RubyGems - dependabot-maven - Versions diffs - 0.342.2 → 0.343.0 - Mend

dependabot-maven 0.342.2 → 0.343.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/maven/file_fetcher.rb +10 -0
data/lib/dependabot/maven/file_parser.rb +61 -22
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d7a93e87ca2f1d0da526b2445a9af14586e8b6909c7e20505c3edb02c6484bd
-  data.tar.gz: '09fdc4c942e5f4573224f94d90d5115860f969e3a83fc16db90841f0f30cf64c'
+  metadata.gz: 975d281cfd454c2d1524b8a77fced5b2040ff104cd0c0989d45acffe18988d4f
+  data.tar.gz: 91587156337eb764be0168703579558c50a134a6c15ce9e235d9318141bdfef9
 SHA512:
-  metadata.gz: c2914b7f0b39c7f02d8c343b1c6e80ec69188966ccbcf36e57c1978930240a6fbfcfe4698e3731c3cc6f88c985c3b4d69334f23ada341f9c93f068073fea7a30
-  data.tar.gz: aaee9db165f27c67cc88e33009432d844e5eed8d37e35b7245c9abdb510b4af3f4f833048441c40af6858dd8bb6ce459554a5af89dc340576f298225490fbf12
+  metadata.gz: 93ba3833938dfb35c0c937ce9859e55515b29b27e85b21643e3b2169a42cb0c85a120ad4e3bbccba57d4663edd8a14c295cf547ce82e3a51088f9cbea9c0454a
+  data.tar.gz: 7583568de4499b7c72d1d32a94149ecd0dcfa20573db44e96af07de58b399efe48e783d0079383271f046608d2913cc4cbc4927a3864f7685ec415f719092569

data/lib/dependabot/maven/file_fetcher.rb CHANGED Viewed

@@ -33,6 +33,7 @@ module Dependabot
         fetched_files << pom
         fetched_files += child_poms
         fetched_files += relative_path_parents(fetched_files)
+        fetched_files += targetfiles
         fetched_files << extensions if extensions
         # Filter excluded files from final collection
@@ -55,6 +56,15 @@ module Dependabot
         @extensions ||= T.let(fetch_file_if_present(".mvn/extensions.xml"), T.nilable(Dependabot::DependencyFile))
       end
+      sig { returns(T::Array[DependencyFile]) }
+      def targetfiles
+        repo_contents(raise_errors: false)
+          .select { |f| f.type == "file" && f.name.end_with?(".target") }
+          .map { |f| fetch_file_from_host(f.name) }
+      rescue Dependabot::DirectoryNotFound, Octokit::NotFound
+        []
+      end
       sig { returns(T::Array[DependencyFile]) }
       def child_poms
         recursively_fetch_child_poms(T.must(pom), fetched_filenames: ["pom.xml"])

data/lib/dependabot/maven/file_parser.rb CHANGED Viewed

@@ -36,6 +36,7 @@ module Dependabot
                             "annotationProcessorPaths > path"
       PLUGIN_SELECTOR     = "plugins > plugin"
       EXTENSION_SELECTOR  = "extensions > extension"
+      TARGET_SELECTOR = "target > locations > location[type='Maven'] > dependencies > dependency"
       PLUGIN_ARTIFACT_ITEMS_SELECTOR = "plugins > plugin > executions > execution > " \
                                        "configuration > artifactItems > artifactItem"
@@ -44,31 +45,11 @@ module Dependabot
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
-        dependency_set = DependencySet.new
-        dependencies = []
         if Dependabot::Experiments.enabled?(:maven_transitive_dependencies)
-          dependency_set += MavenDependencyParser.build_dependency_set(pomfiles)
-          pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
-          extensionfiles.each { |extension| dependency_set += extensionfile_dependencies(extension) }
-          dependency_set.dependencies.each do |dep|
-            requirements = merge_requirements(dep.requirements)
-            dependencies << Dependabot::Dependency.new(
-              name: dep.name,
-              version: dep.version,
-              package_manager: "maven",
-              requirements: requirements
-            )
-          end
+          parse_with_transitive_dependencies
         else
-          pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
-          extensionfiles.each { |extension| dependency_set += extensionfile_dependencies(extension) }
-          dependencies = dependency_set.dependencies
+          parse_standard_dependencies
         end
-        dependencies
       end
       sig { returns(Ecosystem) }
@@ -85,6 +66,36 @@ module Dependabot
       private
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      def parse_with_transitive_dependencies
+        dependency_set = DependencySet.new
+        dependency_set += MavenDependencyParser.build_dependency_set(pomfiles)
+        pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
+        extensionfiles.each { |extension| dependency_set += extensionfile_dependencies(extension) }
+        dependencies = []
+        dependency_set.dependencies.each do |dep|
+          requirements = merge_requirements(dep.requirements)
+          dependencies << Dependabot::Dependency.new(
+            name: dep.name,
+            version: dep.version,
+            package_manager: "maven",
+            requirements: requirements
+          )
+        end
+        dependencies
+      end
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      def parse_standard_dependencies
+        dependency_set = DependencySet.new
+        pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
+        extensionfiles.each { |extension| dependency_set += extensionfile_dependencies(extension) }
+        targetfiles.each { |target| dependency_set += targetfile_dependencies(target) }
+        dependency_set.dependencies
+      end
       sig { returns(Ecosystem::VersionManager) }
       def package_manager
         @package_manager ||= T.let(
@@ -150,6 +161,26 @@ module Dependabot
         dependency_set
       end
+      sig { params(target: Dependabot::DependencyFile).returns(DependencySet) }
+      def targetfile_dependencies(target)
+        dependency_set = DependencySet.new
+        errors = T.let([], T::Array[DependencyFileNotEvaluatable])
+        doc = Nokogiri::XML(target.content)
+        doc.remove_namespaces!
+        doc.css(TARGET_SELECTOR).each do |dependency_node|
+          dep = dependency_from_dependency_node(target, dependency_node)
+          dependency_set << dep if dep
+        rescue DependencyFileNotEvaluatable => e
+          errors << e
+        end
+        raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
+        dependency_set
+      end
       sig do
         params(
           pom: Dependabot::DependencyFile,
@@ -402,6 +433,14 @@ module Dependabot
         )
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def targetfiles
+        @targetfiles ||= T.let(
+          dependency_files.select { |f| f.name.end_with?(".target") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
       sig { returns(T::Array[String]) }
       def internal_dependency_names
         @internal_dependency_names ||= T.let(

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.342.2
+  version: 0.343.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.342.2
+        version: 0.343.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.342.2
+        version: 0.343.0
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -285,7 +285,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.342.2
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.343.0
 rdoc_options: []
 require_paths:
 - lib