Add support for updating dependencies in target files

The eclipse-pde target files (extension .target, content is xml) supports for a while to also mention maven dependencies. This enhances the file fetcher to scan for target files in a repository and the file parser to parse any maven type location. Fix #4682
dependabot · Jan 29, 2025 · 6a7813b · 6a7813b
1 parent 1cf9d09
commit 6a7813b
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 0 deletions.
diff --git a/maven/lib/dependabot/maven/file_fetcher.rb b/maven/lib/dependabot/maven/file_fetcher.rb
@@ -32,6 +32,7 @@ def fetch_files
         fetched_files << pom
         fetched_files += child_poms
         fetched_files += relative_path_parents(fetched_files)
+        fetched_files += targetfiles
         fetched_files << extensions if extensions
         fetched_files.uniq
       end
@@ -47,6 +48,14 @@ def pom
       def extensions
         @extensions ||= T.let(fetch_file_if_present(".mvn/extensions.xml"), T.nilable(Dependabot::DependencyFile))
       end
+
+	  sig { returns(T::Array[DependencyFile]) }
+	  def targetfiles
+	    @targetfiles ||=
+	      repo_contents(raise_errors: false).
+	      select { |f| f.type == "file" && f.name.end_with?(".target") }.
+	      map { |f| fetch_file_from_host(f.name) }
+	  end
 
       sig { returns(T::Array[DependencyFile]) }
       def child_poms

diff --git a/maven/lib/dependabot/maven/file_parser.rb b/maven/lib/dependabot/maven/file_parser.rb
@@ -26,12 +26,14 @@ class FileParser < Dependabot::FileParsers::Base
       # - Any dependencies (incl. those in dependencyManagement or plugins)
       # - Any plugins (incl. those in pluginManagement)
       # - Any extensions
+      # - Any eclipse-target with a location of type Maven
       DEPENDENCY_SELECTOR = "project > parent, " \
                             "dependencies > dependency, " \
                             "extensions > extension, " \
                             "annotationProcessorPaths > path"
       PLUGIN_SELECTOR     = "plugins > plugin"
       EXTENSION_SELECTOR  = "extensions > extension"
+	  TARGET_SELECTOR     = "target > locations > location[type='Maven'] > dependencies > dependency"
       PLUGIN_ARTIFACT_ITEMS_SELECTOR = "plugins > plugin > executions > execution > " \
                                        "configuration > artifactItems > artifactItem"
 
@@ -43,6 +45,7 @@ def parse
         dependency_set = DependencySet.new
         pomfiles.each { |pom| dependency_set += pomfile_dependencies(pom) }
         extensionfiles.each { |extension| dependency_set += extensionfile_dependencies(extension) }
+        targetfiles.each { |target| dependency_set += targetfile_dependencies(target) }
         dependency_set.dependencies
       end
 

diff --git a/maven/spec/dependabot/maven/file_fetcher_spec.rb b/maven/spec/dependabot/maven/file_fetcher_spec.rb
@@ -27,6 +27,9 @@
       directory: directory
     )
   end
+
+  let(:file_fetcher_instance) do
+    described_class.new(source: source, credentials: credentials, repo_contents_path: nil)
 
   before do
     allow(file_fetcher_instance).to receive(:commit).and_return("sha")
@@ -79,6 +82,21 @@
       it { is_expected.to be(false) }
     end
   end
+
+  before do
+    allow(file_fetcher_instance).to receive(:commit).and_return("sha")
+
+    stub_request(:get, File.join(url, ".mvn?ref=sha")).
+      with(headers: { "Authorization" => "token token" }).
+      to_return(
+        status: 404
+      )
+    stub_request(:get, /.*\?ref=sha/).
+      with(headers: { "Authorization" => "token token" }).
+      to_return(
+        status: 404
+      )
+  end
 
   context "with a basic pom" do
     before do

diff --git a/maven/spec/dependabot/maven/file_parser_spec.rb b/maven/spec/dependabot/maven/file_parser_spec.rb
@@ -118,6 +118,33 @@
       end
     end
 
+    context "with target-file" do
+      let(:files) { [targetfile, pom] }
+      let(:targetfile) do
+        Dependabot::DependencyFile.new(name: "releng/myproject.target", content: targetfile_body)
+      end
+      let(:targetfile_body) { fixture("target-files", "example.target") }
+
+      describe "the sole dependency" do
+        subject(:dependency) { dependencies[3] }
+
+        it "has the right details" do
+          expect(dependency).to be_a(Dependabot::Dependency)
+          expect(dependency.name).to eq("commons-io:commons-io")
+          expect(dependency.version).to eq("2.11.0")
+          expect(dependency.requirements).to eq(
+            [{
+              requirement: "2.11.0",
+              file: "releng/myproject.target",
+              groups: [],
+              source: nil,
+              metadata: { packaging_type: "jar" }
+            }]
+          )
+        end
+      end
+    end
+
     context "with rogue whitespace" do
       let(:pom_body) { fixture("poms", "whitespace.xml") }
 

diff --git a/maven/spec/fixtures/target-files/example.target b/maven/spec/fixtures/target-files/example.target
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?pde version="3.8"?>
+<target name="example">
+	<locations>
+		<location path="/tmp/dummy/" type="Directory"/>
+		<location includeDependencyDepth="none" includeSource="true" label="An old version of commons-io" missingManifest="error" type="Maven">
+			<dependencies>
+				<dependency>
+					<groupId>commons-io</groupId>
+					<artifactId>commons-io</artifactId>
+					<version>2.11.0</version>
+					<type>jar</type>
+				</dependency>
+			</dependencies>
+		</location>
+		<location path="${eclipse_home}" type="Profile"/>
+	</locations>
+</target>