dependabot-gradle 0.100.2 → 0.101.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2690c8e6c1172133b41893186e775ef0419367fdbbc0d4491dce89007f196e03
-  data.tar.gz: be9c66085a9c25c1cfd41c22e192ec21c420b286768996b0d745cae13a0a5185
+  metadata.gz: 8c979db53e87cd19a2fb616e1b9201608af93320190277ceabd7ecd84c6673d1
+  data.tar.gz: a566aa43e2a11555af09edd1a3ebaead3bd96e642b28d2124dac8bcc26797d6c
 SHA512:
-  metadata.gz: 54e9991c23afacee6dfb2ccd52987725d76922002203402f6adfc435382b5e1d6f92285895bdcde74c326373ace6efaad8beb2cafc9926e4443ba2f58add8a74
-  data.tar.gz: 659f7995646b5692e25b3472b8bbc798897585f58367f74733f33da9595396da53bc56b7ec3bae98e3d5c580bca80536ff664d6a3687e83a7541a3b90f34dddd
+  metadata.gz: 8e3558fd561af7c84baa9fc633bfacff2c86be9fa75dd2f3d58e3438219c9e51d45bb0b7957265a21a60924b3506db4da712ea9c50c10e60a912d4f5106a6661
+  data.tar.gz: 57ffc24ba93500e931fdbaa88789342d89213fa517b9762506cdc012c97429dd97c0675c8cbe106fd6c43121c01db452220a97dd4fa2a1545568234a09c14864

data/lib/dependabot/gradle/update_checker.rb

@@ -27,6 +27,13 @@ module Dependabot
         latest_version
       end
 
+      def lowest_resolvable_security_fix_version
+        return nil if version_comes_from_multi_dependency_property?
+        return nil if version_comes_from_dependency_set?
+
+        lowest_security_fix_version_details&.fetch(:version)
+      end
+
       def latest_resolvable_version_with_no_unlock
         # Irrelevant, since Gradle has a single dependency file.
         #
@@ -45,8 +52,8 @@ module Dependabot
 
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: latest_version&.to_s,
-          source_url: latest_version_details&.fetch(:source_url),
+          latest_version: preferred_resolvable_version&.to_s,
+          source_url: preferred_version_details&.fetch(:source_url),
           properties_to_update: property_names
         ).updated_requirements
       end
@@ -84,16 +91,28 @@ module Dependabot
         super
       end
 
+      def preferred_version_details
+        return lowest_security_fix_version_details if vulnerable?
+
+        latest_version_details
+      end
+
       def latest_version_details
         @latest_version_details ||= version_finder.latest_version_details
       end
 
+      def lowest_security_fix_version_details
+        @lowest_security_fix_version_details ||=
+          version_finder.lowest_security_fix_version_details
+      end
+
       def version_finder
         @version_finder ||=
           VersionFinder.new(
             dependency: dependency,
             dependency_files: dependency_files,
-            ignored_versions: ignored_versions
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories
           )
       end
 

data/lib/dependabot/gradle/update_checker/multi_dependency_updater.rb

@@ -27,7 +27,8 @@ module Dependabot
               VersionFinder.new(
                 dependency: dep,
                 dependency_files: dependency_files,
-                ignored_versions: ignored_versions
+                ignored_versions: ignored_versions,
+                security_advisories: []
               ).versions.
                 map { |v| v.fetch(:version) }.
                 include?(target_version)
@@ -83,10 +84,6 @@ module Dependabot
                               dig(:metadata, :dependency_set)
         end
 
-        def pom
-          dependency_files.find { |f| f.name == "pom.xml" }
-        end
-
         def updated_requirements(dep)
           @updated_requirements ||= {}
           @updated_requirements[dep.name] ||=

data/lib/dependabot/gradle/update_checker/version_finder.rb

@@ -14,39 +14,36 @@ module Dependabot
         GOOGLE_MAVEN_REPO = "https://maven.google.com"
         TYPE_SUFFICES = %w(jre android java).freeze
 
-        def initialize(dependency:, dependency_files:, ignored_versions:)
-          @dependency = dependency
-          @dependency_files = dependency_files
-          @ignored_versions = ignored_versions
+        def initialize(dependency:, dependency_files:, ignored_versions:,
+                       security_advisories:)
+          @dependency          = dependency
+          @dependency_files    = dependency_files
+          @ignored_versions    = ignored_versions
+          @security_advisories = security_advisories
         end
 
         def latest_version_details
           possible_versions = versions
 
-          unless wants_prerelease?
-            possible_versions =
-              possible_versions.
-              reject { |v| v.fetch(:version).prerelease? }
-          end
+          possible_versions = filter_prereleases(possible_versions)
+          possible_versions = filter_date_based_versions(possible_versions)
+          possible_versions = filter_version_types(possible_versions)
+          possible_versions = filter_ignored_versions(possible_versions)
 
-          unless wants_date_based_version?
-            possible_versions =
-              possible_versions.
-              reject { |v| v.fetch(:version) > version_class.new(1900) }
-          end
+          possible_versions.last
+        end
 
-          possible_versions =
-            possible_versions.
-            select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+        def lowest_security_fix_version_details
+          possible_versions = versions
 
-          ignored_versions.each do |req|
-            ignore_req = Gradle::Requirement.new(req.split(","))
-            possible_versions =
-              possible_versions.
-              reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
-          end
+          possible_versions = filter_prereleases(possible_versions)
+          possible_versions = filter_date_based_versions(possible_versions)
+          possible_versions = filter_version_types(possible_versions)
+          possible_versions = filter_ignored_versions(possible_versions)
+          possible_versions = filter_vulnerable_versions(possible_versions)
+          possible_versions = filter_lower_versions(possible_versions)
 
-          possible_versions.last
+          possible_versions.first
         end
 
         def versions
@@ -65,7 +62,57 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :dependency_files, :ignored_versions
+        attr_reader :dependency, :dependency_files, :ignored_versions,
+                    :security_advisories
+
+        def filter_prereleases(possible_versions)
+          return possible_versions if wants_prerelease?
+
+          possible_versions.reject { |v| v.fetch(:version).prerelease? }
+        end
+
+        def filter_date_based_versions(possible_versions)
+          return possible_versions if wants_date_based_version?
+
+          possible_versions.
+            reject { |v| v.fetch(:version) > version_class.new(1900) }
+        end
+
+        def filter_version_types(possible_versions)
+          possible_versions.
+            select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+        end
+
+        def filter_ignored_versions(possible_versions)
+          versions_array = possible_versions
+
+          ignored_versions.each do |req|
+            ignore_req = Gradle::Requirement.new(req.split(","))
+            versions_array =
+              versions_array.
+              reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
+          end
+
+          versions_array
+        end
+
+        def filter_vulnerable_versions(possible_versions)
+          versions_array = possible_versions
+
+          security_advisories.each do |advisory|
+            versions_array =
+              versions_array.
+              reject { |v| advisory.vulnerable?(v.fetch(:version)) }
+          end
+
+          versions_array
+        end
+
+        def filter_lower_versions(possible_versions)
+          possible_versions.select do |v|
+            v.fetch(:version) > version_class.new(dependency.version)
+          end
+        end
 
         def wants_prerelease?
           return false unless dependency.version

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-  version: 0.100.2
+  version: 0.101.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.100.2
+        version: 0.101.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.100.2
+        version: 0.101.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement