Class: Dependabot::Gradle::Package::PackageDetailsFetcher

Inherits:

Object

• Object
• Dependabot::Gradle::Package::PackageDetailsFetcher

Extended by:

T::Sig

Defined in:

lib/dependabot/gradle/package/package_details_fetcher.rb

Constant Summary

CENTRAL_REPO_URL =

"https://repo.maven.apache.org/maven2"

KOTLIN_PLUGIN_REPO_PREFIX =

"org.jetbrains.kotlin"

TYPE_SUFFICES =

%w(jre android java native_mt agp).freeze

Instance Attribute Summary

• #credentials ⇒ Object readonly

  Returns the value of attribute credentials.

• #dependency ⇒ Object readonly

  Returns the value of attribute dependency.

• #dependency_files ⇒ Object readonly

  Returns the value of attribute dependency_files.

• #forbidden_urls ⇒ Object readonly

  Returns the value of attribute forbidden_urls.

Instance Method Summary

• #auth_headers(maven_repo_url) ⇒ Object
• #auth_headers_finder ⇒ Object
• #build_release_with_date(release, release_date) ⇒ Object
• #central_repo_urls ⇒ Object
• #check_response(response, repository_url) ⇒ Object
• #credentials_repository_details ⇒ Object
• #dependency_metadata(repository_details) ⇒ Object
• #dependency_metadata_url(repository_url) ⇒ Object
• #dependency_repository_details ⇒ Object
• #distribution? ⇒ Boolean
• #distribution_repository_details ⇒ Object
• #distribution_version_details ⇒ Object
• #fetch_available_versions ⇒ Object
• #fetch_release_metadata(release:) ⇒ Object
• #google_version_details ⇒ Object
• #group_and_artifact_ids ⇒ Object
• #initialize(dependency:, dependency_files:, credentials:, forbidden_urls:) ⇒ PackageDetailsFetcher constructor

  A new instance of PackageDetailsFetcher.

• #kotlin_plugin? ⇒ Boolean
• #matches_dependency_version_type?(comparison_version) ⇒ Boolean
• #plugin? ⇒ Boolean
• #plugin_repository_details ⇒ Object
• #plugin_version_pom_url(repository_url, version) ⇒ Object
• #pom ⇒ Object
• #release_details ⇒ Object
• #release_info_metadata(repository_details) ⇒ Object
• #repositories ⇒ Object
• #repository_urls ⇒ Object
• #version_class ⇒ Object
• #version_release_date_fallback(version) ⇒ Object
• #version_release_date_fallback_fetcher ⇒ Object

Constructor Details

#initialize(dependency:, dependency_files:, credentials:, forbidden_urls:) ⇒ PackageDetailsFetcher

Returns a new instance of PackageDetailsFetcher.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 61

def initialize(dependency:, dependency_files:, credentials:, forbidden_urls:)
  @dependency = dependency
  @dependency_files = dependency_files
  @credentials = credentials
  @forbidden_urls = forbidden_urls
  @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @google_version_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @dependency_repository_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
  @release_details = T.let(nil, T.nilable(T::Hash[String, T::Hash[Symbol, T.untyped]]))
  @version_release_date_fallback_fetcher = T.let(nil, T.nilable(VersionReleaseDateFallbackFetcher))
end

Instance Attribute Details

#credentials ⇒ Object (readonly)

Returns the value of attribute credentials.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 80

def credentials
  @credentials
end

#dependency ⇒ Object (readonly)

Returns the value of attribute dependency.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 74

def dependency
  @dependency
end

#dependency_files ⇒ Object (readonly)

Returns the value of attribute dependency_files.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 77

def dependency_files
  @dependency_files
end

#forbidden_urls ⇒ Object (readonly)

Returns the value of attribute forbidden_urls.

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 83

def forbidden_urls
  @forbidden_urls
end

Instance Method Details

#auth_headers(maven_repo_url) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 446

def auth_headers(maven_repo_url)
  auth_headers_finder.auth_headers(maven_repo_url)
end

#auth_headers_finder ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 438

def auth_headers_finder
  @auth_headers_finder ||= T.let(
    Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials),
    T.nilable(Dependabot::Maven::Utils::AuthHeadersFinder)
  )
end

#build_release_with_date(release, release_date) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 164

def build_release_with_date(release, release_date)
  Dependabot::Package::PackageRelease.new(
    version: release.version,
    released_at: release_date,
    latest: release.latest,
    yanked: release.yanked,
    yanked_reason: release.yanked_reason,
    downloads: release.downloads,
    url: release.url,
    package_type: release.package_type,
    language: release.language,
    tag: release.tag,
    details: release.details
  )
end

#central_repo_urls ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 424

def central_repo_urls
  central_url_without_protocol =
    Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
    .gsub(%r{^.*://}, "")

  %w(http:// https://).map { |p| p + central_url_without_protocol }
end

#check_response(response, repository_url) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 297

def check_response(response, repository_url)
  return unless response.status == 401 || response.status == 403
  return if T.must(@forbidden_urls).include?(repository_url)
  return if central_repo_urls.include?(repository_url)

  T.must(@forbidden_urls) << repository_url
end

#credentials_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 306

def credentials_repository_details
  credentials
    .select { |cred| cred["type"] == "maven_repository" }
    .map do |cred|
    {
      "url" => cred.fetch("url").gsub(%r{/+$}, ""),
      "auth_headers" => auth_headers(cred.fetch("url").gsub(%r{/+$}, ""))
    }
  end
end

#dependency_metadata(repository_details) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 248

def dependency_metadata(repository_details)
  @dependency_metadata ||= T.let({}, T.nilable(T::Hash[T.untyped, T.untyped]))
  @dependency_metadata[repository_details.hash] ||=
    begin
      response = EofRetry.get(
        url: dependency_metadata_url(repository_details.fetch("url")),
        headers: repository_details.fetch("auth_headers")
      )

      check_response(response, repository_details.fetch("url"))
      Nokogiri::XML(response.body)
    rescue URI::InvalidURIError
      Nokogiri::XML("")
    rescue Excon::Error::Socket, Excon::Error::Timeout,
           Excon::Error::TooManyRedirects
      raise if central_repo_urls.include?(repository_details["url"])

      Nokogiri::XML("")
    end
end

#dependency_metadata_url(repository_url) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 376

def dependency_metadata_url(repository_url)
  group_id, artifact_id = group_and_artifact_ids
  group_id = "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{group_id}" if kotlin_plugin?

  "#{repository_url}/" \
    "#{T.must(group_id).tr('.', '/')}/" \
    "#{artifact_id}/" \
    "maven-metadata.xml"
end

#dependency_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 318

def dependency_repository_details
  requirement_files =
    dependency.requirements
              .map { |r| r.fetch(:file) }
              .map { |nm| dependency_files.find { |f| f.name == nm } }

  @dependency_repository_details ||=
    requirement_files.flat_map do |target_file|
      Gradle::FileParser::RepositoriesFinder.new(
        dependency_files: dependency_files,
        target_dependency_file: target_file,
        credentials: credentials
      ).repository_urls
                                            .map do |url|
        { "url" => url, "auth_headers" => auth_headers(url) }
      end
    end.uniq
end

#distribution? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 409

def distribution?
  Distributions.distribution_requirements?(dependency.requirements)
end

#distribution_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 344

def distribution_repository_details
  [{ "url" => Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL, "auth_headers" => {} }]
end

#distribution_version_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 201

def distribution_version_details
  DistributionsFetcher.available_versions.map do |info|
    release_date = begin
      Time.parse(info[:build_time])
    rescue StandardError
      nil
    end

    {
      version: info[:version],
      released_at: release_date,
      source_url: Distributions::DISTRIBUTION_REPOSITORY_URL
    }
  end
rescue StandardError
  nil
end

#fetch_available_versions ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 87

def fetch_available_versions
  package_releases = T.let([], T::Array[T::Hash[String, T.untyped]])
  version_details =
    repositories.map do |repository_details|
      url = repository_details.fetch("url")
      next distribution_version_details if url == Gradle::Distributions::DISTRIBUTION_REPOSITORY_URL
      next google_version_details if url == Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO

      dependency_metadata(repository_details).css("versions > version")
                                             .select { |node| version_class.correct?(node.content) }
                                             .map { |node| version_class.new(node.content) }
                                             .map do |version|
        { version: version, source_url: url }
      end
    end.flatten.compact

  version_details = version_details.sort_by { |details| details.fetch(:version) }
  release_date_info = release_details
  version_details.each do |info|
    package_releases << {
      version: Gradle::Version.new(info[:version].to_s),
      released_at: info[:released_at] || release_date_info[info[:version].to_s]&.fetch(:release_date),
      source_url: info[:source_url]
    }
  end
  if version_details.none? && T.must(forbidden_urls).any?
    raise PrivateSourceAuthenticationFailure, T.must(forbidden_urls).first
  end

  package_releases
end

#fetch_release_metadata(release:) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 121

def fetch_release_metadata(release:)
  return release if release.released_at

  release_date = release_details[release.version.to_s]&.fetch(:release_date, nil)
  hydrated_release = build_release_with_date(release, release_date)

  return hydrated_release if hydrated_release.released_at || !plugin?

  build_release_with_date(hydrated_release, version_release_date_fallback(release.version.to_s))
end

#google_version_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 220

def google_version_details
  url = Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO
  group_id, artifact_id = group_and_artifact_ids

  dependency_metadata_url = "#{Gradle::FileParser::RepositoriesFinder::GOOGLE_MAVEN_REPO}/" \
                            "#{T.must(group_id).tr('.', '/')}/" \
                            "group-index.xml"

  @google_version_details ||=
    begin
      response = Dependabot::RegistryClient.get(url: dependency_metadata_url)
      Nokogiri::XML(response.body)
    end

  xpath = "/#{group_id}/#{artifact_id}"
  return unless @google_version_details.at_xpath(xpath)

  @google_version_details.at_xpath(xpath)
                         .attributes.fetch("versions")
                         .value.split(",")
                         .select { |v| version_class.correct?(v) }
                         .map { |v| version_class.new(v) }
                         .map { |version| { version: version, source_url: url } }
rescue Nokogiri::XML::XPath::SyntaxError
  nil
end

#group_and_artifact_ids ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 387

def group_and_artifact_ids
  if kotlin_plugin?
    [dependency.name,
     "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}.gradle.plugin"]
  elsif plugin?
    [dependency.name, "#{dependency.name}.gradle.plugin"]
  else
    dependency.name.split(":")
  end
end

#kotlin_plugin? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 404

def kotlin_plugin?
  plugin? && dependency.requirements.any? { |r| r.fetch(:groups).include? "kotlin" }
end

#matches_dependency_version_type?(comparison_version) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 349

def matches_dependency_version_type?(comparison_version)
  return true unless dependency.version

  current_type = T.must(dependency.version)
                  .gsub("native-mt", "native_mt")
                  .split(/[.\-]/)
                  .find do |type|
    Dependabot::Gradle::UpdateChecker::VersionFinder::TYPE_SUFFICES.find { |s| type.include?(s) }
  end

  version_type = comparison_version.to_s
                                   .gsub("native-mt", "native_mt")
                                   .split(/[.\-]/)
                                   .find do |type|
    Dependabot::Gradle::UpdateChecker::VersionFinder::TYPE_SUFFICES.find { |s| type.include?(s) }
  end

  current_type == version_type
end

#plugin? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 399

def plugin?
  dependency.requirements.any? { |r| r.fetch(:groups).include? "plugins" }
end

#plugin_repository_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 338

def plugin_repository_details
  [{ "url" => Gradle::FileParser::RepositoriesFinder::GRADLE_PLUGINS_REPO, "auth_headers" => {} }] +
    dependency_repository_details
end

#plugin_version_pom_url(repository_url, version) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 150

def plugin_version_pom_url(repository_url, version)
  group_id, artifact_id = group_and_artifact_ids
  group_id = "#{Dependabot::Gradle::MetadataFinder::KOTLIN_PLUGIN_REPO_PREFIX}.#{group_id}" if kotlin_plugin?
  pom_filename = "#{artifact_id}-#{version}.pom"
  File.join(repository_url, T.must(group_id).tr(".", "/"), artifact_id, version, pom_filename)
end

#pom ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 370

def pom
  filename = T.must(dependency.requirements.first).fetch(:file)
  dependency_files.find { |f| f.name == filename }
end

#release_details ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 133

def release_details
  @release_details ||= begin
    extractor = ReleaseDateExtractor.new(dependency_name: dependency.name, version_class: version_class)
    extractor.extract(
      repositories: repositories,
      dependency_metadata_fetcher: ->(repo) { dependency_metadata(repo) },
      release_info_metadata_fetcher: ->(repo) { release_info_metadata(repo) }
    )
  end
end

#release_info_metadata(repository_details) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 270

def release_info_metadata(repository_details)
  @release_info_metadata ||= T.let({}, T.nilable(T::Hash[Integer, T.untyped]))
  @release_info_metadata[repository_details.hash] ||=
    begin
      response = EofRetry.get(
        url: dependency_metadata_url(repository_details.fetch("url")).gsub("maven-metadata.xml", ""),
        headers: repository_details.fetch("auth_headers")
      )

      check_response(response, repository_details.fetch("url"))
      Nokogiri::HTML(response.body)
    rescue URI::InvalidURIError
      Nokogiri::HTML("")
    rescue Excon::Error::Socket, Excon::Error::Timeout,
           Excon::Error::TooManyRedirects
      raise if central_repo_urls.include?(repository_details["url"])

      Nokogiri::HTML("")
    end
end

#repositories ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 181

def repositories
  return @repositories if @repositories

  details = if distribution?
              distribution_repository_details
            elsif plugin?
              plugin_repository_details + credentials_repository_details
            else
              dependency_repository_details + credentials_repository_details
            end

  @repositories =
    details.reject do |repo|
      next if repo["auth_headers"]

      details.any? { |r| r["url"] == repo["url"] && r["auth_headers"] != {} }
    end
end

#repository_urls ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 292

def repository_urls
  plugin? ? plugin_repository_details : dependency_repository_details
end

#version_class ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 433

def version_class
  dependency.version_class
end

#version_release_date_fallback(version) ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 145

def version_release_date_fallback(version)
  version_release_date_fallback_fetcher.fetch(version)
end

#version_release_date_fallback_fetcher ⇒ Object

# File 'lib/dependabot/gradle/package/package_details_fetcher.rb', line 414

def version_release_date_fallback_fetcher
  @version_release_date_fallback_fetcher ||= VersionReleaseDateFallbackFetcher.new(
    dependency_name: dependency.name,
    repositories: repositories,
    forbidden_urls: T.must(forbidden_urls),
    pom_url_builder: ->(repository_url, version) { plugin_version_pom_url(repository_url, version) }
  )
end