RubyGems - dependabot-core - Versions diffs - 0.93.17 → 0.94.0 - Mend

dependabot-core 0.93.17 → 0.94.0

Files changed (39) hide show

data/lib/dependabot/file_fetchers/ruby/bundler/child_gemfile_finder.rb DELETED Viewed

@@ -1,70 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the paths of any Gemfiles declared using `eval_gemfile` in the
-        # passed Gemfile.
-        class ChildGemfileFinder
-          def initialize(gemfile:)
-            @gemfile = gemfile
-          end
-          def child_gemfile_paths
-            ast = Parser::CurrentRuby.parse(gemfile.content)
-            find_child_gemfile_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, gemfile.path
-          end
-          private
-          attr_reader :gemfile
-          # rubocop:disable Security/Eval
-          def find_child_gemfile_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_eval_gemfile?(node)
-              # We use eval here, but we know what we're doing. The FileFetchers
-              # helper method should only ever be run in an isolated environment
-              source = node.children[2].loc.expression.source
-              begin
-                path = eval(source)
-              rescue StandardError
-                return []
-              end
-              if Pathname.new(path).absolute?
-                base_path = Pathname.new(File.expand_path(Dir.pwd))
-                path = Pathname.new(path).relative_path_from(base_path).to_s
-              end
-              path = File.join(current_dir, path) unless current_dir.nil?
-              return [Pathname.new(path).cleanpath.to_path]
-            end
-            node.children.flat_map do |child_node|
-              find_child_gemfile_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= gemfile.name.split("/")[0..-2].last
-          end
-          def declares_eval_gemfile?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            node.children[1] == :eval_gemfile
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/ruby/bundler/gemspec_finder.rb DELETED Viewed

@@ -1,98 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the directories of any gemspecs declared using `gemspec` in the
-        # passed Gemfile.
-        class GemspecFinder
-          def initialize(gemfile:)
-            @gemfile = gemfile
-          end
-          def gemspec_directories
-            ast = Parser::CurrentRuby.parse(gemfile.content)
-            find_gemspec_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, gemfile.path
-          end
-          private
-          attr_reader :gemfile
-          # rubocop:disable Security/Eval
-          def find_gemspec_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_gemspec_dependency?(node)
-              path_node = path_node_for_gem_declaration(node)
-              return [clean_path(".")] unless path_node
-              begin
-                # We use eval here, but we know what we're doing. The
-                # FileFetchers helper method should only ever be run in an
-                # isolated environment
-                path = eval(path_node.loc.expression.source)
-              rescue StandardError
-                return []
-              end
-              return [clean_path(path)]
-            end
-            node.children.flat_map do |child_node|
-              find_gemspec_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= gemfile.name.rpartition("/").first
-            @current_dir = nil if @current_dir == ""
-            @current_dir
-          end
-          def declares_gemspec_dependency?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            node.children[1] == :gemspec
-          end
-          def clean_path(path)
-            if Pathname.new(path).absolute?
-              base_path = Pathname.new(File.expand_path(Dir.pwd))
-              path = Pathname.new(path).relative_path_from(base_path).to_s
-            end
-            path = File.join(current_dir, path) unless current_dir.nil?
-            Pathname.new(path).cleanpath
-          end
-          def path_node_for_gem_declaration(node)
-            return unless node.children.last.is_a?(Parser::AST::Node)
-            return unless node.children.last.type == :hash
-            kwargs_node = node.children.last
-            path_hash_pair =
-              kwargs_node.children.
-              find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
-            return unless path_hash_pair
-            path_hash_pair.children.last
-          end
-          def key_from_hash_pair(node)
-            node.children.first.children.first.to_sym
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/ruby/bundler/path_gemspec_finder.rb DELETED Viewed

@@ -1,114 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the paths of any gemspecs declared using `path: ` in the
-        # passed Gemfile.
-        class PathGemspecFinder
-          def initialize(gemfile:)
-            @gemfile = gemfile
-          end
-          def path_gemspec_paths
-            ast = Parser::CurrentRuby.parse(gemfile.content)
-            find_path_gemspec_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, gemfile.path
-          end
-          private
-          attr_reader :gemfile
-          # rubocop:disable Security/Eval
-          def find_path_gemspec_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_path_dependency?(node)
-              path_node = path_node_for_gem_declaration(node)
-              begin
-                # We use eval here, but we know what we're doing. The
-                # FileFetchers helper method should only ever be run in an
-                # isolated environment
-                path = eval(path_node.loc.expression.source)
-              rescue StandardError
-                return []
-              end
-              return [clean_path(path)]
-            end
-            relevant_child_nodes(node).flat_map do |child_node|
-              find_path_gemspec_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= gemfile.name.rpartition("/").first
-            @current_dir = nil if @current_dir == ""
-            @current_dir
-          end
-          def declares_path_dependency?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            return false unless node.children[1] == :gem
-            !path_node_for_gem_declaration(node).nil?
-          end
-          def clean_path(path)
-            if Pathname.new(path).absolute?
-              base_path = Pathname.new(File.expand_path(Dir.pwd))
-              path = Pathname.new(path).relative_path_from(base_path).to_s
-            end
-            path = File.join(current_dir, path) unless current_dir.nil?
-            Pathname.new(path).cleanpath
-          end
-          # rubocop:disable Security/Eval
-          def relevant_child_nodes(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            return node.children unless node.type == :if
-            begin
-              if eval(node.children.first.loc.expression.source)
-                [node.children[1]]
-              else
-                [node.children[2]]
-              end
-            rescue StandardError
-              return node.children
-            end
-          end
-          # rubocop:enable Security/Eval
-          def path_node_for_gem_declaration(node)
-            return unless node.children.last.type == :hash
-            kwargs_node = node.children.last
-            path_hash_pair =
-              kwargs_node.children.
-              find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
-            return unless path_hash_pair
-            path_hash_pair.children.last
-          end
-          def key_from_hash_pair(node)
-            node.children.first.children.first.to_sym
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/ruby/bundler/require_relative_finder.rb DELETED Viewed

@@ -1,67 +0,0 @@
-# frozen_string_literal: true
-require "pathname"
-require "parser/current"
-require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/errors"
-module Dependabot
-  module FileFetchers
-    module Ruby
-      class Bundler
-        # Finds the paths of any files included using `require_relative` in the
-        # passed file.
-        class RequireRelativeFinder
-          def initialize(file:)
-            @file = file
-          end
-          def require_relative_paths
-            ast = Parser::CurrentRuby.parse(file.content)
-            find_require_relative_paths(ast)
-          rescue Parser::SyntaxError
-            raise Dependabot::DependencyFileNotParseable, file.path
-          end
-          private
-          attr_reader :file
-          # rubocop:disable Security/Eval
-          def find_require_relative_paths(node)
-            return [] unless node.is_a?(Parser::AST::Node)
-            if declares_require_relative?(node)
-              # We use eval here, but we know what we're doing. The FileFetchers
-              # helper method should only ever be run in an isolated environment
-              source = node.children[2].loc.expression.source
-              begin
-                path = eval(source)
-              rescue StandardError
-                return []
-              end
-              path = File.join(current_dir, path) unless current_dir.nil?
-              return [Pathname.new(path + ".rb").cleanpath.to_path]
-            end
-            node.children.flat_map do |child_node|
-              find_require_relative_paths(child_node)
-            end
-          end
-          # rubocop:enable Security/Eval
-          def current_dir
-            @current_dir ||= file.name.split("/")[0..-2].last
-          end
-          def declares_require_relative?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            node.children[1] == :require_relative
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_parsers/ruby/bundler.rb DELETED Viewed

@@ -1,294 +0,0 @@
-# frozen_string_literal: true
-require "dependabot/dependency"
-require "dependabot/file_parsers/base"
-require "dependabot/file_updaters/ruby/bundler/lockfile_updater"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-module Dependabot
-  module FileParsers
-    module Ruby
-      class Bundler < Dependabot::FileParsers::Base
-        require "dependabot/file_parsers/base/dependency_set"
-        require "dependabot/file_parsers/ruby/bundler/file_preparer"
-        require "dependabot/file_parsers/ruby/bundler/gemfile_checker"
-        def parse
-          dependency_set = DependencySet.new
-          dependency_set += gemfile_dependencies
-          dependency_set += gemspec_dependencies
-          dependency_set += lockfile_dependencies
-          dependency_set.dependencies
-        end
-        private
-        # Can't be a constant because some of these don't exist in bundler
-        # 1.15, which Heroku uses, which causes an exception on boot.
-        def sources
-          [
-            NilClass,
-            ::Bundler::Source::Rubygems,
-            ::Bundler::Source::Git,
-            ::Bundler::Source::Path,
-            ::Bundler::Source::Gemspec,
-            ::Bundler::Source::Metadata
-          ]
-        end
-        def gemfile_dependencies
-          dependencies = DependencySet.new
-          return dependencies unless gemfile
-          [gemfile, *evaled_gemfiles].each do |file|
-            parsed_gemfile.each do |dep|
-              next unless dependency_in_gemfile?(gemfile: file, dependency: dep)
-              dependencies <<
-                Dependency.new(
-                  name: dep.name,
-                  version: dependency_version(dep.name)&.to_s,
-                  requirements: [{
-                    requirement: dep.requirement.to_s,
-                    groups: dep.groups,
-                    source: source_for(dep),
-                    file: file.name
-                  }],
-                  package_manager: "bundler"
-                )
-            end
-          end
-          dependencies
-        end
-        def gemspec_dependencies
-          dependencies = DependencySet.new
-          gemspecs.each do |gemspec|
-            parsed_gemspec(gemspec).dependencies.each do |dependency|
-              dependencies <<
-                Dependency.new(
-                  name: dependency.name,
-                  version: dependency_version(dependency.name)&.to_s,
-                  requirements: [{
-                    requirement: dependency.requirement.to_s,
-                    groups: dependency.runtime? ? ["runtime"] : ["development"],
-                    source: nil,
-                    file: gemspec.name
-                  }],
-                  package_manager: "bundler"
-                )
-            end
-          end
-          dependencies
-        end
-        def lockfile_dependencies
-          dependencies = DependencySet.new
-          return dependencies unless lockfile
-          # Create a DependencySet where each element has no requirement. Any
-          # requirements will be added when combining the DependencySet with
-          # other DependencySets.
-          parsed_lockfile.specs.each do |dependency|
-            next if dependency.source.is_a?(::Bundler::Source::Path)
-            dependencies <<
-              Dependency.new(
-                name: dependency.name,
-                version: dependency_version(dependency.name)&.to_s,
-                requirements: [],
-                package_manager: "bundler"
-              )
-          end
-          dependencies
-        end
-        def parsed_gemfile
-          base_directory = dependency_files.first.directory
-          @parsed_gemfile ||=
-            SharedHelpers.in_a_temporary_directory(base_directory) do
-              write_temporary_dependency_files
-              SharedHelpers.in_a_forked_process do
-                ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-                ::Bundler::Definition.build(gemfile.name, nil, {}).
-                  dependencies.
-                  select(&:current_platform?).
-                  # We can't dump gemspec sources, and we wouldn't bump them
-                  # anyway, so we filter them out.
-                  reject { |dep| dep.source.is_a?(::Bundler::Source::Gemspec) }
-              end
-            end
-        rescue SharedHelpers::ChildProcessFailed => error
-          msg = error.error_class + " with message: " +
-                error.error_message.force_encoding("UTF-8").encode
-          raise Dependabot::DependencyFileNotEvaluatable, msg
-        end
-        def parsed_gemspec(file)
-          @parsed_gemspecs ||= {}
-          @parsed_gemspecs[file.name] ||=
-            SharedHelpers.in_a_temporary_directory do
-              [file, *imported_ruby_files].each do |f|
-                path = f.name
-                FileUtils.mkdir_p(Pathname.new(path).dirname)
-                File.write(path, f.content)
-              end
-              SharedHelpers.in_a_forked_process do
-                ::Bundler.instance_variable_set(:@root, Pathname.new(Dir.pwd))
-                ::Bundler.load_gemspec_uncached(file.name)
-              end
-            end
-        rescue SharedHelpers::ChildProcessFailed => error
-          msg = error.error_class + " with message: " + error.error_message
-          raise Dependabot::DependencyFileNotEvaluatable, msg
-        end
-        def prepared_dependency_files
-          @prepared_dependency_files ||=
-            FilePreparer.new(dependency_files: dependency_files).
-            prepared_dependency_files
-        end
-        def write_temporary_dependency_files
-          prepared_dependency_files.each do |file|
-            path = file.name
-            FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, file.content)
-          end
-        end
-        def check_required_files
-          file_names = dependency_files.map(&:name)
-          return if file_names.any? do |name|
-            name.end_with?(".gemspec") && !name.include?("/")
-          end
-          return if gemfile
-          raise "A gemspec or Gemfile must be provided!"
-        end
-        def source_for(dependency)
-          source = dependency.source
-          if lockfile && default_rubygems?(source)
-            # If there's a lockfile and the Gemfile doesn't have anything
-            # interesting to say about the source, check that.
-            source = source_from_lockfile(dependency.name)
-          end
-          raise "Bad source: #{source}" unless sources.include?(source.class)
-          return nil if default_rubygems?(source)
-          details = { type: source.class.name.split("::").last.downcase }
-          if source.is_a?(::Bundler::Source::Git)
-            details.merge!(git_source_details(source))
-          end
-          if source.is_a?(::Bundler::Source::Rubygems)
-            details[:url] = source.remotes.first.to_s
-          end
-          details
-        end
-        def git_source_details(source)
-          {
-            url: source.uri,
-            branch: source.branch || "master",
-            ref: source.ref
-          }
-        end
-        def default_rubygems?(source)
-          return true if source.nil?
-          return false unless source.is_a?(::Bundler::Source::Rubygems)
-          source.remotes.any? { |r| r.to_s.include?("rubygems.org") }
-        end
-        def dependency_version(dependency_name)
-          return unless lockfile
-          spec = parsed_lockfile.specs.find { |s| s.name == dependency_name }
-          # Not all files in the Gemfile will appear in the Gemfile.lock. For
-          # instance, if a gem specifies `platform: [:windows]`, and the
-          # Gemfile.lock is generated on a Linux machine, the gem will be not
-          # appear in the lockfile.
-          return unless spec
-          # If the source is Git we're better off knowing the SHA-1 than the
-          # version.
-          if spec.source.instance_of?(::Bundler::Source::Git)
-            return spec.source.revision
-          end
-          spec.version
-        end
-        def source_from_lockfile(dependency_name)
-          parsed_lockfile.specs.find { |s| s.name == dependency_name }&.source
-        end
-        def dependency_in_gemfile?(gemfile:, dependency:)
-          GemfileChecker.new(
-            dependency: dependency,
-            gemfile: gemfile
-          ).includes_dependency?
-        end
-        def gemfile
-          @gemfile ||= get_original_file("Gemfile") ||
-                       get_original_file("gems.rb")
-        end
-        def evaled_gemfiles
-          dependency_files.
-            reject { |f| f.name.end_with?(".gemspec") }.
-            reject { |f| f.name.end_with?(".lock") }.
-            reject { |f| f.name.end_with?(".ruby-version") }.
-            reject { |f| f.name == "Gemfile" }.
-            reject { |f| f.name == "gems.rb" }.
-            reject { |f| f.name == "gems.locked" }
-        end
-        def lockfile
-          @lockfile ||= get_original_file("Gemfile.lock") ||
-                        get_original_file("gems.locked")
-        end
-        def parsed_lockfile
-          @parsed_lockfile ||=
-            ::Bundler::LockfileParser.new(sanitized_lockfile_content)
-        end
-        def sanitized_lockfile_content
-          regex = FileUpdaters::Ruby::Bundler::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(regex, "")
-        end
-        def gemspecs
-          # Path gemspecs are excluded (they're supporting files)
-          @gemspecs ||= prepared_dependency_files.
-                        select { |file| file.name.end_with?(".gemspec") }.
-                        reject(&:support_file?)
-        end
-        def imported_ruby_files
-          dependency_files.
-            select { |f| f.name.end_with?(".rb") }.
-            reject { |f| f.name == "gems.rb" }
-        end
-      end
-    end
-  end
-end