dependabot-maven 0.259.0 → 0.261.0

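--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1b0bea9634fbaf63a431a74530cb0f82afff08e390d09dc4e199685b20661051
-data.tar.gz: e847a204478e9cb54d778fba3057898cbde11ca049548b9707b2cc6a97e4afe4
+metadata.gz: 973b81f3c154c6ea20606d75712191f44794b1478d65a0d6027aa1f2a4306683
+data.tar.gz: 5c96139bca52f77cfeb503dfe93647bf8102f739f45546985e7d0d665a2dc65f
 SHA512:
-metadata.gz: 760af7d750264daff2851306a343d78ca62b84b71fa0c8f4641f7af25668c300fb06346a69a2efd3805965d549429a5e3ee0394a9f0e47fdc0ea3b35611a300e
-data.tar.gz: a44f1729e9e814d00594ea610e13d9d4948c897e9fba2d1d4324d72f03008391c1ebadb950d849026558faeddec3cb0196d7bf95e2ec74ecc08babb5d14de8d3
+metadata.gz: ff8362d39560cbfeb5a125c9ca5e66b144ff2d9b57634772cbfae1ac0f605f482be2cd47fb832173fed70dcc042228b9d4293ac7847570f0b727a79634129333
+data.tar.gz: c5b2020b805980394694390844f894bbf04dd863966c86588b621dc7f86f9b57bc03d0a0f4ac4d48a6963c356bf71a3d8647cfa906a8a8fbc6f2113f0a361299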
@@ -1,8 +1,9 @@
1
- # typed: false
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "nokogiri"
5
5
  require "sorbet-runtime"
6
+
6
7
  require "dependabot/file_fetchers"
7
8
  require "dependabot/file_fetchers/base"
8
9
 
@@ -15,10 +16,12 @@ module Dependabot
15
16
  MODULE_SELECTOR = "project > modules > module, " \
16
17
  "profile > modules > module"
17
18
 
19
+ sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
18
20
  def self.required_files_in?(filenames)
19
21
  filenames.include?("pom.xml")
20
22
  end
21
23
 
24
+ sig { override.returns(String) }
22
25
  def self.required_files_message
23
26
  "Repo must contain a pom.xml."
24
27
  end
@@ -35,20 +38,22 @@ module Dependabot
35
38
 
36
39
  private
37
40
 
41
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
38
42
  def pom
39
- @pom ||= fetch_file_from_host("pom.xml")
43
+ @pom ||= T.let(fetch_file_from_host("pom.xml"), T.nilable(Dependabot::DependencyFile))
40
44
  end
41
45
 
46
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
42
47
  def extensions
43
- return @extensions if defined?(@extensions)
44
-
45
- fetch_file_if_present(".mvn/extensions.xml")
48
+ @extensions ||= T.let(fetch_file_if_present(".mvn/extensions.xml"), T.nilable(Dependabot::DependencyFile))
46
49
  end
47
50
 
51
+ sig { returns(T::Array[DependencyFile]) }
48
52
  def child_poms
49
- recursively_fetch_child_poms(pom, fetched_filenames: ["pom.xml"])
53
+ recursively_fetch_child_poms(T.must(pom), fetched_filenames: ["pom.xml"])
50
54
  end
51
55
 
56
+ sig { params(fetched_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
52
57
  def relative_path_parents(fetched_files)
53
58
  fetched_files.flat_map do |file|
54
59
  recursively_fetch_relative_path_parents(
@@ -58,6 +63,10 @@ module Dependabot
58
63
  end
59
64
  end
60
65
 
66
+ sig do
67
+ params(pom: Dependabot::DependencyFile,
68
+ fetched_filenames: T::Array[String]).returns(T::Array[Dependabot::DependencyFile])
69
+ end
61
70
  def recursively_fetch_child_poms(pom, fetched_filenames:)
62
71
  base_path = File.dirname(pom.name)
63
72
  doc = Nokogiri::XML(pom.content)
@@ -69,7 +78,7 @@ module Dependabot
69
78
  relative_path,
70
79
  relative_path.end_with?(".xml") ? nil : "pom.xml"
71
80
  ].compact.reject(&:empty?)
72
- path = Pathname.new(File.join(*name_parts)).cleanpath.to_path
81
+ path = Pathname.new(File.join(name_parts)).cleanpath.to_path
73
82
 
74
83
  next [] if fetched_filenames.include?(path)
75
84
 
@@ -84,12 +93,16 @@ module Dependabot
84
93
  fetched_filenames += [child_pom.name] + fetched_files.map(&:name)
85
94
  fetched_files
86
95
  rescue Dependabot::DependencyFileNotFound
87
- raise unless fetch_file_from_host(path, fetch_submodules: true)
96
+ fetch_file_from_host(T.must(path), fetch_submodules: true)
88
97
 
89
98
  [] # Ignore any child submodules (since we can't update them)
90
99
  end
91
100
  end
92
101
 
102
+ sig do
103
+ params(pom: Dependabot::DependencyFile,
104
+ fetched_filenames: T::Array[String]).returns(T::Array[Dependabot::DependencyFile])
105
+ end
93
106
  def recursively_fetch_relative_path_parents(pom, fetched_filenames:)
94
107
  path = parent_path_for_pom(pom)
95
108
 
@@ -98,7 +111,7 @@ module Dependabot
98
111
  full_path_parts =
99
112
  [directory.gsub(%r{^/}, ""), path].reject(&:empty?).compact
100
113
 
101
- full_path = Pathname.new(File.join(*full_path_parts)).cleanpath.to_path
114
+ full_path = Pathname.new(File.join(full_path_parts)).cleanpath.to_path
102
115
 
103
116
  return [] if full_path.start_with?("..")
104
117
 
@@ -117,6 +130,7 @@ module Dependabot
117
130
  []
118
131
  end
119
132
 
133
+ sig { params(pom: Dependabot::DependencyFile).returns(T.nilable(String)) }
120
134
  def parent_path_for_pom(pom)
121
135
  doc = Nokogiri::XML(pom.content)
122
136
  doc.remove_namespaces!
@@ -132,9 +146,10 @@ module Dependabot
132
146
  relative_parent_path.end_with?(".xml") ? nil : "pom.xml"
133
147
  ].compact.reject(&:empty?)
134
148
 
135
- Pathname.new(File.join(*name_parts)).cleanpath.to_path
149
+ Pathname.new(File.join(name_parts)).cleanpath.to_path
136
150
  end
137
151
 
152
+ sig { params(pom: Dependabot::DependencyFile, parent_pom: Dependabot::DependencyFile).returns(T::Boolean) }
138
153
  def fetched_pom_is_parent(pom, parent_pom)
139
154
  pom_doc = Nokogiri::XML(pom.content).remove_namespaces!
140
155
  pom_artifact_id, pom_group_id, pom_version = fetch_pom_unique_ids(pom_doc, true)
@@ -149,6 +164,7 @@ module Dependabot
149
164
  end
150
165
  end
151
166
 
167
+ sig { params(doc: Nokogiri::XML::Document, check_parent_node: T::Boolean).returns(T::Array[T.nilable(String)]) }
152
168
  def fetch_pom_unique_ids(doc, check_parent_node)
153
169
  parent = check_parent_node ? "/parent" : ""
154
170
  group_id = doc.at_xpath("/project#{parent}/groupId")&.content&.strip
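Review bot: In the `rescue Dependabot::DependencyFileNotFound` branch of `recursively_fetch_child_poms`, the new line `fetch_file_from_host(T.must(path), fetch_submodules: true)` drops the former `raise unless` guard, so a nil result from the submodule fetch no longer re-raises and the method falls through to `[]`. Whether `fetch_file_from_host` can return nil is not visible in this section, but `pom` types its result as `T.nilable(Dependabot::DependencyFile)`, and if it can, a declared child module whose pom is genuinely missing is now skipped silently instead of surfacing `DependencyFileNotFound`; restoring `raise unless fetch_file_from_host(path, fetch_submodules: true)` keeps the old behaviour, and `T.must(path)` is redundant because `path` comes from `Pathname#cleanpath.to_path` and is always a String. The enclosing method begins before the hunk, so the loop it sits in is only partly visible here. Separately, `extensions` now memoizes with `||=`, which re-runs `fetch_file_if_present(".mvn/extensions.xml")` on every call when the file is absent; a `defined?(@extensions)` check around an explicit assignment would cache the nil as the old code intended but never actually did.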
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "nokogiri"
@@ -1,7 +1,8 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "nokogiri"
5
+ require "sorbet-runtime"
5
6
 
6
7
  require "dependabot/dependency"
7
8
  require "dependabot/file_parsers"
@@ -46,7 +47,7 @@ module Dependabot
46
47
  def pomfile_dependencies(pom)
47
48
  dependency_set = DependencySet.new
48
49
 
49
- errors = []
50
+ errors = T.let([], T::Array[Dependabot::DependencyFileNotEvaluatable])
50
51
  doc = Nokogiri::XML(pom.content)
51
52
  doc.remove_namespaces!
52
53
 
@@ -64,7 +65,7 @@ module Dependabot
64
65
  errors << e
65
66
  end
66
67
 
67
- raise errors.first if errors.any? && dependency_set.dependencies.none?
68
+ raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
68
69
 
69
70
  dependency_set
70
71
  end
@@ -72,7 +73,7 @@ module Dependabot
72
73
  def extensionfile_dependencies(extension)
73
74
  dependency_set = DependencySet.new
74
75
 
75
- errors = []
76
+ errors = T.let([], T::Array[Dependabot::DependencyFileNotEvaluatable])
76
77
  doc = Nokogiri::XML(extension.content)
77
78
  doc.remove_namespaces!
78
79
 
@@ -83,7 +84,7 @@ module Dependabot
83
84
  errors << e
84
85
  end
85
86
 
86
- raise errors.first if errors.any? && dependency_set.dependencies.none?
87
+ raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
87
88
 
88
89
  dependency_set
89
90
  end
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "nokogiri"
@@ -9,14 +9,17 @@ require "dependabot/maven/file_parser"
9
9
  require "dependabot/maven/file_parser/repositories_finder"
10
10
  require "dependabot/maven/utils/auth_headers_finder"
11
11
  require "dependabot/registry_client"
12
+ require "sorbet-runtime"
12
13
 
13
14
  module Dependabot
14
15
  module Maven
15
16
  class MetadataFinder < Dependabot::MetadataFinders::Base
17
+ extend T::Sig
16
18
  DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
17
19
 
18
20
  private
19
21
 
22
+ sig { override.returns(T.nilable(Dependabot::Source)) }
20
23
  def look_up_source
21
24
  tmp_source = look_up_source_in_pom(dependency_pom_file)
22
25
  return tmp_source if tmp_source
@@ -26,14 +29,15 @@ module Dependabot
26
29
  tmp_source = look_up_source_in_pom(parent)
27
30
  return unless tmp_source
28
31
 
29
- return tmp_source if tmp_source.repo.end_with?(dependency_artifact_id)
32
+ return tmp_source if tmp_source.repo.end_with?(T.must(dependency_artifact_id))
30
33
 
31
34
  tmp_source if repo_has_subdir_for_dep?(tmp_source)
32
35
  end
33
36
 
37
+ sig { params(tmp_source: Dependabot::Source).returns(T::Boolean) }
34
38
  def repo_has_subdir_for_dep?(tmp_source)
35
- @repo_has_subdir_for_dep ||= {}
36
- return @repo_has_subdir_for_dep[tmp_source] if @repo_has_subdir_for_dep.key?(tmp_source)
39
+ @repo_has_subdir_for_dep ||= T.let({}, T.nilable(T::Hash[Dependabot::Source, T::Boolean]))
40
+ return T.must(@repo_has_subdir_for_dep[tmp_source]) if @repo_has_subdir_for_dep.key?(tmp_source)
37
41
 
38
42
  fetcher =
39
43
  Dependabot::Maven::FileFetcher.new(source: tmp_source, credentials: credentials)
@@ -41,18 +45,19 @@ module Dependabot
41
45
  @repo_has_subdir_for_dep[tmp_source] =
42
46
  fetcher.send(:repo_contents, raise_errors: false)
43
47
  .select { |f| f.type == "dir" }
44
- .any? { |f| dependency_artifact_id.end_with?(f.name) }
48
+ .any? { |f| T.must(dependency_artifact_id).end_with?(f.name) }
45
49
  rescue Dependabot::BranchNotFound
46
50
  # If we are attempting to find a branch, we should fail over to the default branch and retry once only
47
51
  unless tmp_source.branch.to_s.empty?
48
52
  tmp_source.branch = nil
49
53
  retry
50
54
  end
51
- @repo_has_subdir_for_dep[tmp_source] = false
55
+ T.must(@repo_has_subdir_for_dep)[tmp_source] = false
52
56
  rescue Dependabot::RepoNotFound
53
- @repo_has_subdir_for_dep[tmp_source] = false
57
+ T.must(@repo_has_subdir_for_dep)[tmp_source] = false
54
58
  end
55
59
 
60
+ sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
56
61
  def look_up_source_in_pom(pom)
57
62
  potential_source_urls = [
58
63
  pom.at_css("project > url")&.content,
@@ -67,15 +72,16 @@ module Dependabot
67
72
  Source.from_url(source_url)
68
73
  end
69
74
 
75
+ sig { params(source_url: T.nilable(String), pom: Nokogiri::XML::Document).returns(T.nilable(String)) }
70
76
  def substitute_properties_in_source_url(source_url, pom)
71
77
  return unless source_url
72
78
  return source_url unless source_url.include?("${")
73
79
 
74
80
  regex = Maven::FileParser::PROPERTY_REGEX
75
- property_name = source_url.match(regex).named_captures["property"]
81
+ property_name = T.must(source_url.match(regex)).named_captures["property"]
76
82
  doc = pom.dup
77
83
  doc.remove_namespaces!
78
- nm = property_name.sub(/^pom\./, "").sub(/^project\./, "")
84
+ nm = T.must(property_name).sub(/^pom\./, "").sub(/^project\./, "")
79
85
  property_value =
80
86
  loop do
81
87
  candidate_node =
@@ -92,6 +98,7 @@ module Dependabot
92
98
  substitute_properties_in_source_url(url, pom)
93
99
  end
94
100
 
101
+ sig { params(pom: T.any(String, Nokogiri::XML::Document)).returns(T.nilable(String)) }
95
102
  def source_from_anywhere_in_pom(pom)
96
103
  github_urls = []
97
104
  pom.to_s.scan(Source::SOURCE_REGEX) do
@@ -99,12 +106,15 @@ module Dependabot
99
106
  end
100
107
 
101
108
  github_urls.find do |url|
102
- repo = Source.from_url(url).repo
103
- repo.end_with?(dependency_artifact_id)
109
+ repo = T.must(Source.from_url(url)).repo
110
+ repo.end_with?(T.must(dependency_artifact_id))
104
111
  end
105
112
  end
106
113
 
114
+ sig { returns(Nokogiri::XML::Document) }
107
115
  def dependency_pom_file
116
+ @dependency_pom_file ||= T.let(nil, T.nilable(Nokogiri::XML::Document))
117
+
108
118
  return @dependency_pom_file unless @dependency_pom_file.nil?
109
119
 
110
120
  response = Dependabot::RegistryClient.get(
@@ -117,12 +127,14 @@ module Dependabot
117
127
  @dependency_pom_file = Nokogiri::XML("")
118
128
  end
119
129
 
130
+ sig { returns(T.nilable(String)) }
120
131
  def dependency_artifact_id
121
132
  _group_id, artifact_id = dependency.name.split(":")
122
133
 
123
134
  artifact_id
124
135
  end
125
136
 
137
+ sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Nokogiri::XML::Document)) }
126
138
  def parent_pom_file(pom)
127
139
  doc = pom.dup
128
140
  doc.remove_namespaces!
@@ -138,30 +150,37 @@ module Dependabot
138
150
  "#{artifact_id}-#{version}.pom"
139
151
 
140
152
  response = Dependabot::RegistryClient.get(
141
- url: substitute_properties_in_source_url(url, pom),
153
+ url: T.must(substitute_properties_in_source_url(url, pom)),
142
154
  headers: auth_headers
143
155
  )
144
156
 
145
157
  Nokogiri::XML(response.body)
146
158
  end
147
159
 
160
+ sig { returns(String) }
148
161
  def maven_repo_url
149
162
  source = dependency.requirements
150
- .find { |r| r&.fetch(:source) }&.fetch(:source)
163
+ .find { |r| r.fetch(:source) }&.fetch(:source)
151
164
 
152
165
  source&.fetch(:url, nil) ||
153
166
  source&.fetch("url") ||
154
- Maven::FileParser::RepositoriesFinder.new(credentials: credentials).central_repo_url
167
+ Dependabot::Maven::FileParser::RepositoriesFinder.new(credentials: credentials,
168
+ pom_fetcher: nil).central_repo_url
155
169
  end
156
170
 
171
+ sig { returns(String) }
157
172
  def maven_repo_dependency_url
158
173
  group_id, artifact_id = dependency.name.split(":")
159
174
 
160
- "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
175
+ "#{maven_repo_url}/#{T.must(group_id).tr('.', '/')}/#{artifact_id}"
161
176
  end
162
177
 
178
+ sig { returns(T::Hash[String, String]) }
163
179
  def auth_headers
164
- @auth_headers ||= Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url)
180
+ @auth_headers ||= T.let(
181
+ Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url),
182
+ T.nilable(T::Hash[String, String])
183
+ )
165
184
  end
166
185
  end
167
186
  end
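Review bot: In `substitute_properties_in_source_url`, `T.must(source_url.match(regex))` only swaps the old `NoMethodError` for a `TypeError` when `PROPERTY_REGEX` does not match; the preceding `include?("${")` test is weaker than the regex, so a URL containing a `${` that the pattern rejects still crashes instead of being returned untouched. Bind the match and bail out: `match = source_url.match(regex)` / `return source_url unless match` / `property_name = match.named_captures["property"]`. The method continues past the hunk, so the property-resolution loop is not visible here. The same `T.must(dependency_artifact_id)` wrapper is repeated in `look_up_source`, `repo_has_subdir_for_dep?` and `source_from_anywhere_in_pom`; one nil check inside `dependency_artifact_id` that raises with the offending `dependency.name` would fail closer to the cause and let the callers drop the `T.must`.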
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-maven
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.259.0
4
+ version: 0.261.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-05-30 00:00:00.000000000 Z
11
+ date: 2024-06-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.259.0
19
+ version: 0.261.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.259.0
26
+ version: 0.261.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -264,7 +264,7 @@ licenses:
264
264
  - MIT
265
265
  metadata:
266
266
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
267
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.259.0
267
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.261.0
268
268
  post_install_message:
269
269
  rdoc_options: []
270
270
  require_paths: