Added Gradle Wrapper support

Author: gmazzo

gradle/lib/dependabot/gradle/distributions.rb

@@ -0,0 +1,22 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/registry_client"
+
+module Dependabot
+  module Gradle
+    module Distributions
+      extend T::Sig
+
+      DISTRIBUTIONS_URL = "https://services.gradle.org"
+      DISTRIBUTION_DEPENDENCY_TYPE = "gradle-distribution"
+
+      sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Boolean) }
+      def self.distribution_requirements?(requirements)
+        requirements.any? do |req|
+          req.dig(:source, :type) == DISTRIBUTION_DEPENDENCY_TYPE
+        end
+      end
+    end
+  end
+end

gradle/lib/dependabot/gradle/file_fetcher.rb

@@ -23,6 +23,9 @@ class FileFetcher < Dependabot::FileFetchers::Base
       SUPPORTED_SETTINGS_FILE_NAMES =
         T.let(%w(settings.gradle settings.gradle.kts).freeze, T::Array[String])
 
+      SUPPORTED_WRAPPER_PROPERTIES_FILE_PATH =
+        %w(/gradle/wrapper/gradle-wrapper.properties).freeze
+
       # For now Gradle only supports library .toml files in the main gradle folder
       SUPPORTED_VERSION_CATALOG_FILE_PATH =
         T.let(%w(/gradle/libs.versions.toml).freeze, T::Array[String])
@@ -66,8 +69,13 @@ def fetch_files
 
       sig { params(root_dir: String).returns(T::Array[DependencyFile]) }
       def all_buildfiles_in_build(root_dir)
-        files = [buildfile(root_dir), settings_file(root_dir), version_catalog_file(root_dir), lockfile(root_dir)]
-                .compact
+        files = [
+          buildfile(root_dir),
+          settings_file(root_dir),
+          wrapper_properties_file(root_dir),
+          version_catalog_file(root_dir),
+          lockfile(root_dir)
+        ].compact
         files += subproject_buildfiles(root_dir)
         files += subproject_lockfiles(root_dir)
         files += dependency_script_plugins(root_dir)
@@ -139,6 +147,16 @@ def subproject_buildfiles(root_dir)
         end
       end
 
+      sig { params(root_dir: String).returns(T.nilable(DependencyFile)) }
+      def wrapper_properties_file(root_dir)
+        return nil unless root_dir == "."
+
+        gradle_wrapper_properties_file(root_dir)
+      rescue Dependabot::DependencyFileNotFound
+        # Wrapper file is optional for Gradle
+        nil
+      end
+
       sig { params(root_dir: String).returns(T.nilable(DependencyFile)) }
       def version_catalog_file(root_dir)
         return nil unless root_dir == "."
@@ -191,6 +209,11 @@ def buildfile(dir)
         file
       end
 
+      sig { params(dir: String).returns(T.nilable(DependencyFile)) }
+      def gradle_wrapper_properties_file(dir)
+        find_first(dir, SUPPORTED_WRAPPER_PROPERTIES_FILE_PATH)
+      end
+
       sig { params(dir: String).returns(T.nilable(DependencyFile)) }
       def gradle_toml_file(dir)
         find_first(dir, SUPPORTED_VERSION_CATALOG_FILE_PATH)

gradle/lib/dependabot/gradle/file_parser.rb

@@ -25,6 +25,7 @@ class FileParser < Dependabot::FileParsers::Base # rubocop:disable Metrics/Class
       extend T::Sig
 
       require "dependabot/file_parsers/base/dependency_set"
+      require_relative "file_parser/distributions_finder.rb"
       require_relative "file_parser/property_value_finder"
 
       SUPPORTED_BUILD_FILE_NAMES = T.let(%w(build.gradle build.gradle.kts settings.gradle settings.gradle.kts).freeze,
@@ -57,6 +58,9 @@ def parse
         script_plugin_files.each do |plugin_file|
           dependency_set += buildfile_dependencies(plugin_file)
         end
+        wrapper_properties_file.each do |properties_file|
+          dependency_set += wrapper_properties_dependencies(properties_file)
+        end
         version_catalog_file.each do |toml_file|
           dependency_set += version_catalog_dependencies(toml_file)
         end
@@ -114,6 +118,14 @@ def language
         end, T.nilable(Dependabot::Gradle::Language))
       end
 
+      sig { params(properties_file: Dependabot::DependencyFile).returns(DependencySet) }
+      def wrapper_properties_dependencies(properties_file)
+        dependency_set = DependencySet.new
+        dependency = DistributionsFinder.resolve_dependency(properties_file)
+        dependency_set << dependency if dependency
+        dependency_set
+      end
+
       sig { params(toml_file: Dependabot::DependencyFile).returns(DependencySet) }
       def version_catalog_dependencies(toml_file)
         dependency_set = DependencySet.new
@@ -534,6 +546,14 @@ def buildfiles
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def wrapper_properties_file
+        @wrapper_properties_file ||= T.let(
+          dependency_files.select { |f| f.name.end_with?("gradle-wrapper.properties") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def version_catalog_file
         @version_catalog_file ||= T.let(

gradle/lib/dependabot/gradle/file_parser/distributions_finder.rb

@@ -0,0 +1,86 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/gradle/file_parser"
+require "dependabot/gradle/distributions"
+
+module Dependabot
+  module Gradle
+    class FileParser
+      class DistributionsFinder
+        extend T::Sig
+        include Dependabot::Gradle::Distributions
+
+        DISTRIBUTION_URL_REGEX = %r{^#{Regexp.escape(DISTRIBUTIONS_URL)}/distributions/gradle-(?<version>[\d.]+)-(?<distribution_type>bin|all)\.zip$} # rubocop:disable Layout/LineLength
+
+        sig { params(properties_file: DependencyFile).returns(T.nilable(Dependency)) }
+        def self.resolve_dependency(properties_file)
+          content = properties_file.content
+          return nil unless content
+
+          distribution_url, checksum = load_properties(content)
+          match = distribution_url&.match(DISTRIBUTION_URL_REGEX)&.named_captures
+          return nil unless match
+
+          version = match.fetch("version")
+
+          requirements = T.let([{
+            requirement: version,
+            file: properties_file.name,
+            source: {
+              type: DISTRIBUTION_DEPENDENCY_TYPE,
+              url: distribution_url,
+              property: "distributionUrl"
+            },
+            groups: []
+          }], T::Array[T::Hash[Symbol, T.untyped]])
+
+          if checksum
+            requirements << {
+              requirement: checksum,
+              file: properties_file.name,
+              source: {
+                type: DISTRIBUTION_DEPENDENCY_TYPE,
+                url: "#{distribution_url}.sha256",
+                property: "distributionSha256Sum"
+              },
+              groups: []
+            }
+          end
+
+          Dependency.new(
+            name: "gradle-wrapper",
+            version: version,
+            requirements: requirements,
+            package_manager: "gradle"
+          )
+        end
+
+        sig { params(properties_content: String).returns(T::Array[T.nilable(String)]) }
+        def self.load_properties(properties_content)
+          distribution_url = T.let(nil, T.nilable(String))
+          checksum = T.let(nil, T.nilable(String))
+
+          properties_content.lines.each do |line|
+            (key, value) = line.split("=", 2).map(&:strip)
+            next unless key && value
+
+            case key
+            when "distributionUrl"
+              distribution_url = value.gsub("\\:", ":")
+            when "distributionSha256Sum"
+              checksum = value
+            else
+              next
+            end
+            break if distribution_url && checksum
+          end
+
+          [distribution_url, checksum]
+        end
+
+        private_class_method :load_properties
+      end
+    end
+  end
+end

gradle/lib/dependabot/gradle/file_updater.rb

@@ -23,6 +23,8 @@ def self.updated_files_regex
         [
           # Matches build.gradle or build.gradle.kts in root directory
           %r{(^|.*/)build\.gradle(\.kts)?$},
+          # Matches gradle/wrapper/gradle-wrapper.properties in root or any subdirectory
+          %r{(^|.*/)?gradle/wrapper/gradle-wrapper.properties$},
           # Matches gradle/libs.versions.toml in root or any subdirectory
           %r{(^|.*/)?gradle/libs\.versions\.toml$},
           # Matches settings.gradle or settings.gradle.kts in root or any subdirectory
@@ -202,6 +204,7 @@ def update_version_in_buildfile(dependency, buildfile, previous_req,
       end
 
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig do
         params(
           dependency: Dependabot::Dependency,
@@ -220,6 +223,10 @@ def original_buildfile_declarations(dependency, requirement)
           if dependency.name.include?(":")
             dep_parts = dependency.name.split(":")
             next false unless line.include?(T.must(dep_parts.first)) || line.include?(T.must(dep_parts.last))
+          elsif T.let(requirement.fetch(:file), String).end_with?(".properties")
+            property = T.let(requirement, T::Hash[Symbol, T.nilable(T::Hash[Symbol, T.nilable(String)])])
+                        .dig(:source, :property)
+            next false unless !property.nil? && line.start_with?(property)
           elsif T.let(requirement.fetch(:file), String).end_with?(".toml")
             next false unless line.include?(dependency.name)
           else
@@ -232,6 +239,7 @@ def original_buildfile_declarations(dependency, requirement)
         end
       end
       # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
 
       sig { params(string: String, buildfile: Dependabot::DependencyFile).returns(String) }
       def evaluate_properties(string, buildfile)

gradle/lib/dependabot/gradle/metadata_finder.rb

@@ -5,6 +5,7 @@
 require "sorbet-runtime"
 
 require "dependabot/file_fetchers/base"
+require "dependabot/gradle/distributions"
 require "dependabot/gradle/file_fetcher"
 require "dependabot/gradle/file_parser/repositories_finder"
 require "dependabot/maven/utils/auth_headers_finder"
@@ -25,6 +26,8 @@ class MetadataFinder < Dependabot::MetadataFinders::Base
 
       sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
+        return nil if Distributions.distribution_requirements?(dependency.requirements)
+
         tmp_source = look_up_source_in_pom(dependency_pom_file)
         return tmp_source if tmp_source
 

gradle/lib/dependabot/gradle/update_checker/distributions_finder.rb

@@ -0,0 +1,59 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/gradle/distributions"
+require "dependabot/gradle/version"
+
+module Dependabot
+  module Gradle
+    class UpdateChecker
+      class DistributionsFinder
+        extend T::Sig
+        include Dependabot::Gradle::Distributions
+
+        @available_versions = T.let([], T::Array[T::Hash[String, T.untyped]])
+        @distributions_checksums = T.let({}, T::Hash[String, T::Array[String]])
+
+        sig { returns(T.any(T::Array[T::Hash[String, T.untyped]], T::Array[T::Hash[Symbol, T.untyped]])) }
+        def self.available_versions
+          return @available_versions if @available_versions.any?
+
+          response = Dependabot::RegistryClient.get(url: "#{DISTRIBUTIONS_URL}/versions/all")
+          versions = T.let(JSON.parse(T.let(response.body, String),
+                                      object_class: OpenStruct), T::Array[OpenStruct])
+          @available_versions += versions
+                                 .select { |v| release_version?(version: v) }
+                                 .map { |v| T.let(v["version"], String) }
+                                 .uniq
+                                 .select { |v| Gradle::Version.correct?(v) }
+                                 .map { |v| Gradle::Version.new(v) }
+                                 .sort
+                                 .map { |version| { version: version, source_url: DISTRIBUTIONS_URL } }
+        end
+
+        sig { params(version: OpenStruct).returns(T::Boolean) }
+        def self.release_version?(version:)
+          T.let(version[:broken], T::Boolean) == false &&
+            T.let(version[:snapshot], T::Boolean) == false &&
+            T.let(version[:rcFor], String) == "" &&
+            T.let(version[:milestoneFor], String) == "" &&
+            /.*-(rc|milestone)-.*/.match?(T.let(version[:version], String)) == false
+        end
+
+        sig { params(distribution_url: String).returns(T.nilable(T::Array[String])) }
+        def self.resolve_checksum(distribution_url)
+          cached = @distributions_checksums[distribution_url]
+          return cached if cached
+
+          checksum_url = "#{distribution_url}.sha256"
+          checksum = T.let(Dependabot::RegistryClient.get(url: checksum_url).body, String).strip
+          return nil unless checksum.match?(/\A[a-f0-9]{64}\z/)
+
+          @distributions_checksums[distribution_url] = [checksum_url, checksum]
+        end
+
+        private_class_method :release_version?
+      end
+    end
+  end
+end

gradle/lib/dependabot/gradle/update_checker/requirements_updater.rb

@@ -9,6 +9,7 @@
 require "sorbet-runtime"
 
 require "dependabot/requirements_updater/base"
+require "dependabot/gradle/distributions"
 require "dependabot/gradle/update_checker"
 require "dependabot/gradle/version"
 require "dependabot/gradle/requirement"
@@ -42,11 +43,13 @@ def initialize(requirements:, latest_version:, source_url:,
           return unless latest_version
 
           @latest_version = T.let(version_class.new(latest_version), Version)
+          @is_distribution = T.let(Distributions.distribution_requirements?(requirements), T::Boolean)
         end
 
         sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements unless latest_version
+          return updated_distribution_requirements if @is_distribution
 
           # NOTE: Order is important here. The FileUpdater needs the updated
           # requirement at index `i` to correspond to the previous requirement
@@ -110,6 +113,31 @@ def update_dynamic_requirement(req_string)
           end
         end
 
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def updated_distribution_requirements
+          req_version = T.must(requirements[0])
+
+          requirement = req_version[:requirement]
+          updated_requirement = update_exact_requirement(requirement)
+
+          distribution_url = req_version[:source][:url]
+          updated_distribution_url = distribution_url.gsub(requirement, updated_requirement)
+
+          req_version = req_version.merge(
+            requirement: updated_requirement,
+            source: req_version[:source].merge(url: updated_distribution_url)
+          )
+          return [req_version] unless requirements.size > 1
+
+          req_checksum = T.must(requirements[1])
+          checksum_url, checksum = DistributionsFinder.resolve_checksum(updated_distribution_url)
+          req_checksum = req_checksum.merge(
+            requirement: checksum,
+            source: req_checksum[:source].merge(url: checksum_url)
+          )
+          [req_version, req_checksum]
+        end
+
         sig { override.returns(T::Class[Version]) }
         def version_class
           Gradle::Version