dependabot-gradle 0.100.2 → 0.101.0
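--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8c979db53e87cd19a2fb616e1b9201608af93320190277ceabd7ecd84c6673d1
+data.tar.gz: a566aa43e2a11555af09edd1a3ebaead3bd96e642b28d2124dac8bcc26797d6c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8e3558fd561af7c84baa9fc633bfacff2c86be9fa75dd2f3d58e3438219c9e51d45bb0b7957265a21a60924b3506db4da712ea9c50c10e60a912d4f5106a6661
+data.tar.gz: 57ffc24ba93500e931fdbaa88789342d89213fa517b9762506cdc012c97429dd97c0675c8cbe106fd6c43121c01db452220a97dd4fa2a1545568234a09c14864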
@@ -27,6 +27,13 @@ module Dependabot
|
|
27
27
|
latest_version
|
28
28
|
end
|
29
29
|
|
30
|
+
def lowest_resolvable_security_fix_version
|
31
|
+
return nil if version_comes_from_multi_dependency_property?
|
32
|
+
return nil if version_comes_from_dependency_set?
|
33
|
+
|
34
|
+
lowest_security_fix_version_details&.fetch(:version)
|
35
|
+
end
|
36
|
+
|
30
37
|
def latest_resolvable_version_with_no_unlock
|
31
38
|
# Irrelevant, since Gradle has a single dependency file.
|
32
39
|
#
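Review bot: The two guard lines in `lowest_resolvable_security_fix_version` decline a security fix silently for a dependency whose version comes from a multi-dependency property or a dependency set, and nothing records why, so a reader cannot tell a deliberate limitation from a missed case. A vulnerable dependency in either situation simply gets no security update and no signal. A comment on the guards would make the decision visible, e.g. `# No security fix is proposed when the version is shared by several dependencies (multi-dependency property or dependency set); presumably because a fix for one of them need not exist for the others.` If these cases are meant to be handled later, a TODO on the same lines keeps the gap from being forgotten; the stated reason is inferred from the surrounding checker and should be adjusted to the real rationale.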
|
@@ -45,8 +52,8 @@ module Dependabot
|
|
45
52
|
|
46
53
|
RequirementsUpdater.new(
|
47
54
|
requirements: dependency.requirements,
|
48
|
-
latest_version:
|
49
|
-
source_url:
|
55
|
+
latest_version: preferred_resolvable_version&.to_s,
|
56
|
+
source_url: preferred_version_details&.fetch(:source_url),
|
50
57
|
properties_to_update: property_names
|
51
58
|
).updated_requirements
|
52
59
|
end
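Review bot: The two new keyword arguments are sourced from different accessors and can disagree: `latest_version` comes from `preferred_resolvable_version` (not defined in this diff; presumably the base checker choosing the security-fix version when vulnerable), which in this checker yields nil for multi-dependency-property and dependency-set versions, whereas `source_url` comes from `preferred_version_details`, which applies no such guard. For a vulnerable dependency in one of those cases the requirements updater is therefore handed `latest_version: nil` together with the `source_url` of a fix it is not being asked to apply. Guarding the second argument the same way, `source_url: preferred_resolvable_version && preferred_version_details&.fetch(:source_url),` keeps the pair consistent. The enclosing method starts before this hunk, so whether it already returns early on a nil version cannot be seen here.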
|
@@ -84,16 +91,28 @@ module Dependabot
|
|
84
91
|
super
|
85
92
|
end
|
86
93
|
|
94
|
+
def preferred_version_details
|
95
|
+
return lowest_security_fix_version_details if vulnerable?
|
96
|
+
|
97
|
+
latest_version_details
|
98
|
+
end
|
99
|
+
|
87
100
|
def latest_version_details
|
88
101
|
@latest_version_details ||= version_finder.latest_version_details
|
89
102
|
end
|
90
103
|
|
104
|
+
def lowest_security_fix_version_details
|
105
|
+
@lowest_security_fix_version_details ||=
|
106
|
+
version_finder.lowest_security_fix_version_details
|
107
|
+
end
|
108
|
+
|
91
109
|
def version_finder
|
92
110
|
@version_finder ||=
|
93
111
|
VersionFinder.new(
|
94
112
|
dependency: dependency,
|
95
113
|
dependency_files: dependency_files,
|
96
|
-
ignored_versions: ignored_versions
|
114
|
+
ignored_versions: ignored_versions,
|
115
|
+
security_advisories: security_advisories
|
97
116
|
)
|
98
117
|
end
|
99
118
|
|
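Review bot: `@lowest_security_fix_version_details ||= …` does not cache a nil result, so whenever no fix version exists (the finder's filters leave nothing) every call re-runs the whole filter pipeline and whatever `versions` does behind it, which is not shown in this diff. Memoizing with `defined?` keeps the single-evaluation guarantee for the nil case too: `return @lowest_security_fix_version_details if defined?(@lowest_security_fix_version_details)` followed by `@lowest_security_fix_version_details = version_finder.lowest_security_fix_version_details`. The pre-existing `latest_version_details` memo has the same shape but is not part of this change. Separately, `preferred_version_details` does not fall back to `latest_version_details` when the dependency is vulnerable and no fix is found; that looks intentional (not upgrading to a still-vulnerable latest), and a one-line comment such as `# vulnerable with no fix available: propose nothing rather than the latest release` would stop a later maintainer from "fixing" it.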
@@ -27,7 +27,8 @@ module Dependabot
|
|
27
27
|
VersionFinder.new(
|
28
28
|
dependency: dep,
|
29
29
|
dependency_files: dependency_files,
|
30
|
-
ignored_versions: ignored_versions
|
30
|
+
ignored_versions: ignored_versions,
|
31
|
+
security_advisories: []
|
31
32
|
).versions.
|
32
33
|
map { |v| v.fetch(:version) }.
|
33
34
|
include?(target_version)
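Review bot: Passing `security_advisories: []` to the finder here drops the advisories the checker was given, so the membership test on `target_version` can never reject a target that is itself inside an advisory's vulnerable range. That appears intentional, since the checker declines security fixes for multi-dependency properties altogether (`lowest_resolvable_security_fix_version` returns nil for them) and this updater is presumably only reached on the latest-version path, but the coupling between those two decisions lives in different methods and is invisible at this call site. Recording it on the argument is cheap: `security_advisories: [] # security fixes are not attempted for multi-dependency properties; see UpdateChecker#lowest_resolvable_security_fix_version`. The enclosing method starts before this hunk.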
|
@@ -83,10 +84,6 @@ module Dependabot
|
|
83
84
|
dig(:metadata, :dependency_set)
|
84
85
|
end
|
85
86
|
|
86
|
-
def pom
|
87
|
-
dependency_files.find { |f| f.name == "pom.xml" }
|
88
|
-
end
|
89
|
-
|
90
87
|
def updated_requirements(dep)
|
91
88
|
@updated_requirements ||= {}
|
92
89
|
@updated_requirements[dep.name] ||=
|
@@ -14,39 +14,36 @@ module Dependabot
|
|
14
14
|
GOOGLE_MAVEN_REPO = "https://maven.google.com"
|
15
15
|
TYPE_SUFFICES = %w(jre android java).freeze
|
16
16
|
|
17
|
-
def initialize(dependency:, dependency_files:, ignored_versions
|
18
|
-
|
19
|
-
@
|
20
|
-
@
|
17
|
+
def initialize(dependency:, dependency_files:, ignored_versions:,
|
18
|
+
security_advisories:)
|
19
|
+
@dependency = dependency
|
20
|
+
@dependency_files = dependency_files
|
21
|
+
@ignored_versions = ignored_versions
|
22
|
+
@security_advisories = security_advisories
|
21
23
|
end
|
22
24
|
|
23
25
|
def latest_version_details
|
24
26
|
possible_versions = versions
|
25
27
|
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
end
|
28
|
+
possible_versions = filter_prereleases(possible_versions)
|
29
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
30
|
+
possible_versions = filter_version_types(possible_versions)
|
31
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
31
32
|
|
32
|
-
|
33
|
-
|
34
|
-
possible_versions.
|
35
|
-
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
36
|
-
end
|
33
|
+
possible_versions.last
|
34
|
+
end
|
37
35
|
|
38
|
-
|
39
|
-
|
40
|
-
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
36
|
+
def lowest_security_fix_version_details
|
37
|
+
possible_versions = versions
|
41
38
|
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
39
|
+
possible_versions = filter_prereleases(possible_versions)
|
40
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
41
|
+
possible_versions = filter_version_types(possible_versions)
|
42
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
43
|
+
possible_versions = filter_vulnerable_versions(possible_versions)
|
44
|
+
possible_versions = filter_lower_versions(possible_versions)
|
48
45
|
|
49
|
-
possible_versions.
|
46
|
+
possible_versions.first
|
50
47
|
end
|
51
48
|
|
52
49
|
def versions
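Review bot: `lowest_security_fix_version_details` takes `possible_versions.first` after filtering and `latest_version_details` takes `.last`, so both silently depend on `versions` (whose body starts after this hunk) yielding ascending order; if that ordering is ever lost, the security path would propose a higher fix than necessary and the latest path an older release, with no error raised. Selecting by the version object makes the choice order-independent at no real cost: `possible_versions.min_by { |v| v.fetch(:version) }` and `possible_versions.max_by { |v| v.fetch(:version) }`. If `versions` is documented as sorted, a comment on the two lines stating that assumption is the minimum a reader needs.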
|
@@ -65,7 +62,57 @@ module Dependabot
|
|
65
62
|
|
66
63
|
private
|
67
64
|
|
68
|
-
attr_reader :dependency, :dependency_files, :ignored_versions
|
65
|
+
attr_reader :dependency, :dependency_files, :ignored_versions,
|
66
|
+
:security_advisories
|
67
|
+
|
68
|
+
def filter_prereleases(possible_versions)
|
69
|
+
return possible_versions if wants_prerelease?
|
70
|
+
|
71
|
+
possible_versions.reject { |v| v.fetch(:version).prerelease? }
|
72
|
+
end
|
73
|
+
|
74
|
+
def filter_date_based_versions(possible_versions)
|
75
|
+
return possible_versions if wants_date_based_version?
|
76
|
+
|
77
|
+
possible_versions.
|
78
|
+
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
79
|
+
end
|
80
|
+
|
81
|
+
def filter_version_types(possible_versions)
|
82
|
+
possible_versions.
|
83
|
+
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
84
|
+
end
|
85
|
+
|
86
|
+
def filter_ignored_versions(possible_versions)
|
87
|
+
versions_array = possible_versions
|
88
|
+
|
89
|
+
ignored_versions.each do |req|
|
90
|
+
ignore_req = Gradle::Requirement.new(req.split(","))
|
91
|
+
versions_array =
|
92
|
+
versions_array.
|
93
|
+
reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
|
94
|
+
end
|
95
|
+
|
96
|
+
versions_array
|
97
|
+
end
|
98
|
+
|
99
|
+
def filter_vulnerable_versions(possible_versions)
|
100
|
+
versions_array = possible_versions
|
101
|
+
|
102
|
+
security_advisories.each do |advisory|
|
103
|
+
versions_array =
|
104
|
+
versions_array.
|
105
|
+
reject { |v| advisory.vulnerable?(v.fetch(:version)) }
|
106
|
+
end
|
107
|
+
|
108
|
+
versions_array
|
109
|
+
end
|
110
|
+
|
111
|
+
def filter_lower_versions(possible_versions)
|
112
|
+
possible_versions.select do |v|
|
113
|
+
v.fetch(:version) > version_class.new(dependency.version)
|
114
|
+
end
|
115
|
+
end
|
69
116
|
|
70
117
|
def wants_prerelease?
|
71
118
|
return false unless dependency.version
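Review bot: `filter_lower_versions` calls `version_class.new(dependency.version)` unconditionally, yet `wants_prerelease?` immediately below guards against `dependency.version` being nil, so a dependency with no current version that reaches the security-fix path ends up in `version_class.new(nil)` — at best a deprecation warning and a comparison against version 0, at worst an ArgumentError, depending on `version_class` (not shown here). Adding the same guard at the top of the method, `return possible_versions unless dependency.version`, keeps the filters consistent and lets the fix search fall through to the lowest non-vulnerable candidate, which is at least as safe as raising. A short comment on the method, `# keep only candidates above the current version: a security fix must move forward`, would also make its role in the pipeline clear.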
|
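--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-gradle
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.101.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.101.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.101.0
 - !ruby/object:Gem::Dependency
 name: byebug
 requirement: !ruby/object:Gem::Requirement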