Class: Dependabot::Gradle::Package::PackageDetailsFetcher

Inherits:
Object
Extended by:
T::Sig
Defined in:
lib/dependabot/gradle/package/package_details_fetcher.rb

Constant Summary

CENTRAL_REPO_URL =
"https://repo.maven.apache.org/maven2"
KOTLIN_PLUGIN_REPO_PREFIX =
"org.jetbrains.kotlin"
TYPE_SUFFICES =
%w(jre android java native_mt agp).freeze

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(dependency:, dependency_files:, credentials:, forbidden_urls:) ⇒ PackageDetailsFetcher



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 34

# Builds a fetcher for one Gradle dependency.
#
# @param dependency [Dependabot::Dependency] the dependency whose versions are looked up
# @param dependency_files [Array] the project's dependency files (objects responding to #name)
# @param credentials [Array<Hash>] credential hashes; only those of type "maven_repository" are used
# @param forbidden_urls [Array<String>] shared list that #check_response appends
#   repository URLs to when they answer 401/403
def initialize(dependency:, dependency_files:, credentials:, forbidden_urls:)
  # Inputs, exposed through the read-only attribute readers.
  @dependency = dependency
  @credentials = credentials
  @dependency_files = dependency_files
  @forbidden_urls = forbidden_urls

  # Lazily populated caches (see #repositories, #google_version_details and
  # #dependency_repository_details); nil until first use.
  @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @dependency_repository_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @google_version_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
end

Instance Attribute Details

#credentials ⇒ Object (readonly)

Returns the value of attribute credentials.



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 52

# The credential hashes this fetcher was built with (read-only).
#
# @return [Array<Hash>] as passed to #initialize
def credentials
  @credentials
end

#dependency ⇒ Object (readonly)

Returns the value of attribute dependency.



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 46

# The dependency whose versions are being fetched (read-only).
#
# @return [Dependabot::Dependency] as passed to #initialize
def dependency
  @dependency
end

#dependency_files ⇒ Object (readonly)

Returns the value of attribute dependency_files.



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 49

# The project's dependency files (read-only); looked up by #name in #pom
# and #dependency_repository_details.
#
# @return [Array] as passed to #initialize
def dependency_files
  @dependency_files
end

#forbidden_urls ⇒ Object (readonly)

Returns the value of attribute forbidden_urls.



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 55

# Repository URLs that answered 401/403 so far (read-only view of the list
# passed to #initialize; #check_response appends to it).
#
# @return [Array<String>]
def forbidden_urls
  @forbidden_urls
end

Instance Method Details

#auth_headers(maven_repo_url) ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 400

# Auth headers to send to +maven_repo_url+, resolved from the credentials.
#
# @param maven_repo_url [String] repository base URL
# @return [Hash] whatever AuthHeadersFinder#auth_headers returns for that URL
def auth_headers(maven_repo_url)
  finder = auth_headers_finder
  finder.auth_headers(maven_repo_url)
end

#auth_headers_finder ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 392

# The AuthHeadersFinder built from #credentials, created on first use and
# then reused.
#
# @return [Dependabot::Maven::Utils::AuthHeadersFinder]
def auth_headers_finder
  return @auth_headers_finder if @auth_headers_finder

  @auth_headers_finder = T.let(
    Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials),
    T.nilable(Dependabot::Maven::Utils::AuthHeadersFinder)
  )
end

#central_repo_urls ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 378

# Maven Central's URL in both http and https forms, so #check_response and
# the metadata fetchers recognise Central whichever scheme a URL uses.
#
# @return [Array<String>] ["http://<central>", "https://<central>"]
def central_repo_urls
  central_without_scheme =
    Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL.gsub(%r{^.*://}, "")

  ["http://#{central_without_scheme}", "https://#{central_without_scheme}"]
end

#check_response(response, repository_url) ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 257

# Records +repository_url+ as forbidden when +response+ is an auth failure.
#
# Only 401/403 responses count. A URL is recorded at most once, and Maven
# Central's URLs are never recorded. #fetch_available_versions later raises
# PrivateSourceAuthenticationFailure from this list when no versions were found.
#
# @param response [#status] the registry response
# @param repository_url [String] the repository the request was sent to
# @return [void]
def check_response(response, repository_url)
  auth_failure = [401, 403].include?(response.status)
  return unless auth_failure

  forbidden = T.must(@forbidden_urls)
  already_known = forbidden.include?(repository_url) || central_repo_urls.include?(repository_url)
  forbidden << repository_url unless already_known
end

#credentials_repository_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 266

# Repository entries derived from the configured credentials.
#
# Only credentials of type "maven_repository" are considered. Each entry
# carries the URL with trailing slashes removed and the auth headers
# resolved for that URL.
#
# @return [Array<Hash{String => Object}>] "url" / "auth_headers" entries
def credentials_repository_details
  maven_credentials = credentials.select { |cred| cred["type"] == "maven_repository" }

  maven_credentials.map do |cred|
    repository_url = cred.fetch("url").gsub(%r{/+$}, "")
    { "url" => repository_url, "auth_headers" => auth_headers(repository_url) }
  end
end

#dependency_metadata(repository_details) ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 208

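# Fetches and parses the maven-metadata.xml for the dependency in one repository.
#
# Results are memoized per repository_details hash, so each repository is
# requested once per fetcher. A 401/403 is reported to #check_response before
# parsing. Invalid URLs and unreachable repositories yield an empty document,
# except that network errors against Maven Central are re-raised.
#
# @param repository_details [Hash{String => Object}] "url" and "auth_headers"
# @return [Nokogiri::XML::Document] parsed metadata, or an empty document on failure
def dependency_metadata(repository_details)
  # NOTE(review): the rendered listing had dropped these identifiers; the method
  # name is taken from the page's own method header and the cache name follows it.
  @dependency_metadata ||= T.let({}, T.nilable(T::Hash[Integer, T.untyped]))
  @dependency_metadata[repository_details.hash] ||=
    begin
      response = Dependabot::RegistryClient.get(
        url: dependency_metadata_url(repository_details.fetch("url")),
        headers: repository_details.fetch("auth_headers")
      )

      check_response(response, repository_details.fetch("url"))
      Nokogiri::XML(response.body)
    rescue URI::InvalidURIError
      Nokogiri::XML("")
    rescue Excon::Error::Socket, Excon::Error::Timeout,
           Excon::Error::TooManyRedirects
      # Central being unreachable is a hard failure; other repositories are best effort.
      raise if central_repo_urls.include?(repository_details["url"])

      Nokogiri::XML("")
    end
end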

#dependency_metadata_url(repository_url) ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 340

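# URL of the maven-metadata.xml for this dependency under +repository_url+.
#
# Kotlin plugins are published under the Kotlin plugin group prefix, so the
# group id is prefixed before being turned into a path.
#
# @param repository_url [String] repository base URL without a trailing slash
# @return [String] "<repository_url>/<group path>/<artifact_id>/maven-metadata.xml"
def dependency_metadata_url(repository_url)
  # NOTE(review): the rendered listing had dropped the method name; it is
  # restored from the page's own method header.
  group_id, artifact_id = group_and_artifact_ids
  group_id = "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{group_id}" if kotlin_plugin?

  "#{repository_url}/" \
    "#{T.must(group_id).tr('.', '/')}/" \
    "#{artifact_id}/" \
    "maven-metadata.xml"
end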

#dependency_repository_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 278

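# Repository entries declared for the files that require this dependency.
#
# For every file named in the dependency's requirements, RepositoriesFinder is
# asked for that file's repository URLs; each becomes an entry without auth
# headers. The result is memoized in @dependency_repository_details, and the
# early return means the requirement files are only resolved on the first call.
#
# @return [Array<Hash{String => Object}>] unique "url" / "auth_headers" entries
def dependency_repository_details
  return @dependency_repository_details if @dependency_repository_details

  requirement_files =
    dependency.requirements
              .map { |requirement| requirement.fetch(:file) }
              .map { |name| dependency_files.find { |file| file.name == name } }

  @dependency_repository_details =
    requirement_files.flat_map do |target_file|
      finder = Gradle::FileParser::RepositoriesFinder.new(
        dependency_files: dependency_files,
        target_dependency_file: target_file
      )
      finder.repository_urls.map { |url| { "url" => url, "auth_headers" => {} } }
    end.uniq
end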

#distribution? ⇒ Boolean



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 373

# Whether the dependency's requirements describe a Gradle distribution,
# as judged by Distributions.distribution_requirements?.
#
# @return [Boolean]
def distribution?
  requirements = dependency.requirements
  Distributions.distribution_requirements?(requirements)
end

#distribution_repository_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 305

# The single repository entry used for Gradle distribution lookups.
#
# @return [Array<Hash{String => Object}>] one entry with empty auth headers
def distribution_repository_details
  entry = {
    "url" => Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL,
    "auth_headers" => {}
  }
  [entry]
end

#distribution_version_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 159

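# Available Gradle distribution versions, gated on the gradle_wrapper_updater
# experiment.
#
# Returns nil rather than raising when the experiment is off or the list cannot
# be fetched, so callers simply see no distribution versions; the failure is
# logged so a broken fetch does not disappear silently.
#
# @return [Array<Hash{Symbol => Object}>, nil] :version, :released_at (Time or nil)
#   and :source_url per entry
def distribution_version_details
  return nil unless Experiments.enabled?(:gradle_wrapper_updater)

  DistributionsFetcher.available_versions.map do |info|
    # An unparsable build time only loses the release date, not the version.
    release_date = begin
      Time.parse(info[:build_time])
    rescue StandardError
      nil
    end

    {
      version: info[:version],
      released_at: release_date,
      source_url: Distributions::DISTRIBUTION_REPOSITORY_URL
    }
  end
rescue StandardError => e
  # Best effort: keep the nil contract but leave a trace for diagnosis.
  Dependabot.logger.error("Failed to fetch Gradle distribution versions: #{e.class}")
  nil
end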

#fetch_available_versions ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 61

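# Collects every version of the dependency published by any of #repositories.
#
# The distribution repository and Google's Maven repository have their own
# lookups; every other repository is asked for its maven-metadata.xml. The
# versions are sorted ascending and, for Maven Central, paired with the release
# dates from #release_details.
#
# @return [Array<Hash{Symbol => Object}>] :version (Gradle::Version),
#   :released_at (Time or nil) and :source_url per release
# @raise [PrivateSourceAuthenticationFailure] when no versions were found and at
#   least one repository answered 401/403
def fetch_available_versions
  version_details =
    repositories.map do |repository_details|
      url = repository_details.fetch("url")

      next distribution_version_details if url == Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL
      next google_version_details if url == Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO

      # NOTE(review): identifier restored from the page's #dependency_metadata header.
      dependency_metadata(repository_details).css("versions > version")
                                             .select { |node| version_class.correct?(node.content) }
                                             .map { |node| version_class.new(node.content) }
                                             .map { |version| { version: version, source_url: url } }
    end.flatten.compact

  version_details = version_details.sort_by { |details| details.fetch(:version) }
  release_date_info = release_details

  package_releases = version_details.map do |info|
    version = info[:version]&.to_s

    {
      version: Gradle::Version.new(version),
      # Distribution entries carry their own date; Central versions use the scraped one.
      released_at: info[:released_at] || release_date_info[version]&.fetch(:release_date),
      source_url: info[:source_url]
    }
  end

  # No versions after an auth failure means they live behind a repository we
  # could not authenticate to; report that rather than "no versions".
  if version_details.none? && T.must(forbidden_urls).any?
    raise PrivateSourceAuthenticationFailure,
          T.must(forbidden_urls).first
  end

  package_releases
end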

#google_version_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 180

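# Versions of the dependency listed in Google's Maven repository group index.
#
# The group's group-index.xml is fetched once and cached in
# @google_version_details; the artifact's comma-separated "versions" attribute
# is then filtered through version_class.correct?.
#
# @return [Array<Hash{Symbol => Object}>, nil] :version / :source_url entries, or
#   nil when the artifact is absent from the index or the XPath is not valid
def google_version_details
  url = Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO
  group_id, artifact_id = group_and_artifact_ids

  # NOTE(review): the rendered listing had dropped this local's name; it is only
  # used within this method, so any name is equivalent.
  group_index_url = "#{Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO}/" \
                    "#{T.must(group_id).tr('.', '/')}/" \
                    "group-index.xml"

  # NOTE(review): #initialize declares this ivar as a nilable Array of Hash, but a
  # parsed Nokogiri document is stored here; the declaration and the use disagree.
  @google_version_details ||=
    begin
      response = Dependabot::RegistryClient.get(url: group_index_url)
      Nokogiri::XML(response.body)
    end

  # Evaluate the XPath once instead of once for the guard and once for the read.
  artifact_node = @google_version_details.at_xpath("/#{group_id}/#{artifact_id}")
  return unless artifact_node

  artifact_node.attributes.fetch("versions")
               .value.split(",")
               .select { |v| version_class.correct?(v) }
               .map { |v| version_class.new(v) }
               .map { |version| { version: version, source_url: url } }
rescue Nokogiri::XML::XPath::SyntaxError
  nil
end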

#group_and_artifact_ids ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 351

# Splits the dependency name into [group_id, artifact_id].
#
# Plugins are addressed by plugin id: the group is the id itself and the
# artifact is "<id>.gradle.plugin", prefixed with the Kotlin plugin group for
# Kotlin plugins. Any other dependency name is split on ":".
#
# @return [Array<String>] two elements for plugins, the ":"-split name otherwise
def group_and_artifact_ids
  name = dependency.name
  return [name, "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{name}.gradle.plugin"] if kotlin_plugin?
  return [name, "#{name}.gradle.plugin"] if plugin?

  name.split(":")
end

#kotlin_plugin? ⇒ Boolean



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 368

# Whether this is a plugin dependency whose requirements list the "kotlin" group.
#
# @return [Boolean]
def kotlin_plugin?
  return false unless plugin?

  dependency.requirements.any? { |requirement| requirement.fetch(:groups).include?("kotlin") }
end

#matches_dependency_version_type?(comparison_version) ⇒ Boolean



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 313

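# Whether +comparison_version+ carries the same type suffix as the current version.
#
# A version is split on "." and "-" (after normalising "native-mt" to
# "native_mt") and its type is the first segment containing one of
# VersionFinder::TYPE_SUFFICES, or nil when there is none. Both sides must
# agree, so two untyped versions also match. With no current version anything
# matches.
#
# @param comparison_version [#to_s] the candidate version
# @return [Boolean]
def matches_dependency_version_type?(comparison_version)
  return true unless dependency.version

  # One extractor for both sides, instead of the same chain written twice.
  type_of = lambda do |version_string|
    version_string
      .gsub("native-mt", "native_mt")
      .split(/[.\-]/)
      .find do |segment|
        Dependabot::Gradle::UpdateChecker::VersionFinder::TYPE_SUFFICES.any? { |suffix| segment.include?(suffix) }
      end
  end

  current_type = type_of.call(T.must(dependency.version))
  candidate_type = type_of.call(comparison_version.to_s)

  current_type == candidate_type
end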

#plugin? ⇒ Boolean



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 363

# Whether any requirement lists this dependency in the "plugins" group.
#
# @return [Boolean]
def plugin?
  dependency.requirements.any? do |requirement|
    requirement.fetch(:groups).include?("plugins")
  end
end

#plugin_repository_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 297

# Repositories consulted for plugin dependencies: the Gradle plugins
# repository first, then whatever the build files declare.
#
# @return [Array<Hash{String => Object}>] "url" / "auth_headers" entries
def plugin_repository_details
  plugins_repository = {
    "url" => Gradle::FileParser::RepositoriesFinder::GRADLE_PLUGINS_REPO,
    "auth_headers" => {}
  }
  [plugins_repository, *dependency_repository_details]
end

#pom ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 334

# The dependency file named by the dependency's first requirement.
#
# @return [Object, nil] the matching entry of #dependency_files, or nil if none has that name
def pom
  first_requirement = T.must(dependency.requirements.first)
  wanted_name = first_requirement.fetch(:file)
  dependency_files.find { |file| file.name == wanted_name }
end

#release_details ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 103

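# Release dates for the versions listed in Maven Central's directory index.
#
# Only the repository whose URL equals CENTRAL_REPO_URL is scraped: each link
# whose title is a valid version ("<version>/") is paired with the date text
# that follows it. Any failure is logged and yields an empty hash, so missing
# dates never block a version lookup.
#
# @return [Hash{String => Hash{Symbol => Time, nil}}] version => { release_date: }
def release_details
  release_date_info = T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])

  repositories.each do |repository_details|
    url = repository_details.fetch("url")
    next unless url == Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL

    # NOTE(review): identifier restored from the page's #release_info_metadata header.
    release_info_metadata(repository_details).css("a[title]").each do |link|
      # A missing title becomes "" and is rejected below instead of raising.
      version = link["title"].to_s.gsub(%r{/$}, "")
      # Skip non-version links before touching their sibling text.
      next unless version_class.correct?(version)

      raw_date_text = link.next.text.strip.split("\n").last.strip
      release_date = begin
        Time.parse(raw_date_text)
      rescue StandardError
        nil
      end

      release_date_info[version] = { release_date: release_date }
    end
  end

  release_date_info
rescue StandardError
  Dependabot.logger.error("Failed to get release date")
  {}
end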

#release_info_metadata(repository_details) ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 230

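# Fetches the repository page that #release_details scrapes for release dates.
#
# Its URL is the metadata URL with "maven-metadata.xml" stripped, so the auth
# headers and the 401/403 bookkeeping match #dependency_metadata. Memoized per
# repository_details hash; invalid URLs and unreachable repositories yield an
# empty document, except that network errors against Maven Central are re-raised.
#
# @param repository_details [Hash{String => Object}] "url" and "auth_headers"
# @return [Nokogiri::XML::Document]
def release_info_metadata(repository_details)
  # NOTE(review): the rendered listing had dropped these identifiers; the method
  # name is taken from the page's own method header and the cache name follows it.
  @release_info_metadata ||= T.let({}, T.nilable(T::Hash[Integer, T.untyped]))
  @release_info_metadata[repository_details.hash] ||=
    begin
      response = Dependabot::RegistryClient.get(
        url: dependency_metadata_url(repository_details.fetch("url")).gsub("maven-metadata.xml", ""),
        headers: repository_details.fetch("auth_headers")
      )

      check_response(response, repository_details.fetch("url"))
      Nokogiri::XML(response.body)
    rescue URI::InvalidURIError
      Nokogiri::XML("")
    rescue Excon::Error::Socket, Excon::Error::Timeout,
           Excon::Error::TooManyRedirects
      # Central being unreachable is a hard failure; other repositories are best effort.
      raise if central_repo_urls.include?(repository_details["url"])

      Nokogiri::XML("")
    end
end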

#repositories ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 138

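# The repositories to query for this dependency, memoized in @repositories.
#
# Distributions use only the distribution repository; plugins get the plugin
# repositories plus the credentialed ones; everything else gets the build-file
# repositories plus the credentialed ones. When the same URL appears both with
# and without auth headers, the entry without them is dropped so that only the
# authenticated variant is requested.
#
# @return [Array<Hash{String => Object}>] "url" / "auth_headers" entries
def repositories
  return @repositories if @repositories

  details = if distribution?
              distribution_repository_details
            elsif plugin?
              plugin_repository_details + credentials_repository_details
            else
              dependency_repository_details + credentials_repository_details
            end

  @repositories =
    details.reject do |repo|
      headers = repo["auth_headers"]
      # Entries that carry auth headers are always kept. A bare `next if headers`
      # kept the empty ones as well, because `{}` is truthy in Ruby, which made
      # the de-duplication below unreachable.
      next false if headers && !headers.empty?

      # Drop this unauthenticated entry when the same URL also appears with auth headers.
      details.any? do |other|
        other["url"] == repo["url"] && other["auth_headers"] && !other["auth_headers"].empty?
      end
    end
end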

#repository_urls ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 252

# Repository entries without the credential-derived ones: the plugin
# repositories for plugins, the build-file repositories otherwise.
#
# @return [Array<Hash{String => Object}>]
def repository_urls
  if plugin?
    plugin_repository_details
  else
    dependency_repository_details
  end
end

#version_class ⇒ Object



# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 387

# The version class the dependency uses; its .correct? and .new validate and
# build versions throughout this fetcher.
#
# @return [Class]
def version_class
  klass = dependency.version_class
  klass
end