dependabot-terraform 0.276.0 → 0.277.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9d1d53e1f7f48deae40823c178a8e34590dcb9a686605ac04b4a26b4b68c6b29
-  data.tar.gz: a09a75e466ff9635927215cbbcd84ecef4e43a3814785801f676a4c00358d7a4
+  metadata.gz: ebe92edc7ae776761d9ddb633672c9ff260d86b40dd845c08307d7f30a4315c1
+  data.tar.gz: 1fb3fb264832e08f580e40157f3fac8e3de388bc700991cd2184b2ef3de0c025
 SHA512:
-  metadata.gz: 642f839e7f70293587c940b3a30a8419080069d76ca10e8fd1439e3883f1da1d5c15cab7e1ac50e436d99e028235381a7a19ad5b682ddaf35619b35c0f50c90b
-  data.tar.gz: a3e4d05af1d6c4567e45fc8e53516de2557d9805117b80c6adbf4255fc3633005b4e69d2f3e9524cfd37e4ac2be18586ecc4aa4e582690fbf42392f61e653f0b
+  metadata.gz: d0a06b41820076bf571c81d4bda05b0fac400e6853ab1264042cf425585c01c984eb1c4467fd0fbc9bf232afea18026cda47349fd9ede280693aa9cbd9e27da7
+  data.tar.gz: c885814bd5b0ddd9bd858b9d1e0eec2491ec45711e76a8f41c8955ff316e9b0a39b76db33b8b15a68d5ee1756e8d31a31844b04bd7c6e764efa9a9efa12499f9

data/lib/dependabot/terraform/file_parser.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "cgi"
@@ -30,6 +30,7 @@ module Dependabot
       # https://www.terraform.io/docs/language/providers/requirements.html#source-addresses
       PROVIDER_SOURCE_ADDRESS = %r{\A((?<hostname>.+)/)?(?<namespace>.+)/(?<name>.+)\z}
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = DependencySet.new
 
@@ -42,6 +43,7 @@ module Dependabot
 
       private
 
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
       def parse_terraform_files(dependency_set)
         terraform_files.each do |file|
           modules = parsed_file(file).fetch("module", {})
@@ -50,9 +52,9 @@ module Dependabot
 
             source = source_from(details)
             # Cannot update local path modules, skip
-            next if source[:type] == "path"
+            next if source && source[:type] == "path"
 
-            dependency_set << build_terraform_dependency(file, name, source, details)
+            dependency_set << build_terraform_dependency(file, name, T.must(source), details)
           end
 
           parsed_file(file).fetch("terraform", []).each do |terraform|
@@ -66,6 +68,7 @@ module Dependabot
         end
       end
 
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
       def parse_terragrunt_files(dependency_set)
         terragrunt_files.each do |file|
           modules = parsed_file(file).fetch("terraform", [])
@@ -81,6 +84,15 @@ module Dependabot
         end
       end
 
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          name: String,
+          source: T::Hash[Symbol, T.untyped],
+          details: T.untyped
+        )
+          .returns(Dependabot::Dependency)
+      end
       def build_terraform_dependency(file, name, source, details)
         # dep_name should be unique for a source, using the info derived from
         # the source or the source name provides this uniqueness
@@ -109,17 +121,25 @@ module Dependabot
         )
       end
 
+      sig do
+        params(
+          file: Dependabot::DependencyFile,
+          name: String,
+          details: T.any(String, T::Hash[String, T.untyped])
+        )
+          .returns(Dependabot::Dependency)
+      end
       def build_provider_dependency(file, name, details = {})
         deprecated_provider_error(file) if deprecated_provider?(details)
 
-        source_address = details.fetch("source", nil)
+        source_address = T.cast(details, T::Hash[String, T.untyped]).fetch("source", nil)
         version_req = details["version"]&.strip
         hostname, namespace, name = provider_source_from(source_address, name)
         dependency_name = source_address ? "#{namespace}/#{name}" : name
 
         Dependency.new(
-          name: dependency_name,
-          version: determine_version_for(hostname, namespace, name, version_req),
+          name: T.must(dependency_name),
+          version: determine_version_for(T.must(hostname), T.must(namespace), T.must(name), version_req),
           package_manager: "terraform",
           requirements: [
             requirement: version_req,
@@ -134,6 +154,7 @@ module Dependabot
         )
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(T.noreturn) }
       def deprecated_provider_error(file)
         raise Dependabot::DependencyFileNotParseable.new(
           file.path,
@@ -143,18 +164,20 @@ module Dependabot
         )
       end
 
+      sig { params(details: Object).returns(T::Boolean) }
       def deprecated_provider?(details)
         # The old syntax for terraform providers v0.12- looked like
         # "tls ~> 2.1" which gets parsed as a string instead of a hash
         details.is_a?(String)
       end
 
+      sig { params(file: Dependabot::DependencyFile, source: T::Hash[Symbol, String]).returns(Dependabot::Dependency) }
       def build_terragrunt_dependency(file, source)
         dep_name = Source.from_url(source[:url]) ? T.must(Source.from_url(source[:url])).repo : source[:url]
         version = version_from_ref(source[:ref])
 
         Dependency.new(
-          name: dep_name,
+          name: T.must(dep_name),
           version: version,
           package_manager: "terraform",
           requirements: [
@@ -167,6 +190,7 @@ module Dependabot
       end
 
       # Full docs at https://www.terraform.io/docs/modules/sources.html
+      sig { params(details_hash: T::Hash[String, String]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def source_from(details_hash)
         raw_source = details_hash.fetch("source")
         bare_source = RegistryClient.get_proxied_source(raw_source)
@@ -183,10 +207,11 @@ module Dependabot
             return nil
           end
 
-        source_details[:proxy_url] = raw_source if raw_source != bare_source
+        T.must(source_details)[:proxy_url] = raw_source if raw_source != bare_source
         source_details
       end
 
+      sig { params(source_address: T.nilable(String), name: String).returns(T::Array[String]) }
       def provider_source_from(source_address, name)
         matches = source_address&.match(PROVIDER_SOURCE_ADDRESS)
         matches = {} if matches.nil?
@@ -198,6 +223,7 @@ module Dependabot
         ]
       end
 
+      sig { params(source_string: T.untyped).returns(T::Hash[Symbol, String]) }
       def registry_source_details_from(source_string)
         parts = source_string.split("//").first.split("/")
 
@@ -219,6 +245,7 @@ module Dependabot
         end
       end
 
+      sig { params(name: String, source: T::Hash[Symbol, T.untyped]).returns(String) }
       def git_dependency_name(name, source)
         git_source = Source.from_url(source[:url])
         if git_source && source[:ref]
@@ -233,13 +260,14 @@ module Dependabot
         end
       end
 
+      sig { params(source_string: String).returns(T::Hash[Symbol, T.nilable(String)]) }
       def git_source_details_from(source_string)
         git_url = source_string.strip.gsub(/^git::/, "")
         git_url = "https://" + git_url unless git_url.start_with?("git@") || git_url.include?("://")
 
         bare_uri =
           if git_url.include?("git@")
-            git_url.split("git@").last.sub(":", "/")
+            T.must(git_url.split("git@").last).sub(":", "/")
           else
             git_url.sub(%r{.*?://}, "")
           end
@@ -255,14 +283,16 @@ module Dependabot
         }
       end
 
+      sig { params(ref: T.nilable(String)).returns(T.nilable(String)) }
       def version_from_ref(ref)
         version_regex = GitCommitChecker::VERSION_REGEX
         return unless ref&.match?(version_regex)
 
-        ref.match(version_regex).named_captures.fetch("version")
+        ref.match(version_regex)&.named_captures&.fetch("version")
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(source_string: String).returns(Symbol) }
       def source_type(source_string)
         return :interpolation if source_string.include?("${")
         return :path if source_string.start_with?(".")
@@ -272,11 +302,11 @@ module Dependabot
         return :mercurial if source_string.start_with?("hg::")
         return :s3 if source_string.start_with?("s3::")
 
-        raise "Unknown src: #{source_string}" if source_string.split("/").first.include?("::")
+        raise "Unknown src: #{source_string}" if source_string.split("/").first&.include?("::")
 
         return :registry unless source_string.start_with?("http")
 
-        path_uri = URI.parse(source_string.split(%r{(?<!:)//}).first)
+        path_uri = URI.parse(T.must(source_string.split(%r{(?<!:)//}).first))
         query_uri = URI.parse(source_string)
         return :http_archive if path_uri.path.end_with?(*RegistryClient::ARCHIVE_EXTENSIONS)
         return :http_archive if query_uri.query&.include?("archive=")
@@ -307,8 +337,9 @@ module Dependabot
       #     }
       #   ],
       # }
+      sig { params(file: Dependabot::DependencyFile).returns(T::Hash[String, T.untyped]) }
       def parsed_file(file)
-        @parsed_buildfile ||= {}
+        @parsed_buildfile ||= T.let({}, T.nilable(T::Hash[String, T.untyped]))
         @parsed_buildfile[file.name] ||= SharedHelpers.in_a_temporary_directory do
           File.write("tmp.tf", file.content)
 
@@ -335,27 +366,40 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable.new(file.path, msg)
       end
 
+      sig { returns(String) }
       def terraform_parser_path
         helper_bin_dir = File.join(native_helpers_root, "terraform/bin")
         Pathname.new(File.join(helper_bin_dir, "json2hcl")).cleanpath.to_path
       end
 
+      sig { returns(String) }
       def terraform_hcl2_parser_path
         helper_bin_dir = File.join(native_helpers_root, "terraform/bin")
         Pathname.new(File.join(helper_bin_dir, "hcl2json")).cleanpath.to_path
       end
 
+      sig { returns(String) }
       def native_helpers_root
         default_path = File.join(__dir__, "../../../helpers/install-dir")
         ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
       end
 
+      sig { override.void }
       def check_required_files
         return if [*terraform_files, *terragrunt_files].any?
 
         raise "No Terraform configuration file!"
       end
 
+      sig do
+        params(
+          hostname: String,
+          namespace: String,
+          name: String,
+          constraint: T.nilable(String)
+        )
+          .returns(T.nilable(String))
+      end
       def determine_version_for(hostname, namespace, name, constraint)
         return constraint if constraint&.match?(/\A\d/)
 
@@ -363,14 +407,17 @@ module Dependabot
           .dig("provider", "#{hostname}/#{namespace}/#{name}", 0, "version")
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def lockfile_content
-        @lockfile_content ||=
+        @lockfile_content ||= T.let(
           begin
             lockfile = dependency_files.find do |file|
               file.name == ".terraform.lock.hcl"
             end
             lockfile ? parsed_file(lockfile) : {}
-          end
+          end,
+          T.nilable(T::Hash[String, T.untyped])
+        )
       end
     end
   end

data/lib/dependabot/terraform/requirements_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 ####################################################################
@@ -6,6 +6,8 @@
 # https://www.terraform.io/docs/modules/usage.html#module-versions #
 ####################################################################
 
+require "sorbet-runtime"
+
 require "dependabot/terraform/version"
 require "dependabot/terraform/requirement"
 
@@ -46,9 +48,18 @@ module Dependabot
     #   }
     # }
     class RequirementsUpdater
+      extend T::Sig
+
       # @param requirements [Hash{Symbol => String, Array, Hash}]
       # @param latest_version [Dependabot::Terraform::Version]
       # @param tag_for_latest_version [String, NilClass]
+      sig do
+        params(
+          requirements: T::Array[T::Hash[Symbol, T.untyped]],
+          latest_version: T.nilable(Dependabot::Version::VersionParameter),
+          tag_for_latest_version: T.nilable(String)
+        ).void
+      end
       def initialize(requirements:, latest_version:, tag_for_latest_version:)
         @requirements = requirements
         @tag_for_latest_version = tag_for_latest_version
@@ -56,7 +67,7 @@ module Dependabot
         return unless latest_version
         return unless version_class.correct?(latest_version)
 
-        @latest_version = version_class.new(latest_version)
+        @latest_version = T.let(version_class.new(latest_version), Dependabot::Terraform::Version)
       end
 
       # @return requirements [Hash{Symbol => String, Array, Hash}]
@@ -64,9 +75,8 @@ module Dependabot
       #   * groups [Array] no-op for terraform
       #   * file [String] the file that specified this dependency
       #   * source [Hash{Symbol => String}] The updated git or registry source details
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
-        return requirements unless latest_version
-
         # NOTE: Order is important here. The FileUpdater needs the updated
         # requirement at index `i` to correspond to the previous requirement
         # at the same index.
@@ -81,10 +91,16 @@ module Dependabot
 
       private
 
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       attr_reader :requirements
+
+      sig { returns(Dependabot::Terraform::Version) }
       attr_reader :latest_version
+
+      sig { returns(T.nilable(String)) }
       attr_reader :tag_for_latest_version
 
+      sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
       def update_git_requirement(req)
         return req unless req.dig(:source, :ref)
         return req unless tag_for_latest_version
@@ -92,6 +108,7 @@ module Dependabot
         req.merge(source: req[:source].merge(ref: tag_for_latest_version))
       end
 
+      sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
       def update_registry_requirement(req)
         return req if req.fetch(:requirement).nil?
 
@@ -111,6 +128,7 @@ module Dependabot
       end
 
       # Updates the version in a "~>" constraint to allow the given version
+      sig { params(req_string: String).returns(String) }
       def update_twiddle_version(req_string)
         old_version = requirement_class.new(req_string)
                                        .requirements.first.last
@@ -118,6 +136,7 @@ module Dependabot
         req_string.sub(old_version.to_s, updated_version)
       end
 
+      sig { params(req_string: String).returns(T::Array[Dependabot::Terraform::Requirement]) }
       def update_range(req_string)
         requirement_class.new(req_string).requirements.flat_map do |r|
           ruby_req = requirement_class.new(r.join(" "))
@@ -131,6 +150,13 @@ module Dependabot
         end
       end
 
+      sig do
+        params(
+          new_version: Dependabot::Terraform::Version,
+          old_version: Dependabot::Terraform::Version
+        )
+          .returns(String)
+      end
       def at_same_precision(new_version, old_version)
         release_precision =
           old_version.to_s.split(".").count { |i| i.match?(/^\d+$/) }
@@ -149,6 +175,13 @@ module Dependabot
 
       # Updates the version in a "<" or "<=" constraint to allow the given
       # version
+      sig do
+        params(
+          requirement: Dependabot::Requirement,
+          version_to_be_permitted: T.any(String, Dependabot::Terraform::Version)
+        )
+          .returns(Dependabot::Terraform::Requirement)
+      end
       def update_greatest_version(requirement, version_to_be_permitted)
         if version_to_be_permitted.is_a?(String)
           version_to_be_permitted =
@@ -164,7 +197,7 @@ module Dependabot
           if index < index_to_update
             version_to_be_permitted.segments[index]
           elsif index == index_to_update
-            version_to_be_permitted.segments[index] + 1
+            version_to_be_permitted.segments[index].to_i + 1
           else
             0
           end
@@ -173,10 +206,12 @@ module Dependabot
         requirement_class.new("#{op} #{new_segments.join('.')}")
       end
 
+      sig { returns(T.class_of(Dependabot::Terraform::Version)) }
       def version_class
         Version
       end
 
+      sig { returns(T.class_of(Dependabot::Terraform::Requirement)) }
       def requirement_class
         Requirement
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.276.0
+  version: 0.277.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-09-19 00:00:00.000000000 Z
+date: 2024-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.276.0
+        version: 0.277.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.276.0
+        version: 0.277.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -260,7 +260,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.276.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.277.0
 post_install_message: 
 rdoc_options: []
 require_paths: