Class: Dependabot::UpdateCheckers::Base

Inherits:
Object
  • Object
show all
Defined in:
lib/dependabot/update_checkers/base.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(dependency:, dependency_files:, repo_contents_path: nil, credentials:, ignored_versions: [], raise_on_ignored: false, security_advisories: [], requirements_update_strategy: nil, options: {}) ⇒ Base

Returns a new instance of Base.



15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# File 'lib/dependabot/update_checkers/base.rb', line 15

def initialize(dependency:, dependency_files:, repo_contents_path: nil,
               credentials:, ignored_versions: [],
               raise_on_ignored: false, security_advisories: [],
               requirements_update_strategy: nil,
               options: {})
  @dependency = dependency
  @dependency_files = dependency_files
  @repo_contents_path = repo_contents_path
  @credentials = credentials
  @requirements_update_strategy = requirements_update_strategy
  @ignored_versions = ignored_versions
  @raise_on_ignored = raise_on_ignored
  @security_advisories = security_advisories
  @options = options
end

Instance Attribute Details

#credentialsObject (readonly)

Returns the value of attribute credentials.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def credentials
  @credentials
end

#dependencyObject (readonly)

Returns the value of attribute dependency.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def dependency
  @dependency
end

#dependency_filesObject (readonly)

Returns the value of attribute dependency_files.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def dependency_files
  @dependency_files
end

#ignored_versionsObject (readonly)

Returns the value of attribute ignored_versions.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def ignored_versions
  @ignored_versions
end

#optionsObject (readonly)

Returns the value of attribute options.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def options
  @options
end

#raise_on_ignoredObject (readonly)

Returns the value of attribute raise_on_ignored.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def raise_on_ignored
  @raise_on_ignored
end

#repo_contents_pathObject (readonly)

Returns the value of attribute repo_contents_path.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def repo_contents_path
  @repo_contents_path
end

#requirements_update_strategyObject (readonly)

Returns the value of attribute requirements_update_strategy.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def requirements_update_strategy
  @requirements_update_strategy
end

#security_advisoriesObject (readonly)

Returns the value of attribute security_advisories.



10
11
12
# File 'lib/dependabot/update_checkers/base.rb', line 10

def security_advisories
  @security_advisories
end

Instance Method Details

#can_update?(requirements_to_unlock:) ⇒ Boolean

Returns:

  • (Boolean)


39
40
41
42
43
44
45
46
47
48
49
50
51
# File 'lib/dependabot/update_checkers/base.rb', line 39

def can_update?(requirements_to_unlock:)
  # Can't update if all versions are being ignored
  return false if ignore_requirements.include?(requirement_class.new(">= 0"))

  if dependency.version
    version_can_update?(requirements_to_unlock: requirements_to_unlock)
  else
    # TODO: Handle full unlock updates for dependencies without a lockfile
    return false if requirements_to_unlock == :none

    requirements_can_update?
  end
end

#conflicting_dependenciesArray<Hash{String => String}] name [String] the blocking dependencies name version [String] the version of the blocking dependency requirement [String] the requirement on the target_dependency

Finds any dependencies in the lockfile that have a subdependency on the given dependency that do not satisfy the target_version.

Returns:

  • (Array<Hash{String => String}] name [String] the blocking dependencies name version [String] the version of the blocking dependency requirement [String] the requirement on the target_dependency)

    Array<Hash=> String] name [String] the blocking dependencies name version [String] the version of the blocking dependency requirement [String] the requirement on the target_dependency



103
104
105
# File 'lib/dependabot/update_checkers/base.rb', line 103

def conflicting_dependencies
  [] # return an empty array for ecosystems that don't support this yet
end

#ignore_requirementsObject



144
145
146
# File 'lib/dependabot/update_checkers/base.rb', line 144

def ignore_requirements
  ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
end

#latest_resolvable_previous_version(_updated_version) ⇒ Object



107
108
109
# File 'lib/dependabot/update_checkers/base.rb', line 107

def latest_resolvable_previous_version(_updated_version)
  dependency.version
end

#latest_resolvable_versionObject

Raises:

  • (NotImplementedError)


79
80
81
# File 'lib/dependabot/update_checkers/base.rb', line 79

def latest_resolvable_version
  raise NotImplementedError
end

#latest_resolvable_version_with_no_unlockObject

Raises:

  • (NotImplementedError)


93
94
95
# File 'lib/dependabot/update_checkers/base.rb', line 93

def latest_resolvable_version_with_no_unlock
  raise NotImplementedError
end

#latest_versionObject

Raises:

  • (NotImplementedError)


64
65
66
# File 'lib/dependabot/update_checkers/base.rb', line 64

def latest_version
  raise NotImplementedError
end

#lowest_resolvable_security_fix_versionObject

Raises:

  • (NotImplementedError)


89
90
91
# File 'lib/dependabot/update_checkers/base.rb', line 89

def lowest_resolvable_security_fix_version
  raise NotImplementedError
end

#lowest_security_fix_versionDependabot::<package manager>::Version, #to_s

Lowest available security fix version not checking resolvability

Returns:

  • (Dependabot::<package manager>::Version, #to_s)

    version class

Raises:

  • (NotImplementedError)


85
86
87
# File 'lib/dependabot/update_checkers/base.rb', line 85

def lowest_security_fix_version
  raise NotImplementedError
end

#preferred_resolvable_versionObject



68
69
70
71
72
73
74
75
76
77
# File 'lib/dependabot/update_checkers/base.rb', line 68

def preferred_resolvable_version
  # If this dependency is vulnerable, prefer trying to update to the
  # lowest_resolvable_security_fix_version. Otherwise update all the way
  # to the latest_resolvable_version.
  return lowest_resolvable_security_fix_version if vulnerable?

  latest_resolvable_version
rescue NotImplementedError
  latest_resolvable_version
end

#requirement_classObject



119
120
121
# File 'lib/dependabot/update_checkers/base.rb', line 119

def requirement_class
  Utils.requirement_class_for_package_manager(dependency.package_manager)
end

#requirements_unlocked_or_can_be?Boolean

For some langauges, the manifest file may be constructed such that Dependabot has no way to update it (e.g., if it fetches its versions from a web API). This method is overridden in those cases.

Returns:

  • (Boolean)


126
127
128
# File 'lib/dependabot/update_checkers/base.rb', line 126

def requirements_unlocked_or_can_be?
  true
end

#up_to_date?Boolean

Returns:

  • (Boolean)


31
32
33
34
35
36
37
# File 'lib/dependabot/update_checkers/base.rb', line 31

def up_to_date?
  if dependency.version
    version_up_to_date?
  else
    requirements_up_to_date?
  end
end

#updated_dependencies(requirements_to_unlock:) ⇒ Object



53
54
55
56
57
58
59
60
61
62
# File 'lib/dependabot/update_checkers/base.rb', line 53

def updated_dependencies(requirements_to_unlock:)
  return [] unless can_update?(requirements_to_unlock: requirements_to_unlock)

  case requirements_to_unlock&.to_sym
  when :none then [updated_dependency_without_unlock]
  when :own then [updated_dependency_with_own_req_unlock]
  when :all then updated_dependencies_after_full_unlock
  else raise "Unknown unlock level '#{requirements_to_unlock}'"
  end
end

#updated_requirementsObject

Raises:

  • (NotImplementedError)


111
112
113
# File 'lib/dependabot/update_checkers/base.rb', line 111

def updated_requirements
  raise NotImplementedError
end

#version_classObject



115
116
117
# File 'lib/dependabot/update_checkers/base.rb', line 115

def version_class
  Utils.version_class_for_package_manager(dependency.package_manager)
end

#vulnerable?Boolean

Returns:

  • (Boolean)


130
131
132
133
134
135
136
137
138
139
140
141
142
# File 'lib/dependabot/update_checkers/base.rb', line 130

def vulnerable?
  return false if security_advisories.none?

  # Can't (currently) detect whether dependencies without a version
  # (i.e., for repos without a lockfile) are vulnerable
  return false unless dependency.version

  # Can't (currently) detect whether git dependencies are vulnerable
  return false if existing_version_is_sha?

  version = version_class.new(dependency.version)
  security_advisories.any? { |a| a.vulnerable?(version) }
end