dependabot-maven 0.118.4 → 0.118.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/maven.rb +1 -1
- data/lib/dependabot/maven/file_parser.rb +10 -2
- data/lib/dependabot/maven/file_updater/declaration_finder.rb +5 -0
- data/lib/dependabot/maven/metadata_finder.rb +10 -7
- data/lib/dependabot/maven/update_checker/version_finder.rb +14 -4
- metadata +7 -21
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: aa3fbd7ab792af94cd4c0f2f30b48ce35078661d89804cb7f85e5a07816b3fc9
|
|
4
|
+
data.tar.gz: 9c7464a40e84e2c2de981946a1e8bd6b16b3916e70ae619ffd382a206eb06e00
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7d171938aa95f48287331abc61024f87fd9f6f4bcfdea89585d8848f4369f21e6177d78010dda3f4a5a642e859cef304de9c210f3e8afb1058597a0db287a40f
|
|
7
|
+
data.tar.gz: bdcdca70375e89e4963f6238a1c19829bf6316da87a4825e2ac98a32b051062fa5c23679891ea6189c082a4fca406f0cae6066fdca69ce86f412b189de7d8937
|
data/lib/dependabot/maven.rb
CHANGED
|
@@ -104,7 +104,7 @@ module Dependabot
|
|
|
104
104
|
return unless dependency_node.at_xpath("./groupId")
|
|
105
105
|
return unless dependency_node.at_xpath("./artifactId")
|
|
106
106
|
|
|
107
|
-
[
|
|
107
|
+
name = [
|
|
108
108
|
evaluated_value(
|
|
109
109
|
dependency_node.at_xpath("./groupId").content.strip,
|
|
110
110
|
pom
|
|
@@ -114,6 +114,15 @@ module Dependabot
|
|
|
114
114
|
pom
|
|
115
115
|
)
|
|
116
116
|
].join(":")
|
|
117
|
+
|
|
118
|
+
if dependency_node.at_xpath("./classifier")
|
|
119
|
+
name += ":#{evaluated_value(
|
|
120
|
+
dependency_node.at_xpath('./classifier').content.strip,
|
|
121
|
+
pom
|
|
122
|
+
)}"
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
name
|
|
117
126
|
end
|
|
118
127
|
|
|
119
128
|
def plugin_name(dependency_node, pom)
|
|
@@ -185,7 +194,6 @@ module Dependabot
|
|
|
185
194
|
return unless dependency_node.at_xpath("./version")
|
|
186
195
|
|
|
187
196
|
version_content = dependency_node.at_xpath("./version").content.strip
|
|
188
|
-
|
|
189
197
|
return unless version_content.match?(PROPERTY_REGEX)
|
|
190
198
|
|
|
191
199
|
version_content.
|
|
@@ -57,6 +57,11 @@ module Dependabot
|
|
|
57
57
|
evaluated_value(node.at_xpath("./*/artifactId").content.strip)
|
|
58
58
|
].compact.join(":")
|
|
59
59
|
|
|
60
|
+
if node.at_xpath("./*/classifier")
|
|
61
|
+
node_name += ":#{evaluated_value(node.at_xpath('./*/classifier').
|
|
62
|
+
content.strip)}"
|
|
63
|
+
end
|
|
64
|
+
|
|
60
65
|
next false unless node_name == dependency_name
|
|
61
66
|
next false unless packaging_type_matches?(node)
|
|
62
67
|
next false unless scope_matches?(node)
|
|
@@ -23,8 +23,7 @@ module Dependabot
|
|
|
23
23
|
tmp_source = look_up_source_in_pom(parent)
|
|
24
24
|
return unless tmp_source
|
|
25
25
|
|
|
26
|
-
|
|
27
|
-
return tmp_source if tmp_source.repo.end_with?(artifact)
|
|
26
|
+
return tmp_source if tmp_source.repo.end_with?(dependency_artifact_id)
|
|
28
27
|
return tmp_source if repo_has_subdir_for_dep?(tmp_source)
|
|
29
28
|
end
|
|
30
29
|
|
|
@@ -34,14 +33,13 @@ module Dependabot
|
|
|
34
33
|
return @repo_has_subdir_for_dep[tmp_source]
|
|
35
34
|
end
|
|
36
35
|
|
|
37
|
-
artifact = dependency.name.split(":").last
|
|
38
36
|
fetcher =
|
|
39
37
|
FileFetchers::Base.new(source: tmp_source, credentials: credentials)
|
|
40
38
|
|
|
41
39
|
@repo_has_subdir_for_dep[tmp_source] =
|
|
42
40
|
fetcher.send(:repo_contents, raise_errors: false).
|
|
43
41
|
select { |f| f.type == "dir" }.
|
|
44
|
-
any? { |f|
|
|
42
|
+
any? { |f| dependency_artifact_id.end_with?(f.name) }
|
|
45
43
|
rescue Dependabot::BranchNotFound
|
|
46
44
|
tmp_source.branch = nil
|
|
47
45
|
retry
|
|
@@ -96,18 +94,17 @@ module Dependabot
|
|
|
96
94
|
|
|
97
95
|
github_urls.find do |url|
|
|
98
96
|
repo = Source.from_url(url).repo
|
|
99
|
-
repo.end_with?(
|
|
97
|
+
repo.end_with?(dependency_artifact_id)
|
|
100
98
|
end
|
|
101
99
|
end
|
|
102
100
|
|
|
103
101
|
def dependency_pom_file
|
|
104
102
|
return @dependency_pom_file unless @dependency_pom_file.nil?
|
|
105
103
|
|
|
106
|
-
artifact_id = dependency.name.split(":").last
|
|
107
104
|
response = Excon.get(
|
|
108
105
|
"#{maven_repo_dependency_url}/"\
|
|
109
106
|
"#{dependency.version}/"\
|
|
110
|
-
"#{
|
|
107
|
+
"#{dependency_artifact_id}-#{dependency.version}.pom",
|
|
111
108
|
headers: auth_details,
|
|
112
109
|
idempotent: true,
|
|
113
110
|
**SharedHelpers.excon_defaults
|
|
@@ -118,6 +115,12 @@ module Dependabot
|
|
|
118
115
|
@dependency_pom_file = Nokogiri::XML("")
|
|
119
116
|
end
|
|
120
117
|
|
|
118
|
+
def dependency_artifact_id
|
|
119
|
+
_group_id, artifact_id, _classifier = dependency.name.split(":")
|
|
120
|
+
|
|
121
|
+
artifact_id
|
|
122
|
+
end
|
|
123
|
+
|
|
121
124
|
def parent_pom_file(pom)
|
|
122
125
|
doc = pom.dup
|
|
123
126
|
doc.remove_namespaces!
|
|
@@ -13,6 +13,8 @@ module Dependabot
|
|
|
13
13
|
class VersionFinder
|
|
14
14
|
TYPE_SUFFICES = %w(jre android java).freeze
|
|
15
15
|
|
|
16
|
+
MAVEN_RANGE_REGEX = /[\(\[].*,.*[\)\]]/.freeze
|
|
17
|
+
|
|
16
18
|
def initialize(dependency:, dependency_files:, credentials:,
|
|
17
19
|
ignored_versions:, security_advisories:,
|
|
18
20
|
raise_on_ignored: false)
|
|
@@ -94,7 +96,7 @@ module Dependabot
|
|
|
94
96
|
filtered = possible_versions
|
|
95
97
|
|
|
96
98
|
ignored_versions.each do |req|
|
|
97
|
-
ignore_req = Maven::Requirement.new(req
|
|
99
|
+
ignore_req = Maven::Requirement.new(parse_requirement_string(req))
|
|
98
100
|
filtered =
|
|
99
101
|
filtered.
|
|
100
102
|
reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
|
|
@@ -107,6 +109,12 @@ module Dependabot
|
|
|
107
109
|
filtered
|
|
108
110
|
end
|
|
109
111
|
|
|
112
|
+
def parse_requirement_string(string)
|
|
113
|
+
return string if string.match?(MAVEN_RANGE_REGEX)
|
|
114
|
+
|
|
115
|
+
string.split(",").map(&:strip)
|
|
116
|
+
end
|
|
117
|
+
|
|
110
118
|
def filter_vulnerable_versions(possible_versions)
|
|
111
119
|
versions_array = possible_versions
|
|
112
120
|
|
|
@@ -173,6 +181,7 @@ module Dependabot
|
|
|
173
181
|
**Dependabot::SharedHelpers.excon_defaults
|
|
174
182
|
)
|
|
175
183
|
check_response(response, repository_details.fetch("url"))
|
|
184
|
+
|
|
176
185
|
Nokogiri::XML(response.body)
|
|
177
186
|
rescue URI::InvalidURIError
|
|
178
187
|
Nokogiri::XML("")
|
|
@@ -248,7 +257,7 @@ module Dependabot
|
|
|
248
257
|
end
|
|
249
258
|
|
|
250
259
|
def dependency_metadata_url(repository_url)
|
|
251
|
-
group_id, artifact_id = dependency.name.split(":")
|
|
260
|
+
group_id, artifact_id, _classifier = dependency.name.split(":")
|
|
252
261
|
|
|
253
262
|
"#{repository_url}/"\
|
|
254
263
|
"#{group_id.tr('.', '/')}/"\
|
|
@@ -257,15 +266,16 @@ module Dependabot
|
|
|
257
266
|
end
|
|
258
267
|
|
|
259
268
|
def dependency_files_url(repository_url, version)
|
|
260
|
-
group_id, artifact_id = dependency.name.split(":")
|
|
269
|
+
group_id, artifact_id, classifier = dependency.name.split(":")
|
|
261
270
|
type = dependency.requirements.first.
|
|
262
271
|
dig(:metadata, :packaging_type)
|
|
263
272
|
|
|
273
|
+
actual_classifier = classifier.nil? ? "" : "-#{classifier}"
|
|
264
274
|
"#{repository_url}/"\
|
|
265
275
|
"#{group_id.tr('.', '/')}/"\
|
|
266
276
|
"#{artifact_id}/"\
|
|
267
277
|
"#{version}/"\
|
|
268
|
-
"#{artifact_id}-#{version}.#{type}"
|
|
278
|
+
"#{artifact_id}-#{version}#{actual_classifier}.#{type}"
|
|
269
279
|
end
|
|
270
280
|
|
|
271
281
|
def version_class
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-maven
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.118.
|
|
4
|
+
version: 0.118.10
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-08-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.118.
|
|
19
|
+
version: 0.118.10
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.118.
|
|
26
|
+
version: 0.118.10
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -94,34 +94,20 @@ dependencies:
|
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '1.2'
|
|
97
|
-
- !ruby/object:Gem::Dependency
|
|
98
|
-
name: rspec_junit_formatter
|
|
99
|
-
requirement: !ruby/object:Gem::Requirement
|
|
100
|
-
requirements:
|
|
101
|
-
- - "~>"
|
|
102
|
-
- !ruby/object:Gem::Version
|
|
103
|
-
version: '0.4'
|
|
104
|
-
type: :development
|
|
105
|
-
prerelease: false
|
|
106
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
-
requirements:
|
|
108
|
-
- - "~>"
|
|
109
|
-
- !ruby/object:Gem::Version
|
|
110
|
-
version: '0.4'
|
|
111
97
|
- !ruby/object:Gem::Dependency
|
|
112
98
|
name: rubocop
|
|
113
99
|
requirement: !ruby/object:Gem::Requirement
|
|
114
100
|
requirements:
|
|
115
101
|
- - "~>"
|
|
116
102
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: 0.
|
|
103
|
+
version: 0.88.0
|
|
118
104
|
type: :development
|
|
119
105
|
prerelease: false
|
|
120
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
107
|
requirements:
|
|
122
108
|
- - "~>"
|
|
123
109
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: 0.
|
|
110
|
+
version: 0.88.0
|
|
125
111
|
- !ruby/object:Gem::Dependency
|
|
126
112
|
name: vcr
|
|
127
113
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -191,7 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
191
177
|
- !ruby/object:Gem::Version
|
|
192
178
|
version: 2.5.0
|
|
193
179
|
requirements: []
|
|
194
|
-
rubygems_version: 3.
|
|
180
|
+
rubygems_version: 3.1.2
|
|
195
181
|
signing_key:
|
|
196
182
|
specification_version: 4
|
|
197
183
|
summary: Maven support for dependabot
|