Class: Dependabot::Gradle::Package::PackageDetailsFetcher

Inherits:

Object

• Object
• Dependabot::Gradle::Package::PackageDetailsFetcher

Extended by:

T::Sig

Defined in:

lib/dependabot/gradle/package/package_details_fetcher.rb

Constant Summary

CENTRAL_REPO_URL =

"https://repo.maven.apache.org/maven2"

KOTLIN_PLUGIN_REPO_PREFIX =

"org.jetbrains.kotlin"

TYPE_SUFFICES =

%w(jre android java native_mt agp).freeze

Instance Attribute Summary

• #credentials ⇒ Object readonly

  Returns the value of attribute credentials.

• #dependency ⇒ Object readonly

  Returns the value of attribute dependency.

• #dependency_files ⇒ Object readonly

  Returns the value of attribute dependency_files.

• #forbidden_urls ⇒ Object readonly

  Returns the value of attribute forbidden_urls.

Instance Method Summary

• #auth_headers(maven_repo_url) ⇒ Object
• #auth_headers_finder ⇒ Object
• #central_repo_urls ⇒ Object
• #check_response(response, repository_url) ⇒ Object
• #credentials_repository_details ⇒ Object
• #dependency_metadata(repository_details) ⇒ Object
• #dependency_metadata_url(repository_url) ⇒ Object
• #dependency_repository_details ⇒ Object
• #distribution? ⇒ Boolean
• #distribution_repository_details ⇒ Object
• #distribution_version_details ⇒ Object
• #fetch_available_versions ⇒ Object
• #google_version_details ⇒ Object
• #group_and_artifact_ids ⇒ Object
• #initialize(dependency:, dependency_files:, credentials:, forbidden_urls:) ⇒ PackageDetailsFetcher constructor

  A new instance of PackageDetailsFetcher.

• #kotlin_plugin? ⇒ Boolean
• #matches_dependency_version_type?(comparison_version) ⇒ Boolean
• #plugin? ⇒ Boolean
• #plugin_repository_details ⇒ Object
• #pom ⇒ Object
• #release_details ⇒ Object
• #release_info_metadata(repository_details) ⇒ Object
• #repositories ⇒ Object
• #repository_urls ⇒ Object
• #version_class ⇒ Object

Constructor Details

#initialize(dependency:, dependency_files:, credentials:, forbidden_urls:) ⇒ PackageDetailsFetcher

Returns a new instance of PackageDetailsFetcher.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 35

def initialize(dependency:, dependency_files:, credentials:, forbidden_urls:)
  @dependency = dependency
  @dependency_files = dependency_files
  @credentials = credentials
  @forbidden_urls = forbidden_urls

  @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @google_version_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @dependency_repository_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
end

Instance Attribute Details

#credentials ⇒ Object (readonly)

Returns the value of attribute credentials.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 53

def credentials
  @credentials
end

#dependency ⇒ Object (readonly)

Returns the value of attribute dependency.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 47

def dependency
  @dependency
end

#dependency_files ⇒ Object (readonly)

Returns the value of attribute dependency_files.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 50

def dependency_files
  @dependency_files
end

#forbidden_urls ⇒ Object (readonly)

Returns the value of attribute forbidden_urls.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 56

def forbidden_urls
  @forbidden_urls
end

Instance Method Details

#auth_headers(maven_repo_url) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 382

def auth_headers(maven_repo_url)
  auth_headers_finder.auth_headers(maven_repo_url)
end

#auth_headers_finder ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 374

def auth_headers_finder
  @auth_headers_finder ||= T.let(
    Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials),
    T.nilable(Dependabot::Maven::Utils::AuthHeadersFinder)
  )
end

#central_repo_urls ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 360

def central_repo_urls
  central_url_without_protocol =
    Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
    .gsub(%r{^.*://}, "")

  %w(http:// https://).map { |p| p + central_url_without_protocol }
end

#check_response(response, repository_url) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 239

def check_response(response, repository_url)
  return unless response.status == 401 || response.status == 403
  return if T.must(@forbidden_urls).include?(repository_url)
  return if central_repo_urls.include?(repository_url)

  T.must(@forbidden_urls) << repository_url
end

#credentials_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 248

def credentials_repository_details
  credentials
    .select { |cred| cred["type"] == "maven_repository" }
    .map do |cred|
    {
      "url" => cred.fetch("url").gsub(%r{/+$}, ""),
      "auth_headers" => auth_headers(cred.fetch("url").gsub(%r{/+$}, ""))
    }
  end
end

#dependency_metadata(repository_details) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 188

def dependency_metadata(repository_details)
  @dependency_metadata ||= T.let({}, T.nilable(T::Hash[T.untyped, T.untyped]))
  @dependency_metadata[repository_details.hash] ||=
    begin
      response = Dependabot::RegistryClient.get(
        url: dependency_metadata_url(repository_details.fetch("url")),
        headers: repository_details.fetch("auth_headers")
      )

      check_response(response, repository_details.fetch("url"))
      Nokogiri::XML(response.body)
    rescue URI::InvalidURIError
      Nokogiri::XML("")
    rescue Excon::Error::Socket, Excon::Error::Timeout,
           Excon::Error::TooManyRedirects
      raise if central_repo_urls.include?(repository_details["url"])

      Nokogiri::XML("")
    end
end

#dependency_metadata_url(repository_url) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 322

def dependency_metadata_url(repository_url)
  group_id, artifact_id = group_and_artifact_ids
  group_id = "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{group_id}" if kotlin_plugin?

  "#{repository_url}/" \
    "#{T.must(group_id).tr('.', '/')}/" \
    "#{artifact_id}/" \
    "maven-metadata.xml"
end

#dependency_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 260

def dependency_repository_details
  requirement_files =
    dependency.requirements
              .map { |r| r.fetch(:file) }
              .map { |nm| dependency_files.find { |f| f.name == nm } }

  @dependency_repository_details ||=
    requirement_files.flat_map do |target_file|
      Gradle::FileParser::RepositoriesFinder.new(
        dependency_files: dependency_files,
        target_dependency_file: target_file
      ).repository_urls
                                            .map do |url|
        { "url" => url, "auth_headers" => {} }
      end
    end.uniq
end

#distribution? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 355

def distribution?
  Distributions.distribution_requirements?(dependency.requirements)
end

#distribution_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 287

def distribution_repository_details
  [{
    "url" => Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL,
    "auth_headers" => {}
  }]
end

#distribution_version_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 139

def distribution_version_details
  return nil unless Experiments.enabled?(:gradle_wrapper_updater)

  DistributionsFetcher.available_versions.map do |info|
    release_date = begin
      Time.parse(info[:build_time])
    rescue StandardError
      nil
    end

    {
      version: info[:version],
      released_at: release_date,
      source_url: Distributions::DISTRIBUTION_REPOSITORY_URL
    }
  end
rescue StandardError
  nil
end

#fetch_available_versions ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 62

def fetch_available_versions
  T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])
  package_releases = T.let([], T::Array[T::Hash[String, T.untyped]])

  version_details =
    repositories.map do |repository_details|
      url = repository_details.fetch("url")

      next distribution_version_details if url == Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL
      next google_version_details if url == Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO

      dependency_metadata(repository_details).css("versions > version")
                                             .select { |node| version_class.correct?(node.content) }
                                             .map { |node| version_class.new(node.content) }
                                             .map do |version|
        { version: version, source_url: url }
      end
    end.flatten.compact

  version_details = version_details.sort_by { |details| details.fetch(:version) }
  release_date_info = release_details

  version_details.map do |info|
    version = info[:version]&.to_s

    package_releases << {
      version: Gradle::Version.new(version),
      released_at: info[:released_at] || release_date_info[version]&.fetch(:release_date),
      source_url: info[:source_url]
    }
  end
  if version_details.none? && T.must(forbidden_urls).any?
    raise PrivateSourceAuthenticationFailure,
          T.must(forbidden_urls).first
  end
  # version_details

  package_releases
end

#google_version_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 160

def google_version_details
  url = Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO
  group_id, artifact_id = group_and_artifact_ids

  dependency_metadata_url = "#{Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO}/" \
                            "#{T.must(group_id).tr('.', '/')}/" \
                            "group-index.xml"

  @google_version_details ||=
    begin
      response = Dependabot::RegistryClient.get(url: dependency_metadata_url)
      Nokogiri::XML(response.body)
    end

  xpath = "/#{group_id}/#{artifact_id}"
  return unless @google_version_details.at_xpath(xpath)

  @google_version_details.at_xpath(xpath)
                         .attributes.fetch("versions")
                         .value.split(",")
                         .select { |v| version_class.correct?(v) }
                         .map { |v| version_class.new(v) }
                         .map { |version| { version: version, source_url: url } }
rescue Nokogiri::XML::XPath::SyntaxError
  nil
end

#group_and_artifact_ids ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 333

def group_and_artifact_ids
  if kotlin_plugin?
    [dependency.name,
     "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}.gradle.plugin"]
  elsif plugin?
    [dependency.name, "#{dependency.name}.gradle.plugin"]
  else
    dependency.name.split(":")
  end
end

#kotlin_plugin? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 350

def kotlin_plugin?
  plugin? && dependency.requirements.any? { |r| r.fetch(:groups).include? "kotlin" }
end

#matches_dependency_version_type?(comparison_version) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 295

def matches_dependency_version_type?(comparison_version)
  return true unless dependency.version

  current_type = T.must(dependency.version)
                  .gsub("native-mt", "native_mt")
                  .split(/[.\-]/)
                  .find do |type|
    Dependabot::Gradle::UpdateChecker::VersionFinder::TYPE_SUFFICES.find { |s| type.include?(s) }
  end

  version_type = comparison_version.to_s
                                   .gsub("native-mt", "native_mt")
                                   .split(/[.\-]/)
                                   .find do |type|
    Dependabot::Gradle::UpdateChecker::VersionFinder::TYPE_SUFFICES.find { |s| type.include?(s) }
  end

  current_type == version_type
end

#plugin? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 345

def plugin?
  dependency.requirements.any? { |r| r.fetch(:groups).include? "plugins" }
end

#plugin_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 279

def plugin_repository_details
  [{
    "url" => Gradle::FileParser::RepositoriesFinder::GRADLE_PLUGINS_REPO,
    "auth_headers" => {}
  }] + dependency_repository_details
end

#pom ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 316

def pom
  filename = T.must(dependency.requirements.first).fetch(:file)
  dependency_files.find { |f| f.name == filename }
end

#release_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 104

def release_details
  extractor = ReleaseDateExtractor.new(
    dependency_name: dependency.name,
    version_class: version_class
  )

  extractor.extract(
    repositories: repositories,
    dependency_metadata_fetcher: ->(repo) { dependency_metadata(repo) },
    release_info_metadata_fetcher: ->(repo) { release_info_metadata(repo) }
  )
end

#release_info_metadata(repository_details) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 212

def release_info_metadata(repository_details)
  @release_info_metadata ||= T.let({}, T.nilable(T::Hash[Integer, T.untyped]))
  @release_info_metadata[repository_details.hash] ||=
    begin
      response = Dependabot::RegistryClient.get(
        url: dependency_metadata_url(repository_details.fetch("url")).gsub("maven-metadata.xml", ""),
        headers: repository_details.fetch("auth_headers")
      )

      check_response(response, repository_details.fetch("url"))
      Nokogiri::HTML(response.body)
    rescue URI::InvalidURIError
      Nokogiri::HTML("")
    rescue Excon::Error::Socket, Excon::Error::Timeout,
           Excon::Error::TooManyRedirects
      raise if central_repo_urls.include?(repository_details["url"])

      Nokogiri::HTML("")
    end
end

#repositories ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 118

def repositories
  return @repositories if @repositories

  details = if distribution?
              distribution_repository_details
            elsif plugin?
              plugin_repository_details + credentials_repository_details
            else
              dependency_repository_details + credentials_repository_details
            end

  @repositories =
    details.reject do |repo|
      next if repo["auth_headers"]

      # Reject this entry if an identical one with non-empty auth_headers exists
      details.any? { |r| r["url"] == repo["url"] && r["auth_headers"] != {} }
    end
end

#repository_urls ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 234

def repository_urls
  plugin? ? plugin_repository_details : dependency_repository_details
end

#version_class ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 369

def version_class
  dependency.version_class
end