dependabot-gradle 0.382.0 → 0.383.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a3b9947c1607a8ada6ef1d74f34deb403f2cf76196658ba15b0390976f96c23
-  data.tar.gz: f1471d46f94ed018c4ddfa41c90ab67333fc5a562f3db9e1d9b1a7145964c3bf
+  metadata.gz: d3cb4e728e6f95cd0ba68227af68fd31b0e30ff55a7c28090bfd7f9bc0a357bd
+  data.tar.gz: 268f0b46c9fce142acc4f4b615803481e6e9a72844aafcaee0b18becccd471ef
 SHA512:
-  metadata.gz: 7d3a0d1e02c8fda4cb95d43834bce4d09e7eb591c8b2690e6e7e8ec2d40cb0c2128917fe129ee7d9c3683a4a5e6a5498351540430074b948bad4b9fd6c0a0fc1
-  data.tar.gz: d166b1faeacb7545f0c5327d68209fbbc980fce1a94ad9e6233dd227590ad8a0c8f1fae90380259ba60991850ba274cf6b468470bed59eeebe44085841921619
+  metadata.gz: 935e89f7162570265dc615315f89267fa5aee57d231e5ad7f561d4f08e7759310b3deff9c2e9170c8286d5e57384574c990bfc6be3101835e5ab72d5cf5b1a63
+  data.tar.gz: 06c419e20a01912105e76ec70577a27ab9fc091b37493b7d2481ae7e3383fc1d971004b6561b573f45db9bb0d54cfaafa35588e38b5e1aafd8f5c50cbc31f563

data/lib/dependabot/gradle/distributions.rb

@@ -1,6 +1,8 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "dependabot/dependency_requirement"
+
 module Dependabot
   module Gradle
     module Distributions
@@ -9,7 +11,7 @@ module Dependabot
       DISTRIBUTION_REPOSITORY_URL = "https://services.gradle.org"
       DISTRIBUTION_DEPENDENCY_TYPE = "gradle-distribution"
 
-      sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Boolean) }
+      sig { params(requirements: T::Array[Dependabot::DependencyRequirement]).returns(T::Boolean) }
       def self.distribution_requirements?(requirements)
         requirements.any? do |req|
           req.dig(:source, :type) == DISTRIBUTION_DEPENDENCY_TYPE

data/lib/dependabot/gradle/file_updater/wrapper/command_builder.rb

@@ -0,0 +1,103 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/gradle/file_updater"
+require "dependabot/gradle/file_updater/wrapper/gradle_version_capabilities"
+require "dependabot/gradle/file_updater/wrapper/properties_document"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      module Wrapper
+        # Builds the argument list for Gradle's `wrapper` task.
+        #
+        # The output file is reconciled afterwards (see PropertiesReconciler), so these arguments do
+        # not need to fully reproduce the user's file. We still forward the user's gated, run-relevant
+        # settings (networkTimeout/retries/retryBackOffMs) when the *executing* Gradle version supports
+        # them, both to honor the user's configuration during the run and to align with the wrapper
+        # task's intended usage. Options unsupported by the executing version are omitted so the run
+        # never aborts on an unknown flag.
+        class CommandBuilder
+          extend T::Sig
+
+          # Maps an existing properties key to its wrapper CLI option and the capability key used to
+          # decide whether the executing Gradle version understands the flag.
+          STEERED_OPTIONS = T.let(
+            [
+              ["networkTimeout", "--network-timeout", GradleVersionCapabilities::NETWORK_TIMEOUT],
+              ["retries", "--retries", GradleVersionCapabilities::RETRIES],
+              ["retryBackOffMs", "--retry-back-off-ms", GradleVersionCapabilities::RETRY_BACK_OFF_MS]
+            ].freeze,
+            T::Array[[String, String, String]]
+          )
+
+          sig do
+            params(
+              requirements: T::Array[Dependabot::DependencyRequirement],
+              original_properties: T.nilable(PropertiesDocument),
+              gradle_version: T.nilable(Dependabot::Gradle::Version)
+            ).void
+          end
+          def initialize(requirements:, original_properties:, gradle_version:)
+            @requirements = requirements
+            @original_properties = original_properties
+            @gradle_version = gradle_version
+          end
+
+          sig { returns(T::Array[String]) }
+          def build
+            args = %W(wrapper --gradle-version #{version})
+
+            # Dependabot's proxy cannot satisfy the HEAD request Gradle issues to validate the
+            # distribution URL, so we always skip validation. The user's original
+            # `validateDistributionUrl` value is preserved by reconciliation.
+            args += %w(--no-validate-url)
+
+            args += steered_args
+            args += %W(--distribution-type #{distribution_type}) if distribution_type
+            args += %W(--gradle-distribution-sha256-sum #{checksum}) if checksum
+            args
+          end
+
+          private
+
+          sig { returns(T::Array[String]) }
+          def steered_args
+            properties = @original_properties
+            return [] if properties.nil?
+
+            STEERED_OPTIONS.flat_map do |property_key, flag, capability|
+              value = properties.value_for(property_key)
+              next [] if value.nil? || value.strip.empty?
+              next [] unless GradleVersionCapabilities.supports?(capability, @gradle_version)
+
+              [flag, value]
+            end
+          end
+
+          sig { returns(String) }
+          def version
+            T.let(T.must(@requirements[0])[:requirement], String)
+          end
+
+          sig { returns(T.nilable(String)) }
+          def checksum
+            return nil unless @requirements.size > 1
+
+            T.let(T.must(@requirements[1])[:requirement], String)
+          end
+
+          sig { returns(T.nilable(String)) }
+          def distribution_type
+            url = T.let(T.must(@requirements[0])[:source], T::Hash[Symbol, String])[:url]
+            # Anchor to the `-bin.zip` / `-all.zip` filename suffix so a path segment such as a
+            # mirror host (e.g. https://binaries.example.com/...) can't false-match `bin`/`all`.
+            url&.match(/-(bin|all)\.zip/)&.captures&.first
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater/wrapper/executing_version_detector.rb

@@ -0,0 +1,60 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/gradle/file_updater"
+require "dependabot/gradle/version"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      module Wrapper
+        # Detects the Gradle version that will actually *execute* the wrapper task.
+        #
+        # The wrapper task runs under whatever Gradle the project currently resolves to (the OLD
+        # distribution), not the target version. Knowing that version lets CommandBuilder decide
+        # which version-gated CLI flags are safe to pass.
+        module ExecutingVersionDetector
+          extend T::Sig
+
+          # Matches the version embedded in a Gradle distribution URL, e.g.
+          # https://services.gradle.org/distributions/gradle-9.5.0-bin.zip
+          # Anchored to the `gradle-<version>-(bin|all).zip` filename so host/port numbers in custom
+          # mirror URLs are never mistaken for the version. The captured token is validated with
+          # Version.correct? so non-version matches (and RC/milestone names) are handled safely.
+          DISTRIBUTION_URL_VERSION_REGEX = T.let(
+            /gradle-(?<version>.+?)-(?:bin|all)\.zip/,
+            Regexp
+          )
+
+          # Matches the version printed by `gradle --version`, e.g. "Gradle 9.2.1".
+          GRADLE_VERSION_OUTPUT_REGEX = T.let(/^Gradle\s+(?<version>\d+(?:\.\d+){1,2}(?:-[\w.]+)?)/, Regexp)
+
+          sig { params(distribution_url: T.nilable(String)).returns(T.nilable(Dependabot::Gradle::Version)) }
+          def self.from_distribution_url(distribution_url)
+            return nil if distribution_url.nil?
+
+            captured = distribution_url.match(DISTRIBUTION_URL_VERSION_REGEX)&.named_captures&.fetch("version", nil)
+            build_version(captured)
+          end
+
+          sig { params(output: T.nilable(String)).returns(T.nilable(Dependabot::Gradle::Version)) }
+          def self.from_version_output(output)
+            return nil if output.nil?
+
+            captured = output.match(GRADLE_VERSION_OUTPUT_REGEX)&.named_captures&.fetch("version", nil)
+            build_version(captured)
+          end
+
+          sig { params(captured: T.nilable(String)).returns(T.nilable(Dependabot::Gradle::Version)) }
+          def self.build_version(captured)
+            return nil if captured.nil? || !Dependabot::Gradle::Version.correct?(captured)
+
+            T.cast(Dependabot::Gradle::Version.new(captured), Dependabot::Gradle::Version)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater/wrapper/gradle_version_capabilities.rb

@@ -0,0 +1,59 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/gradle/file_updater"
+require "dependabot/gradle/version"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      module Wrapper
+        # Declarative table of `wrapper` task command-line options and the minimum Gradle
+        # version that supports each one. The wrapper task is executed by the Gradle version
+        # currently resolved by the project (not the target version), so passing an option
+        # that the executing Gradle does not understand would abort the run. We use this table
+        # to only emit options that are safe for the executing version.
+        #
+        # Sources (gradle/gradle `Wrapper.java`):
+        #   --network-timeout       @since 7.6
+        #   --validate-url          @since 8.2  (incubating)
+        #   --retries               @since 9.5.0 (incubating)
+        #   --retry-back-off-ms     @since 9.5.0 (incubating)
+        module GradleVersionCapabilities
+          extend T::Sig
+
+          NETWORK_TIMEOUT = "network-timeout"
+          VALIDATE_URL = "validate-url"
+          RETRIES = "retries"
+          RETRY_BACK_OFF_MS = "retry-back-off-ms"
+
+          MINIMUM_VERSIONS = T.let(
+            {
+              NETWORK_TIMEOUT => "7.6",
+              VALIDATE_URL => "8.2",
+              RETRIES => "9.5.0",
+              RETRY_BACK_OFF_MS => "9.5.0"
+            }.freeze,
+            T::Hash[String, String]
+          )
+
+          # Returns true when the given (executing) Gradle version is known to support the option.
+          # When the version is unknown (nil) we conservatively refuse options that are gated behind
+          # a minimum version, so we never pass a flag that could abort the wrapper run. Reconciliation
+          # of the properties file guarantees the user's value is preserved regardless.
+          sig { params(option: String, gradle_version: T.nilable(Dependabot::Gradle::Version)).returns(T::Boolean) }
+          def self.supports?(option, gradle_version)
+            minimum = MINIMUM_VERSIONS[option]
+            return true if minimum.nil? # ungated option
+
+            return false if gradle_version.nil?
+
+            gradle_version >= Dependabot::Gradle::Version.new(minimum)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater/wrapper/properties_document.rb

@@ -0,0 +1,96 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/gradle/file_updater"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      module Wrapper
+        # An order-preserving model of a `gradle-wrapper.properties` file.
+        #
+        # Java's `Properties.store` (used by Gradle's wrapper task) discards comments, blank
+        # lines, custom keys and the original key ordering. To preserve everything the user
+        # configured, we parse the original file into this document, mutate only the keys we
+        # intend to change, and render it back verbatim.
+        class PropertiesDocument
+          extend T::Sig
+
+          # A single physical line: either a raw line (comment/blank/unparsed) or a property.
+          class Line < T::Struct
+            prop :raw, String
+            prop :indent, String, default: ""
+            prop :key, T.nilable(String)
+            prop :separator, T.nilable(String)
+            prop :value, T.nilable(String)
+          end
+
+          # Properties files use `=`, `:` or whitespace as the key/value separator. Gradle always
+          # writes `=`, but we parse all three so user-authored files are handled faithfully.
+          KEY_VALUE_REGEX = T.let(/\A(\s*)([^\s:=]+)(\s*[:=]\s*|\s+)(.*)\z/, Regexp)
+          COMMENT_REGEX = T.let(/\A\s*[#!]/, Regexp)
+
+          sig { params(content: String).returns(PropertiesDocument) }
+          def self.parse(content)
+            lines = content.split("\n", -1).map { |line| parse_line(line) }
+            new(lines)
+          end
+
+          sig { params(line: String).returns(Line) }
+          def self.parse_line(line)
+            return Line.new(raw: line) if line.strip.empty? || line.match?(COMMENT_REGEX)
+
+            match = line.match(KEY_VALUE_REGEX)
+            return Line.new(raw: line) unless match
+
+            Line.new(
+              raw: line,
+              indent: match[1] || "",
+              key: match[2],
+              separator: match[3],
+              value: match[4]
+            )
+          end
+
+          sig { params(lines: T::Array[Line]).void }
+          def initialize(lines)
+            @lines = lines
+          end
+
+          sig { params(key: String).returns(T::Boolean) }
+          def key?(key)
+            @lines.any? { |line| line.key == key }
+          end
+
+          sig { params(key: String).returns(T.nilable(String)) }
+          def value_for(key)
+            @lines.find { |line| line.key == key }&.value
+          end
+
+          # Sets `key` to `value`, preserving the line's original position, indentation and separator
+          # when the key already exists, otherwise appending a new `key=value` line at the end.
+          sig { params(key: String, value: String).void }
+          def upsert(key, value)
+            existing = @lines.find { |line| line.key == key }
+            if existing
+              separator = existing.separator || "="
+              existing.value = value
+              existing.separator = separator
+              existing.raw = "#{existing.indent}#{key}#{separator}#{value}"
+              return
+            end
+
+            @lines << Line.new(raw: "#{key}=#{value}", key: key, separator: "=", value: value)
+          end
+
+          sig { returns(String) }
+          def to_s
+            @lines.map(&:raw).join("\n")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater/wrapper/properties_reconciler.rb

@@ -0,0 +1,71 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/gradle/file_updater"
+require "dependabot/gradle/file_updater/wrapper/properties_document"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      module Wrapper
+        # Reconciles the `gradle-wrapper.properties` file after Gradle's wrapper task has
+        # regenerated it from hardcoded defaults (see https://github.com/gradle/gradle/issues/36172).
+        #
+        # The reconciliation policy is deliberately conservative: the user's original file is the
+        # source of truth for everything (comments, ordering, custom keys, networkTimeout, retries,
+        # retryBackOffMs, validateDistributionUrl, distributionBase/Path, store paths, ...). Only the
+        # keys that legitimately change for a version bump are taken from the regenerated file.
+        class PropertiesReconciler
+          extend T::Sig
+
+          # Keys whose value is owned by the update itself and therefore taken from the regenerated
+          # file. Everything not listed here is preserved verbatim from the user's original file.
+          MANAGED_KEYS = T.let(
+            %w(distributionUrl distributionSha256Sum).freeze,
+            T::Array[String]
+          )
+
+          # Reconciles the regenerated wrapper properties back onto the user's original file.
+          #
+          # When the original file is missing there is nothing to preserve, so nil is returned and the
+          # caller keeps the regenerated file as-is. When only the regenerated file is missing (e.g. the
+          # wrapper task did not produce one) the original content is returned unchanged.
+          sig do
+            params(original_content: T.nilable(String), regenerated_content: T.nilable(String))
+              .returns(T.nilable(String))
+          end
+          def self.reconcile(original_content:, regenerated_content:)
+            new(original_content: original_content, regenerated_content: regenerated_content).reconcile
+          end
+
+          sig { params(original_content: T.nilable(String), regenerated_content: T.nilable(String)).void }
+          def initialize(original_content:, regenerated_content:)
+            @original_content = original_content
+            @regenerated_content = regenerated_content
+          end
+
+          sig { returns(T.nilable(String)) }
+          def reconcile
+            original_content = @original_content
+            regenerated_content = @regenerated_content
+            return original_content if original_content.nil? || regenerated_content.nil?
+
+            document = PropertiesDocument.parse(original_content)
+            regenerated = PropertiesDocument.parse(regenerated_content)
+
+            MANAGED_KEYS.each do |key|
+              new_value = regenerated.value_for(key)
+              next if new_value.nil?
+
+              document.upsert(key, new_value)
+            end
+
+            document.to_s
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater/wrapper_updater.rb

@@ -7,6 +7,7 @@ require "shellwords"
 require "pathname"
 
 require "dependabot/gradle/distributions"
+require "dependabot/gradle/version"
 
 module Dependabot
   module Gradle
@@ -15,6 +16,11 @@ module Dependabot
         extend T::Sig
         include Dependabot::Gradle::Distributions
 
+        require_relative "wrapper/command_builder"
+        require_relative "wrapper/executing_version_detector"
+        require_relative "wrapper/properties_document"
+        require_relative "wrapper/properties_reconciler"
+
         sig { params(dependency_files: T::Array[Dependabot::DependencyFile], dependency: Dependabot::Dependency).void }
         def initialize(dependency_files:, dependency:)
           @dependency_files = dependency_files
@@ -68,14 +74,11 @@ module Dependabot
               FileUtils.chmod("+x", "./gradlew") if has_local_script
 
               properties_file = File.join(cwd, "gradle/wrapper/gradle-wrapper.properties")
-              validate_distribution, network_timeout = read_wrapper_options(properties_file)
+              original_properties_content = read_file(properties_file)
+              original_document = original_properties_content && Wrapper::PropertiesDocument.parse(original_properties_content)
               env = { "JAVA_OPTS" => proxy_args.join(" ") } # set proxy for gradle execution
 
-              command_parts = %w(--no-daemon --stacktrace) + command_args(target_requirements, network_timeout)
-
-              # There is no guarantee that the `gradlew` script is present on the project,
-              # if it's not, we fall back to system Gradle
-              command = Shellwords.join([has_local_script ? "./gradlew" : "gradle"] + command_parts)
+              command = local_wrapper_command(has_local_script, target_requirements, original_document, cwd, env)
 
               begin
                 # first attempt: run the wrapper task via the local Gradle wrapper (if present)
@@ -83,18 +86,23 @@ module Dependabot
                 # the `gradlew` script may be corrupted, so we try and fall back to system Gradle before giving up
                 SharedHelpers.run_shell_command(command, cwd: cwd, env: env)
               rescue SharedHelpers::HelperSubprocessFailed => e
-                raise e unless has_local_script # already field with system one, there is no point to retry
+                raise e unless has_local_script # already failed with system one, there is no point to retry
 
                 Dependabot.logger.warn("Running #{command} failed, retrying first with system Gradle: #{e.message}")
 
-                # second attempt: run the wrapper task via system gradle and then retry via local wrapper
-                system_command = Shellwords.join(["gradle"] + command_parts)
+                # second attempt: run the wrapper task via system gradle and then retry via local wrapper.
+                # The system Gradle may be a different (often older) version than the wrapper, so we rebuild
+                # the command against its detected version to avoid passing unsupported, version-gated flags.
+                system_command = system_wrapper_command(target_requirements, original_document, cwd, env)
                 SharedHelpers.run_shell_command(system_command, cwd: cwd, env: env) # run via system gradle
                 SharedHelpers.run_shell_command(command, cwd: cwd, env: env) # retry via local wrapper
               end
 
-              # Restore previous validateDistributionUrl option if it existed
-              override_validate_distribution_url_option(properties_file, validate_distribution)
+              # Gradle's wrapper task regenerates gradle-wrapper.properties from hardcoded defaults
+              # (https://github.com/gradle/gradle/issues/36172), discarding comments, ordering, custom
+              # keys and user-customized values. Reconcile the regenerated file back onto the user's
+              # original so only the version-bump keys change.
+              reconcile_properties(properties_file, original_properties_content)
 
               update_files_content(temp_dir, local_files, updated_files)
             rescue SharedHelpers::HelperSubprocessFailed => e
@@ -149,55 +157,68 @@ module Dependabot
           Pathname.new(file.name).cleanpath.to_path
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
+        # Builds the command for the first wrapper attempt.
+        #
+        # When the project ships a `gradlew` script we run it: it downloads and executes the Gradle
+        # version pinned in the current gradle-wrapper.properties, so wrapper flags are gated on that
+        # distributionUrl version. When `gradlew` is missing we instead invoke system Gradle directly,
+        # so flags must be gated on the system Gradle's detected version (not the wrapper's) to avoid
+        # forwarding options that an older system Gradle does not understand and aborting the run.
+        sig do
+          params(
+            has_local_script: T::Boolean,
+            requirements: T::Array[Dependabot::DependencyRequirement],
+            original_document: T.nilable(Wrapper::PropertiesDocument),
+            cwd: String,
+            env: T::Hash[String, String]
+          ).returns(String)
+        end
+        def local_wrapper_command(has_local_script, requirements, original_document, cwd, env)
+          return system_wrapper_command(requirements, original_document, cwd, env) unless has_local_script
+
+          distribution_url = original_document&.value_for("distributionUrl")
+          gradle_version = Wrapper::ExecutingVersionDetector.from_distribution_url(distribution_url)
+          Shellwords.join(["./gradlew"] + build_command_parts(requirements, original_document, gradle_version))
+        end
+
+        # Builds the system-Gradle fallback command, gating wrapper flags on the system Gradle's own
+        # version (which may differ from the project's wrapper version).
+        sig do
+          params(
+            requirements: T::Array[Dependabot::DependencyRequirement],
+            original_document: T.nilable(Wrapper::PropertiesDocument),
+            cwd: String,
+            env: T::Hash[String, String]
+          ).returns(String)
+        end
+        def system_wrapper_command(requirements, original_document, cwd, env)
+          gradle_version = detect_system_gradle_version(cwd, env)
+          Shellwords.join(["gradle"] + build_command_parts(requirements, original_document, gradle_version))
+        end
+
         sig do
           params(
             requirements: T::Array[Dependabot::DependencyRequirement],
-            network_timeout: T.nilable(String)
+            original_document: T.nilable(Wrapper::PropertiesDocument),
+            gradle_version: T.nilable(Dependabot::Gradle::Version)
           ).returns(T::Array[String])
         end
-        def command_args(requirements, network_timeout)
-          version = T.let(requirements[0]&.[](:requirement), String)
-          checksum = T.let(requirements[1]&.[](:requirement), T.nilable(String)) if requirements.size > 1
-          distribution_url = T.let(requirements[0]&.[](:source), T::Hash[Symbol, String])[:url]
-          distribution_type = distribution_url&.match(/\b(bin|all)\b/)&.captures&.first
-
-          args = %W(wrapper --gradle-version #{version})
-
-          # Executing the wrapper task with `validateDistributionUrl=true`,
-          # issues a HEAD request to ensure that the file exists and is reachable.
-          # Example: HEAD https://services.gradle.org/distributions/gradle-9.3.0-bin.zip
-          # Unfortunately, Dependabot's proxy does not seem to support something about this request
-          # This causes the validation to fail and the wrapper task to error out
-          # To work around this, we pass `--no-validate-url` to skip the url validation step,
-          # Note: this temporarily sets `validateDistributionUrl=false` in `gradle-wrapper.properties`.
-          # After the wrapper task completes, we restore the original value, since `--no-validate-url` would otherwise
-          # persist the change in the properties file, which is not the behavior we want for users.
-          # TODO: Investigate and fix the root cause of the proxy issue and remove this workaround
-          # See https://github.com/dependabot/dependabot-core/issues/14036
-          args += %w(--no-validate-url)
-
-          # Gradle builds can be very complex, and our current Gradle parsing is limited.
-          # To keep `./gradlew wrapper` running reliably, we generate a minimal build that omits the
-          # project’s build scripts and customizations. As a result, any `tasks.wrapper {}` DSL configuration
-          # defined in the original project is not applied.
-          #
-          # This approach, combined with https://github.com/gradle/gradle/issues/36172 where the wrapper task
-          # relies on hardcoded defaults instead of reading from `gradle-wrapper.properties`, causes
-          # `networkTimeout` customizations to be reset to the default value on every Dependabot pull request.
-          #
-          # This change mitigates the issue by reading the existing value and passing it explicitly to the
-          # `wrapper` command, ensuring any custom `networkTimeout` setting is preserved.
-          #
-          # In future iterations, we may consider parsing the full Gradle build and extracting only the
-          # wrapper-related customizations so the project-specific `tasks.wrapper {}` behavior is retained.
-          # Alternatively, if Gradle addresses the upstream issue, we can revert to using the default minimal
-          # build without needing explicit configuration.
-          args += %W(--network-timeout #{network_timeout}) if network_timeout
-
-          args += %W(--distribution-type #{distribution_type}) if distribution_type
-          args += %W(--gradle-distribution-sha256-sum #{checksum}) if checksum
-          args
+        def build_command_parts(requirements, original_document, gradle_version)
+          wrapper_args = Wrapper::CommandBuilder.new(
+            requirements: requirements,
+            original_properties: original_document,
+            gradle_version: gradle_version
+          ).build
+          %w(--no-daemon --stacktrace) + wrapper_args
+        end
+
+        sig { params(cwd: String, env: T::Hash[String, String]).returns(T.nilable(Dependabot::Gradle::Version)) }
+        def detect_system_gradle_version(cwd, env)
+          output = SharedHelpers.run_shell_command("gradle --version", cwd: cwd, env: env)
+          Wrapper::ExecutingVersionDetector.from_version_output(output)
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          Dependabot.logger.warn("Unable to detect system Gradle version: #{e.message}")
+          nil
         end
 
         # Gradle builds can be complex, to maximize the chances of a successful we just keep related wrapper files
@@ -249,29 +270,27 @@ module Dependabot
           end
         end
 
-        sig { params(properties_file: T.any(Pathname, String)).returns(T::Array[T.nilable(String)]) }
-        def read_wrapper_options(properties_file)
-          return [nil, nil] unless File.exist?(properties_file)
-
-          properties_content = File.read(properties_file)
-          validate_distribution = properties_content.match(/^validateDistributionUrl=(.*)$/)&.captures&.first
-          network_timeout = properties_content.match(/^networkTimeout=(.*)$/)&.captures&.first
+        sig { params(path: T.any(Pathname, String)).returns(T.nilable(String)) }
+        def read_file(path)
+          return nil unless File.exist?(path)
 
-          [validate_distribution, network_timeout]
+          File.read(path)
         end
 
-        sig { params(properties_file: T.any(Pathname, String), value: T.nilable(String)).void }
-        def override_validate_distribution_url_option(properties_file, value)
-          return unless File.exist?(properties_file)
-
-          properties_content = File.read(properties_file)
-          updated_content = properties_content.gsub(
-            /^validateDistributionUrl=(.*)\n/,
-            value ? "validateDistributionUrl=#{value}\n" : ""
+        # Reconciles the wrapper-regenerated properties file back onto the user's original content,
+        # overwriting only the keys that legitimately change for a version bump. Preserves comments,
+        # ordering, custom keys and all other user-customized values.
+        sig { params(properties_file: T.any(Pathname, String), original_content: T.nilable(String)).void }
+        def reconcile_properties(properties_file, original_content)
+          regenerated_content = read_file(properties_file)
+          reconciled = Wrapper::PropertiesReconciler.reconcile(
+            original_content: original_content,
+            regenerated_content: regenerated_content
           )
-          File.write(properties_file, updated_content)
+          File.write(properties_file, reconciled) if reconciled && reconciled != regenerated_content
         end
 
+        # rubocop:disable Metrics/PerceivedComplexity
         sig { returns(T::Array[String]) }
         def proxy_args
           http_proxy = ENV.fetch("HTTP_PROXY", nil)

data/lib/dependabot/gradle/package/package_details_fetcher.rb

@@ -15,6 +15,7 @@ require "dependabot/logger"
 require "dependabot/gradle/metadata_finder"
 require "dependabot/gradle/package/release_date_extractor"
 require "dependabot/gradle/package/version_release_date_fallback_fetcher"
+require "dependabot/package/release_cooldown_options"
 
 module Dependabot
   module Gradle
@@ -55,14 +56,16 @@ module Dependabot
             dependency: Dependabot::Dependency,
             dependency_files: T::Array[Dependabot::DependencyFile],
             credentials: T::Array[Dependabot::Credential],
-            forbidden_urls: T.nilable(T::Array[String])
+            forbidden_urls: T.nilable(T::Array[String]),
+            cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
           ).void
         end
-        def initialize(dependency:, dependency_files:, credentials:, forbidden_urls:)
+        def initialize(dependency:, dependency_files:, credentials:, forbidden_urls:, cooldown_options: nil)
           @dependency = dependency
           @dependency_files = dependency_files
           @credentials = credentials
           @forbidden_urls = forbidden_urls
+          @cooldown_options = T.let(cooldown_options, T.nilable(Dependabot::Package::ReleaseCooldownOptions))
           @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
           @google_version_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
           @dependency_repository_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
@@ -101,7 +104,7 @@ module Dependabot
             end.flatten.compact
 
           version_details = version_details.sort_by { |details| details.fetch(:version) }
-          release_date_info = release_details
+          release_date_info = @cooldown_options ? release_details : {}
           version_details.each do |info|
             package_releases << {
               version: Gradle::Version.new(info[:version].to_s),

data/lib/dependabot/gradle/update_checker/requirements_updater.rb

@@ -8,6 +8,7 @@
 
 require "sorbet-runtime"
 
+require "dependabot/dependency_requirement"
 require "dependabot/requirements_updater/base"
 require "dependabot/gradle/distributions"
 require "dependabot/gradle/package/distributions_fetcher"
@@ -29,7 +30,7 @@ module Dependabot
 
         sig do
           params(
-            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            requirements: T::Array[Dependabot::DependencyRequirement],
             latest_version: T.nilable(T.any(Version, String)),
             source_url: T.nilable(String),
             properties_to_update: T::Array[String]
@@ -51,7 +52,7 @@ module Dependabot
           @is_distribution = T.let(Distributions.distribution_requirements?(requirements), T::Boolean)
         end
 
-        sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
         def updated_requirements
           return requirements unless latest_version
           return updated_distribution_requirements if @is_distribution
@@ -67,13 +68,13 @@ module Dependabot
             next req if property_name && !properties_to_update.include?(property_name)
 
             new_req = update_requirement(req[:requirement])
-            req.merge(requirement: new_req, source: updated_source)
+            Dependabot::DependencyRequirement.create(req.merge(requirement: new_req, source: updated_source))
           end
         end
 
         private
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { returns(T::Array[Dependabot::DependencyRequirement]) }
         attr_reader :requirements
 
         sig { returns(T.nilable(Version)) }
@@ -118,7 +119,7 @@ module Dependabot
           end
         end
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { returns(T::Array[Dependabot::DependencyRequirement]) }
         def updated_distribution_requirements
           distribution_url = T.let(nil, T.nilable(String))
 
@@ -132,15 +133,19 @@ module Dependabot
               version = update_exact_requirement(requirement)
               distribution_url = source[:url].gsub(requirement, version)
 
-              req.merge(
-                requirement: version,
-                source: source.merge(url: distribution_url)
+              Dependabot::DependencyRequirement.create(
+                req.merge(
+                  requirement: version,
+                  source: source.merge(url: distribution_url)
+                )
               )
             when "distributionSha256Sum"
               checksum_url, checksum = Gradle::Package::DistributionsFetcher.resolve_checksum(T.must(distribution_url))
-              req.merge(
-                requirement: checksum,
-                source: source.merge(url: checksum_url)
+              Dependabot::DependencyRequirement.create(
+                req.merge(
+                  requirement: checksum,
+                  source: source.merge(url: checksum_url)
+                )
               )
             else
               next req

data/lib/dependabot/gradle/update_checker/version_finder.rb

@@ -124,7 +124,8 @@ module Dependabot
             dependency: dependency,
             dependency_files: dependency_files,
             credentials: credentials,
-            forbidden_urls: forbidden_urls
+            forbidden_urls: forbidden_urls,
+            cooldown_options: cooldown_options
           ).fetch_available_versions
         end
 
@@ -169,7 +170,8 @@ module Dependabot
               dependency: dependency,
               dependency_files: dependency_files,
               credentials: credentials,
-              forbidden_urls: []
+              forbidden_urls: [],
+              cooldown_options: cooldown_options
             ),
             T.nilable(Dependabot::Gradle::Package::PackageDetailsFetcher)
           )

data/lib/dependabot/gradle/update_checker.rb

@@ -68,14 +68,12 @@ module Dependabot
           declarations_using_a_property
           .map { |req| req.dig(:metadata, :property_name) }
 
-        wrap_requirements(
-          RequirementsUpdater.new(
-            requirements: dependency.requirements,
-            latest_version: preferred_resolvable_version&.to_s,
-            source_url: preferred_version_details&.fetch(:source_url),
-            properties_to_update: property_names
-          ).updated_requirements
-        )
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_version: preferred_resolvable_version&.to_s,
+          source_url: preferred_version_details&.fetch(:source_url),
+          properties_to_update: property_names
+        ).updated_requirements
       end
 
       sig { override.returns(T::Boolean) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-  version: 0.382.0
+  version: 0.383.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,28 +15,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: dependabot-maven
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -267,6 +267,11 @@ files:
 - lib/dependabot/gradle/file_updater/dependency_set_updater.rb
 - lib/dependabot/gradle/file_updater/lockfile_updater.rb
 - lib/dependabot/gradle/file_updater/property_value_updater.rb
+- lib/dependabot/gradle/file_updater/wrapper/command_builder.rb
+- lib/dependabot/gradle/file_updater/wrapper/executing_version_detector.rb
+- lib/dependabot/gradle/file_updater/wrapper/gradle_version_capabilities.rb
+- lib/dependabot/gradle/file_updater/wrapper/properties_document.rb
+- lib/dependabot/gradle/file_updater/wrapper/properties_reconciler.rb
 - lib/dependabot/gradle/file_updater/wrapper_updater.rb
 - lib/dependabot/gradle/language.rb
 - lib/dependabot/gradle/metadata_finder.rb
@@ -286,7 +291,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
 rdoc_options: []
 require_paths:
 - lib