Added Missing Regex for Allowlist Dependency Files (#10389)

* added submodules regex * added missing poetry.lock in updated_files_regex * remove unwanted comma * added better comment * fixed lint error * added regex to support vendor files for bundler and go ecosystem * nested regex and test case added for bundler * regex test case added for cargo * regex test case added for composer * regex test case added for devcontainers * fixed lint issue for bundler #updated_files_regex test * regex test case added for docker * regex test case added for elm, submodules, go, gradle * regex test case added for hex and fix for gradle and github_actions * regex test case added for npm, yarn, nuget, maven and fix for hex * regex test case added for pub, python, swift and regexfix for python * fixed nuget regex error and python lint error * fixed lint issue in gradle ecosystem * added nuget.config and NuGet.Config to test for not updating it * fix the nuget.config case * added feature flag for production rollout * replace ff to use boolean variable passed via api * fixed lint issue in hex and nuget rspec
dependabot · Aug 14, 2024 · 134a545 · 134a545
1 parent 3ce1165
commit 134a545
Show file tree

Hide file tree

Showing 37 changed files with 937 additions and 76 deletions.
diff --git a/bundler/lib/dependabot/bundler/file_updater.rb b/bundler/lib/dependabot/bundler/file_updater.rb
@@ -14,14 +14,24 @@ class FileUpdater < Dependabot::FileUpdaters::Base
       require_relative "file_updater/gemspec_updater"
       require_relative "file_updater/lockfile_updater"
 
-      def self.updated_files_regex
-        [
-          /^Gemfile$/,
-          /^Gemfile\.lock$/,
-          /^gems\.rb$/,
-          /^gems\.locked$/,
-          /^*\.gemspec$/
-        ]
+      def self.updated_files_regex(allowlist_enabled = false)
+        if allowlist_enabled
+          [
+            # Matches Gemfile, Gemfile.lock, gems.rb, gems.locked, .gemspec files, and anything in vendor directory
+            %r{^(Gemfile(\.lock)?|gems\.(rb|locked)|.*\.gemspec|vendor/.*)$},
+            # Matches the same files in any subdirectory
+            %r{^.*\/(Gemfile|Gemfile\.lock|gems\.rb|gems\.locked)$}
+          ]
+        else
+          # Old regex. After 100% rollout of the allowlist, this will be removed.
+          [
+            /^Gemfile$/,
+            /^Gemfile\.lock$/,
+            /^gems\.rb$/,
+            /^gems\.locked$/,
+            /^*\.gemspec$/
+          ]
+        end
       end
 
       # rubocop:disable Metrics/PerceivedComplexity

diff --git a/bundler/spec/dependabot/bundler/file_updater_spec.rb b/bundler/spec/dependabot/bundler/file_updater_spec.rb
@@ -54,6 +54,52 @@
 
   it_behaves_like "a dependency file updater"
 
+  describe "#updated_files_regex" do
+    subject(:updated_files_regex) { described_class.updated_files_regex(allowlist_enabled) }
+
+    let(:allowlist_enabled) { true }
+
+    it "is not empty" do
+      expect(updated_files_regex).not_to be_empty
+    end
+
+    context "when files match the regex patterns" do
+      it "returns true for files that should be updated" do
+        matching_files = [
+          "Gemfile",
+          "Gemfile.lock",
+          "gems.rb",
+          "gems.locked",
+          "some_project.gemspec",
+          "vendor/cache/business-1.5.0.gem",
+          "backend/Gemfile",
+          "backend/Gemfile.lock",
+          "backend/gems.rb",
+          "backend/gems.locked"
+        ]
+
+        matching_files.each do |file_name|
+          expect(updated_files_regex).to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+
+      it "returns false for files that should not be updated" do
+        non_matching_files = [
+          "README.md",
+          ".github/workflow/main.yml",
+          "some_random_file.rb",
+          "requirements.txt",
+          "package-lock.json",
+          "package.json"
+        ]
+
+        non_matching_files.each do |file_name|
+          expect(updated_files_regex).not_to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+    end
+  end
+
   describe "#updated_dependency_files" do
     subject(:updated_files) { updater.updated_dependency_files }
 

diff --git a/cargo/lib/dependabot/cargo/file_updater.rb b/cargo/lib/dependabot/cargo/file_updater.rb
@@ -13,7 +13,7 @@ class FileUpdater < Dependabot::FileUpdaters::Base
       require_relative "file_updater/manifest_updater"
       require_relative "file_updater/lockfile_updater"
 
-      def self.updated_files_regex
+      def self.updated_files_regex(_ = false)
         [
           /^Cargo\.toml$/,
           /^Cargo\.lock$/

diff --git a/cargo/spec/dependabot/cargo/file_updater_spec.rb b/cargo/spec/dependabot/cargo/file_updater_spec.rb
@@ -55,6 +55,44 @@
 
   it_behaves_like "a dependency file updater"
 
+  describe "#updated_files_regex" do
+    subject(:updated_files_regex) { described_class.updated_files_regex(allowlist_enabled) }
+
+    let(:allowlist_enabled) { false } # default value
+
+    it "is not empty" do
+      expect(updated_files_regex).not_to be_empty
+    end
+
+    context "when files match the regex patterns" do
+      it "returns true for files that should be updated" do
+        matching_files = [
+          "Cargo.toml",
+          "Cargo.lock"
+        ]
+
+        matching_files.each do |file_name|
+          expect(updated_files_regex).to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+
+      it "returns false for files that should not be updated" do
+        non_matching_files = [
+          "README.md",
+          ".github/workflow/main.yml",
+          "some_random_file.rb",
+          "requirements.txt",
+          "package-lock.json",
+          "package.json"
+        ]
+
+        non_matching_files.each do |file_name|
+          expect(updated_files_regex).not_to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+    end
+  end
+
   describe "#updated_dependency_files" do
     subject(:updated_files) { updater.updated_dependency_files }
 

diff --git a/common/lib/dependabot/file_updaters/base.rb b/common/lib/dependabot/file_updaters/base.rb
@@ -28,8 +28,8 @@ class Base
       sig { returns(T::Hash[Symbol, T.untyped]) }
       attr_reader :options
 
-      sig { overridable.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
+      sig { overridable.params(allowlist_enabled: T::Boolean).returns(T::Array[Regexp]) }
+      def self.updated_files_regex(allowlist_enabled = false)
         raise NotImplementedError
       end
 

diff --git a/composer/lib/dependabot/composer/file_updater.rb b/composer/lib/dependabot/composer/file_updater.rb
@@ -12,7 +12,7 @@ class FileUpdater < Dependabot::FileUpdaters::Base
       require_relative "file_updater/manifest_updater"
       require_relative "file_updater/lockfile_updater"
 
-      def self.updated_files_regex
+      def self.updated_files_regex(_ = false)
         [
           /^composer\.json$/,
           /^composer\.lock$/

diff --git a/composer/spec/dependabot/composer/file_updater_spec.rb b/composer/spec/dependabot/composer/file_updater_spec.rb
@@ -50,6 +50,44 @@
 
   it_behaves_like "a dependency file updater"
 
+  describe "#updated_files_regex" do
+    subject(:updated_files_regex) { described_class.updated_files_regex(allowlist_enabled) }
+
+    let(:allowlist_enabled) { false } # default value
+
+    it "is not empty" do
+      expect(updated_files_regex).not_to be_empty
+    end
+
+    context "when files match the regex patterns" do
+      it "returns true for files that should be updated" do
+        matching_files = [
+          "composer.json",
+          "composer.lock"
+        ]
+
+        matching_files.each do |file_name|
+          expect(updated_files_regex).to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+
+      it "returns false for files that should not be updated" do
+        non_matching_files = [
+          "README.md",
+          ".github/workflow/main.yml",
+          "some_random_file.rb",
+          "requirements.txt",
+          "package-lock.json",
+          "package.json"
+        ]
+
+        non_matching_files.each do |file_name|
+          expect(updated_files_regex).not_to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+    end
+  end
+
   describe "#updated_dependency_files" do
     subject(:updated_files) { updater.updated_dependency_files }
 

diff --git a/devcontainers/lib/dependabot/devcontainers/file_updater.rb b/devcontainers/lib/dependabot/devcontainers/file_updater.rb
@@ -12,8 +12,8 @@ module Devcontainers
     class FileUpdater < Dependabot::FileUpdaters::Base
       extend T::Sig
 
-      sig { override.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
+      sig { override.params(_: T::Boolean).returns(T::Array[Regexp]) }
+      def self.updated_files_regex(_ = false)
         [
           /^\.?devcontainer\.json$/,
           /^\.?devcontainer-lock\.json$/

diff --git a/devcontainers/spec/dependabot/devcontainers/file_updater_spec.rb b/devcontainers/spec/dependabot/devcontainers/file_updater_spec.rb
@@ -27,6 +27,46 @@
 
   it_behaves_like "a dependency file updater"
 
+  describe "#updated_files_regex" do
+    subject(:updated_files_regex) { described_class.updated_files_regex(allowlist_enabled) }
+
+    let(:allowlist_enabled) { false } # default value
+
+    it "is not empty" do
+      expect(updated_files_regex).not_to be_empty
+    end
+
+    context "when files match the regex patterns" do
+      it "returns true for files that should be updated" do
+        matching_files = [
+          "devcontainer.json",
+          ".devcontainer.json",
+          "devcontainer-lock.json",
+          ".devcontainer-lock.json"
+        ]
+
+        matching_files.each do |file_name|
+          expect(updated_files_regex).to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+
+      it "returns false for files that should not be updated" do
+        non_matching_files = [
+          "README.md",
+          ".github/workflow/main.yml",
+          "some_random_file.rb",
+          "requirements.txt",
+          "package-lock.json",
+          "package.json"
+        ]
+
+        non_matching_files.each do |file_name|
+          expect(updated_files_regex).not_to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+    end
+  end
+
   describe "#updated_dependency_files" do
     subject(:updated_dependency_files) { updater.updated_dependency_files }
 

diff --git a/docker/lib/dependabot/docker/file_updater.rb b/docker/lib/dependabot/docker/file_updater.rb
@@ -17,8 +17,8 @@ class FileUpdater < Dependabot::FileUpdaters::Base
       YAML_REGEXP = /^[^\.].*\.ya?ml$/i
       DOCKER_REGEXP = /dockerfile/i
 
-      sig { override.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
+      sig { override.params(_: T::Boolean).returns(T::Array[Regexp]) }
+      def self.updated_files_regex(_ = false)
         [
           DOCKER_REGEXP,
           YAML_REGEXP

diff --git a/docker/spec/dependabot/docker/file_updater_spec.rb b/docker/spec/dependabot/docker/file_updater_spec.rb
@@ -141,6 +141,49 @@
 
   it_behaves_like "a dependency file updater"
 
+  describe "#updated_files_regex" do
+    subject(:updated_files_regex) { described_class.updated_files_regex(allowlist_enabled) }
+
+    let(:allowlist_enabled) { false } # default value
+
+    it "is not empty" do
+      expect(updated_files_regex).not_to be_empty
+    end
+
+    context "when files match the regex patterns" do
+      it "returns true for files that should be updated" do
+        matching_files = [
+          "Dockerfile",
+          "dockerfile",
+          "my_dockerfile",
+          "myapp.yaml",
+          "config.yml",
+          "service.yaml",
+          "v1_tag.yaml"
+        ]
+
+        matching_files.each do |file_name|
+          expect(updated_files_regex).to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+
+      it "returns false for files that should not be updated" do
+        non_matching_files = [
+          "README.md",
+          ".github/workflow/main.yml",
+          "some_random_file.rb",
+          "requirements.txt",
+          "package-lock.json",
+          "package.json"
+        ]
+
+        non_matching_files.each do |file_name|
+          expect(updated_files_regex).not_to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+    end
+  end
+
   describe "#updated_dependency_files" do
     subject(:updated_files) { updater.updated_dependency_files }
 

diff --git a/elm/lib/dependabot/elm/file_updater.rb b/elm/lib/dependabot/elm/file_updater.rb
@@ -9,7 +9,7 @@ module Elm
     class FileUpdater < Dependabot::FileUpdaters::Base
       require_relative "file_updater/elm_json_updater"
 
-      def self.updated_files_regex
+      def self.updated_files_regex(_ = false)
         [
           /^elm\.json$/
         ]

diff --git a/elm/spec/dependabot/elm/file_updater_spec.rb b/elm/spec/dependabot/elm/file_updater_spec.rb
@@ -58,6 +58,43 @@
 
   it_behaves_like "a dependency file updater"
 
+  describe "#updated_files_regex" do
+    subject(:updated_files_regex) { described_class.updated_files_regex(allowlist_enabled) }
+
+    let(:allowlist_enabled) { false } # default value
+
+    it "is not empty" do
+      expect(updated_files_regex).not_to be_empty
+    end
+
+    context "when files match the regex patterns" do
+      it "returns true for files that should be updated" do
+        matching_files = [
+          "elm.json"
+        ]
+
+        matching_files.each do |file_name|
+          expect(updated_files_regex).to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+
+      it "returns false for files that should not be updated" do
+        non_matching_files = [
+          "README.md",
+          ".github/workflow/main.yml",
+          "some_random_file.rb",
+          "requirements.txt",
+          "package-lock.json",
+          "package.json"
+        ]
+
+        non_matching_files.each do |file_name|
+          expect(updated_files_regex).not_to(be_any { |regex| file_name.match?(regex) })
+        end
+      end
+    end
+  end
+
   describe "#updated_dependency_files" do
     subject(:updated_files) { updater.updated_dependency_files }
 

diff --git a/git_submodules/lib/dependabot/git_submodules/file_updater.rb b/git_submodules/lib/dependabot/git_submodules/file_updater.rb
@@ -11,9 +11,18 @@ module GitSubmodules
     class FileUpdater < Dependabot::FileUpdaters::Base
       extend T::Sig
 
-      sig { override.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
-        []
+      sig { override.params(allowlist_enabled: T::Boolean).returns(T::Array[Regexp]) }
+      def self.updated_files_regex(allowlist_enabled = false)
+        if allowlist_enabled
+          [
+            /^\.gitmodules$/,            # Matches the .gitmodules file in the root directory
+            %r{^.+/\.git$},              # Matches the .git file inside any submodule directory
+            %r{^\.git/modules/.+}        # Matches any files under .git/modules directory where submodule data is stored
+          ]
+        else
+          # Old regex. After 100% rollout of the allowlist, this will be removed.
+          []
+        end
       end
 
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }