RubyGems - dependabot-gradle - Versions diffs - 0.100.2 → 0.101.0 - Mend

dependabot-gradle 0.100.2 → 0.101.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/gradle/update_checker.rb +22 -3
data/lib/dependabot/gradle/update_checker/multi_dependency_updater.rb +2 -5
data/lib/dependabot/gradle/update_checker/version_finder.rb +72 -25
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2690c8e6c1172133b41893186e775ef0419367fdbbc0d4491dce89007f196e03
-  data.tar.gz: be9c66085a9c25c1cfd41c22e192ec21c420b286768996b0d745cae13a0a5185
+  metadata.gz: 8c979db53e87cd19a2fb616e1b9201608af93320190277ceabd7ecd84c6673d1
+  data.tar.gz: a566aa43e2a11555af09edd1a3ebaead3bd96e642b28d2124dac8bcc26797d6c
 SHA512:
-  metadata.gz: 54e9991c23afacee6dfb2ccd52987725d76922002203402f6adfc435382b5e1d6f92285895bdcde74c326373ace6efaad8beb2cafc9926e4443ba2f58add8a74
-  data.tar.gz: 659f7995646b5692e25b3472b8bbc798897585f58367f74733f33da9595396da53bc56b7ec3bae98e3d5c580bca80536ff664d6a3687e83a7541a3b90f34dddd
+  metadata.gz: 8e3558fd561af7c84baa9fc633bfacff2c86be9fa75dd2f3d58e3438219c9e51d45bb0b7957265a21a60924b3506db4da712ea9c50c10e60a912d4f5106a6661
+  data.tar.gz: 57ffc24ba93500e931fdbaa88789342d89213fa517b9762506cdc012c97429dd97c0675c8cbe106fd6c43121c01db452220a97dd4fa2a1545568234a09c14864

data/lib/dependabot/gradle/update_checker.rb CHANGED Viewed

@@ -27,6 +27,13 @@ module Dependabot
         latest_version
       end
+      def lowest_resolvable_security_fix_version
+        return nil if version_comes_from_multi_dependency_property?
+        return nil if version_comes_from_dependency_set?
+        lowest_security_fix_version_details&.fetch(:version)
+      end
       def latest_resolvable_version_with_no_unlock
         # Irrelevant, since Gradle has a single dependency file.
         #
@@ -45,8 +52,8 @@ module Dependabot
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: latest_version&.to_s,
-          source_url: latest_version_details&.fetch(:source_url),
+          latest_version: preferred_resolvable_version&.to_s,
+          source_url: preferred_version_details&.fetch(:source_url),
           properties_to_update: property_names
         ).updated_requirements
       end
@@ -84,16 +91,28 @@ module Dependabot
         super
       end
+      def preferred_version_details
+        return lowest_security_fix_version_details if vulnerable?
+        latest_version_details
+      end
       def latest_version_details
         @latest_version_details ||= version_finder.latest_version_details
       end
+      def lowest_security_fix_version_details
+        @lowest_security_fix_version_details ||=
+          version_finder.lowest_security_fix_version_details
+      end
       def version_finder
         @version_finder ||=
           VersionFinder.new(
             dependency: dependency,
             dependency_files: dependency_files,
-            ignored_versions: ignored_versions
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories
           )
       end

data/lib/dependabot/gradle/update_checker/multi_dependency_updater.rb CHANGED Viewed

@@ -27,7 +27,8 @@ module Dependabot
               VersionFinder.new(
                 dependency: dep,
                 dependency_files: dependency_files,
-                ignored_versions: ignored_versions
+                ignored_versions: ignored_versions,
+                security_advisories: []
               ).versions.
                 map { |v| v.fetch(:version) }.
                 include?(target_version)
@@ -83,10 +84,6 @@ module Dependabot
                               dig(:metadata, :dependency_set)
         end
-        def pom
-          dependency_files.find { |f| f.name == "pom.xml" }
-        end
         def updated_requirements(dep)
           @updated_requirements ||= {}
           @updated_requirements[dep.name] ||=

data/lib/dependabot/gradle/update_checker/version_finder.rb CHANGED Viewed

@@ -14,39 +14,36 @@ module Dependabot
         GOOGLE_MAVEN_REPO = "https://maven.google.com"
         TYPE_SUFFICES = %w(jre android java).freeze
-        def initialize(dependency:, dependency_files:, ignored_versions:)
-          @dependency = dependency
-          @dependency_files = dependency_files
-          @ignored_versions = ignored_versions
+        def initialize(dependency:, dependency_files:, ignored_versions:,
+                       security_advisories:)
+          @dependency          = dependency
+          @dependency_files    = dependency_files
+          @ignored_versions    = ignored_versions
+          @security_advisories = security_advisories
         end
         def latest_version_details
           possible_versions = versions
-          unless wants_prerelease?
-            possible_versions =
-              possible_versions.
-              reject { |v| v.fetch(:version).prerelease? }
-          end
+          possible_versions = filter_prereleases(possible_versions)
+          possible_versions = filter_date_based_versions(possible_versions)
+          possible_versions = filter_version_types(possible_versions)
+          possible_versions = filter_ignored_versions(possible_versions)
-          unless wants_date_based_version?
-            possible_versions =
-              possible_versions.
-              reject { |v| v.fetch(:version) > version_class.new(1900) }
-          end
+          possible_versions.last
+        end
-          possible_versions =
-            possible_versions.
-            select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+        def lowest_security_fix_version_details
+          possible_versions = versions
-          ignored_versions.each do |req|
-            ignore_req = Gradle::Requirement.new(req.split(","))
-            possible_versions =
-              possible_versions.
-              reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
-          end
+          possible_versions = filter_prereleases(possible_versions)
+          possible_versions = filter_date_based_versions(possible_versions)
+          possible_versions = filter_version_types(possible_versions)
+          possible_versions = filter_ignored_versions(possible_versions)
+          possible_versions = filter_vulnerable_versions(possible_versions)
+          possible_versions = filter_lower_versions(possible_versions)
-          possible_versions.last
+          possible_versions.first
         end
         def versions
@@ -65,7 +62,57 @@ module Dependabot
         private
-        attr_reader :dependency, :dependency_files, :ignored_versions
+        attr_reader :dependency, :dependency_files, :ignored_versions,
+                    :security_advisories
+        def filter_prereleases(possible_versions)
+          return possible_versions if wants_prerelease?
+          possible_versions.reject { |v| v.fetch(:version).prerelease? }
+        end
+        def filter_date_based_versions(possible_versions)
+          return possible_versions if wants_date_based_version?
+          possible_versions.
+            reject { |v| v.fetch(:version) > version_class.new(1900) }
+        end
+        def filter_version_types(possible_versions)
+          possible_versions.
+            select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+        end
+        def filter_ignored_versions(possible_versions)
+          versions_array = possible_versions
+          ignored_versions.each do |req|
+            ignore_req = Gradle::Requirement.new(req.split(","))
+            versions_array =
+              versions_array.
+              reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
+          end
+          versions_array
+        end
+        def filter_vulnerable_versions(possible_versions)
+          versions_array = possible_versions
+          security_advisories.each do |advisory|
+            versions_array =
+              versions_array.
+              reject { |v| advisory.vulnerable?(v.fetch(:version)) }
+          end
+          versions_array
+        end
+        def filter_lower_versions(possible_versions)
+          possible_versions.select do |v|
+            v.fetch(:version) > version_class.new(dependency.version)
+          end
+        end
         def wants_prerelease?
           return false unless dependency.version

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-  version: 0.100.2
+  version: 0.101.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.100.2
+        version: 0.101.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.100.2
+        version: 0.101.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement