dependabot-maven 0.259.0 → 0.261.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 973b81f3c154c6ea20606d75712191f44794b1478d65a0d6027aa1f2a4306683
|
4
|
+
data.tar.gz: 5c96139bca52f77cfeb503dfe93647bf8102f739f45546985e7d0d665a2dc65f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ff8362d39560cbfeb5a125c9ca5e66b144ff2d9b57634772cbfae1ac0f605f482be2cd47fb832173fed70dcc042228b9d4293ac7847570f0b727a79634129333
|
7
|
+
data.tar.gz: c5b2020b805980394694390844f894bbf04dd863966c86588b621dc7f86f9b57bc03d0a0f4ac4d48a6963c356bf71a3d8647cfa906a8a8fbc6f2113f0a361299
|
@@ -1,8 +1,9 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "nokogiri"
|
5
5
|
require "sorbet-runtime"
|
6
|
+
|
6
7
|
require "dependabot/file_fetchers"
|
7
8
|
require "dependabot/file_fetchers/base"
|
8
9
|
|
@@ -15,10 +16,12 @@ module Dependabot
|
|
15
16
|
MODULE_SELECTOR = "project > modules > module, " \
|
16
17
|
"profile > modules > module"
|
17
18
|
|
19
|
+
sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
|
18
20
|
def self.required_files_in?(filenames)
|
19
21
|
filenames.include?("pom.xml")
|
20
22
|
end
|
21
23
|
|
24
|
+
sig { override.returns(String) }
|
22
25
|
def self.required_files_message
|
23
26
|
"Repo must contain a pom.xml."
|
24
27
|
end
|
@@ -35,20 +38,22 @@ module Dependabot
|
|
35
38
|
|
36
39
|
private
|
37
40
|
|
41
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
38
42
|
def pom
|
39
|
-
@pom ||= fetch_file_from_host("pom.xml")
|
43
|
+
@pom ||= T.let(fetch_file_from_host("pom.xml"), T.nilable(Dependabot::DependencyFile))
|
40
44
|
end
|
41
45
|
|
46
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
42
47
|
def extensions
|
43
|
-
|
44
|
-
|
45
|
-
fetch_file_if_present(".mvn/extensions.xml")
|
48
|
+
@extensions ||= T.let(fetch_file_if_present(".mvn/extensions.xml"), T.nilable(Dependabot::DependencyFile))
|
46
49
|
end
|
47
50
|
|
51
|
+
sig { returns(T::Array[DependencyFile]) }
|
48
52
|
def child_poms
|
49
|
-
recursively_fetch_child_poms(pom, fetched_filenames: ["pom.xml"])
|
53
|
+
recursively_fetch_child_poms(T.must(pom), fetched_filenames: ["pom.xml"])
|
50
54
|
end
|
51
55
|
|
56
|
+
sig { params(fetched_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
|
52
57
|
def relative_path_parents(fetched_files)
|
53
58
|
fetched_files.flat_map do |file|
|
54
59
|
recursively_fetch_relative_path_parents(
|
@@ -58,6 +63,10 @@ module Dependabot
|
|
58
63
|
end
|
59
64
|
end
|
60
65
|
|
66
|
+
sig do
|
67
|
+
params(pom: Dependabot::DependencyFile,
|
68
|
+
fetched_filenames: T::Array[String]).returns(T::Array[Dependabot::DependencyFile])
|
69
|
+
end
|
61
70
|
def recursively_fetch_child_poms(pom, fetched_filenames:)
|
62
71
|
base_path = File.dirname(pom.name)
|
63
72
|
doc = Nokogiri::XML(pom.content)
|
@@ -69,7 +78,7 @@ module Dependabot
|
|
69
78
|
relative_path,
|
70
79
|
relative_path.end_with?(".xml") ? nil : "pom.xml"
|
71
80
|
].compact.reject(&:empty?)
|
72
|
-
path = Pathname.new(File.join(
|
81
|
+
path = Pathname.new(File.join(name_parts)).cleanpath.to_path
|
73
82
|
|
74
83
|
next [] if fetched_filenames.include?(path)
|
75
84
|
|
@@ -84,12 +93,16 @@ module Dependabot
|
|
84
93
|
fetched_filenames += [child_pom.name] + fetched_files.map(&:name)
|
85
94
|
fetched_files
|
86
95
|
rescue Dependabot::DependencyFileNotFound
|
87
|
-
|
96
|
+
fetch_file_from_host(T.must(path), fetch_submodules: true)
|
88
97
|
|
89
98
|
[] # Ignore any child submodules (since we can't update them)
|
90
99
|
end
|
91
100
|
end
|
92
101
|
|
102
|
+
sig do
|
103
|
+
params(pom: Dependabot::DependencyFile,
|
104
|
+
fetched_filenames: T::Array[String]).returns(T::Array[Dependabot::DependencyFile])
|
105
|
+
end
|
93
106
|
def recursively_fetch_relative_path_parents(pom, fetched_filenames:)
|
94
107
|
path = parent_path_for_pom(pom)
|
95
108
|
|
@@ -98,7 +111,7 @@ module Dependabot
|
|
98
111
|
full_path_parts =
|
99
112
|
[directory.gsub(%r{^/}, ""), path].reject(&:empty?).compact
|
100
113
|
|
101
|
-
full_path = Pathname.new(File.join(
|
114
|
+
full_path = Pathname.new(File.join(full_path_parts)).cleanpath.to_path
|
102
115
|
|
103
116
|
return [] if full_path.start_with?("..")
|
104
117
|
|
@@ -117,6 +130,7 @@ module Dependabot
|
|
117
130
|
[]
|
118
131
|
end
|
119
132
|
|
133
|
+
sig { params(pom: Dependabot::DependencyFile).returns(T.nilable(String)) }
|
120
134
|
def parent_path_for_pom(pom)
|
121
135
|
doc = Nokogiri::XML(pom.content)
|
122
136
|
doc.remove_namespaces!
|
@@ -132,9 +146,10 @@ module Dependabot
|
|
132
146
|
relative_parent_path.end_with?(".xml") ? nil : "pom.xml"
|
133
147
|
].compact.reject(&:empty?)
|
134
148
|
|
135
|
-
Pathname.new(File.join(
|
149
|
+
Pathname.new(File.join(name_parts)).cleanpath.to_path
|
136
150
|
end
|
137
151
|
|
152
|
+
sig { params(pom: Dependabot::DependencyFile, parent_pom: Dependabot::DependencyFile).returns(T::Boolean) }
|
138
153
|
def fetched_pom_is_parent(pom, parent_pom)
|
139
154
|
pom_doc = Nokogiri::XML(pom.content).remove_namespaces!
|
140
155
|
pom_artifact_id, pom_group_id, pom_version = fetch_pom_unique_ids(pom_doc, true)
|
@@ -149,6 +164,7 @@ module Dependabot
|
|
149
164
|
end
|
150
165
|
end
|
151
166
|
|
167
|
+
sig { params(doc: Nokogiri::XML::Document, check_parent_node: T::Boolean).returns(T::Array[T.nilable(String)]) }
|
152
168
|
def fetch_pom_unique_ids(doc, check_parent_node)
|
153
169
|
parent = check_parent_node ? "/parent" : ""
|
154
170
|
group_id = doc.at_xpath("/project#{parent}/groupId")&.content&.strip
|
@@ -1,7 +1,8 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "nokogiri"
|
5
|
+
require "sorbet-runtime"
|
5
6
|
|
6
7
|
require "dependabot/dependency"
|
7
8
|
require "dependabot/file_parsers"
|
@@ -46,7 +47,7 @@ module Dependabot
|
|
46
47
|
def pomfile_dependencies(pom)
|
47
48
|
dependency_set = DependencySet.new
|
48
49
|
|
49
|
-
errors = []
|
50
|
+
errors = T.let([], T::Array[Dependabot::DependencyFileNotEvaluatable])
|
50
51
|
doc = Nokogiri::XML(pom.content)
|
51
52
|
doc.remove_namespaces!
|
52
53
|
|
@@ -64,7 +65,7 @@ module Dependabot
|
|
64
65
|
errors << e
|
65
66
|
end
|
66
67
|
|
67
|
-
raise errors.first if errors.any? && dependency_set.dependencies.none?
|
68
|
+
raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
|
68
69
|
|
69
70
|
dependency_set
|
70
71
|
end
|
@@ -72,7 +73,7 @@ module Dependabot
|
|
72
73
|
def extensionfile_dependencies(extension)
|
73
74
|
dependency_set = DependencySet.new
|
74
75
|
|
75
|
-
errors = []
|
76
|
+
errors = T.let([], T::Array[Dependabot::DependencyFileNotEvaluatable])
|
76
77
|
doc = Nokogiri::XML(extension.content)
|
77
78
|
doc.remove_namespaces!
|
78
79
|
|
@@ -83,7 +84,7 @@ module Dependabot
|
|
83
84
|
errors << e
|
84
85
|
end
|
85
86
|
|
86
|
-
raise errors.first if errors.any? && dependency_set.dependencies.none?
|
87
|
+
raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
|
87
88
|
|
88
89
|
dependency_set
|
89
90
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "nokogiri"
|
@@ -9,14 +9,17 @@ require "dependabot/maven/file_parser"
|
|
9
9
|
require "dependabot/maven/file_parser/repositories_finder"
|
10
10
|
require "dependabot/maven/utils/auth_headers_finder"
|
11
11
|
require "dependabot/registry_client"
|
12
|
+
require "sorbet-runtime"
|
12
13
|
|
13
14
|
module Dependabot
|
14
15
|
module Maven
|
15
16
|
class MetadataFinder < Dependabot::MetadataFinders::Base
|
17
|
+
extend T::Sig
|
16
18
|
DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
|
17
19
|
|
18
20
|
private
|
19
21
|
|
22
|
+
sig { override.returns(T.nilable(Dependabot::Source)) }
|
20
23
|
def look_up_source
|
21
24
|
tmp_source = look_up_source_in_pom(dependency_pom_file)
|
22
25
|
return tmp_source if tmp_source
|
@@ -26,14 +29,15 @@ module Dependabot
|
|
26
29
|
tmp_source = look_up_source_in_pom(parent)
|
27
30
|
return unless tmp_source
|
28
31
|
|
29
|
-
return tmp_source if tmp_source.repo.end_with?(dependency_artifact_id)
|
32
|
+
return tmp_source if tmp_source.repo.end_with?(T.must(dependency_artifact_id))
|
30
33
|
|
31
34
|
tmp_source if repo_has_subdir_for_dep?(tmp_source)
|
32
35
|
end
|
33
36
|
|
37
|
+
sig { params(tmp_source: Dependabot::Source).returns(T::Boolean) }
|
34
38
|
def repo_has_subdir_for_dep?(tmp_source)
|
35
|
-
@repo_has_subdir_for_dep ||= {}
|
36
|
-
return @repo_has_subdir_for_dep[tmp_source] if @repo_has_subdir_for_dep.key?(tmp_source)
|
39
|
+
@repo_has_subdir_for_dep ||= T.let({}, T.nilable(T::Hash[Dependabot::Source, T::Boolean]))
|
40
|
+
return T.must(@repo_has_subdir_for_dep[tmp_source]) if @repo_has_subdir_for_dep.key?(tmp_source)
|
37
41
|
|
38
42
|
fetcher =
|
39
43
|
Dependabot::Maven::FileFetcher.new(source: tmp_source, credentials: credentials)
|
@@ -41,18 +45,19 @@ module Dependabot
|
|
41
45
|
@repo_has_subdir_for_dep[tmp_source] =
|
42
46
|
fetcher.send(:repo_contents, raise_errors: false)
|
43
47
|
.select { |f| f.type == "dir" }
|
44
|
-
.any? { |f| dependency_artifact_id.end_with?(f.name) }
|
48
|
+
.any? { |f| T.must(dependency_artifact_id).end_with?(f.name) }
|
45
49
|
rescue Dependabot::BranchNotFound
|
46
50
|
# If we are attempting to find a branch, we should fail over to the default branch and retry once only
|
47
51
|
unless tmp_source.branch.to_s.empty?
|
48
52
|
tmp_source.branch = nil
|
49
53
|
retry
|
50
54
|
end
|
51
|
-
@repo_has_subdir_for_dep[tmp_source] = false
|
55
|
+
T.must(@repo_has_subdir_for_dep)[tmp_source] = false
|
52
56
|
rescue Dependabot::RepoNotFound
|
53
|
-
@repo_has_subdir_for_dep[tmp_source] = false
|
57
|
+
T.must(@repo_has_subdir_for_dep)[tmp_source] = false
|
54
58
|
end
|
55
59
|
|
60
|
+
sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
|
56
61
|
def look_up_source_in_pom(pom)
|
57
62
|
potential_source_urls = [
|
58
63
|
pom.at_css("project > url")&.content,
|
@@ -67,15 +72,16 @@ module Dependabot
|
|
67
72
|
Source.from_url(source_url)
|
68
73
|
end
|
69
74
|
|
75
|
+
sig { params(source_url: T.nilable(String), pom: Nokogiri::XML::Document).returns(T.nilable(String)) }
|
70
76
|
def substitute_properties_in_source_url(source_url, pom)
|
71
77
|
return unless source_url
|
72
78
|
return source_url unless source_url.include?("${")
|
73
79
|
|
74
80
|
regex = Maven::FileParser::PROPERTY_REGEX
|
75
|
-
property_name = source_url.match(regex).named_captures["property"]
|
81
|
+
property_name = T.must(source_url.match(regex)).named_captures["property"]
|
76
82
|
doc = pom.dup
|
77
83
|
doc.remove_namespaces!
|
78
|
-
nm = property_name.sub(/^pom\./, "").sub(/^project\./, "")
|
84
|
+
nm = T.must(property_name).sub(/^pom\./, "").sub(/^project\./, "")
|
79
85
|
property_value =
|
80
86
|
loop do
|
81
87
|
candidate_node =
|
@@ -92,6 +98,7 @@ module Dependabot
|
|
92
98
|
substitute_properties_in_source_url(url, pom)
|
93
99
|
end
|
94
100
|
|
101
|
+
sig { params(pom: T.any(String, Nokogiri::XML::Document)).returns(T.nilable(String)) }
|
95
102
|
def source_from_anywhere_in_pom(pom)
|
96
103
|
github_urls = []
|
97
104
|
pom.to_s.scan(Source::SOURCE_REGEX) do
|
@@ -99,12 +106,15 @@ module Dependabot
|
|
99
106
|
end
|
100
107
|
|
101
108
|
github_urls.find do |url|
|
102
|
-
repo = Source.from_url(url).repo
|
103
|
-
repo.end_with?(dependency_artifact_id)
|
109
|
+
repo = T.must(Source.from_url(url)).repo
|
110
|
+
repo.end_with?(T.must(dependency_artifact_id))
|
104
111
|
end
|
105
112
|
end
|
106
113
|
|
114
|
+
sig { returns(Nokogiri::XML::Document) }
|
107
115
|
def dependency_pom_file
|
116
|
+
@dependency_pom_file ||= T.let(nil, T.nilable(Nokogiri::XML::Document))
|
117
|
+
|
108
118
|
return @dependency_pom_file unless @dependency_pom_file.nil?
|
109
119
|
|
110
120
|
response = Dependabot::RegistryClient.get(
|
@@ -117,12 +127,14 @@ module Dependabot
|
|
117
127
|
@dependency_pom_file = Nokogiri::XML("")
|
118
128
|
end
|
119
129
|
|
130
|
+
sig { returns(T.nilable(String)) }
|
120
131
|
def dependency_artifact_id
|
121
132
|
_group_id, artifact_id = dependency.name.split(":")
|
122
133
|
|
123
134
|
artifact_id
|
124
135
|
end
|
125
136
|
|
137
|
+
sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Nokogiri::XML::Document)) }
|
126
138
|
def parent_pom_file(pom)
|
127
139
|
doc = pom.dup
|
128
140
|
doc.remove_namespaces!
|
@@ -138,30 +150,37 @@ module Dependabot
|
|
138
150
|
"#{artifact_id}-#{version}.pom"
|
139
151
|
|
140
152
|
response = Dependabot::RegistryClient.get(
|
141
|
-
url: substitute_properties_in_source_url(url, pom),
|
153
|
+
url: T.must(substitute_properties_in_source_url(url, pom)),
|
142
154
|
headers: auth_headers
|
143
155
|
)
|
144
156
|
|
145
157
|
Nokogiri::XML(response.body)
|
146
158
|
end
|
147
159
|
|
160
|
+
sig { returns(String) }
|
148
161
|
def maven_repo_url
|
149
162
|
source = dependency.requirements
|
150
|
-
.find { |r| r
|
163
|
+
.find { |r| r.fetch(:source) }&.fetch(:source)
|
151
164
|
|
152
165
|
source&.fetch(:url, nil) ||
|
153
166
|
source&.fetch("url") ||
|
154
|
-
Maven::FileParser::RepositoriesFinder.new(credentials: credentials
|
167
|
+
Dependabot::Maven::FileParser::RepositoriesFinder.new(credentials: credentials,
|
168
|
+
pom_fetcher: nil).central_repo_url
|
155
169
|
end
|
156
170
|
|
171
|
+
sig { returns(String) }
|
157
172
|
def maven_repo_dependency_url
|
158
173
|
group_id, artifact_id = dependency.name.split(":")
|
159
174
|
|
160
|
-
"#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
|
175
|
+
"#{maven_repo_url}/#{T.must(group_id).tr('.', '/')}/#{artifact_id}"
|
161
176
|
end
|
162
177
|
|
178
|
+
sig { returns(T::Hash[String, String]) }
|
163
179
|
def auth_headers
|
164
|
-
@auth_headers ||=
|
180
|
+
@auth_headers ||= T.let(
|
181
|
+
Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url),
|
182
|
+
T.nilable(T::Hash[String, String])
|
183
|
+
)
|
165
184
|
end
|
166
185
|
end
|
167
186
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-maven
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.261.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-06-13 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.261.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.261.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -264,7 +264,7 @@ licenses:
|
|
264
264
|
- MIT
|
265
265
|
metadata:
|
266
266
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
267
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
267
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.261.0
|
268
268
|
post_install_message:
|
269
269
|
rdoc_options: []
|
270
270
|
require_paths:
|