dependabot-opentofu 0.348.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d100ee54c94dcd801baea1e63e4a3bdc79a81744757674885810aff4863f4b65
+  data.tar.gz: c9ad465d66e7943109c75de15eadc0e751e6cda4c20448208c0e23451f72eba6
+SHA512:
+  metadata.gz: 5373dce4cf40f3ac59d92e11b95191d6576375e658f09add64d38b06ccdb84cd8b4fd259deb2986b46f088ccfaeb81f173550428818b0d8d21d0b9bdef489105
+  data.tar.gz: 1059dd9d73a32bfd5c93cdd7d272b3137e230738f4cceed2976c3433a929c0260f385cab22d6ee3a0c47d853702387c1c975921b5c0a2de655328f8b6729116d

data/helpers/build

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
+  echo "Unable to build, DEPENDABOT_NATIVE_HELPERS_PATH is not set"
+  exit 1
+fi
+
+install_dir="$DEPENDABOT_NATIVE_HELPERS_PATH/opentofu"
+
+if [ ! -d "$install_dir/bin" ]; then
+  mkdir -p "$install_dir/bin"
+fi
+
+os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+
+hcl2json_checksum="8da5a86b3caff977067c62dd190bfdf296842191b0282c7e3a7019d6cf0f6657"
+hcl2json_url="https://github.com/tmccombs/hcl2json/releases/download/v0.6.4/hcl2json_${os}_amd64"
+hcl2json_path="$install_dir/bin/hcl2json"
+curl -sSLfo "$hcl2json_path" "$hcl2json_url"
+echo "$hcl2json_checksum  $hcl2json_path" | sha256sum -c
+chmod +x "$install_dir/bin/hcl2json"

data/lib/dependabot/opentofu/file_fetcher.rb

@@ -0,0 +1,130 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "dependabot/opentofu/file_selector"
+require "dependabot/file_filtering"
+
+module Dependabot
+  module Opentofu
+    class FileFetcher < Dependabot::FileFetchers::Base
+      extend T::Sig
+      extend T::Helpers
+
+      include FileFilter
+
+      # https://opentofu.org/docs/language/modules/sources/#local-paths
+      LOCAL_PATH_SOURCE = %r{source\s*=\s*['"](?<path>..?\/[^'"]+)}
+
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
+      def self.required_files_in?(filenames)
+        filenames.any? { |f| f.end_with?(".tf", ".tofu", ".hcl") }
+      end
+
+      sig { override.returns(String) }
+      def self.required_files_message
+        "Repo must contain a OpenTofu configuration file."
+      end
+
+      sig { override.returns(T::Array[DependencyFile]) }
+      def fetch_files
+        unless allow_beta_ecosystems?
+          raise Dependabot::DependencyFileNotFound.new(
+            nil,
+            "OpenTofu support is currently in beta. Set ALLOW_BETA_ECOSYSTEMS=true to enable it."
+          )
+        end
+        fetched_files = []
+        fetched_files += opentofu_files
+        fetched_files += terragrunt_files
+        fetched_files += local_path_module_files(opentofu_files)
+        fetched_files += [lockfile] if lockfile
+
+        filtered_files = fetched_files.compact.reject do |file|
+          Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
+        end
+
+        filtered_files
+      end
+
+      private
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def opentofu_files
+        @opentofu_files ||= T.let(
+          repo_contents(raise_errors: false)
+          .select { |f| f.type == "file" && f.name.end_with?(".tf", ".tofu") }
+          .map { |f| fetch_file_from_host(f.name) },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def terragrunt_files
+        @terragrunt_files ||= T.let(
+          repo_contents(raise_errors: false)
+          .select { |f| f.type == "file" && terragrunt_file?(f.name) }
+          .map { |f| fetch_file_from_host(f.name) },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig do
+        params(
+          files: T::Array[Dependabot::DependencyFile],
+          dir: String
+        )
+          .returns(T::Array[Dependabot::DependencyFile])
+      end
+      def local_path_module_files(files, dir: ".")
+        opentofu_files = T.let([], T::Array[Dependabot::DependencyFile])
+
+        files.each do |file|
+          opentofu_file_local_module_details(file).each do |path|
+            base_path = Pathname.new(File.join(dir, path)).cleanpath.to_path
+
+            # Skip excluded local module paths
+            if Dependabot::FileFiltering.should_exclude_path?(base_path, "local path module directory", @exclude_paths)
+              next
+            end
+
+            nested_opentofu_files =
+              repo_contents(dir: base_path)
+              .select { |f| f.type == "file" && f.name.end_with?(".tf", ".tofu") }
+              .map { |f| fetch_file_from_host(File.join(base_path, f.name)) }
+            opentofu_files += nested_opentofu_files
+            opentofu_files += local_path_module_files(nested_opentofu_files, dir: path)
+          end
+        end
+
+        # NOTE: The `support_file` attribute is not used but we set this to
+        # match what we do in other ecosystems
+        opentofu_files.tap { |fs| fs.each { |f| f.support_file = true } }
+      end
+
+      sig { params(file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def opentofu_file_local_module_details(file)
+        return [] unless file.name.end_with?(".tf", ".tofu")
+        return [] unless file.content&.match?(LOCAL_PATH_SOURCE)
+
+        T.must(file.content).scan(LOCAL_PATH_SOURCE).flatten.map do |path|
+          Pathname.new(path).cleanpath.to_path
+        end
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def lockfile
+        @lockfile ||= T.let(
+          fetch_file_if_present(".terraform.lock.hcl"),
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers
+  .register("opentofu", Dependabot::Opentofu::FileFetcher)

data/lib/dependabot/opentofu/file_filter.rb

@@ -0,0 +1,24 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Opentofu
+    module FileFilter
+      extend T::Sig
+
+      private
+
+      sig { params(file_name: String).returns(T::Boolean) }
+      def terragrunt_file?(file_name)
+        !lockfile?(file_name) && file_name.end_with?(".hcl")
+      end
+
+      sig { params(filename: String).returns(T::Boolean) }
+      def lockfile?(filename)
+        filename == ".terraform.lock.hcl"
+      end
+    end
+  end
+end

data/lib/dependabot/opentofu/file_parser.rb

@@ -0,0 +1,483 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "cgi"
+require "excon"
+require "nokogiri"
+require "open3"
+require "digest"
+require "sorbet-runtime"
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/git_commit_checker"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/opentofu/file_selector"
+require "dependabot/opentofu/registry_client"
+require "dependabot/opentofu/package_manager"
+
+module Dependabot
+  module Opentofu
+    class FileParser < Dependabot::FileParsers::Base
+      extend T::Sig
+
+      require "dependabot/file_parsers/base/dependency_set"
+
+      include FileSelector
+
+      DEFAULT_REGISTRY = "registry.opentofu.org"
+      DEFAULT_NAMESPACE = "hashicorp"
+      # https://opentofu.org/docs/language/providers/requirements/#source-addresses
+      PROVIDER_SOURCE_ADDRESS = %r{\A((?<hostname>.+)/)?(?<namespace>.+)/(?<name>.+)\z}
+
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def parse
+        dependency_set = DependencySet.new
+
+        parse_opentofu_files(dependency_set)
+
+        parse_terragrunt_files(dependency_set)
+
+        dependency_set.dependencies.sort_by(&:name)
+      end
+
+      sig { returns(Ecosystem) }
+      def ecosystem
+        @ecosystem ||= T.let(
+          begin
+            Ecosystem.new(
+              name: ECOSYSTEM,
+              package_manager: package_manager
+            )
+          end,
+          T.nilable(Dependabot::Ecosystem)
+        )
+      end
+
+      private
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
+      def parse_opentofu_files(dependency_set)
+        opentofu_files.each do |file|
+          next if file.support_file?
+
+          modules = parsed_file(file).fetch("module", {})
+          # If override.tf files are present, we need to merge the modules
+          if override_opentofu_files.any?
+            override_opentofu_files.each do |override_file|
+              override_modules = parsed_file(override_file).fetch("module", {})
+              modules = merge_modules(override_modules, modules)
+            end
+          end
+
+          modules.each do |name, details|
+            details = details.first
+
+            source = source_from(details)
+            # Cannot update local path modules, skip
+            next if source && source[:type] == "path"
+
+            # Cannot update modules using early evaluation yet
+            if T.must(source)[:type] == "interpolation"
+              Dependabot.logger.warn(
+                "Cannot parse module source name with early evaluation for #{name} in #{file.name}."
+              )
+              next
+            end
+
+            dependency_set << build_opentofu_dependency(file, name, T.must(source), details)
+          end
+
+          parsed_file(file).fetch("terraform", []).each do |opentofu|
+            required_providers = opentofu.fetch("required_providers", {})
+            required_providers.each do |provider|
+              provider.each do |name, details|
+                dependency_set << build_provider_dependency(file, name, details)
+              end
+            end
+          end
+        end
+      end
+
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
+      def parse_terragrunt_files(dependency_set)
+        terragrunt_files.each do |file|
+          modules = parsed_file(file).fetch("terraform", [])
+          modules.each do |details|
+            next unless details["source"]
+
+            source = source_from(details)
+            # Cannot update nil (interpolation sources) or local path modules, skip
+            next if source.nil? || source[:type] == "path"
+
+            dependency_set << build_terragrunt_dependency(file, source)
+          end
+        end
+      end
+
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          name: String,
+          source: T::Hash[Symbol, T.untyped],
+          details: T.untyped
+        )
+          .returns(Dependabot::Dependency)
+      end
+      def build_opentofu_dependency(file, name, source, details)
+        # dep_name should be unique for a source, using the info derived from
+        # the source or the source name provides this uniqueness
+        dep_name = case source[:type]
+                   when "registry" then source[:module_identifier]
+                   when "provider" then details["source"]
+                   when "git" then git_dependency_name(name, source)
+                   else name
+                   end
+        version_req = details["version"]&.strip
+        version =
+          if source[:type] == "git" then version_from_ref(source[:ref])
+          elsif version_req&.match?(/^\d/) then version_req
+          end
+
+        Dependency.new(
+          name: dep_name,
+          version: version,
+          package_manager: "opentofu",
+          requirements: [
+            requirement: version_req,
+            groups: [],
+            file: file.name,
+            source: source
+          ]
+        )
+      end
+
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          name: String,
+          details: T.any(String, T::Hash[String, T.untyped])
+        )
+          .returns(Dependabot::Dependency)
+      end
+      def build_provider_dependency(file, name, details = {})
+        deprecated_provider_error(file) if deprecated_provider?(details)
+
+        source_address = T.cast(details, T::Hash[String, T.untyped]).fetch("source", nil)
+        version_req = details["version"]&.strip
+        hostname, namespace, name = provider_source_from(source_address, name)
+        dependency_name = source_address ? "#{namespace}/#{name}" : name
+
+        Dependency.new(
+          name: T.must(dependency_name),
+          version: determine_version_for(T.must(hostname), T.must(namespace), T.must(name), version_req),
+          package_manager: "opentofu",
+          requirements: [
+            requirement: version_req,
+            groups: [],
+            file: file.name,
+            source: {
+              type: "provider",
+              registry_hostname: hostname,
+              module_identifier: "#{namespace}/#{name}"
+            }
+          ]
+        )
+      end
+
+      sig { params(file: Dependabot::DependencyFile).returns(T.noreturn) }
+      def deprecated_provider_error(file)
+        raise Dependabot::DependencyFileNotParseable.new(
+          file.path,
+          "This provider syntax is now deprecated.\n" \
+          "See https://opentofu.org/docs/language/providers/requirements/" \
+          "for the supported provider syntax."
+        )
+      end
+
+      sig { params(details: Object).returns(T::Boolean) }
+      def deprecated_provider?(details)
+        # The old syntax for terraform providers v0.12- looked like
+        # "tls ~> 2.1" which gets parsed as a string instead of a hash
+        details.is_a?(String)
+      end
+
+      sig { params(file: Dependabot::DependencyFile, source: T::Hash[Symbol, String]).returns(Dependabot::Dependency) }
+      def build_terragrunt_dependency(file, source)
+        dep_name = Source.from_url(source[:url]) ? T.must(Source.from_url(source[:url])).repo : source[:url]
+        version = version_from_ref(source[:ref])
+
+        Dependency.new(
+          name: T.must(dep_name),
+          version: version,
+          package_manager: "opentofu",
+          requirements: [
+            requirement: nil,
+            groups: [],
+            file: file.name,
+            source: source
+          ]
+        )
+      end
+
+      # Full docs at https://opentofu.org/docs/language/modules/sources/
+      sig { params(details_hash: T::Hash[String, String]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      def source_from(details_hash)
+        raw_source = details_hash.fetch("source")
+        bare_source = RegistryClient.get_proxied_source(raw_source)
+        source_type = source_type(bare_source)
+
+        source_details =
+          case source_type
+          # TODO: add support for OCI Registries https://opentofu.org/docs/cli/oci_registries/
+          when :http_archive, :path, :mercurial, :s3
+            { type: source_type.to_s, url: bare_source }
+          when :github, :bitbucket, :git
+            git_source_details_from(bare_source)
+          when :registry
+            registry_source_details_from(bare_source)
+          when :interpolation
+            { type: source_type.to_s, name: bare_source }
+          end
+
+        T.must(source_details)[:proxy_url] = raw_source if raw_source != bare_source
+        source_details
+      end
+
+      sig { params(source_address: T.nilable(String), name: String).returns(T::Array[String]) }
+      def provider_source_from(source_address, name)
+        matches = source_address&.match(PROVIDER_SOURCE_ADDRESS)
+        matches = {} if matches.nil?
+
+        [
+          matches[:hostname] || DEFAULT_REGISTRY,
+          matches[:namespace] || DEFAULT_NAMESPACE,
+          matches[:name] || name
+        ]
+      end
+
+      sig { params(source_string: T.untyped).returns(T::Hash[Symbol, String]) }
+      def registry_source_details_from(source_string)
+        parts = source_string.split("//").first.split("/")
+
+        if parts.count == 3
+          {
+            type: "registry",
+            registry_hostname: "registry.opentofu.org",
+            module_identifier: source_string.split("//").first
+          }
+        elsif parts.count == 4
+          {
+            type: "registry",
+            registry_hostname: parts.first,
+            module_identifier: parts[1..3].join("/")
+          }
+        else
+          msg = "Invalid registry source specified: '#{source_string}'"
+          raise DependencyFileNotEvaluatable, msg
+        end
+      end
+
+      sig { params(name: String, source: T::Hash[Symbol, T.untyped]).returns(String) }
+      def git_dependency_name(name, source)
+        git_source = Source.from_url(source[:url])
+        if git_source && source[:ref]
+          name + "::" + git_source.provider + "::" + git_source.repo + "::" + source[:ref]
+        elsif git_source
+          name + "::" + git_source.provider + "::" + git_source.repo
+        elsif source[:ref]
+          name + "::git_provider::repo_name/git_repo(" \
+          + Digest::SHA1.hexdigest(source[:url]) + ")::" + source[:ref]
+        else
+          name + "::git_provider::repo_name/git_repo(" + Digest::SHA1.hexdigest(source[:url]) + ")"
+        end
+      end
+
+      sig { params(source_string: String).returns(T::Hash[Symbol, T.nilable(String)]) }
+      def git_source_details_from(source_string)
+        git_url = source_string.strip.gsub(/^git::/, "")
+        git_url = "https://" + git_url unless git_url.start_with?("git@") || git_url.include?("://")
+
+        bare_uri =
+          if git_url.include?("git@")
+            T.must(git_url.split("git@").last).sub(":", "/")
+          else
+            git_url.sub(%r{(?:\w{3,5})?://}, "")
+          end
+
+        querystr = URI.parse("https://" + bare_uri).query
+        git_url = git_url.gsub("?#{querystr}", "").split(%r{(?<!:)//}).first
+
+        {
+          type: "git",
+          url: git_url,
+          branch: nil,
+          ref: CGI.parse(querystr.to_s)["ref"].first&.split(%r{(?<!:)//})&.first
+        }
+      end
+
+      sig { params(ref: T.nilable(String)).returns(T.nilable(String)) }
+      def version_from_ref(ref)
+        version_regex = GitCommitChecker::VERSION_REGEX
+        return unless ref&.match?(version_regex)
+
+        ref.match(version_regex)&.named_captures&.fetch("version")
+      end
+
+      # rubocop:disable Metrics/CyclomaticComplexity
+      sig { params(source_string: String).returns(Symbol) }
+      def source_type(source_string)
+        # TODO: add support for OCI Registries https://opentofu.org/docs/cli/oci_registries/
+        return :interpolation if source_string.include?("${")
+        return :path if source_string.start_with?(".")
+        return :github if source_string.start_with?("github.com/")
+        return :bitbucket if source_string.start_with?("bitbucket.org/")
+        return :git if source_string.start_with?("git::", "git@")
+        return :mercurial if source_string.start_with?("hg::")
+        return :s3 if source_string.start_with?("s3::")
+
+        raise "Unknown src: #{source_string}" if source_string.split("/").first&.include?("::")
+
+        return :registry unless source_string.start_with?("http")
+
+        path_uri = URI.parse(T.must(source_string.split(%r{(?<!:)//}).first))
+        query_uri = URI.parse(source_string)
+        return :http_archive if RegistryClient::ARCHIVE_EXTENSIONS.any? { |ext| path_uri.path&.end_with?(ext) }
+        return :http_archive if query_uri.query&.include?("archive=")
+
+        raise "HTTP source, but not an archive!"
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      # == Returns:
+      # A Hash representing each module found in the specified file
+      #
+      # E.g.
+      # {
+      #   "module" => {
+      #     {
+      #       "consul" => [
+      #         {
+      #           "source"=>"consul/aws",
+      #           "version"=>"0.1.0"
+      #         }
+      #       ]
+      #     }
+      #   },
+      #   "terragrunt"=>[
+      #     {
+      #       "include"=>[{ "path"=>"${find_in_parent_folders()}" }],
+      #       "terraform"=>[{ "source" => "git::git@github.com:gruntwork-io/modules-example.git//consul?ref=v0.0.2" }]
+      #     }
+      #   ],
+      # }
+      sig { params(file: Dependabot::DependencyFile).returns(T::Hash[String, T.untyped]) }
+      def parsed_file(file)
+        @parsed_buildfile ||= T.let({}, T.nilable(T::Hash[String, T.untyped]))
+        @parsed_buildfile[file.name] ||= SharedHelpers.in_a_temporary_directory do
+          File.write("tmp.tf", file.content)
+
+          command = "#{opentofu_hcl2_parser_path} < tmp.tf"
+          start = Time.now
+          stdout, stderr, process = Open3.capture3(command)
+          time_taken = Time.now - start
+
+          unless process.success?
+            raise SharedHelpers::HelperSubprocessFailed.new(
+              message: stderr,
+              error_context: {
+                command: command,
+                time_taken: time_taken,
+                process_exit_value: process.to_s
+              }
+            )
+          end
+
+          JSON.parse(stdout)
+        end
+      rescue SharedHelpers::HelperSubprocessFailed => e
+        msg = e.message.strip
+        raise Dependabot::DependencyFileNotParseable.new(file.path, msg)
+      end
+
+      sig { returns(String) }
+      def opentofu_parser_path
+        helper_bin_dir = File.join(native_helpers_root, "opentofu/bin")
+        Pathname.new(File.join(helper_bin_dir, "json2hcl")).cleanpath.to_path
+      end
+
+      sig { returns(String) }
+      def opentofu_hcl2_parser_path
+        helper_bin_dir = File.join(native_helpers_root, "opentofu/bin")
+        Pathname.new(File.join(helper_bin_dir, "hcl2json")).cleanpath.to_path
+      end
+
+      sig { returns(String) }
+      def native_helpers_root
+        default_path = File.join(__dir__, "../../../helpers/install-dir")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+
+      sig { override.void }
+      def check_required_files
+        return if [*opentofu_files, *terragrunt_files].any?
+
+        raise "No OpenTofu configuration file!"
+      end
+
+      sig do
+        params(
+          hostname: String,
+          namespace: String,
+          name: String,
+          constraint: T.nilable(String)
+        )
+          .returns(T.nilable(String))
+      end
+      def determine_version_for(hostname, namespace, name, constraint)
+        return constraint if constraint&.match?(/\A\d/)
+
+        lockfile_content
+          .dig("provider", "#{hostname}/#{namespace}/#{name}", 0, "version")
+      end
+
+      sig { returns(T::Hash[String, T.untyped]) }
+      def lockfile_content
+        @lockfile_content ||= T.let(
+          begin
+            lockfile = dependency_files.find do |file|
+              file.name == ".terraform.lock.hcl"
+            end
+            lockfile ? parsed_file(lockfile) : {}
+          end,
+          T.nilable(T::Hash[String, T.untyped])
+        )
+      end
+
+      sig { returns(Ecosystem::VersionManager) }
+      def package_manager
+        @package_manager ||= T.let(
+          PackageManager.new(T.must(opentofu_version)),
+          T.nilable(Dependabot::Opentofu::PackageManager)
+        )
+      end
+
+      sig { returns(T.nilable(String)) }
+      def opentofu_version
+        @opentofu_version ||= T.let(
+          begin
+            version = SharedHelpers.run_shell_command("tofu --version")
+            version.match(Dependabot::Ecosystem::VersionManager::DEFAULT_VERSION_PATTERN)&.captures&.first
+          end,
+          T.nilable(String)
+        )
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers
+  .register("opentofu", Dependabot::Opentofu::FileParser)