dependabot-maven 0.100.2 → 0.101.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 27c69d7d84a08f4d94c75a949acc1b5bca08dd1f7901409bc2fd010cb564e079
|
|
4
|
+
data.tar.gz: 8de19800adf49d3a979e09b34c19e91fdd86469f3efc5a5aea454100b2f2d810
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ee3ae831be414918bb16d5ee59a73dd82498af645308a1e6a71364a91f775d362e8c7646dba24124cc06ad861e46db0695bea4798dbee8f83c1a119f16f46615
|
|
7
|
+
data.tar.gz: 6ffc68ba6d6ee390decdd92e9e462c6f4e7f2302bbd67f09928b31c73360cfdbd582034ff284902e40eebc27aa3ccc91b5c6002bd5d9927cd02556aae659d778
|
|
@@ -32,7 +32,8 @@ module Dependabot
|
|
|
32
32
|
dependency: dep,
|
|
33
33
|
dependency_files: dependency_files,
|
|
34
34
|
credentials: credentials,
|
|
35
|
-
ignored_versions: ignored_versions
|
|
35
|
+
ignored_versions: ignored_versions,
|
|
36
|
+
security_advisories: []
|
|
36
37
|
).versions.map { |v| v.fetch(:version) }
|
|
37
38
|
|
|
38
39
|
versions.include?(updated_version(dep)) || versions.none?
|
|
@@ -14,41 +14,37 @@ module Dependabot
|
|
|
14
14
|
TYPE_SUFFICES = %w(jre android java).freeze
|
|
15
15
|
|
|
16
16
|
def initialize(dependency:, dependency_files:, credentials:,
|
|
17
|
-
ignored_versions:)
|
|
18
|
-
@dependency
|
|
19
|
-
@dependency_files
|
|
20
|
-
@credentials
|
|
21
|
-
@ignored_versions
|
|
22
|
-
@
|
|
17
|
+
ignored_versions:, security_advisories:)
|
|
18
|
+
@dependency = dependency
|
|
19
|
+
@dependency_files = dependency_files
|
|
20
|
+
@credentials = credentials
|
|
21
|
+
@ignored_versions = ignored_versions
|
|
22
|
+
@security_advisories = security_advisories
|
|
23
|
+
@forbidden_urls = []
|
|
23
24
|
end
|
|
24
25
|
|
|
25
26
|
def latest_version_details
|
|
26
27
|
possible_versions = versions
|
|
27
28
|
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
end
|
|
29
|
+
possible_versions = filter_prereleases(possible_versions)
|
|
30
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
|
31
|
+
possible_versions = filter_version_types(possible_versions)
|
|
32
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
|
33
33
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
possible_versions.
|
|
37
|
-
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
|
38
|
-
end
|
|
34
|
+
possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
|
|
35
|
+
end
|
|
39
36
|
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
|
37
|
+
def lowest_security_fix_version_details
|
|
38
|
+
possible_versions = versions
|
|
43
39
|
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
40
|
+
possible_versions = filter_prereleases(possible_versions)
|
|
41
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
|
42
|
+
possible_versions = filter_version_types(possible_versions)
|
|
43
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
|
44
|
+
possible_versions = filter_vulnerable_versions(possible_versions)
|
|
45
|
+
possible_versions = filter_lower_versions(possible_versions)
|
|
50
46
|
|
|
51
|
-
possible_versions.
|
|
47
|
+
possible_versions.find { |v| released?(v.fetch(:version)) }
|
|
52
48
|
end
|
|
53
49
|
|
|
54
50
|
def versions
|
|
@@ -72,7 +68,56 @@ module Dependabot
|
|
|
72
68
|
private
|
|
73
69
|
|
|
74
70
|
attr_reader :dependency, :dependency_files, :credentials,
|
|
75
|
-
:ignored_versions, :forbidden_urls
|
|
71
|
+
:ignored_versions, :forbidden_urls, :security_advisories
|
|
72
|
+
|
|
73
|
+
def filter_prereleases(possible_versions)
|
|
74
|
+
return possible_versions if wants_prerelease?
|
|
75
|
+
|
|
76
|
+
possible_versions.reject { |v| v.fetch(:version).prerelease? }
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def filter_date_based_versions(possible_versions)
|
|
80
|
+
return possible_versions if wants_date_based_version?
|
|
81
|
+
|
|
82
|
+
possible_versions.
|
|
83
|
+
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
def filter_version_types(possible_versions)
|
|
87
|
+
possible_versions.
|
|
88
|
+
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
|
89
|
+
end
|
|
90
|
+
|
|
91
|
+
def filter_ignored_versions(possible_versions)
|
|
92
|
+
versions_array = possible_versions
|
|
93
|
+
|
|
94
|
+
ignored_versions.each do |req|
|
|
95
|
+
ignore_req = Maven::Requirement.new(req.split(","))
|
|
96
|
+
versions_array =
|
|
97
|
+
versions_array.
|
|
98
|
+
reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
versions_array
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
def filter_vulnerable_versions(possible_versions)
|
|
105
|
+
versions_array = possible_versions
|
|
106
|
+
|
|
107
|
+
security_advisories.each do |advisory|
|
|
108
|
+
versions_array =
|
|
109
|
+
versions_array.
|
|
110
|
+
reject { |v| advisory.vulnerable?(v.fetch(:version)) }
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
versions_array
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
def filter_lower_versions(possible_versions)
|
|
117
|
+
possible_versions.select do |v|
|
|
118
|
+
v.fetch(:version) > version_class.new(dependency.version)
|
|
119
|
+
end
|
|
120
|
+
end
|
|
76
121
|
|
|
77
122
|
def wants_prerelease?
|
|
78
123
|
return false unless dependency.version
|
|
@@ -89,23 +134,27 @@ module Dependabot
|
|
|
89
134
|
end
|
|
90
135
|
|
|
91
136
|
def released?(version)
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
137
|
+
@released_check ||= {}
|
|
138
|
+
return @released_check[version] if @released_check.key?(version)
|
|
139
|
+
|
|
140
|
+
@released_check[version] =
|
|
141
|
+
repositories.any? do |repository_details|
|
|
142
|
+
url = repository_details.fetch("url")
|
|
143
|
+
response = Excon.get(
|
|
144
|
+
dependency_files_url(url, version),
|
|
145
|
+
user: repository_details.fetch("username"),
|
|
146
|
+
password: repository_details.fetch("password"),
|
|
147
|
+
idempotent: true,
|
|
148
|
+
**SharedHelpers.excon_defaults
|
|
149
|
+
)
|
|
150
|
+
|
|
151
|
+
artifact_id = dependency.name.split(":").last
|
|
152
|
+
type = dependency.requirements.first.
|
|
153
|
+
dig(:metadata, :packaging_type)
|
|
154
|
+
response.body.include?("#{artifact_id}-#{version}.#{type}")
|
|
155
|
+
rescue Excon::Error::Socket, Excon::Error::Timeout
|
|
156
|
+
false
|
|
157
|
+
end
|
|
109
158
|
end
|
|
110
159
|
|
|
111
160
|
def dependency_metadata(repository_details)
|
|
@@ -26,6 +26,12 @@ module Dependabot
|
|
|
26
26
|
latest_version
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
+
def lowest_resolvable_security_fix_version
|
|
30
|
+
return nil if version_comes_from_multi_dependency_property?
|
|
31
|
+
|
|
32
|
+
lowest_security_fix_version_details&.fetch(:version)
|
|
33
|
+
end
|
|
34
|
+
|
|
29
35
|
def latest_resolvable_version_with_no_unlock
|
|
30
36
|
# Irrelevant, since Maven has a single dependency file (the pom.xml).
|
|
31
37
|
#
|
|
@@ -44,8 +50,8 @@ module Dependabot
|
|
|
44
50
|
|
|
45
51
|
RequirementsUpdater.new(
|
|
46
52
|
requirements: dependency.requirements,
|
|
47
|
-
latest_version:
|
|
48
|
-
source_url:
|
|
53
|
+
latest_version: preferred_resolvable_version&.to_s,
|
|
54
|
+
source_url: preferred_version_details&.fetch(:source_url),
|
|
49
55
|
properties_to_update: property_names
|
|
50
56
|
).updated_requirements
|
|
51
57
|
end
|
|
@@ -89,17 +95,29 @@ module Dependabot
|
|
|
89
95
|
super
|
|
90
96
|
end
|
|
91
97
|
|
|
98
|
+
def preferred_version_details
|
|
99
|
+
return lowest_security_fix_version_details if vulnerable?
|
|
100
|
+
|
|
101
|
+
latest_version_details
|
|
102
|
+
end
|
|
103
|
+
|
|
92
104
|
def latest_version_details
|
|
93
105
|
@latest_version_details ||= version_finder.latest_version_details
|
|
94
106
|
end
|
|
95
107
|
|
|
108
|
+
def lowest_security_fix_version_details
|
|
109
|
+
@lowest_security_fix_version_details ||=
|
|
110
|
+
version_finder.lowest_security_fix_version_details
|
|
111
|
+
end
|
|
112
|
+
|
|
96
113
|
def version_finder
|
|
97
114
|
@version_finder ||=
|
|
98
115
|
VersionFinder.new(
|
|
99
116
|
dependency: dependency,
|
|
100
117
|
dependency_files: dependency_files,
|
|
101
118
|
credentials: credentials,
|
|
102
|
-
ignored_versions: ignored_versions
|
|
119
|
+
ignored_versions: ignored_versions,
|
|
120
|
+
security_advisories: security_advisories
|
|
103
121
|
)
|
|
104
122
|
end
|
|
105
123
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-maven
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.101.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.101.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.101.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|