dependabot-core 0.86.2 → 0.86.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3fb583a981c621530496015f73a782429b0568609b5f31d09ed89c5838293aba
-  data.tar.gz: a222bd74ffef9dbac2666a0d0d6497d5acb8c021193901c9527b0f7389c3a709
+  metadata.gz: 79480d8761aa9ae5e22a3d197b8c81770866eaf147d8b245c64d57d3b9134e12
+  data.tar.gz: 1c955f487998a185bb77262a1b442b098ad72c68b2cd8be0352bf81a6a31f616
 SHA512:
-  metadata.gz: fc857dd517079e25d749762439b309b1804fc527b5ed5bfa5a42c8876107912b04c435569c5727576e29b1d4d17b32f6d487c9a02ac1576127fdc7c369064f09
-  data.tar.gz: 7921325dfc09e1f68188ea80e1ed324c6ff0a1c3540bcf9e37f716da3aafedb24b929353b84a93aadc6241aed3277e73eca70e5c36399fffde1ed28193aed193
+  metadata.gz: edb02105ebee6e2d9285b927833e0de0e51f752a9033f963baa4b627c0242f5445c9522f526ef8952a8cc8cf7c6a5d4d11eb7d0e90e9fe7659f32aa84934c7cb
+  data.tar.gz: 46e9c2785aa3148c36b59ee9a3eb518317bbcfa54668f859ad84b6d30887c58a90698004fa0abb5513d349304164a45678fb79f960648c88ffb9445cf44f79e4

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## v0.86.3, 19 December 2018
+
+- Ruby: Fetch gemspec to look for source if API is not available
+
 ## v0.86.2, 18 December 2018
 
 - Allow .NET repos with a src directory through

data/lib/dependabot/metadata_finders/ruby/bundler.rb

@@ -19,21 +19,18 @@ module Dependabot
         ).freeze
 
         def homepage_url
-          if new_source_type == "default" || new_source_type == "rubygems"
-            if rubygems_listing["homepage_uri"]
-              return rubygems_listing["homepage_uri"]
-            end
-          end
+          return super unless %w(default rubygems).include?(new_source_type)
+          return super unless rubygems_api_response["homepage_uri"]
 
-          super
+          rubygems_api_response["homepage_uri"]
         end
 
         private
 
         def look_up_source
           case new_source_type
-          when "default", "rubygems" then find_source_from_rubygems_listing
           when "git" then find_source_from_git_url
+          when "default", "rubygems" then find_source_from_rubygems
           else raise "Unexpected source type: #{new_source_type}"
           end
         end
@@ -48,8 +45,15 @@ module Dependabot
           sources.first[:type] || sources.first.fetch("type")
         end
 
-        def find_source_from_rubygems_listing
-          source_url = rubygems_listing.
+        def find_source_from_rubygems
+          api_source = find_source_from_rubygems_api_response
+          return api_source if api_source || new_source_type == "default"
+
+          find_source_from_gemspec_download
+        end
+
+        def find_source_from_rubygems_api_response
+          source_url = rubygems_api_response.
                        values_at(*SOURCE_KEYS).
                        compact.
                        find { |url| Source.from_url(url) }
@@ -64,8 +68,54 @@ module Dependabot
           Source.from_url(url)
         end
 
-        def rubygems_listing
-          return @rubygems_listing unless @rubygems_listing.nil?
+        def find_source_from_gemspec_download
+          github_urls = []
+          return unless rubygems_marshalled_gemspec_response
+
+          rubygems_marshalled_gemspec_response.scan(Source::SOURCE_REGEX) do
+            github_urls << Regexp.last_match.to_s
+          end
+
+          source_url = github_urls.find do |url|
+            repo = Source.from_url(url).repo
+            repo.downcase.end_with?(dependency.name)
+          end
+          return unless source_url
+
+          Source.from_url(source_url)
+        end
+
+        # Note: This response MUST NOT be unmarshalled
+        # (as calling Marshal.load is unsafe)
+        def rubygems_marshalled_gemspec_response
+          if defined?(@rubygems_marshalled_gemspec_response)
+            return @rubygems_marshalled_gemspec_response
+          end
+
+          gemspec_uri =
+            "#{registry_url}quick/Marshal.4.8/"\
+            "#{dependency.name}-#{dependency.version}.gemspec.rz"
+
+          response =
+            Excon.get(
+              gemspec_uri,
+              headers: registry_auth_headers,
+              idempotent: true,
+              **SharedHelpers.excon_defaults
+            )
+
+          if response.status >= 400
+            return @rubygems_marshalled_gemspec_response = nil
+          end
+
+          @rubygems_marshalled_gemspec_response =
+            Zlib::Inflate.inflate(response.body)
+        rescue Zlib::DataError
+          @rubygems_marshalled_gemspec_response = nil
+        end
+
+        def rubygems_api_response
+          return @rubygems_api_response if defined?(@rubygems_api_response)
 
           response =
             Excon.get(
@@ -74,13 +124,15 @@ module Dependabot
               idempotent: true,
               **SharedHelpers.excon_defaults
             )
+          return @rubygems_api_response = {} if response.status >= 400
+
           response_body = response.body
           response_body = augment_private_response_if_appropriate(response_body)
 
-          @rubygems_listing = JSON.parse(response_body)
-          append_slash_to_source_code_uri(@rubygems_listing)
+          @rubygems_api_response = JSON.parse(response_body)
+          append_slash_to_source_code_uri(@rubygems_api_response)
         rescue JSON::ParserError, Excon::Error::Timeout
-          @rubygems_listing = {}
+          @rubygems_api_response = {}
         end
 
         def append_slash_to_source_code_uri(listing)

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.86.2"
+  VERSION = "0.86.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-  version: 0.86.2
+  version: 0.86.3
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-12-18 00:00:00.000000000 Z
+date: 2018-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ecr