dependabot-sbt 0.377.0

data/lib/dependabot/sbt/file_updater.rb

@@ -0,0 +1,240 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/sbt/file_parser"
+
+module Dependabot
+  module Sbt
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
+      require_relative "file_updater/property_value_updater"
+
+      # Regex matching scalaVersion declarations in all supported SBT syntaxes
+      SCALA_VERSION_DECL = T.let(
+        "(?:ThisBuild\\s*/\\s*)?" \
+        "(?:scalaVersion\\s+in\\s+ThisBuild|scalaVersion)" \
+        '\\s*:=\\s*"',
+        String
+      )
+
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_dependency_files
+        updated_files = T.let(dependency_files.dup, T::Array[Dependabot::DependencyFile])
+
+        dependencies.each do |dependency|
+          updated_files = update_files_for_dependency(
+            original_files: updated_files,
+            dependency: dependency
+          )
+        end
+
+        updated_files.reject! { |f| dependency_files.include?(f) }
+
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      sig { override.void }
+      def check_required_files
+        raise "No build.sbt!" unless get_original_file("build.sbt")
+      end
+
+      sig do
+        params(
+          original_files: T::Array[Dependabot::DependencyFile],
+          dependency: Dependabot::Dependency
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def update_files_for_dependency(original_files:, dependency:)
+        files = original_files.dup
+
+        reqs = dependency.requirements.zip(dependency.previous_requirements.to_a)
+                         .reject { |new_req, old_req| new_req == old_req }
+
+        reqs.each do |new_req, old_req|
+          raise "Bad req match" unless new_req[:file] == T.must(old_req)[:file]
+          next if new_req[:requirement] == T.must(old_req)[:requirement]
+
+          files = apply_requirement_update(files, dependency, new_req, T.must(old_req))
+        end
+
+        files
+      end
+
+      sig do
+        params(
+          files: T::Array[Dependabot::DependencyFile],
+          dependency: Dependabot::Dependency,
+          new_req: T::Hash[Symbol, T.untyped],
+          old_req: T::Hash[Symbol, T.untyped]
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def apply_requirement_update(files, dependency, new_req, old_req)
+        if new_req.dig(:metadata, :property_name)
+          update_files_for_property_change(files, old_req, new_req)
+        elsif T.let(new_req[:file], String).end_with?("build.properties")
+          update_build_properties(files, old_req, new_req)
+        elsif scala_version_requirement?(new_req)
+          file = T.must(files.find { |f| f.name == new_req[:file] })
+          idx = T.must(files.index(file))
+          files.dup.tap { |updated| updated[idx] = update_scala_version(file, old_req, new_req) }
+        else
+          file = T.must(files.find { |f| f.name == new_req[:file] })
+          idx = T.must(files.index(file))
+          files.dup.tap { |updated| updated[idx] = update_version_in_buildfile(dependency, file, old_req, new_req) }
+        end
+      end
+
+      sig do
+        params(
+          files: T::Array[Dependabot::DependencyFile],
+          old_req: T::Hash[Symbol, T.untyped],
+          new_req: T::Hash[Symbol, T.untyped]
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def update_files_for_property_change(files, old_req, new_req)
+        property_name = T.let(new_req.dig(:metadata, :property_name), String)
+        callsite = T.must(files.find { |f| f.name == new_req[:file] })
+
+        PropertyValueUpdater.new(dependency_files: files)
+                            .update_files_for_property_change(
+                              property_name: property_name,
+                              callsite_buildfile: callsite,
+                              previous_value: T.let(old_req.fetch(:requirement), String),
+                              updated_value: T.let(new_req.fetch(:requirement), String)
+                            )
+      end
+
+      sig do
+        params(
+          files: T::Array[Dependabot::DependencyFile],
+          old_req: T::Hash[Symbol, T.untyped],
+          new_req: T::Hash[Symbol, T.untyped]
+        ).returns(T::Array[Dependabot::DependencyFile])
+      end
+      def update_build_properties(files, old_req, new_req)
+        file = T.must(files.find { |f| f.name == new_req[:file] })
+        old_version = T.let(old_req.fetch(:requirement), String)
+        new_version = T.let(new_req.fetch(:requirement), String)
+
+        updated_content = T.must(file.content).sub(
+          /(sbt\.version\s*=\s*)#{Regexp.quote(old_version)}/,
+          "\\1#{new_version}"
+        )
+
+        raise "Expected content to change!" if updated_content == file.content
+
+        updated_files = files.dup
+        updated_files[T.must(files.index(file))] =
+          updated_file(file: file, content: updated_content)
+        updated_files
+      end
+
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          old_req: T::Hash[Symbol, T.untyped],
+          new_req: T::Hash[Symbol, T.untyped]
+        ).returns(Dependabot::DependencyFile)
+      end
+      def update_scala_version(file, old_req, new_req)
+        old_version = T.let(old_req.fetch(:requirement), String)
+        new_version = T.let(new_req.fetch(:requirement), String)
+
+        updated_content = T.must(file.content).sub(
+          /(#{SCALA_VERSION_DECL})#{Regexp.quote(old_version)}(")/,
+          "\\1#{new_version}\\2"
+        )
+
+        raise "Expected content to change!" if updated_content == file.content
+
+        updated_file(file: file, content: updated_content)
+      end
+
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          buildfile: Dependabot::DependencyFile,
+          previous_req: T::Hash[Symbol, T.untyped],
+          requirement: T::Hash[Symbol, T.untyped]
+        ).returns(Dependabot::DependencyFile)
+      end
+      def update_version_in_buildfile(dependency, buildfile, previous_req, requirement)
+        updated_content = T.must(buildfile.content.dup)
+
+        original_declarations = original_buildfile_declarations(dependency, previous_req)
+        original_declarations.each do |old_dec|
+          updated_content = updated_content.gsub(old_dec) do
+            updated_buildfile_declaration(old_dec, previous_req, requirement)
+          end
+        end
+
+        raise "Expected content to change!" if updated_content == buildfile.content
+
+        updated_file(file: buildfile, content: updated_content)
+      end
+
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          requirement: T::Hash[Symbol, T.untyped]
+        ).returns(T::Array[String])
+      end
+      def original_buildfile_declarations(dependency, requirement)
+        buildfile = T.must(dependency_files.find { |f| f.name == T.let(requirement.fetch(:file), String) })
+        group, artifact = dependency_group_and_artifact(dependency)
+
+        T.must(buildfile.content).lines.select do |line|
+          next false unless line.include?(group)
+          next false unless line.include?(artifact)
+
+          line.include?(T.let(requirement.fetch(:requirement), String))
+        end
+      end
+
+      sig { params(dependency: Dependabot::Dependency).returns([String, String]) }
+      def dependency_group_and_artifact(dependency)
+        parts = dependency.name.split(":")
+        group = T.must(parts.first)
+        artifact = T.must(parts.last)
+
+        # Strip Scala version suffix for cross-versioned deps (e.g. cats-core_2.13 → cats-core)
+        artifact = artifact.sub(/_\d+(\.\d+)?$/, "")
+
+        [group, artifact]
+      end
+
+      sig do
+        params(
+          old_declaration: String,
+          previous_req: T::Hash[Symbol, T.untyped],
+          requirement: T::Hash[Symbol, T.untyped]
+        ).returns(String)
+      end
+      def updated_buildfile_declaration(old_declaration, previous_req, requirement)
+        original_req_string = T.let(previous_req.fetch(:requirement), String)
+        new_req_string = T.let(requirement.fetch(:requirement), String)
+
+        old_declaration.gsub(
+          /"#{Regexp.quote(original_req_string)}"/,
+          "\"#{new_req_string}\""
+        )
+      end
+
+      sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
+      def scala_version_requirement?(req)
+        req.dig(:metadata, :property_source) == "scalaVersion"
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register("sbt", Dependabot::Sbt::FileUpdater)

data/lib/dependabot/sbt/language.rb

@@ -0,0 +1,24 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/ecosystem"
+require "dependabot/sbt/version"
+
+module Dependabot
+  module Sbt
+    LANGUAGE = "scala"
+
+    class Language < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+
+      sig { params(raw_version: String).void }
+      def initialize(raw_version)
+        super(
+          name: LANGUAGE,
+          version: Version.new(raw_version)
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/sbt/metadata_finder.rb

@@ -0,0 +1,24 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/maven/shared/shared_metadata_finder"
+require "dependabot/sbt/file_fetcher"
+require "sorbet-runtime"
+
+module Dependabot
+  module Sbt
+    class MetadataFinder < Dependabot::Maven::Shared::SharedMetadataFinder
+      extend T::Sig
+
+      private
+
+      sig { override.returns(T.class_of(Dependabot::FileFetchers::Base)) }
+      def file_fetcher_class
+        Dependabot::Sbt::FileFetcher
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.register("sbt", Dependabot::Sbt::MetadataFinder)

data/lib/dependabot/sbt/native_helpers.rb

@@ -0,0 +1,28 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Sbt
+    module NativeHelpers
+      extend T::Sig
+
+      sig { returns(String) }
+      def self.coursier_path
+        clean_path(File.join(native_helpers_root, "sbt/bin/cs"))
+      end
+
+      sig { returns(String) }
+      def self.native_helpers_root
+        default_path = File.join(__dir__, "../../../helpers/install-dir")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+
+      sig { params(path: String).returns(String) }
+      def self.clean_path(path)
+        Pathname.new(path).cleanpath.to_path
+      end
+    end
+  end
+end

data/lib/dependabot/sbt/package/package_details_fetcher.rb

@@ -0,0 +1,175 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "nokogiri"
+require "sorbet-runtime"
+require "dependabot/registry_client"
+require "dependabot/package/package_release"
+require "dependabot/package/package_details"
+require "dependabot/sbt/file_parser/repositories_finder"
+require "dependabot/sbt/version"
+require "dependabot/sbt/requirement"
+require "dependabot/maven/shared/shared_package_details_fetcher"
+require "dependabot/maven/utils/auth_headers_finder"
+
+module Dependabot
+  module Sbt
+    module Package
+      class PackageDetailsFetcher < Dependabot::Maven::Shared::SharedPackageDetailsFetcher
+        extend T::Sig
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency = T.let(dependency, Dependabot::Dependency)
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
+
+          @repositories_cache = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
+          @repository_finder = T.let(nil, T.nilable(Sbt::FileParser::RepositoriesFinder))
+          @package_details = T.let(nil, T.nilable(Dependabot::Package::PackageDetails))
+        end
+
+        sig { override.returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { override.returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(Dependabot::Package::PackageDetails) }
+        def fetch
+          return @package_details if @package_details
+
+          releases = versions.map do |version_details|
+            Dependabot::Package::PackageRelease.new(
+              version: version_details.fetch(:version),
+              released_at: version_details.fetch(:release_date, nil),
+              url: version_details.fetch(:source_url)
+            )
+          end
+
+          @package_details = Dependabot::Package::PackageDetails.new(
+            dependency: dependency,
+            releases: releases
+          )
+
+          @package_details
+        end
+
+        sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
+        def releases
+          fetch.releases
+        end
+
+        # Assembles the list of Maven repositories to search: credential repos + SBT resolver repos.
+        sig { override.returns(T::Array[T::Hash[String, T.untyped]]) }
+        def repositories
+          return @repositories_cache if @repositories_cache
+
+          @repositories_cache = credentials_repository_details
+
+          sbt_repository_details.each do |repo|
+            @repositories_cache << repo unless @repositories_cache.any? do |r|
+              r[URL_KEY] == repo[URL_KEY]
+            end
+          end
+
+          @repositories_cache
+        end
+
+        sig { override.returns(String) }
+        def central_repo_url
+          Sbt::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+        end
+
+        # Override to always use "jar" for the HEAD check. The SBT parser sets
+        # packaging_type to "cross-versioned" as metadata for %% dependencies, but the
+        # actual Maven artifact is always a .jar file.
+        sig { override.params(repository_url: String, version: Dependabot::Version).returns(String) }
+        def dependency_files_url(repository_url, version)
+          _, artifact_id = dependency_parts
+          base_url = dependency_base_url(repository_url)
+
+          "#{base_url}/#{version}/#{artifact_id}-#{version}.jar"
+        end
+
+        # Override to handle SBT plugin cross-versioning.
+        # SBT plugins are published with a double-suffix: artifact_scalaVersion_sbtVersion
+        # e.g., sbt-jmh_2.12_1.0 for SBT 1.x plugins.
+        sig { override.returns([String, String]) }
+        def dependency_parts
+          @dependency_parts = T.let(@dependency_parts, T.nilable([String, String]))
+          return @dependency_parts if @dependency_parts
+
+          group_id, artifact_id = dependency.name.split(":")
+          group_path = T.must(group_id).tr(".", "/")
+
+          artifact_id = "#{artifact_id}_#{plugin_scala_version}_#{sbt_binary_version}" if sbt_plugin?
+
+          @dependency_parts = [group_path, T.must(artifact_id)]
+        end
+
+        private
+
+        sig { returns(Sbt::FileParser::RepositoriesFinder) }
+        def repository_finder
+          @repository_finder ||= Sbt::FileParser::RepositoriesFinder.new(
+            dependency_files: dependency_files,
+            credentials: credentials
+          )
+        end
+
+        # Returns the repository details discovered from SBT build files.
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+        def sbt_repository_details
+          repository_finder
+            .repository_urls
+            .map do |url|
+              { URL_KEY => url, AUTH_HEADERS_KEY => auth_headers(url) }
+            end
+        end
+
+        # SBT plugins are identified by having "plugins" in their groups.
+        sig { returns(T::Boolean) }
+        def sbt_plugin?
+          dependency.requirements.any? { |req| req.fetch(:groups, []).include?("plugins") }
+        end
+
+        # SBT 1.x plugins use Scala 2.12; SBT 2.x plugins use Scala 3.
+        sig { returns(String) }
+        def plugin_scala_version
+          sbt_major_version >= 2 ? "3" : "2.12"
+        end
+
+        # SBT binary version for plugin cross-versioning: "1.0" for SBT 1.x, "2.0" for SBT 2.x.
+        sig { returns(String) }
+        def sbt_binary_version
+          "#{sbt_major_version}.0"
+        end
+
+        sig { returns(Integer) }
+        def sbt_major_version
+          build_properties = dependency_files.find { |f| f.name.end_with?("build.properties") }
+          return 1 unless build_properties&.content
+
+          T.must(build_properties.content).each_line do |line|
+            match = line.strip.match(Sbt::FileParser::SBT_VERSION_REGEX)
+            next unless match
+
+            return T.must(match[:version]).strip.split(".").first.to_i
+          end
+
+          1
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/sbt/package_manager.rb

@@ -0,0 +1,39 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/ecosystem"
+require "dependabot/sbt/version"
+
+module Dependabot
+  module Sbt
+    ECOSYSTEM = "sbt"
+    PACKAGE_MANAGER = "sbt"
+    SUPPORTED_SBT_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+    DEPRECATED_SBT_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+    class PackageManager < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+
+      sig { params(raw_version: String).void }
+      def initialize(raw_version)
+        super(
+          name: PACKAGE_MANAGER,
+          version: Version.new(raw_version),
+          deprecated_versions: DEPRECATED_SBT_VERSIONS,
+          supported_versions: SUPPORTED_SBT_VERSIONS
+        )
+      end
+
+      sig { returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/sbt/requirement.rb

@@ -0,0 +1,64 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/requirement"
+require "dependabot/utils"
+require "dependabot/maven/shared/shared_requirement"
+require "dependabot/sbt/version"
+
+module Dependabot
+  module Sbt
+    # SBT typically uses exact versions ("org" % "artifact" % "1.2.3"),
+    # but Maven-style version ranges are valid since artifacts resolve
+    # from Maven repositories.
+    class Requirement < Dependabot::Maven::Shared::SharedRequirement
+      extend T::Sig
+
+      quoted = OPS.keys.map { |k| Regexp.quote k }.join("|")
+      PATTERN_RAW = T.let("\\s*(#{quoted})?\\s*(#{Sbt::Version::VERSION_PATTERN})\\s*".freeze, String)
+      PATTERN = T.let(/\A#{PATTERN_RAW}\z/, Regexp)
+      RUBY_STYLE_PATTERN = T.let(/\A\s*(#{quoted})\s*(#{Sbt::Version::VERSION_PATTERN})\s*\z/, Regexp)
+
+      sig { override.returns(Regexp) }
+      def self.pattern
+        PATTERN
+      end
+
+      sig { override.returns(Regexp) }
+      def self.ruby_style_pattern
+        RUBY_STYLE_PATTERN
+      end
+
+      sig { override.params(obj: T.any(Gem::Version, String)).returns([String, Gem::Version]) }
+      def self.parse(obj)
+        return ["=", Sbt::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", Sbt::Version.new(T.must(matches[2]))]
+      end
+
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      def self.requirements_array(requirement_string)
+        split_java_requirement(requirement_string).map do |str|
+          new(str)
+        end
+      end
+
+      sig { override.params(version: Gem::Version).returns(T::Boolean) }
+      def satisfied_by?(version)
+        version = Sbt::Version.new(version.to_s)
+        super
+      end
+    end
+  end
+end
+
+Dependabot::Utils.register_requirement_class("sbt", Dependabot::Sbt::Requirement)

data/lib/dependabot/sbt/update_checker/requirements_updater.rb

@@ -0,0 +1,98 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/requirements_updater/base"
+require "dependabot/sbt/update_checker"
+require "dependabot/sbt/version"
+require "dependabot/sbt/requirement"
+
+module Dependabot
+  module Sbt
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      class RequirementsUpdater
+        extend T::Sig
+        extend T::Generic
+
+        Version = type_member { { fixed: Dependabot::Sbt::Version } }
+        Requirement = type_member { { fixed: Dependabot::Sbt::Requirement } }
+
+        include Dependabot::RequirementsUpdater::Base
+
+        sig do
+          params(
+            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            latest_version: T.nilable(T.any(Version, String)),
+            source_url: T.nilable(String),
+            properties_to_update: T::Array[String]
+          ).void
+        end
+        def initialize(
+          requirements:,
+          latest_version:,
+          source_url:,
+          properties_to_update:
+        )
+          @requirements = requirements
+          @source_url = source_url
+          @properties_to_update = properties_to_update
+          return unless latest_version
+
+          @latest_version = T.let(version_class.new(latest_version), Version)
+        end
+
+        sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def updated_requirements
+          return requirements unless latest_version
+
+          requirements.map do |req|
+            next req if req.fetch(:requirement).nil?
+            next req if req.fetch(:requirement).include?(",")
+
+            property_name = req.dig(:metadata, :property_name)
+            next req if property_name && !properties_to_update.include?(property_name)
+
+            new_req = update_requirement(req[:requirement])
+            req.merge(requirement: new_req, source: updated_source)
+          end
+        end
+
+        private
+
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        attr_reader :requirements
+
+        sig { returns(T.nilable(Version)) }
+        attr_reader :latest_version
+
+        sig { returns(T.nilable(String)) }
+        attr_reader :source_url
+
+        sig { returns(T::Array[String]) }
+        attr_reader :properties_to_update
+
+        sig { params(req_string: String).returns(String) }
+        def update_requirement(req_string)
+          old_version = requirement_class.new(req_string)
+                                         .requirements.first.last
+          req_string.gsub(old_version.to_s, T.must(latest_version).to_s)
+        end
+
+        sig { override.returns(T::Class[Version]) }
+        def version_class
+          Sbt::Version
+        end
+
+        sig { override.returns(T::Class[Requirement]) }
+        def requirement_class
+          Sbt::Requirement
+        end
+
+        sig { returns(T::Hash[Symbol, T.untyped]) }
+        def updated_source
+          { type: "maven_repo", url: source_url }
+        end
+      end
+    end
+  end
+end