dependabot-maven 0.215.0 → 0.216.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 565c1abcfc97b2e7785967f04d732dbfa8136d668e843320df5ec7e8e1ddbdbf
-  data.tar.gz: 4042ef798a199b012305616a8a085e28c69ec24173449992333ac9541bdf00db
+  metadata.gz: 898d484d74c6be04f0a0f1287361309f9a3d7ef5f894b584025af9e22bd6f3e0
+  data.tar.gz: cf629e5c3da134a26e9db1cb12f89fa227d59f4876ac1210c01ecbd82adcfc34
 SHA512:
-  metadata.gz: 34dfd8dbe543e4a1521942cdc8a403d7dc0938cd1b0863c82a756e5cdcf810a700e4ac83b11f56de06fbf0874d347fba52533d186e11c951816b712fafa05b4a
-  data.tar.gz: f99a58593d3b2854380d88b82c7959611498a2cb55570b3635a28b5d33a7ffa854430e5fe91cb2fb3e0dcb63f67bcd9913d3ac8a277c976f7f992d3a61410cd9
+  metadata.gz: f0b15ce696fd8b01de8ef4d328d0d64872f3db4d7e0b785bd73276c23a83a1b68623e9450b9b85407173db0959050e93adff0b63b16c3d15e09ec7ba9a203ce9
+  data.tar.gz: 7064c5b7c0b887d9b4098b659e7671ca634aa3002403f4605a292bd64e53f7397004a016943c45f118c7afa5516ac2a9b8879ed88c94a3c2ecbff54691f21195

data/lib/dependabot/maven/file_fetcher.rb

@@ -11,7 +11,7 @@ module Dependabot
                         "profile > modules > module"
 
       def self.required_files_in?(filenames)
-        (%w(pom.xml) - filenames).empty?
+        filenames.include?("pom.xml")
       end
 
       def self.required_files_message
@@ -58,7 +58,7 @@ module Dependabot
       end
 
       def recursively_fetch_child_poms(pom, fetched_filenames:)
-        base_path = pom.name.gsub(/pom\.xml$/, "")
+        base_path = File.dirname(pom.name)
         doc = Nokogiri::XML(pom.content)
 
         doc.css(MODULE_SELECTOR).flat_map do |module_node|
@@ -66,7 +66,7 @@ module Dependabot
           name_parts = [
             base_path,
             relative_path,
-            relative_path.end_with?("pom.xml") ? nil : "pom.xml"
+            relative_path.end_with?(".xml") ? nil : "pom.xml"
           ].compact.reject(&:empty?)
           path = Pathname.new(File.join(*name_parts)).cleanpath.to_path
 
@@ -92,22 +92,18 @@ module Dependabot
       def recursively_fetch_relative_path_parents(pom, fetched_filenames:)
         path = parent_path_for_pom(pom)
 
-        if fetched_filenames.include?(path) ||
-           fetched_filenames.include?(path.gsub("pom.xml", "pom_parent.xml"))
-          return []
-        end
+        return [] if path.nil? || fetched_filenames.include?(path)
 
         full_path_parts =
           [directory.gsub(%r{^/}, ""), path].reject(&:empty?).compact
 
-        full_path = Pathname.new(File.join(*full_path_parts)).
-                    cleanpath.to_path
+        full_path = Pathname.new(File.join(*full_path_parts)).cleanpath.to_path
 
         return [] if full_path.start_with?("..")
 
         parent_pom = fetch_file_from_host(path)
-        parent_pom.support_file = true
-        parent_pom.name = parent_pom.name.gsub("pom.xml", "pom_parent.xml")
+
+        return [] unless fetched_pom_is_parent(pom, parent_pom)
 
         [
           parent_pom,
@@ -124,17 +120,41 @@ module Dependabot
         doc = Nokogiri::XML(pom.content)
         doc.remove_namespaces!
 
+        return unless doc.at_xpath("/project/parent")
+
         relative_parent_path =
           doc.at_xpath("/project/parent/relativePath")&.content&.strip || ".."
 
         name_parts = [
-          pom.name.gsub(/pom\.xml$/, "").gsub(/pom_parent\.xml$/, ""),
+          File.dirname(pom.name),
           relative_parent_path,
-          relative_parent_path.end_with?("pom.xml") ? nil : "pom.xml"
+          relative_parent_path.end_with?(".xml") ? nil : "pom.xml"
         ].compact.reject(&:empty?)
 
         Pathname.new(File.join(*name_parts)).cleanpath.to_path
       end
+
+      def fetched_pom_is_parent(pom, parent_pom)
+        pom_doc = Nokogiri::XML(pom.content).remove_namespaces!
+        pom_artifact_id, pom_group_id, pom_version = fetch_pom_unique_ids(pom_doc, true)
+
+        parent_doc = Nokogiri::XML(parent_pom.content).remove_namespaces!
+        parent_artifact_id, parent_group_id, parent_version = fetch_pom_unique_ids(parent_doc, false)
+
+        if parent_group_id.nil?
+          [parent_artifact_id, parent_version] == [pom_artifact_id, pom_version]
+        else
+          [parent_group_id, parent_artifact_id, parent_version] == [pom_group_id, pom_artifact_id, pom_version]
+        end
+      end
+
+      def fetch_pom_unique_ids(doc, check_parent_node)
+        parent = check_parent_node ? "/parent" : ""
+        group_id = doc.at_xpath("/project#{parent}/groupId")&.content&.strip
+        artifact_id = doc.at_xpath("/project#{parent}/artifactId")&.content&.strip
+        version = doc.at_xpath("/project#{parent}/version")&.content&.strip
+        [artifact_id, group_id, version]
+      end
     end
   end
 end

data/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -36,8 +36,8 @@ module Dependabot
             loop do
               candidate_node =
                 doc.at_xpath("/project/#{nm}") ||
-                doc.at_xpath("/project/properties/#{nm}") ||
-                doc.at_xpath("/project/profiles/profile/properties/#{nm}")
+                doc.at_xpath("/project/properties/#{property_name}") ||
+                doc.at_xpath("/project/profiles/profile/properties/#{property_name}")
               break candidate_node if candidate_node
               break unless nm.match?(DOT_SEPARATOR_REGEX)
 

data/lib/dependabot/maven/file_parser.rb

@@ -23,7 +23,8 @@ module Dependabot
       # - Any extensions
       DEPENDENCY_SELECTOR = "project > parent, " \
                             "dependencies > dependency, " \
-                            "extensions > extension"
+                            "extensions > extension, " \
+                            "annotationProcessorPaths > path"
       PLUGIN_SELECTOR     = "plugins > plugin"
       EXTENSION_SELECTOR  = "extensions > extension"
 
@@ -271,9 +272,10 @@ module Dependabot
       end
 
       def pomfiles
-        # NOTE: this (correctly) excludes any parent POMs that were downloaded
         @pomfiles ||=
-          dependency_files.select { |f| f.name.end_with?("pom.xml") }
+          dependency_files.select do |f|
+            f.name.end_with?(".xml") && !f.name.end_with?("extensions.xml")
+          end
       end
 
       def extensionfiles

data/lib/dependabot/maven/file_updater/declaration_finder.rb

@@ -11,7 +11,8 @@ module Dependabot
       class DeclarationFinder
         DECLARATION_REGEX =
           %r{<parent>.*?</parent>|<dependency>.*?</dependency>|
-             <plugin>.*?(?:<plugin>.*?</plugin>.*)?</plugin>|<extension>.*?</extension>}mx
+             <plugin>.*?(?:<plugin>.*?</plugin>.*)?</plugin>|<extension>.*?</extension>|
+             <path>.*?</path>}mx
 
         attr_reader :dependency, :declaring_requirement, :dependency_files
 

data/lib/dependabot/maven/file_updater.rb

@@ -13,6 +13,7 @@ module Dependabot
       def self.updated_files_regex
         [
           /^pom\.xml$/, %r{/pom\.xml$},
+          /.*\.xml$/, %r{/.*\.xml$},
           /^extensions.\.xml$/, %r{/extensions\.xml$}
         ]
       end
@@ -31,11 +32,10 @@ module Dependabot
           )
         end
 
-        updated_files.select! { |f| f.name.end_with?("pom.xml", "extensions.xml") }
+        updated_files.select! { |f| f.name.end_with?(".xml") }
         updated_files.reject! { |f| dependency_files.include?(f) }
 
         raise "No files changed!" if updated_files.none?
-        raise "Updated a supporting POM!" if updated_files.any? { |f| f.name.end_with?("pom_parent.xml") }
 
         updated_files
       end

data/lib/dependabot/maven/metadata_finder.rb

@@ -42,7 +42,7 @@ module Dependabot
           any? { |f| dependency_artifact_id.end_with?(f.name) }
       rescue Dependabot::BranchNotFound
         # If we are attempting to find a branch, we should fail over to the default branch and retry once only
-        if tmp_source.branch.present?
+        unless tmp_source.branch.to_s.empty?
           tmp_source.branch = nil
           retry
         end

data/lib/dependabot/maven/update_checker/version_finder.rb

@@ -58,7 +58,7 @@ module Dependabot
             repositories.map do |repository_details|
               url = repository_details.fetch("url")
               xml = dependency_metadata(repository_details)
-              next [] if xml.blank?
+              next [] if xml.nil?
 
               break xml.css("versions > version").
                 select { |node| version_class.correct?(node.content) }.

data/lib/dependabot/maven/update_checker.rb

@@ -68,8 +68,7 @@ module Dependabot
             property_details(property_name: prop_name, callsite_pom: pom)&.
             fetch(:file)
 
-          declaration_pom_name == "remote_pom.xml" ||
-            declaration_pom_name&.end_with?("pom_parent.xml")
+          declaration_pom_name == "remote_pom.xml"
         end
       end
 

data/lib/dependabot/maven/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # Java versions use dots and dashes when tokenising their versions.
 # Gem::Version converts a "-" to ".pre.", so we override the `to_s` method.
@@ -10,7 +10,7 @@ require "rubygems_version_patch"
 
 module Dependabot
   module Maven
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       NULL_VALUES = %w(0 final ga).freeze
       PREFIXED_TOKEN_HIERARCHY = {
         "." => { qualifier: 1, number: 4 },

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.215.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-07 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-Maven provides support for bumping Maven packages via Dependabot.
+  If you want support for multiple package managers, you probably want the meta-gem
+  dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -233,7 +234,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -249,8 +252,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
-summary: Maven support for dependabot
+summary: Provides Dependabot support for Maven
 test_files: []