dependabot-maven 0.85.0

data/lib/dependabot/maven/update_checker/version_finder.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/shared_helpers"
+require "dependabot/maven/file_parser/repositories_finder"
+require "dependabot/maven/update_checker"
+require "dependabot/maven/version"
+require "dependabot/maven/requirement"
+
+module Dependabot
+  module Maven
+    class UpdateChecker
+      class VersionFinder
+        TYPE_SUFFICES = %w(jre android java).freeze
+
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions:)
+          @dependency       = dependency
+          @dependency_files = dependency_files
+          @credentials      = credentials
+          @ignored_versions = ignored_versions
+          @forbidden_urls   = []
+        end
+
+        def latest_version_details
+          possible_versions = versions
+
+          unless wants_prerelease?
+            possible_versions =
+              possible_versions.
+              reject { |v| v.fetch(:version).prerelease? }
+          end
+
+          unless wants_date_based_version?
+            possible_versions =
+              possible_versions.
+              reject { |v| v.fetch(:version) > version_class.new(1900) }
+          end
+
+          possible_versions =
+            possible_versions.
+            select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+
+          ignored_versions.each do |req|
+            ignore_req = Maven::Requirement.new(req.split(","))
+            possible_versions =
+              possible_versions.
+              reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
+          end
+
+          possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
+        end
+
+        def versions
+          version_details =
+            repositories.map do |repository_details|
+              url = repository_details.fetch("url")
+              dependency_metadata(repository_details).
+                css("versions > version").
+                select { |node| version_class.correct?(node.content) }.
+                map { |node| version_class.new(node.content) }.
+                map { |version| { version: version, source_url: url } }
+            end.flatten
+
+          if version_details.none? && forbidden_urls.any?
+            raise PrivateSourceAuthenticationFailure, forbidden_urls.first
+          end
+
+          version_details.sort_by { |details| details.fetch(:version) }
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :credentials,
+                    :ignored_versions, :forbidden_urls
+
+        def wants_prerelease?
+          return false unless dependency.version
+          return false unless version_class.correct?(dependency.version)
+
+          version_class.new(dependency.version).prerelease?
+        end
+
+        def wants_date_based_version?
+          return false unless dependency.version
+          return false unless version_class.correct?(dependency.version)
+
+          version_class.new(dependency.version) >= version_class.new(100)
+        end
+
+        def released?(version)
+          repositories.any? do |repository_details|
+            url = repository_details.fetch("url")
+            response = Excon.get(
+              dependency_files_url(url, version),
+              user: repository_details.fetch("username"),
+              password: repository_details.fetch("password"),
+              idempotent: true,
+              **SharedHelpers.excon_defaults
+            )
+
+            artifact_id = dependency.name.split(":").last
+            type = dependency.requirements.first.
+                   dig(:metadata, :packaging_type)
+            response.body.include?("#{artifact_id}-#{version}.#{type}")
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            false
+          end
+        end
+
+        def dependency_metadata(repository_details)
+          @dependency_metadata ||= {}
+          @dependency_metadata[repository_details.hash] ||=
+            begin
+              response = Excon.get(
+                dependency_metadata_url(repository_details.fetch("url")),
+                user: repository_details.fetch("username"),
+                password: repository_details.fetch("password"),
+                idempotent: true,
+                **SharedHelpers.excon_defaults
+              )
+              check_response(response, repository_details.fetch("url"))
+              Nokogiri::XML(response.body)
+            rescue Excon::Error::Socket, Excon::Error::Timeout
+              central =
+                Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+              raise if repository_details.fetch("url") == central
+
+              Nokogiri::XML("")
+            end
+        end
+
+        def check_response(response, repository_url)
+          central =
+            Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+
+          return unless [401, 403].include?(response.status)
+          return if @forbidden_urls.include?(repository_url)
+          return if repository_url == central
+
+          @forbidden_urls << repository_url
+        end
+
+        def repositories
+          return @repositories if @repositories
+
+          details = pom_repository_details + credentials_repository_details
+
+          @repositories =
+            details.reject do |repo|
+              next if repo["password"]
+
+              # Reject this entry if an identical one with a password exists
+              details.any? { |r| r["url"] == repo["url"] && r["password"] }
+            end
+        end
+
+        def pom_repository_details
+          @pom_repository_details ||=
+            Maven::FileParser::RepositoriesFinder.
+            new(dependency_files: dependency_files).
+            repository_urls(pom: pom).
+            map do |url|
+              { "url" => url, "username" => nil, "password" => nil }
+            end
+        end
+
+        def credentials_repository_details
+          credentials.
+            select { |cred| cred["type"] == "maven_repository" }.
+            map do |cred|
+              {
+                "url" => cred.fetch("url").gsub(%r{/+$}, ""),
+                "username" => cred.fetch("username", nil),
+                "password" => cred.fetch("password", nil)
+              }
+            end
+        end
+
+        def matches_dependency_version_type?(comparison_version)
+          return true unless dependency.version
+
+          current_type =
+            TYPE_SUFFICES.
+            find { |t| dependency.version.split(/[.\-]/).include?(t) }
+
+          version_type =
+            TYPE_SUFFICES.
+            find { |t| comparison_version.to_s.split(/[.\-]/).include?(t) }
+
+          current_type == version_type
+        end
+
+        def pom
+          filename = dependency.requirements.first.fetch(:file)
+          dependency_files.find { |f| f.name == filename }
+        end
+
+        def dependency_metadata_url(repository_url)
+          group_id, artifact_id = dependency.name.split(":")
+
+          "#{repository_url}/"\
+          "#{group_id.tr('.', '/')}/"\
+          "#{artifact_id}/"\
+          "maven-metadata.xml"
+        end
+
+        def dependency_files_url(repository_url, version)
+          group_id, artifact_id = dependency.name.split(":")
+
+          "#{repository_url}/"\
+          "#{group_id.tr('.', '/')}/"\
+          "#{artifact_id}/"\
+          "#{version}/"
+        end
+
+        def version_class
+          Maven::Version
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/maven/update_checker.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/maven/file_parser/property_value_finder"
+
+module Dependabot
+  module Maven
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_finder"
+      require_relative "update_checker/property_updater"
+
+      def latest_version
+        latest_version_details&.fetch(:version)
+      end
+
+      def latest_resolvable_version
+        # Maven's version resolution algorithm is very simple: it just uses
+        # the version defined "closest", with the first declaration winning
+        # if two declarations are equally close. As a result, we can just
+        # return that latest version unless dealing with a property dep.
+        # https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Transitive_Dependencies
+        return nil if version_comes_from_multi_dependency_property?
+
+        latest_version
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        # Irrelevant, since Maven has a single dependency file (the pom.xml).
+        #
+        # For completeness we ought to resolve the pom.xml and return the
+        # latest version that satisfies the current constraint AND any
+        # constraints placed on it by other dependencies. Seeing as we're
+        # never going to take any action as a result, though, we just return
+        # nil.
+        nil
+      end
+
+      def updated_requirements
+        property_names =
+          declarations_using_a_property.
+          map { |req| req.dig(:metadata, :property_name) }
+
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_version: latest_version&.to_s,
+          source_url: latest_version_details&.fetch(:source_url),
+          properties_to_update: property_names
+        ).updated_requirements
+      end
+
+      def requirements_unlocked_or_can_be?
+        declarations_using_a_property.none? do |requirement|
+          prop_name = requirement.dig(:metadata, :property_name)
+          pom = dependency_files.find { |f| f.name == requirement[:file] }
+
+          declaration_pom_name =
+            property_value_finder.
+            property_details(property_name: prop_name, callsite_pom: pom)&.
+            fetch(:file)
+
+          declaration_pom_name == "remote_pom.xml" ||
+            declaration_pom_name.end_with?("pom_parent.xml")
+        end
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        return false unless version_comes_from_multi_dependency_property?
+
+        property_updater.update_possible?
+      end
+
+      def updated_dependencies_after_full_unlock
+        property_updater.updated_dependencies
+      end
+
+      def numeric_version_up_to_date?
+        return false unless version_class.correct?(dependency.version)
+
+        super
+      end
+
+      def numeric_version_can_update?(requirements_to_unlock:)
+        return false unless version_class.correct?(dependency.version)
+
+        super
+      end
+
+      def latest_version_details
+        @latest_version_details ||= version_finder.latest_version_details
+      end
+
+      def version_finder
+        @version_finder ||=
+          VersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions
+          )
+      end
+
+      def property_updater
+        @property_updater ||=
+          PropertyUpdater.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            target_version_details: latest_version_details,
+            credentials: credentials,
+            ignored_versions: ignored_versions
+          )
+      end
+
+      def property_value_finder
+        @property_value_finder ||=
+          Maven::FileParser::PropertyValueFinder.
+          new(dependency_files: dependency_files)
+      end
+
+      def version_comes_from_multi_dependency_property?
+        declarations_using_a_property.any? do |requirement|
+          property_name = requirement.fetch(:metadata).fetch(:property_name)
+          property_source = requirement.fetch(:metadata).
+                            fetch(:property_source)
+
+          all_property_based_dependencies.any? do |dep|
+            next false if dep.name == dependency.name
+
+            dep.requirements.any? do |req|
+              next unless req.dig(:metadata, :property_name) == property_name
+
+              req.dig(:metadata, :property_source) == property_source
+            end
+          end
+        end
+      end
+
+      def declarations_using_a_property
+        @declarations_using_a_property ||=
+          dependency.requirements.
+          select { |req| req.dig(:metadata, :property_name) }
+      end
+
+      def all_property_based_dependencies
+        @all_property_based_dependencies ||=
+          Maven::FileParser.new(
+            dependency_files: dependency_files,
+            source: nil
+          ).parse.select do |dep|
+            dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
+          end
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.register("maven", Dependabot::Maven::UpdateChecker)

data/lib/dependabot/maven/version.rb

@@ -0,0 +1,181 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+
+# Java versions use dots and dashes when tokenising their versions.
+# Gem::Version converts a "-" to ".pre.", so we override the `to_s` method.
+#
+# See https://maven.apache.org/pom.html#Version_Order_Specification for details.
+
+module Dependabot
+  module Maven
+    class Version < Gem::Version
+      NULL_VALUES = %w(0 final ga).freeze
+      PREFIXED_TOKEN_HIERARCHY = {
+        "." => { qualifier: 1, number: 4 },
+        "-" => { qualifier: 2, number: 3 }
+      }.freeze
+      NAMED_QUALIFIERS_HIERARCHY = {
+        "a" => 1, "alpha"     => 1,
+        "b" => 2, "beta"      => 2,
+        "m" => 3, "milestone" => 3,
+        "rc" => 4, "cr" => 4,
+        "snapshot" => 5,
+        "ga" => 6, "" => 6, "final" => 6,
+        "sp" => 7
+      }.freeze
+      VERSION_PATTERN =
+        '[0-9a-zA-Z]+(?>\.[0-9a-zA-Z]*)*(-[0-9A-Za-z-]*(\.[0-9A-Za-z-]*)*)?'
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
+
+      def self.correct?(version)
+        return false if version.nil?
+
+        version.to_s.match?(ANCHORED_VERSION_PATTERN)
+      end
+
+      def initialize(version)
+        @version_string = version.to_s
+        super(version.to_s.tr("_", "-"))
+      end
+
+      def to_s
+        @version_string
+      end
+
+      def prerelease?
+        tokens.any? do |token|
+          next false unless NAMED_QUALIFIERS_HIERARCHY[token]
+
+          NAMED_QUALIFIERS_HIERARCHY[token] < 6
+        end
+      end
+
+      private
+
+      def tokens
+        @tokens ||=
+          begin
+            version = @version_string.to_s.downcase
+            version = fill_tokens(version)
+            version = trim_version(version)
+            split_into_prefixed_tokens(version).map { |t| t[1..-1] }
+          end
+      end
+
+      def <=>(other)
+        version = stringify_version(@version_string)
+        version = fill_tokens(version)
+        version = trim_version(version)
+
+        other_version = stringify_version(other)
+        other_version = fill_tokens(other_version)
+        other_version = trim_version(other_version)
+
+        version, other_version = convert_dates(version, other_version)
+
+        prefixed_tokens = split_into_prefixed_tokens(version)
+        other_prefixed_tokens = split_into_prefixed_tokens(other_version)
+
+        prefixed_tokens, other_prefixed_tokens =
+          pad_for_comparison(prefixed_tokens, other_prefixed_tokens)
+
+        prefixed_tokens.count.times.each do |index|
+          comp = compare_prefixed_token(
+            prefix: prefixed_tokens[index][0],
+            token: prefixed_tokens[index][1..-1] || "",
+            other_prefix: other_prefixed_tokens[index][0],
+            other_token: other_prefixed_tokens[index][1..-1] || ""
+          )
+          return comp unless comp.zero?
+        end
+
+        0
+      end
+
+      def stringify_version(version)
+        version = version.to_s.downcase
+
+        # Not technically correct, but pragmatic
+        version.gsub(/^v(?=\d)/, "")
+      end
+
+      def fill_tokens(version)
+        # Add separators when transitioning from digits to characters
+        version = version.gsub(/(\d)([A-Za-z])/, '\1-\2')
+        version = version.gsub(/([A-Za-z])(\d)/, '\1-\2')
+
+        # Replace empty tokens with 0
+        version = version.gsub(/([\.\-])([\.\-])/, '\10\2')
+        version = version.gsub(/^([\.\-])/, '0\1')
+        version.gsub(/([\.\-])$/, '\10')
+      end
+
+      def trim_version(version)
+        version.split("-").map do |v|
+          parts = v.split(".")
+          parts = parts[0..-2] while NULL_VALUES.include?(parts&.last)
+          parts&.join(".")
+        end.compact.reject(&:empty?).join("-")
+      end
+
+      def convert_dates(version, other_version)
+        default = [version, other_version]
+        return default unless version.match?(/^\d{4}-?\d{2}-?\d{2}$/)
+        return default unless other_version.match?(/^\d{4}-?\d{2}-?\d{2}$/)
+
+        [version.delete("-"), other_version.delete("-")]
+      end
+
+      def split_into_prefixed_tokens(version)
+        ".#{version}".split(/(?=[\-\.])/)
+      end
+
+      def pad_for_comparison(prefixed_tokens, other_prefixed_tokens)
+        prefixed_tokens = prefixed_tokens.dup
+        other_prefixed_tokens = other_prefixed_tokens.dup
+
+        longest = [prefixed_tokens, other_prefixed_tokens].max_by(&:count)
+        shortest = [prefixed_tokens, other_prefixed_tokens].min_by(&:count)
+
+        longest.count.times do |index|
+          next unless shortest[index].nil?
+
+          shortest[index] = longest[index].start_with?(".") ? ".0" : "-"
+        end
+
+        [prefixed_tokens, other_prefixed_tokens]
+      end
+
+      def compare_prefixed_token(prefix:, token:, other_prefix:, other_token:)
+        token_type = token.match?(/^\d+$/) ? :number : :qualifier
+        other_token_type = other_token.match?(/^\d+$/) ? :number : :qualifier
+
+        hierarchy = PREFIXED_TOKEN_HIERARCHY.fetch(prefix).fetch(token_type)
+        other_hierarchy =
+          PREFIXED_TOKEN_HIERARCHY.fetch(other_prefix).fetch(other_token_type)
+
+        hierarchy_comparison = hierarchy <=> other_hierarchy
+        return hierarchy_comparison unless hierarchy_comparison.zero?
+
+        compare_token(token: token, other_token: other_token)
+      end
+
+      def compare_token(token:, other_token:)
+        if (token_hierarchy = NAMED_QUALIFIERS_HIERARCHY[token])
+          return -1 unless NAMED_QUALIFIERS_HIERARCHY[other_token]
+
+          return token_hierarchy <=> NAMED_QUALIFIERS_HIERARCHY[other_token]
+        end
+
+        return 1 if NAMED_QUALIFIERS_HIERARCHY[other_token]
+
+        token = token.to_i if token.match?(/^\d+$/)
+        other_token = other_token.to_i if other_token.match?(/^\d+$/)
+        token <=> other_token
+      end
+    end
+  end
+end
+
+Dependabot::Utils.register_version_class("maven", Dependabot::Maven::Version)

data/lib/dependabot/maven.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/maven/file_fetcher"
+require "dependabot/maven/file_parser"
+require "dependabot/maven/update_checker"
+require "dependabot/maven/file_updater"
+require "dependabot/maven/metadata_finder"
+require "dependabot/maven/requirement"
+require "dependabot/maven/version"