dependabot-gradle 0.84.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9255569d1d2be72d9e6fcfce5fbd4a08b426e4ef01f0977bd31715f6f5ac62bf
+  data.tar.gz: 68c4fd51846ab0203004d13a436a78e7a645f52eb28f7832bcd115202fc6aae4
+SHA512:
+  metadata.gz: b0850f35295906b35c442821a2a93bee885bc5cd2fd53e94640230902b31c71c15f3f9fa99c1111c755983e42c4bd20fc4fc2222a837170150c1ac77a76284f3
+  data.tar.gz: 7f2c01f94d0465c5250bdf0ff20fcdee1d4c5752c5f21d20bc098d8d0220505ec0cfc747a9139299d1c8210a77fb49389d62218fb56133d533b7cb3adbbebdac

data/lib/dependabot/gradle.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/gradle/file_fetcher"
+require "dependabot/gradle/file_parser"
+require "dependabot/gradle/update_checker"
+require "dependabot/gradle/file_updater"
+require "dependabot/gradle/metadata_finder"
+require "dependabot/gradle/requirement"
+require "dependabot/gradle/version"

data/lib/dependabot/gradle/file_fetcher.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Gradle
+    class FileFetcher < Dependabot::FileFetchers::Base
+      require_relative "file_fetcher/settings_file_parser"
+
+      def self.required_files_in?(filenames)
+        filenames.include?("build.gradle")
+      end
+
+      def self.required_files_message
+        "Repo must contain a build.gradle."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files << buildfile
+        fetched_files += subproject_buildfiles
+        fetched_files
+      end
+
+      def buildfile
+        @buildfile ||= fetch_file_from_host("build.gradle")
+      end
+
+      def subproject_buildfiles
+        return [] unless settings_file
+
+        subproject_paths =
+          SettingsFileParser.
+          new(settings_file: settings_file).
+          subproject_paths
+
+        subproject_paths.map do |path|
+          fetch_file_from_host(File.join(path, "build.gradle"))
+        rescue Dependabot::DependencyFileNotFound
+          # Gradle itself doesn't worry about missing subprojects, so we don't
+          nil
+        end.compact
+      end
+
+      def settings_file
+        @settings_file ||= fetch_file_from_host("settings.gradle")
+      rescue Dependabot::DependencyFileNotFound
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("gradle", Dependabot::Gradle::FileFetcher)

data/lib/dependabot/gradle/file_fetcher/settings_file_parser.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_fetcher"
+
+module Dependabot
+  module Gradle
+    class FileFetcher
+      class SettingsFileParser
+        INCLUDE_ARGS_REGEX =
+          /(?:^|\s)include(?:\(|\s)(\s*[^\s,\)]+(?:,\s*[^\s,\)]+)*)/.freeze
+
+        def initialize(settings_file:)
+          @settings_file = settings_file
+        end
+
+        def subproject_paths
+          subprojects = []
+
+          comment_free_content.scan(function_regex("include")) do
+            args = Regexp.last_match.named_captures.fetch("args")
+            args = args.split(",")
+            args = args.map { |p| p.gsub(/["']/, "").strip }.compact
+            subprojects += args
+          end
+
+          subprojects = subprojects.uniq
+
+          subproject_dirs = subprojects.map do |proj|
+            if comment_free_content.match?(project_dir_regex(proj))
+              comment_free_content.match(project_dir_regex(proj)).
+                named_captures.fetch("path").sub(%r{^/}, "")
+            else
+              proj.tr(":", "/").sub(%r{^/}, "")
+            end
+          end
+
+          subproject_dirs.uniq
+        end
+
+        private
+
+        attr_reader :settings_file
+
+        def comment_free_content
+          settings_file.content.
+            gsub(%r{(?<=^|\s)//.*$}, "\n").
+            gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
+        end
+
+        def function_regex(function_name)
+          /
+            (?:^|\s)#{Regexp.quote(function_name)}(?:\(|\s)
+            (?<args>\s*[^\s,\)]+(?:,\s*[^\s,\)]+)*)
+          /mx
+        end
+
+        def project_dir_regex(proj)
+          prefixed_proj = Regexp.quote(":#{proj.gsub(/^:/, '')}")
+          /['"]#{prefixed_proj}['"].*dir\s*=.*['"](?<path>.*?)['"]/i
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/gradle/file_parser.rb

@@ -0,0 +1,237 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/shared_helpers"
+
+# The best Gradle documentation is at:
+# - https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.dsl.
+#   DependencyHandler.html
+module Dependabot
+  module Gradle
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+      require_relative "file_parser/property_value_finder"
+
+      PROPERTY_REGEX =
+        /
+          (?:\$\{property\((?<property_name>[^:\s]*?)\)\})|
+          (?:\$\{(?<property_name>[^:\s]*?)\})|
+          (?:\$(?<property_name>[^:\s]*))
+        /x.freeze
+
+      PART = %r{[^\s,@'":/\\]+}.freeze
+      VSN_PART = %r{[^\s,'":/\\]+}.freeze
+      DEPENDENCY_DECLARATION_REGEX =
+        /(?:\(|\s)\s*['"](?<declaration>#{PART}:#{PART}:#{VSN_PART})['"]/.
+        freeze
+      DEPENDENCY_SET_DECLARATION_REGEX =
+        /(?:^|\s)dependencySet\((?<arguments>[^\)]+)\)\s*\{/.freeze
+      DEPENDENCY_SET_ENTRY_REGEX = /entry\s+['"](?<name>#{PART})['"]/.freeze
+
+      def parse
+        dependency_set = DependencySet.new
+        buildfiles.each do |buildfile|
+          dependency_set += buildfile_dependencies(buildfile)
+        end
+        dependency_set.dependencies
+      end
+
+      private
+
+      def map_value_regex(key)
+        /(?:^|\s|,|\()#{Regexp.quote(key)}:\s*['"](?<value>[^'"]+)['"]/
+      end
+
+      def buildfile_dependencies(buildfile)
+        dependency_set = DependencySet.new
+
+        dependency_set += shortform_buildfile_dependencies(buildfile)
+        dependency_set += keyword_arg_buildfile_dependencies(buildfile)
+        dependency_set += dependency_set_dependencies(buildfile)
+
+        dependency_set
+      end
+
+      def shortform_buildfile_dependencies(buildfile)
+        dependency_set = DependencySet.new
+
+        prepared_content(buildfile).scan(DEPENDENCY_DECLARATION_REGEX) do
+          declaration = Regexp.last_match.named_captures.fetch("declaration")
+
+          group, name, version = declaration.split(":")
+          details = { group: group, name: name, version: version }
+
+          dep = dependency_from(details_hash: details, buildfile: buildfile)
+          dependency_set << dep if dep
+        end
+
+        dependency_set
+      end
+
+      def keyword_arg_buildfile_dependencies(buildfile)
+        dependency_set = DependencySet.new
+
+        prepared_content(buildfile).lines.each do |line|
+          name    = argument_from_string(line, "name")
+          group   = argument_from_string(line, "group")
+          version = argument_from_string(line, "version")
+          next unless name && group && version
+
+          details = { name: name, group: group, version: version }
+
+          dep = dependency_from(details_hash: details, buildfile: buildfile)
+          dependency_set << dep if dep
+        end
+
+        dependency_set
+      end
+
+      def dependency_set_dependencies(buildfile)
+        dependency_set = DependencySet.new
+
+        dependency_set_blocks = []
+
+        prepared_content(buildfile).scan(DEPENDENCY_SET_DECLARATION_REGEX) do
+          mch = Regexp.last_match
+          dependency_set_blocks <<
+            {
+              arguments: mch.named_captures.fetch("arguments"),
+              block: mch.post_match[0..closing_bracket_index(mch.post_match)]
+            }
+        end
+
+        dependency_set_blocks.each do |blk|
+          group   = argument_from_string(blk[:arguments], "group")
+          version = argument_from_string(blk[:arguments], "version")
+
+          next unless group && version
+
+          blk[:block].scan(DEPENDENCY_SET_ENTRY_REGEX).flatten.each do |name|
+            dep = dependency_from(
+              details_hash: { group: group, name: name, version: version },
+              buildfile: buildfile,
+              in_dependency_set: true
+            )
+            dependency_set << dep if dep
+          end
+        end
+
+        dependency_set
+      end
+
+      def argument_from_string(string, arg_name)
+        string.
+          match(map_value_regex(arg_name))&.
+          named_captures&.
+          fetch("value")
+      end
+
+      def dependency_from(details_hash:, buildfile:, in_dependency_set: false)
+        group   = evaluated_value(details_hash[:group], buildfile)
+        name    = evaluated_value(details_hash[:name], buildfile)
+        version = evaluated_value(details_hash[:version], buildfile)
+
+        dependency_name = "#{group}:#{name}"
+
+        # If we can't evaluate a property they we won't be able to
+        # update this dependency
+        return if "#{dependency_name}:#{version}".match?(PROPERTY_REGEX)
+
+        Dependency.new(
+          name: dependency_name,
+          version: version,
+          requirements: [{
+            requirement: version,
+            file: buildfile.name,
+            source: nil,
+            groups: [],
+            metadata: dependency_metadata(details_hash, in_dependency_set)
+          }],
+          package_manager: "gradle"
+        )
+      end
+
+      def dependency_metadata(details_hash, in_dependency_set)
+        version_property_name =
+          details_hash[:version].
+          match(PROPERTY_REGEX)&.
+          named_captures&.fetch("property_name")
+
+        return unless version_property_name || in_dependency_set
+
+        metadata = {}
+        if version_property_name
+          metadata[:property_name] = version_property_name
+        end
+        if in_dependency_set
+          metadata[:dependency_set] = {
+            group: details_hash[:group],
+            version: details_hash[:version]
+          }
+        end
+        metadata
+      end
+
+      def evaluated_value(value, buildfile)
+        return value unless value.scan(PROPERTY_REGEX).count == 1
+
+        property_name  = value.match(PROPERTY_REGEX).
+                         named_captures.fetch("property_name")
+        property_value = property_value_finder.property_value(
+          property_name: property_name,
+          callsite_buildfile: buildfile
+        )
+
+        return value unless property_value
+
+        value.gsub(PROPERTY_REGEX, property_value)
+      end
+
+      def property_value_finder
+        @property_value_finder ||=
+          PropertyValueFinder.new(dependency_files: dependency_files)
+      end
+
+      def prepared_content(buildfile)
+        # Remove any comments
+        prepared_content =
+          buildfile.content.
+          gsub(%r{(?<=^|\s)//.*$}, "\n").
+          gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
+
+        # Remove the dependencyVerification section added by Gradle Witness
+        # (TODO: Support updating this in the FileUpdater)
+        prepared_content.dup.scan(/dependencyVerification\s*{/) do
+          mtch = Regexp.last_match
+          block = mtch.post_match[0..closing_bracket_index(mtch.post_match)]
+          prepared_content.gsub!(block, "")
+        end
+
+        prepared_content
+      end
+
+      def closing_bracket_index(string)
+        closes_required = 1
+
+        string.chars.each_with_index do |char, index|
+          closes_required += 1 if char == "{"
+          closes_required -= 1 if char == "}"
+          return index if closes_required.zero?
+        end
+      end
+
+      def buildfiles
+        @buildfiles ||=
+          dependency_files.select { |f| f.name.end_with?("build.gradle") }
+      end
+
+      def check_required_files
+        raise "No build.gradle!" unless get_original_file("build.gradle")
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.register("gradle", Dependabot::Gradle::FileParser)

data/lib/dependabot/gradle/file_parser/property_value_finder.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_parser"
+
+module Dependabot
+  module Gradle
+    class FileParser
+      class PropertyValueFinder
+        PROPERTY_DECLARATION_REGEX =
+          /(?:^|\s+|ext.)(?<name>[^\s=]+)\s*=\s*['"](?<value>[^\s]+)['"]/.
+          freeze
+
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def property_details(property_name:, callsite_buildfile:)
+          # If the root project was specified, just look in the top-level
+          # buildfile
+          if property_name.start_with?("rootProject.")
+            property_name = property_name.sub("rootProject.", "")
+            return properties(top_level_buildfile).fetch(property_name, nil)
+          end
+
+          # If this project was specified strip the specifier
+          if property_name.start_with?("project.")
+            property_name = property_name.sub("project.", "")
+          end
+
+          # If a `properties` prefix was specified strip that out, too
+          if property_name.start_with?("properties.")
+            property_name = property_name.sub("properties.", "")
+          end
+
+          # Look for a property in the callsite buildfile. If that fails, look
+          # for the property in the top-level buildfile
+          if properties(callsite_buildfile).fetch(property_name, nil)
+            return properties(callsite_buildfile).fetch(property_name)
+          end
+
+          properties(top_level_buildfile).fetch(property_name, nil)
+        end
+
+        def property_value(property_name:, callsite_buildfile:)
+          property_details(
+            property_name: property_name,
+            callsite_buildfile: callsite_buildfile
+          )&.fetch(:value)
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def properties(buildfile)
+          @properties ||= {}
+          return @properties[buildfile.name] if @properties[buildfile.name]
+
+          @properties[buildfile.name] = {}
+          prepared_content(buildfile).scan(PROPERTY_DECLARATION_REGEX) do
+            declaration_string = Regexp.last_match.to_s.strip
+            captures = Regexp.last_match.named_captures
+            name = captures.fetch("name").sub(/^ext\./, "")
+            @properties[buildfile.name][name] = {
+              value: captures.fetch("value"),
+              declaration_string: declaration_string,
+              file: buildfile.name
+            }
+          end
+
+          @properties[buildfile.name]
+        end
+
+        def prepared_content(buildfile)
+          # Remove any comments
+          buildfile.content.
+            gsub(%r{(?<=^|\s)//.*$}, "\n").
+            gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
+        end
+
+        def top_level_buildfile
+          @top_level_buildfile ||=
+            dependency_files.find { |f| f.name == "build.gradle" }
+        end
+      end
+    end
+  end
+end