dependabot-gradle 0.351.0 → 0.353.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30dce402f6a1e1d5d480105632edb8e3d2bfeac81934edb44f31792ee613546a
-  data.tar.gz: db954fea128d5474b45d3b21996387d80818456cea82f563429872d8a9d2d8cc
+  metadata.gz: 4df97c3857297707a0ee0c2bf06c540d06e93fc7038e38fbe557b7944d810a00
+  data.tar.gz: af7e7cd25247eff9b1f23a31e40bbdd8650d4a1e393800ed0eaab7d8bbc837d8
 SHA512:
-  metadata.gz: e5586d92c24df693f36ae79fadf7bf271d23acc62ff0e513b28e147c32e349b64593b2153355d6e995956d9b39f5430e91bbbb0991d3013e095a0dbdb6b88eaf
-  data.tar.gz: 71f5a0b55f4613257c37def935459077338c767a715fd246ffab3125661c2c709f725375a5a7972440b733bd23d865324bf306852eed6ca796272ddce62f4697
+  metadata.gz: d582940602b75462d8c3510624dd691176132bfa0503b9a40f9eb7af13b16c4232afde4b1173e1f188be7c5b296e01870d14266dc567f188a27c642ad1954091
+  data.tar.gz: 89efef686fd6a6b22b75f81706adbaf192264ad8968656583de0eaa53bcb43a97c24bebb926d3c17e5f5c7abfc162eb20ed8f8ad98ee9c3aa5864f7c58f97982

data/lib/dependabot/gradle/file_fetcher.rb

@@ -192,6 +192,7 @@ module Dependabot
             file.content = Base64.encode64(T.must(file.content)) if file.content
             file.content_encoding = DependencyFile::ContentEncoding::BASE64
           end
+          file.mode = DependencyFile::Mode::EXECUTABLE if file.name.end_with?("gradlew", "gradlew.bat")
           file
         rescue Dependabot::DependencyFileNotFound
           # Gradle itself doesn't worry about missing subprojects, so we don't

data/lib/dependabot/gradle/file_updater/wrapper_updater.rb

@@ -37,6 +37,9 @@ module Dependabot
           )
         end
 
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/MethodLength
+        # rubocop:disable Metrics/PerceivedComplexity
         sig { params(build_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::DependencyFile]) }
         def update_files(build_file)
           # We only run this updater if it's a distribution dependency
@@ -49,29 +52,57 @@ module Dependabot
           # If we don't have any files in the build files don't generate one
           return [] unless local_files.any?
 
+          # we only run this updater if the build file has a requirement for this dependency
+          target_requirements = dependency.requirements.select do |req|
+            T.let(req[:file], String) == build_file.name
+          end
+          return [] unless target_requirements.any?
+
           updated_files = dependency_files.dup
           SharedHelpers.in_a_temporary_directory do |temp_dir|
             populate_temp_directory(temp_dir)
             cwd = File.join(temp_dir, base_path(build_file))
 
-            # Create gradle.properties file with proxy settings
-            # Would prefer to use command line arguments, but they don't work.
-            properties_filename = File.join(temp_dir, build_file.directory, "gradle.properties")
-            write_properties_file(properties_filename)
-
-            command_parts = %w(gradle --no-daemon --stacktrace) + command_args
-            command = Shellwords.join(command_parts)
+            has_local_script = File.exist?(File.join(cwd, "./gradlew"))
+            command_parts = %w(--no-daemon --stacktrace) + command_args(target_requirements)
+            command = Shellwords.join([has_local_script ? "./gradlew" : "gradle"] + command_parts)
 
             Dir.chdir(cwd) do
-              SharedHelpers.run_shell_command(command, cwd: cwd)
+              FileUtils.chmod("+x", "./gradlew") if has_local_script
+
+              properties_file = File.join(cwd, "gradle/wrapper/gradle-wrapper.properties")
+              validate_option = get_validate_distribution_url_option(properties_file)
+              env = { "JAVA_OPTS" => proxy_args.join(" ") } # set proxy for gradle execution
+
+              begin
+                # first attempt: run the wrapper task via the local gradle wrapper (if present)
+                # `gradle-wrapper.jar` might be too old to run on host's Java version
+                SharedHelpers.run_shell_command(command, cwd: cwd, env: env)
+              rescue SharedHelpers::HelperSubprocessFailed => e
+                raise e unless has_local_script # already field with system one, there is no point to retry
+
+                Dependabot.logger.warn("Running #{command} failed, retrying first with system Gradle: #{e.message}")
+
+                # second attempt: run the wrapper task via system gradle and then retry via local wrapper
+                system_command = Shellwords.join(["gradle"] + command_parts)
+                SharedHelpers.run_shell_command(system_command, cwd: cwd, env: env) # run via system gradle
+                SharedHelpers.run_shell_command(command, cwd: cwd, env: env) # retry via local wrapper
+              end
+
+              # Restore previous validateDistributionUrl option if it existed
+              override_validate_distribution_url_option(properties_file, validate_option)
+
               update_files_content(temp_dir, local_files, updated_files)
             rescue SharedHelpers::HelperSubprocessFailed => e
-              puts "Failed to update files: #{e.message}"
+              Dependabot.logger.error("Failed to update files: #{e.message}")
               return updated_files
             end
           end
           updated_files
         end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/MethodLength
+        # rubocop:enable Metrics/PerceivedComplexity
 
         private
 
@@ -80,12 +111,20 @@ module Dependabot
           @target_files.any? { |r| "/#{file.name}".end_with?(r) }
         end
 
-        sig { returns(T::Array[String]) }
-        def command_args
-          version = T.let(dependency.requirements[0]&.[](:requirement), String)
-          checksum = T.let(dependency.requirements[1]&.[](:requirement), String) if dependency.requirements.size > 1
-
-          args = %W(wrapper --no-validate-url --gradle-version #{version})
+        sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Array[String]) }
+        def command_args(requirements)
+          version = T.let(requirements[0]&.[](:requirement), String)
+          checksum = T.let(requirements[1]&.[](:requirement), String) if dependency.requirements.size > 1
+          distribution_url = T.let(requirements[0]&.[](:source), T::Hash[Symbol, String])[:url]
+          distribution_type = distribution_url&.match(/\b(bin|all)\b/)&.captures&.first
+
+          # --no-validate-url is required to bypass HTTP proxy issues when running ./gradlew
+          # This prevents validation failures during the wrapper update process
+          # Note: This temporarily sets validateDistributionUrl=false in gradle-wrapper.properties
+          # The original value is restored after the wrapper task completes
+          # see method `get_validate_distribution_url_option` for more details
+          args = %W(wrapper --gradle-version #{version} --no-validate-url) # see
+          args += %W(--distribution-type #{distribution_type}) if distribution_type
           args += %W(--gradle-distribution-sha256-sum #{checksum}) if checksum
           args
         end
@@ -135,8 +174,35 @@ module Dependabot
           end
         end
 
-        sig { params(file_name: String).void }
-        def write_properties_file(file_name) # rubocop:disable Metrics/PerceivedComplexity
+        # This is a consequence of the lack of proper proxy support in Gradle Wrapper
+        # During the update process, Gradle Wrapper logic will try to validate the distribution URL
+        # by performing an HTTP request. If the environment requires a proxy, this validation will fail
+        # We need to add the `--no-validate-url` the commandline args to disable this validation
+        # However, this change is persistent in the `gradle-wrapper.properties` file
+        # To avoid side effects, we read the existing value before the update and restore it afterward
+        sig { params(properties_file: T.any(Pathname, String)).returns(T.nilable(String)) }
+        def get_validate_distribution_url_option(properties_file)
+          return nil unless File.exist?(properties_file)
+
+          properties_content = File.read(properties_file)
+          properties_content.match(/^validateDistributionUrl=(.*)$/)&.captures&.first
+        end
+
+        sig { params(properties_file: T.any(Pathname, String), value: T.nilable(String)).void }
+        def override_validate_distribution_url_option(properties_file, value)
+          return unless File.exist?(properties_file)
+
+          properties_content = File.read(properties_file)
+          updated_content = properties_content.gsub(
+            /^validateDistributionUrl=(.*)\n/,
+            value ? "validateDistributionUrl=#{value}\n" : ""
+          )
+          File.write(properties_file, updated_content)
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        sig { returns(T::Array[String]) }
+        def proxy_args
           http_proxy = ENV.fetch("HTTP_PROXY", nil)
           https_proxy = ENV.fetch("HTTPS_PROXY", nil)
           http_split = http_proxy&.split(":")
@@ -145,13 +211,15 @@ module Dependabot
           https_proxy_host = https_split&.fetch(1, nil)&.gsub("//", "") || "host.docker.internal"
           http_proxy_port = http_split&.fetch(2) || "1080"
           https_proxy_port = https_split&.fetch(2) || "1080"
-          properties_content = "
-systemProp.http.proxyHost=#{http_proxy_host}
-systemProp.http.proxyPort=#{http_proxy_port}
-systemProp.https.proxyHost=#{https_proxy_host}
-systemProp.https.proxyPort=#{https_proxy_port}"
-          File.write(file_name, properties_content)
+
+          args = []
+          args += %W(-Dhttp.proxyHost=#{http_proxy_host}) if http_proxy_host
+          args += %W(-Dhttp.proxyPort=#{http_proxy_port}) if http_proxy_port
+          args += %W(-Dhttps.proxyHost=#{https_proxy_host}) if https_proxy_host
+          args += %W(-Dhttps.proxyPort=#{https_proxy_port}) if https_proxy_port
+          args
         end
+        # rubocop:enable Metrics/PerceivedComplexity
 
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files

data/lib/dependabot/gradle/file_updater.rb

@@ -56,9 +56,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/AbcSize
-      # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
-      # rubocop:disable Metrics/MethodLength
       sig do
         params(buildfiles: T::Array[Dependabot::DependencyFile], dependency: Dependabot::Dependency)
           .returns(T::Array[Dependabot::DependencyFile])
@@ -103,33 +101,42 @@ module Dependabot
         end
 
         # runs native updaters (e.g. wrapper, lockfile) on relevant build files updated
-        updated_files = T.let([], T::Array[Dependabot::DependencyFile])
-        buildfiles_processed.each do |_, buildfile|
-          if Dependabot::Experiments.enabled?(:gradle_wrapper_updater)
+        if Dependabot::Experiments.enabled?(:gradle_wrapper_updater)
+          buildfiles_processed.each_value do |buildfile|
             wrapper_updater = WrapperUpdater.new(dependency_files: files, dependency: dependency)
-            updated_files += wrapper_updater.update_files(buildfile)
+            updated_files = wrapper_updater.update_files(buildfile)
+            replace_updated_files(files, updated_files)
           end
-          if Dependabot::Experiments.enabled?(:gradle_lockfile_updater)
+        end
+        if Dependabot::Experiments.enabled?(:gradle_lockfile_updater)
+          buildfiles_processed.each_value do |buildfile|
             lockfile_updater = LockfileUpdater.new(dependency_files: files)
-            updated_files += lockfile_updater.update_lockfiles(buildfile)
+            updated_files = lockfile_updater.update_lockfiles(buildfile)
+            replace_updated_files(files, updated_files)
           end
         end
 
+        files
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
+      sig do
+        params(
+          files: T::Array[Dependabot::DependencyFile],
+          updated_files: T::Array[Dependabot::DependencyFile]
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def replace_updated_files(files, updated_files)
         updated_files.each do |file|
-          existing_file = files.find { |f| f.name == file.name && f.directory == file.directory }
+          existing_file = files.find { |f| f.name == file.name }
           if existing_file.nil?
             files << file
           else
             files[T.must(files.index(existing_file))] = file
           end
         end
-
         files
       end
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/CyclomaticComplexity
-      # rubocop:enable Metrics/AbcSize
-      # rubocop:enable Metrics/MethodLength
 
       sig do
         params(

data/lib/dependabot/gradle/package/package_details_fetcher.rb

@@ -12,6 +12,7 @@ require "dependabot/gradle/distributions"
 require "dependabot/maven/utils/auth_headers_finder"
 require "sorbet-runtime"
 require "dependabot/gradle/metadata_finder"
+require "dependabot/gradle/package/release_date_extractor"
 
 module Dependabot
   module Gradle
@@ -101,37 +102,16 @@ module Dependabot
 
         sig { returns(T::Hash[String, T::Hash[Symbol, T.untyped]]) }
         def release_details
-          release_date_info = T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])
-
-          begin
-            repositories.map do |repository_details|
-              url = repository_details.fetch("url")
-              next unless url == Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
-
-              release_info_metadata(repository_details).css("a[title]").each do |link|
-                version_string = link["title"]
-                version = version_string.gsub(%r{/$}, "")
-                raw_date_text = link.next.text.strip.split("\n").last.strip
-
-                release_date = begin
-                  Time.parse(raw_date_text)
-                rescue StandardError
-                  nil
-                end
-
-                next unless version && version_class.correct?(version)
-
-                release_date_info[version] = {
-                  release_date: release_date
-                }
-              end
-            end
+          extractor = ReleaseDateExtractor.new(
+            dependency_name: dependency.name,
+            version_class: version_class
+          )
 
-            release_date_info
-          rescue StandardError
-            Dependabot.logger.error("Failed to get release date")
-            {}
-          end
+          extractor.extract(
+            repositories: repositories,
+            dependency_metadata_fetcher: ->(repo) { dependency_metadata(repo) },
+            release_info_metadata_fetcher: ->(repo) { release_info_metadata(repo) }
+          )
         end
 
         sig { returns(T::Array[T::Hash[String, T.untyped]]) }
@@ -226,6 +206,8 @@ module Dependabot
             end
         end
 
+        # Fetches HTML directory listing from Maven-compatible repositories.
+        # Uses CSS selector "a[title]" to extract versions and dates. Caches results per repository.
         sig { params(repository_details: T::Hash[T.untyped, T.untyped]).returns(T.untyped) }
         def release_info_metadata(repository_details)
           @release_info_metadata ||= T.let({}, T.nilable(T::Hash[Integer, T.untyped]))
@@ -237,14 +219,14 @@ module Dependabot
               )
 
               check_response(response, repository_details.fetch("url"))
-              Nokogiri::XML(response.body)
+              Nokogiri::HTML(response.body)
             rescue URI::InvalidURIError
-              Nokogiri::XML("")
+              Nokogiri::HTML("")
             rescue Excon::Error::Socket, Excon::Error::Timeout,
                    Excon::Error::TooManyRedirects
               raise if central_repo_urls.include?(repository_details["url"])
 
-              Nokogiri::XML("")
+              Nokogiri::HTML("")
             end
         end
 

data/lib/dependabot/gradle/package/release_date_extractor.rb

@@ -0,0 +1,166 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "nokogiri"
+require "time"
+require "sorbet-runtime"
+require "dependabot/logger"
+
+module Dependabot
+  module Gradle
+    module Package
+      # Extracts release dates from repository metadata to support the cooldown feature.
+      # Handles multiple repository formats (Maven Central HTML listings, Gradle Plugin Portal XML).
+      class ReleaseDateExtractor
+        extend T::Sig
+
+        sig do
+          params(
+            dependency_name: String,
+            version_class: T.class_of(Dependabot::Version)
+          ).void
+        end
+        def initialize(dependency_name:, version_class:)
+          @dependency_name = dependency_name
+          @version_class = version_class
+        end
+
+        # Extracts release dates from all repositories.
+        # Attempts both parsing strategies for all repositories:
+        # 1. Gradle Plugin Portal style: maven-metadata.xml with lastUpdated timestamp (latest version only)
+        # 2. Maven repository style: HTML directory listings with per-version dates
+        # This supports mirrors/proxies of both Maven Central and Gradle Plugin Portal.
+        sig do
+          params(
+            repositories: T::Array[T::Hash[String, T.untyped]],
+            dependency_metadata_fetcher: T.proc.params(
+              repo: T::Hash[String, T.untyped]
+            ).returns(Nokogiri::XML::Document),
+            release_info_metadata_fetcher: T.proc.params(
+              repo: T::Hash[String, T.untyped]
+            ).returns(Nokogiri::HTML::Document)
+          ).returns(T::Hash[String, T::Hash[Symbol, T.untyped]])
+        end
+        def extract(repositories:, dependency_metadata_fetcher:, release_info_metadata_fetcher:)
+          release_date_info = T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])
+
+          begin
+            repositories.each do |repository_details|
+              parse_gradle_plugin_portal_release(
+                repository_details,
+                release_date_info,
+                dependency_metadata_fetcher
+              )
+
+              parse_maven_central_releases(
+                repository_details,
+                release_date_info,
+                release_info_metadata_fetcher
+              )
+            end
+
+            release_date_info
+          rescue StandardError => e
+            Dependabot.logger.error(
+              "Failed to get release date for #{@dependency_name}: #{e.class} - #{e.message}"
+            )
+            Dependabot.logger.error(e.backtrace&.join("\n") || "No backtrace available")
+            {}
+          end
+        end
+
+        private
+
+        sig { returns(String) }
+        attr_reader :dependency_name
+
+        sig { returns(T.class_of(Dependabot::Version)) }
+        attr_reader :version_class
+
+        # Parses Maven-style HTML directory listings to extract release dates.
+        sig do
+          params(
+            repository_details: T::Hash[String, T.untyped],
+            release_date_info: T::Hash[String, T::Hash[Symbol, T.untyped]],
+            metadata_fetcher: T.proc.params(
+              repo: T::Hash[String, T.untyped]
+            ).returns(Nokogiri::HTML::Document)
+          ).void
+        end
+        def parse_maven_central_releases(repository_details, release_date_info, metadata_fetcher)
+          metadata_fetcher.call(repository_details).css("a[title]").each do |link|
+            title = link["title"]
+            next unless title
+
+            version = title.gsub(%r{/$}, "")
+            next unless version_class.correct?(version)
+            next if release_date_info.key?(version)
+
+            release_date = extract_release_date_from_link(link, version)
+            release_date_info[version] = { release_date: release_date }
+          end
+        rescue StandardError => e
+          Dependabot.logger.debug(
+            "Could not parse Maven-style release dates from #{repository_details.fetch('url')} " \
+            "for #{dependency_name}: #{e.message}"
+          )
+        end
+
+        # Parses Gradle Plugin Portal maven-metadata.xml for release dates.
+        sig do
+          params(
+            repository_details: T::Hash[String, T.untyped],
+            release_date_info: T::Hash[String, T::Hash[Symbol, T.untyped]],
+            metadata_fetcher: T.proc.params(
+              repo: T::Hash[String, T.untyped]
+            ).returns(Nokogiri::XML::Document)
+          ).void
+        end
+        def parse_gradle_plugin_portal_release(repository_details, release_date_info, metadata_fetcher)
+          metadata_xml = metadata_fetcher.call(repository_details)
+          last_updated = metadata_xml.at_xpath("//metadata/versioning/lastUpdated")&.text&.strip
+          latest_version = metadata_xml.at_xpath("//metadata/versioning/latest")&.text&.strip
+
+          return unless latest_version && version_class.correct?(latest_version)
+          return if release_date_info.key?(latest_version)
+
+          release_date = parse_gradle_timestamp(last_updated)
+          Dependabot.logger.info(
+            "Parsed Gradle Plugin Portal release for #{dependency_name}: #{latest_version} at #{release_date}"
+          )
+          release_date_info[latest_version] = { release_date: release_date }
+        rescue StandardError => e
+          Dependabot.logger.debug(
+            "Could not parse Gradle Plugin Portal metadata from #{repository_details.fetch('url')} " \
+            "for #{dependency_name}: #{e.message}"
+          )
+        end
+
+        # Extracts release date from HTML link element's adjacent text.
+        sig { params(link: Nokogiri::XML::Element, version: String).returns(T.nilable(Time)) }
+        def extract_release_date_from_link(link, version)
+          raw_date_text = link.next.text.strip.split("\n").last.strip
+          Time.parse(raw_date_text)
+        rescue StandardError => e
+          Dependabot.logger.debug(
+            "Failed to parse release date for #{dependency_name} version #{version}: #{e.message}"
+          )
+          nil
+        end
+
+        # Parses Gradle Plugin Portal timestamp format (YYYYMMDDHHmmss).
+        sig { params(timestamp: T.nilable(String)).returns(T.nilable(Time)) }
+        def parse_gradle_timestamp(timestamp)
+          return nil if timestamp.nil? || timestamp.empty?
+
+          Time.strptime(timestamp, "%Y%m%d%H%M%S")
+        rescue ArgumentError => e
+          Dependabot.logger.warn(
+            "Failed to parse Gradle timestamp for #{dependency_name}: '#{timestamp}' - #{e.message}"
+          )
+          nil
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-  version: 0.351.0
+  version: 0.353.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
 - !ruby/object:Gem::Dependency
   name: dependabot-maven
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.351.0
+        version: 0.353.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -272,6 +272,7 @@ files:
 - lib/dependabot/gradle/metadata_finder.rb
 - lib/dependabot/gradle/package/distributions_fetcher.rb
 - lib/dependabot/gradle/package/package_details_fetcher.rb
+- lib/dependabot/gradle/package/release_date_extractor.rb
 - lib/dependabot/gradle/package_manager.rb
 - lib/dependabot/gradle/requirement.rb
 - lib/dependabot/gradle/update_checker.rb
@@ -284,7 +285,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.351.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.353.0
 rdoc_options: []
 require_paths:
 - lib