dependabot-maven 0.100.2 → 0.101.0

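--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3f2d0036b079ac0be68cb1cf101254b36fdfb0c03eea8fcb9a0012f240c2a2dc
- data.tar.gz: 99bb4c64a1e031083df32ce2bc788c626a1eb8903b93694d1f5981f72a01b454
+ metadata.gz: 27c69d7d84a08f4d94c75a949acc1b5bca08dd1f7901409bc2fd010cb564e079
+ data.tar.gz: 8de19800adf49d3a979e09b34c19e91fdd86469f3efc5a5aea454100b2f2d810
  SHA512:
- metadata.gz: 8bf5a8be2a6e0dcd0216afb45a2060d9a7631d4496d351bc1bdf4830617904dbada0c2ef1441e7f366de57625455cc5fbec5356083381b4c7925ca4637bb50db
- data.tar.gz: 57153a9893005510226d0991dbbfa53fa9432e538f7ecae28f645159a4075f2762cea4fba351e289c6f1a7f607de1ad9c764636974f6176c62d148d5458d143a
+ metadata.gz: ee3ae831be414918bb16d5ee59a73dd82498af645308a1e6a71364a91f775d362e8c7646dba24124cc06ad861e46db0695bea4798dbee8f83c1a119f16f46615
+ data.tar.gz: 6ffc68ba6d6ee390decdd92e9e462c6f4e7f2302bbd67f09928b31c73360cfdbd582034ff284902e40eebc27aa3ccc91b5c6002bd5d9927cd02556aae659d778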
@@ -32,7 +32,8 @@ module Dependabot
32
32
  dependency: dep,
33
33
  dependency_files: dependency_files,
34
34
  credentials: credentials,
35
- ignored_versions: ignored_versions
35
+ ignored_versions: ignored_versions,
36
+ security_advisories: []
36
37
  ).versions.map { |v| v.fetch(:version) }
37
38
 
38
39
  versions.include?(updated_version(dep)) || versions.none?
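Review bot: The hard-coded `security_advisories: []` on the added line opts this VersionFinder lookup out of advisory filtering, while the update checker in the later hunk threads its own `security_advisories` through to the same constructor. If that is deliberate because this call only needs the full list of published versions to decide whether `updated_version(dep)` exists, a one-line comment would stop the next reader from "fixing" it, e.g. `# Advisories are irrelevant here: this only needs every published version`. If instead this path should also respect advisories, the real list has to be passed. The enclosing method starts before the hunk.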
@@ -14,41 +14,37 @@ module Dependabot
14
14
  TYPE_SUFFICES = %w(jre android java).freeze
15
15
 
16
16
  def initialize(dependency:, dependency_files:, credentials:,
17
- ignored_versions:)
18
- @dependency = dependency
19
- @dependency_files = dependency_files
20
- @credentials = credentials
21
- @ignored_versions = ignored_versions
22
- @forbidden_urls = []
17
+ ignored_versions:, security_advisories:)
18
+ @dependency = dependency
19
+ @dependency_files = dependency_files
20
+ @credentials = credentials
21
+ @ignored_versions = ignored_versions
22
+ @security_advisories = security_advisories
23
+ @forbidden_urls = []
23
24
  end
24
25
 
25
26
  def latest_version_details
26
27
  possible_versions = versions
27
28
 
28
- unless wants_prerelease?
29
- possible_versions =
30
- possible_versions.
31
- reject { |v| v.fetch(:version).prerelease? }
32
- end
29
+ possible_versions = filter_prereleases(possible_versions)
30
+ possible_versions = filter_date_based_versions(possible_versions)
31
+ possible_versions = filter_version_types(possible_versions)
32
+ possible_versions = filter_ignored_versions(possible_versions)
33
33
 
34
- unless wants_date_based_version?
35
- possible_versions =
36
- possible_versions.
37
- reject { |v| v.fetch(:version) > version_class.new(1900) }
38
- end
34
+ possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
35
+ end
39
36
 
40
- possible_versions =
41
- possible_versions.
42
- select { |v| matches_dependency_version_type?(v.fetch(:version)) }
37
+ def lowest_security_fix_version_details
38
+ possible_versions = versions
43
39
 
44
- ignored_versions.each do |req|
45
- ignore_req = Maven::Requirement.new(req.split(","))
46
- possible_versions =
47
- possible_versions.
48
- reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
49
- end
40
+ possible_versions = filter_prereleases(possible_versions)
41
+ possible_versions = filter_date_based_versions(possible_versions)
42
+ possible_versions = filter_version_types(possible_versions)
43
+ possible_versions = filter_ignored_versions(possible_versions)
44
+ possible_versions = filter_vulnerable_versions(possible_versions)
45
+ possible_versions = filter_lower_versions(possible_versions)
50
46
 
51
- possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
47
+ possible_versions.find { |v| released?(v.fetch(:version)) }
52
48
  end
53
49
 
54
50
  def versions
@@ -72,7 +68,56 @@ module Dependabot
72
68
  private
73
69
 
74
70
  attr_reader :dependency, :dependency_files, :credentials,
75
- :ignored_versions, :forbidden_urls
71
+ :ignored_versions, :forbidden_urls, :security_advisories
72
+
73
+ def filter_prereleases(possible_versions)
74
+ return possible_versions if wants_prerelease?
75
+
76
+ possible_versions.reject { |v| v.fetch(:version).prerelease? }
77
+ end
78
+
79
+ def filter_date_based_versions(possible_versions)
80
+ return possible_versions if wants_date_based_version?
81
+
82
+ possible_versions.
83
+ reject { |v| v.fetch(:version) > version_class.new(1900) }
84
+ end
85
+
86
+ def filter_version_types(possible_versions)
87
+ possible_versions.
88
+ select { |v| matches_dependency_version_type?(v.fetch(:version)) }
89
+ end
90
+
91
+ def filter_ignored_versions(possible_versions)
92
+ versions_array = possible_versions
93
+
94
+ ignored_versions.each do |req|
95
+ ignore_req = Maven::Requirement.new(req.split(","))
96
+ versions_array =
97
+ versions_array.
98
+ reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
99
+ end
100
+
101
+ versions_array
102
+ end
103
+
104
+ def filter_vulnerable_versions(possible_versions)
105
+ versions_array = possible_versions
106
+
107
+ security_advisories.each do |advisory|
108
+ versions_array =
109
+ versions_array.
110
+ reject { |v| advisory.vulnerable?(v.fetch(:version)) }
111
+ end
112
+
113
+ versions_array
114
+ end
115
+
116
+ def filter_lower_versions(possible_versions)
117
+ possible_versions.select do |v|
118
+ v.fetch(:version) > version_class.new(dependency.version)
119
+ end
120
+ end
76
121
 
77
122
  def wants_prerelease?
78
123
  return false unless dependency.version
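Review bot: `filter_lower_versions` calls `version_class.new(dependency.version)` with no nil guard, yet `wants_prerelease?` directly below it opens with `return false unless dependency.version`, so a dependency without a resolved version looks like a case this class expects; on that path `lowest_security_fix_version_details` would most likely raise from the version constructor instead of returning a result. A guard such as `return possible_versions unless dependency.version` at the top of the method keeps the lowest-fix lookup usable for such dependencies, since every candidate counts as higher than an unknown current version. Separately, the memoisation added to `released?` in the @@ -89 hunk stores the `false` returned by the `Excon::Error::Socket`/`Excon::Error::Timeout` rescue, so one transient network failure marks that version unreleased for the rest of the finder's lifetime; consider skipping the cache write when the rescue branch is taken, or at least documenting that trade-off on the method. `wants_prerelease?` continues past the end of this hunk.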
@@ -89,23 +134,27 @@ module Dependabot
89
134
  end
90
135
 
91
136
  def released?(version)
92
- repositories.any? do |repository_details|
93
- url = repository_details.fetch("url")
94
- response = Excon.get(
95
- dependency_files_url(url, version),
96
- user: repository_details.fetch("username"),
97
- password: repository_details.fetch("password"),
98
- idempotent: true,
99
- **SharedHelpers.excon_defaults
100
- )
101
-
102
- artifact_id = dependency.name.split(":").last
103
- type = dependency.requirements.first.
104
- dig(:metadata, :packaging_type)
105
- response.body.include?("#{artifact_id}-#{version}.#{type}")
106
- rescue Excon::Error::Socket, Excon::Error::Timeout
107
- false
108
- end
137
+ @released_check ||= {}
138
+ return @released_check[version] if @released_check.key?(version)
139
+
140
+ @released_check[version] =
141
+ repositories.any? do |repository_details|
142
+ url = repository_details.fetch("url")
143
+ response = Excon.get(
144
+ dependency_files_url(url, version),
145
+ user: repository_details.fetch("username"),
146
+ password: repository_details.fetch("password"),
147
+ idempotent: true,
148
+ **SharedHelpers.excon_defaults
149
+ )
150
+
151
+ artifact_id = dependency.name.split(":").last
152
+ type = dependency.requirements.first.
153
+ dig(:metadata, :packaging_type)
154
+ response.body.include?("#{artifact_id}-#{version}.#{type}")
155
+ rescue Excon::Error::Socket, Excon::Error::Timeout
156
+ false
157
+ end
109
158
  end
110
159
 
111
160
  def dependency_metadata(repository_details)
@@ -26,6 +26,12 @@ module Dependabot
26
26
  latest_version
27
27
  end
28
28
 
29
+ def lowest_resolvable_security_fix_version
30
+ return nil if version_comes_from_multi_dependency_property?
31
+
32
+ lowest_security_fix_version_details&.fetch(:version)
33
+ end
34
+
29
35
  def latest_resolvable_version_with_no_unlock
30
36
  # Irrelevant, since Maven has a single dependency file (the pom.xml).
31
37
  #
@@ -44,8 +50,8 @@ module Dependabot
44
50
 
45
51
  RequirementsUpdater.new(
46
52
  requirements: dependency.requirements,
47
- latest_version: latest_version&.to_s,
48
- source_url: latest_version_details&.fetch(:source_url),
53
+ latest_version: preferred_resolvable_version&.to_s,
54
+ source_url: preferred_version_details&.fetch(:source_url),
49
55
  properties_to_update: property_names
50
56
  ).updated_requirements
51
57
  end
@@ -89,17 +95,29 @@ module Dependabot
89
95
  super
90
96
  end
91
97
 
98
+ def preferred_version_details
99
+ return lowest_security_fix_version_details if vulnerable?
100
+
101
+ latest_version_details
102
+ end
103
+
92
104
  def latest_version_details
93
105
  @latest_version_details ||= version_finder.latest_version_details
94
106
  end
95
107
 
108
+ def lowest_security_fix_version_details
109
+ @lowest_security_fix_version_details ||=
110
+ version_finder.lowest_security_fix_version_details
111
+ end
112
+
96
113
  def version_finder
97
114
  @version_finder ||=
98
115
  VersionFinder.new(
99
116
  dependency: dependency,
100
117
  dependency_files: dependency_files,
101
118
  credentials: credentials,
102
- ignored_versions: ignored_versions
119
+ ignored_versions: ignored_versions,
120
+ security_advisories: security_advisories
103
121
  )
104
122
  end
105
123
 
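--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-maven
  version: !ruby/object:Gem::Version
- version: 0.100.2
+ version: 0.101.0
  platform: ruby
  authors:
  - Dependabot
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.100.2
+ version: 0.101.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.100.2
+ version: 0.101.0
  - !ruby/object:Gem::Dependency
  name: byebug
  requirement: !ruby/object:Gem::Requirement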