched_files.
-                        reject { |f| uniq_files.map(&:name).include?(f.name) }
-        end
-        def check_required_files_present
-          return if gemfile || gemspecs.any?
-          path = Pathname.new(File.join(directory, "Gemfile")).
-                 cleanpath.to_path
-          raise Dependabot::DependencyFileNotFound, path
-        end
-        def gemfile
-          @gemfile ||= fetch_file_if_present("gems.rb") ||
-                       fetch_file_if_present("Gemfile")
-        end
-        def lockfile
-          @lockfile ||= fetch_file_if_present("gems.locked") ||
-                        fetch_file_if_present("Gemfile.lock")
-        end
-        def gemspecs
-          return @gemspecs if defined?(@gemspecs)
-          gemspecs_paths =
-            gemspec_directories.
-            flat_map do |d|
-              repo_contents(dir: d).
-                select { |f| f.name.end_with?(".gemspec") }.
-                map { |f| File.join(d, f.name) }
-            end
-          @gemspecs = gemspecs_paths.map { |n| fetch_file_from_host(n) }
-        rescue Octokit::NotFound
-          []
-        end
-        def gemspec_directories
-          gemfiles = ([gemfile] + child_gemfiles).compact
-          directories =
-            gemfiles.flat_map do |file|
-              GemspecFinder.new(gemfile: file).gemspec_directories
-            end.uniq
-          directories.empty? ? ["."] : directories
-        end
-        def ruby_version_file
-          return unless gemfile
-          return unless gemfile.content.include?(".ruby-version")
-          @ruby_version_file ||=
-            fetch_file_if_present(".ruby-version")&.
-            tap { |f| f.support_file = true }
-        end
-        def path_gemspecs
-          gemspec_files = []
-          unfetchable_gems = []
-          path_gemspec_paths.each do |path|
-            # Get any gemspecs at the path itself
-            gemspecs_at_path = fetch_gemspecs_from_directory(path)
-            # Get any gemspecs nested one level deeper
-            nested_directories =
-              repo_contents(dir: path).
-              select { |f| f.type == "dir" }
-            nested_directories.each do |dir|
-              dir_path = File.join(path, dir.name)
-              gemspecs_at_path += fetch_gemspecs_from_directory(dir_path)
-            end
-            # Add the fetched gemspecs to the main array, and note an error if
-            # none were found for this path
-            gemspec_files += gemspecs_at_path
-            unfetchable_gems << path.basename.to_s if gemspecs_at_path.empty?
-          rescue Octokit::NotFound, Gitlab::Error::NotFound
-            unfetchable_gems << path.basename.to_s
-          end
-          if unfetchable_gems.any?
-            raise Dependabot::PathDependenciesNotReachable, unfetchable_gems
-          end
-          gemspec_files.tap { |ar| ar.each { |f| f.support_file = true } }
-        end
-        def path_gemspec_paths
-          fetch_path_gemspec_paths.map { |path| Pathname.new(path) }
-        end
-        def require_relative_files(files)
-          ruby_files =
-            files.select { |f| f.name.end_with?(".rb", "Gemfile", ".gemspec") }
-          paths = ruby_files.flat_map do |file|
-            RequireRelativeFinder.new(file: file).require_relative_paths
-          end
-          @require_relative_files ||=
-            paths.map { |path| fetch_file_from_host(path) }.
-            tap { |req_files| req_files.each { |f| f.support_file = true } }
-        end
-        def fetch_gemspecs_from_directory(dir_path)
-          repo_contents(dir: dir_path).
-            select { |f| f.name.end_with?(".gemspec") }.
-            map { |f| File.join(dir_path, f.name) }.
-            map { |fp| fetch_file_from_host(fp) }
-        end
-        def fetch_path_gemspec_paths
-          if lockfile
-            parsed_lockfile = ::Bundler::LockfileParser.new(
-              sanitized_lockfile_content
-            )
-            parsed_lockfile.specs.
-              select { |s| s.source.instance_of?(::Bundler::Source::Path) }.
-              map { |s| s.source.path }.uniq
-          else
-            gemfiles = ([gemfile] + child_gemfiles).compact
-            gemfiles.flat_map do |file|
-              PathGemspecFinder.new(gemfile: file).path_gemspec_paths
-            end.uniq
-          end
-        rescue ::Bundler::LockfileError
-          raise Dependabot::DependencyFileNotParseable, lockfile.path
-        end
-        def child_gemfiles
-          return [] unless gemfile
-          @child_gemfiles ||=
-            fetch_child_gemfiles(file: gemfile, previously_fetched_files: [])
-        end
-        def sanitized_lockfile_content
-          regex = FileUpdaters::Ruby::Bundler::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(regex, "")
-        end
-        def fetch_child_gemfiles(file:, previously_fetched_files:)
-          paths = ChildGemfileFinder.new(gemfile: file).child_gemfile_paths
-          paths.flat_map do |path|
-            next if previously_fetched_files.map(&:name).include?(path)
-            next if file.name == path
-            fetched_file = fetch_file_from_host(path)
-            grandchild_gemfiles = fetch_child_gemfiles(
-              file: fetched_file,
-              previously_fetched_files: previously_fetched_files + [file]
-            )
-            [fetched_file, *grandchild_gemfiles]
-          end.compact
-        end
-      end
-    end
-  end
-end