dependabot-maven 0.355.0 → 0.357.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ed3c6bc921b14f4b9c8b5b972eddd908d25ca480169eb1e154f4e469b3d49759
-  data.tar.gz: 91587156337eb764be0168703579558c50a134a6c15ce9e235d9318141bdfef9
+  metadata.gz: 88f4ec6abad6b9329da21a5d9d1b8a1ac73a541d0fb0437149def4a1cfad73e4
+  data.tar.gz: 99280b25245177eae98b618cba2ca285bf4db099dbe3396c481db91328a4997b
 SHA512:
-  metadata.gz: bda3df043f3c32e84a1f18536d2c7c574e5e2902746d6ba08ffe46fb173b8634ed55ce89b3b82b6e4f40aca248ea1d149612ab4cd3f10de68f5fdee751539249
-  data.tar.gz: 7583568de4499b7c72d1d32a94149ecd0dcfa20573db44e96af07de58b399efe48e783d0079383271f046608d2913cc4cbc4927a3864f7685ec415f719092569
+  metadata.gz: 010f3bbe4754d3e0128516561cb4f19b290d2d8d3edc1289f9ad89504638662ca922fa30c4cc1859080b4dbcbe33b8161523216a074319c41af0cd2739e87bdd
+  data.tar.gz: 4073e5d61854ad4ac1be44c72f2baef543e5f1f81e90f0c27e6816e03ed9f10de33edf645e4e3b8e1c5115ca8215a9b384634d06ffcbee343d97c641225a9e54

data/lib/dependabot/maven/file_parser.rb

@@ -122,14 +122,16 @@ module Dependabot
         doc = Nokogiri::XML(pom.content)
         doc.remove_namespaces!
 
+        plugin_names = collect_plugin_names(pom, doc)
+
         doc.css(DEPENDENCY_SELECTOR).each do |dependency_node|
-          dep = dependency_from_dependency_node(pom, dependency_node)
+          dep = dependency_from_dependency_node(pom, dependency_node, plugin_names)
           dependency_set << dep if dep
         rescue DependencyFileNotEvaluatable => e
           errors << e
         end
 
-        doc.css(PLUGIN_SELECTOR, PLUGIN_ARTIFACT_ITEMS_SELECTOR).each do |dependency_node|
+        plugin_nodes(doc).each do |dependency_node|
           dep = dependency_from_plugin_node(pom, dependency_node)
           dependency_set << dep if dep
         rescue DependencyFileNotEvaluatable => e
@@ -141,6 +143,18 @@ module Dependabot
         dependency_set
       end
 
+      sig { params(pom: Dependabot::DependencyFile, doc: Nokogiri::XML::Document).returns(T::Set[String]) }
+      def collect_plugin_names(pom, doc)
+        plugin_names = Set.new
+
+        plugin_nodes(doc).each do |plugin_node|
+          name = plugin_name(plugin_node, pom)
+          plugin_names << name if name
+        end
+
+        plugin_names
+      end
+
       sig { params(extension: Dependabot::DependencyFile).returns(DependencySet) }
       def extensionfile_dependencies(extension)
         dependency_set = DependencySet.new
@@ -149,8 +163,10 @@ module Dependabot
         doc = Nokogiri::XML(extension.content)
         doc.remove_namespaces!
 
+        plugin_names = collect_plugin_names(extension, doc)
+
         doc.css(EXTENSION_SELECTOR).each do |dependency_node|
-          dep = dependency_from_dependency_node(extension, dependency_node)
+          dep = dependency_from_dependency_node(extension, dependency_node, plugin_names)
           dependency_set << dep if dep
         rescue DependencyFileNotEvaluatable => e
           errors << e
@@ -169,8 +185,10 @@ module Dependabot
         doc = Nokogiri::XML(target.content)
         doc.remove_namespaces!
 
+        plugin_names = collect_plugin_names(target, doc)
+
         doc.css(TARGET_SELECTOR).each do |dependency_node|
-          dep = dependency_from_dependency_node(target, dependency_node)
+          dep = dependency_from_dependency_node(target, dependency_node, plugin_names)
           dependency_set << dep if dep
         rescue DependencyFileNotEvaluatable => e
           errors << e
@@ -184,14 +202,16 @@ module Dependabot
       sig do
         params(
           pom: Dependabot::DependencyFile,
-          dependency_node: Nokogiri::XML::Element
+          dependency_node: Nokogiri::XML::Element,
+          plugin_names: T::Set[String]
         ).returns(T.nilable(Dependabot::Dependency))
       end
-      def dependency_from_dependency_node(pom, dependency_node)
+      def dependency_from_dependency_node(pom, dependency_node, plugin_names)
         return unless (name = dependency_name(dependency_node, pom))
         return if internal_dependency_names.include?(name)
 
-        build_dependency(pom, dependency_node, name)
+        is_plugin = plugin_names.include?(name)
+        build_dependency(pom, dependency_node, name, is_plugin: is_plugin)
       end
 
       sig do
@@ -204,17 +224,18 @@ module Dependabot
         return unless (name = plugin_name(dependency_node, pom))
         return if internal_dependency_names.include?(name)
 
-        build_dependency(pom, dependency_node, name)
+        build_dependency(pom, dependency_node, name, is_plugin: true)
       end
 
       sig do
         params(
           pom: Dependabot::DependencyFile,
           dependency_node: Nokogiri::XML::Element,
-          name: String
+          name: String,
+          is_plugin: T::Boolean
         ).returns(T.nilable(Dependabot::Dependency))
       end
-      def build_dependency(pom, dependency_node, name)
+      def build_dependency(pom, dependency_node, name, is_plugin:)
         property_details =
           {
             property_name: version_property_name(dependency_node),
@@ -228,7 +249,7 @@ module Dependabot
           requirements: [{
             requirement: dependency_requirement(pom, dependency_node),
             file: pom.name,
-            groups: dependency_groups(pom, dependency_node),
+            groups: dependency_groups(pom, dependency_node, is_plugin: is_plugin),
             source: nil,
             metadata: {
               packaging_type: packaging_type(pom, dependency_node),
@@ -324,8 +345,16 @@ module Dependabot
         version_content.empty? ? nil : version_content
       end
 
-      sig { params(pom: Dependabot::DependencyFile, dependency_node: Nokogiri::XML::Element).returns(T::Array[String]) }
-      def dependency_groups(pom, dependency_node)
+      sig do
+        params(
+          pom: Dependabot::DependencyFile,
+          dependency_node: Nokogiri::XML::Element,
+          is_plugin: T::Boolean
+        ).returns(T::Array[String])
+      end
+      def dependency_groups(pom, dependency_node, is_plugin:)
+        return ["plugin"] if is_plugin
+
         dependency_scope(pom, dependency_node) == "test" ? ["test"] : []
       end
 
@@ -531,6 +560,11 @@ module Dependabot
           end
         end
       end
+
+      sig { params(doc: Nokogiri::XML::Document).returns(Nokogiri::XML::NodeSet) }
+      def plugin_nodes(doc)
+        doc.css(PLUGIN_SELECTOR, PLUGIN_ARTIFACT_ITEMS_SELECTOR)
+      end
     end
     # rubocop:enable Metrics/ClassLength
   end

data/lib/dependabot/maven/file_updater/declaration_finder.rb

@@ -86,15 +86,10 @@ module Dependabot
               evaluated_value(node.at_xpath("./*/artifactId").content.strip)
             ].compact.join(":")
 
-            if node.at_xpath("./*/classifier")
-              classifier = evaluated_value(node.at_xpath("./*/classifier").content.strip)
-              dep_classifier = dependency.requirements.first&.dig(:metadata, :classifier)
-              next false if classifier != dep_classifier
-            end
-
+            next false unless classifier_matches?(node)
             next false unless node_name == dependency_name
             next false unless packaging_type_matches?(node)
-            next false unless scope_matches?(node)
+            next false unless declaring_requirement.fetch(:groups) == ["plugin"] || scope_matches?(node)
 
             declaring_requirement_matches?(node)
           end
@@ -140,9 +135,19 @@ module Dependabot
           type == packaging_type(node)
         end
 
+        sig { params(node: Nokogiri::XML::Document).returns(T::Boolean) }
+        def classifier_matches?(node)
+          return true unless node.at_xpath("./*/classifier")
+
+          classifier = evaluated_value(node.at_xpath("./*/classifier").content.strip)
+          dep_classifier = dependency.requirements.first&.dig(:metadata, :classifier)
+          classifier == dep_classifier
+        end
+
         sig { params(node: Nokogiri::XML::Document).returns(T::Boolean) }
         def scope_matches?(node)
           dependency_type = declaring_requirement.fetch(:groups)
+
           node_type = dependency_scope(node) == "test" ? ["test"] : []
 
           dependency_type == node_type

data/lib/dependabot/maven/shared/shared_version_finder.rb

@@ -0,0 +1,117 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "dependabot/package/package_latest_version_finder"
+
+module Dependabot
+  module Maven
+    module Shared
+      class SharedVersionFinder < Dependabot::Package::PackageLatestVersionFinder
+        extend T::Sig
+
+        # Regex to match common Maven release qualifiers that indicate stable releases.
+        # See https://github.com/apache/maven/blob/848fbb4bf2d427b72bdb2471c22fced7ebd9a7a1/maven-artifact/src/main/java/org/apache/maven/artifact/versioning/ComparableVersion.java#L315-L320
+        MAVEN_RELEASE_QUALIFIERS = /
+          ^.+[-._](
+            RELEASE|# Official release
+            FINAL|# Final build
+            GA# General Availability
+          )$
+        /ix
+
+        # Common Maven pre-release qualifiers.
+        # They often indicate versions that are not yet stable but that are released to the public for testing.
+        # Examples: 1.0.0-RC1, 2.0.0-ALPHA2, 3.1.0-BETA, 4.0.0-DEV5, etc.
+        # See https://maven.apache.org/guides/mini/guide-naming-conventions.html#version-identifier
+        MAVEN_PRE_RELEASE_QUALIFIERS = /
+            [-._]?(
+              # --- Qualifiers that usually REQUIRE a number ---
+              # Examples: "RC1", "BETA2", "M3", "ALPHA-1", "EAP.2"
+              # The number differentiates multiple pre-releases; a version like "1.0.0-RC"
+              (?i)(?:RC|CR|M|MILESTONE|ALPHA|BETA|EA|EAP)(?:[-._]?\d+)?
+              |
+              # --- Qualifiers that do NOT usually have numbers ---
+              DEV|
+              PREVIEW|
+              PRERELEASE|
+              EXPERIMENTAL|
+              UNSTABLE
+            )$
+          /ix
+
+        MAVEN_SNAPSHOT_QUALIFIER = /-SNAPSHOT$/i
+
+        sig { params(comparison_version: Dependabot::Version).returns(T::Boolean) }
+        def matches_dependency_version_type?(comparison_version)
+          return true unless dependency.version
+
+          current_version_string = dependency.version
+          candidate_version_string = comparison_version.to_s
+
+          current_is_pre_release = current_version_string&.match?(MAVEN_PRE_RELEASE_QUALIFIERS)
+          candidate_is_pre_release = candidate_version_string.match?(MAVEN_PRE_RELEASE_QUALIFIERS)
+
+          # Pre-releases are only compatible with other pre-releases
+          # When this happens, the suffix does not need to match exactly
+          # This allows transitions between 1.0.0-RC1 and 1.0.0-CR2, for example
+          return true if current_is_pre_release && candidate_is_pre_release
+
+          current_is_snapshot = current_version_string&.match?(MAVEN_SNAPSHOT_QUALIFIER)
+          # If the current version is a pre-release or a snapshot, allow upgrading to a stable release
+          # This can help move from pre-release to the stable version that supersedes it,
+          # but this should not happen vice versa as a stable release should not be downgraded to a pre-release
+          return true if (current_is_pre_release || current_is_snapshot) && !candidate_is_pre_release
+
+          current_suffix = extract_version_suffix(current_version_string)
+          candidate_suffix = extract_version_suffix(candidate_version_string)
+
+          # If both versions share the exact suffix or no suffix, they are compatible
+          current_suffix == candidate_suffix
+        end
+
+        private
+
+        # Extracts the qualifier/suffix from a Maven version string.
+        #
+        # Maven versions consist of numeric parts and optional string qualifiers.
+        # This method identifies the suffix by finding the first segment (separated by '.')
+        # that contains a non-digit character.
+        sig { params(version_string: T.nilable(String)).returns(T.nilable(String)) }
+        def extract_version_suffix(version_string)
+          return nil unless version_string
+
+          # Exclude common Maven release qualifiers that indicate stable releases
+          return nil if version_string.match?(MAVEN_RELEASE_QUALIFIERS)
+
+          version_string.split(".").each do |part|
+            # Skip fully numeric segments
+            next if part.match?(/\A\d+\z/)
+
+            # strip leading digits and capture the suffix
+            suffix = part.sub(/\A\d+/, "")
+            # Normalize delimiters to ensure consistent comparison
+            # e.g., "beta-1" and "beta_1" are treated the same
+            suffix = suffix.tr("-", "_")
+
+            # Ignore purely numeric suffixes (e.g., "-1", "_2")
+            # e.g., "1.0.0-1" or "1.0.0_2" are not considered to have a meaningful suffix
+            return nil if suffix.match?(/^_?\d+$/)
+
+            # Must contain a hyphen to be considered a valid suffix
+            return suffix if suffix.include?("-") || suffix.include?("_")
+          end
+
+          nil
+        end
+
+        sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def package_details
+          raise NotImplementedError, "Subclasses must implement `package_details`"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/maven/update_checker/version_finder.rb

@@ -6,16 +6,15 @@ require "dependabot/package/release_cooldown_options"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/maven/package/package_details_fetcher"
 require "dependabot/maven/update_checker"
+require "dependabot/maven/shared/shared_version_finder"
 require "sorbet-runtime"
 
 module Dependabot
   module Maven
     class UpdateChecker
-      class VersionFinder < Dependabot::Package::PackageLatestVersionFinder
+      class VersionFinder < Dependabot::Maven::Shared::SharedVersionFinder
         extend T::Sig
 
-        TYPE_SUFFICES = %w(jre android java native_mt agp).freeze
-
         sig do
           params(
             dependency: Dependabot::Dependency,
@@ -192,27 +191,6 @@ module Dependabot
           T.must(dependency.numeric_version) >= version_class.new(100)
         end
 
-        sig { params(comparison_version: Dependabot::Version).returns(T::Boolean) }
-        def matches_dependency_version_type?(comparison_version)
-          return true unless dependency.version
-
-          current_type = dependency.version
-                                   &.gsub("native-mt", "native_mt")
-                                   &.split(/[.\-]/)
-                                   &.find do |type|
-            TYPE_SUFFICES.find { |s| type.include?(s) }
-          end
-
-          version_type = comparison_version.to_s
-                                           .gsub("native-mt", "native_mt")
-                                           .split(/[.\-]/)
-                                           .find do |type|
-            TYPE_SUFFICES.find { |s| type.include?(s) }
-          end
-
-          current_type == version_type
-        end
-
         sig { returns(T.class_of(Dependabot::Version)) }
         def version_class
           dependency.version_class

data/lib/dependabot/maven.rb

@@ -17,7 +17,7 @@ Dependabot::PullRequestCreator::Labeler
 
 require "dependabot/dependency"
 Dependabot::Dependency
-  .register_production_check("maven", ->(groups) { groups != ["test"] })
+  .register_production_check("maven", ->(groups) { groups != ["test"] && groups != ["plugin"] })
 
 Dependabot::Dependency
   .register_display_name_builder(

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.355.0
+  version: 0.357.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.355.0
+        version: 0.357.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.355.0
+        version: 0.357.0
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -272,6 +272,7 @@ files:
 - lib/dependabot/maven/package_manager.rb
 - lib/dependabot/maven/pom.xml
 - lib/dependabot/maven/requirement.rb
+- lib/dependabot/maven/shared/shared_version_finder.rb
 - lib/dependabot/maven/token_bucket.rb
 - lib/dependabot/maven/update_checker.rb
 - lib/dependabot/maven/update_checker/property_updater.rb
@@ -285,7 +286,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.355.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.357.0
 rdoc_options: []
 require_paths:
 - lib
@@ -300,7 +301,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.3.0
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Provides Dependabot support for Maven
 test_files: []