dependabot-hex 0.88.0

data/lib/dependabot/hex/metadata_finder.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Hex
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      SOURCE_KEYS = %w(
+        GitHub Github github
+        GitLab Gitlab gitlab
+        BitBucket Bitbucket bitbucket
+        Source source
+      ).freeze
+
+      private
+
+      def look_up_source
+        case new_source_type
+        when "default" then find_source_from_hex_listing
+        when "git" then find_source_from_git_url
+        else raise "Unexpected source type: #{new_source_type}"
+        end
+      end
+
+      def new_source_type
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        return "default" if sources.empty?
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first[:type] || sources.first.fetch("type")
+      end
+
+      def find_source_from_hex_listing
+        potential_source_urls =
+          SOURCE_KEYS.
+          map { |key| hex_listing.dig("meta", "links", key) }.
+          compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        Source.from_url(source_url)
+      end
+
+      def find_source_from_git_url
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+        url = info[:url] || info.fetch("url")
+        Source.from_url(url)
+      end
+
+      def hex_listing
+        return @hex_listing unless @hex_listing.nil?
+
+        response = Excon.get(
+          "https://hex.pm/api/packages/#{dependency.name}",
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        @hex_listing = JSON.parse(response.body)
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.register("hex", Dependabot::Hex::MetadataFinder)

data/lib/dependabot/hex/native_helpers.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Hex
+    module NativeHelpers
+      def self.hex_helpers_dir
+        File.join(native_helpers_root, "hex/helpers")
+      end
+
+      def self.native_helpers_root
+        default_path = File.join(__dir__, "../../../..")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+
+      def self.clean_path(path)
+        Pathname.new(path).cleanpath.to_path
+      end
+    end
+  end
+end

data/lib/dependabot/hex/requirement.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/hex/version"
+
+module Dependabot
+  module Hex
+    class Requirement < Gem::Requirement
+      AND_SEPARATOR = /\s+and\s+/.freeze
+      OR_SEPARATOR = /\s+or\s+/.freeze
+
+      # Add the double-equality matcher to the list of allowed operations
+      OPS = OPS.merge("==" => ->(v, r) { v == r })
+
+      # Override the version pattern to allow local versions
+      quoted = OPS.keys.map { |k| Regexp.quote k }.join "|"
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{Hex::Version::VERSION_PATTERN})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      def self.requirements_array(requirement_string)
+        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+          requirements = req_string.strip.split(AND_SEPARATOR)
+          new(requirements)
+        end
+      end
+
+      # Override the parser to create Hex::Versions
+      def self.parse(obj)
+        return ["=", Hex::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Hex::Version.new(matches[2])]
+      end
+
+      def satisfied_by?(version)
+        version = Hex::Version.new(version.to_s)
+
+        requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("hex", Dependabot::Hex::Requirement)

data/lib/dependabot/hex/update_checker.rb

@@ -0,0 +1,275 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/git_commit_checker"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+
+require "json"
+
+module Dependabot
+  module Hex
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/file_preparer"
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_resolver"
+
+      def latest_version
+        @latest_version ||=
+          if git_dependency?
+            latest_version_for_git_dependency
+          else
+            latest_release_from_hex_registry || latest_resolvable_version
+          end
+      end
+
+      def latest_resolvable_version
+        @latest_resolvable_version ||=
+          if git_dependency?
+            latest_resolvable_version_for_git_dependency
+          else
+            fetch_latest_resolvable_version(unlock_requirement: true)
+          end
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        @latest_resolvable_version_with_no_unlock ||=
+          if git_dependency?
+            latest_resolvable_commit_with_unchanged_git_source
+          else
+            fetch_latest_resolvable_version(unlock_requirement: false)
+          end
+      end
+
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          updated_source: updated_source,
+          latest_resolvable_version: latest_resolvable_version&.to_s
+        ).updated_requirements
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't implemented for Elixir (yet)
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def latest_version_for_git_dependency
+        latest_git_version_sha
+      end
+
+      def latest_resolvable_version_for_git_dependency
+        # If the gem isn't pinned, the latest version is just the latest
+        # commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return latest_resolvable_commit_with_unchanged_git_source
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return new_tag.fetch(:commit_sha)
+        end
+
+        # If the dependency is pinned then there's nothing we can do.
+        dependency.version
+      end
+
+      def latest_resolvable_commit_with_unchanged_git_source
+        fetch_latest_resolvable_version(unlock_requirement: false)
+      rescue SharedHelpers::HelperSubprocessFailed,
+             Dependabot::DependencyFileNotResolvable => error
+        # Resolution may fail, as Elixir updates straight to the tip of the
+        # branch. Just return `nil` if it does (so no update).
+        return if error.message.include?("resolution failed")
+
+        raise error
+      end
+
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      def latest_git_version_sha
+        # If the gem isn't pinned, the latest version is just the latest
+        # commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return git_commit_checker.head_commit_for_current_branch
+        end
+
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version?
+          latest_tag = git_commit_checker.local_tag_for_latest_version
+          return latest_tag&.fetch(:commit_sha) || dependency.version
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        dependency.version
+      end
+
+      def latest_git_tag_is_resolvable?
+        return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
+
+        @latest_git_tag_is_resolvable_checked = true
+
+        return false if git_commit_checker.local_tag_for_latest_version.nil?
+
+        replacement_tag = git_commit_checker.local_tag_for_latest_version
+
+        prepared_files = FilePreparer.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          replacement_git_pin: replacement_tag.fetch(:tag)
+        ).prepared_dependency_files
+
+        resolver_result = VersionResolver.new(
+          dependency: dependency,
+          prepared_dependency_files: prepared_files,
+          original_dependency_files: dependency_files,
+          credentials: credentials
+        ).latest_resolvable_version
+
+        @git_tag_resolvable = !resolver_result.nil?
+      rescue SharedHelpers::HelperSubprocessFailed,
+             Dependabot::DependencyFileNotResolvable => error
+        raise error unless error.message.include?("resolution failed")
+
+        @git_tag_resolvable = false
+      end
+
+      def updated_source
+        # Never need to update source, unless a git_dependency
+        return dependency_source_details unless git_dependency?
+
+        # Update the git tag if updating a pinned version
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+        end
+
+        # Otherwise return the original source
+        dependency_source_details
+      end
+
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+
+      def fetch_latest_resolvable_version(unlock_requirement:)
+        @latest_resolvable_version_hash ||= {}
+        @latest_resolvable_version_hash[unlock_requirement] ||=
+          version_resolver(unlock_requirement: unlock_requirement).
+          latest_resolvable_version
+      end
+
+      def version_resolver(unlock_requirement:)
+        @version_resolver ||= {}
+        @version_resolver[unlock_requirement] ||=
+          begin
+            prepared_dependency_files = prepared_dependency_files(
+              unlock_requirement: unlock_requirement,
+              latest_allowable_version: latest_release_from_hex_registry
+            )
+
+            VersionResolver.new(
+              dependency: dependency,
+              prepared_dependency_files: prepared_dependency_files,
+              original_dependency_files: dependency_files,
+              credentials: credentials
+            )
+          end
+      end
+
+      def prepared_dependency_files(unlock_requirement:,
+                                    latest_allowable_version: nil)
+        FilePreparer.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          unlock_requirement: unlock_requirement,
+          latest_allowable_version: latest_allowable_version
+        ).prepared_dependency_files
+      end
+
+      def latest_release_from_hex_registry
+        @latest_release_from_hex_registry ||=
+          begin
+            versions = hex_registry_response&.fetch("releases", []) || []
+            versions =
+              versions.
+              select { |release| version_class.correct?(release["version"]) }.
+              map { |release| version_class.new(release["version"]) }
+
+            versions.reject!(&:prerelease?) unless wants_prerelease?
+            versions.reject! do |v|
+              ignore_reqs.any? { |r| r.satisfied_by?(v) }
+            end
+            versions.max
+          end
+      end
+
+      def hex_registry_response
+        return @hex_registry_response if @hex_registry_requested
+
+        @hex_registry_requested = true
+
+        response = Excon.get(
+          dependency_url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        return unless response.status == 200
+
+        @hex_registry_response = JSON.parse(response.body)
+      rescue Excon::Error::Socket, Excon::Error::Timeout
+        nil
+      end
+
+      def wants_prerelease?
+        current_version = dependency.version
+        if current_version &&
+           version_class.correct?(current_version) &&
+           version_class.new(current_version).prerelease?
+          return true
+        end
+
+        dependency.requirements.any? do |req|
+          req[:requirement]&.match?(/\d-[A-Za-z0-9]/)
+        end
+      end
+
+      def dependency_url
+        "https://hex.pm/api/packages/#{dependency.name}"
+      end
+
+      def git_commit_checker
+        @git_commit_checker ||=
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          )
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.register("hex", Dependabot::Hex::UpdateChecker)

data/lib/dependabot/hex/update_checker/file_preparer.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/hex/update_checker"
+require "dependabot/hex/file_updater/mixfile_requirement_updater"
+require "dependabot/hex/file_updater/mixfile_git_pin_updater"
+require "dependabot/hex/file_updater/mixfile_sanitizer"
+require "dependabot/hex/version"
+
+module Dependabot
+  module Hex
+    class UpdateChecker
+      # This class takes a set of dependency files and sanitizes them for use
+      # in UpdateCheckers::Elixir::Hex.
+      class FilePreparer
+        def initialize(dependency_files:, dependency:,
+                       unlock_requirement: true,
+                       replacement_git_pin: nil,
+                       latest_allowable_version: nil)
+          @dependency_files = dependency_files
+          @dependency = dependency
+          @unlock_requirement = unlock_requirement
+          @replacement_git_pin = replacement_git_pin
+          @latest_allowable_version = latest_allowable_version
+        end
+
+        def prepared_dependency_files
+          files = []
+          files += mixfiles.map do |file|
+            DependencyFile.new(
+              name: file.name,
+              content: mixfile_content_for_update_check(file),
+              directory: file.directory
+            )
+          end
+          files << lockfile if lockfile
+          files += support_files
+          files
+        end
+
+        private
+
+        attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                    :latest_allowable_version
+
+        def unlock_requirement?
+          @unlock_requirement
+        end
+
+        def replace_git_pin?
+          !replacement_git_pin.nil?
+        end
+
+        def mixfile_content_for_update_check(file)
+          content = file.content
+
+          unless dependency_appears_in_file?(file.name)
+            return sanitize_mixfile(content)
+          end
+
+          content = relax_version(content, filename: file.name)
+          if replace_git_pin?
+            content = replace_git_pin(content, filename: file.name)
+          end
+
+          sanitize_mixfile(content)
+        end
+
+        def relax_version(content, filename:)
+          old_requirement =
+            dependency.requirements.find { |r| r.fetch(:file) == filename }.
+            fetch(:requirement)
+
+          Hex::FileUpdater::MixfileRequirementUpdater.new(
+            dependency_name: dependency.name,
+            mixfile_content: content,
+            previous_requirement: old_requirement,
+            updated_requirement: updated_version_requirement_string(filename),
+            insert_if_bare: true
+          ).updated_content
+        end
+
+        def updated_version_requirement_string(filename)
+          lower_bound_req = updated_version_req_lower_bound(filename)
+
+          return lower_bound_req if latest_allowable_version.nil?
+          unless version_class.correct?(latest_allowable_version)
+            return lower_bound_req
+          end
+
+          lower_bound_req + " and <= #{latest_allowable_version}"
+        end
+
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/PerceivedComplexity
+        def updated_version_req_lower_bound(filename)
+          original_req = dependency.requirements.
+                         find { |r| r.fetch(:file) == filename }&.
+                         fetch(:requirement)
+
+          if original_req && !unlock_requirement? then original_req
+          elsif dependency.version&.match?(/^[0-9a-f]{40}$/) then ">= 0"
+          elsif dependency.version then ">= #{dependency.version}"
+          else
+            version_for_requirement =
+              dependency.requirements.map { |r| r[:requirement] }.compact.
+              reject { |req_string| req_string.start_with?("<") }.
+              select { |req_string| req_string.match?(version_regex) }.
+              map { |req_string| req_string.match(version_regex) }.
+              select { |version| version_class.correct?(version.to_s) }.
+              max_by { |version| version_class.new(version.to_s) }
+
+            return ">= 0" unless version_for_requirement
+
+            # Elixir requires that versions are specified to three places
+            # when used with a >= specifier
+            parts = version_for_requirement.to_s.split(".")
+            parts << "0" while parts.count < 3
+            ">= #{parts.join('.')}"
+          end
+        end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        def replace_git_pin(content, filename:)
+          old_pin =
+            dependency.requirements.find { |r| r.fetch(:file) == filename }&.
+            dig(:source, :ref)
+
+          return content unless old_pin
+          return content if old_pin == replacement_git_pin
+
+          Hex::FileUpdater::MixfileGitPinUpdater.new(
+            dependency_name: dependency.name,
+            mixfile_content: content,
+            previous_pin: old_pin,
+            updated_pin: replacement_git_pin
+          ).updated_content
+        end
+
+        def sanitize_mixfile(content)
+          Hex::FileUpdater::MixfileSanitizer.new(
+            mixfile_content: content
+          ).sanitized_content
+        end
+
+        def mixfiles
+          mixfiles =
+            dependency_files.
+            select { |f| f.name.end_with?("mix.exs") }
+          raise "No mix.exs!" if mixfiles.none?
+
+          mixfiles
+        end
+
+        def lockfile
+          @lockfile ||= dependency_files.find { |f| f.name == "mix.lock" }
+        end
+
+        def support_files
+          @support_files ||= dependency_files.select(&:support_file)
+        end
+
+        def wants_prerelease?
+          current_version = dependency.version
+          if current_version &&
+             version_class.correct?(current_version) &&
+             version_class.new(current_version).prerelease?
+            return true
+          end
+
+          dependency.requirements.any? do |req|
+            req[:requirement].match?(/\d-[A-Za-z0-9]/)
+          end
+        end
+
+        def version_class
+          Hex::Version
+        end
+
+        def version_regex
+          version_class::VERSION_PATTERN
+        end
+
+        def dependency_appears_in_file?(file_name)
+          dependency.requirements.any? { |r| r[:file] == file_name }
+        end
+      end
+    end
+  end
+end