dependabot-linguist 0.212.1 → 0.217.0
- checksums.yaml +4 -4
- data/.rubocop.yml +38 -2
- data/Gemfile.lock +98 -106
- data/Makefile +4 -2
- data/README.md +5 -4
- data/SECURITY.md +3 -2
- data/dependabot-linguist.gemspec +8 -6
- data/exe/dependabot-linguist +1 -1
- data/lib/dependabot/linguist/dependabot_file_validator.rb +3 -1
- data/lib/dependabot/linguist/dependabot_patch.rb +14 -2
- data/lib/dependabot/linguist/file_fetchers/bundler.rb +54 -0
- data/lib/dependabot/linguist/file_fetchers/git_submodules.rb +9 -7
- data/lib/dependabot/linguist/file_fetchers/go_modules.rb +2 -2
- data/lib/dependabot/linguist/language.rb +18 -14
- data/lib/dependabot/linguist/languages_to_ecosystems/contexts.rb +22 -21
- data/lib/dependabot/linguist/languages_to_ecosystems/languages.yaml +172 -21
- data/lib/dependabot/linguist/languages_to_ecosystems/manager_ecosystem_maps.rb +17 -17
- data/lib/dependabot/linguist/linguist_patch.rb +1 -1
- data/lib/dependabot/linguist/repository.rb +7 -2
- data/lib/dependabot/linguist/version.rb +1 -1
- metadata +17 -17
- data/lib/dependabot/linguist/file_fetchers/base.rb +0 -48
@@ -12,8 +12,6 @@
|
|
12
12
|
#########################################################################################
|
13
13
|
|
14
14
|
# Patches Dependabot::GitSubmodules::FileFetcher.(fetch_files, gitmodules_file)
|
15
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.212.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L21-L26
|
16
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.212.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L28-L30
|
17
15
|
|
18
16
|
# This patches out the network calls that might fail if you've used a private
|
19
17
|
# repo as a submodule. It still validates the `.gitmodules` exists. If you ARE
|
@@ -21,9 +19,11 @@
|
|
21
19
|
# "Allowing Dependabot to access private dependencies" at the below link
|
22
20
|
# https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-dependabot-to-access-private-dependencies
|
23
21
|
|
24
|
-
# required_files_in? only asserts the
|
25
|
-
# submodule referenced is private, then
|
26
|
-
# might break the runner.
|
22
|
+
# Dependabot::GitSubmodules::FileFetcher::required_files_in? only asserts the
|
23
|
+
# presence of a `.gitmodules` file if the submodule referenced is private, then
|
24
|
+
# the network calls in `submodule_refs` might break the runner.
|
25
|
+
|
26
|
+
# If Dependabot::FileFetchers::Base.load_cloned_file_if_present
|
27
27
|
# can't see the file, it'll `raise Dependabot::DependencyFileNotFound`, which
|
28
28
|
# will make Dependabot::FileFetchers::Base.fetch_file_if_present `return` which
|
29
29
|
# will add nil to the list of fetched_files -- i.e.
|
@@ -36,9 +36,9 @@
|
|
36
36
|
# So we need to be more cautious with this and check it first.
|
37
37
|
|
38
38
|
# Dependabot::FileFetchers::Base.load_cloned_file_if_present
|
39
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
39
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/common/lib/dependabot/file_fetchers/base.rb#L135-L155
|
40
40
|
# Dependabot::FileFetchers::Base.fetch_file_if_present
|
41
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
41
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/common/lib/dependabot/file_fetchers/base.rb#L111-L133
|
42
42
|
|
43
43
|
require "dependabot/errors"
|
44
44
|
require "dependabot/git_submodules"
|
@@ -48,11 +48,13 @@ require "dependabot/git_submodules"
|
|
48
48
|
module Dependabot
|
49
49
|
module GitSubmodules
|
50
50
|
class FileFetcher
|
51
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L21-L26
|
51
52
|
def fetch_files
|
52
53
|
raise(Dependabot::DependencyFileNotFound, Pathname.new(File.join(directory, ".gitmodules")).cleanpath.to_path) if gitmodules_file.nil?
|
53
54
|
[gitmodules_file]
|
54
55
|
end
|
55
56
|
|
57
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L28-L30
|
56
58
|
def gitmodules_file
|
57
59
|
@gitmodules_file ||= fetch_file_if_present(".gitmodules")
|
58
60
|
end
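Review bot: The new link comments above `fetch_files` and `gitmodules_file` pin the overridden methods to dependabot-core v0.217.0, but nothing in the code enforces that the loaded gem is that version; if the gemspec (changed in this release, not visible here) allows a range, an upstream change to `fetch_files` or `fetch_file_if_present` would be silently masked by this override, and a `.gitmodules` that upstream would now reject is still handed back as the only fetched file. Consider guarding the patch at load time, e.g. `warn "git_submodules patch written against dependabot-core 0.217.0, loaded #{Dependabot::VERSION}" unless Dependabot::VERSION == "0.217.0"` (assuming `Dependabot::VERSION` is defined by dependabot-common, as it appears to be). The `Pathname.new(File.join(directory, ".gitmodules")).cleanpath.to_path` expression used only for the error message is duplicated verbatim in the go_modules patch with `go.mod`; a small shared helper would keep the two in step. It would also help to say in the header comment that, because `submodule_refs` is skipped, the submodule URLs in `.gitmodules` are never resolved or validated here, so a successful fetch must not be read as evidence that the referenced submodules exist or are reachable.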
|
@@ -12,9 +12,8 @@
|
|
12
12
|
#########################################################################################
|
13
13
|
|
14
14
|
# Patches Dependabot::GoModules::FileFetcher.fetch_files
|
15
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.212.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L19-L41
|
16
15
|
|
17
|
-
#
|
16
|
+
# Patched to remove the online requirement for fetching go modules
|
18
17
|
|
19
18
|
# See the git_submodule patch for a comment explaining the reorder pattern,
|
20
19
|
# due to `go_mod` being acquired via `fetch_file_if_present` and hitting
|
@@ -28,6 +27,7 @@ require "dependabot/go_modules"
|
|
28
27
|
module Dependabot
|
29
28
|
module GoModules
|
30
29
|
class FileFetcher
|
30
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L30-L50
|
31
31
|
def fetch_files
|
32
32
|
raise(Dependabot::DependencyFileNotFound, Pathname.new(File.join(directory, "go.mod")).cleanpath.to_path) if go_mod.nil?
|
33
33
|
fetched_files = [go_mod]
|
@@ -11,26 +11,29 @@
|
|
11
11
|
# |___/ #
|
12
12
|
#####################################################################
|
13
13
|
|
14
|
-
# Patches the class Linguist::Language to selectively "ungroup"
|
15
|
-
#
|
16
|
-
#
|
17
|
-
|
18
|
-
# Patch
|
19
|
-
#
|
20
|
-
# can't rely on the gitmodules to be unvendored in a `.gitattributes
|
21
|
-
#
|
22
|
-
#
|
23
|
-
#
|
24
|
-
|
25
|
-
#
|
26
|
-
#
|
27
|
-
#
|
14
|
+
# Patches the class Linguist::Language to selectively "ungroup" and
|
15
|
+
# change the type of "languages" to a detectable type. This patches
|
16
|
+
# the class with new functions, so there are no links to the "orig".
|
17
|
+
|
18
|
+
# Patch Linguist::BlobHelper::VendoredRegexp. Need to remove the
|
19
|
+
# "(^|/)\.gitmodules$" string (plus one of the adjacent "|") as we
|
20
|
+
# can't rely on the gitmodules to be unvendored in a `.gitattributes`.
|
21
|
+
# Need to remove the "(^|/)\.github/" string (plus the adjacent "|"),
|
22
|
+
# to capture yaml files under `.github/workflows/*.yaml`
|
23
|
+
# See https://ruby-doc.org/core-3.1.0/Regexp.html
|
24
|
+
|
25
|
+
# Patching either Linguist::LazyBlob::git_attributes or
|
26
|
+
# Linguist::LazyBlob::vendored? would be too cumbersome.
|
27
|
+
# It also seems easier than duplicating the vendor patterns from
|
28
|
+
# https://github.com/github/linguist/blob/v7.25.0/lib/linguist/vendor.yml
|
28
29
|
|
29
30
|
require "linguist"
|
30
31
|
|
31
32
|
# rubocop:disable Style/Documentation
|
32
33
|
|
33
34
|
module Linguist
|
35
|
+
# https://github.com/github/linguist/blob/v7.25.0/lib/linguist/language.rb
|
36
|
+
|
34
37
|
class Language
|
35
38
|
def ungroup_language
|
36
39
|
@group_name = self.name
|
@@ -55,6 +58,7 @@ module Linguist
|
|
55
58
|
end
|
56
59
|
|
57
60
|
module BlobHelper
|
61
|
+
# https://github.com/github/linguist/blob/v7.25.0/lib/linguist/blob_helper.rb#L220
|
58
62
|
VendoredRegexp = Regexp.new(VendoredRegexp.source.gsub("(^|/)\\.gitmodules$|", "").gsub("|(^|/)\\.github/", ""))
|
59
63
|
end
|
60
64
|
end
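Review bot: The two `gsub` calls on the `VendoredRegexp` line under the new link comment fail silently: if the source of linguist's compiled vendor regexp no longer contains exactly `(^|/)\.gitmodules$|` or `|(^|/)\.github/` (a reorder of `vendor.yml` alone changes which `|` is adjacent), the constant is rebuilt unchanged, `.gitmodules` and `.github/workflows/*.yaml` stay vendored, and the git-submodule and GitHub Actions ecosystems quietly drop out of detection with no error. Since the patterns are taken from a pinned v7.25.0 link, add a guard before the reassignment, e.g. `raise "linguist vendor patterns no longer match the patched substrings" unless VendoredRegexp.source.include?("(^|/)\\.gitmodules$|") && VendoredRegexp.source.include?("|(^|/)\\.github/")`. Rebuilding from `.source` alone also discards any flags the upstream constant carries; passing `VendoredRegexp.options` as the second argument to `Regexp.new` preserves them if upstream ever sets any. Reassigning the constant in place will print an "already initialized constant" warning under `-w`; presumably accepted, but a `remove_const :VendoredRegexp` first would keep the log clean.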
|
@@ -8,7 +8,7 @@
|
|
8
8
|
# as it's source directory is not the directory it is valid to "fetch" from.
|
9
9
|
|
10
10
|
# For a list of "linguist languages", see
|
11
|
-
# https://github.com/github/linguist/blob/v7.
|
11
|
+
# https://github.com/github/linguist/blob/v7.25.0/lib/linguist/languages.yml
|
12
12
|
|
13
13
|
require_relative "manager_ecosystem_maps"
|
14
14
|
|
@@ -23,6 +23,7 @@ module Dependabot
|
|
23
23
|
# is derived from inspecting the rules the file fetcher class actually
|
24
24
|
# uses itself to determine if it can "fetch files" for a directory.
|
25
25
|
# Possibly also based on the `def self.required_files_message` message.
|
26
|
+
# Or alternatively the `def self.required_files_in?`, the actual check!
|
26
27
|
FETCH_FILES = "def fetch_files"
|
27
28
|
# PRIMARY_LANGUAGES implies that the language should be the main or only
|
28
29
|
# languages that that package manager could be used for, and the presence
|
@@ -60,7 +61,7 @@ module Dependabot
|
|
60
61
|
|
61
62
|
##
|
62
63
|
CONTEXT_RULES[PackageManagers::BUNDLER][ContextRule::FETCH_FILES] = [
|
63
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
64
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/bundler/lib/dependabot/bundler/file_fetcher.rb#L22-L24
|
64
65
|
"Gemfile.lock", # Gemfile.lock
|
65
66
|
"Ruby" # Gemfile or .gemspec
|
66
67
|
]
|
@@ -69,7 +70,7 @@ module Dependabot
|
|
69
70
|
|
70
71
|
##
|
71
72
|
CONTEXT_RULES[PackageManagers::CARGO][ContextRule::FETCH_FILES] = [
|
72
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
73
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/cargo/lib/dependabot/cargo/file_fetcher.rb#L19-L21
|
73
74
|
"TOML" # Cargo.toml and Cargo.lock
|
74
75
|
]
|
75
76
|
CONTEXT_RULES[PackageManagers::CARGO][ContextRule::PRIMARY_LANGUAGES] = ["Rust"]
|
@@ -77,7 +78,7 @@ module Dependabot
|
|
77
78
|
|
78
79
|
##
|
79
80
|
CONTEXT_RULES[PackageManagers::COMPOSER][ContextRule::FETCH_FILES] = [
|
80
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
81
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/composer/lib/dependabot/composer/file_fetcher.rb#L16-L18
|
81
82
|
"JSON" # composer.json and composer.lock
|
82
83
|
]
|
83
84
|
CONTEXT_RULES[PackageManagers::COMPOSER][ContextRule::PRIMARY_LANGUAGES] = ["PHP"]
|
@@ -85,7 +86,7 @@ module Dependabot
|
|
85
86
|
|
86
87
|
##
|
87
88
|
CONTEXT_RULES[PackageManagers::DOCKER][ContextRule::FETCH_FILES] = [
|
88
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
89
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/docker/lib/dependabot/docker/file_fetcher.rb#L19-L21
|
89
90
|
"Dockerfile", # Dockerfile
|
90
91
|
"YAML" # .yaml, if kubernetes option is set
|
91
92
|
]
|
@@ -94,7 +95,7 @@ module Dependabot
|
|
94
95
|
|
95
96
|
##
|
96
97
|
CONTEXT_RULES[PackageManagers::HEX][ContextRule::FETCH_FILES] = [
|
97
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
98
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/hex/lib/dependabot/hex/file_fetcher.rb#L19-L21
|
98
99
|
"Elixir" # mix.lock and mix.exs by extension
|
99
100
|
]
|
100
101
|
CONTEXT_RULES[PackageManagers::HEX][ContextRule::PRIMARY_LANGUAGES] = ["Elixir"]
|
@@ -102,7 +103,7 @@ module Dependabot
|
|
102
103
|
|
103
104
|
##
|
104
105
|
CONTEXT_RULES[PackageManagers::ELM_PACKAGE][ContextRule::FETCH_FILES] = [
|
105
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
106
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/elm/lib/dependabot/elm/file_fetcher.rb#L13-L15
|
106
107
|
"JSON" # elm-package.json or an elm.json, only seeks via .json extension though.
|
107
108
|
]
|
108
109
|
CONTEXT_RULES[PackageManagers::ELM_PACKAGE][ContextRule::PRIMARY_LANGUAGES] = ["Elm"]
|
@@ -110,7 +111,7 @@ module Dependabot
|
|
110
111
|
|
111
112
|
##
|
112
113
|
CONTEXT_RULES[PackageManagers::GIT_SUBMODULE][ContextRule::FETCH_FILES] = [
|
113
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
114
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/git_submodules/lib/dependabot/git_submodules/file_fetcher.rb#L15-L17
|
114
115
|
"Git Config" # ".gitmodules"
|
115
116
|
]
|
116
117
|
CONTEXT_RULES[PackageManagers::GIT_SUBMODULE][ContextRule::PRIMARY_LANGUAGES] = []
|
@@ -118,7 +119,7 @@ module Dependabot
|
|
118
119
|
|
119
120
|
##
|
120
121
|
CONTEXT_RULES[PackageManagers::GITHUB_ACTIONS][ContextRule::FETCH_FILES] = [
|
121
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
122
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/github_actions/lib/dependabot/github_actions/file_fetcher.rb#L15-L17
|
122
123
|
# "YAML", but this is handled without linguist
|
123
124
|
]
|
124
125
|
CONTEXT_RULES[PackageManagers::GITHUB_ACTIONS][ContextRule::PRIMARY_LANGUAGES] = []
|
@@ -126,7 +127,7 @@ module Dependabot
|
|
126
127
|
|
127
128
|
##
|
128
129
|
CONTEXT_RULES[PackageManagers::GO_MODULES][ContextRule::FETCH_FILES] = [
|
129
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
130
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/go_modules/lib/dependabot/go_modules/file_fetcher.rb#L13-L15
|
130
131
|
"Go Checksums", # go.sum
|
131
132
|
"Go Module" # go.mod
|
132
133
|
]
|
@@ -134,7 +135,7 @@ module Dependabot
|
|
134
135
|
CONTEXT_RULES[PackageManagers::GO_MODULES][ContextRule::RELEVANT_LANGUAGES] = []
|
135
136
|
|
136
137
|
CONTEXT_RULES[PackageManagers::GRADLE][ContextRule::FETCH_FILES] = [
|
137
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
138
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/gradle/lib/dependabot/gradle/file_fetcher.rb#L27-L29
|
138
139
|
"Gradle", # for any `.gradle` file
|
139
140
|
"Kotlin" # for any `.kts` file"
|
140
141
|
]
|
@@ -144,7 +145,7 @@ module Dependabot
|
|
144
145
|
]
|
145
146
|
|
146
147
|
CONTEXT_RULES[PackageManagers::MAVEN][ContextRule::FETCH_FILES] = [
|
147
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
148
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/maven/lib/dependabot/maven/file_fetcher.rb#L17-L19
|
148
149
|
"Maven POM" # for `pom.xml` files
|
149
150
|
]
|
150
151
|
CONTEXT_RULES[PackageManagers::MAVEN][ContextRule::PRIMARY_LANGUAGES] = []
|
@@ -154,7 +155,7 @@ module Dependabot
|
|
154
155
|
|
155
156
|
##
|
156
157
|
CONTEXT_RULES[PackageManagers::NPM][ContextRule::FETCH_FILES] = [
|
157
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
158
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb#L31-L33
|
158
159
|
"JSON", # "package.json" or "package-lock.json" or "npm-shrinkwrap.json" but only by extension
|
159
160
|
"NPM Config" # ".npmrc"
|
160
161
|
]
|
@@ -163,7 +164,7 @@ module Dependabot
|
|
163
164
|
|
164
165
|
##
|
165
166
|
CONTEXT_RULES[PackageManagers::NUGET][ContextRule::FETCH_FILES] = [
|
166
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
167
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/nuget/lib/dependabot/nuget/file_fetcher.rb#L20-L22
|
167
168
|
"XML" # .csproj, .vbproj and .fsproj
|
168
169
|
# Nothing looks for a packages.config
|
169
170
|
]
|
@@ -172,7 +173,7 @@ module Dependabot
|
|
172
173
|
|
173
174
|
##
|
174
175
|
CONTEXT_RULES[PackageManagers::PIP][ContextRule::FETCH_FILES] = [
|
175
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
176
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
|
176
177
|
# Besides the other pip related package managers, there is no language for `requirements` files. RIP.
|
177
178
|
"Text" # for `.txt`
|
178
179
|
]
|
@@ -181,7 +182,7 @@ module Dependabot
|
|
181
182
|
|
182
183
|
##
|
183
184
|
CONTEXT_RULES[PackageManagers::PIPENV][ContextRule::FETCH_FILES] = [
|
184
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
185
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
|
185
186
|
"JSON", # Pipfile.lock
|
186
187
|
"TOML" # Pipfile
|
187
188
|
]
|
@@ -190,7 +191,7 @@ module Dependabot
|
|
190
191
|
|
191
192
|
##
|
192
193
|
CONTEXT_RULES[PackageManagers::PIP_COMPILE][ContextRule::FETCH_FILES] = [
|
193
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
194
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
|
194
195
|
# Already captured by the other pip related package manager paths
|
195
196
|
]
|
196
197
|
CONTEXT_RULES[PackageManagers::PIP_COMPILE][ContextRule::PRIMARY_LANGUAGES] = ["Python"]
|
@@ -198,7 +199,7 @@ module Dependabot
|
|
198
199
|
|
199
200
|
##
|
200
201
|
CONTEXT_RULES[PackageManagers::POETRY][ContextRule::FETCH_FILES] = [
|
201
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
202
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/python/lib/dependabot/python/file_fetcher.rb#L35-L38
|
202
203
|
# pyproject.lock has none and setup.py is vague.
|
203
204
|
"TOML" # poetry.lock and pyproject.toml by extension
|
204
205
|
]
|
@@ -207,7 +208,7 @@ module Dependabot
|
|
207
208
|
|
208
209
|
##
|
209
210
|
CONTEXT_RULES[PackageManagers::PUB][ContextRule::FETCH_FILES] = [
|
210
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
211
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/pub/lib/dependabot/pub/file_fetcher.rb#L15-L17
|
211
212
|
"YAML" # pubspec.yaml, but only by extension.
|
212
213
|
]
|
213
214
|
CONTEXT_RULES[PackageManagers::PUB][ContextRule::PRIMARY_LANGUAGES] = ["Dart"]
|
@@ -215,7 +216,7 @@ module Dependabot
|
|
215
216
|
|
216
217
|
##
|
217
218
|
CONTEXT_RULES[PackageManagers::TERRAFORM][ContextRule::FETCH_FILES] = [
|
218
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
219
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/terraform/lib/dependabot/terraform/file_fetcher.rb#L19-L21
|
219
220
|
"HCL" # .tf and .hcl
|
220
221
|
]
|
221
222
|
CONTEXT_RULES[PackageManagers::TERRAFORM][ContextRule::PRIMARY_LANGUAGES] = []
|
@@ -223,7 +224,7 @@ module Dependabot
|
|
223
224
|
|
224
225
|
##
|
225
226
|
CONTEXT_RULES[PackageManagers::YARN][ContextRule::FETCH_FILES] = [
|
226
|
-
# https://github.com/dependabot/dependabot-core/blob/v0.
|
227
|
+
# https://github.com/dependabot/dependabot-core/blob/v0.217.0/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb#L31-L33
|
227
228
|
"YAML" # yarn.lock
|
228
229
|
]
|
229
230
|
CONTEXT_RULES[PackageManagers::YARN][ContextRule::PRIMARY_LANGUAGES] = ["JavaScript", "TypeScript"]
|