dependabot-gradle 0.84.0

data/lib/dependabot/gradle/file_parser/repositories_finder.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_parser"
+
+module Dependabot
+  module Gradle
+    class FileParser
+      class RepositoriesFinder
+        # The Central Repo doesn't have special status for Gradle, but until
+        # we're confident we're selecting repos correctly it's wise to include
+        # it as a default.
+        CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
+
+        REPOSITORIES_BLOCK_START = /(?:^|\s)repositories\s*\{/.freeze
+        MAVEN_REPO_REGEX =
+          /maven\s*\{[^\}]*\surl[\s\(]\s*['"](?<url>[^'"]+)['"]/.freeze
+
+        def initialize(dependency_files:, target_dependency_file:)
+          @dependency_files = dependency_files
+          @target_dependency_file = target_dependency_file
+          raise "No target file!" unless target_dependency_file
+        end
+
+        def repository_urls
+          repository_urls = []
+          repository_urls += inherited_repository_urls
+          repository_urls += own_buildfile_repository_urls
+          repository_urls = repository_urls.uniq
+
+          return repository_urls unless repository_urls.empty?
+
+          [CENTRAL_REPO_URL]
+        end
+
+        private
+
+        attr_reader :dependency_files, :target_dependency_file
+
+        def inherited_repository_urls
+          return [] unless top_level_buildfile
+
+          buildfile_content = comment_free_content(top_level_buildfile)
+          subproject_blocks = []
+
+          buildfile_content.scan(/(?:^|\s)allprojects\s*\{/) do
+            mtch = Regexp.last_match
+            subproject_blocks <<
+              mtch.post_match[0..closing_bracket_index(mtch.post_match)]
+          end
+
+          if top_level_buildfile != target_dependency_file
+            buildfile_content.scan(/(?:^|\s)subprojects\s*\{/) do
+              mtch = Regexp.last_match
+              subproject_blocks <<
+                mtch.post_match[0..closing_bracket_index(mtch.post_match)]
+            end
+          end
+
+          repository_urls_from(subproject_blocks.join("\n"))
+        end
+
+        def own_buildfile_repository_urls
+          buildfile_content = comment_free_content(target_dependency_file)
+
+          buildfile_content.dup.scan(/(?:^|\s)subprojects\s*\{/) do
+            mtch = Regexp.last_match
+            buildfile_content.gsub!(
+              mtch.post_match[0..closing_bracket_index(mtch.post_match)],
+              ""
+            )
+          end
+
+          repository_urls_from(buildfile_content)
+        end
+
+        def repository_urls_from(buildfile_content)
+          repository_urls = []
+
+          repository_blocks = []
+          buildfile_content.scan(REPOSITORIES_BLOCK_START) do
+            mtch = Regexp.last_match
+            repository_blocks <<
+              mtch.post_match[0..closing_bracket_index(mtch.post_match)]
+          end
+
+          repository_blocks.each do |block|
+            if block.include?(" google(")
+              repository_urls << "https://maven.google.com/"
+            end
+
+            if block.include?(" mavenCentral(")
+              repository_urls << "https://repo.maven.apache.org/maven2/"
+            end
+
+            if block.include?(" jcenter(")
+              repository_urls << "https://jcenter.bintray.com/"
+            end
+
+            block.scan(MAVEN_REPO_REGEX) do
+              repository_urls << Regexp.last_match.named_captures.fetch("url")
+            end
+          end
+
+          repository_urls.
+            map { |url| url.strip.gsub(%r{/$}, "") }.
+            select { |url| valid_url?(url) }.
+            uniq
+        end
+
+        def closing_bracket_index(string)
+          closes_required = 1
+
+          string.chars.each_with_index do |char, index|
+            closes_required += 1 if char == "{"
+            closes_required -= 1 if char == "}"
+            return index if closes_required.zero?
+          end
+        end
+
+        def valid_url?(url)
+          # Reject non-http URLs because they're probably parsing mistakes
+          return false unless url.start_with?("http")
+
+          URI.parse(url)
+          true
+        rescue URI::InvalidURIError
+          false
+        end
+
+        def comment_free_content(buildfile)
+          buildfile.content.
+            gsub(%r{(?<=^|\s)//.*$}, "\n").
+            gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
+        end
+
+        def top_level_buildfile
+          @top_level_buildfile ||=
+            dependency_files.find { |f| f.name == "build.gradle" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater.rb

@@ -0,0 +1,177 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/gradle/file_parser"
+
+module Dependabot
+  module Gradle
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      require_relative "file_updater/dependency_set_updater"
+      require_relative "file_updater/property_value_updater"
+
+      def self.updated_files_regex
+        [/^build\.gradle$/, %r{/build\.gradle$}]
+      end
+
+      def updated_dependency_files
+        updated_files = buildfiles.dup
+
+        # Loop through each of the changed requirements, applying changes to
+        # all buildfiles for that change. Note that the logic is different
+        # here to other languages because Java has property inheritance across
+        # files (although we're not supporting it for gradle yet).
+        dependencies.each do |dependency|
+          updated_files = update_buildfiles_for_dependency(
+            buildfiles: updated_files,
+            dependency: dependency
+          )
+        end
+
+        updated_files = updated_files.reject { |f| buildfiles.include?(f) }
+
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      def check_required_files
+        raise "No build.gradle!" unless get_original_file("build.gradle")
+      end
+
+      def update_buildfiles_for_dependency(buildfiles:, dependency:)
+        files = buildfiles.dup
+
+        # The UpdateChecker ensures the order of requirements is preserved
+        # when updating, so we can zip them together in new/old pairs.
+        reqs = dependency.requirements.zip(dependency.previous_requirements).
+               reject { |new_req, old_req| new_req == old_req }
+
+        # Loop through each changed requirement and update the buildfiles
+        reqs.each do |new_req, old_req|
+          raise "Bad req match" unless new_req[:file] == old_req[:file]
+          next if new_req[:requirement] == old_req[:requirement]
+
+          buildfile = files.find { |f| f.name == new_req.fetch(:file) }
+
+          if new_req.dig(:metadata, :property_name)
+            files = update_files_for_property_change(files, old_req, new_req)
+          elsif new_req.dig(:metadata, :dependency_set)
+            files = update_files_for_dep_set_change(files, old_req, new_req)
+          else
+            files[files.index(buildfile)] =
+              update_version_in_buildfile(
+                dependency,
+                buildfile,
+                old_req,
+                new_req
+              )
+          end
+        end
+
+        files
+      end
+
+      def update_files_for_property_change(buildfiles, old_req, new_req)
+        files = buildfiles.dup
+        property_name = new_req.fetch(:metadata).fetch(:property_name)
+        buildfile = files.find { |f| f.name == new_req.fetch(:file) }
+
+        PropertyValueUpdater.new(dependency_files: files).
+          update_files_for_property_change(
+            property_name: property_name,
+            callsite_buildfile: buildfile,
+            previous_value: old_req.fetch(:requirement),
+            updated_value: new_req.fetch(:requirement)
+          )
+      end
+
+      def update_files_for_dep_set_change(buildfiles, old_req, new_req)
+        files = buildfiles.dup
+        dependency_set = new_req.fetch(:metadata).fetch(:dependency_set)
+        buildfile = files.find { |f| f.name == new_req.fetch(:file) }
+
+        DependencySetUpdater.new(dependency_files: files).
+          update_files_for_dep_set_change(
+            dependency_set: dependency_set,
+            buildfile: buildfile,
+            previous_requirement: old_req.fetch(:requirement),
+            updated_requirement: new_req.fetch(:requirement)
+          )
+      end
+
+      def update_version_in_buildfile(dependency, buildfile, previous_req,
+                                      requirement)
+        updated_content =
+          buildfile.content.gsub(
+            original_buildfile_declaration(dependency, previous_req),
+            updated_buildfile_declaration(
+              dependency,
+              previous_req,
+              requirement
+            )
+          )
+
+        if updated_content == buildfile.content
+          raise "Expected content to change!"
+        end
+
+        updated_file(file: buildfile, content: updated_content)
+      end
+
+      def original_buildfile_declaration(dependency, requirement)
+        # This implementation is limited to declarations that appear on a
+        # single line.
+        buildfile = buildfiles.find { |f| f.name == requirement.fetch(:file) }
+        buildfile.content.lines.find do |line|
+          line = evaluate_properties(line, buildfile)
+          next false unless line.include?(dependency.name.split(":").first)
+          next false unless line.include?(dependency.name.split(":").last)
+
+          line.include?(requirement.fetch(:requirement))
+        end
+      end
+
+      def evaluate_properties(string, buildfile)
+        result = string.dup
+
+        string.scan(Gradle::FileParser::PROPERTY_REGEX) do
+          prop_name = Regexp.last_match.named_captures.fetch("property_name")
+          property_value = property_value_finder.property_value(
+            property_name: prop_name,
+            callsite_buildfile: buildfile
+          )
+          next unless property_value
+
+          result.sub!(Regexp.last_match.to_s, property_value)
+        end
+
+        result
+      end
+
+      def property_value_finder
+        @property_value_finder ||=
+          Gradle::FileParser::PropertyValueFinder.
+          new(dependency_files: dependency_files)
+      end
+
+      def updated_buildfile_declaration(dependency, previous_req, requirement)
+        original_req_string = previous_req.fetch(:requirement)
+
+        original_buildfile_declaration(dependency, previous_req).gsub(
+          original_req_string,
+          requirement.fetch(:requirement)
+        )
+      end
+
+      def buildfiles
+        @buildfiles ||=
+          dependency_files.select { |f| f.name.end_with?("build.gradle") }
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("gradle", Dependabot::Gradle::FileUpdater)

data/lib/dependabot/gradle/file_updater/dependency_set_updater.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_parser"
+require "dependabot/gradle/file_updater"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      class DependencySetUpdater
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def update_files_for_dep_set_change(dependency_set:,
+                                            buildfile:,
+                                            previous_requirement:,
+                                            updated_requirement:)
+          declaration_string =
+            original_declaration_string(dependency_set, buildfile)
+
+          return dependency_files unless declaration_string
+
+          updated_content = buildfile.content.sub(
+            declaration_string,
+            declaration_string.sub(
+              previous_requirement,
+              updated_requirement
+            )
+          )
+
+          updated_files = dependency_files.dup
+          updated_files[updated_files.index(buildfile)] =
+            update_file(file: buildfile, content: updated_content)
+
+          updated_files
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def original_declaration_string(dependency_set, buildfile)
+          regex = Gradle::FileParser::DEPENDENCY_SET_DECLARATION_REGEX
+          dependency_sets = []
+          buildfile.content.scan(regex) do
+            dependency_sets << Regexp.last_match.to_s
+          end
+
+          dependency_sets.find do |mtch|
+            next unless mtch.include?(dependency_set[:group])
+
+            mtch.include?(dependency_set[:version])
+          end
+        end
+
+        def update_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_updater/property_value_updater.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_updater"
+require "dependabot/gradle/file_parser/property_value_finder"
+
+module Dependabot
+  module Gradle
+    class FileUpdater
+      class PropertyValueUpdater
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def update_files_for_property_change(property_name:,
+                                             callsite_buildfile:,
+                                             previous_value:,
+                                             updated_value:)
+          declaration_details = property_value_finder.property_details(
+            property_name: property_name,
+            callsite_buildfile: callsite_buildfile
+          )
+          declaration_string = declaration_details.fetch(:declaration_string)
+          filename = declaration_details.fetch(:file)
+
+          file_to_update = dependency_files.find { |f| f.name == filename }
+          updated_content = file_to_update.content.sub(
+            declaration_string,
+            declaration_string.sub(previous_value, updated_value)
+          )
+
+          updated_files = dependency_files.dup
+          updated_files[updated_files.index(file_to_update)] =
+            update_file(file: file_to_update, content: updated_content)
+
+          updated_files
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def property_value_finder
+          @property_value_finder ||=
+            Gradle::FileParser::PropertyValueFinder.
+            new(dependency_files: dependency_files)
+        end
+
+        def update_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/metadata_finder.rb

@@ -0,0 +1,174 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/metadata_finders/base"
+require "dependabot/file_fetchers/base"
+require "dependabot/gradle/file_parser/repositories_finder"
+
+module Dependabot
+  module Gradle
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      DOT_SEPARATOR_REGEX = %r{\.(?:(?!\d+[.\/])+)}.freeze
+      PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/.freeze
+
+      private
+
+      def look_up_source
+        tmp_source = look_up_source_in_pom(dependency_pom_file)
+        return tmp_source if tmp_source
+
+        return unless (parent = parent_pom_file(dependency_pom_file))
+
+        tmp_source = look_up_source_in_pom(parent)
+        return unless tmp_source
+
+        artifact = dependency.name.split(":").last
+        return tmp_source if tmp_source.repo.end_with?(artifact)
+        return tmp_source if repo_has_subdir_for_dep?(tmp_source)
+      end
+
+      def repo_has_subdir_for_dep?(tmp_source)
+        @repo_has_subdir_for_dep ||= {}
+        if @repo_has_subdir_for_dep.key?(tmp_source)
+          return @repo_has_subdir_for_dep[tmp_source]
+        end
+
+        artifact = dependency.name.split(":").last
+        fetcher =
+          FileFetchers::Base.new(source: tmp_source, credentials: credentials)
+
+        @repo_has_subdir_for_dep[tmp_source] =
+          fetcher.send(:repo_contents, raise_errors: false).
+          select { |f| f.type == "dir" }.
+          any? { |f| artifact.end_with?(f.name) }
+      rescue Dependabot::RepoNotFound
+        @repo_has_subdir_for_dep[tmp_source] = false
+      end
+
+      def look_up_source_in_pom(pom)
+        potential_source_urls = [
+          pom.at_css("project > url")&.content,
+          pom.at_css("project > scm > url")&.content,
+          pom.at_css("project > issueManagement > url")&.content
+        ].compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        source_url ||= source_from_anywhere_in_pom(pom)
+        source_url = substitute_property_in_source_url(source_url, pom)
+
+        Source.from_url(source_url)
+      end
+
+      def substitute_property_in_source_url(source_url, pom)
+        return unless source_url
+        return source_url unless source_url.include?("${")
+
+        regex = PROPERTY_REGEX
+        property_name = source_url.match(regex).named_captures["property"]
+        doc = pom.dup
+        doc.remove_namespaces!
+        nm = property_name.sub(/^pom\./, "").sub(/^project\./, "")
+        property_value =
+          loop do
+            candidate_node =
+              doc.at_xpath("/project/#{nm}") ||
+              doc.at_xpath("/project/properties/#{nm}") ||
+              doc.at_xpath("/project/profiles/profile/properties/#{nm}")
+            break candidate_node.content if candidate_node
+            break unless nm.match?(DOT_SEPARATOR_REGEX)
+
+            nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
+          end
+
+        source_url.gsub("${#{property_name}}", property_value)
+      end
+
+      def source_from_anywhere_in_pom(pom)
+        github_urls = []
+        pom.to_s.scan(Source::SOURCE_REGEX) do
+          github_urls << Regexp.last_match.to_s
+        end
+
+        github_urls.find do |url|
+          repo = Source.from_url(url).repo
+          repo.end_with?(dependency.name.split(":").last)
+        end
+      end
+
+      def dependency_pom_file
+        return @dependency_pom_file unless @dependency_pom_file.nil?
+
+        artifact_id = dependency.name.split(":").last
+        response = Excon.get(
+          "#{maven_repo_dependency_url}/"\
+          "#{dependency.version}/"\
+          "#{artifact_id}-#{dependency.version}.pom",
+          headers: auth_details,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        @dependency_pom_file = Nokogiri::XML(response.body)
+      rescue Excon::Error::Timeout
+        @dependency_pom_file = Nokogiri::XML("")
+      end
+
+      def parent_pom_file(pom)
+        doc = pom.dup
+        doc.remove_namespaces!
+        group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
+        artifact_id =
+          doc.at_xpath("/project/parent/artifactId")&.content&.strip
+        version = doc.at_xpath("/project/parent/version")&.content&.strip
+
+        return unless artifact_id && group_id && version
+
+        response = Excon.get(
+          "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}/"\
+          "#{version}/"\
+          "#{artifact_id}-#{version}.pom",
+          headers: auth_details,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        Nokogiri::XML(response.body)
+      end
+
+      def maven_repo_url
+        source = dependency.requirements.
+                 find { |r| r&.fetch(:source) }&.fetch(:source)
+
+        source&.fetch(:url, nil) ||
+          source&.fetch("url") ||
+          Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+      end
+
+      def maven_repo_dependency_url
+        group_id, artifact_id = dependency.name.split(":")
+
+        "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
+      end
+
+      def auth_details
+        cred =
+          credentials.select { |c| c["type"] == "maven_repository" }.
+          find do |c|
+            cred_url = c.fetch("url").gsub(%r{/+$}, "")
+            next false unless cred_url == maven_repo_url
+
+            c.fetch("username", nil)
+          end
+
+        return {} unless cred
+
+        token = cred.fetch("username") + ":" + cred.fetch("password")
+        encoded_token = Base64.encode64(token).delete("\n")
+        { "Authorization" => "Basic #{encoded_token}" }
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("gradle", Dependabot::Gradle::MetadataFinder)