dependabot-core 0.84.1 → 0.85.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b2e7f8d9069bc5cfb9da1e817372e30d84adf0284743e7559a8f54d2cd32006
-  data.tar.gz: 20aff40625a00ecbcaf2cafa23a2393905bcb862da2e776f55e338c37e3a7e65
+  metadata.gz: f56e8c0f198f3f66454b6f05ebbc30f455c49aba8f0da9052b392b2b1b61d084
+  data.tar.gz: f7f3831108f7d86a3435f144dbc9d44ced3a04a43800084c1f6c4d1180be1778
 SHA512:
-  metadata.gz: 2a7f3ae3620e4b95300fdd31fee462af0e10c384387b30a469f2efee8467ec610f1e1349f9984ecc033634b7e7669d33588b46ab057fb08b0836b44393cd87ba
-  data.tar.gz: e8cc4d65365d2cc9292686ba2f095e82ec251d360d1b61461abe6a8e71e3f3e4afeb0c8627274339db4b50621103d19d86cadb12db73f2b3005dda7a4a8256e9
+  metadata.gz: 41c9aa7701bb168005b318eab7ee9f3ebd431066f252d6e5c0a9ca600822d780bad7d420d338857e763d9e65eed1a80259c2fc271f733e9b308cf61add8d6f41
+  data.tar.gz: 2c49b78e5e135cf85b073910781c8368f85f305abfd54a341d1592a95ba776d007e5700fc0ff8e7e075be5be50edf63018542efc4564435fd8e43897a920ec99

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## v0.85.0, 14 December 2018
+
+- Move Maven into separate gem
+
 ## v0.84.1, 14 December 2018
 
 - Add php72-memcached to Dockerfile

data/lib/dependabot/file_fetchers.rb

@@ -2,7 +2,6 @@
 
 require "dependabot/file_fetchers/ruby/bundler"
 require "dependabot/file_fetchers/java_script/npm_and_yarn"
-require "dependabot/file_fetchers/java/maven"
 require "dependabot/file_fetchers/php/composer"
 require "dependabot/file_fetchers/elixir/hex"
 require "dependabot/file_fetchers/go/dep"
@@ -13,7 +12,6 @@ module Dependabot
     @file_fetchers = {
       "bundler" => FileFetchers::Ruby::Bundler,
       "npm_and_yarn" => FileFetchers::JavaScript::NpmAndYarn,
-      "maven" => FileFetchers::Java::Maven,
       "composer" => FileFetchers::Php::Composer,
       "hex" => FileFetchers::Elixir::Hex,
       "dep" => FileFetchers::Go::Dep,

data/lib/dependabot/file_parsers.rb

@@ -2,7 +2,6 @@
 
 require "dependabot/file_parsers/ruby/bundler"
 require "dependabot/file_parsers/java_script/npm_and_yarn"
-require "dependabot/file_parsers/java/maven"
 require "dependabot/file_parsers/php/composer"
 require "dependabot/file_parsers/elixir/hex"
 require "dependabot/file_parsers/go/dep"
@@ -13,7 +12,6 @@ module Dependabot
     @file_parsers = {
       "bundler" => FileParsers::Ruby::Bundler,
       "npm_and_yarn" => FileParsers::JavaScript::NpmAndYarn,
-      "maven" => FileParsers::Java::Maven,
       "composer" => FileParsers::Php::Composer,
       "hex" => FileParsers::Elixir::Hex,
       "dep" => FileParsers::Go::Dep,

data/lib/dependabot/file_updaters.rb

@@ -2,7 +2,6 @@
 
 require "dependabot/file_updaters/ruby/bundler"
 require "dependabot/file_updaters/java_script/npm_and_yarn"
-require "dependabot/file_updaters/java/maven"
 require "dependabot/file_updaters/php/composer"
 require "dependabot/file_updaters/elixir/hex"
 require "dependabot/file_updaters/go/dep"
@@ -13,7 +12,6 @@ module Dependabot
     @file_updaters = {
       "bundler" => FileUpdaters::Ruby::Bundler,
       "npm_and_yarn" => FileUpdaters::JavaScript::NpmAndYarn,
-      "maven" => FileUpdaters::Java::Maven,
       "composer" => FileUpdaters::Php::Composer,
       "hex" => FileUpdaters::Elixir::Hex,
       "dep" => FileUpdaters::Go::Dep,

data/lib/dependabot/metadata_finders.rb

@@ -2,7 +2,6 @@
 
 require "dependabot/metadata_finders/ruby/bundler"
 require "dependabot/metadata_finders/java_script/npm_and_yarn"
-require "dependabot/metadata_finders/java/maven"
 require "dependabot/metadata_finders/php/composer"
 require "dependabot/metadata_finders/elixir/hex"
 require "dependabot/metadata_finders/go/dep"
@@ -12,7 +11,6 @@ module Dependabot
     @metadata_finders = {
       "bundler" => MetadataFinders::Ruby::Bundler,
       "npm_and_yarn" => MetadataFinders::JavaScript::NpmAndYarn,
-      "maven" => MetadataFinders::Java::Maven,
       "composer" => MetadataFinders::Php::Composer,
       "hex" => MetadataFinders::Elixir::Hex,
       "dep" => MetadataFinders::Go::Dep,

data/lib/dependabot/update_checkers.rb

@@ -2,7 +2,6 @@
 
 require "dependabot/update_checkers/ruby/bundler"
 require "dependabot/update_checkers/java_script/npm_and_yarn"
-require "dependabot/update_checkers/java/maven"
 require "dependabot/update_checkers/php/composer"
 require "dependabot/update_checkers/elixir/hex"
 require "dependabot/update_checkers/go/dep"
@@ -13,7 +12,6 @@ module Dependabot
     @update_checkers = {
       "bundler" => UpdateCheckers::Ruby::Bundler,
       "npm_and_yarn" => UpdateCheckers::JavaScript::NpmAndYarn,
-      "maven" => UpdateCheckers::Java::Maven,
       "composer" => UpdateCheckers::Php::Composer,
       "hex" => UpdateCheckers::Elixir::Hex,
       "dep" => UpdateCheckers::Go::Dep,

data/lib/dependabot/utils.rb

@@ -1,13 +1,11 @@
 # frozen_string_literal: true
 
 require "dependabot/utils/elixir/version"
-require "dependabot/utils/java/version"
 require "dependabot/utils/java_script/version"
 require "dependabot/utils/php/version"
 require "dependabot/utils/go/version"
 
 require "dependabot/utils/elixir/requirement"
-require "dependabot/utils/java/requirement"
 require "dependabot/utils/java_script/requirement"
 require "dependabot/utils/php/requirement"
 require "dependabot/utils/ruby/requirement"
@@ -21,7 +19,6 @@ module Dependabot
       "bundler" => Gem::Version,
       "submodules" => Gem::Version,
       "docker" => Gem::Version,
-      "maven" => Utils::Java::Version,
       "npm_and_yarn" => Utils::JavaScript::Version,
       "composer" => Utils::Php::Version,
       "hex" => Utils::Elixir::Version,
@@ -44,7 +41,6 @@ module Dependabot
       "bundler" => Utils::Ruby::Requirement,
       "submodules" => Utils::Ruby::Requirement,
       "docker" => Utils::Ruby::Requirement,
-      "maven" => Utils::Java::Requirement,
       "npm_and_yarn" => Utils::JavaScript::Requirement,
       "composer" => Utils::Php::Requirement,
       "hex" => Utils::Elixir::Requirement,

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.84.1"
+  VERSION = "0.85.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-  version: 0.84.1
+  version: 0.85.0
 platform: ruby
 authors:
 - Dependabot
@@ -378,7 +378,6 @@ files:
 - lib/dependabot/file_fetchers/elixir/hex.rb
 - lib/dependabot/file_fetchers/go/dep.rb
 - lib/dependabot/file_fetchers/go/modules.rb
-- lib/dependabot/file_fetchers/java/maven.rb
 - lib/dependabot/file_fetchers/java_script/npm_and_yarn.rb
 - lib/dependabot/file_fetchers/java_script/npm_and_yarn/path_dependency_builder.rb
 - lib/dependabot/file_fetchers/php/composer.rb
@@ -394,9 +393,6 @@ files:
 - lib/dependabot/file_parsers/go/dep.rb
 - lib/dependabot/file_parsers/go/modules.rb
 - lib/dependabot/file_parsers/go/modules/go_mod_parser.rb
-- lib/dependabot/file_parsers/java/maven.rb
-- lib/dependabot/file_parsers/java/maven/property_value_finder.rb
-- lib/dependabot/file_parsers/java/maven/repositories_finder.rb
 - lib/dependabot/file_parsers/java_script/npm_and_yarn.rb
 - lib/dependabot/file_parsers/php/composer.rb
 - lib/dependabot/file_parsers/ruby/bundler.rb
@@ -416,9 +412,6 @@ files:
 - lib/dependabot/file_updaters/go/dep/manifest_updater.rb
 - lib/dependabot/file_updaters/go/modules.rb
 - lib/dependabot/file_updaters/go/modules/go_mod_updater.rb
-- lib/dependabot/file_updaters/java/maven.rb
-- lib/dependabot/file_updaters/java/maven/declaration_finder.rb
-- lib/dependabot/file_updaters/java/maven/property_value_updater.rb
 - lib/dependabot/file_updaters/java_script/npm_and_yarn.rb
 - lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb
 - lib/dependabot/file_updaters/java_script/npm_and_yarn/npmrc_builder.rb
@@ -428,6 +421,7 @@ files:
 - lib/dependabot/file_updaters/php/composer.rb
 - lib/dependabot/file_updaters/php/composer/lockfile_updater.rb
 - lib/dependabot/file_updaters/php/composer/manifest_updater.rb
+- lib/dependabot/file_updaters/ruby/.DS_Store
 - lib/dependabot/file_updaters/ruby/bundler.rb
 - lib/dependabot/file_updaters/ruby/bundler/gemfile_updater.rb
 - lib/dependabot/file_updaters/ruby/bundler/gemspec_dependency_name_finder.rb
@@ -447,7 +441,6 @@ files:
 - lib/dependabot/metadata_finders/base/release_finder.rb
 - lib/dependabot/metadata_finders/elixir/hex.rb
 - lib/dependabot/metadata_finders/go/dep.rb
-- lib/dependabot/metadata_finders/java/maven.rb
 - lib/dependabot/metadata_finders/java_script/npm_and_yarn.rb
 - lib/dependabot/metadata_finders/php/composer.rb
 - lib/dependabot/metadata_finders/ruby/bundler.rb
@@ -475,10 +468,6 @@ files:
 - lib/dependabot/update_checkers/go/dep/requirements_updater.rb
 - lib/dependabot/update_checkers/go/dep/version_resolver.rb
 - lib/dependabot/update_checkers/go/modules.rb
-- lib/dependabot/update_checkers/java/maven.rb
-- lib/dependabot/update_checkers/java/maven/property_updater.rb
-- lib/dependabot/update_checkers/java/maven/requirements_updater.rb
-- lib/dependabot/update_checkers/java/maven/version_finder.rb
 - lib/dependabot/update_checkers/java_script/npm_and_yarn.rb
 - lib/dependabot/update_checkers/java_script/npm_and_yarn/latest_version_finder.rb
 - lib/dependabot/update_checkers/java_script/npm_and_yarn/library_detector.rb
@@ -504,8 +493,6 @@ files:
 - lib/dependabot/utils/go/requirement.rb
 - lib/dependabot/utils/go/shared_helper.rb
 - lib/dependabot/utils/go/version.rb
-- lib/dependabot/utils/java/requirement.rb
-- lib/dependabot/utils/java/version.rb
 - lib/dependabot/utils/java_script/requirement.rb
 - lib/dependabot/utils/java_script/version.rb
 - lib/dependabot/utils/php/requirement.rb
@@ -532,7 +519,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 2.7.3
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Automated dependency management

data/lib/dependabot/file_fetchers/java/maven.rb

@@ -1,127 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-require "dependabot/file_fetchers/base"
-
-module Dependabot
-  module FileFetchers
-    module Java
-      class Maven < Dependabot::FileFetchers::Base
-        MODULE_SELECTOR = "project > modules > module"
-
-        def self.required_files_in?(filenames)
-          (%w(pom.xml) - filenames).empty?
-        end
-
-        def self.required_files_message
-          "Repo must contain a pom.xml."
-        end
-
-        private
-
-        def fetch_files
-          fetched_files = []
-          fetched_files << pom
-          fetched_files += child_poms
-          fetched_files += relative_path_parents(fetched_files)
-          fetched_files.uniq
-        end
-
-        def pom
-          @pom ||= fetch_file_from_host("pom.xml")
-        end
-
-        def child_poms
-          recursively_fetch_child_poms(pom, fetched_filenames: ["pom.xml"])
-        end
-
-        def relative_path_parents(fetched_files)
-          fetched_files.flat_map do |file|
-            recursively_fetch_relative_path_parents(
-              file,
-              fetched_filenames: fetched_files.map(&:name)
-            )
-          end
-        end
-
-        def recursively_fetch_child_poms(pom, fetched_filenames:)
-          base_path = pom.name.gsub(/pom\.xml$/, "")
-          doc = Nokogiri::XML(pom.content)
-
-          doc.css(MODULE_SELECTOR).flat_map do |module_node|
-            relative_path = module_node.content.strip
-            name_parts = [
-              base_path,
-              relative_path,
-              relative_path.end_with?("pom.xml") ? nil : "pom.xml"
-            ].compact.reject(&:empty?)
-            path = Pathname.new(File.join(*name_parts)).cleanpath.to_path
-
-            next [] if fetched_filenames.include?(path)
-
-            child_pom = fetch_file_from_host(path)
-            fetched_filenames += [child_pom.name]
-            [
-              child_pom,
-              recursively_fetch_child_poms(
-                child_pom,
-                fetched_filenames: fetched_filenames
-              )
-            ].flatten
-          rescue Dependabot::DependencyFileNotFound
-            raise unless fetch_file_from_host_or_submodule(path)
-
-            [] # Ignore any child submodules (since we can't update them)
-          end
-        end
-
-        def recursively_fetch_relative_path_parents(pom, fetched_filenames:)
-          path = parent_path_for_pom(pom)
-
-          if fetched_filenames.include?(path) ||
-             fetched_filenames.include?(path.gsub("pom.xml", "pom_parent.xml"))
-            return []
-          end
-
-          full_path_parts =
-            [directory.gsub(%r{^/}, ""), path].reject(&:empty?).compact
-
-          full_path = Pathname.new(File.join(*full_path_parts)).
-                      cleanpath.to_path
-
-          return [] if full_path.start_with?("..")
-
-          parent_pom = fetch_file_from_host(path)
-          parent_pom.support_file = true
-          parent_pom.name = parent_pom.name.gsub("pom.xml", "pom_parent.xml")
-
-          [
-            parent_pom,
-            recursively_fetch_relative_path_parents(
-              parent_pom,
-              fetched_filenames: fetched_filenames + [parent_pom.name]
-            )
-          ].flatten
-        rescue Dependabot::DependencyFileNotFound
-          []
-        end
-
-        def parent_path_for_pom(pom)
-          doc = Nokogiri::XML(pom.content)
-          doc.remove_namespaces!
-
-          relative_parent_path =
-            doc.at_xpath("/project/parent/relativePath")&.content&.strip || ".."
-
-          name_parts = [
-            pom.name.gsub(/pom\.xml$/, "").gsub(/pom_parent\.xml$/, ""),
-            relative_parent_path,
-            relative_parent_path.end_with?("pom.xml") ? nil : "pom.xml"
-          ].compact.reject(&:empty?)
-
-          Pathname.new(File.join(*name_parts)).cleanpath.to_path
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/file_parsers/java/maven.rb

@@ -1,252 +0,0 @@
-# frozen_string_literal: true
-
-require "nokogiri"
-
-require "dependabot/dependency"
-require "dependabot/file_parsers/base"
-require "dependabot/errors"
-
-# The best Maven documentation is at:
-# - http://maven.apache.org/pom.html
-module Dependabot
-  module FileParsers
-    module Java
-      class Maven < Dependabot::FileParsers::Base
-        require "dependabot/file_parsers/base/dependency_set"
-        require_relative "maven/property_value_finder"
-
-        # The following "dependencies" are candidates for updating:
-        # - The project's parent
-        # - Any dependencies (incl. those in dependencyManagement or plugins)
-        # - Any plugins (incl. those in pluginManagement)
-        # - Any extensions
-        DEPENDENCY_SELECTOR = "project > parent, "\
-                              "dependencies > dependency, "\
-                              "extensions > extension"
-        PLUGIN_SELECTOR     = "plugins > plugin"
-
-        # Regex to get the property name from a declaration that uses a property
-        PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/.freeze
-
-        def parse
-          dependency_set = DependencySet.new
-          pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
-          dependency_set.dependencies
-        end
-
-        private
-
-        def pomfile_dependencies(pom)
-          dependency_set = DependencySet.new
-
-          errors = []
-          doc = Nokogiri::XML(pom.content)
-          doc.remove_namespaces!
-
-          doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
-            dep = dependency_from_dependency_node(pom, dependency_node)
-            dependency_set << dep if dep
-          rescue DependencyFileNotEvaluatable => error
-            errors << error
-          end
-
-          doc.css(PLUGIN_SELECTOR).each do |dependency_node|
-            dep = dependency_from_plugin_node(pom, dependency_node)
-            dependency_set << dep if dep
-          rescue DependencyFileNotEvaluatable => error
-            errors << error
-          end
-
-          raise errors.first if errors.any? && dependency_set.dependencies.none?
-
-          dependency_set
-        end
-
-        def dependency_from_dependency_node(pom, dependency_node)
-          return unless (name = dependency_name(dependency_node, pom))
-          return if internal_dependency_names.include?(name)
-
-          build_dependency(pom, dependency_node, name)
-        end
-
-        def dependency_from_plugin_node(pom, dependency_node)
-          return unless (name = plugin_name(dependency_node, pom))
-          return if internal_dependency_names.include?(name)
-
-          build_dependency(pom, dependency_node, name)
-        end
-
-        def build_dependency(pom, dependency_node, name)
-          property_details =
-            {
-              property_name: version_property_name(dependency_node),
-              property_source: property_source(dependency_node, pom)
-            }.compact
-
-          Dependency.new(
-            name: name,
-            version: dependency_version(pom, dependency_node),
-            package_manager: "maven",
-            requirements: [{
-              requirement: dependency_requirement(pom, dependency_node),
-              file: pom.name,
-              groups: [],
-              source: nil,
-              metadata: {
-                packaging_type: packaging_type(pom, dependency_node)
-              }.merge(property_details)
-            }]
-          )
-        end
-
-        def dependency_name(dependency_node, pom)
-          return unless dependency_node.at_xpath("./groupId")
-          return unless dependency_node.at_xpath("./artifactId")
-
-          [
-            evaluated_value(
-              dependency_node.at_xpath("./groupId").content.strip,
-              pom
-            ),
-            evaluated_value(
-              dependency_node.at_xpath("./artifactId").content.strip,
-              pom
-            )
-          ].join(":")
-        end
-
-        def plugin_name(dependency_node, pom)
-          return unless plugin_group_id(pom, dependency_node)
-          return unless dependency_node.at_xpath("./artifactId")
-
-          [
-            plugin_group_id(pom, dependency_node),
-            evaluated_value(
-              dependency_node.at_xpath("./artifactId").content.strip,
-              pom
-            )
-          ].join(":")
-        end
-
-        def plugin_group_id(pom, node)
-          return "org.apache.maven.plugins" unless node.at_xpath("./groupId")
-
-          evaluated_value(
-            node.at_xpath("./groupId").content.strip,
-            pom
-          )
-        end
-
-        def dependency_version(pom, dependency_node)
-          requirement = dependency_requirement(pom, dependency_node)
-          return nil unless requirement
-
-          # If a range is specified then we can't tell the exact version
-          return nil if requirement.include?(",")
-
-          # Remove brackets if present (and not denoting a range)
-          requirement.gsub(/[\(\)\[\]]/, "").strip
-        end
-
-        def dependency_requirement(pom, dependency_node)
-          return unless dependency_node.at_xpath("./version")
-
-          version_content = dependency_node.at_xpath("./version").content.strip
-          version_content = evaluated_value(version_content, pom)
-
-          version_content.empty? ? nil : version_content
-        end
-
-        def packaging_type(pom, dependency_node)
-          return "pom" if dependency_node.node_name == "parent"
-          return "jar" unless dependency_node.at_xpath("./type")
-
-          packaging_type_content = dependency_node.at_xpath("./type").
-                                   content.strip
-
-          evaluated_value(packaging_type_content, pom)
-        end
-
-        def version_property_name(dependency_node)
-          return unless dependency_node.at_xpath("./version")
-
-          version_content = dependency_node.at_xpath("./version").content.strip
-
-          return unless version_content.match?(PROPERTY_REGEX)
-
-          version_content.
-            match(PROPERTY_REGEX).
-            named_captures.fetch("property")
-        end
-
-        def evaluated_value(value, pom)
-          return value unless value.match?(PROPERTY_REGEX)
-
-          property_name = value.match(PROPERTY_REGEX).
-                          named_captures.fetch("property")
-          property_value = value_for_property(property_name, pom)
-
-          value.gsub(PROPERTY_REGEX, property_value)
-        end
-
-        def property_source(dependency_node, pom)
-          property_name = version_property_name(dependency_node)
-          return unless property_name
-
-          declaring_pom =
-            property_value_finder.
-            property_details(property_name: property_name, callsite_pom: pom)&.
-            fetch(:file)
-
-          return declaring_pom if declaring_pom
-
-          msg = "Property not found: #{property_name}"
-          raise DependencyFileNotEvaluatable, msg
-        end
-
-        def value_for_property(property_name, pom)
-          value =
-            property_value_finder.
-            property_details(property_name: property_name, callsite_pom: pom)&.
-            fetch(:value)
-
-          return value if value
-
-          msg = "Property not found: #{property_name}"
-          raise DependencyFileNotEvaluatable, msg
-        end
-
-        # Cached, since this can makes calls to the registry (to get property
-        # values from parent POMs)
-        def property_value_finder
-          @property_value_finder ||=
-            PropertyValueFinder.new(dependency_files: dependency_files)
-        end
-
-        def pomfiles
-          # Note: this (correctly) excludes any parent POMs that were downloaded
-          @pomfiles ||=
-            dependency_files.select { |f| f.name.end_with?("pom.xml") }
-        end
-
-        def internal_dependency_names
-          @internal_dependency_names ||=
-            dependency_files.map do |pom|
-              doc = Nokogiri::XML(pom.content)
-              group_id    = doc.at_css("project > groupId") ||
-                            doc.at_css("project > parent > groupId")
-              artifact_id = doc.at_css("project > artifactId")
-
-              next unless group_id && artifact_id
-
-              [group_id.content.strip, artifact_id.content.strip].join(":")
-            end.compact
-        end
-
-        def check_required_files
-          raise "No pom.xml!" unless get_original_file("pom.xml")
-        end
-      end
-    end
-  end
-end