dependabot-maven 0.260.0 → 0.261.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd1aa6991805042d7870dc15416495a231c94c19e8c8db4e9a8904a6c4a95b3c
-  data.tar.gz: 25a34c7980dde439e602abce3860fb3eb2a91e971c07b371f513d4bdf75b3bd9
+  metadata.gz: 973b81f3c154c6ea20606d75712191f44794b1478d65a0d6027aa1f2a4306683
+  data.tar.gz: 5c96139bca52f77cfeb503dfe93647bf8102f739f45546985e7d0d665a2dc65f
 SHA512:
-  metadata.gz: 5ed9dfc57e939eee0e6adf14187f98259c876b3d2fdcbc7ab78e654dbfa958f3e9e019df14b3fb0ec39691a488b107950f2ca9b0abe3e81a20ab4b03bfdd3071
-  data.tar.gz: 31d976e5043c8a1c1ab9b45591d0fb4191d1b2e1c622ec5edccdf82577d34d4eb7fcdc3f77ec62bcff44fd7328da482104d1e7b54affc9f633b1b4e5cdbdf38e
+  metadata.gz: ff8362d39560cbfeb5a125c9ca5e66b144ff2d9b57634772cbfae1ac0f605f482be2cd47fb832173fed70dcc042228b9d4293ac7847570f0b727a79634129333
+  data.tar.gz: c5b2020b805980394694390844f894bbf04dd863966c86588b621dc7f86f9b57bc03d0a0f4ac4d48a6963c356bf71a3d8647cfa906a8a8fbc6f2113f0a361299

data/lib/dependabot/maven/file_fetcher.rb

@@ -1,8 +1,9 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
 require "sorbet-runtime"
+
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 
@@ -15,10 +16,12 @@ module Dependabot
       MODULE_SELECTOR = "project > modules > module, " \
                         "profile > modules > module"
 
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
         filenames.include?("pom.xml")
       end
 
+      sig { override.returns(String) }
       def self.required_files_message
         "Repo must contain a pom.xml."
       end
@@ -35,20 +38,22 @@ module Dependabot
 
       private
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pom
-        @pom ||= fetch_file_from_host("pom.xml")
+        @pom ||= T.let(fetch_file_from_host("pom.xml"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def extensions
-        return @extensions if defined?(@extensions)
-
-        fetch_file_if_present(".mvn/extensions.xml")
+        @extensions ||= T.let(fetch_file_if_present(".mvn/extensions.xml"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def child_poms
-        recursively_fetch_child_poms(pom, fetched_filenames: ["pom.xml"])
+        recursively_fetch_child_poms(T.must(pom), fetched_filenames: ["pom.xml"])
       end
 
+      sig { params(fetched_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
       def relative_path_parents(fetched_files)
         fetched_files.flat_map do |file|
           recursively_fetch_relative_path_parents(
@@ -58,6 +63,10 @@ module Dependabot
         end
       end
 
+      sig do
+        params(pom: Dependabot::DependencyFile,
+               fetched_filenames: T::Array[String]).returns(T::Array[Dependabot::DependencyFile])
+      end
       def recursively_fetch_child_poms(pom, fetched_filenames:)
         base_path = File.dirname(pom.name)
         doc = Nokogiri::XML(pom.content)
@@ -69,7 +78,7 @@ module Dependabot
             relative_path,
             relative_path.end_with?(".xml") ? nil : "pom.xml"
           ].compact.reject(&:empty?)
-          path = Pathname.new(File.join(*name_parts)).cleanpath.to_path
+          path = Pathname.new(File.join(name_parts)).cleanpath.to_path
 
           next [] if fetched_filenames.include?(path)
 
@@ -84,12 +93,16 @@ module Dependabot
           fetched_filenames += [child_pom.name] + fetched_files.map(&:name)
           fetched_files
         rescue Dependabot::DependencyFileNotFound
-          raise unless fetch_file_from_host(path, fetch_submodules: true)
+          fetch_file_from_host(T.must(path), fetch_submodules: true)
 
           [] # Ignore any child submodules (since we can't update them)
         end
       end
 
+      sig do
+        params(pom: Dependabot::DependencyFile,
+               fetched_filenames: T::Array[String]).returns(T::Array[Dependabot::DependencyFile])
+      end
       def recursively_fetch_relative_path_parents(pom, fetched_filenames:)
         path = parent_path_for_pom(pom)
 
@@ -98,7 +111,7 @@ module Dependabot
         full_path_parts =
           [directory.gsub(%r{^/}, ""), path].reject(&:empty?).compact
 
-        full_path = Pathname.new(File.join(*full_path_parts)).cleanpath.to_path
+        full_path = Pathname.new(File.join(full_path_parts)).cleanpath.to_path
 
         return [] if full_path.start_with?("..")
 
@@ -117,6 +130,7 @@ module Dependabot
         []
       end
 
+      sig { params(pom: Dependabot::DependencyFile).returns(T.nilable(String)) }
       def parent_path_for_pom(pom)
         doc = Nokogiri::XML(pom.content)
         doc.remove_namespaces!
@@ -132,9 +146,10 @@ module Dependabot
           relative_parent_path.end_with?(".xml") ? nil : "pom.xml"
         ].compact.reject(&:empty?)
 
-        Pathname.new(File.join(*name_parts)).cleanpath.to_path
+        Pathname.new(File.join(name_parts)).cleanpath.to_path
       end
 
+      sig { params(pom: Dependabot::DependencyFile, parent_pom: Dependabot::DependencyFile).returns(T::Boolean) }
       def fetched_pom_is_parent(pom, parent_pom)
         pom_doc = Nokogiri::XML(pom.content).remove_namespaces!
         pom_artifact_id, pom_group_id, pom_version = fetch_pom_unique_ids(pom_doc, true)
@@ -149,6 +164,7 @@ module Dependabot
         end
       end
 
+      sig { params(doc: Nokogiri::XML::Document, check_parent_node: T::Boolean).returns(T::Array[T.nilable(String)]) }
       def fetch_pom_unique_ids(doc, check_parent_node)
         parent = check_parent_node ? "/parent" : ""
         group_id = doc.at_xpath("/project#{parent}/groupId")&.content&.strip

data/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "nokogiri"

data/lib/dependabot/maven/file_parser.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "nokogiri"
+require "sorbet-runtime"
 
 require "dependabot/dependency"
 require "dependabot/file_parsers"
@@ -46,7 +47,7 @@ module Dependabot
       def pomfile_dependencies(pom)
         dependency_set = DependencySet.new
 
-        errors = []
+        errors = T.let([], T::Array[Dependabot::DependencyFileNotEvaluatable])
         doc = Nokogiri::XML(pom.content)
         doc.remove_namespaces!
 
@@ -64,7 +65,7 @@ module Dependabot
           errors << e
         end
 
-        raise errors.first if errors.any? && dependency_set.dependencies.none?
+        raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
 
         dependency_set
       end
@@ -72,7 +73,7 @@ module Dependabot
       def extensionfile_dependencies(extension)
         dependency_set = DependencySet.new
 
-        errors = []
+        errors = T.let([], T::Array[Dependabot::DependencyFileNotEvaluatable])
         doc = Nokogiri::XML(extension.content)
         doc.remove_namespaces!
 
@@ -83,7 +84,7 @@ module Dependabot
           errors << e
         end
 
-        raise errors.first if errors.any? && dependency_set.dependencies.none?
+        raise T.must(errors.first) if errors.any? && dependency_set.dependencies.none?
 
         dependency_set
       end

data/lib/dependabot/maven/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -9,14 +9,17 @@ require "dependabot/maven/file_parser"
 require "dependabot/maven/file_parser/repositories_finder"
 require "dependabot/maven/utils/auth_headers_finder"
 require "dependabot/registry_client"
+require "sorbet-runtime"
 
 module Dependabot
   module Maven
     class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
       DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
 
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         tmp_source = look_up_source_in_pom(dependency_pom_file)
         return tmp_source if tmp_source
@@ -26,14 +29,15 @@ module Dependabot
         tmp_source = look_up_source_in_pom(parent)
         return unless tmp_source
 
-        return tmp_source if tmp_source.repo.end_with?(dependency_artifact_id)
+        return tmp_source if tmp_source.repo.end_with?(T.must(dependency_artifact_id))
 
         tmp_source if repo_has_subdir_for_dep?(tmp_source)
       end
 
+      sig { params(tmp_source: Dependabot::Source).returns(T::Boolean) }
       def repo_has_subdir_for_dep?(tmp_source)
-        @repo_has_subdir_for_dep ||= {}
-        return @repo_has_subdir_for_dep[tmp_source] if @repo_has_subdir_for_dep.key?(tmp_source)
+        @repo_has_subdir_for_dep ||= T.let({}, T.nilable(T::Hash[Dependabot::Source, T::Boolean]))
+        return T.must(@repo_has_subdir_for_dep[tmp_source]) if @repo_has_subdir_for_dep.key?(tmp_source)
 
         fetcher =
           Dependabot::Maven::FileFetcher.new(source: tmp_source, credentials: credentials)
@@ -41,18 +45,19 @@ module Dependabot
         @repo_has_subdir_for_dep[tmp_source] =
           fetcher.send(:repo_contents, raise_errors: false)
                  .select { |f| f.type == "dir" }
-                 .any? { |f| dependency_artifact_id.end_with?(f.name) }
+                 .any? { |f| T.must(dependency_artifact_id).end_with?(f.name) }
       rescue Dependabot::BranchNotFound
         # If we are attempting to find a branch, we should fail over to the default branch and retry once only
         unless tmp_source.branch.to_s.empty?
           tmp_source.branch = nil
           retry
         end
-        @repo_has_subdir_for_dep[tmp_source] = false
+        T.must(@repo_has_subdir_for_dep)[tmp_source] = false
       rescue Dependabot::RepoNotFound
-        @repo_has_subdir_for_dep[tmp_source] = false
+        T.must(@repo_has_subdir_for_dep)[tmp_source] = false
       end
 
+      sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
       def look_up_source_in_pom(pom)
         potential_source_urls = [
           pom.at_css("project > url")&.content,
@@ -67,15 +72,16 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      sig { params(source_url: T.nilable(String), pom: Nokogiri::XML::Document).returns(T.nilable(String)) }
       def substitute_properties_in_source_url(source_url, pom)
         return unless source_url
         return source_url unless source_url.include?("${")
 
         regex = Maven::FileParser::PROPERTY_REGEX
-        property_name = source_url.match(regex).named_captures["property"]
+        property_name = T.must(source_url.match(regex)).named_captures["property"]
         doc = pom.dup
         doc.remove_namespaces!
-        nm = property_name.sub(/^pom\./, "").sub(/^project\./, "")
+        nm = T.must(property_name).sub(/^pom\./, "").sub(/^project\./, "")
         property_value =
           loop do
             candidate_node =
@@ -92,6 +98,7 @@ module Dependabot
         substitute_properties_in_source_url(url, pom)
       end
 
+      sig { params(pom: T.any(String, Nokogiri::XML::Document)).returns(T.nilable(String)) }
       def source_from_anywhere_in_pom(pom)
         github_urls = []
         pom.to_s.scan(Source::SOURCE_REGEX) do
@@ -99,12 +106,15 @@ module Dependabot
         end
 
         github_urls.find do |url|
-          repo = Source.from_url(url).repo
-          repo.end_with?(dependency_artifact_id)
+          repo = T.must(Source.from_url(url)).repo
+          repo.end_with?(T.must(dependency_artifact_id))
         end
       end
 
+      sig { returns(Nokogiri::XML::Document) }
       def dependency_pom_file
+        @dependency_pom_file ||= T.let(nil, T.nilable(Nokogiri::XML::Document))
+
         return @dependency_pom_file unless @dependency_pom_file.nil?
 
         response = Dependabot::RegistryClient.get(
@@ -117,12 +127,14 @@ module Dependabot
         @dependency_pom_file = Nokogiri::XML("")
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_artifact_id
         _group_id, artifact_id = dependency.name.split(":")
 
         artifact_id
       end
 
+      sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Nokogiri::XML::Document)) }
       def parent_pom_file(pom)
         doc = pom.dup
         doc.remove_namespaces!
@@ -138,30 +150,37 @@ module Dependabot
               "#{artifact_id}-#{version}.pom"
 
         response = Dependabot::RegistryClient.get(
-          url: substitute_properties_in_source_url(url, pom),
+          url: T.must(substitute_properties_in_source_url(url, pom)),
           headers: auth_headers
         )
 
         Nokogiri::XML(response.body)
       end
 
+      sig { returns(String) }
       def maven_repo_url
         source = dependency.requirements
-                           .find { |r| r&.fetch(:source) }&.fetch(:source)
+                           .find { |r| r.fetch(:source) }&.fetch(:source)
 
         source&.fetch(:url, nil) ||
           source&.fetch("url") ||
-          Maven::FileParser::RepositoriesFinder.new(credentials: credentials).central_repo_url
+          Dependabot::Maven::FileParser::RepositoriesFinder.new(credentials: credentials,
+                                                                pom_fetcher: nil).central_repo_url
       end
 
+      sig { returns(String) }
       def maven_repo_dependency_url
         group_id, artifact_id = dependency.name.split(":")
 
-        "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
+        "#{maven_repo_url}/#{T.must(group_id).tr('.', '/')}/#{artifact_id}"
       end
 
+      sig { returns(T::Hash[String, String]) }
       def auth_headers
-        @auth_headers ||= Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url)
+        @auth_headers ||= T.let(
+          Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url),
+          T.nilable(T::Hash[String, String])
+        )
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.260.0
+  version: 0.261.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-06 00:00:00.000000000 Z
+date: 2024-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.260.0
+        version: 0.261.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.260.0
+        version: 0.261.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -264,7 +264,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.260.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.261.0
 post_install_message: 
 rdoc_options: []
 require_paths: