dependabot-terraform 0.279.0 → 0.280.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/terraform/file_parser.rb +4 -2
  3. data/lib/dependabot/terraform/file_updater.rb +60 -17
  4. data/lib/dependabot/terraform/registry_client.rb +6 -2
  5. metadata +10 -10
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 5aaff31ec9c254d6546d349bf160dd50f0dc038f00d3fb4deb1521d26b4c621b
4
- data.tar.gz: '08fb4b1a107d25ded631a2f6ac3f392f0b808930c7c3fc1b064191b6acb4999a'
3
+ metadata.gz: c85bba9ecab8ebf0239a7bbc4a48bc78f607fccd5bd92b505208a696b3096e70
4
+ data.tar.gz: bfa2deb62e27495b466e32eca61977cfa12bbf08a77f7558f6f2e5eecb9f33ab
5
5
  SHA512:
6
- metadata.gz: b4e2435cd36a64fd1984fa489c9048d57f363585c8fb07eb210b8345d5956d44e952e05a759ce87d06bf2ba38f562825d8660e1fd39d78496382891b59f35840
7
- data.tar.gz: b1ef7bf7f8dc3c836aea734f48af7a446261320e9a249c47149a507cca99147844be0efccad2c678345d3df97e00e0bf83345aaf2a876037bfd3846b7bde4a97
6
+ metadata.gz: eb36350e826b08838986f8cd25a13a324c3a435e77502938afc8fc785b7d9de3f14d5920da6a4ff116a4913d925c94fbfc5b441954755ad3235d9b64d71d035f
7
+ data.tar.gz: b4983e4a5a4ad9db62f03edc634ab22061ddfd677f4ddbca96573b63873cd244248aad149a6c0aefcd9457dcc382e32dbadb989184d7798390bf7818ead96e16
data/lib/dependabot/terraform/file_parser.rb CHANGED
@@ -269,7 +269,7 @@ module Dependabot
269
269
  if git_url.include?("git@")
270
270
  T.must(git_url.split("git@").last).sub(":", "/")
271
271
  else
272
- git_url.sub(%r{.*?://}, "")
272
+ git_url.sub(%r{(?:\w{3,5})?://}, "")
273
273
  end
274
274
 
275
275
  querystr = URI.parse("https://" + bare_uri).query
@@ -292,6 +292,7 @@ module Dependabot
292
292
  end
293
293
 
294
294
  # rubocop:disable Metrics/PerceivedComplexity
295
+ # rubocop:disable Metrics/CyclomaticComplexity
295
296
  sig { params(source_string: String).returns(Symbol) }
296
297
  def source_type(source_string)
297
298
  return :interpolation if source_string.include?("${")
@@ -308,11 +309,12 @@ module Dependabot
308
309
 
309
310
  path_uri = URI.parse(T.must(source_string.split(%r{(?<!:)//}).first))
310
311
  query_uri = URI.parse(source_string)
311
- return :http_archive if path_uri.path.end_with?(*RegistryClient::ARCHIVE_EXTENSIONS)
312
+ return :http_archive if RegistryClient::ARCHIVE_EXTENSIONS.any? { |ext| path_uri.path&.end_with?(ext) }
312
313
  return :http_archive if query_uri.query&.include?("archive=")
313
314
 
314
315
  raise "HTTP source, but not an archive!"
315
316
  end
317
+ # rubocop:enable Metrics/CyclomaticComplexity
316
318
  # rubocop:enable Metrics/PerceivedComplexity
317
319
 
318
320
  # == Returns:
data/lib/dependabot/terraform/file_updater.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
@@ -20,10 +20,12 @@ module Dependabot
20
20
  MODULE_NOT_INSTALLED_ERROR = /Module not installed.*module\s*\"(?<mod>\S+)\"/m
21
21
  GIT_HTTPS_PREFIX = %r{^git::https://}
22
22
 
23
+ sig { override.returns(T::Array[Regexp]) }
23
24
  def self.updated_files_regex
24
25
  [/\.tf$/, /\.hcl$/]
25
26
  end
26
27
 
28
+ sig { override.returns(T::Array[Dependabot::DependencyFile]) }
27
29
  def updated_dependency_files
28
30
  updated_files = []
29
31
 
@@ -69,23 +71,25 @@ module Dependabot
69
71
  # (requirements - previous_requirements) | (previous_requirements - requirements)
70
72
  # => [{requirement: "0.9.1"}]
71
73
  # we can detect that change.
74
+ sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
72
75
  def requirement_changed?(file, dependency)
73
76
  changed_requirements =
74
- (dependency.requirements - dependency.previous_requirements) |
75
- (dependency.previous_requirements - dependency.requirements)
77
+ (dependency.requirements - T.must(dependency.previous_requirements)) |
78
+ (T.must(dependency.previous_requirements) - dependency.requirements)
76
79
 
77
80
  changed_requirements.any? { |f| f[:file] == file.name }
78
81
  end
79
82
 
83
+ sig { params(file: Dependabot::DependencyFile).returns(String) }
80
84
  def updated_terraform_file_content(file)
81
- content = file.content.dup
85
+ content = T.must(file.content.dup)
82
86
 
83
- reqs = dependency.requirements.zip(dependency.previous_requirements)
87
+ reqs = dependency.requirements.zip(T.must(dependency.previous_requirements))
84
88
  .reject { |new_req, old_req| new_req == old_req }
85
89
 
86
90
  # Loop through each changed requirement and update the files and lockfile
87
91
  reqs.each do |new_req, old_req|
88
- raise "Bad req match" unless new_req[:file] == old_req[:file]
92
+ raise "Bad req match" unless new_req[:file] == old_req&.fetch(:file)
89
93
  next unless new_req.fetch(:file) == file.name
90
94
 
91
95
  case new_req[:source][:type]
@@ -102,20 +106,37 @@ module Dependabot
102
106
  content
103
107
  end
104
108
 
109
+ sig do
110
+ params(
111
+ new_req: T::Hash[Symbol, T.untyped],
112
+ old_req: T.nilable(T::Hash[Symbol, T.untyped]),
113
+ updated_content: String,
114
+ filename: String
115
+ )
116
+ .void
117
+ end
105
118
  def update_git_declaration(new_req, old_req, updated_content, filename)
106
- url = old_req.fetch(:source)[:url].gsub(%r{^https://}, "")
107
- tag = old_req.fetch(:source)[:ref]
119
+ url = old_req&.dig(:source, :url)&.gsub(%r{^https://}, "")
120
+ tag = old_req&.dig(:source, :ref)
108
121
  url_regex = /#{Regexp.quote(url)}.*ref=#{Regexp.quote(tag)}/
109
122
 
110
123
  declaration_regex = git_declaration_regex(filename)
111
124
 
112
125
  updated_content.sub!(declaration_regex) do |regex_match|
113
126
  regex_match.sub(url_regex) do |url_match|
114
- url_match.sub(old_req[:source][:ref], new_req[:source][:ref])
127
+ url_match.sub(old_req&.dig(:source, :ref), new_req[:source][:ref])
115
128
  end
116
129
  end
117
130
  end
118
131
 
132
+ sig do
133
+ params(
134
+ new_req: T::Hash[Symbol, T.untyped],
135
+ old_req: T.nilable(T::Hash[Symbol, T.untyped]),
136
+ updated_content: String
137
+ )
138
+ .void
139
+ end
119
140
  def update_registry_declaration(new_req, old_req, updated_content)
120
141
  regex = if new_req[:source][:type] == "provider"
121
142
  provider_declaration_regex(updated_content)
@@ -124,18 +145,20 @@ module Dependabot
124
145
  end
125
146
  updated_content.gsub!(regex) do |regex_match|
126
147
  regex_match.sub(/^\s*version\s*=.*/) do |req_line_match|
127
- req_line_match.sub(old_req[:requirement], new_req[:requirement])
148
+ req_line_match.sub(old_req&.fetch(:requirement), new_req[:requirement])
128
149
  end
129
150
  end
130
151
  end
131
152
 
153
+ sig { params(content: String, declaration_regex: Regexp).returns(T::Array[String]) }
132
154
  def extract_provider_h1_hashes(content, declaration_regex)
133
155
  content.match(declaration_regex).to_s
134
156
  .match(hashes_object_regex).to_s
135
157
  .split("\n").map { |hash| hash.match(hashes_string_regex).to_s }
136
- .select { |h| h&.match?(/^h1:/) }
158
+ .select { |h| h.match?(/^h1:/) }
137
159
  end
138
160
 
161
+ sig { params(content: String, declaration_regex: Regexp).returns(String) }
139
162
  def remove_provider_h1_hashes(content, declaration_regex)
140
163
  content.match(declaration_regex).to_s
141
164
  .sub(hashes_object_regex, "")
@@ -155,8 +178,9 @@ module Dependabot
155
178
  [T.must(content), provider_source, declaration_regex]
156
179
  end
157
180
 
181
+ sig { returns(T.nilable(T::Array[Symbol])) }
158
182
  def lookup_hash_architecture # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
159
- new_req = dependency.requirements.first
183
+ new_req = T.must(dependency.requirements.first)
160
184
 
161
185
  # NOTE: Only providers are included in the lockfile, modules are not
162
186
  return unless new_req[:source][:type] == "provider"
@@ -222,14 +246,23 @@ module Dependabot
222
246
  architectures.to_a
223
247
  end
224
248
 
249
+ sig { returns(T::Array[Symbol]) }
225
250
  def architecture_type
226
- @architecture_type ||= lookup_hash_architecture.empty? ? [:linux_amd64] : lookup_hash_architecture
251
+ @architecture_type ||= T.let(
252
+ if lookup_hash_architecture.nil? || lookup_hash_architecture&.empty?
253
+ [:linux_amd64]
254
+ else
255
+ T.must(lookup_hash_architecture)
256
+ end,
257
+ T.nilable(T::Array[Symbol])
258
+ )
227
259
  end
228
260
 
261
+ sig { params(updated_manifest_files: T::Array[Dependabot::DependencyFile]).returns(T.nilable(String)) }
229
262
  def update_lockfile_declaration(updated_manifest_files) # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
230
263
  return if lockfile.nil?
231
264
 
232
- new_req = dependency.requirements.first
265
+ new_req = T.must(dependency.requirements.first)
233
266
  # NOTE: Only providers are included in the lockfile, modules are not
234
267
  return unless new_req[:source][:type] == "provider"
235
268
 
@@ -268,7 +301,7 @@ module Dependabot
268
301
  raise if @retrying_lock || !e.message.include?("terraform init")
269
302
 
270
303
  # NOTE: Modules need to be installed before terraform can update the lockfile
271
- @retrying_lock = true
304
+ @retrying_lock = T.let(true, T.nilable(T::Boolean))
272
305
  run_terraform_init
273
306
  retry
274
307
  end
@@ -276,6 +309,7 @@ module Dependabot
276
309
  content
277
310
  end
278
311
 
312
+ sig { void }
279
313
  def run_terraform_init
280
314
  SharedHelpers.with_git_configured(credentials: credentials) do
281
315
  # -backend=false option used to ignore any backend configuration, as these won't be accessible
@@ -298,30 +332,36 @@ module Dependabot
298
332
  end
299
333
  end
300
334
 
335
+ sig { returns(Dependabot::Dependency) }
301
336
  def dependency
302
337
  # Terraform updates will only ever be updating a single dependency
303
- dependencies.first
338
+ T.must(dependencies.first)
304
339
  end
305
340
 
341
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
306
342
  def files_with_requirement
307
343
  filenames = dependency.requirements.map { |r| r[:file] }
308
344
  dependency_files.select { |file| filenames.include?(file.name) }
309
345
  end
310
346
 
347
+ sig { override.void }
311
348
  def check_required_files
312
349
  return if [*terraform_files, *terragrunt_files].any?
313
350
 
314
351
  raise "No Terraform configuration file!"
315
352
  end
316
353
 
354
+ sig { returns(Regexp) }
317
355
  def hashes_object_regex
318
356
  /hashes\s*=\s*[^\]]*\]/m
319
357
  end
320
358
 
359
+ sig { returns(Regexp) }
321
360
  def hashes_string_regex
322
361
  /(?<=\").*(?=\")/
323
362
  end
324
363
 
364
+ sig { params(updated_content: String).returns(Regexp) }
325
365
  def provider_declaration_regex(updated_content)
326
366
  name = Regexp.escape(dependency.name)
327
367
  registry_host = Regexp.escape(registry_host_for(dependency))
@@ -341,6 +381,7 @@ module Dependabot
341
381
  end
342
382
  end
343
383
 
384
+ sig { returns(Regexp) }
344
385
  def registry_declaration_regex
345
386
  %r{
346
387
  (?<=\{)
@@ -354,6 +395,7 @@ module Dependabot
354
395
  }mx
355
396
  end
356
397
 
398
+ sig { params(filename: String).returns(Regexp) }
357
399
  def git_declaration_regex(filename)
358
400
  # For terragrunt dependencies there's not a lot we can base the
359
401
  # regex on. Just look for declarations within a `terraform` block
@@ -361,13 +403,14 @@ module Dependabot
361
403
 
362
404
  # For modules we can do better - filter for module blocks that use the
363
405
  # name of the module
364
- module_name = dependency.name.split("::").first
406
+ module_name = T.must(dependency.name.split("::").first)
365
407
  /
366
408
  module\s+["']#{Regexp.escape(module_name)}["']\s*\{
367
409
  (?:(?!^\}).)*
368
410
  /mx
369
411
  end
370
412
 
413
+ sig { params(dependency: Dependabot::Dependency).returns(String) }
371
414
  def registry_host_for(dependency)
372
415
  source = dependency.requirements.filter_map { |r| r[:source] }.first
373
416
  source[:registry_hostname] || source["registry_hostname"] || "registry.terraform.io"
data/lib/dependabot/terraform/registry_client.rb CHANGED
@@ -25,11 +25,13 @@ module Dependabot
25
25
  # rubocop:disable Metrics/PerceivedComplexity
26
26
  # See https://www.terraform.io/docs/modules/sources.html#http-urls for
27
27
  # details of how Terraform handle HTTP(S) sources for modules
28
- def self.get_proxied_source(raw_source) # rubocop:disable Metrics/AbcSize
28
+ # rubocop:disable Metrics/AbcSize
29
+ # rubocop:disable Metrics/CyclomaticComplexity
30
+ def self.get_proxied_source(raw_source)
29
31
  return raw_source unless raw_source.start_with?("http")
30
32
 
31
33
  uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
32
- return raw_source if uri.path.end_with?(*ARCHIVE_EXTENSIONS)
34
+ return raw_source if ARCHIVE_EXTENSIONS.any? { |ext| uri.path&.end_with?(ext) }
33
35
  return raw_source if URI.parse(raw_source).query&.include?("archive=")
34
36
 
35
37
  url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
@@ -49,6 +51,8 @@ module Dependabot
49
51
 
50
52
  raw_source
51
53
  end
54
+ # rubocop:enable Metrics/CyclomaticComplexity
55
+ # rubocop:enable Metrics/AbcSize
52
56
  # rubocop:enable Metrics/PerceivedComplexity
53
57
 
54
58
  # Fetch all the versions of a provider, and return a Version
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-terraform
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.279.0
4
+ version: 0.280.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-10-03 00:00:00.000000000 Z
11
+ date: 2024-10-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.279.0
19
+ version: 0.280.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.279.0
26
+ version: 0.280.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
156
156
  requirements:
157
157
  - - "~>"
158
158
  - !ruby/object:Gem::Version
159
- version: 0.8.1
159
+ version: 0.8.5
160
160
  type: :development
161
161
  prerelease: false
162
162
  version_requirements: !ruby/object:Gem::Requirement
163
163
  requirements:
164
164
  - - "~>"
165
165
  - !ruby/object:Gem::Version
166
- version: 0.8.1
166
+ version: 0.8.5
167
167
  - !ruby/object:Gem::Dependency
168
168
  name: simplecov
169
169
  requirement: !ruby/object:Gem::Requirement
@@ -260,8 +260,8 @@ licenses:
260
260
  - MIT
261
261
  metadata:
262
262
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
263
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.279.0
264
- post_install_message:
263
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.280.0
264
+ post_install_message:
265
265
  rdoc_options: []
266
266
  require_paths:
267
267
  - lib
@@ -277,7 +277,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
277
277
  version: 3.1.0
278
278
  requirements: []
279
279
  rubygems_version: 3.5.9
280
- signing_key:
280
+ signing_key:
281
281
  specification_version: 4
282
282
  summary: Provides Dependabot support for Terraform
283
283
  test_files: []