dependabot-maven 0.100.2 → 0.101.0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 27c69d7d84a08f4d94c75a949acc1b5bca08dd1f7901409bc2fd010cb564e079
|
4
|
+
data.tar.gz: 8de19800adf49d3a979e09b34c19e91fdd86469f3efc5a5aea454100b2f2d810
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ee3ae831be414918bb16d5ee59a73dd82498af645308a1e6a71364a91f775d362e8c7646dba24124cc06ad861e46db0695bea4798dbee8f83c1a119f16f46615
|
7
|
+
data.tar.gz: 6ffc68ba6d6ee390decdd92e9e462c6f4e7f2302bbd67f09928b31c73360cfdbd582034ff284902e40eebc27aa3ccc91b5c6002bd5d9927cd02556aae659d778
|
@@ -32,7 +32,8 @@ module Dependabot
|
|
32
32
|
dependency: dep,
|
33
33
|
dependency_files: dependency_files,
|
34
34
|
credentials: credentials,
|
35
|
-
ignored_versions: ignored_versions
|
35
|
+
ignored_versions: ignored_versions,
|
36
|
+
security_advisories: []
|
36
37
|
).versions.map { |v| v.fetch(:version) }
|
37
38
|
|
38
39
|
versions.include?(updated_version(dep)) || versions.none?
|
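Review bot: The new `security_advisories: []` argument in this VersionFinder call deserves a comment, because a reader will assume it deliberately disables vulnerability filtering for this caller. From the visible lines only `.versions` is consumed, and in the finder the advisories are used solely by `lowest_security_fix_version_details`, so the empty list appears to be a required-keyword placeholder rather than a policy choice. Suggest `# Advisories do not affect #versions; only the security-fix lookup uses them.` above the argument. The enclosing method starts and ends outside the hunk.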
@@ -14,41 +14,37 @@ module Dependabot
|
|
14
14
|
TYPE_SUFFICES = %w(jre android java).freeze
|
15
15
|
|
16
16
|
def initialize(dependency:, dependency_files:, credentials:,
|
17
|
-
ignored_versions:)
|
18
|
-
@dependency
|
19
|
-
@dependency_files
|
20
|
-
@credentials
|
21
|
-
@ignored_versions
|
22
|
-
@
|
17
|
+
ignored_versions:, security_advisories:)
|
18
|
+
@dependency = dependency
|
19
|
+
@dependency_files = dependency_files
|
20
|
+
@credentials = credentials
|
21
|
+
@ignored_versions = ignored_versions
|
22
|
+
@security_advisories = security_advisories
|
23
|
+
@forbidden_urls = []
|
23
24
|
end
|
24
25
|
|
25
26
|
def latest_version_details
|
26
27
|
possible_versions = versions
|
27
28
|
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
end
|
29
|
+
possible_versions = filter_prereleases(possible_versions)
|
30
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
31
|
+
possible_versions = filter_version_types(possible_versions)
|
32
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
33
33
|
|
34
|
-
|
35
|
-
|
36
|
-
possible_versions.
|
37
|
-
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
38
|
-
end
|
34
|
+
possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
|
35
|
+
end
|
39
36
|
|
40
|
-
|
41
|
-
|
42
|
-
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
37
|
+
def lowest_security_fix_version_details
|
38
|
+
possible_versions = versions
|
43
39
|
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
40
|
+
possible_versions = filter_prereleases(possible_versions)
|
41
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
42
|
+
possible_versions = filter_version_types(possible_versions)
|
43
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
44
|
+
possible_versions = filter_vulnerable_versions(possible_versions)
|
45
|
+
possible_versions = filter_lower_versions(possible_versions)
|
50
46
|
|
51
|
-
possible_versions.
|
47
|
+
possible_versions.find { |v| released?(v.fetch(:version)) }
|
52
48
|
end
|
53
49
|
|
54
50
|
def versions
|
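Review bot: `lowest_security_fix_version_details` is a new public method with no documentation of its return contract, and its nil case is easy to miss: after `filter_vulnerable_versions` and `filter_lower_versions` the `find` returns nil when no released, non-vulnerable version above the current one exists. A short header such as `# Lowest released version newer than the current one that no advisory marks vulnerable, or nil if none exists.` would make the nil result explicit for callers that chain `&.fetch(:version)`. Note also that `latest_version_details` scans from the newest candidate (`reverse.find`) while this method scans from the oldest, and each probe goes through `released?`, which performs a request per candidate.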
@@ -72,7 +68,56 @@ module Dependabot
|
|
72
68
|
private
|
73
69
|
|
74
70
|
attr_reader :dependency, :dependency_files, :credentials,
|
75
|
-
:ignored_versions, :forbidden_urls
|
71
|
+
:ignored_versions, :forbidden_urls, :security_advisories
|
72
|
+
|
73
|
+
def filter_prereleases(possible_versions)
|
74
|
+
return possible_versions if wants_prerelease?
|
75
|
+
|
76
|
+
possible_versions.reject { |v| v.fetch(:version).prerelease? }
|
77
|
+
end
|
78
|
+
|
79
|
+
def filter_date_based_versions(possible_versions)
|
80
|
+
return possible_versions if wants_date_based_version?
|
81
|
+
|
82
|
+
possible_versions.
|
83
|
+
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
84
|
+
end
|
85
|
+
|
86
|
+
def filter_version_types(possible_versions)
|
87
|
+
possible_versions.
|
88
|
+
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
89
|
+
end
|
90
|
+
|
91
|
+
def filter_ignored_versions(possible_versions)
|
92
|
+
versions_array = possible_versions
|
93
|
+
|
94
|
+
ignored_versions.each do |req|
|
95
|
+
ignore_req = Maven::Requirement.new(req.split(","))
|
96
|
+
versions_array =
|
97
|
+
versions_array.
|
98
|
+
reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
|
99
|
+
end
|
100
|
+
|
101
|
+
versions_array
|
102
|
+
end
|
103
|
+
|
104
|
+
def filter_vulnerable_versions(possible_versions)
|
105
|
+
versions_array = possible_versions
|
106
|
+
|
107
|
+
security_advisories.each do |advisory|
|
108
|
+
versions_array =
|
109
|
+
versions_array.
|
110
|
+
reject { |v| advisory.vulnerable?(v.fetch(:version)) }
|
111
|
+
end
|
112
|
+
|
113
|
+
versions_array
|
114
|
+
end
|
115
|
+
|
116
|
+
def filter_lower_versions(possible_versions)
|
117
|
+
possible_versions.select do |v|
|
118
|
+
v.fetch(:version) > version_class.new(dependency.version)
|
119
|
+
end
|
120
|
+
end
|
76
121
|
|
77
122
|
def wants_prerelease?
|
78
123
|
return false unless dependency.version
|
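Review bot: `filter_lower_versions` calls `version_class.new(dependency.version)` without guarding against a nil `dependency.version`, while the neighbouring `wants_prerelease?` (just below the hunk) treats nil as an expected case with `return false unless dependency.version`. Whether a nil argument raises depends on `version_class`, which is not visible here, but the inconsistency is worth closing with a guard such as `return possible_versions unless dependency.version` at the top of the method. The same `versions_array = ...; each ... reject` shape is duplicated in `filter_ignored_versions` and `filter_vulnerable_versions`; both would read more directly as a single `reject` with `ignored_versions.any? { ... }` / `security_advisories.any? { ... }`, though that is a style preference.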
@@ -89,23 +134,27 @@ module Dependabot
|
|
89
134
|
end
|
90
135
|
|
91
136
|
def released?(version)
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
137
|
+
@released_check ||= {}
|
138
|
+
return @released_check[version] if @released_check.key?(version)
|
139
|
+
|
140
|
+
@released_check[version] =
|
141
|
+
repositories.any? do |repository_details|
|
142
|
+
url = repository_details.fetch("url")
|
143
|
+
response = Excon.get(
|
144
|
+
dependency_files_url(url, version),
|
145
|
+
user: repository_details.fetch("username"),
|
146
|
+
password: repository_details.fetch("password"),
|
147
|
+
idempotent: true,
|
148
|
+
**SharedHelpers.excon_defaults
|
149
|
+
)
|
150
|
+
|
151
|
+
artifact_id = dependency.name.split(":").last
|
152
|
+
type = dependency.requirements.first.
|
153
|
+
dig(:metadata, :packaging_type)
|
154
|
+
response.body.include?("#{artifact_id}-#{version}.#{type}")
|
155
|
+
rescue Excon::Error::Socket, Excon::Error::Timeout
|
156
|
+
false
|
157
|
+
end
|
109
158
|
end
|
110
159
|
|
111
160
|
def dependency_metadata(repository_details)
|
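Review bot: The `released?` memoisation stores the result of the `any?` block even when every repository probe ended in the rescued `Excon::Error::Socket`/`Excon::Error::Timeout` branch, so a transient network failure is cached as a permanent "not released" for that version for the life of the finder, and since the callers use `find`, a single bad moment can silently shift the selected version. Consider tracking whether a rescue fired and skipping the `@released_check[version] =` assignment in that case, or caching only positive results. The check also inspects `response.body` without looking at the status, so an error page body is treated the same as a real listing; a `response.status == 200 &&` guard before the `include?` would make the intent explicit.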
@@ -26,6 +26,12 @@ module Dependabot
|
|
26
26
|
latest_version
|
27
27
|
end
|
28
28
|
|
29
|
+
def lowest_resolvable_security_fix_version
|
30
|
+
return nil if version_comes_from_multi_dependency_property?
|
31
|
+
|
32
|
+
lowest_security_fix_version_details&.fetch(:version)
|
33
|
+
end
|
34
|
+
|
29
35
|
def latest_resolvable_version_with_no_unlock
|
30
36
|
# Irrelevant, since Maven has a single dependency file (the pom.xml).
|
31
37
|
#
|
@@ -44,8 +50,8 @@ module Dependabot
|
|
44
50
|
|
45
51
|
RequirementsUpdater.new(
|
46
52
|
requirements: dependency.requirements,
|
47
|
-
latest_version:
|
48
|
-
source_url:
|
53
|
+
latest_version: preferred_resolvable_version&.to_s,
|
54
|
+
source_url: preferred_version_details&.fetch(:source_url),
|
49
55
|
properties_to_update: property_names
|
50
56
|
).updated_requirements
|
51
57
|
end
|
@@ -89,17 +95,29 @@ module Dependabot
|
|
89
95
|
super
|
90
96
|
end
|
91
97
|
|
98
|
+
def preferred_version_details
|
99
|
+
return lowest_security_fix_version_details if vulnerable?
|
100
|
+
|
101
|
+
latest_version_details
|
102
|
+
end
|
103
|
+
|
92
104
|
def latest_version_details
|
93
105
|
@latest_version_details ||= version_finder.latest_version_details
|
94
106
|
end
|
95
107
|
|
108
|
+
def lowest_security_fix_version_details
|
109
|
+
@lowest_security_fix_version_details ||=
|
110
|
+
version_finder.lowest_security_fix_version_details
|
111
|
+
end
|
112
|
+
|
96
113
|
def version_finder
|
97
114
|
@version_finder ||=
|
98
115
|
VersionFinder.new(
|
99
116
|
dependency: dependency,
|
100
117
|
dependency_files: dependency_files,
|
101
118
|
credentials: credentials,
|
102
|
-
ignored_versions: ignored_versions
|
119
|
+
ignored_versions: ignored_versions,
|
120
|
+
security_advisories: security_advisories
|
103
121
|
)
|
104
122
|
end
|
105
123
|
|
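Review bot: `@lowest_security_fix_version_details ||= version_finder.lowest_security_fix_version_details` does not memoise a nil result, and nil is the normal outcome when no fix version exists, so the finder's filter pipeline is re-run on every call (the finder's own `released?` cache limits, but does not remove, the repeated work). A guard of the form `return @lowest_security_fix_version_details if defined?(@lowest_security_fix_version_details)` before the assignment preserves the nil. `preferred_version_details` also returns nil when `vulnerable?` is true but no fix is found, so `latest_version:` and `source_url:` in the RequirementsUpdater call become nil rather than falling back to the latest version; if that is intended, a one-line comment saying so would help, and `vulnerable?` is defined outside this hunk so I cannot confirm its semantics.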
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-maven
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.101.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.101.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.101.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|