dependabot-maven 0.361.2 → 0.362.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 87e639c848738f466a5c3a503c4506c601d10db84b99a766585e75f799b5514c
4
- data.tar.gz: c1deca188041924a4946ad4b33012c31a237e9a5432bd01968bed1a89f34d723
3
+ metadata.gz: 6b2d3206a58a6877d490d4f996f43d1703de69920e76511741966fbc7272a5c2
4
+ data.tar.gz: 31322a8a1dccaaf04a38233d9b3f767469aebd741dfd0081131fde8e94b8ad06
5
5
  SHA512:
6
- metadata.gz: 5277a91613aec8e220e7be4f6dd949ce8fa3f4b17b979072b164c7f93ba252888b751bb9b29d8c796dcb9e8e805b11ac13578d6e138c7a1876038bd9cc09a3d9
7
- data.tar.gz: f91ad820a970652221fa8cf621b7978ff6db67f79d1763b8bd562a9012388c59c2c1cb0ab47ed1c4deb338d3e56aaa823e7d36a81fe212e0ebfcb14ab9e950fe
6
+ metadata.gz: c5ac97434660ab394d413523feb11dbd898478bf92d9eca00834b474a896f26e70db3fbe2d3a74b110042376eac57590c4d722d717c306ca02db7e86d9a47f29
7
+ data.tar.gz: 1f280b0cc45b41fed7f5831338df860add33a7b003e44c3568522955f32cfc9ccfb679640859c1e84b3d888ef623a70a371620cba031034ce03958524894e6a7
@@ -20,6 +20,7 @@ module Dependabot
20
20
  require_relative "pom_fetcher"
21
21
 
22
22
  DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
23
+ MAVEN_PROPERTY_REGEX = /\$\{.+?/
23
24
 
24
25
  sig do
25
26
  params(
@@ -37,10 +38,15 @@ module Dependabot
37
38
  )
38
39
  end
39
40
 
41
+ # rubocop:disable Metrics/PerceivedComplexity
40
42
  sig do
41
- params(property_name: String, callsite_pom: DependencyFile).returns(T.nilable(T::Hash[Symbol, T.untyped]))
43
+ params(
44
+ property_name: String,
45
+ callsite_pom: DependencyFile,
46
+ seen_properties: T::Set[String]
47
+ ).returns(T.nilable(T::Hash[Symbol, T.untyped]))
42
48
  end
43
- def property_details(property_name:, callsite_pom:)
49
+ def property_details(property_name:, callsite_pom:, seen_properties: Set.new)
44
50
  pom = callsite_pom
45
51
  doc = Nokogiri::XML(pom.content)
46
52
  doc.remove_namespaces!
@@ -63,53 +69,73 @@ module Dependabot
63
69
  raise DependencyFileNotEvaluatable, e.message
64
70
  end
65
71
 
66
- # and value is an expression
67
- if node && /\$\{(?<expression>.+)\}/.match(node.content.strip)
68
- return extract_value_from_expression(
69
- expression: node.content.strip,
72
+ if node.nil? && parent_pom(pom)
73
+ return property_details(
70
74
  property_name: property_name,
71
- callsite_pom: callsite_pom
75
+ callsite_pom: T.must(parent_pom(pom)),
76
+ seen_properties: seen_properties
77
+ )
78
+ end
79
+ # If the property can’t be resolved for any reason, we return nil which
80
+ # causes Dependabot to skip the dependency.
81
+ # This differs from Maven’s behavior, where an unresolved property would fail the entire build.
82
+ # We intentionally choose this as a compromise so Dependabot can continue parsing the rest of the project,
83
+ # rather than failing completely due to a single unknown property.
84
+ # The trade-off is that some dependencies may not be updated as expected.
85
+ Dependabot.logger.warn "Could not resolve property '#{property_name}'" unless node
86
+ return nil unless node
87
+
88
+ content = node.content.strip
89
+
90
+ # Detect infinite recursion such as ${property1} where property1=${property1}
91
+ if seen_properties.include?(property_name)
92
+ raise Dependabot::DependencyFileNotParseable.new(
93
+ callsite_pom.name,
94
+ "Error trying to resolve recursive expression '${#{property_name}}'."
72
95
  )
73
96
  end
74
97
 
75
- # If we found a property, return it
76
- return { file: pom.name, node: node, value: node.content.strip } if node
98
+ seen_properties << property_name
77
99
 
78
- # Otherwise, look for a value in this pom's parent
79
- return unless (parent = parent_pom(pom))
100
+ # If the content has no placeholders, return it as-is
101
+ return { file: pom.name, node: node, value: content } unless content.match?(MAVEN_PROPERTY_REGEX)
80
102
 
81
- property_details(
82
- property_name: property_name,
83
- callsite_pom: parent
84
- )
103
+ resolve_property_placeholder(content, callsite_pom, pom, node, seen_properties)
85
104
  end
105
+ # rubocop:enable Metrics/PerceivedComplexity
86
106
 
87
107
  private
88
108
 
89
- sig { returns(T::Array[DependencyFile]) }
90
- attr_reader :dependency_files
91
-
109
+ # Extract property placeholders from a string and resolve them
110
+ # These properties can be simple properties such as ${project.version}
111
+ # or more complex such as ${my.property.${other.property}} or constant.${property}
112
+ # See https://maven.apache.org/pom.html#properties
92
113
  sig do
93
114
  params(
94
- expression: String,
95
- property_name: String,
96
- callsite_pom: DependencyFile
97
- )
98
- .returns(T.nilable(T::Hash[Symbol, String]))
115
+ content: String,
116
+ callsite_pom: DependencyFile,
117
+ pom: DependencyFile,
118
+ node: T.untyped,
119
+ seen_properties: T::Set[String]
120
+ ).returns(T.nilable(T::Hash[Symbol, T.untyped]))
99
121
  end
100
- def extract_value_from_expression(expression:, property_name:, callsite_pom:)
101
- # and the expression is pointing to self then raise the error
102
- if expression.eql?("${#{property_name}}")
103
- raise Dependabot::DependencyFileNotParseable.new(
104
- callsite_pom.name,
105
- "Error trying to resolve recursive expression '#{expression}'."
122
+ def resolve_property_placeholder(content, callsite_pom, pom, node, seen_properties)
123
+ resolved_value = content.gsub(/\$\{(.+?)}/) do
124
+ inner_name = Regexp.last_match(1)
125
+ resolved = property_details(
126
+ property_name: T.must(inner_name),
127
+ callsite_pom: callsite_pom,
128
+ seen_properties: seen_properties
106
129
  )
130
+ T.must(resolved)[:value]
107
131
  end
108
132
 
109
- # and the expression is pointing to another tag, then get the value of that tag
110
- property_details(property_name: T.must(expression.slice(2..-2)), callsite_pom: callsite_pom)
133
+ { file: pom.name, node: node, value: resolved_value }
111
134
  end
112
135
 
136
+ sig { returns(T::Array[DependencyFile]) }
137
+ attr_reader :dependency_files
138
+
113
139
  sig { params(property_name: String).returns(String) }
114
140
  def sanitize_property_name(property_name)
115
141
  property_name.sub(/^pom\./, "").sub(/^project\./, "")
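Review bot: `T.must(resolved)[:value]` in resolve_property_placeholder raises as soon as a nested placeholder cannot be resolved, because property_details returns nil for an unknown property (the warn-and-return-nil path at new lines 85–86), so the "return nil so Dependabot skips the dependency" contract promised by the new comment only holds for the top-level lookup; `return nil if resolved.nil?` followed by `resolved[:value]` (a `return` inside the gsub block leaves the method) keeps the documented behaviour for nested lookups too. The shared `seen_properties` set is also mutated with `seen_properties << property_name` and never trimmed after a lookup succeeds, so a value that references the same property twice, e.g. `${v}-${v}`, trips the recursion check on the second placeholder and raises DependencyFileNotParseable for a value that is not recursive; rebinding instead, `seen_properties = seen_properties | [property_name]`, tracks only the current resolution chain and leaves the caller's set untouched. The lazy pattern `/\$\{(.+?)}/` stops at the first `}`, so the nested form `${my.property.${other.property}}` cited in the new comment is captured as `my.property.${other.property` rather than resolved inside-out; either drop that example from the comment or match balanced braces. The `MAVEN_PROPERTY_REGEX` constant added in the first hunk lacks the closing `\}` that the gsub pattern has, so an unterminated `${foo` is treated as a placeholder and only later passes through gsub unchanged. The enclosing class starts before this hunk.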
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-maven
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.361.2
4
+ version: 0.362.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.361.2
18
+ version: 0.362.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.361.2
25
+ version: 0.362.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: rexml
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -286,7 +286,7 @@ licenses:
286
286
  - MIT
287
287
  metadata:
288
288
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
289
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.361.2
289
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.362.0
290
290
  rdoc_options: []
291
291
  require_paths:
292
292
  - lib