dependabot-gradle 0.344.1 → 0.346.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 07ce668445eeab438ae97771737d7258350d7dd18860a83f5e819cb2204c13ea
-  data.tar.gz: 48e36a06c18360262a74bcc8ff982e3ec1178610afc949b562f881e2d81ed50c
+  metadata.gz: c0e7bd82eab187986339ffedc9f8373d0b14bd54d89fdb1753814532baf8f0e5
+  data.tar.gz: 22e4355175c077fb3a95461d5f8e4970ec3c095a43db830caf368fe1f64ace6d
 SHA512:
-  metadata.gz: 8824be2c33fffcf1dff6dd8208af5f2da3181c58199c4178b6066f9ffe2593853768003cc38fddba19fb2e9b2b045220632b14bfebc26de076390c2933d9392e
-  data.tar.gz: a60d58f4853ddf645f1eb054e51fcff7e3185be198b036d87908ac72936c25195490478c28d0134eefe5e8dc5331e59c9559147ea2571db8ad75f5990f0a4864
+  metadata.gz: 015aead61df769d95c51d9f23b2383f6bca808335de15c2a2531af3d3b9e4eb53fe7887244ec576e64ece0fc304d095659f418c4b2227df39cbca96c713bd2cc
+  data.tar.gz: de0365699f56cc9be2fcbf043b447922bbd64c8d7df95095dc4f6d7fd8bcff5c11c10db0aa0fc8273881d75d4d6231e89acb30728c709fc3e97a75be1f557d11

data/lib/dependabot/gradle/distributions.rb

@@ -0,0 +1,20 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Gradle
+    module Distributions
+      extend T::Sig
+
+      DISTRIBUTION_REPOSITORY_URL = "https://services.gradle.org"
+      DISTRIBUTION_DEPENDENCY_TYPE = "gradle-distribution"
+
+      sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Boolean) }
+      def self.distribution_requirements?(requirements)
+        requirements.any? do |req|
+          req.dig(:source, :type) == DISTRIBUTION_DEPENDENCY_TYPE
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_fetcher.rb

@@ -24,6 +24,13 @@ module Dependabot
       SUPPORTED_SETTINGS_FILE_NAMES =
         T.let(%w(settings.gradle settings.gradle.kts).freeze, T::Array[String])
 
+      SUPPORTED_WRAPPER_FILES_PATH = %w(
+        gradlew
+        gradlew.bat
+        gradle/wrapper/gradle-wrapper.jar
+        gradle/wrapper/gradle-wrapper.properties
+      ).freeze
+
       # For now Gradle only supports library .toml files in the main gradle folder
       SUPPORTED_VERSION_CATALOG_FILE_PATH =
         T.let(%w(/gradle/libs.versions.toml).freeze, T::Array[String])
@@ -76,6 +83,7 @@ module Dependabot
       def all_buildfiles_in_build(root_dir)
         files = [buildfile(root_dir), settings_file(root_dir), version_catalog_file(root_dir), lockfile(root_dir)]
                 .compact
+        files += wrapper_files(root_dir)
         files += subproject_buildfiles(root_dir)
         files += subproject_lockfiles(root_dir)
         files += dependency_script_plugins(root_dir)
@@ -172,6 +180,25 @@ module Dependabot
         end
       end
 
+      sig { params(dir: String).returns(T::Array[DependencyFile]) }
+      def wrapper_files(dir)
+        return [] unless Experiments.enabled?(:gradle_wrapper_updater)
+
+        SUPPORTED_WRAPPER_FILES_PATH.filter_map do |filename|
+          file = fetch_file_if_present(File.join(dir, filename))
+          next unless file
+
+          if file.name.end_with?(".jar")
+            file.content = Base64.encode64(T.must(file.content)) if file.content
+            file.content_encoding = DependencyFile::ContentEncoding::BASE64
+          end
+          file
+        rescue Dependabot::DependencyFileNotFound
+          # Gradle itself doesn't worry about missing subprojects, so we don't
+          nil
+        end
+      end
+
       sig { params(root_dir: String).returns(T.nilable(DependencyFile)) }
       def version_catalog_file(root_dir)
         return nil unless root_dir == "."

data/lib/dependabot/gradle/file_parser/distributions_finder.rb

@@ -0,0 +1,90 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_parser"
+require "dependabot/gradle/distributions"
+require "sorbet-runtime"
+
+module Dependabot
+  module Gradle
+    class FileParser
+      class DistributionsFinder
+        extend T::Sig
+
+        DISTRIBUTION_URL_REGEX =
+          /.*?(?<version>(\d+(?:\.\d+){1,3}(?:-(?!bin|all)\w++)*(?:\+\w++)*))(?:-bin|-all)?.*?/
+
+        sig { params(properties_file: DependencyFile).returns(T.nilable(Dependency)) }
+        def self.resolve_dependency(properties_file) # rubocop:disable Metrics/MethodLength
+          content = properties_file.content
+          return nil unless content
+
+          distribution_url, checksum = load_properties(content)
+          match = distribution_url&.match(DISTRIBUTION_URL_REGEX)&.named_captures
+          return nil unless match
+
+          version = match.fetch("version")
+
+          requirements = T.let(
+            [{
+              requirement: version,
+              file: properties_file.name,
+              source: {
+                type: Distributions::DISTRIBUTION_DEPENDENCY_TYPE,
+                url: distribution_url,
+                property: "distributionUrl"
+              },
+              groups: []
+            }],
+            T::Array[T::Hash[Symbol, T.untyped]]
+          )
+
+          if checksum
+            requirements << {
+              requirement: checksum,
+              file: properties_file.name,
+              source: {
+                type: Distributions::DISTRIBUTION_DEPENDENCY_TYPE,
+                url: "#{distribution_url}.sha256",
+                property: "distributionSha256Sum"
+              },
+              groups: []
+            }
+          end
+
+          Dependency.new(
+            name: "gradle-wrapper",
+            version: version,
+            requirements: requirements,
+            package_manager: "gradle"
+          )
+        end
+
+        sig { params(properties_content: String).returns(T::Array[T.nilable(String)]) }
+        def self.load_properties(properties_content)
+          distribution_url = T.let(nil, T.nilable(String))
+          checksum = T.let(nil, T.nilable(String))
+
+          properties_content.lines.each do |line|
+            (key, value) = line.split("=", 2).map(&:strip)
+            next unless key && value
+
+            case key
+            when "distributionUrl"
+              distribution_url = value.gsub("\\:", ":")
+            when "distributionSha256Sum"
+              checksum = value
+            else
+              next
+            end
+            break if distribution_url && checksum
+          end
+
+          [distribution_url, checksum]
+        end
+
+        private_class_method :load_properties
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_parser.rb

@@ -25,6 +25,7 @@ module Dependabot
       extend T::Sig
 
       require "dependabot/file_parsers/base/dependency_set"
+      require_relative "file_parser/distributions_finder"
       require_relative "file_parser/property_value_finder"
 
       SUPPORTED_BUILD_FILE_NAMES = T.let(
@@ -59,6 +60,11 @@ module Dependabot
         script_plugin_files.each do |plugin_file|
           dependency_set += buildfile_dependencies(plugin_file)
         end
+        if Experiments.enabled?(:gradle_wrapper_updater)
+          wrapper_properties_file.each do |properties_file|
+            dependency_set += wrapper_properties_dependencies(properties_file)
+          end
+        end
         version_catalog_file.each do |toml_file|
           dependency_set += version_catalog_dependencies(toml_file)
         end
@@ -119,6 +125,14 @@ module Dependabot
         )
       end
 
+      sig { params(properties_file: Dependabot::DependencyFile).returns(DependencySet) }
+      def wrapper_properties_dependencies(properties_file)
+        dependency_set = DependencySet.new
+        dependency = DistributionsFinder.resolve_dependency(properties_file)
+        dependency_set << dependency if dependency
+        dependency_set
+      end
+
       sig { params(toml_file: Dependabot::DependencyFile).returns(DependencySet) }
       def version_catalog_dependencies(toml_file)
         dependency_set = DependencySet.new
@@ -544,6 +558,14 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def wrapper_properties_file
+        @wrapper_properties_file ||= T.let(
+          dependency_files.select { |f| f.name.end_with?("gradle-wrapper.properties") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def version_catalog_file
         @version_catalog_file ||= T.let(

data/lib/dependabot/gradle/file_updater/wrapper_updater.rb

@@ -0,0 +1,161 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "shellwords"
+
+require "dependabot/gradle/distributions"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      class WrapperUpdater
+        extend T::Sig
+        include Dependabot::Gradle::Distributions
+
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile], dependency: Dependabot::Dependency).void }
+        def initialize(dependency_files:, dependency:)
+          @dependency_files = dependency_files
+          @dependency = dependency
+          @target_files = T.let(
+            %w(
+              /gradlew
+              /gradlew.bat
+              /gradle/wrapper/gradle-wrapper.properties
+              /gradle/wrapper/gradle-wrapper.jar
+            ),
+            T::Array[String]
+          )
+          @build_files = T.let(
+            %w(
+              build.gradle
+              build.gradle.kts
+              settings.gradle
+              settings.gradle.kts
+            ),
+            T::Array[String]
+          )
+        end
+
+        sig { params(build_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::DependencyFile]) }
+        def update_files(build_file)
+          local_files = dependency_files.select do |file|
+            file.directory == build_file.directory && target_file?(file)
+          end
+
+          # If we don't have any files in the build files don't generate one
+          return dependency_files unless local_files.any?
+
+          updated_files = dependency_files.dup
+          SharedHelpers.in_a_temporary_directory do |temp_dir|
+            populate_temp_directory(temp_dir)
+            cwd = File.join(temp_dir, base_path(build_file))
+
+            # Create gradle.properties file with proxy settings
+            # Would prefer to use command line arguments, but they don't work.
+            properties_filename = File.join(temp_dir, build_file.directory, "gradle.properties")
+            write_properties_file(properties_filename)
+
+            command_parts = %w(gradle --no-daemon --stacktrace) + command_args
+            command = Shellwords.join(command_parts)
+
+            Dir.chdir(cwd) do
+              SharedHelpers.run_shell_command(command, cwd: cwd)
+              update_files_content(temp_dir, local_files, updated_files)
+            rescue SharedHelpers::HelperSubprocessFailed => e
+              puts "Failed to update files: #{e.message}"
+              return updated_files
+            end
+          end
+          updated_files
+        end
+
+        private
+
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+        def target_file?(file)
+          @target_files.any? { |r| "/#{file.name}".end_with?(r) }
+        end
+
+        sig { returns(T::Array[String]) }
+        def command_args
+          version = T.let(dependency.requirements[0]&.[](:requirement), String)
+          checksum = T.let(dependency.requirements[1]&.[](:requirement), String) if dependency.requirements.size > 1
+
+          args = %W(wrapper --no-validate-url --gradle-version #{version})
+          args += %W(--gradle-distribution-sha256-sum #{checksum}) if checksum
+          args
+        end
+
+        # Gradle builds can be complex, to maximize the chances of a successful we just keep related wrapper files
+        # and produce a minimal build for it to run (losing any customisations of the `wrapper` task in the process)
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def files_to_populate
+          @dependency_files.filter_map do |f|
+            next f if target_file?(f)
+            next Dependabot::DependencyFile.new(directory: f.directory, name: f.name, content: "") if build_file?(f)
+          end
+        end
+
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+        def build_file?(file)
+          @build_files.include?(File.basename(file.name))
+        end
+
+        sig { params(build_file: Dependabot::DependencyFile).returns(String) }
+        def base_path(build_file)
+          File.dirname(File.join(build_file.directory, build_file.name)).delete_suffix("/gradle/wrapper")
+        end
+
+        sig do
+          params(
+            temp_dir: T.any(Pathname, String),
+            local_files: T::Array[Dependabot::DependencyFile],
+            updated_files: T::Array[Dependabot::DependencyFile]
+          ).void
+        end
+        def update_files_content(temp_dir, local_files, updated_files)
+          local_files.each do |file|
+            f_content = File.read(File.join(temp_dir, file.directory, file.name))
+            tmp_file = file.dup
+            tmp_file.content = tmp_file.binary? ? Base64.encode64(f_content) : f_content
+            updated_files[T.must(updated_files.index(file))] = tmp_file
+          end
+        end
+
+        sig { params(temp_dir: T.any(Pathname, String)).void }
+        def populate_temp_directory(temp_dir)
+          files_to_populate.each do |file|
+            in_path_name = File.join(temp_dir, file.directory, file.name)
+            FileUtils.mkdir_p(File.dirname(in_path_name))
+            File.write(in_path_name, file.content)
+          end
+        end
+
+        sig { params(file_name: String).void }
+        def write_properties_file(file_name) # rubocop:disable Metrics/PerceivedComplexity
+          http_proxy = ENV.fetch("HTTP_PROXY", nil)
+          https_proxy = ENV.fetch("HTTPS_PROXY", nil)
+          http_split = http_proxy&.split(":")
+          https_split = https_proxy&.split(":")
+          http_proxy_host = http_split&.fetch(1, nil)&.gsub("//", "") || "host.docker.internal"
+          https_proxy_host = https_split&.fetch(1, nil)&.gsub("//", "") || "host.docker.internal"
+          http_proxy_port = http_split&.fetch(2) || "1080"
+          https_proxy_port = https_split&.fetch(2) || "1080"
+          properties_content = "
+systemProp.http.proxyHost=#{http_proxy_host}
+systemProp.http.proxyPort=#{http_proxy_port}
+systemProp.https.proxyHost=#{https_proxy_host}
+systemProp.https.proxyPort=#{https_proxy_port}"
+          File.write(file_name, properties_content)
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater.rb

@@ -15,6 +15,7 @@ module Dependabot
       require_relative "file_updater/dependency_set_updater"
       require_relative "file_updater/property_value_updater"
       require_relative "file_updater/lockfile_updater"
+      require_relative "file_updater/wrapper_updater"
 
       SUPPORTED_BUILD_FILE_NAMES = %w(build.gradle build.gradle.kts gradle.lockfile).freeze
 
@@ -57,6 +58,7 @@ module Dependabot
       # rubocop:disable Metrics/AbcSize
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       sig do
         params(buildfiles: T::Array[Dependabot::DependencyFile], dependency: Dependabot::Dependency)
           .returns(T::Array[Dependabot::DependencyFile])
@@ -64,6 +66,10 @@ module Dependabot
       def update_buildfiles_for_dependency(buildfiles:, dependency:)
         files = buildfiles.dup
 
+        # dependencies may have multiple requirements targeting the same file or build dir
+        # we keep the last one by path to later run its native helpers
+        buildfiles_processed = T.let({}, T::Hash[String, Dependabot::DependencyFile])
+
         # The UpdateChecker ensures the order of requirements is preserved
         # when updating, so we can zip them together in new/old pairs.
         reqs = dependency.requirements.zip(T.must(dependency.previous_requirements))
@@ -93,17 +99,28 @@ module Dependabot
             files[T.must(files.index(buildfile))] = update_version_in_buildfile(dependency, buildfile, old_req, new_req)
           end
 
-          next unless Dependabot::Experiments.enabled?(:gradle_lockfile_updater)
-
-          lockfile_updater = LockfileUpdater.new(dependency_files: files)
-          lockfiles = lockfile_updater.update_lockfiles(buildfile)
-          lockfiles.each do |lockfile|
-            existing_file = files.find { |f| f.name == lockfile.name && f.directory == lockfile.directory }
-            if existing_file.nil?
-              files << lockfile
-            else
-              files[T.must(files.index(existing_file))] = lockfile
-            end
+          buildfiles_processed[buildfile.name] = buildfile
+        end
+
+        # runs native updaters (e.g. wrapper, lockfile) on relevant build files updated
+        updated_files = T.let([], T::Array[Dependabot::DependencyFile])
+        buildfiles_processed.each do |_, buildfile|
+          if Dependabot::Experiments.enabled?(:gradle_lockfile_updater)
+            lockfile_updater = LockfileUpdater.new(dependency_files: files)
+            updated_files += lockfile_updater.update_lockfiles(buildfile)
+          end
+          if Dependabot::Experiments.enabled?(:gradle_wrapper_updater)
+            wrapper_updater = WrapperUpdater.new(dependency_files: files, dependency: dependency)
+            updated_files += wrapper_updater.update_files(buildfile)
+          end
+        end
+
+        updated_files.each do |file|
+          existing_file = files.find { |f| f.name == file.name && f.directory == file.directory }
+          if existing_file.nil?
+            files << file
+          else
+            files[T.must(files.index(existing_file))] = file
           end
         end
 
@@ -112,6 +129,7 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
       # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
 
       sig do
         params(
@@ -191,6 +209,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig do
         params(
           dependency: Dependabot::Dependency,
@@ -209,6 +228,10 @@ module Dependabot
           if dependency.name.include?(":")
             dep_parts = dependency.name.split(":")
             next false unless line.include?(T.must(dep_parts.first)) || line.include?(T.must(dep_parts.last))
+          elsif T.let(requirement.fetch(:file), String).end_with?(".properties")
+            property = T.let(requirement, T::Hash[Symbol, T.nilable(T::Hash[Symbol, T.nilable(String)])])
+                        .dig(:source, :property)
+            next false unless !property.nil? && line.start_with?(property)
           elsif T.let(requirement.fetch(:file), String).end_with?(".toml")
             next false unless line.include?(dependency.name)
           else
@@ -221,6 +244,7 @@ module Dependabot
         end
       end
       # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
 
       sig { params(string: String, buildfile: Dependabot::DependencyFile).returns(String) }
       def evaluate_properties(string, buildfile)

data/lib/dependabot/gradle/metadata_finder.rb

@@ -5,6 +5,7 @@ require "nokogiri"
 require "sorbet-runtime"
 
 require "dependabot/file_fetchers/base"
+require "dependabot/gradle/distributions"
 require "dependabot/gradle/file_fetcher"
 require "dependabot/gradle/file_parser/repositories_finder"
 require "dependabot/maven/utils/auth_headers_finder"
@@ -25,6 +26,8 @@ module Dependabot
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
+        return nil if Distributions.distribution_requirements?(dependency.requirements)
+
         tmp_source = look_up_source_in_pom(dependency_pom_file)
         return tmp_source if tmp_source
 

data/lib/dependabot/gradle/package/distributions_fetcher.rb

@@ -0,0 +1,67 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/gradle/version"
+require "dependabot/gradle/distributions"
+require "sorbet-runtime"
+
+module Dependabot
+  module Gradle
+    module Package
+      class DistributionsFetcher
+        extend T::Sig
+
+        @available_versions = T.let([], T::Array[T::Hash[String, T.untyped]])
+        @distributions_checksums = T.let({}, T::Hash[String, T::Array[String]])
+
+        sig { returns(T.any(T::Array[T::Hash[String, T.untyped]], T::Array[T::Hash[Symbol, T.untyped]])) }
+        def self.available_versions
+          return @available_versions if @available_versions.any?
+
+          response = Dependabot::RegistryClient.get(url: "https://services.gradle.org/versions/all")
+          versions = T.let(
+            JSON.parse(
+              T.let(response.body, String),
+              object_class: OpenStruct
+            ),
+            T::Array[OpenStruct]
+          )
+          @available_versions +=
+            versions
+            .select { |v| release_version?(version: v) }
+            .uniq { |v| v[:version] }
+            .map do |v|
+              {
+                version: v[:version],
+                build_time: v[:buildTime]
+              }
+            end
+        end
+
+        sig { params(version: OpenStruct).returns(T::Boolean) }
+        def self.release_version?(version:)
+          Gradle::Version.correct?(T.let(version[:version], String)) &&
+            T.let(version[:broken], T::Boolean) == false &&
+            T.let(version[:snapshot], T::Boolean) == false &&
+            T.let(version[:rcFor], String) == "" &&
+            T.let(version[:milestoneFor], String) == "" &&
+            /.*-(rc|milestone)-.*/.match?(T.let(version[:version], String)) == false
+        end
+
+        sig { params(distribution_url: String).returns(T.nilable(T::Array[String])) }
+        def self.resolve_checksum(distribution_url)
+          cached = @distributions_checksums[distribution_url]
+          return cached if cached
+
+          checksum_url = "#{distribution_url}.sha256"
+          checksum = T.let(Dependabot::RegistryClient.get(url: checksum_url).body, String).strip
+          return nil unless checksum.match?(/\A[a-f0-9]{64}\z/)
+
+          @distributions_checksums[distribution_url] = [checksum_url, checksum]
+        end
+
+        private_class_method :release_version?
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/package/package_details_fetcher.rb

@@ -8,6 +8,7 @@ require "dependabot/gradle/file_parser/repositories_finder"
 require "dependabot/gradle/update_checker"
 require "dependabot/gradle/version"
 require "dependabot/gradle/requirement"
+require "dependabot/gradle/distributions"
 require "dependabot/maven/utils/auth_headers_finder"
 require "sorbet-runtime"
 require "dependabot/gradle/metadata_finder"
@@ -65,6 +66,7 @@ module Dependabot
             repositories.map do |repository_details|
               url = repository_details.fetch("url")
 
+              next distribution_version_details if url == Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL
               next google_version_details if url == Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO
 
               dependency_metadata(repository_details).css("versions > version")
@@ -83,7 +85,7 @@ module Dependabot
 
             package_releases << {
               version: Gradle::Version.new(version),
-              released_at: release_date_info.none? ? nil : (release_date_info[version]&.fetch(:release_date) || nil),
+              released_at: info[:released_at] || release_date_info[version]&.fetch(:release_date),
               source_url: info[:source_url]
             }
           end
@@ -136,7 +138,9 @@ module Dependabot
         def repositories
           return @repositories if @repositories
 
-          details = if plugin?
+          details = if distribution?
+                      distribution_repository_details
+                    elsif plugin?
                       plugin_repository_details + credentials_repository_details
                     else
                       dependency_repository_details + credentials_repository_details
@@ -151,6 +155,27 @@ module Dependabot
             end
         end
 
+        sig { returns(T.nilable(T::Array[T::Hash[String, T.untyped]])) }
+        def distribution_version_details
+          return nil unless Experiments.enabled?(:gradle_wrapper_updater)
+
+          DistributionsFetcher.available_versions.map do |info|
+            release_date = begin
+              Time.parse(info[:build_time])
+            rescue StandardError
+              nil
+            end
+
+            {
+              version: info[:version],
+              released_at: release_date,
+              source_url: Distributions::DISTRIBUTION_REPOSITORY_URL
+            }
+          end
+        rescue StandardError
+          nil
+        end
+
         sig { returns(T.nilable(T::Array[T::Hash[String, T.untyped]])) }
         def google_version_details
           url = Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO
@@ -276,6 +301,14 @@ module Dependabot
           }] + dependency_repository_details
         end
 
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+        def distribution_repository_details
+          [{
+            "url" => Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL,
+            "auth_headers" => {}
+          }]
+        end
+
         sig { params(comparison_version: T.untyped).returns(T::Boolean) }
         def matches_dependency_version_type?(comparison_version)
           return true unless dependency.version
@@ -336,6 +369,11 @@ module Dependabot
           plugin? && dependency.requirements.any? { |r| r.fetch(:groups).include? "kotlin" }
         end
 
+        sig { returns(T::Boolean) }
+        def distribution?
+          Distributions.distribution_requirements?(dependency.requirements)
+        end
+
         sig { returns(T::Array[String]) }
         def central_repo_urls
           central_url_without_protocol =

data/lib/dependabot/gradle/update_checker/requirements_updater.rb

@@ -9,6 +9,8 @@
 require "sorbet-runtime"
 
 require "dependabot/requirements_updater/base"
+require "dependabot/gradle/distributions"
+require "dependabot/gradle/package/distributions_fetcher"
 require "dependabot/gradle/update_checker"
 require "dependabot/gradle/version"
 require "dependabot/gradle/requirement"
@@ -46,11 +48,13 @@ module Dependabot
           return unless latest_version
 
           @latest_version = T.let(version_class.new(latest_version), Version)
+          @is_distribution = T.let(Distributions.distribution_requirements?(requirements), T::Boolean)
         end
 
         sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements unless latest_version
+          return updated_distribution_requirements if @is_distribution
 
           # NOTE: Order is important here. The FileUpdater needs the updated
           # requirement at index `i` to correspond to the previous requirement
@@ -114,6 +118,38 @@ module Dependabot
           end
         end
 
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def updated_distribution_requirements
+          return requirements unless Experiments.enabled?(:gradle_wrapper_updater)
+
+          distribution_url = T.let(nil, T.nilable(String))
+
+          requirements.map do |req|
+            source = req[:source]
+            next req unless source
+
+            case source[:property]
+            when "distributionUrl"
+              requirement = req[:requirement]
+              version = update_exact_requirement(requirement)
+              distribution_url = source[:url].gsub(requirement, version)
+
+              req.merge(
+                requirement: version,
+                source: source.merge(url: distribution_url)
+              )
+            when "distributionSha256Sum"
+              checksum_url, checksum = Gradle::Package::DistributionsFetcher.resolve_checksum(T.must(distribution_url))
+              req.merge(
+                requirement: checksum,
+                source: source.merge(url: checksum_url)
+              )
+            else
+              next req
+            end
+          end
+        end
+
         sig { override.returns(T::Class[Version]) }
         def version_class
           Gradle::Version

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-  version: 0.344.1
+  version: 0.346.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.344.1
+        version: 0.346.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.344.1
+        version: 0.346.0
 - !ruby/object:Gem::Dependency
   name: dependabot-maven
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.344.1
+        version: 0.346.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.344.1
+        version: 0.346.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -256,17 +256,21 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/dependabot/gradle.rb
+- lib/dependabot/gradle/distributions.rb
 - lib/dependabot/gradle/file_fetcher.rb
 - lib/dependabot/gradle/file_fetcher/settings_file_parser.rb
 - lib/dependabot/gradle/file_parser.rb
+- lib/dependabot/gradle/file_parser/distributions_finder.rb
 - lib/dependabot/gradle/file_parser/property_value_finder.rb
 - lib/dependabot/gradle/file_parser/repositories_finder.rb
 - lib/dependabot/gradle/file_updater.rb
 - lib/dependabot/gradle/file_updater/dependency_set_updater.rb
 - lib/dependabot/gradle/file_updater/lockfile_updater.rb
 - lib/dependabot/gradle/file_updater/property_value_updater.rb
+- lib/dependabot/gradle/file_updater/wrapper_updater.rb
 - lib/dependabot/gradle/language.rb
 - lib/dependabot/gradle/metadata_finder.rb
+- lib/dependabot/gradle/package/distributions_fetcher.rb
 - lib/dependabot/gradle/package/package_details_fetcher.rb
 - lib/dependabot/gradle/package_manager.rb
 - lib/dependabot/gradle/requirement.rb
@@ -280,7 +284,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.344.1
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.346.0
 rdoc_options: []
 require_paths:
 - lib