dependabot-gradle 0.84.0

data/lib/dependabot/gradle/requirement.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/gradle/version"
+
+module Dependabot
+  module Gradle
+    class Requirement < Gem::Requirement
+      quoted = OPS.keys.map { |k| Regexp.quote k }.join("|")
+      PATTERN_RAW =
+        "\\s*(#{quoted})?\\s*(#{Gradle::Version::VERSION_PATTERN})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+
+      def self.parse(obj)
+        return ["=", Gradle::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Gradle::Version.new(matches[2])]
+      end
+
+      def self.requirements_array(requirement_string)
+        split_java_requirement(requirement_string).map do |str|
+          new(str)
+        end
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          convert_java_constraint_to_ruby_constraint(req_string)
+        end
+
+        super(requirements)
+      end
+
+      def satisfied_by?(version)
+        version = Gradle::Version.new(version.to_s)
+        super
+      end
+
+      private
+
+      def self.split_java_requirement(req_string)
+        req_string.split(/(?<=\]|\)),/).flat_map do |str|
+          next str if str.start_with?("(", "[")
+
+          exacts, *rest = str.split(/,(?=\[|\()/)
+          [*exacts.split(","), *rest]
+        end
+      end
+      private_class_method :split_java_requirement
+
+      def convert_java_constraint_to_ruby_constraint(req_string)
+        return unless req_string
+
+        if self.class.send(:split_java_requirement, req_string).count > 1
+          raise "Can't convert multiple Java reqs to a single Ruby one"
+        end
+
+        if req_string&.include?(",")
+          return convert_java_range_to_ruby_range(req_string)
+        end
+
+        convert_java_equals_req_to_ruby(req_string)
+      end
+
+      def convert_java_range_to_ruby_range(req_string)
+        lower_b, upper_b = req_string.split(",").map(&:strip)
+
+        lower_b =
+          if ["(", "["].include?(lower_b) then nil
+          elsif lower_b.start_with?("(") then "> #{lower_b.sub(/\(\s*/, '')}"
+          else ">= #{lower_b.sub(/\[\s*/, '').strip}"
+          end
+
+        upper_b =
+          if [")", "]"].include?(upper_b) then nil
+          elsif upper_b.end_with?(")") then "< #{upper_b.sub(/\s*\)/, '')}"
+          else "<= #{upper_b.sub(/\s*\]/, '').strip}"
+          end
+
+        [lower_b, upper_b].compact
+      end
+
+      def convert_java_equals_req_to_ruby(req_string)
+        return convert_wildcard_req(req_string) if req_string&.include?("+")
+
+        # If a soft requirement is being used, treat it as an equality matcher
+        return req_string unless req_string&.start_with?("[")
+
+        req_string.gsub(/[\[\]\(\)]/, "")
+      end
+
+      def convert_wildcard_req(req_string)
+        version = req_string.gsub(/(?:\.|^)\+/, "")
+        return ">= 0" if version.empty?
+
+        "~> #{version}.0"
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("gradle", Dependabot::Gradle::Requirement)

data/lib/dependabot/gradle/update_checker.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/gradle/file_parser"
+
+module Dependabot
+  module Gradle
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_finder"
+      require_relative "update_checker/multi_dependency_updater"
+
+      def latest_version
+        latest_version_details&.fetch(:version)
+      end
+
+      def latest_resolvable_version
+        # TODO: Resolve the build.gradle to find the latest version we could
+        # update to without updating any other dependencies at the same time.
+        #
+        # The above is hard. Currently we just return the latest version and
+        # hope (hence this package manager is in beta!)
+        return nil if version_comes_from_multi_dependency_property?
+        return nil if version_comes_from_dependency_set?
+
+        latest_version
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        # Irrelevant, since Gradle has a single dependency file.
+        #
+        # For completeness we ought to resolve the build.gradle and return the
+        # latest version that satisfies the current constraint AND any
+        # constraints placed on it by other dependencies. Seeing as we're
+        # never going to take any action as a result, though, we just return
+        # nil.
+        nil
+      end
+
+      def updated_requirements
+        property_names =
+          declarations_using_a_property.
+          map { |req| req.dig(:metadata, :property_name) }
+
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_version: latest_version&.to_s,
+          source_url: latest_version_details&.fetch(:source_url),
+          properties_to_update: property_names
+        ).updated_requirements
+      end
+
+      def requirements_unlocked_or_can_be?
+        # If the dependency version come from a property we couldn't
+        # interpolate then there's nothing we can do.
+        !dependency.version.include?("$")
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        unless version_comes_from_multi_dependency_property? ||
+               version_comes_from_dependency_set?
+          return false
+        end
+
+        multi_dependency_updater.update_possible?
+      end
+
+      def updated_dependencies_after_full_unlock
+        multi_dependency_updater.updated_dependencies
+      end
+
+      def numeric_version_up_to_date?
+        return false unless version_class.correct?(dependency.version)
+
+        super
+      end
+
+      def numeric_version_can_update?(requirements_to_unlock:)
+        return false unless version_class.correct?(dependency.version)
+
+        super
+      end
+
+      def latest_version_details
+        @latest_version_details ||= version_finder.latest_version_details
+      end
+
+      def version_finder
+        @version_finder ||=
+          VersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            ignored_versions: ignored_versions
+          )
+      end
+
+      def multi_dependency_updater
+        @multi_dependency_updater ||=
+          MultiDependencyUpdater.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            target_version_details: latest_version_details,
+            ignored_versions: ignored_versions
+          )
+      end
+
+      def version_comes_from_multi_dependency_property?
+        declarations_using_a_property.any? do |requirement|
+          property_name = requirement.fetch(:metadata).fetch(:property_name)
+
+          all_property_based_dependencies.any? do |dep|
+            next false if dep.name == dependency.name
+
+            dep.requirements.any? do |req|
+              req.dig(:metadata, :property_name) == property_name
+            end
+          end
+        end
+      end
+
+      def version_comes_from_dependency_set?
+        dependency.requirements.any? do |req|
+          req.dig(:metadata, :dependency_set)
+        end
+      end
+
+      def declarations_using_a_property
+        @declarations_using_a_property ||=
+          dependency.requirements.
+          select { |req| req.dig(:metadata, :property_name) }
+      end
+
+      def all_property_based_dependencies
+        @all_property_based_dependencies ||=
+          Gradle::FileParser.new(
+            dependency_files: dependency_files,
+            source: nil
+          ).parse.select do |dep|
+            dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
+          end
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.register("gradle", Dependabot::Gradle::UpdateChecker)

data/lib/dependabot/gradle/update_checker/multi_dependency_updater.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_parser"
+require "dependabot/gradle/update_checker"
+
+module Dependabot
+  module Gradle
+    class UpdateChecker
+      class MultiDependencyUpdater
+        require_relative "version_finder"
+        require_relative "requirements_updater"
+
+        def initialize(dependency:, dependency_files:,
+                       target_version_details:, ignored_versions:)
+          @dependency       = dependency
+          @dependency_files = dependency_files
+          @target_version   = target_version_details&.fetch(:version)
+          @source_url       = target_version_details&.fetch(:source_url)
+          @ignored_versions = ignored_versions
+        end
+
+        def update_possible?
+          return false unless target_version
+
+          @update_possible ||=
+            dependencies_to_update.all? do |dep|
+              VersionFinder.new(
+                dependency: dep,
+                dependency_files: dependency_files,
+                ignored_versions: ignored_versions
+              ).versions.
+                map { |v| v.fetch(:version) }.
+                include?(target_version)
+            end
+        end
+
+        def updated_dependencies
+          raise "Update not possible!" unless update_possible?
+
+          @updated_dependencies ||=
+            dependencies_to_update.map do |dep|
+              Dependency.new(
+                name: dep.name,
+                version: target_version.to_s,
+                requirements: updated_requirements(dep),
+                previous_version: dep.version,
+                previous_requirements: dep.requirements,
+                package_manager: dep.package_manager
+              )
+            end
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :target_version,
+                    :source_url, :ignored_versions
+
+        def dependencies_to_update
+          @dependencies_to_update ||=
+            Gradle::FileParser.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select do |dep|
+              dep.requirements.any? do |r|
+                tmp_p_name = r.dig(:metadata, :property_name)
+                tmp_dep_set = r.dig(:metadata, :dependency_set)
+                next true if property_name && tmp_p_name == property_name
+
+                dependency_set && tmp_dep_set == dependency_set
+              end
+            end
+        end
+
+        def property_name
+          @property_name ||= dependency.requirements.
+                             find { |r| r.dig(:metadata, :property_name) }&.
+                             dig(:metadata, :property_name)
+        end
+
+        def dependency_set
+          @dependency_set ||= dependency.requirements.
+                              find { |r| r.dig(:metadata, :dependency_set) }&.
+                              dig(:metadata, :dependency_set)
+        end
+
+        def pom
+          dependency_files.find { |f| f.name == "pom.xml" }
+        end
+
+        def updated_requirements(dep)
+          @updated_requirements ||= {}
+          @updated_requirements[dep.name] ||=
+            RequirementsUpdater.new(
+              requirements: dep.requirements,
+              latest_version: target_version.to_s,
+              source_url: source_url,
+              properties_to_update: [property_name].compact
+            ).updated_requirements
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/update_checker/requirements_updater.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+#######################################################
+# For more details on Maven version constraints, see: #
+# https://maven.apache.org/pom.html#Dependencies      #
+#######################################################
+
+require "dependabot/gradle/update_checker"
+require "dependabot/gradle/version"
+require "dependabot/gradle/requirement"
+
+module Dependabot
+  module Gradle
+    class UpdateChecker
+      class RequirementsUpdater
+        def initialize(requirements:, latest_version:, source_url:,
+                       properties_to_update:)
+          @requirements = requirements
+          @source_url = source_url
+          @properties_to_update = properties_to_update
+          return unless latest_version
+
+          @latest_version = version_class.new(latest_version)
+        end
+
+        def updated_requirements
+          return requirements unless latest_version
+
+          # Note: Order is important here. The FileUpdater needs the updated
+          # requirement at index `i` to correspond to the previous requirement
+          # at the same index.
+          requirements.map do |req|
+            next req if req.fetch(:requirement).nil?
+            next req if req.fetch(:requirement).include?(",")
+
+            property_name = req.dig(:metadata, :property_name)
+            if property_name && !properties_to_update.include?(property_name)
+              next req
+            end
+
+            new_req = update_requirement(req[:requirement])
+            req.merge(requirement: new_req, source: updated_source)
+          end
+        end
+
+        private
+
+        attr_reader :requirements, :latest_version, :source_url,
+                    :properties_to_update
+
+        def update_requirement(req_string)
+          if req_string.include?(".+")
+            update_dynamic_requirement(req_string)
+          else
+            # Since range requirements are excluded this must be exact
+            update_exact_requirement(req_string)
+          end
+        end
+
+        def update_exact_requirement(req_string)
+          old_version = requirement_class.new(req_string).
+                        requirements.first.last
+          req_string.gsub(old_version.to_s, latest_version.to_s)
+        end
+
+        # This is really only a Gradle thing, but Gradle relies on this
+        # RequirementsUpdater too
+        def update_dynamic_requirement(req_string)
+          precision = req_string.split(".").take_while { |s| s != "+" }.count
+
+          version_parts = latest_version.segments.first(precision)
+
+          version_parts.join(".") + ".+"
+        end
+
+        def version_class
+          Gradle::Version
+        end
+
+        def requirement_class
+          Gradle::Requirement
+        end
+
+        def updated_source
+          { type: "maven_repo", url: source_url }
+        end
+      end
+    end
+  end
+end