dependabot-sbt 0.377.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9eafbe53d441a9d8b07914410bf4dc22012c56e3dc2cf3b57908c6024da99c27
+  data.tar.gz: a308cafa02b00033ad80af59a511fa44b30748052fc230aa9a74ec93e86b3d85
+SHA512:
+  metadata.gz: 543b3691a28a571bf6cdfdf53af5e4fcf517190f51481944a8e62ecfab0218a30511ed16f7363851ca138e6ef047ba8bf17f41217ac51f6390e9ebfba94b5698
+  data.tar.gz: c2e1ee2eaf7055654ff518174718ee4f3a1afadea6724a69e0adff2d77453cfddf19452abdfcfef4ad858e478867bef303d9cbcac5c231ae8d7e759c826ea019

data/lib/dependabot/sbt/file_fetcher.rb

@@ -0,0 +1,121 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "dependabot/file_filtering"
+
+module Dependabot
+  module Sbt
+    class FileFetcher < Dependabot::FileFetchers::Base
+      extend T::Sig
+      extend T::Helpers
+
+      BUILD_SBT_FILENAME = "build.sbt"
+      PLUGINS_SBT_FILENAME = "project/plugins.sbt"
+      BUILD_PROPERTIES_FILENAME = "project/build.properties"
+      # Directories that are part of the SBT build structure, not subprojects
+      NON_SUBPROJECT_DIRS = T.let(%w(project target .git .github).freeze, T::Array[String])
+
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
+      def self.required_files_in?(filenames)
+        filenames.any? { |name| name.end_with?(BUILD_SBT_FILENAME) }
+      end
+
+      sig { override.returns(String) }
+      def self.required_files_message
+        "Repo must contain a build.sbt file."
+      end
+
+      sig { override.returns(T::Array[DependencyFile]) }
+      def fetch_files
+        unless allow_beta_ecosystems?
+          raise Dependabot::DependencyFileNotFound.new(
+            nil,
+            "Sbt support is currently in beta. Enable the beta ecosystems experiment to use it " \
+            "(for example, run bin/dry-run.rb --enable-beta-ecosystems)."
+          )
+        end
+
+        fetched_files = T.let([], T::Array[DependencyFile])
+
+        fetched_files << build_sbt
+        fetched_files << T.must(plugins_sbt) if plugins_sbt
+        fetched_files << T.must(build_properties) if build_properties
+        fetched_files += subproject_build_files
+        fetched_files += project_scala_files
+
+        fetched_files.reject do |file|
+          Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
+        end
+      end
+
+      sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      def ecosystem_versions
+        return nil unless build_properties
+
+        sbt_version = parse_sbt_version(T.must(build_properties).content)
+        return nil unless sbt_version
+
+        {
+          package_managers: {
+            "sbt" => sbt_version
+          }
+        }
+      end
+
+      private
+
+      sig { returns(DependencyFile) }
+      def build_sbt
+        @build_sbt ||= T.let(fetch_file_from_host(BUILD_SBT_FILENAME), T.nilable(DependencyFile))
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def plugins_sbt
+        @plugins_sbt ||= T.let(fetch_file_if_present(PLUGINS_SBT_FILENAME), T.nilable(DependencyFile))
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def build_properties
+        @build_properties ||= T.let(fetch_file_if_present(BUILD_PROPERTIES_FILENAME), T.nilable(DependencyFile))
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def subproject_build_files
+        repo_contents(raise_errors: false)
+          .select { |item| item.type == "dir" }
+          .reject { |dir| NON_SUBPROJECT_DIRS.include?(dir.name) }
+          .reject { |dir| Dependabot::FileFiltering.should_exclude_path?(dir.name, "subproject directory", @exclude_paths) }
+          .filter_map { |dir| fetch_file_if_present(File.join(dir.name, BUILD_SBT_FILENAME)) }
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def project_scala_files
+        project_dir_contents = repo_contents(dir: "project", raise_errors: false)
+        project_dir_contents
+          .select { |item| item.type == "file" && item.name.end_with?(".scala") }
+          .filter_map { |item| fetch_file_if_present(File.join("project", item.name)) }
+      end
+
+      sig { params(content: T.nilable(String)).returns(T.nilable(String)) }
+      def parse_sbt_version(content)
+        return nil unless content
+
+        content.each_line do |line|
+          line = line.strip
+          next if line.empty? || line.start_with?("#", "!")
+
+          match = line.match(/\Asbt\.version\s*=\s*(.+)\z/)
+          return match[1]&.strip if match
+        end
+
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("sbt", Dependabot::Sbt::FileFetcher)

data/lib/dependabot/sbt/file_parser/property_value_finder.rb

@@ -0,0 +1,179 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/sbt/file_parser"
+
+module Dependabot
+  module Sbt
+    class FileParser < Dependabot::FileParsers::Base
+      class PropertyValueFinder
+        extend T::Sig
+
+        # Matches: val someVersion = "1.2.3"
+        # Also:   val someVersion: String = "1.2.3"
+        # Also:   lazy val someVersion = "1.2.3"
+        VAL_DECLARATION_REGEX = T.let(
+          /(?:^|\s)(?:lazy\s+)?val\s+(?<name>\w+)(?:\s*:\s*String)?\s*=\s*"(?<value>[^"]+)"/,
+          Regexp
+        )
+
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
+        def initialize(dependency_files:)
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @properties = T.let({}, T::Hash[String, T::Hash[String, T::Hash[Symbol, String]]])
+        end
+
+        sig do
+          params(property_name: String, callsite_buildfile: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[Symbol, String]))
+        end
+        def property_details(property_name:, callsite_buildfile:)
+          # Handle dotted references like "V.scalafixVersion" by looking up the member name
+          if property_name.include?(".")
+            return dotted_property_details(property_name: property_name, callsite_buildfile: callsite_buildfile)
+          end
+
+          # Look in the callsite file first, then fall back to the root build.sbt,
+          # then check project/*.scala build definition files
+          all_files = [callsite_buildfile, top_level_buildfile].compact
+          all_files += project_scala_files
+          all_files.uniq!
+          all_files.each do |file|
+            details = properties(file).fetch(property_name, nil)
+            return details if details
+          end
+          nil
+        end
+
+        sig { params(property_name: String, callsite_buildfile: Dependabot::DependencyFile).returns(T.nilable(String)) }
+        def property_value(property_name:, callsite_buildfile:)
+          property_details(
+            property_name: property_name,
+            callsite_buildfile: callsite_buildfile
+          )&.fetch(:value)
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        # Resolves dotted property references like "Versions.catsVersion" or "V.scala212".
+        # Searches for `val <member> = "..."` inside `object <ObjectName> { ... }` blocks
+        # across all dependency files.
+        sig do
+          params(property_name: String, callsite_buildfile: Dependabot::DependencyFile)
+            .returns(T.nilable(T::Hash[Symbol, String]))
+        end
+        def dotted_property_details(property_name:, callsite_buildfile:)
+          parts = property_name.split(".")
+          return nil unless parts.length == 2
+
+          object_name = T.must(parts.first)
+          member_name = T.must(parts.last)
+
+          # Resolve val aliases (e.g. "val V = BuildInfo" means V.x should look in object BuildInfo)
+          resolved_names = resolve_object_aliases(object_name, callsite_buildfile)
+
+          all_files = [callsite_buildfile, top_level_buildfile].compact
+          all_files += project_scala_files
+          all_files.uniq!
+
+          resolved_names.each do |resolved_name|
+            all_files.each do |file|
+              content = prepared_content(file)
+              object_regex = /object\s+#{Regexp.quote(resolved_name)}\b[^{]*\{(?<body>[^}]*)\}/m
+              content.scan(object_regex) do
+                body = T.must(Regexp.last_match).named_captures.fetch("body")
+                member_regex = /(?:^|\s)(?:lazy\s+)?val\s+#{Regexp.quote(member_name)}/
+                member_value_regex = /#{member_regex}(?:\s*:\s*String)?\s*=\s*"(?<value>[^"]+)"/
+                member_match = body&.match(member_value_regex)
+                next unless member_match
+
+                declaration_string = member_match.to_s.strip
+                return {
+                  value: T.must(member_match[:value]),
+                  declaration_string: declaration_string,
+                  file: file.name
+                }
+              end
+            end
+          end
+
+          nil
+        end
+
+        # Resolves val aliases like "val V = BuildInfo" → returns ["V", "BuildInfo"]
+        # so that dotted references like V.member can look in object BuildInfo.
+        sig { params(name: String, callsite_buildfile: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def resolve_object_aliases(name, callsite_buildfile)
+          names = [name]
+
+          all_files = [callsite_buildfile, top_level_buildfile].compact
+          all_files += project_scala_files
+          all_files.uniq!
+
+          all_files.each do |file|
+            prepared_content(file).scan(/(?:^|\s)(?:lazy\s+)?val\s+#{Regexp.quote(name)}\s*=\s*(?<target>[A-Z]\w*)/) do
+              target = T.must(Regexp.last_match).named_captures.fetch("target")
+              names << T.must(target) unless names.include?(target)
+            end
+          end
+
+          names
+        end
+
+        sig { params(buildfile: Dependabot::DependencyFile).returns(T::Hash[String, T::Hash[Symbol, String]]) }
+        def properties(buildfile)
+          @properties[buildfile.name] ||= fetch_val_declarations(buildfile)
+        end
+
+        sig { params(buildfile: Dependabot::DependencyFile).returns(T::Hash[String, T::Hash[Symbol, String]]) }
+        def fetch_val_declarations(buildfile)
+          props = T.let({}, T::Hash[String, T::Hash[Symbol, String]])
+
+          prepared_content(buildfile).scan(VAL_DECLARATION_REGEX) do
+            captures = T.must(Regexp.last_match).named_captures
+            name = T.must(captures.fetch("name"))
+            value = T.must(captures.fetch("value"))
+
+            unless props.key?(name)
+              props[name] = {
+                value: value,
+                declaration_string: Regexp.last_match.to_s.strip,
+                file: buildfile.name
+              }
+            end
+          end
+
+          props
+        end
+
+        sig { params(buildfile: Dependabot::DependencyFile).returns(String) }
+        def prepared_content(buildfile)
+          T.must(buildfile.content)
+           .gsub(%r{(?<=^|\s)//.*$}, "\n")
+           .gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
+        end
+
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
+        def top_level_buildfile
+          @top_level_buildfile ||= T.let(
+            dependency_files.find { |f| f.name == "build.sbt" },
+            T.nilable(Dependabot::DependencyFile)
+          )
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def project_scala_files
+          @project_scala_files ||= T.let(
+            dependency_files.select { |f| f.name.end_with?(".scala") && f.name.start_with?("project/") },
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/sbt/file_parser/repositories_finder.rb

@@ -0,0 +1,141 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/sbt/file_parser"
+
+module Dependabot
+  module Sbt
+    class FileParser < Dependabot::FileParsers::Base
+      class RepositoriesFinder
+        extend T::Sig
+
+        CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
+
+        # Matches: resolvers += "Name" at "https://url"
+        RESOLVER_AT_REGEX = T.let(
+          /resolvers\s*\+?=\s*(?:Seq\s*\()?\s*"[^"]*"\s+at\s+"(?<url>[^"]+)"/,
+          Regexp
+        )
+
+        # Matches: resolvers ++= Seq("Name" at "url", ...)
+        RESOLVER_SEQ_AT_REGEX = T.let(
+          /"[^"]*"\s+at\s+"(?<url>[^"]+)"/,
+          Regexp
+        )
+
+        # Matches: Resolver.url("name", url("https://url"))
+        RESOLVER_URL_REGEX = T.let(
+          /Resolver\.url\(\s*"[^"]*"\s*,\s*url\(\s*"(?<url>[^"]+)"\s*\)/,
+          Regexp
+        )
+
+        # Matches: MavenRepository("name", "https://url")
+        MAVEN_REPOSITORY_REGEX = T.let(
+          /MavenRepository\(\s*"[^"]*"\s*,\s*"(?<url>[^"]+)"\s*\)/,
+          Regexp
+        )
+
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependency_files:, credentials: [])
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
+        end
+
+        sig { returns(T::Array[String]) }
+        def repository_urls
+          urls = T.let([], T::Array[String])
+
+          sbt_files.each do |file|
+            urls += repository_urls_from(file)
+          end
+
+          # SBT always includes Maven Central as a default resolver.
+          # Custom resolvers supplement but don't replace it.
+          urls << central_repo_url unless urls.include?(central_repo_url)
+
+          urls.uniq
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { params(buildfile: Dependabot::DependencyFile).returns(T::Array[String]) }
+        def repository_urls_from(buildfile)
+          content = comment_free_content(buildfile)
+
+          urls = [RESOLVER_AT_REGEX, RESOLVER_SEQ_AT_REGEX, RESOLVER_URL_REGEX, MAVEN_REPOSITORY_REGEX]
+                 .flat_map { |regex| scan_urls(content, regex) }
+
+          urls
+            .map { |url| url.strip.gsub(%r{/$}, "") }
+            .select { |url| valid_url?(url) }
+            .uniq
+        end
+
+        sig { params(content: String, regex: Regexp).returns(T::Array[String]) }
+        def scan_urls(content, regex)
+          urls = T.let([], T::Array[String])
+          content.scan(regex) do
+            urls << T.must(T.must(Regexp.last_match).named_captures.fetch("url"))
+          end
+          urls
+        end
+
+        sig { returns(String) }
+        def central_repo_url
+          base_credential = credentials.find do |cred|
+            cred["type"] == "maven_repository" && replaces_base?(cred) && cred["url"]
+          end
+
+          base_credential ? T.must(base_credential["url"]).gsub(%r{/+$}, "") : CENTRAL_REPO_URL
+        end
+
+        sig { params(credential: Dependabot::Credential).returns(T::Boolean) }
+        def replaces_base?(credential)
+          if credential.respond_to?(:replaces_base?)
+            credential.replaces_base?
+          else
+            credential["replaces-base"] == true
+          end
+        end
+
+        sig { params(url: String).returns(T::Boolean) }
+        def valid_url?(url)
+          return false unless url.start_with?("http")
+
+          URI.parse(url)
+          true
+        rescue URI::InvalidURIError
+          false
+        end
+
+        sig { params(buildfile: Dependabot::DependencyFile).returns(String) }
+        def comment_free_content(buildfile)
+          T.must(buildfile.content)
+           .gsub(%r{(?<=^|\s)//.*$}, "\n")
+           .gsub(%r{(?<=^|\s)/\*.*?\*/}m, "")
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def sbt_files
+          @sbt_files ||= T.let(
+            dependency_files.select { |f| f.name.end_with?(".sbt") },
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
+        end
+      end
+    end
+  end
+end