dependabot-gradle 0.377.0 → 0.378.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc9ccb07b414741f2b8839cd0fb9515a004b20df4dfb5b008347af097a93128a
-  data.tar.gz: d974e7d7f85518016c86c19366421127781be99f2d014b16891d6483d9196e76
+  metadata.gz: 0016ba8c19319e359c4d4ba76a14a47d4d1c55f6f5dab5fe72604df215d52777
+  data.tar.gz: 746d406e83069c13be3aa0a987273f0d216e8811c7766a023b83ce492a5e9fc3
 SHA512:
-  metadata.gz: b9c4b0b21c8b0dd3625b464491a723e63bfb5d12c6524e503f0edae004a65cfa7194c86638c2a8eb609652b79e3625dbbfdebbbe41f620ce889679a1e2aacddf
-  data.tar.gz: 20b4d157bf6a305cafe771152a638ef3f4290d935cb7b2d221c62338c33e8b18de2bb6b55586d0808118993b34f37d7b62392eb02c9324f0f010a465fa4eed8c
+  metadata.gz: 0a5ee60f58ec228d0e2c246798dfa01007472fdf2f76d33fdd4ed09d079dd7b29667a74eb996ffde9201cd723d38c74b4dd96bf60b19856faedfbfca80eda64b
+  data.tar.gz: 3849e2484105ca53b3c39ff4d2410f343d000dd0d8106c78dbb320a70867829e2a3653501139a5170b4e104ea7878e86ddf1df8a02afefaa1ab699dc91ab9c10

data/lib/dependabot/gradle/package/package_details_fetcher.rb

@@ -11,8 +11,10 @@ require "dependabot/gradle/requirement"
 require "dependabot/gradle/distributions"
 require "dependabot/maven/utils/auth_headers_finder"
 require "sorbet-runtime"
+require "dependabot/logger"
 require "dependabot/gradle/metadata_finder"
 require "dependabot/gradle/package/release_date_extractor"
+require "dependabot/gradle/package/version_release_date_fallback_fetcher"
 
 module Dependabot
   module Gradle
@@ -37,10 +39,11 @@ module Dependabot
           @dependency_files = dependency_files
           @credentials = credentials
           @forbidden_urls = forbidden_urls
-
           @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
           @google_version_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
           @dependency_repository_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
+          @release_details = T.let(nil, T.nilable(T::Hash[String, T::Hash[Symbol, T.untyped]]))
+          @version_release_date_fallback_fetcher = T.let(nil, T.nilable(VersionReleaseDateFallbackFetcher))
         end
 
         sig { returns(Dependabot::Dependency) }
@@ -56,17 +59,12 @@ module Dependabot
         attr_reader :forbidden_urls
 
         # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
-        sig do
-          returns(T::Array[T::Hash[String, T.untyped]])
-        end
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
         def fetch_available_versions
-          T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])
           package_releases = T.let([], T::Array[T::Hash[String, T.untyped]])
-
           version_details =
             repositories.map do |repository_details|
               url = repository_details.fetch("url")
-
               next distribution_version_details if url == Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL
               next google_version_details if url == Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO
 
@@ -80,37 +78,78 @@ module Dependabot
 
           version_details = version_details.sort_by { |details| details.fetch(:version) }
           release_date_info = release_details
-
-          version_details.map do |info|
-            version = info[:version]&.to_s
-
+          version_details.each do |info|
             package_releases << {
-              version: Gradle::Version.new(version),
-              released_at: info[:released_at] || release_date_info[version]&.fetch(:release_date),
+              version: Gradle::Version.new(info[:version].to_s),
+              released_at: info[:released_at] || release_date_info[info[:version].to_s]&.fetch(:release_date),
               source_url: info[:source_url]
             }
           end
           if version_details.none? && T.must(forbidden_urls).any?
-            raise PrivateSourceAuthenticationFailure,
-                  T.must(forbidden_urls).first
+            raise PrivateSourceAuthenticationFailure, T.must(forbidden_urls).first
           end
-          # version_details
 
           package_releases
         end
         # rubocop:enable Metrics/AbcSize,Metrics/PerceivedComplexity
 
+        sig { params(release: Dependabot::Package::PackageRelease).returns(Dependabot::Package::PackageRelease) }
+        def fetch_release_metadata(release:)
+          return release if release.released_at
+
+          release_date = release_details[release.version.to_s]&.fetch(:release_date, nil)
+          hydrated_release = build_release_with_date(release, release_date)
+
+          return hydrated_release if hydrated_release.released_at || !plugin?
+
+          build_release_with_date(hydrated_release, version_release_date_fallback(release.version.to_s))
+        end
+
         sig { returns(T::Hash[String, T::Hash[Symbol, T.untyped]]) }
         def release_details
-          extractor = ReleaseDateExtractor.new(
-            dependency_name: dependency.name,
-            version_class: version_class
-          )
+          @release_details ||= begin
+            extractor = ReleaseDateExtractor.new(dependency_name: dependency.name, version_class: version_class)
+            extractor.extract(
+              repositories: repositories,
+              dependency_metadata_fetcher: ->(repo) { dependency_metadata(repo) },
+              release_info_metadata_fetcher: ->(repo) { release_info_metadata(repo) }
+            )
+          end
+        end
 
-          extractor.extract(
-            repositories: repositories,
-            dependency_metadata_fetcher: ->(repo) { dependency_metadata(repo) },
-            release_info_metadata_fetcher: ->(repo) { release_info_metadata(repo) }
+        sig { params(version: String).returns(T.nilable(Time)) }
+        def version_release_date_fallback(version)
+          version_release_date_fallback_fetcher.fetch(version)
+        end
+
+        sig { params(repository_url: String, version: String).returns(String) }
+        def plugin_version_pom_url(repository_url, version)
+          group_id, artifact_id = group_and_artifact_ids
+          group_id = "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{group_id}" if kotlin_plugin?
+          pom_filename = "#{artifact_id}-#{version}.pom"
+          File.join(repository_url, T.must(group_id).tr(".", "/"), artifact_id, version, pom_filename)
+        end
+
+        sig do
+          params(
+            release: Dependabot::Package::PackageRelease,
+            release_date: T.nilable(Time)
+          )
+            .returns(Dependabot::Package::PackageRelease)
+        end
+        def build_release_with_date(release, release_date)
+          Dependabot::Package::PackageRelease.new(
+            version: release.version,
+            released_at: release_date,
+            latest: release.latest,
+            yanked: release.yanked,
+            yanked_reason: release.yanked_reason,
+            downloads: release.downloads,
+            url: release.url,
+            package_type: release.package_type,
+            language: release.language,
+            tag: release.tag,
+            details: release.details
           )
         end
 
@@ -130,7 +169,6 @@ module Dependabot
             details.reject do |repo|
               next if repo["auth_headers"]
 
-              # Reject this entry if an identical one with non-empty auth_headers exists
               details.any? { |r| r["url"] == repo["url"] && r["auth_headers"] != {} }
             end
         end
@@ -204,8 +242,6 @@ module Dependabot
             end
         end
 
-        # Fetches HTML directory listing from Maven-compatible repositories.
-        # Uses CSS selector "a[title]" to extract versions and dates. Caches results per repository.
         sig { params(repository_details: T::Hash[T.untyped, T.untyped]).returns(T.untyped) }
         def release_info_metadata(repository_details)
           @release_info_metadata ||= T.let({}, T.nilable(T::Hash[Integer, T.untyped]))
@@ -276,18 +312,13 @@ module Dependabot
 
         sig { returns(T::Array[T::Hash[String, String]]) }
         def plugin_repository_details
-          [{
-            "url" => Gradle::FileParser::RepositoriesFinder::GRADLE_PLUGINS_REPO,
-            "auth_headers" => {}
-          }] + dependency_repository_details
+          [{ "url" => Gradle::FileParser::RepositoriesFinder::GRADLE_PLUGINS_REPO, "auth_headers" => {} }] +
+            dependency_repository_details
         end
 
         sig { returns(T::Array[T::Hash[String, T.untyped]]) }
         def distribution_repository_details
-          [{
-            "url" => Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL,
-            "auth_headers" => {}
-          }]
+          [{ "url" => Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL, "auth_headers" => {} }]
         end
 
         sig { params(comparison_version: T.untyped).returns(T::Boolean) }
@@ -355,6 +386,16 @@ module Dependabot
           Distributions.distribution_requirements?(dependency.requirements)
         end
 
+        sig { returns(VersionReleaseDateFallbackFetcher) }
+        def version_release_date_fallback_fetcher
+          @version_release_date_fallback_fetcher ||= VersionReleaseDateFallbackFetcher.new(
+            dependency_name: dependency.name,
+            repositories: repositories,
+            forbidden_urls: T.must(forbidden_urls),
+            pom_url_builder: ->(repository_url, version) { plugin_version_pom_url(repository_url, version) }
+          )
+        end
+
         sig { returns(T::Array[String]) }
         def central_repo_urls
           central_url_without_protocol =

data/lib/dependabot/gradle/package/release_date_extractor.rb

@@ -45,19 +45,12 @@ module Dependabot
           release_date_info = T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])
 
           begin
-            repositories.each do |repository_details|
-              parse_gradle_plugin_portal_release(
-                repository_details,
-                release_date_info,
-                dependency_metadata_fetcher
-              )
-
-              parse_maven_central_releases(
-                repository_details,
-                release_date_info,
-                release_info_metadata_fetcher
-              )
-            end
+            parse_repository_release_dates(
+              repositories: repositories,
+              release_date_info: release_date_info,
+              dependency_metadata_fetcher: dependency_metadata_fetcher,
+              release_info_metadata_fetcher: release_info_metadata_fetcher
+            )
 
             release_date_info
           rescue StandardError => e
@@ -77,6 +70,39 @@ module Dependabot
         sig { returns(T.class_of(Dependabot::Version)) }
         attr_reader :version_class
 
+        sig do
+          params(
+            repositories: T::Array[T::Hash[String, T.untyped]],
+            release_date_info: T::Hash[String, T::Hash[Symbol, T.untyped]],
+            dependency_metadata_fetcher: T.proc.params(
+              repo: T::Hash[String, T.untyped]
+            ).returns(Nokogiri::XML::Document),
+            release_info_metadata_fetcher: T.proc.params(
+              repo: T::Hash[String, T.untyped]
+            ).returns(Nokogiri::HTML::Document)
+          ).void
+        end
+        def parse_repository_release_dates(
+          repositories:,
+          release_date_info:,
+          dependency_metadata_fetcher:,
+          release_info_metadata_fetcher:
+        )
+          repositories.each do |repository_details|
+            parse_gradle_plugin_portal_release(
+              repository_details,
+              release_date_info,
+              dependency_metadata_fetcher
+            )
+
+            parse_maven_central_releases(
+              repository_details,
+              release_date_info,
+              release_info_metadata_fetcher
+            )
+          end
+        end
+
         # Parses Maven-style HTML directory listings to extract release dates.
         sig do
           params(

data/lib/dependabot/gradle/package/version_release_date_fallback_fetcher.rb

@@ -0,0 +1,95 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/logger"
+require "sorbet-runtime"
+require "time"
+
+module Dependabot
+  module Gradle
+    module Package
+      class VersionReleaseDateFallbackFetcher
+        extend T::Sig
+
+        sig do
+          params(
+            dependency_name: String,
+            repositories: T::Array[T::Hash[String, T.untyped]],
+            forbidden_urls: T::Array[String],
+            pom_url_builder: T.proc.params(repository_url: String, version: String).returns(String)
+          ).void
+        end
+        def initialize(dependency_name:, repositories:, forbidden_urls:, pom_url_builder:)
+          @dependency_name = dependency_name
+          @repositories = repositories
+          @forbidden_urls = forbidden_urls
+          @pom_url_builder = pom_url_builder
+          @cache = T.let({}, T::Hash[String, T.nilable(Time)])
+          @preferred_repository_url = T.let(nil, T.nilable(String))
+          @fallback_logged = T.let(false, T::Boolean)
+        end
+
+        sig { params(version: String).returns(T.nilable(Time)) }
+        def fetch(version)
+          return @cache[version] if @cache.key?(version)
+
+          ordered_repositories.each do |repo|
+            repository_url = repo.fetch("url")
+            pom_url = @pom_url_builder.call(repository_url, version)
+
+            begin
+              response = Dependabot::RegistryClient.head(url: pom_url, headers: repo["auth_headers"])
+              last_modified = response.headers["Last-Modified"] || response.headers["last-modified"]
+              next unless last_modified
+
+              released_at = Time.httpdate(last_modified)
+              @preferred_repository_url = repository_url
+              log_fallback_hit(version: version, repository_url: repository_url, released_at: released_at)
+              @cache[version] = released_at
+              return released_at
+            rescue StandardError => e
+              Dependabot.logger.debug(
+                "Failed POM Last-Modified fallback for #{@dependency_name} version #{version} from " \
+                "#{repository_url}: #{e.message}"
+              )
+            end
+          end
+
+          Dependabot.logger.debug(
+            "No POM Last-Modified fallback release date found for #{@dependency_name} version #{version}"
+          )
+          @cache[version] = nil
+        end
+
+        private
+
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+        def ordered_repositories
+          candidates = @repositories.reject do |repo|
+            @forbidden_urls.include?(repo.fetch("url"))
+          end
+
+          preferred, remaining = candidates.partition do |repo|
+            @preferred_repository_url && repo.fetch("url") == @preferred_repository_url
+          end
+
+          preferred + remaining
+        end
+
+        sig { params(version: String, repository_url: String, released_at: Time).void }
+        def log_fallback_hit(version:, repository_url:, released_at:)
+          Dependabot.logger.debug(
+            "Using POM Last-Modified fallback for #{@dependency_name} version #{version} from " \
+            "#{repository_url}: #{released_at}"
+          )
+          return if @fallback_logged
+
+          Dependabot.logger.info(
+            "Using POM Last-Modified fallback release dates for #{@dependency_name} from #{repository_url}"
+          )
+          @fallback_logged = true
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/update_checker/version_finder.rb

@@ -232,21 +232,36 @@ module Dependabot
 
         sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
         def in_cooldown_period?(release)
-          unless release.released_at
-            if cooldown_options
-              Dependabot.logger.info("Release date not available for version #{release.version} - filtering out")
-              return true
-            else
-              Dependabot.logger.info("Release date not available for version #{release.version}")
-              return false
-            end
-          end
-
           current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
           days = cooldown_days_for(current_version, release.version)
+          return false if days <= 0
+
+          release = package_details_fetcher.fetch_release_metadata(release: release)
+          return missing_release_date_in_cooldown?(release) unless release.released_at
+
+          cooldown_window?(release: release, days: days)
+        end
+
+        sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
+        def missing_release_date_in_cooldown?(release)
+          if cooldown_options
+            Dependabot.logger.info("Release date not available for version #{release.version} - filtering out")
+            true
+          else
+            Dependabot.logger.info("Release date not available for version #{release.version}")
+            false
+          end
+        end
+
+        sig do
+          params(
+            release: Dependabot::Package::PackageRelease,
+            days: Integer
+          ).returns(T::Boolean)
+        end
+        def cooldown_window?(release:, days:)
           in_cooldown = Dependabot::UpdateCheckers::CooldownCalculation
                         .within_cooldown_window?(T.must(release.released_at), days)
-
           if in_cooldown
             passed_days = (Time.now.to_i - release.released_at.to_i) / (24 * 60 * 60)
             Dependabot.logger.info(
@@ -254,7 +269,6 @@ module Dependabot
               " Days since release: #{passed_days} (cooldown days: #{days})"
             )
           end
-
           in_cooldown
         end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-  version: 0.377.0
+  version: 0.378.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.377.0
+        version: 0.378.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.377.0
+        version: 0.378.0
 - !ruby/object:Gem::Dependency
   name: dependabot-maven
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.377.0
+        version: 0.378.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.377.0
+        version: 0.378.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -273,6 +273,7 @@ files:
 - lib/dependabot/gradle/package/distributions_fetcher.rb
 - lib/dependabot/gradle/package/package_details_fetcher.rb
 - lib/dependabot/gradle/package/release_date_extractor.rb
+- lib/dependabot/gradle/package/version_release_date_fallback_fetcher.rb
 - lib/dependabot/gradle/package_manager.rb
 - lib/dependabot/gradle/requirement.rb
 - lib/dependabot/gradle/update_checker.rb
@@ -285,7 +286,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.377.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.378.0
 rdoc_options: []
 require_paths:
 - lib