dependabot-maven 0.308.0 → 0.309.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ecad9ed68d5e38fdcbf2d655b868ea282629e93d6cbc5f19c1732d2b59b329eb
-  data.tar.gz: 77a824b0906e80df4847d0c5c5b8ac1f4a288051002a694d6e6bfc50171368da
+  metadata.gz: 280386e839ade4655181e1cf43a6ac57c1258082bd6eddf71936eb59ba16dc5c
+  data.tar.gz: 0f3fa2c05fa23352eb9985ce388c7626fa12742dd3141e41a3649219eff62386
 SHA512:
-  metadata.gz: 7205996fea2c8447c8e0d6d013e8c552d35adb7ebec3321a392979ebc6844d9f62b819ab6540051a680b8c84f3efe44f1cae796edd39694ac6e6ad0b0983d27d
-  data.tar.gz: d1a56abe418c71031e9afa1d730a399eaaf85399b2c56b9e03489d47523a41a29bf39952665114406eb43e991263629c5e3ebba3296a4af24b107f1e71628729
+  metadata.gz: 5b0afa1d41c41c19d2d43e1b52f51227bdc3450e88d1be98c486cbb6b95e12dd374ecc32246b3d3b42349115df224896e227303ea1cc6e08fe62416d1309ffe9
+  data.tar.gz: cc3b88872953f7f641758c5b4947e9428485d25ce5a1cdf66dc7ee2247bb3c9e724d5ce18b19f02a45c8f3e27ad2ade5feda09bc6a9be5f38b1fad3f59cc31e4

data/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -21,7 +21,13 @@ module Dependabot
 
         DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
 
-        sig { params(dependency_files: T::Array[DependencyFile], credentials: T::Array[String]).void }
+        sig do
+          params(
+            dependency_files: T::Array[DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          )
+            .void
+        end
         def initialize(dependency_files:, credentials: [])
           @dependency_files = dependency_files
           @credentials = credentials

data/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -20,9 +20,19 @@ module Dependabot
         # In theory we should check the artifact type and either look in
         # <repositories> or <pluginRepositories>. In practice it's unlikely
         # anyone makes this distinction.
+        extend T::Sig
+
         REPOSITORY_SELECTOR = "repositories > repository, " \
                               "pluginRepositories > pluginRepository"
 
+        sig do
+          params(
+            pom_fetcher: T.nilable(Dependabot::Maven::FileParser::PomFetcher),
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            evaluate_properties: T::Boolean
+          ).void
+        end
         def initialize(pom_fetcher:, dependency_files: [], credentials: [], evaluate_properties: true)
           @pom_fetcher = pom_fetcher
           @dependency_files = dependency_files
@@ -34,25 +44,35 @@ module Dependabot
           @evaluate_properties = evaluate_properties
           # Aggregates URLs seen in POMs to avoid short term memory loss.
           # For instance a repository in a child POM might apply to the parent too.
-          @known_urls = []
+          @known_urls = T.let([], T::Array[T::Hash[Symbol, T.untyped]])
+          @property_value_finder = T.let(nil, T.nilable(PropertyValueFinder))
         end
 
+        sig { returns(String) }
         def central_repo_url
           base = @credentials.find { |cred| cred["type"] == "maven_repository" && cred.replaces_base? }
-          base ? base["url"] : "https://repo.maven.apache.org/maven2"
+          base ? T.must(base["url"]) : "https://repo.maven.apache.org/maven2"
         end
 
         # Collect all repository URLs from this POM and its parents
+        sig do
+          params(
+            pom: Dependabot::DependencyFile,
+            exclude_inherited: T::Boolean,
+            exclude_snapshots: T::Boolean
+          )
+            .returns(T::Array[String])
+        end
         def repository_urls(pom:, exclude_inherited: false, exclude_snapshots: true)
           entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
           ids = Set.new
-          @known_urls += entries.map do |entry|
+          @known_urls += entries.filter_map do |entry|
             next if entry[:id] && ids.include?(entry[:id])
 
             ids.add(entry[:id]) unless entry[:id].nil?
             entry
           end
-          @known_urls = @known_urls.uniq.compact
+          @known_urls = @known_urls.uniq
 
           urls = urls_from_credentials + @known_urls.reject { |entry| exclude_snapshots && entry[:snapshots] }
                                                     .map { |entry| entry[:url] }
@@ -62,14 +82,17 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
 
         # The Central Repository is included in the Super POM, which is
         # always inherited from.
+        sig { returns(T::Hash[Symbol, String]) }
         def super_pom
           { url: central_repo_url, id: "central" }
         end
 
+        sig { params(entry: Nokogiri::XML::Element).returns(T::Hash[Symbol, T.nilable(String)]) }
         def serialize_mvn_repo(entry)
           {
             url: entry.at_css("url").content.strip,
@@ -79,10 +102,18 @@ module Dependabot
           }
         end
 
+        sig { params(entry: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
         def snapshot_repo(entry)
           entry[:releases] == "false" && (entry[:snapshots].nil? || entry[:snapshots] == "true")
         end
 
+        sig do
+          params(
+            entry: T::Hash[Symbol, T.untyped],
+            pom: Dependabot::DependencyFile
+          )
+            .returns(T::Hash[Symbol, T.untyped])
+        end
         def serialize_urls(entry, pom)
           {
             url: evaluated_value(entry[:url], pom).gsub(%r{/$}, ""),
@@ -91,6 +122,13 @@ module Dependabot
           }
         end
 
+        sig do
+          params(
+            pom: Dependabot::DependencyFile,
+            exclude_inherited: T::Boolean
+          )
+            .returns(T::Array[T::Hash[Symbol, T.untyped]])
+        end
         def gather_repository_urls(pom:, exclude_inherited: false)
           repos_in_pom =
             Nokogiri::XML(pom.content)
@@ -110,11 +148,19 @@ module Dependabot
           repos_in_pom + gather_repository_urls(pom: parent)
         end
 
+        sig { returns(T::Boolean) }
         def evaluate_properties?
           @evaluate_properties
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
+        sig do
+          params(
+            pom: T.untyped,
+            repo_urls: T::Array[String]
+          )
+            .returns(T.untyped)
+        end
         def parent_pom(pom, repo_urls)
           doc = Nokogiri::XML(pom.content)
           doc.remove_namespaces!
@@ -127,35 +173,41 @@ module Dependabot
 
           name = [group_id, artifact_id].join(":")
 
-          return @pom_fetcher.internal_dependency_poms[name] if @pom_fetcher.internal_dependency_poms[name]
+          if T.must(@pom_fetcher).internal_dependency_poms[name]
+            return T.must(@pom_fetcher).internal_dependency_poms[name]
+          end
 
           return unless version && !version.include?(",")
 
           urls = urls_from_credentials + repo_urls + [central_repo_url]
-          @pom_fetcher.fetch_remote_parent_pom(group_id, artifact_id, version, urls)
+          T.must(@pom_fetcher).fetch_remote_parent_pom(group_id, artifact_id, version, urls)
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { returns(T::Array[String]) }
         def urls_from_credentials
           @credentials
             .select { |cred| cred["type"] == "maven_repository" }
             .filter_map { |cred| cred["url"]&.strip&.gsub(%r{/$}, "") }
         end
 
+        sig { params(value: String).returns(T::Boolean) }
         def contains_property?(value)
           value.match?(property_regex)
         end
 
+        sig { params(value: String, pom: Dependabot::DependencyFile).returns(T.untyped) }
         def evaluated_value(value, pom)
           return value unless contains_property?(value)
 
-          property_name = value.match(property_regex)
-                               .named_captures.fetch("property")
-          property_value = value_for_property(property_name, pom)
+          match_data = value.match(property_regex)
+          property_name = T.must(match_data).named_captures.fetch("property")
+          property_value = value_for_property(T.cast(property_name, String), pom)
 
           value.gsub(property_regex, property_value)
         end
 
+        sig { params(property_name: String, pom: Dependabot::DependencyFile).returns(String) }
         def value_for_property(property_name, pom)
           value =
             property_value_finder
@@ -172,11 +224,13 @@ module Dependabot
 
         # Cached, since this can makes calls to the registry (to get property
         # values from parent POMs)
+        sig { returns(Dependabot::Maven::FileParser::PropertyValueFinder) }
         def property_value_finder
           @property_value_finder ||=
             PropertyValueFinder.new(dependency_files: dependency_files, credentials: @credentials)
         end
 
+        sig { returns(Regexp) }
         def property_regex
           Maven::FileParser::PROPERTY_REGEX
         end

data/lib/dependabot/maven/file_parser.rb

@@ -342,7 +342,7 @@ module Dependabot
       sig { returns(Dependabot::Maven::FileParser::PropertyValueFinder) }
       def property_value_finder
         @property_value_finder ||= T.let(
-          PropertyValueFinder.new(dependency_files: dependency_files, credentials: credentials.map(&:to_s)),
+          PropertyValueFinder.new(dependency_files: dependency_files, credentials: @credentials),
           T.nilable(Dependabot::Maven::FileParser::PropertyValueFinder)
         )
       end

data/lib/dependabot/maven/file_updater/declaration_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -10,6 +10,8 @@ module Dependabot
   module Maven
     class FileUpdater
       class DeclarationFinder
+        extend T::Sig
+
         DECLARATION_REGEX = %r{
               <parent>.*?</parent>|
               <dependency>.*?</dependency>|
@@ -19,20 +21,36 @@ module Dependabot
               <artifactItem>.*?</artifactItem>
             }mx
 
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
+        sig { returns(T::Hash[Symbol, T.untyped]) }
         attr_reader :declaring_requirement
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            declaring_requirement: T::Hash[Symbol, T.untyped]
+          ).void
+        end
         def initialize(dependency:, dependency_files:, declaring_requirement:)
-          @dependency            = dependency
-          @dependency_files      = dependency_files
+          @dependency = dependency
+          @dependency_files = dependency_files
           @declaring_requirement = declaring_requirement
+          @declaration_strings = T.let(nil, T.nilable(T::Array[String]))
+          @property_value_finder = T.let(nil, T.nilable(Maven::FileParser::PropertyValueFinder))
         end
 
+        sig { returns(T::Array[String]) }
         def declaration_strings
           @declaration_strings ||= fetch_pom_declaration_strings
         end
 
+        sig { returns(T::Array[Nokogiri::XML::Document]) }
         def declaration_nodes
           declaration_strings.map do |declaration_string|
             Nokogiri::XML(declaration_string)
@@ -41,6 +59,7 @@ module Dependabot
 
         private
 
+        sig { returns(Dependabot::DependencyFile) }
         def declaring_pom
           filename = declaring_requirement.fetch(:file)
           declaring_pom = dependency_files.find { |f| f.name == filename }
@@ -49,12 +68,14 @@ module Dependabot
           raise "No pom found with name #{filename}!"
         end
 
+        sig { returns(String) }
         def dependency_name
           dependency.name
         end
 
+        sig { returns(T::Array[String]) }
         def fetch_pom_declaration_strings
-          deep_find_declarations(declaring_pom.content).select do |nd|
+          deep_find_declarations(T.must(declaring_pom.content)).select do |nd|
             node = Nokogiri::XML(nd)
             node.remove_namespaces!
             next false unless node_group_id(node)
@@ -67,7 +88,7 @@ module Dependabot
 
             if node.at_xpath("./*/classifier")
               classifier = evaluated_value(node.at_xpath("./*/classifier").content.strip)
-              dep_classifier = dependency.requirements.first.dig(:metadata, :classifier)
+              dep_classifier = dependency.requirements.first&.dig(:metadata, :classifier)
               next false if classifier != dep_classifier
             end
 
@@ -79,6 +100,7 @@ module Dependabot
           end
         end
 
+        sig { params(node: Nokogiri::XML::Document).returns(T.nilable(String)) }
         def node_group_id(node)
           return unless node.at_xpath("./*/groupId") || node.at_xpath("./plugin")
           return "org.apache.maven.plugins" unless node.at_xpath("./*/groupId")
@@ -86,12 +108,14 @@ module Dependabot
           evaluated_value(node.at_xpath("./*/groupId").content.strip)
         end
 
+        sig { params(string: String).returns(T::Array[String]) }
         def deep_find_declarations(string)
           string.scan(DECLARATION_REGEX).flat_map do |matching_node|
-            [matching_node, *deep_find_declarations(matching_node[1..-1])]
-          end
+            [matching_node, *deep_find_declarations(matching_node[1..-1].to_s)]
+          end.flatten
         end
 
+        sig { params(node: Nokogiri::XML::Document).returns(T::Boolean) }
         def declaring_requirement_matches?(node)
           node_requirement = node.at_css("version")&.content&.strip
 
@@ -110,11 +134,13 @@ module Dependabot
           end
         end
 
+        sig { params(node: Nokogiri::XML::Document).returns(T::Boolean) }
         def packaging_type_matches?(node)
           type = declaring_requirement.dig(:metadata, :packaging_type)
           type == packaging_type(node)
         end
 
+        sig { params(node: Nokogiri::XML::Document).returns(T::Boolean) }
         def scope_matches?(node)
           dependency_type = declaring_requirement.fetch(:groups)
           node_type = dependency_scope(node) == "test" ? ["test"] : []
@@ -122,6 +148,7 @@ module Dependabot
           dependency_type == node_type
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Document).returns(String) }
         def packaging_type(dependency_node)
           return "pom" if dependency_node.child.node_name == "parent"
           return "jar" unless dependency_node.at_xpath("./*/type")
@@ -132,6 +159,7 @@ module Dependabot
           evaluated_value(packaging_type_content)
         end
 
+        sig { params(dependency_node: Nokogiri::XML::Document).returns(String) }
         def dependency_scope(dependency_node)
           return "compile" unless dependency_node.at_xpath("./*/scope")
 
@@ -141,12 +169,15 @@ module Dependabot
           scope_content.empty? ? "compile" : scope_content
         end
 
+        sig { params(value: String).returns(String) }
         def evaluated_value(value)
           return value unless value.match?(Maven::FileParser::PROPERTY_REGEX)
 
-          property_name =
-            value.match(Maven::FileParser::PROPERTY_REGEX)
-                 .named_captures.fetch("property")
+          match_data = value.match(Maven::FileParser::PROPERTY_REGEX)
+          return value unless match_data
+
+          property_name = match_data.named_captures.fetch("property")
+          return value unless property_name
 
           property_value =
             property_value_finder
@@ -158,11 +189,12 @@ module Dependabot
           return value unless property_value
 
           value.gsub(
-            value.match(Maven::FileParser::PROPERTY_REGEX).to_s,
+            match_data.to_s,
             property_value
           )
         end
 
+        sig { returns(Maven::FileParser::PropertyValueFinder) }
         def property_value_finder
           @property_value_finder ||=
             Maven::FileParser::PropertyValueFinder

data/lib/dependabot/maven/file_updater/property_value_updater.rb

@@ -28,8 +28,7 @@ module Dependabot
             updated_value: String
           ).returns(T::Array[DependencyFile])
         end
-        def update_pomfiles_for_property_change(property_name:, callsite_pom:,
-                                                updated_value:)
+        def update_pomfiles_for_property_change(property_name:, callsite_pom:, updated_value:)
           declaration_details = property_value_finder.property_details(
             property_name: property_name,
             callsite_pom: callsite_pom

data/lib/dependabot/maven/file_updater.rb

@@ -1,16 +1,20 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 
 module Dependabot
   module Maven
     class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
       require_relative "file_updater/declaration_finder"
       require_relative "file_updater/property_value_updater"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           /^pom\.xml$/, %r{/pom\.xml$},
@@ -19,8 +23,9 @@ module Dependabot
         ]
       end
 
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
-        updated_files = T.let(dependency_files.dup, T.untyped)
+        updated_files = T.let(dependency_files.dup, T::Array[Dependabot::DependencyFile])
 
         # Loop through each of the changed requirements, applying changes to
         # all pom and extensions files for that change. Note that the logic
@@ -43,51 +48,77 @@ module Dependabot
 
       private
 
+      sig { override.void }
       def check_required_files
         raise "No pom.xml!" unless get_original_file("pom.xml")
       end
 
+      # rubocop:disable Metrics/AbcSize
+      sig do
+        params(
+          original_files: T::Array[Dependabot::DependencyFile],
+          dependency: Dependabot::Dependency
+        )
+          .returns(T::Array[Dependabot::DependencyFile])
+      end
       def update_files_for_dependency(original_files:, dependency:)
         files = original_files.dup
 
         # The UpdateChecker ensures the order of requirements is preserved
         # when updating, so we can zip them together in new/old pairs.
-        reqs = dependency.requirements.zip(dependency.previous_requirements)
+        reqs = dependency.requirements.zip(dependency.previous_requirements.to_a)
                          .reject { |new_req, old_req| new_req == old_req }
 
         # Loop through each changed requirement and update the files
         reqs.each do |new_req, old_req|
-          raise "Bad req match" unless new_req[:file] == old_req[:file]
-          next if new_req[:requirement] == old_req[:requirement]
+          raise "Bad req match" unless new_req[:file] == T.must(old_req)[:file]
+          next if new_req[:requirement] == T.must(old_req)[:requirement]
 
           if new_req.dig(:metadata, :property_name)
             files = update_pomfiles_for_property_change(files, new_req)
             pom = files.find { |f| f.name == new_req.fetch(:file) }
-            files[files.index(pom)] =
-              remove_property_suffix_in_pom(dependency, pom, old_req)
+            files[T.must(files.index(pom))] =
+              remove_property_suffix_in_pom(dependency, T.must(pom), T.must(old_req))
           else
             file = files.find { |f| f.name == new_req.fetch(:file) }
-            files[files.index(file)] =
-              update_version_in_file(dependency, file, old_req, new_req)
+            files[T.must(files.index(file))] =
+              update_version_in_file(dependency, T.must(file), T.must(old_req), new_req)
           end
         end
 
         files
       end
+      # rubocop:enable Metrics/AbcSize
 
+      sig do
+        params(
+          pomfiles: T::Array[Dependabot::DependencyFile],
+          req: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T::Array[Dependabot::DependencyFile])
+      end
       def update_pomfiles_for_property_change(pomfiles, req)
         property_name = req.fetch(:metadata).fetch(:property_name)
 
         PropertyValueUpdater.new(dependency_files: pomfiles)
                             .update_pomfiles_for_property_change(
                               property_name: property_name,
-                              callsite_pom: pomfiles.find { |f| f.name == req.fetch(:file) },
+                              callsite_pom: T.must(pomfiles.find { |f| f.name == req.fetch(:file) }),
                               updated_value: req.fetch(:requirement)
                             )
       end
 
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          file: Dependabot::DependencyFile,
+          previous_req: T::Hash[Symbol, T.untyped],
+          requirement: T::Hash[Symbol, T.untyped]
+        )
+          .returns(Dependabot::DependencyFile)
+      end
       def update_version_in_file(dependency, file, previous_req, requirement)
-        updated_content = file.content
+        updated_content = T.must(file.content)
 
         original_file_declarations(dependency, previous_req).each do |old_dec|
           updated_content = updated_content.gsub(old_dec) do
@@ -100,8 +131,16 @@ module Dependabot
         updated_file(file: file, content: updated_content)
       end
 
+      sig do
+        params(
+          dep: Dependabot::Dependency,
+          pom: Dependabot::DependencyFile,
+          req: T::Hash[Symbol, T.untyped]
+        )
+          .returns(Dependabot::DependencyFile)
+      end
       def remove_property_suffix_in_pom(dep, pom, req)
-        updated_content = pom.content
+        updated_content = T.must(pom.content)
 
         original_file_declarations(dep, req).each do |old_declaration|
           updated_content = updated_content.gsub(old_declaration) do |old_dec|
@@ -119,15 +158,27 @@ module Dependabot
         updated_file(file: pom, content: updated_content)
       end
 
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          requirement: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T::Array[String])
+      end
       def original_file_declarations(dependency, requirement)
         declaration_finder(dependency, requirement).declaration_strings
       end
 
-      # The declaration finder may need to make remote calls (to get parent
-      # POMs if it's searching for the value of a property), so we cache it.
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          requirement: T::Hash[Symbol, T.untyped]
+        )
+          .returns(DeclarationFinder)
+      end
       def declaration_finder(dependency, requirement)
-        @declaration_finders ||= {}
-        @declaration_finders[dependency.hash + requirement.hash] ||=
+        @declaration_finders ||= T.let({}, T.nilable(T::Hash[Integer, DeclarationFinder]))
+        @declaration_finders[dependency.hash + requirement.hash] =
           DeclarationFinder.new(
             dependency: dependency,
             declaring_requirement: requirement,
@@ -135,6 +186,14 @@ module Dependabot
           )
       end
 
+      sig do
+        params(
+          old_declaration: String,
+          previous_req: T::Hash[Symbol, T.untyped],
+          requirement: T::Hash[Symbol, T.untyped]
+        )
+          .returns(String)
+      end
       def updated_file_declaration(old_declaration, previous_req, requirement)
         original_req_string = previous_req.fetch(:requirement)
 
@@ -144,9 +203,12 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def original_pomfiles
-        @original_pomfiles ||=
-          dependency_files.select { |f| f.name.end_with?("pom.xml") }
+        @original_pomfiles ||= T.let(
+          dependency_files.select { |f| f.name.end_with?("pom.xml") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
     end
   end

data/lib/dependabot/maven/metadata_finder.rb

@@ -164,6 +164,8 @@ module Dependabot
 
         source&.fetch(:url, nil) ||
           source&.fetch("url") ||
+          # TODO: Move central_repo_url method to a more appropriate place
+          # Then we can remove T.nilable from pom_fetcher
           Dependabot::Maven::FileParser::RepositoriesFinder.new(credentials: credentials,
                                                                 pom_fetcher: nil).central_repo_url
       end