dependabot-maven 0.85.0

data/lib/dependabot/maven/metadata_finder.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/file_fetchers/base"
+require "dependabot/maven/file_parser"
+require "dependabot/maven/file_parser/repositories_finder"
+
+module Dependabot
+  module Maven
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      DOT_SEPARATOR_REGEX = %r{\.(?:(?!\d+[.\/])+)}.freeze
+
+      private
+
+      def look_up_source
+        tmp_source = look_up_source_in_pom(dependency_pom_file)
+        return tmp_source if tmp_source
+
+        return unless (parent = parent_pom_file(dependency_pom_file))
+
+        tmp_source = look_up_source_in_pom(parent)
+        return unless tmp_source
+
+        artifact = dependency.name.split(":").last
+        return tmp_source if tmp_source.repo.end_with?(artifact)
+        return tmp_source if repo_has_subdir_for_dep?(tmp_source)
+      end
+
+      def repo_has_subdir_for_dep?(tmp_source)
+        @repo_has_subdir_for_dep ||= {}
+        if @repo_has_subdir_for_dep.key?(tmp_source)
+          return @repo_has_subdir_for_dep[tmp_source]
+        end
+
+        artifact = dependency.name.split(":").last
+        fetcher =
+          FileFetchers::Base.new(source: tmp_source, credentials: credentials)
+
+        @repo_has_subdir_for_dep[tmp_source] =
+          fetcher.send(:repo_contents, raise_errors: false).
+          select { |f| f.type == "dir" }.
+          any? { |f| artifact.end_with?(f.name) }
+      rescue Dependabot::RepoNotFound
+        @repo_has_subdir_for_dep[tmp_source] = false
+      end
+
+      def look_up_source_in_pom(pom)
+        potential_source_urls = [
+          pom.at_css("project > url")&.content,
+          pom.at_css("project > scm > url")&.content,
+          pom.at_css("project > issueManagement > url")&.content
+        ].compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        source_url ||= source_from_anywhere_in_pom(pom)
+        source_url = substitute_property_in_source_url(source_url, pom)
+
+        Source.from_url(source_url)
+      end
+
+      def substitute_property_in_source_url(source_url, pom)
+        return unless source_url
+        return source_url unless source_url.include?("${")
+
+        regex = Maven::FileParser::PROPERTY_REGEX
+        property_name = source_url.match(regex).named_captures["property"]
+        doc = pom.dup
+        doc.remove_namespaces!
+        nm = property_name.sub(/^pom\./, "").sub(/^project\./, "")
+        property_value =
+          loop do
+            candidate_node =
+              doc.at_xpath("/project/#{nm}") ||
+              doc.at_xpath("/project/properties/#{nm}") ||
+              doc.at_xpath("/project/profiles/profile/properties/#{nm}")
+            break candidate_node.content if candidate_node
+            break unless nm.match?(DOT_SEPARATOR_REGEX)
+
+            nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
+          end
+
+        source_url.gsub("${#{property_name}}", property_value)
+      end
+
+      def source_from_anywhere_in_pom(pom)
+        github_urls = []
+        pom.to_s.scan(Source::SOURCE_REGEX) do
+          github_urls << Regexp.last_match.to_s
+        end
+
+        github_urls.find do |url|
+          repo = Source.from_url(url).repo
+          repo.end_with?(dependency.name.split(":").last)
+        end
+      end
+
+      def dependency_pom_file
+        return @dependency_pom_file unless @dependency_pom_file.nil?
+
+        artifact_id = dependency.name.split(":").last
+        response = Excon.get(
+          "#{maven_repo_dependency_url}/"\
+          "#{dependency.version}/"\
+          "#{artifact_id}-#{dependency.version}.pom",
+          headers: auth_details,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        @dependency_pom_file = Nokogiri::XML(response.body)
+      rescue Excon::Error::Timeout
+        @dependency_pom_file = Nokogiri::XML("")
+      end
+
+      def parent_pom_file(pom)
+        doc = pom.dup
+        doc.remove_namespaces!
+        group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
+        artifact_id =
+          doc.at_xpath("/project/parent/artifactId")&.content&.strip
+        version = doc.at_xpath("/project/parent/version")&.content&.strip
+
+        return unless artifact_id && group_id && version
+
+        response = Excon.get(
+          "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}/"\
+          "#{version}/"\
+          "#{artifact_id}-#{version}.pom",
+          headers: auth_details,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        Nokogiri::XML(response.body)
+      end
+
+      def maven_repo_url
+        source = dependency.requirements.
+                 find { |r| r&.fetch(:source) }&.fetch(:source)
+
+        source&.fetch(:url, nil) ||
+          source&.fetch("url") ||
+          Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+      end
+
+      def maven_repo_dependency_url
+        group_id, artifact_id = dependency.name.split(":")
+
+        "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
+      end
+
+      def auth_details
+        cred =
+          credentials.select { |c| c["type"] == "maven_repository" }.
+          find do |c|
+            cred_url = c.fetch("url").gsub(%r{/+$}, "")
+            next false unless cred_url == maven_repo_url
+
+            c.fetch("username", nil)
+          end
+
+        return {} unless cred
+
+        token = cred.fetch("username") + ":" + cred.fetch("password")
+        encoded_token = Base64.encode64(token).delete("\n")
+        { "Authorization" => "Basic #{encoded_token}" }
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("maven", Dependabot::Maven::MetadataFinder)

data/lib/dependabot/maven/requirement.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/maven/version"
+
+module Dependabot
+  module Maven
+    class Requirement < Gem::Requirement
+      quoted = OPS.keys.map { |k| Regexp.quote k }.join("|")
+      PATTERN_RAW =
+        "\\s*(#{quoted})?\\s*(#{Maven::Version::VERSION_PATTERN})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+
+      def self.parse(obj)
+        return ["=", Maven::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Maven::Version.new(matches[2])]
+      end
+
+      def self.requirements_array(requirement_string)
+        split_java_requirement(requirement_string).map do |str|
+          new(str)
+        end
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          convert_java_constraint_to_ruby_constraint(req_string)
+        end
+
+        super(requirements)
+      end
+
+      def satisfied_by?(version)
+        version = Maven::Version.new(version.to_s)
+        super
+      end
+
+      private
+
+      def self.split_java_requirement(req_string)
+        req_string.split(/(?<=\]|\)),/).flat_map do |str|
+          next str if str.start_with?("(", "[")
+
+          exacts, *rest = str.split(/,(?=\[|\()/)
+          [*exacts.split(","), *rest]
+        end
+      end
+      private_class_method :split_java_requirement
+
+      def convert_java_constraint_to_ruby_constraint(req_string)
+        return unless req_string
+
+        if self.class.send(:split_java_requirement, req_string).count > 1
+          raise "Can't convert multiple Java reqs to a single Ruby one"
+        end
+
+        if req_string&.include?(",")
+          return convert_java_range_to_ruby_range(req_string)
+        end
+
+        convert_java_equals_req_to_ruby(req_string)
+      end
+
+      def convert_java_range_to_ruby_range(req_string)
+        lower_b, upper_b = req_string.split(",").map(&:strip)
+
+        lower_b =
+          if ["(", "["].include?(lower_b) then nil
+          elsif lower_b.start_with?("(") then "> #{lower_b.sub(/\(\s*/, '')}"
+          else ">= #{lower_b.sub(/\[\s*/, '').strip}"
+          end
+
+        upper_b =
+          if [")", "]"].include?(upper_b) then nil
+          elsif upper_b.end_with?(")") then "< #{upper_b.sub(/\s*\)/, '')}"
+          else "<= #{upper_b.sub(/\s*\]/, '').strip}"
+          end
+
+        [lower_b, upper_b].compact
+      end
+
+      def convert_java_equals_req_to_ruby(req_string)
+        return convert_wildcard_req(req_string) if req_string&.include?("+")
+
+        # If a soft requirement is being used, treat it as an equality matcher
+        return req_string unless req_string&.start_with?("[")
+
+        req_string.gsub(/[\[\]\(\)]/, "")
+      end
+
+      def convert_wildcard_req(req_string)
+        version = req_string.gsub(/(?:\.|^)\+/, "")
+        return ">= 0" if version.empty?
+
+        "~> #{version}.0"
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("maven", Dependabot::Maven::Requirement)

data/lib/dependabot/maven/update_checker/property_updater.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require "dependabot/maven/file_parser"
+require "dependabot/maven/update_checker"
+require "dependabot/maven/file_updater/declaration_finder"
+
+module Dependabot
+  module Maven
+    class UpdateChecker
+      class PropertyUpdater
+        require_relative "requirements_updater"
+        require_relative "version_finder"
+
+        def initialize(dependency:, dependency_files:, credentials:,
+                       target_version_details:, ignored_versions:)
+          @dependency       = dependency
+          @dependency_files = dependency_files
+          @credentials      = credentials
+          @ignored_versions = ignored_versions
+          @target_version   = target_version_details&.fetch(:version)
+          @source_url       = target_version_details&.fetch(:source_url)
+        end
+
+        def update_possible?
+          return false unless target_version
+
+          @update_possible ||=
+            dependencies_using_property.all? do |dep|
+              versions = VersionFinder.new(
+                dependency: dep,
+                dependency_files: dependency_files,
+                credentials: credentials,
+                ignored_versions: ignored_versions
+              ).versions.map { |v| v.fetch(:version) }
+
+              versions.include?(target_version) || versions.none?
+            end
+        end
+
+        def updated_dependencies
+          raise "Update not possible!" unless update_possible?
+
+          @updated_dependencies ||=
+            dependencies_using_property.map do |dep|
+              Dependency.new(
+                name: dep.name,
+                version: updated_version(dep),
+                requirements: updated_requirements(dep),
+                previous_version: dep.version,
+                previous_requirements: dep.requirements,
+                package_manager: dep.package_manager
+              )
+            end
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :target_version,
+                    :source_url, :credentials, :ignored_versions
+
+        def dependencies_using_property
+          @dependencies_using_property ||=
+            Maven::FileParser.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select do |dep|
+              dep.requirements.any? do |r|
+                next unless r.dig(:metadata, :property_name) == property_name
+
+                r.dig(:metadata, :property_source) == property_source
+              end
+            end
+        end
+
+        def property_name
+          @property_name ||= dependency.requirements.
+                             find { |r| r.dig(:metadata, :property_name) }&.
+                             dig(:metadata, :property_name)
+
+          raise "No requirement with a property name!" unless @property_name
+
+          @property_name
+        end
+
+        def property_source
+          @property_source ||=
+            dependency.requirements.
+            find { |r| r.dig(:metadata, :property_name) == property_name }&.
+            dig(:metadata, :property_source)
+        end
+
+        def version_string(dep)
+          declaring_requirement =
+            dep.requirements.
+            find { |r| r.dig(:metadata, :property_name) == property_name }
+
+          Maven::FileUpdater::DeclarationFinder.new(
+            dependency: dep,
+            declaring_requirement: declaring_requirement,
+            dependency_files: dependency_files
+          ).declaration_nodes.first.at_css("version")&.content
+        end
+
+        def pom
+          dependency_files.find { |f| f.name == "pom.xml" }
+        end
+
+        def updated_version(dep)
+          version_string(dep).gsub("${#{property_name}}", target_version.to_s)
+        end
+
+        def updated_requirements(dep)
+          @updated_requirements ||= {}
+          @updated_requirements[dep.name] ||=
+            RequirementsUpdater.new(
+              requirements: dep.requirements,
+              latest_version: updated_version(dep),
+              source_url: source_url,
+              properties_to_update: [property_name]
+            ).updated_requirements
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/maven/update_checker/requirements_updater.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+#######################################################
+# For more details on Maven version constraints, see: #
+# https://maven.apache.org/pom.html#Dependencies      #
+#######################################################
+
+require "dependabot/maven/update_checker"
+require "dependabot/maven/version"
+require "dependabot/maven/requirement"
+
+module Dependabot
+  module Maven
+    class UpdateChecker
+      class RequirementsUpdater
+        def initialize(requirements:, latest_version:, source_url:,
+                       properties_to_update:)
+          @requirements = requirements
+          @source_url = source_url
+          @properties_to_update = properties_to_update
+          return unless latest_version
+
+          @latest_version = version_class.new(latest_version)
+        end
+
+        def updated_requirements
+          return requirements unless latest_version
+
+          # Note: Order is important here. The FileUpdater needs the updated
+          # requirement at index `i` to correspond to the previous requirement
+          # at the same index.
+          requirements.map do |req|
+            next req if req.fetch(:requirement).nil?
+            next req if req.fetch(:requirement).include?(",")
+
+            property_name = req.dig(:metadata, :property_name)
+            if property_name && !properties_to_update.include?(property_name)
+              next req
+            end
+
+            new_req = update_requirement(req[:requirement])
+            req.merge(requirement: new_req, source: updated_source)
+          end
+        end
+
+        private
+
+        attr_reader :requirements, :latest_version, :source_url,
+                    :properties_to_update
+
+        def update_requirement(req_string)
+          if req_string.include?(".+")
+            update_dynamic_requirement(req_string)
+          else
+            # Since range requirements are excluded this must be exact
+            update_exact_requirement(req_string)
+          end
+        end
+
+        def update_exact_requirement(req_string)
+          old_version = requirement_class.new(req_string).
+                        requirements.first.last
+          req_string.gsub(old_version.to_s, latest_version.to_s)
+        end
+
+        # This is really only a Gradle thing, but Gradle relies on this
+        # RequirementsUpdater too
+        def update_dynamic_requirement(req_string)
+          precision = req_string.split(".").take_while { |s| s != "+" }.count
+
+          version_parts = latest_version.segments.first(precision)
+
+          version_parts.join(".") + ".+"
+        end
+
+        def version_class
+          Maven::Version
+        end
+
+        def requirement_class
+          Maven::Requirement
+        end
+
+        def updated_source
+          { type: "maven_repo", url: source_url }
+        end
+      end
+    end
+  end
+end