dependabot-maven 0.155.1 → 0.156.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81d04eb91efbee7e3b673f00f16e9f8f85ebe789b03afd9f74e2abe85fcccecf
-  data.tar.gz: bcee568eddc1651d27092fbe494aa8f9e2929a3fbd26157eb7873984b73426bb
+  metadata.gz: feeb88c8b9bfbd7462b12cdbb345bd379641fb3bdc38d445e75a5e422fe60e22
+  data.tar.gz: 899a394d853ad6f889bc3539acb5d64f39511b3d8d1a329d190995f583ef2ae1
 SHA512:
-  metadata.gz: 795faa7666428c64137b1230feeeb5dc182a679a3eb10feaa16619299ba6c9be0b544dfe5749098d20eadb056332e5a4cfaad21c741e248ae752b88547a6994c
-  data.tar.gz: 8922ba25411d320cb4ed679d4b321e6dc5f7a12b37cf102f78a94375a87110d92bc847c87fe4468abc3046ca57401fdcc3bba1870b5d5292093bb515264889b9
+  metadata.gz: 04ba6f3d8a32f6dc78cd030d6fbb60b7944285b8bc54681afe03ee8c0050f80ccac9a4517587e78d10e1f1fdbfcefa8b1924aeb49383594ae36ba324591ab096
+  data.tar.gz: 3bb78982430ffe9d0f24d4c32bc121fb4b06fd451bf5fa1fc7a209b9d008578d89fc0b7a79375818b23826ba2a55949ac830ace0097e2ea210863a02d7ff3cfa

data/lib/dependabot/maven/file_fetcher.rb

@@ -25,6 +25,7 @@ module Dependabot
         fetched_files << pom
         fetched_files += child_poms
         fetched_files += relative_path_parents(fetched_files)
+        fetched_files << extensions if extensions
         fetched_files.uniq
       end
 
@@ -32,6 +33,17 @@ module Dependabot
         @pom ||= fetch_file_from_host("pom.xml")
       end
 
+      def extensions
+        return @extensions if defined?(@extensions)
+        return @extensions if defined?(@extensions)
+
+        begin
+          fetch_file_if_present(".mvn/extensions.xml")
+        rescue Dependabot::DependencyFileNotFound
+          nil
+        end
+      end
+
       def child_poms
         recursively_fetch_child_poms(pom, fetched_filenames: ["pom.xml"])
       end

data/lib/dependabot/maven/file_parser.rb

@@ -25,6 +25,7 @@ module Dependabot
                             "dependencies > dependency, "\
                             "extensions > extension"
       PLUGIN_SELECTOR     = "plugins > plugin"
+      EXTENSION_SELECTOR  = "extensions > extension"
 
       # Regex to get the property name from a declaration that uses a property
       PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/.freeze
@@ -32,6 +33,7 @@ module Dependabot
       def parse
         dependency_set = DependencySet.new
         pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
+        extensionfiles.each { |extension| dependency_set += extensionfile_dependencies(extension) }
         dependency_set.dependencies
       end
 
@@ -63,6 +65,25 @@ module Dependabot
         dependency_set
       end
 
+      def extensionfile_dependencies(extension)
+        dependency_set = DependencySet.new
+
+        errors = []
+        doc = Nokogiri::XML(extension.content)
+        doc.remove_namespaces!
+
+        doc.css(EXTENSION_SELECTOR).each do |dependency_node|
+          dep = dependency_from_dependency_node(extension, dependency_node)
+          dependency_set << dep if dep
+        rescue DependencyFileNotEvaluatable => e
+          errors << e
+        end
+
+        raise errors.first if errors.any? && dependency_set.dependencies.none?
+
+        dependency_set
+      end
+
       def dependency_from_dependency_node(pom, dependency_node)
         return unless (name = dependency_name(dependency_node, pom))
         return if internal_dependency_names.include?(name)
@@ -252,6 +273,11 @@ module Dependabot
           dependency_files.select { |f| f.name.end_with?("pom.xml") }
       end
 
+      def extensionfiles
+        @extensionfiles ||=
+          dependency_files.select { |f| f.name.end_with?("extensions.xml") }
+      end
+
       def internal_dependency_names
         @internal_dependency_names ||=
           dependency_files.map do |pom|

data/lib/dependabot/maven/file_updater.rb

@@ -11,25 +11,28 @@ module Dependabot
       require_relative "file_updater/property_value_updater"
 
       def self.updated_files_regex
-        [/^pom\.xml$/, %r{/pom\.xml$}]
+        [
+          /^pom\.xml$/, %r{/pom\.xml$},
+          /^extensions.\.xml$/, %r{/extensions\.xml$}
+        ]
       end
 
       def updated_dependency_files
         updated_files = dependency_files.dup
 
         # Loop through each of the changed requirements, applying changes to
-        # all pomfiles for that change. Note that the logic is different here
-        # to other languages because Java has property inheritance across
-        # files
+        # all pom and extensions files for that change. Note that the logic
+        # is different here to other package managers because Maven has property
+        # inheritance across files
         dependencies.each do |dependency|
-          updated_files = update_pomfiles_for_dependency(
-            pomfiles: updated_files,
+          updated_files = update_files_for_dependency(
+            original_files: updated_files,
             dependency: dependency
           )
         end
 
-        updated_files.select! { |f| f.name.end_with?("pom.xml") }
-        updated_files.reject! { |f| original_pomfiles.include?(f) }
+        updated_files.select! { |f| f.name.end_with?("pom.xml") || f.name.end_with?("extensions.xml") }
+        updated_files.reject! { |f| dependency_files.include?(f) }
 
         raise "No files changed!" if updated_files.none?
         raise "Updated a supporting POM!" if updated_files.any? { |f| f.name.end_with?("pom_parent.xml") }
@@ -43,15 +46,15 @@ module Dependabot
         raise "No pom.xml!" unless get_original_file("pom.xml")
       end
 
-      def update_pomfiles_for_dependency(pomfiles:, dependency:)
-        files = pomfiles.dup
+      def update_files_for_dependency(original_files:, dependency:)
+        files = original_files.dup
 
         # The UpdateChecker ensures the order of requirements is preserved
         # when updating, so we can zip them together in new/old pairs.
         reqs = dependency.requirements.zip(dependency.previous_requirements).
                reject { |new_req, old_req| new_req == old_req }
 
-        # Loop through each changed requirement and update the pomfiles
+        # Loop through each changed requirement and update the files
         reqs.each do |new_req, old_req|
           raise "Bad req match" unless new_req[:file] == old_req[:file]
           next if new_req[:requirement] == old_req[:requirement]
@@ -62,9 +65,9 @@ module Dependabot
             files[files.index(pom)] =
               remove_property_suffix_in_pom(dependency, pom, old_req)
           else
-            pom = files.find { |f| f.name == new_req.fetch(:file) }
-            files[files.index(pom)] =
-              update_version_in_pom(dependency, pom, old_req, new_req)
+            file = files.find { |f| f.name == new_req.fetch(:file) }
+            files[files.index(file)] =
+              update_version_in_file(dependency, file, old_req, new_req)
           end
         end
 
@@ -82,25 +85,25 @@ module Dependabot
           )
       end
 
-      def update_version_in_pom(dependency, pom, previous_req, requirement)
-        updated_content = pom.content
+      def update_version_in_file(dependency, file, previous_req, requirement)
+        updated_content = file.content
 
-        original_pom_declarations(dependency, previous_req).each do |old_dec|
+        original_file_declarations(dependency, previous_req).each do |old_dec|
           updated_content = updated_content.gsub(
             old_dec,
-            updated_pom_declaration(old_dec, previous_req, requirement)
+            updated_file_declaration(old_dec, previous_req, requirement)
           )
         end
 
-        raise "Expected content to change!" if updated_content == pom.content
+        raise "Expected content to change!" if updated_content == file.content
 
-        updated_file(file: pom, content: updated_content)
+        updated_file(file: file, content: updated_content)
       end
 
       def remove_property_suffix_in_pom(dep, pom, req)
         updated_content = pom.content
 
-        original_pom_declarations(dep, req).each do |old_declaration|
+        original_file_declarations(dep, req).each do |old_declaration|
           updated_content = updated_content.gsub(old_declaration) do |old_dec|
             version_string =
               old_dec.match(%r{(?<=\<version\>).*(?=\</version\>)})
@@ -116,7 +119,7 @@ module Dependabot
         updated_file(file: pom, content: updated_content)
       end
 
-      def original_pom_declarations(dependency, requirement)
+      def original_file_declarations(dependency, requirement)
         declaration_finder(dependency, requirement).declaration_strings
       end
 
@@ -132,7 +135,7 @@ module Dependabot
           )
       end
 
-      def updated_pom_declaration(old_declaration, previous_req, requirement)
+      def updated_file_declaration(old_declaration, previous_req, requirement)
         original_req_string = previous_req.fetch(:requirement)
 
         old_declaration.gsub(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.155.1
+  version: 0.156.4
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-23 00:00:00.000000000 Z
+date: 2021-06-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.155.1
+        version: 0.156.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.155.1
+        version: 0.156.4
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.16.0
+        version: 1.18.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.16.0
+        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement