dependabot-core 0.83.2 → 0.84.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7cc523139eab2f6d894afd461ef4edc6c8b40b34a6dbe708fc28b9bf9a9f6d9d
-  data.tar.gz: f4097498fa7a9d69b3ee097df38c44a976e7fbfb5699f51b91e0373b4dd8161a
+  metadata.gz: 2880406c8c17102a5713287fd3ab34721ca7e5563a0313efc6e15ff2b621bff5
+  data.tar.gz: ea431d85e1adf3c90c3666af8391e90481e6fe4b1a0c4da5e20dca3469fee0fe
 SHA512:
-  metadata.gz: e862129876b49b7fa5f95f7eea565ad65b6802ea7e6975651fc8fce33a590da1d20ce5a50ff3c8c710cdb69a3dee8222b2c6dde88695731517e586fbd0c74689
-  data.tar.gz: d4ab7597f3d11fdaaec2009510de6bee55809521129c05f17ef5d92896c866fb61f6232a9080b8da51534cf0ee0efca438b49bbb4db48af257e04837ba068ef8
+  metadata.gz: 8a7f8734af8757aabb9e338de4857db4f8b9c45ee69db2742d7df1851c63e294c6adb90d574d609f2c72407e4cd0e2713dfbb1d0dd595e9a66510061e5a40045
+  data.tar.gz: b46aba02cc071a14ce688a30a565533dd21aafd35a0b46fd5e1a457df4eb6e2d783bd9bed04f0b2a268e1b4e6f48df6373a7dceb13535e440641fb74d52293da

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## v0.84.0, 14 December 2018
+
+- Move Gradle into separate gem
+- Add safeguard for not filtering releases by nil
+
 ## v0.83.2, 14 December 2018
 
 - Rust: Handle unfetchable git refs better

data/lib/dependabot/file_fetchers.rb

@@ -3,7 +3,6 @@
 require "dependabot/file_fetchers/ruby/bundler"
 require "dependabot/file_fetchers/java_script/npm_and_yarn"
 require "dependabot/file_fetchers/java/maven"
-require "dependabot/file_fetchers/java/gradle"
 require "dependabot/file_fetchers/php/composer"
 require "dependabot/file_fetchers/elixir/hex"
 require "dependabot/file_fetchers/go/dep"
@@ -15,7 +14,6 @@ module Dependabot
       "bundler" => FileFetchers::Ruby::Bundler,
       "npm_and_yarn" => FileFetchers::JavaScript::NpmAndYarn,
       "maven" => FileFetchers::Java::Maven,
-      "gradle" => FileFetchers::Java::Gradle,
       "composer" => FileFetchers::Php::Composer,
       "hex" => FileFetchers::Elixir::Hex,
       "dep" => FileFetchers::Go::Dep,

data/lib/dependabot/file_parsers.rb

@@ -3,7 +3,6 @@
 require "dependabot/file_parsers/ruby/bundler"
 require "dependabot/file_parsers/java_script/npm_and_yarn"
 require "dependabot/file_parsers/java/maven"
-require "dependabot/file_parsers/java/gradle"
 require "dependabot/file_parsers/php/composer"
 require "dependabot/file_parsers/elixir/hex"
 require "dependabot/file_parsers/go/dep"
@@ -15,7 +14,6 @@ module Dependabot
       "bundler" => FileParsers::Ruby::Bundler,
       "npm_and_yarn" => FileParsers::JavaScript::NpmAndYarn,
       "maven" => FileParsers::Java::Maven,
-      "gradle" => FileParsers::Java::Gradle,
       "composer" => FileParsers::Php::Composer,
       "hex" => FileParsers::Elixir::Hex,
       "dep" => FileParsers::Go::Dep,

data/lib/dependabot/file_updaters.rb

@@ -3,7 +3,6 @@
 require "dependabot/file_updaters/ruby/bundler"
 require "dependabot/file_updaters/java_script/npm_and_yarn"
 require "dependabot/file_updaters/java/maven"
-require "dependabot/file_updaters/java/gradle"
 require "dependabot/file_updaters/php/composer"
 require "dependabot/file_updaters/elixir/hex"
 require "dependabot/file_updaters/go/dep"
@@ -15,7 +14,6 @@ module Dependabot
       "bundler" => FileUpdaters::Ruby::Bundler,
       "npm_and_yarn" => FileUpdaters::JavaScript::NpmAndYarn,
       "maven" => FileUpdaters::Java::Maven,
-      "gradle" => FileUpdaters::Java::Gradle,
       "composer" => FileUpdaters::Php::Composer,
       "hex" => FileUpdaters::Elixir::Hex,
       "dep" => FileUpdaters::Go::Dep,

data/lib/dependabot/metadata_finders.rb

@@ -13,7 +13,6 @@ module Dependabot
       "bundler" => MetadataFinders::Ruby::Bundler,
       "npm_and_yarn" => MetadataFinders::JavaScript::NpmAndYarn,
       "maven" => MetadataFinders::Java::Maven,
-      "gradle" => MetadataFinders::Java::Maven,
       "composer" => MetadataFinders::Php::Composer,
       "hex" => MetadataFinders::Elixir::Hex,
       "dep" => MetadataFinders::Go::Dep,

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -96,10 +96,14 @@ module Dependabot
         end
 
         def filter_releases_using_previous_release(releases)
+          return releases if releases.index(previous_release).nil?
+
           releases.first(releases.index(previous_release))
         end
 
         def filter_releases_using_updated_release(releases)
+          return releases if releases.index(updated_release).nil?
+
           releases[releases.index(updated_release)..-1]
         end
 

data/lib/dependabot/update_checkers.rb

@@ -3,7 +3,6 @@
 require "dependabot/update_checkers/ruby/bundler"
 require "dependabot/update_checkers/java_script/npm_and_yarn"
 require "dependabot/update_checkers/java/maven"
-require "dependabot/update_checkers/java/gradle"
 require "dependabot/update_checkers/php/composer"
 require "dependabot/update_checkers/elixir/hex"
 require "dependabot/update_checkers/go/dep"
@@ -15,7 +14,6 @@ module Dependabot
       "bundler" => UpdateCheckers::Ruby::Bundler,
       "npm_and_yarn" => UpdateCheckers::JavaScript::NpmAndYarn,
       "maven" => UpdateCheckers::Java::Maven,
-      "gradle" => UpdateCheckers::Java::Gradle,
       "composer" => UpdateCheckers::Php::Composer,
       "hex" => UpdateCheckers::Elixir::Hex,
       "dep" => UpdateCheckers::Go::Dep,

data/lib/dependabot/utils.rb

@@ -22,7 +22,6 @@ module Dependabot
       "submodules" => Gem::Version,
       "docker" => Gem::Version,
       "maven" => Utils::Java::Version,
-      "gradle" => Utils::Java::Version,
       "npm_and_yarn" => Utils::JavaScript::Version,
       "composer" => Utils::Php::Version,
       "hex" => Utils::Elixir::Version,
@@ -46,7 +45,6 @@ module Dependabot
       "submodules" => Utils::Ruby::Requirement,
       "docker" => Utils::Ruby::Requirement,
       "maven" => Utils::Java::Requirement,
-      "gradle" => Utils::Java::Requirement,
       "npm_and_yarn" => Utils::JavaScript::Requirement,
       "composer" => Utils::Php::Requirement,
       "hex" => Utils::Elixir::Requirement,

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.83.2"
+  VERSION = "0.84.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-  version: 0.83.2
+  version: 0.84.0
 platform: ruby
 authors:
 - Dependabot
@@ -378,8 +378,6 @@ files:
 - lib/dependabot/file_fetchers/elixir/hex.rb
 - lib/dependabot/file_fetchers/go/dep.rb
 - lib/dependabot/file_fetchers/go/modules.rb
-- lib/dependabot/file_fetchers/java/gradle.rb
-- lib/dependabot/file_fetchers/java/gradle/settings_file_parser.rb
 - lib/dependabot/file_fetchers/java/maven.rb
 - lib/dependabot/file_fetchers/java_script/npm_and_yarn.rb
 - lib/dependabot/file_fetchers/java_script/npm_and_yarn/path_dependency_builder.rb
@@ -396,9 +394,6 @@ files:
 - lib/dependabot/file_parsers/go/dep.rb
 - lib/dependabot/file_parsers/go/modules.rb
 - lib/dependabot/file_parsers/go/modules/go_mod_parser.rb
-- lib/dependabot/file_parsers/java/gradle.rb
-- lib/dependabot/file_parsers/java/gradle/property_value_finder.rb
-- lib/dependabot/file_parsers/java/gradle/repositories_finder.rb
 - lib/dependabot/file_parsers/java/maven.rb
 - lib/dependabot/file_parsers/java/maven/property_value_finder.rb
 - lib/dependabot/file_parsers/java/maven/repositories_finder.rb
@@ -421,9 +416,6 @@ files:
 - lib/dependabot/file_updaters/go/dep/manifest_updater.rb
 - lib/dependabot/file_updaters/go/modules.rb
 - lib/dependabot/file_updaters/go/modules/go_mod_updater.rb
-- lib/dependabot/file_updaters/java/gradle.rb
-- lib/dependabot/file_updaters/java/gradle/dependency_set_updater.rb
-- lib/dependabot/file_updaters/java/gradle/property_value_updater.rb
 - lib/dependabot/file_updaters/java/maven.rb
 - lib/dependabot/file_updaters/java/maven/declaration_finder.rb
 - lib/dependabot/file_updaters/java/maven/property_value_updater.rb
@@ -436,6 +428,7 @@ files:
 - lib/dependabot/file_updaters/php/composer.rb
 - lib/dependabot/file_updaters/php/composer/lockfile_updater.rb
 - lib/dependabot/file_updaters/php/composer/manifest_updater.rb
+- lib/dependabot/file_updaters/ruby/.DS_Store
 - lib/dependabot/file_updaters/ruby/bundler.rb
 - lib/dependabot/file_updaters/ruby/bundler/gemfile_updater.rb
 - lib/dependabot/file_updaters/ruby/bundler/gemspec_dependency_name_finder.rb
@@ -483,9 +476,6 @@ files:
 - lib/dependabot/update_checkers/go/dep/requirements_updater.rb
 - lib/dependabot/update_checkers/go/dep/version_resolver.rb
 - lib/dependabot/update_checkers/go/modules.rb
-- lib/dependabot/update_checkers/java/gradle.rb
-- lib/dependabot/update_checkers/java/gradle/multi_dependency_updater.rb
-- lib/dependabot/update_checkers/java/gradle/version_finder.rb
 - lib/dependabot/update_checkers/java/maven.rb
 - lib/dependabot/update_checkers/java/maven/property_updater.rb
 - lib/dependabot/update_checkers/java/maven/requirements_updater.rb
@@ -543,7 +533,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 2.7.3
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Automated dependency management

data/lib/dependabot/file_fetchers/java/gradle.rb

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_fetchers/base"
-
-module Dependabot
-  module FileFetchers
-    module Java
-      class Gradle < Dependabot::FileFetchers::Base
-        require_relative "gradle/settings_file_parser"
-
-        def self.required_files_in?(filenames)
-          filenames.include?("build.gradle")
-        end
-
-        def self.required_files_message
-          "Repo must contain a build.gradle."
-        end
-
-        private
-
-        def fetch_files
-          fetched_files = []
-          fetched_files << buildfile
-          fetched_files += subproject_buildfiles
-          fetched_files
-        end
-
-        def buildfile
-          @buildfile ||= fetch_file_from_host("build.gradle")
-        end
-
-        def subproject_buildfiles
-          return [] unless settings_file
-
-          subproject_paths =
-            SettingsFileParser.
-            new(settings_file: settings_file).
-            subproject_paths
-
-          subproject_paths.map do |path|
-            fetch_file_from_host(File.join(path, "build.gradle"))
-          rescue Dependabot::DependencyFileNotFound
-            # Gradle itself doesn't worry about missing subprojects, so we don't
-            nil
-          end.compact
-        end
-
-        def settings_file
-          @settings_file ||= fetch_file_from_host("settings.gradle")
-        rescue Dependabot::DependencyFileNotFound
-          nil
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_fetchers/java/gradle/settings_file_parser.rb

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_fetchers/java/gradle"
-
-module Dependabot
-  module FileFetchers
-    module Java
-      class Gradle
-        class SettingsFileParser
-          INCLUDE_ARGS_REGEX =
-            /(?:^|\s)include(?:\(|\s)(\s*[^\s,\)]+(?:,\s*[^\s,\)]+)*)/.freeze
-
-          def initialize(settings_file:)
-            @settings_file = settings_file
-          end
-
-          def subproject_paths
-            subprojects = []
-
-            comment_free_content.scan(function_regex("include")) do
-              args = Regexp.last_match.named_captures.fetch("args")
-              args = args.split(",")
-              args = args.map { |p| p.gsub(/["']/, "").strip }.compact
-              subprojects += args
-            end
-
-            subprojects = subprojects.uniq
-
-            subproject_dirs = subprojects.map do |proj|
-              if comment_free_content.match?(project_dir_regex(proj))
-                comment_free_content.match(project_dir_regex(proj)).
-                  named_captures.fetch("path").sub(%r{^/}, "")
-              else
-                proj.tr(":", "/").sub(%r{^/}, "")
-              end
-            end
-
-            subproject_dirs.uniq
-          end
-
-          private
-
-          attr_reader :settings_file
-
-          def comment_free_content
-            settings_file.content.
-              gsub(%r{(?<=^|\s)//.*$}, "\n").
-              gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
-          end
-
-          def function_regex(function_name)
-            /
-              (?:^|\s)#{Regexp.quote(function_name)}(?:\(|\s)
-              (?<args>\s*[^\s,\)]+(?:,\s*[^\s,\)]+)*)
-            /mx
-          end
-
-          def project_dir_regex(proj)
-            prefixed_proj = Regexp.quote(":#{proj.gsub(/^:/, '')}")
-            /['"]#{prefixed_proj}['"].*dir\s*=.*['"](?<path>.*?)['"]/i
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_parsers/java/gradle.rb

@@ -1,236 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/dependency"
-require "dependabot/file_parsers/base"
-require "dependabot/shared_helpers"
-
-# The best Gradle documentation is at:
-# - https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.
-#   DependencyHandler.html
-module Dependabot
-  module FileParsers
-    module Java
-      class Gradle < Dependabot::FileParsers::Base
-        require "dependabot/file_parsers/base/dependency_set"
-        require_relative "gradle/property_value_finder"
-
-        PROPERTY_REGEX =
-          /
-            (?:\$\{property\((?<property_name>[^:\s]*?)\)\})|
-            (?:\$\{(?<property_name>[^:\s]*?)\})|
-            (?:\$(?<property_name>[^:\s]*))
-          /x.freeze
-
-        PART = %r{[^\s,@'":/\\]+}.freeze
-        VSN_PART = %r{[^\s,'":/\\]+}.freeze
-        DEPENDENCY_DECLARATION_REGEX =
-          /(?:\(|\s)\s*['"](?<declaration>#{PART}:#{PART}:#{VSN_PART})['"]/.
-          freeze
-        DEPENDENCY_SET_DECLARATION_REGEX =
-          /(?:^|\s)dependencySet\((?<arguments>[^\)]+)\)\s*\{/.freeze
-        DEPENDENCY_SET_ENTRY_REGEX = /entry\s+['"](?<name>#{PART})['"]/.freeze
-
-        def parse
-          dependency_set = DependencySet.new
-          buildfiles.each do |buildfile|
-            dependency_set += buildfile_dependencies(buildfile)
-          end
-          dependency_set.dependencies
-        end
-
-        private
-
-        def map_value_regex(key)
-          /(?:^|\s|,|\()#{Regexp.quote(key)}:\s*['"](?<value>[^'"]+)['"]/
-        end
-
-        def buildfile_dependencies(buildfile)
-          dependency_set = DependencySet.new
-
-          dependency_set += shortform_buildfile_dependencies(buildfile)
-          dependency_set += keyword_arg_buildfile_dependencies(buildfile)
-          dependency_set += dependency_set_dependencies(buildfile)
-
-          dependency_set
-        end
-
-        def shortform_buildfile_dependencies(buildfile)
-          dependency_set = DependencySet.new
-
-          prepared_content(buildfile).scan(DEPENDENCY_DECLARATION_REGEX) do
-            declaration = Regexp.last_match.named_captures.fetch("declaration")
-
-            group, name, version = declaration.split(":")
-            details = { group: group, name: name, version: version }
-
-            dep = dependency_from(details_hash: details, buildfile: buildfile)
-            dependency_set << dep if dep
-          end
-
-          dependency_set
-        end
-
-        def keyword_arg_buildfile_dependencies(buildfile)
-          dependency_set = DependencySet.new
-
-          prepared_content(buildfile).lines.each do |line|
-            name    = argument_from_string(line, "name")
-            group   = argument_from_string(line, "group")
-            version = argument_from_string(line, "version")
-            next unless name && group && version
-
-            details = { name: name, group: group, version: version }
-
-            dep = dependency_from(details_hash: details, buildfile: buildfile)
-            dependency_set << dep if dep
-          end
-
-          dependency_set
-        end
-
-        def dependency_set_dependencies(buildfile)
-          dependency_set = DependencySet.new
-
-          dependency_set_blocks = []
-
-          prepared_content(buildfile).scan(DEPENDENCY_SET_DECLARATION_REGEX) do
-            mch = Regexp.last_match
-            dependency_set_blocks <<
-              {
-                arguments: mch.named_captures.fetch("arguments"),
-                block: mch.post_match[0..closing_bracket_index(mch.post_match)]
-              }
-          end
-
-          dependency_set_blocks.each do |blk|
-            group   = argument_from_string(blk[:arguments], "group")
-            version = argument_from_string(blk[:arguments], "version")
-
-            next unless group && version
-
-            blk[:block].scan(DEPENDENCY_SET_ENTRY_REGEX).flatten.each do |name|
-              dep = dependency_from(
-                details_hash: { group: group, name: name, version: version },
-                buildfile: buildfile,
-                in_dependency_set: true
-              )
-              dependency_set << dep if dep
-            end
-          end
-
-          dependency_set
-        end
-
-        def argument_from_string(string, arg_name)
-          string.
-            match(map_value_regex(arg_name))&.
-            named_captures&.
-            fetch("value")
-        end
-
-        def dependency_from(details_hash:, buildfile:, in_dependency_set: false)
-          group   = evaluated_value(details_hash[:group], buildfile)
-          name    = evaluated_value(details_hash[:name], buildfile)
-          version = evaluated_value(details_hash[:version], buildfile)
-
-          dependency_name = "#{group}:#{name}"
-
-          # If we can't evaluate a property they we won't be able to
-          # update this dependency
-          return if "#{dependency_name}:#{version}".match?(PROPERTY_REGEX)
-
-          Dependency.new(
-            name: dependency_name,
-            version: version,
-            requirements: [{
-              requirement: version,
-              file: buildfile.name,
-              source: nil,
-              groups: [],
-              metadata: dependency_metadata(details_hash, in_dependency_set)
-            }],
-            package_manager: "gradle"
-          )
-        end
-
-        def dependency_metadata(details_hash, in_dependency_set)
-          version_property_name =
-            details_hash[:version].
-            match(PROPERTY_REGEX)&.
-            named_captures&.fetch("property_name")
-
-          return unless version_property_name || in_dependency_set
-
-          metadata = {}
-          if version_property_name
-            metadata[:property_name] = version_property_name
-          end
-          if in_dependency_set
-            metadata[:dependency_set] = {
-              group: details_hash[:group],
-              version: details_hash[:version]
-            }
-          end
-          metadata
-        end
-
-        def evaluated_value(value, buildfile)
-          return value unless value.scan(PROPERTY_REGEX).count == 1
-
-          property_name  = value.match(PROPERTY_REGEX).
-                           named_captures.fetch("property_name")
-          property_value = property_value_finder.property_value(
-            property_name: property_name,
-            callsite_buildfile: buildfile
-          )
-
-          return value unless property_value
-
-          value.gsub(PROPERTY_REGEX, property_value)
-        end
-
-        def property_value_finder
-          @property_value_finder ||=
-            PropertyValueFinder.new(dependency_files: dependency_files)
-        end
-
-        def prepared_content(buildfile)
-          # Remove any comments
-          prepared_content =
-            buildfile.content.
-            gsub(%r{(?<=^|\s)//.*$}, "\n").
-            gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
-
-          # Remove the dependencyVerification section added by Gradle Witness
-          # (TODO: Support updating this in the FileUpdater)
-          prepared_content.dup.scan(/dependencyVerification\s*{/) do
-            mtch = Regexp.last_match
-            block = mtch.post_match[0..closing_bracket_index(mtch.post_match)]
-            prepared_content.gsub!(block, "")
-          end
-
-          prepared_content
-        end
-
-        def closing_bracket_index(string)
-          closes_required = 1
-
-          string.chars.each_with_index do |char, index|
-            closes_required += 1 if char == "{"
-            closes_required -= 1 if char == "}"
-            return index if closes_required.zero?
-          end
-        end
-
-        def buildfiles
-          @buildfiles ||=
-            dependency_files.select { |f| f.name.end_with?("build.gradle") }
-        end
-
-        def check_required_files
-          raise "No build.gradle!" unless get_original_file("build.gradle")
-        end
-      end
-    end
-  end
-end