RubyGems - dependabot-core - Versions diffs - 0.93.17 → 0.94.0 - Mend

dependabot-core 0.93.17 → 0.94.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

data/lib/dependabot/file_fetchers/ruby/bundler/child_gemfile_finder.rb DELETED Viewed

@@ -1,70 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the paths of any Gemfiles declared using `eval_gemfile` in the
-        # passed Gemfile.
-        class ChildGemfileFinder
-          def initialize(gemfile:)
-            @gemfile = gemfile
-          end
-          def child_gemfile_paths
-            ast = Parser::CurrentRuby.parse(gemfile.content)
-            find_child_gemfile_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, gemfile.path
-          end
-          private
-          attr_reader :gemfile
-          # rubocop:disable Security/Eval
-          def find_child_gemfile_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_eval_gemfile?(node)
-              # We use eval here, but we know what we're doing. The FileFetchers
-              # helper method should only ever be run in an isolated environment
-              source = node.children[2].loc.expression.source
-              begin
-                path = eval(source)
-              rescue StandardError
-                return []
-              end
-              if Pathname.new(path).absolute?
-                base_path = Pathname.new(File.expand_path(Dir.pwd))
-                path = Pathname.new(path).relative_path_from(base_path).to_s
-              end
-              path = File.join(current_dir, path) unless current_dir.nil?
-              return [Pathname.new(path).cleanpath.to_path]
-            end
-            node.children.flat_map do |child_node|
-              find_child_gemfile_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= gemfile.name.split("/")[0..-2].last
-          end
-          def declares_eval_gemfile?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            node.children[1] == :eval_gemfile
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/ruby/bundler/gemspec_finder.rb DELETED Viewed

@@ -1,98 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the directories of any gemspecs declared using `gemspec` in the
-        # passed Gemfile.
-        class GemspecFinder
-          def initialize(gemfile:)
-            @gemfile = gemfile
-          end
-          def gemspec_directories
-            ast = Parser::CurrentRuby.parse(gemfile.content)
-            find_gemspec_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, gemfile.path
-          end
-          private
-          attr_reader :gemfile
-          # rubocop:disable Security/Eval
-          def find_gemspec_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_gemspec_dependency?(node)
-              path_node = path_node_for_gem_declaration(node)
-              return [clean_path(".")] unless path_node
-              begin
-                # We use eval here, but we know what we're doing. The
-                # FileFetchers helper method should only ever be run in an
-                # isolated environment
-                path = eval(path_node.loc.expression.source)
-              rescue StandardError
-                return []
-              end
-              return [clean_path(path)]
-            end
-            node.children.flat_map do |child_node|
-              find_gemspec_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= gemfile.name.rpartition("/").first
-            @current_dir = nil if @current_dir == ""
-            @current_dir
-          end
-          def declares_gemspec_dependency?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            node.children[1] == :gemspec
-          end
-          def clean_path(path)
-            if Pathname.new(path).absolute?
-              base_path = Pathname.new(File.expand_path(Dir.pwd))
-              path = Pathname.new(path).relative_path_from(base_path).to_s
-            end
-            path = File.join(current_dir, path) unless current_dir.nil?
-            Pathname.new(path).cleanpath
-          end
-          def path_node_for_gem_declaration(node)
-            return unless node.children.last.is_a?(Parser::AST::Node)
-            return unless node.children.last.type == :hash
-            kwargs_node = node.children.last
-            path_hash_pair =
-              kwargs_node.children.
-              find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
-            return unless path_hash_pair
-            path_hash_pair.children.last
-          end
-          def key_from_hash_pair(node)
-            node.children.first.children.first.to_sym
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/ruby/bundler/path_gemspec_finder.rb DELETED Viewed

@@ -1,114 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the paths of any gemspecs declared using `path: ` in the
-        # passed Gemfile.
-        class PathGemspecFinder
-          def initialize(gemfile:)
-            @gemfile = gemfile
-          end
-          def path_gemspec_paths
-            ast = Parser::CurrentRuby.parse(gemfile.content)
-            find_path_gemspec_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, gemfile.path
-          end
-          private
-          attr_reader :gemfile
-          # rubocop:disable Security/Eval
-          def find_path_gemspec_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_path_dependency?(node)
-              path_node = path_node_for_gem_declaration(node)
-              begin
-                # We use eval here, but we know what we're doing. The
-                # FileFetchers helper method should only ever be run in an
-                # isolated environment
-                path = eval(path_node.loc.expression.source)
-              rescue StandardError
-                return []
-              end
-              return [clean_path(path)]
-            end
-            relevant_child_nodes(node).flat_map do |child_node|
-              find_path_gemspec_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= gemfile.name.rpartition("/").first
-            @current_dir = nil if @current_dir == ""
-            @current_dir
-          end
-          def declares_path_dependency?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            return false unless node.children[1] == :gem
-            !path_node_for_gem_declaration(node).nil?
-          end
-          def clean_path(path)
-            if Pathname.new(path).absolute?
-              base_path = Pathname.new(File.expand_path(Dir.pwd))
-              path = Pathname.new(path).relative_path_from(base_path).to_s
-            end
-            path = File.join(current_dir, path) unless current_dir.nil?
-            Pathname.new(path).cleanpath
-          end
-          # rubocop:disable Security/Eval
-          def relevant_child_nodes(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            return node.children unless node.type == :if
-            begin
-              if eval(node.children.first.loc.expression.source)
-                [node.children[1]]
-              else
-                [node.children[2]]
-              end
-            rescue StandardError
-              return node.children
-            end
-          end
-          # rubocop:enable Security/Eval
-          def path_node_for_gem_declaration(node)
-            return unless node.children.last.type == :hash
-            kwargs_node = node.children.last
-            path_hash_pair =
-              kwargs_node.children.
-              find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
-            return unless path_hash_pair
-            path_hash_pair.children.last
-          end
-          def key_from_hash_pair(node)
-            node.children.first.children.first.to_sym
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/ruby/bundler/require_relative_finder.rb DELETED Viewed

@@ -1,67 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the paths of any files included using `require_relative` in the
-        # passed file.
-        class RequireRelativeFinder
-          def initialize(file:)
-            @file = file
-          end
-          def require_relative_paths
-            ast = Parser::CurrentRuby.parse(file.content)
-            find_require_relative_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, file.path
-          end
-          private
-          attr_reader :file
-          # rubocop:disable Security/Eval
-          def find_require_relative_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_require_relative?(node)
-              # We use eval here, but we know what we're doing. The FileFetchers
-              # helper method should only ever be run in an isolated environment
-              source = node.children[2].loc.expression.source
-              begin
-                path = eval(source)
-              rescue StandardError
-                return []
-              end
-              path = File.join(current_dir, path) unless current_dir.nil?
-              return [Pathname.new(path + ".rb").cleanpath.to_path]
-            end
-            node.children.flat_map do |child_node|
-              find_require_relative_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= file.name.split("/")[0..-2].last
-          end
-          def declares_require_relative?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            node.children[1] == :require_relative
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_parsers/ruby/bundler.rb DELETED Viewed

@@ -1,294 +0,0 @@
-# frozen_string_literal: true
-require "dependabot/dependency"
-require "dependabot/file_parsers/base"
-require "dependabot/file_updaters/ruby/bundler/lockfile_updater"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-module Dependabot
-  module FileParsers
-    module Ruby
-      class Bundler < Dependabot::FileParsers::Base
-        require "dependabot/file_parsers/base/dependency_set"
-        require "dependabot/file_parsers/ruby/bundler/file_preparer"
-        require "dependabot/file_parsers/ruby/bundler/gemfile_checker"
-        def parse
-          dependency_set = DependencySet.new
-          dependency_set += gemfile_dependencies
-          dependency_set += gemspec_dependencies
-          dependency_set += lockfile_dependencies
-          dependency_set.dependencies
-        end
-        private
-        # Can't be a constant because some of these don't exist in bundler
-        # 1.15, which Heroku uses, which causes an exception on boot.
-        def sources
-          [
-            NilClass,
-            ::Bundler::Source::Rubygems,
-            ::Bundler::Source::Git,
-            ::Bundler::Source::Path,
-            ::Bundler::Source::Gemspec,
-            ::Bundler::Source::Metadata
-          ]
-        end
-        def gemfile_dependencies
-          dependencies = DependencySet.new
-          return dependencies unless gemfile
-          [gemfile, *evaled_gemfiles].each do |file|
-            parsed_gemfile.each do |dep|
-              next unless dependency_in_gemfile?(gemfile: file, dependency: dep)
-              dependencies <<
-                Dependency.new(
-                  name: dep.name,
-                  version: dependency_version(dep.name)&.to_s,
-                  requirements: [{
-                    requirement: dep.requirement.to_s,
-                    groups: dep.groups,
-                    source: source_for(dep),
-                    file: file.name
-                  }],
-                  package_manager: "bundler"
-                )
-            end
-          end
-          dependencies
-        end
-        def gemspec_dependencies
-          dependencies = DependencySet.new
-          gemspecs.each do |gemspec|
-            parsed_gemspec(gemspec).dependencies.each do |dependency|
-              dependencies <<
-                Dependency.new(
-                  name: dependency.name,
-                  version: dependency_version(dependency.name)&.to_s,
-                  requirements: [{
-                    requirement: dependency.requirement.to_s,
-                    groups: dependency.runtime? ? ["runtime"] : ["development"],
-                    source: nil,
-                    file: gemspec.name
-                  }],
-                  package_manager: "bundler"
-                )
-            end
-          end
-          dependencies
-        end
-        def lockfile_dependencies
-          dependencies = DependencySet.new
-          return dependencies unless lockfile
-          # Create a DependencySet where each element has no requirement. Any
-          # requirements will be added when combining the DependencySet with
-          # other DependencySets.
-          parsed_lockfile.specs.each do |dependency|
-            next if dependency.source.is_a?(::Bundler::Source::Path)
-            dependencies <<
-              Dependency.new(
-                name: dependency.name,
-                version: dependency_version(dependency.name)&.to_s,
-                requirements: [],
-                package_manager: "bundler"
-              )
-          end
-          dependencies
-        end
-        def parsed_gemfile
-          base_directory = dependency_files.first.directory
-          @parsed_gemfile ||=
-            SharedHelpers.in_a_temporary_directory(base_directory) do
-              write_temporary_dependency_files
-              SharedHelpers.in_a_forked_process do
-                ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-                ::Bundler::Definition.build(gemfile.name, nil, {}).
-                  dependencies.
-                  select(&:current_platform?).
-                  # We can't dump gemspec sources, and we wouldn't bump them
-                  # anyway, so we filter them out.
-                  reject { |dep| dep.source.is_a?(::Bundler::Source::Gemspec) }
-              end
-            end
-        rescue SharedHelpers::ChildProcessFailed => error
-          msg = error.error_class + " with message: " +
-                error.error_message.force_encoding("UTF-8").encode
-          raise Dependabot::DependencyFileNotEvaluatable, msg
-        end
-        def parsed_gemspec(file)
-          @parsed_gemspecs ||= {}
-          @parsed_gemspecs[file.name] ||=
-            SharedHelpers.in_a_temporary_directory do
-              [file, *imported_ruby_files].each do |f|
-                path = f.name
-                FileUtils.mkdir_p(Pathname.new(path).dirname)
-                File.write(path, f.content)
-              end
-              SharedHelpers.in_a_forked_process do
-                ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-                ::Bundler.load_gemspec_uncached(file.name)
-              end
-            end
-        rescue SharedHelpers::ChildProcessFailed => error
-          msg = error.error_class + " with message: " + error.error_message
-          raise Dependabot::DependencyFileNotEvaluatable, msg
-        end
-        def prepared_dependency_files
-          @prepared_dependency_files ||=
-            FilePreparer.new(dependency_files: dependency_files).
-            prepared_dependency_files
-        end
-        def write_temporary_dependency_files
-          prepared_dependency_files.each do |file|
-            path = file.name
-            FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, file.content)
-          end
-        end
-        def check_required_files
-          file_names = dependency_files.map(&:name)
-          return if file_names.any? do |name|
-            name.end_with?(".gemspec") && !name.include?("/")
-          end
-          return if gemfile
-          raise "A gemspec or Gemfile must be provided!"
-        end
-        def source_for(dependency)
-          source = dependency.source
-          if lockfile && default_rubygems?(source)
-            # If there's a lockfile and the Gemfile doesn't have anything
-            # interesting to say about the source, check that.
-            source = source_from_lockfile(dependency.name)
-          end
-          raise "Bad source: #{source}" unless sources.include?(source.class)
-          return nil if default_rubygems?(source)
-          details = { type: source.class.name.split("::").last.downcase }
-          if source.is_a?(::Bundler::Source::Git)
-            details.merge!(git_source_details(source))
-          end
-          if source.is_a?(::Bundler::Source::Rubygems)
-            details[:url] = source.remotes.first.to_s
-          end
-          details
-        end
-        def git_source_details(source)
-          {
-            url: source.uri,
-            branch: source.branch || "master",
-            ref: source.ref
-          }
-        end
-        def default_rubygems?(source)
-          return true if source.nil?
-          return false unless source.is_a?(::Bundler::Source::Rubygems)
-          source.remotes.any? { |r| r.to_s.include?("rubygems.org") }
-        end
-        def dependency_version(dependency_name)
-          return unless lockfile
-          spec = parsed_lockfile.specs.find { |s| s.name == dependency_name }
-          # Not all files in the Gemfile will appear in the Gemfile.lock. For
-          # instance, if a gem specifies `platform: [:windows]`, and the
-          # Gemfile.lock is generated on a Linux machine, the gem will be not
-          # appear in the lockfile.
-          return unless spec
-          # If the source is Git we're better off knowing the SHA-1 than the
-          # version.
-          if spec.source.instance_of?(::Bundler::Source::Git)
-            return spec.source.revision
-          end
-          spec.version
-        end
-        def source_from_lockfile(dependency_name)
-          parsed_lockfile.specs.find { |s| s.name == dependency_name }&.source
-        end
-        def dependency_in_gemfile?(gemfile:, dependency:)
-          GemfileChecker.new(
-            dependency: dependency,
-            gemfile: gemfile
-          ).includes_dependency?
-        end
-        def gemfile
-          @gemfile ||= get_original_file("Gemfile") ||
-                       get_original_file("gems.rb")
-        end
-        def evaled_gemfiles
-          dependency_files.
-            reject { |f| f.name.end_with?(".gemspec") }.
-            reject { |f| f.name.end_with?(".lock") }.
-            reject { |f| f.name.end_with?(".ruby-version") }.
-            reject { |f| f.name == "Gemfile" }.
-            reject { |f| f.name == "gems.rb" }.
-            reject { |f| f.name == "gems.locked" }
-        end
-        def lockfile
-          @lockfile ||= get_original_file("Gemfile.lock") ||
-                        get_original_file("gems.locked")
-        end
-        def parsed_lockfile
-          @parsed_lockfile ||=
-            ::Bundler::LockfileParser.new(sanitized_lockfile_content)
-        end
-        def sanitized_lockfile_content
-          regex = FileUpdaters::Ruby::Bundler::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(regex, "")
-        end
-        def gemspecs
-          # Path gemspecs are excluded (they're supporting files)
-          @gemspecs ||= prepared_dependency_files.
-                        select { |file| file.name.end_with?(".gemspec") }.
-                        reject(&:support_file?)
-        end
-        def imported_ruby_files
-          dependency_files.
-            select { |f| f.name.end_with?(".rb") }.
-            reject { |f| f.name == "gems.rb" }
-        end
-      end
-    end
-  end
-end