dependabot-maven 0.359.0 → 0.360.0

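--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b56d56076dd7572742ae5c219bee76cbb08a7eb9f951984f0c05bef88314b85
-  data.tar.gz: c9fe660bf51ea3c9789b16a32a57e2e911d6446f22e02eb4feff93e99fb33ad0
+  metadata.gz: d2135816e7a3379a06d7aaf84692d986627bbfb4627ab263a150107a4feaee4e
+  data.tar.gz: c1deca188041924a4946ad4b33012c31a237e9a5432bd01968bed1a89f34d723
 SHA512:
-  metadata.gz: b6c158bfbf352a1307dc8f2112ae2716eca87aad75888a0292350609139d22f1ecf6d703bb9d13d1fd74f04c6e04afff9beb4ba37aa6410993547c232b0cad63
-  data.tar.gz: 4e3a49fff8493d1d906193f35d5ff2662e7f9b57418717f71fb56a2ff8a59000aba2c87f99e74cb5d04a7a7ec9352114b27987fbc2860def70221f575b16f371
+  metadata.gz: 06ff61a92d1358576a2e96b386ce1290f4edaf80e3d876e3d7cdeeae1f7b91859ef2ccfabdf354bc0a198b0098d71ade0864b1a949144b018591e8424407a170
+  data.tar.gz: f91ad820a970652221fa8cf621b7978ff6db67f79d1763b8bd562a9012388c59c2c1cb0ab47ed1c4deb338d3e56aaa823e7d36a81fe212e0ebfcb14ab9e950fe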
@@ -135,7 +135,7 @@ module Dependabot
135
135
  xml = dependency_metadata(repository_details)
136
136
  next [] if xml.nil?
137
137
 
138
- break extract_metadata_from_xml(xml, url)
138
+ extract_metadata_from_xml(xml, url)
139
139
  end
140
140
 
141
141
  raise PrivateSourceAuthenticationFailure, forbidden_urls.first if version_details.none? && forbidden_urls.any?
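Review bot: With `break` dropped from the changed line, the block now yields `extract_metadata_from_xml(xml, url)` for every repository that returns XML rather than stopping at the first one, so the collection built by the enclosing iteration (which starts outside the hunk) presumably contains entries from all repositories; any caller that assumed a single-repository result should be checked for ordering and duplicate handling. A repository whose `extract_metadata_from_xml` returns an empty list is now indistinguishable in the result from one skipped by `next [] if xml.nil?`, which seems acceptable for the `version_details.none?` check below but is worth a one-line comment, e.g. `# Collect metadata from every repository; empty results are skipped by the none? check below.`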
@@ -68,12 +68,86 @@ module Dependabot
68
68
  current_suffix = extract_version_suffix(current_version_string)
69
69
  candidate_suffix = extract_version_suffix(candidate_version_string)
70
70
 
71
+ if jre_or_jdk?(current_suffix) && jre_or_jdk?(candidate_suffix)
72
+ return compatible_java_runtime?(T.must(current_suffix), T.must(candidate_suffix))
73
+ end
74
+
71
75
  # If both versions share the exact suffix or no suffix, they are compatible
72
76
  current_suffix == candidate_suffix
73
77
  end
74
78
 
75
79
  private
76
80
 
81
+ # Determines whether two Java runtime suffixes are compatible.
82
+ #
83
+ # Compatibility rules:
84
+ # - Both suffixes must be present and parseable.
85
+ # - Java major versions must match (e.g., jdk8 != jdk11).
86
+ # - JDK → JRE is NOT compatible (runtime capability downgrade).
87
+ # - JRE → JDK is compatible (the JDK includes the JRE).
88
+ # - JRE → JRE and JDK → JDK are compatible when versions match.
89
+ # @example
90
+ # compatible_java_runtime?("jre8", "jre8") # => true (same version, JRE → JRE)
91
+ # compatible_java_runtime?("jdk8", "jdk8") # => true (same version, JDK → JDK)
92
+ # compatible_java_runtime?("jre8", "jdk8") # => true (JRE → JDK is compatible)
93
+ # compatible_java_runtime?("jdk8", "jre8") # => false (JDK → JRE is NOT compatible)
94
+ # compatible_java_runtime?("jre8", "jre11") # => false (version mismatch)
95
+ # compatible_java_runtime?("jdk8", "jdk11") # => false (version mismatch)
96
+ sig do
97
+ params(
98
+ current_suffix: String,
99
+ candidate_suffix: String
100
+ ).returns(T::Boolean)
101
+ end
102
+ def compatible_java_runtime?(current_suffix, candidate_suffix)
103
+ current_major_version = java_major_version(current_suffix)
104
+ candidate_major_version = java_major_version(candidate_suffix)
105
+ return false unless current_major_version == candidate_major_version
106
+
107
+ is_downgrade = jdk?(current_suffix) && jre?(candidate_suffix)
108
+
109
+ !is_downgrade
110
+ end
111
+
112
+ # Extracts the major Java version number from a JRE/JDK version suffix.
113
+ #
114
+ # @example
115
+ # java_major_version("jre8") # => 8
116
+ # java_major_version("jdk17") # => 17
117
+ sig { params(jre_jdk_suffix: String).returns(Integer) }
118
+ def java_major_version(jre_jdk_suffix)
119
+ jre_jdk_suffix[/\d+/].to_i
120
+ end
121
+
122
+ sig { params(version: T.nilable(String)).returns(T::Boolean) }
123
+ def jre_or_jdk?(version)
124
+ jre?(version) || jdk?(version)
125
+ end
126
+
127
+ # Matches if the current version is a JRE version suffix.
128
+ #
129
+ # @example
130
+ # jre?( "jre8") # => true
131
+ # jre?("jdk8") # => false
132
+ sig { params(version: T.nilable(String)).returns(T::Boolean) }
133
+ def jre?(version)
134
+ return false unless version
135
+
136
+ version.match?(/\A(jre)\d+\z/i)
137
+ end
138
+
139
+ # Matches if the current version is a JDK version suffix.
140
+ #
141
+ # @example
142
+ # jdk?("jre8") # => false
143
+ # jdk?("jdk8") # => true
144
+ sig { params(version: T.nilable(String)).returns(T::Boolean) }
145
+ def jdk?(version)
146
+ return false unless version
147
+
148
+ version.match?(/\A(jdk)\d+\z/i)
149
+ end
150
+
77
151
  # Extracts the qualifier/suffix from a Maven version string.
78
152
  #
79
153
  # Maven versions consist of numeric parts and optional string qualifiers.
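Review bot: The regexes in `jre?` and `jdk?` carry a capture group that nothing reads; `/\A(jre)\d+\z/i` and `/\A(jdk)\d+\z/i` can be `/\Ajre\d+\z/i` and `/\Ajdk\d+\z/i`, ideally as frozen constants so `java_major_version` and the two predicates cannot drift apart if the accepted shape changes. `java_major_version` returns 0 for a string with no digits (`nil.to_i`), which would make two malformed suffixes compare as the same major version; its only caller here is guarded by `jre_or_jdk?`, so that precondition should be stated in the comment, e.g. `# Callers must check jre_or_jdk? first; a suffix without digits yields 0.` The `is_downgrade` local in `compatible_java_runtime?` can be inlined as `!(jdk?(current_suffix) && jre?(candidate_suffix))`. The `@example` for `jre?` has a stray space in `jre?( "jre8")`.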
@@ -96,6 +170,14 @@ module Dependabot
96
170
  # e.g., "beta-1" and "beta_1" are treated the same
97
171
  suffix = suffix.tr("-", "_")
98
172
 
173
+ # Special case for JDK/JRE suffixes
174
+ # e.g., "13.2.1.jre8" or "13.2.1-jdk8"
175
+ # In Java, these suffixes often indicate compatibility with specific Java runtimes
176
+ # and are meaningful in version comparisons as we should not mix versions built for different runtimes.
177
+ # For example, "1.0.0.jdk8" should not be considered the same as "1.0.0.jdk11"
178
+ # because they target different Java versions.
179
+ return suffix if jre_or_jdk?(suffix)
180
+
99
181
  # Ignore purely numeric suffixes (e.g., "-1", "_2")
100
182
  # e.g., "1.0.0-1" or "1.0.0_2" are not considered to have a meaningful suffix
101
183
  return nil if suffix.match?(/^_?\d+$/)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-maven
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.359.0
4
+ version: 0.360.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.359.0
18
+ version: 0.360.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.359.0
25
+ version: 0.360.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: rexml
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -286,7 +286,7 @@ licenses:
286
286
  - MIT
287
287
  metadata:
288
288
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
289
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.359.0
289
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.360.0
290
290
  rdoc_options: []
291
291
  require_paths:
292
292
  - lib