Implement sbt metadata finder (#15011)

* handle pubspec validation errors gracefully

* implement sbt metadata finder

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* revert incorrect pub file changes

* fix sorbet error

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: AbhishekBhaskar

gradle/lib/dependabot/gradle/metadata_finder.rb

@@ -1,25 +1,19 @@
 # typed: strict
 # frozen_string_literal: true
 
-require "nokogiri"
 require "sorbet-runtime"
 
-require "dependabot/file_fetchers/base"
 require "dependabot/gradle/distributions"
 require "dependabot/gradle/file_fetcher"
 require "dependabot/gradle/file_parser/repositories_finder"
-require "dependabot/maven/utils/auth_headers_finder"
+require "dependabot/maven/shared/shared_metadata_finder"
 require "dependabot/metadata_finders"
-require "dependabot/metadata_finders/base"
-require "dependabot/registry_client"
 
 module Dependabot
   module Gradle
-    class MetadataFinder < Dependabot::MetadataFinders::Base
+    class MetadataFinder < Dependabot::Maven::Shared::SharedMetadataFinder
       extend T::Sig
 
-      DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
-      PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/
       KOTLIN_PLUGIN_REPO_PREFIX = "org.jetbrains.kotlin"
 
       private
@@ -28,18 +22,7 @@ class MetadataFinder < Dependabot::MetadataFinders::Base
       def look_up_source
         return distributions_source if Distributions.distribution_requirements?(dependency.requirements)
 
-        tmp_source = look_up_source_in_pom(dependency_pom_file)
-        return tmp_source if tmp_source
-
-        return unless (parent = parent_pom_file(dependency_pom_file))
-
-        tmp_source = look_up_source_in_pom(parent)
-        return unless tmp_source
-
-        artifact = dependency.name.split(":").last
-        return tmp_source if tmp_source.repo.end_with?(T.must(artifact))
-
-        tmp_source if repo_has_subdir_for_dep?(tmp_source)
+        super
       end
 
       # The Gradle Wrapper does not have its own release notes.
@@ -53,120 +36,35 @@ def distributions_source
         )
       end
 
-      sig { params(tmp_source: Dependabot::Source).returns(T::Boolean) }
-      def repo_has_subdir_for_dep?(tmp_source)
-        @repo_has_subdir_for_dep ||= T.let({}, T.nilable(T::Hash[Dependabot::Source, T::Boolean]))
-        return T.must(@repo_has_subdir_for_dep[tmp_source]) if @repo_has_subdir_for_dep.key?(tmp_source)
-
-        artifact = dependency.name.split(":").last
-        fetcher =
-          Dependabot::Gradle::FileFetcher.new(source: tmp_source, credentials: credentials)
-
-        @repo_has_subdir_for_dep[tmp_source] =
-          fetcher.send(:repo_contents, raise_errors: false)
-                 .select { |f| f.type == "dir" }
-                 .any? { |f| artifact&.end_with?(f.name) }
-      rescue Dependabot::BranchNotFound
-        tmp_source.branch = nil
-        retry
-      rescue Dependabot::RepoNotFound
-        T.must(@repo_has_subdir_for_dep)[tmp_source] = false
-      end
-
-      sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
-      def look_up_source_in_pom(pom)
-        potential_source_urls = [
-          pom.at_css("project > url")&.content,
-          pom.at_css("project > scm > url")&.content,
-          pom.at_css("project > issueManagement > url")&.content
-        ].compact
-
-        source_url = potential_source_urls.find { |url| Source.from_url(url) }
-        source_url ||= source_from_anywhere_in_pom(pom)
-        source_url = substitute_property_in_source_url(source_url, pom)
-
-        Source.from_url(source_url)
-      end
-
-      sig { params(source_url: T.nilable(String), pom: Nokogiri::XML::Document).returns(T.nilable(String)) }
-      def substitute_property_in_source_url(source_url, pom)
-        return unless source_url
-        return source_url unless source_url.include?("${")
-
-        regex = PROPERTY_REGEX
-        property_name = T.must(source_url.match(regex)).named_captures["property"]
-        doc = pom.dup
-        doc.remove_namespaces!
-        nm = T.must(property_name).sub(/^pom\./, "").sub(/^project\./, "")
-        property_value =
-          loop do
-            candidate_node =
-              doc.at_xpath("/project/#{nm}") ||
-              doc.at_xpath("/project/properties/#{nm}") ||
-              doc.at_xpath("/project/profiles/profile/properties/#{nm}")
-            break(candidate_node.content) if candidate_node
-            break unless nm.match?(DOT_SEPARATOR_REGEX)
-
-            nm = nm.sub(DOT_SEPARATOR_REGEX, "/")
-          end
-
-        source_url.gsub("${#{property_name}}", property_value)
+      sig { override.returns(T.class_of(Dependabot::FileFetchers::Base)) }
+      def file_fetcher_class
+        Dependabot::Gradle::FileFetcher
       end
 
-      sig { params(pom: T.any(String, Nokogiri::XML::Document)).returns(T.nilable(String)) }
-      def source_from_anywhere_in_pom(pom)
-        github_urls = []
-        pom.to_s.scan(Source::SOURCE_REGEX) do
-          github_urls << Regexp.last_match.to_s
-        end
-
-        github_urls.find do |url|
-          repo = T.must(Source.from_url(url)).repo
-          repo.end_with?(T.must(dependency.name.split(":").last))
+      sig { override.returns(T.nilable(String)) }
+      def dependency_artifact_id
+        if kotlin_plugin? then "#{KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}.gradle.plugin"
+        elsif plugin? then "#{dependency.name}.gradle.plugin"
+        else
+          dependency.name.split(":").last
         end
       end
 
-      sig { returns(Nokogiri::XML::Document) }
-      def dependency_pom_file
-        return @dependency_pom_file unless @dependency_pom_file.nil?
-
-        artifact_id =
-          if kotlin_plugin? then "#{KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}.gradle.plugin"
-          elsif plugin? then "#{dependency.name}.gradle.plugin"
+      sig { override.returns(String) }
+      def maven_repo_dependency_url
+        group_id, artifact_id =
+          if kotlin_plugin?
+            ["#{KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}",
+             "#{KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}.gradle.plugin"]
+          elsif plugin? then [dependency.name, "#{dependency.name}.gradle.plugin"]
           else
-            dependency.name.split(":").last
+            dependency.name.split(":")
           end
 
-        response = Dependabot::RegistryClient.get(
-          url: "#{maven_repo_dependency_url}/#{dependency.version}/#{artifact_id}-#{dependency.version}.pom",
-          headers: auth_headers
-        )
-
-        @dependency_pom_file = T.let(Nokogiri::XML(response.body), T.nilable(Nokogiri::XML::Document))
-      rescue Excon::Error::Timeout
-        @dependency_pom_file ||= T.let(Nokogiri::XML(""), T.nilable(Nokogiri::XML::Document))
-      end
-
-      sig { params(pom: Nokogiri::XML::Document).returns(T.nilable(Nokogiri::XML::Document)) }
-      def parent_pom_file(pom)
-        doc = pom.dup
-        doc.remove_namespaces!
-        group_id = doc.at_xpath("/project/parent/groupId")&.content&.strip
-        artifact_id =
-          doc.at_xpath("/project/parent/artifactId")&.content&.strip
-        version = doc.at_xpath("/project/parent/version")&.content&.strip
-
-        return unless artifact_id && group_id && version
-
-        response = Dependabot::RegistryClient.get(
-          url: "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/#{artifact_id}-#{version}.pom",
-          headers: auth_headers
-        )
-
-        Nokogiri::XML(response.body)
+        "#{maven_repo_url}/#{group_id&.tr('.', '/')}/#{artifact_id}"
       end
 
-      sig { returns(String) }
+      sig { override.returns(String) }
       def maven_repo_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -176,18 +74,9 @@ def maven_repo_url
           Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
       end
 
-      sig { returns(String) }
-      def maven_repo_dependency_url
-        group_id, artifact_id =
-          if kotlin_plugin?
-            ["#{KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}",
-             "#{KOTLIN_PLUGIN_REPO_PREFIX}.#{dependency.name}.gradle.plugin"]
-          elsif plugin? then [dependency.name, "#{dependency.name}.gradle.plugin"]
-          else
-            dependency.name.split(":")
-          end
-
-        "#{maven_repo_url}/#{group_id&.tr('.', '/')}/#{artifact_id}"
+      sig { override.returns(String) }
+      def central_repo_url
+        Gradle::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
       end
 
       sig { returns(T::Boolean) }
@@ -199,14 +88,6 @@ def plugin?
       def kotlin_plugin?
         plugin? && dependency.requirements.any? { |r| r.fetch(:groups).include? "kotlin" }
       end
-
-      sig { returns(T::Hash[String, String]) }
-      def auth_headers
-        @auth_headers ||= T.let(
-          Dependabot::Maven::Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url),
-          T.nilable(T::Hash[String, String])
-        )
-      end
     end
   end
 end

maven/lib/dependabot/maven/shared/shared_metadata_finder.rb

@@ -140,7 +140,7 @@ def dependency_pom_file
           @dependency_pom_file = Nokogiri::XML("")
         end
 
-        sig { returns(T.nilable(String)) }
+        sig { overridable.returns(T.nilable(String)) }
         def dependency_artifact_id
           _group_id, artifact_id = dependency.name.split(":")
           artifact_id
@@ -186,7 +186,7 @@ def central_repo_url
           ).central_repo_url
         end
 
-        sig { returns(String) }
+        sig { overridable.returns(String) }
         def maven_repo_dependency_url
           group_id, artifact_id = dependency.name.split(":")
           "#{maven_repo_url}/#{T.must(group_id).tr('.', '/')}/#{artifact_id}"

sbt/lib/dependabot/sbt/metadata_finder.rb

@@ -1,25 +1,21 @@
 # typed: strong
 # frozen_string_literal: true
 
-# NOTE: This file was scaffolded automatically but is OPTIONAL.
-# If you don't need custom metadata finding logic (changelogs, release notes, etc.),
-# you can safely delete this file and remove the require from lib/dependabot/sbt.rb
-
 require "dependabot/metadata_finders"
-require "dependabot/metadata_finders/base"
+require "dependabot/maven/shared/shared_metadata_finder"
+require "dependabot/sbt/file_fetcher"
+require "sorbet-runtime"
 
 module Dependabot
   module Sbt
-    class MetadataFinder < Dependabot::MetadataFinders::Base
+    class MetadataFinder < Dependabot::Maven::Shared::SharedMetadataFinder
       extend T::Sig
 
       private
 
-      sig { override.returns(T.nilable(Dependabot::Source)) }
-      def look_up_source
-        # TODO: Implement custom source lookup logic if needed
-        # Otherwise, delete this file and the require in the main registration file
-        nil
+      sig { override.returns(T.class_of(Dependabot::FileFetchers::Base)) }
+      def file_fetcher_class
+        Dependabot::Sbt::FileFetcher
       end
     end
   end