dependabot-maven 0.85.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: c70fcdd9db80bcb5c781271979123b194482cef46189bd23e833408e2becc307
+  data.tar.gz: 5befedbb46de560a815ce47ee3fba871a48017a0b6a17714bdd2fd1f0191cf5c
+SHA512:
+  metadata.gz: 55f03fced39293f82040504860e05a342c8cc334495d5ffd9865d7c8e3e0a858b3e9c9368cfb340a911ed17634e2b1a2f45edc2a6aee09cb3e714b89ee8bb095
+  data.tar.gz: e7e1a8793c35b0f8f44bfcedd310367cea396c60002939798394e94fc56fa7da17f91ef260f8503fa18a721324cf0c00e14def849ed0002b0d5575b03fd01adf

data/lib/dependabot/maven/file_fetcher.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Maven
+    class FileFetcher < Dependabot::FileFetchers::Base
+      MODULE_SELECTOR = "project > modules > module"
+
+      def self.required_files_in?(filenames)
+        (%w(pom.xml) - filenames).empty?
+      end
+
+      def self.required_files_message
+        "Repo must contain a pom.xml."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files << pom
+        fetched_files += child_poms
+        fetched_files += relative_path_parents(fetched_files)
+        fetched_files.uniq
+      end
+
+      def pom
+        @pom ||= fetch_file_from_host("pom.xml")
+      end
+
+      def child_poms
+        recursively_fetch_child_poms(pom, fetched_filenames: ["pom.xml"])
+      end
+
+      def relative_path_parents(fetched_files)
+        fetched_files.flat_map do |file|
+          recursively_fetch_relative_path_parents(
+            file,
+            fetched_filenames: fetched_files.map(&:name)
+          )
+        end
+      end
+
+      def recursively_fetch_child_poms(pom, fetched_filenames:)
+        base_path = pom.name.gsub(/pom\.xml$/, "")
+        doc = Nokogiri::XML(pom.content)
+
+        doc.css(MODULE_SELECTOR).flat_map do |module_node|
+          relative_path = module_node.content.strip
+          name_parts = [
+            base_path,
+            relative_path,
+            relative_path.end_with?("pom.xml") ? nil : "pom.xml"
+          ].compact.reject(&:empty?)
+          path = Pathname.new(File.join(*name_parts)).cleanpath.to_path
+
+          next [] if fetched_filenames.include?(path)
+
+          child_pom = fetch_file_from_host(path)
+          fetched_filenames += [child_pom.name]
+          [
+            child_pom,
+            recursively_fetch_child_poms(
+              child_pom,
+              fetched_filenames: fetched_filenames
+            )
+          ].flatten
+        rescue Dependabot::DependencyFileNotFound
+          raise unless fetch_file_from_host_or_submodule(path)
+
+          [] # Ignore any child submodules (since we can't update them)
+        end
+      end
+
+      def recursively_fetch_relative_path_parents(pom, fetched_filenames:)
+        path = parent_path_for_pom(pom)
+
+        if fetched_filenames.include?(path) ||
+           fetched_filenames.include?(path.gsub("pom.xml", "pom_parent.xml"))
+          return []
+        end
+
+        full_path_parts =
+          [directory.gsub(%r{^/}, ""), path].reject(&:empty?).compact
+
+        full_path = Pathname.new(File.join(*full_path_parts)).
+                    cleanpath.to_path
+
+        return [] if full_path.start_with?("..")
+
+        parent_pom = fetch_file_from_host(path)
+        parent_pom.support_file = true
+        parent_pom.name = parent_pom.name.gsub("pom.xml", "pom_parent.xml")
+
+        [
+          parent_pom,
+          recursively_fetch_relative_path_parents(
+            parent_pom,
+            fetched_filenames: fetched_filenames + [parent_pom.name]
+          )
+        ].flatten
+      rescue Dependabot::DependencyFileNotFound
+        []
+      end
+
+      def parent_path_for_pom(pom)
+        doc = Nokogiri::XML(pom.content)
+        doc.remove_namespaces!
+
+        relative_parent_path =
+          doc.at_xpath("/project/parent/relativePath")&.content&.strip || ".."
+
+        name_parts = [
+          pom.name.gsub(/pom\.xml$/, "").gsub(/pom_parent\.xml$/, ""),
+          relative_parent_path,
+          relative_parent_path.end_with?("pom.xml") ? nil : "pom.xml"
+        ].compact.reject(&:empty?)
+
+        Pathname.new(File.join(*name_parts)).cleanpath.to_path
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("maven", Dependabot::Maven::FileFetcher)

data/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency_file"
+require "dependabot/maven/file_parser"
+require "dependabot/shared_helpers"
+
+# For documentation, see:
+# - http://maven.apache.org/guides/introduction/introduction-to-the-pom.html
+# - http://maven.apache.org/pom.html#Properties
+module Dependabot
+  module Maven
+    class FileParser
+      class PropertyValueFinder
+        require_relative "repositories_finder"
+
+        DOT_SEPARATOR_REGEX = %r{\.(?:(?!\d+[.\/])+)}.freeze
+
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def property_details(property_name:, callsite_pom:)
+          pom = callsite_pom
+          doc = Nokogiri::XML(pom.content)
+          doc.remove_namespaces!
+
+          # Loop through the paths that would satisfy this property name,
+          # looking for one that exists in this POM
+          nm = sanitize_property_name(property_name)
+          node =
+            loop do
+              candidate_node =
+                doc.at_xpath("/project/#{nm}") ||
+                doc.at_xpath("/project/properties/#{nm}") ||
+                doc.at_xpath("/project/profiles/profile/properties/#{nm}")
+              break candidate_node if candidate_node
+              break unless nm.match?(DOT_SEPARATOR_REGEX)
+
+              nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
+            end
+
+          # If we found a property, return it
+          if node
+            return { file: pom.name, node: node, value: node.content.strip }
+          end
+
+          # Otherwise, look for a value in this pom's parent
+          return unless (parent = parent_pom(pom))
+
+          property_details(
+            property_name: property_name,
+            callsite_pom: parent
+          )
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def internal_dependency_poms
+          return @internal_dependency_poms if @internal_dependency_poms
+
+          @internal_dependency_poms = {}
+          dependency_files.each do |pom|
+            doc = Nokogiri::XML(pom.content)
+            group_id    = doc.at_css("project > groupId") ||
+                          doc.at_css("project > parent > groupId")
+            artifact_id = doc.at_css("project > artifactId")
+
+            next unless group_id && artifact_id
+
+            dependency_name = [
+              group_id.content.strip,
+              artifact_id.content.strip
+            ].join(":")
+
+            @internal_dependency_poms[dependency_name] = pom
+          end
+
+          @internal_dependency_poms
+        end
+
+        def sanitize_property_name(property_name)
+          property_name.sub(/^pom\./, "").sub(/^project\./, "")
+        end
+
+        def parent_pom(pom)
+          doc = Nokogiri::XML(pom.content)
+          doc.remove_namespaces!
+          group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
+          artifact_id =
+            doc.at_xpath("/project/parent/artifactId")&.content&.strip
+          version = doc.at_xpath("/project/parent/version")&.content&.strip
+
+          return unless group_id && artifact_id
+
+          name = [group_id, artifact_id].join(":")
+
+          if internal_dependency_poms[name]
+            return internal_dependency_poms[name]
+          end
+
+          return unless version && !version.include?(",")
+
+          fetch_remote_parent_pom(group_id, artifact_id, version, pom)
+        end
+
+        def parent_repository_urls(pom)
+          repositories_finder.repository_urls(
+            pom: pom,
+            exclude_inherited: true
+          )
+        end
+
+        def repositories_finder
+          @repositories_finder ||=
+            RepositoriesFinder.new(
+              dependency_files: dependency_files,
+              evaluate_properties: false
+            )
+        end
+
+        def fetch_remote_parent_pom(group_id, artifact_id, version, pom)
+          parent_repository_urls(pom).each do |base_url|
+            url = remote_pom_url(group_id, artifact_id, version, base_url)
+
+            @maven_responses ||= {}
+            @maven_responses[url] ||= Excon.get(
+              url,
+              idempotent: true,
+              **SharedHelpers.excon_defaults
+            )
+            next unless @maven_responses[url].status == 200
+            next unless pom?(@maven_responses[url].body)
+
+            dependency_file = DependencyFile.new(
+              name: "remote_pom.xml",
+              content: @maven_responses[url].body
+            )
+
+            return dependency_file
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            nil
+          end
+
+          # If a parent POM couldn't be found, return `nil`
+          nil
+        end
+
+        def remote_pom_url(group_id, artifact_id, version, base_repo_url)
+          "#{base_repo_url}/"\
+          "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/"\
+          "#{artifact_id}-#{version}.pom"
+        end
+
+        def pom?(content)
+          !Nokogiri::XML(content).at_css("project > artifactId").nil?
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency_file"
+require "dependabot/maven/file_parser"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+# For documentation, see:
+# - http://maven.apache.org/pom.html#Repositories
+# - http://maven.apache.org/guides/mini/guide-multiple-repositories.html
+module Dependabot
+  module Maven
+    class FileParser
+      class RepositoriesFinder
+        require_relative "property_value_finder"
+        # In theory we should check the artifact type and either look in
+        # <repositories> or <pluginRepositories>. In practice it's unlikely
+        # anyone makes this distinction.
+        REPOSITORY_SELECTOR = "repositories > repository, "\
+                              "pluginRepositories > pluginRepository"
+
+        # The Central Repository is included in the Super POM, which is
+        # always inherited from.
+        CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
+
+        def initialize(dependency_files:, evaluate_properties: true)
+          @dependency_files = dependency_files
+
+          # We need the option not to evaluate properties so as not to have a
+          # circular dependency between this class and the PropertyValueFinder
+          # class
+          @evaluate_properties = evaluate_properties
+        end
+
+        # Collect all repository URLs from this POM and its parents
+        def repository_urls(pom:, exclude_inherited: false)
+          repo_urls_in_pom =
+            Nokogiri::XML(pom.content).
+            css(REPOSITORY_SELECTOR).
+            map { |node| node.at_css("url").content.strip.gsub(%r{/$}, "") }.
+            reject { |url| contains_property?(url) && !evaluate_properties? }.
+            select { |url| url.start_with?("http") }.
+            map { |url| evaluated_value(url, pom) }
+
+          return repo_urls_in_pom + [CENTRAL_REPO_URL] if exclude_inherited
+
+          unless (parent = parent_pom(pom, repo_urls_in_pom))
+            return repo_urls_in_pom + [CENTRAL_REPO_URL]
+          end
+
+          repo_urls_in_pom + repository_urls(pom: parent)
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def evaluate_properties?
+          @evaluate_properties
+        end
+
+        def parent_pom(pom, repo_urls)
+          doc = Nokogiri::XML(pom.content)
+          doc.remove_namespaces!
+          group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
+          artifact_id =
+            doc.at_xpath("/project/parent/artifactId")&.content&.strip
+          version = doc.at_xpath("/project/parent/version")&.content&.strip
+
+          return unless group_id && artifact_id
+
+          name = [group_id, artifact_id].join(":")
+
+          if internal_dependency_poms[name]
+            return internal_dependency_poms[name]
+          end
+
+          return unless version && !version.include?(",")
+
+          fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
+        end
+
+        def internal_dependency_poms
+          return @internal_dependency_poms if @internal_dependency_poms
+
+          @internal_dependency_poms = {}
+          dependency_files.each do |pom|
+            doc = Nokogiri::XML(pom.content)
+            group_id    = doc.at_css("project > groupId") ||
+                          doc.at_css("project > parent > groupId")
+            artifact_id = doc.at_css("project > artifactId")
+
+            next unless group_id && artifact_id
+
+            dependency_name = [
+              group_id.content.strip,
+              artifact_id.content.strip
+            ].join(":")
+
+            @internal_dependency_poms[dependency_name] = pom
+          end
+
+          @internal_dependency_poms
+        end
+
+        def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
+          (repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
+            url = remote_pom_url(group_id, artifact_id, version, base_url)
+
+            @maven_responses ||= {}
+            @maven_responses[url] ||= Excon.get(
+              url,
+              idempotent: true,
+              **SharedHelpers.excon_defaults
+            )
+            next unless @maven_responses[url].status == 200
+            next unless pom?(@maven_responses[url].body)
+
+            dependency_file = DependencyFile.new(
+              name: "remote_pom.xml",
+              content: @maven_responses[url].body
+            )
+
+            return dependency_file
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            nil
+          end
+
+          # If a parent POM couldn't be found, return `nil`
+          nil
+        end
+
+        def remote_pom_url(group_id, artifact_id, version, base_repo_url)
+          "#{base_repo_url}/"\
+          "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/"\
+          "#{artifact_id}-#{version}.pom"
+        end
+
+        def contains_property?(value)
+          value.match?(property_regex)
+        end
+
+        def evaluated_value(value, pom)
+          return value unless contains_property?(value)
+
+          property_name = value.match(property_regex).
+                          named_captures.fetch("property")
+          property_value = value_for_property(property_name, pom)
+
+          value.gsub(property_regex, property_value)
+        end
+
+        def value_for_property(property_name, pom)
+          value =
+            property_value_finder.
+            property_details(
+              property_name: property_name,
+              callsite_pom: pom
+            )&.fetch(:value)
+
+          return value if value
+
+          msg = "Property not found: #{property_name}"
+          raise DependencyFileNotEvaluatable, msg
+        end
+
+        # Cached, since this can makes calls to the registry (to get property
+        # values from parent POMs)
+        def property_value_finder
+          @property_value_finder ||=
+            PropertyValueFinder.new(dependency_files: dependency_files)
+        end
+
+        def property_regex
+          Maven::FileParser::PROPERTY_REGEX
+        end
+
+        def pom?(content)
+          !Nokogiri::XML(content).at_css("project > artifactId").nil?
+        end
+      end
+    end
+  end
+end