dependabot-gradle 0.100.2 → 0.101.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2690c8e6c1172133b41893186e775ef0419367fdbbc0d4491dce89007f196e03
4
- data.tar.gz: be9c66085a9c25c1cfd41c22e192ec21c420b286768996b0d745cae13a0a5185
3
+ metadata.gz: 8c979db53e87cd19a2fb616e1b9201608af93320190277ceabd7ecd84c6673d1
4
+ data.tar.gz: a566aa43e2a11555af09edd1a3ebaead3bd96e642b28d2124dac8bcc26797d6c
5
5
  SHA512:
6
- metadata.gz: 54e9991c23afacee6dfb2ccd52987725d76922002203402f6adfc435382b5e1d6f92285895bdcde74c326373ace6efaad8beb2cafc9926e4443ba2f58add8a74
7
- data.tar.gz: 659f7995646b5692e25b3472b8bbc798897585f58367f74733f33da9595396da53bc56b7ec3bae98e3d5c580bca80536ff664d6a3687e83a7541a3b90f34dddd
6
+ metadata.gz: 8e3558fd561af7c84baa9fc633bfacff2c86be9fa75dd2f3d58e3438219c9e51d45bb0b7957265a21a60924b3506db4da712ea9c50c10e60a912d4f5106a6661
7
+ data.tar.gz: 57ffc24ba93500e931fdbaa88789342d89213fa517b9762506cdc012c97429dd97c0675c8cbe106fd6c43121c01db452220a97dd4fa2a1545568234a09c14864
@@ -27,6 +27,13 @@ module Dependabot
27
27
  latest_version
28
28
  end
29
29
 
30
+ def lowest_resolvable_security_fix_version
31
+ return nil if version_comes_from_multi_dependency_property?
32
+ return nil if version_comes_from_dependency_set?
33
+
34
+ lowest_security_fix_version_details&.fetch(:version)
35
+ end
36
+
30
37
  def latest_resolvable_version_with_no_unlock
31
38
  # Irrelevant, since Gradle has a single dependency file.
32
39
  #
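Review bot: `lowest_resolvable_security_fix_version` returns nil for multi-dependency properties and dependency sets without saying why, and nothing in the hunk ties the two guards to the security-fix path they protect. A one-line comment above the guards would carry that reasoning: `# A version shared via a property or dependency set can't be bumped for one dependency alone, so no fix version is offered` (the rationale is inferred from the predicate names, so confirm it against the rest of the checker). The enclosing class continues on both sides of this hunk.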
@@ -45,8 +52,8 @@ module Dependabot
45
52
 
46
53
  RequirementsUpdater.new(
47
54
  requirements: dependency.requirements,
48
- latest_version: latest_version&.to_s,
49
- source_url: latest_version_details&.fetch(:source_url),
55
+ latest_version: preferred_resolvable_version&.to_s,
56
+ source_url: preferred_version_details&.fetch(:source_url),
50
57
  properties_to_update: property_names
51
58
  ).updated_requirements
52
59
  end
@@ -84,16 +91,28 @@ module Dependabot
84
91
  super
85
92
  end
86
93
 
94
+ def preferred_version_details
95
+ return lowest_security_fix_version_details if vulnerable?
96
+
97
+ latest_version_details
98
+ end
99
+
87
100
  def latest_version_details
88
101
  @latest_version_details ||= version_finder.latest_version_details
89
102
  end
90
103
 
104
+ def lowest_security_fix_version_details
105
+ @lowest_security_fix_version_details ||=
106
+ version_finder.lowest_security_fix_version_details
107
+ end
108
+
91
109
  def version_finder
92
110
  @version_finder ||=
93
111
  VersionFinder.new(
94
112
  dependency: dependency,
95
113
  dependency_files: dependency_files,
96
- ignored_versions: ignored_versions
114
+ ignored_versions: ignored_versions,
115
+ security_advisories: security_advisories
97
116
  )
98
117
  end
99
118
 
@@ -27,7 +27,8 @@ module Dependabot
27
27
  VersionFinder.new(
28
28
  dependency: dep,
29
29
  dependency_files: dependency_files,
30
- ignored_versions: ignored_versions
30
+ ignored_versions: ignored_versions,
31
+ security_advisories: []
31
32
  ).versions.
32
33
  map { |v| v.fetch(:version) }.
33
34
  include?(target_version)
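Review bot: `security_advisories: []` hard-codes an empty advisory list, which reads as an oversight next to the update checker hunk above that forwards its real `security_advisories`. As far as this hunk shows, the finder is only asked for `.versions`, the unfiltered list, so advisories would never be consulted and the empty list is harmless, but that should be stated in the code: `# Only the raw version list is needed here, so advisories are not forwarded`. The enclosing method starts before this hunk's first visible line.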
@@ -83,10 +84,6 @@ module Dependabot
83
84
  dig(:metadata, :dependency_set)
84
85
  end
85
86
 
86
- def pom
87
- dependency_files.find { |f| f.name == "pom.xml" }
88
- end
89
-
90
87
  def updated_requirements(dep)
91
88
  @updated_requirements ||= {}
92
89
  @updated_requirements[dep.name] ||=
@@ -14,39 +14,36 @@ module Dependabot
14
14
  GOOGLE_MAVEN_REPO = "https://maven.google.com"
15
15
  TYPE_SUFFICES = %w(jre android java).freeze
16
16
 
17
- def initialize(dependency:, dependency_files:, ignored_versions:)
18
- @dependency = dependency
19
- @dependency_files = dependency_files
20
- @ignored_versions = ignored_versions
17
+ def initialize(dependency:, dependency_files:, ignored_versions:,
18
+ security_advisories:)
19
+ @dependency = dependency
20
+ @dependency_files = dependency_files
21
+ @ignored_versions = ignored_versions
22
+ @security_advisories = security_advisories
21
23
  end
22
24
 
23
25
  def latest_version_details
24
26
  possible_versions = versions
25
27
 
26
- unless wants_prerelease?
27
- possible_versions =
28
- possible_versions.
29
- reject { |v| v.fetch(:version).prerelease? }
30
- end
28
+ possible_versions = filter_prereleases(possible_versions)
29
+ possible_versions = filter_date_based_versions(possible_versions)
30
+ possible_versions = filter_version_types(possible_versions)
31
+ possible_versions = filter_ignored_versions(possible_versions)
31
32
 
32
- unless wants_date_based_version?
33
- possible_versions =
34
- possible_versions.
35
- reject { |v| v.fetch(:version) > version_class.new(1900) }
36
- end
33
+ possible_versions.last
34
+ end
37
35
 
38
- possible_versions =
39
- possible_versions.
40
- select { |v| matches_dependency_version_type?(v.fetch(:version)) }
36
+ def lowest_security_fix_version_details
37
+ possible_versions = versions
41
38
 
42
- ignored_versions.each do |req|
43
- ignore_req = Gradle::Requirement.new(req.split(","))
44
- possible_versions =
45
- possible_versions.
46
- reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
47
- end
39
+ possible_versions = filter_prereleases(possible_versions)
40
+ possible_versions = filter_date_based_versions(possible_versions)
41
+ possible_versions = filter_version_types(possible_versions)
42
+ possible_versions = filter_ignored_versions(possible_versions)
43
+ possible_versions = filter_vulnerable_versions(possible_versions)
44
+ possible_versions = filter_lower_versions(possible_versions)
48
45
 
49
- possible_versions.last
46
+ possible_versions.first
50
47
  end
51
48
 
52
49
  def versions
@@ -65,7 +62,57 @@ module Dependabot
65
62
 
66
63
  private
67
64
 
68
- attr_reader :dependency, :dependency_files, :ignored_versions
65
+ attr_reader :dependency, :dependency_files, :ignored_versions,
66
+ :security_advisories
67
+
68
+ def filter_prereleases(possible_versions)
69
+ return possible_versions if wants_prerelease?
70
+
71
+ possible_versions.reject { |v| v.fetch(:version).prerelease? }
72
+ end
73
+
74
+ def filter_date_based_versions(possible_versions)
75
+ return possible_versions if wants_date_based_version?
76
+
77
+ possible_versions.
78
+ reject { |v| v.fetch(:version) > version_class.new(1900) }
79
+ end
80
+
81
+ def filter_version_types(possible_versions)
82
+ possible_versions.
83
+ select { |v| matches_dependency_version_type?(v.fetch(:version)) }
84
+ end
85
+
86
+ def filter_ignored_versions(possible_versions)
87
+ versions_array = possible_versions
88
+
89
+ ignored_versions.each do |req|
90
+ ignore_req = Gradle::Requirement.new(req.split(","))
91
+ versions_array =
92
+ versions_array.
93
+ reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
94
+ end
95
+
96
+ versions_array
97
+ end
98
+
99
+ def filter_vulnerable_versions(possible_versions)
100
+ versions_array = possible_versions
101
+
102
+ security_advisories.each do |advisory|
103
+ versions_array =
104
+ versions_array.
105
+ reject { |v| advisory.vulnerable?(v.fetch(:version)) }
106
+ end
107
+
108
+ versions_array
109
+ end
110
+
111
+ def filter_lower_versions(possible_versions)
112
+ possible_versions.select do |v|
113
+ v.fetch(:version) > version_class.new(dependency.version)
114
+ end
115
+ end
69
116
 
70
117
  def wants_prerelease?
71
118
  return false unless dependency.version
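Review bot: `filter_lower_versions` builds `version_class.new(dependency.version)` without checking that `dependency.version` is set, while `wants_prerelease?` at the end of this hunk guards exactly that case with `return false unless dependency.version`. When the version is nil that constructor will presumably raise rather than compare, so `lowest_security_fix_version_details` from the previous hunk would fail for a dependency whose current version is unknown. A guard mirroring the existing one, `return possible_versions unless dependency.version`, keeps the filter a no-op in that case and still yields the lowest non-vulnerable candidate. The new `lowest_security_fix_version_details` would also benefit from a one-line comment stating that it returns the lowest non-vulnerable version above the current one, or nil when none exists. `wants_prerelease?` continues past the end of the hunk.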
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-gradle
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.100.2
4
+ version: 0.101.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.100.2
19
+ version: 0.101.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.100.2
26
+ version: 0.101.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement