

Only consider specified configurations for UpgradeTransitiveDependenc…
…yVersion created constraints if these are mentioned. (#4233)

Co-authored-by: Jente Sondervorst <[email protected]>
Jenson3210 and Jente Sondervorst authored Jun 7, 2024
1 parent d304dc8 commit da30d7e
Showing 2 changed files with 154 additions and 2 deletions.
Expand Up @@ -98,6 +98,13 @@ public class UpgradeTransitiveDependencyVersion extends Recipe {
@Nullable
String because;

@Option(displayName = "Include configurations",
description = "A list of configurations to consider during the upgrade. For example, For example using `implementation, runtimeOnly`, we could be responding to a deployable asset vulnerability only (ignoring test scoped vulnerabilities).",
required = false,
example = "implementation, runtimeOnly")
@Nullable
List<String> onlyForConfigurations;

@Override
public String getDisplayName() {
return "Upgrade transitive Gradle dependencies";
Expand Down Expand Up @@ -253,10 +260,23 @@ private GradleDependencyConfiguration constraintConfiguration(GradleDependencyCo
break;
}

if (onlyForConfigurations != null) {
if (!onlyForConfigurations.contains(constraintConfigName)) {
return null;
}
} else {
for (GradleDependencyConfiguration extended : config.getExtendsFrom()) {
if (extended.getName().equals(constraintConfigName)) {
return extended;
}
}
}

GradleDependencyConfiguration configuration = gradleProject.getConfiguration(constraintConfigName);
if (configuration != null && configuration.isTransitive()) {
return configuration;
}

return null;
}
});
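Review bot: When `onlyForConfigurations` is set, a name that is misspelled or absent from the project makes `constraintConfiguration` return null for every candidate, so the recipe silently adds no constraint and the vulnerability the option is meant to address stays unpinned; `onlyForConfigurations.contains(constraintConfigName)` is an exact, case-sensitive match with no trimming. The option description added in the first hunk should state that names must match exactly and that configurations not listed receive no constraint, and it should drop its duplicated `For example, For example`. The two branches also differ in what they accept: with no list, a match found in `config.getExtendsFrom()` is returned as-is, whereas with a list the same configuration only passes if `gradleProject.getConfiguration(constraintConfigName)` reports `isTransitive()`; if that asymmetry is intentional, a one-line comment above the `if (onlyForConfigurations != null)` saying so would help the next reader. `constraintConfiguration` begins before this hunk.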
Expand Up @@ -21,6 +21,8 @@
import org.openrewrite.test.RecipeSpec;
import org.openrewrite.test.RewriteTest;

import java.util.List;

import static org.openrewrite.gradle.Assertions.buildGradle;
import static org.openrewrite.gradle.toolingapi.Assertions.withToolingApi;

Expand All @@ -31,7 +33,7 @@ public void defaults(RecipeSpec spec) {
spec
.beforeRecipe(withToolingApi())
.recipe(new UpgradeTransitiveDependencyVersion(
"com.fasterxml*", "jackson-core", "2.12.5", null, "CVE-2024-BAD"));
"com.fasterxml*", "jackson-core", "2.12.5", null, "CVE-2024-BAD", null));
}

@DocumentExample
Expand Down Expand Up @@ -105,6 +107,29 @@ void customConfiguration() {
);
}

@Test
void customNonTransitiveConfigurationCannotAddConstraint() {
rewriteRun(
buildGradle(
"""
plugins {
id 'java'
}
configurations {
foo {
transitive = false
}
}
repositories { mavenCentral() }
dependencies {
foo 'org.openrewrite:rewrite-java:7.0.0'
}
"""
)
);
}

@Test
void addConstraintAddsSameArtifactsInSameConfigurationAsSingleConstraint() {
rewriteRun(
Expand Down Expand Up @@ -455,7 +480,7 @@ void constraintDoesNotGetAddedInsideConstraint() {
rewriteRun(
spec -> spec
.beforeRecipe(withToolingApi())
.recipe(new UpgradeTransitiveDependencyVersion("com.fasterxml.jackson.core", "jackson-core","2.12.5", null, "CVE-2024-BAD")),
.recipe(new UpgradeTransitiveDependencyVersion("com.fasterxml.jackson.core", "jackson-core","2.12.5", null, "CVE-2024-BAD", null)),
//language=groovy
buildGradle(
"""
Expand Down Expand Up @@ -503,4 +528,111 @@ void constraintDoesNotGetAddedInsideConstraint() {
)
);
}

@Test
void includedConfigurationsReceiveOnlyConfiguredConstraints() {
rewriteRun(
spec -> spec
.beforeRecipe(withToolingApi())
.recipe(new UpgradeTransitiveDependencyVersion(
"org.apache.commons", "commons-lang3", "3.14.0", null, null, List.of("pitest"))),
buildGradle(
"""
plugins {
id 'info.solidsoft.pitest' version '1.15.0'
id 'java'
}
repositories { mavenCentral() }
dependencies {
testImplementation 'org.apache.activemq:artemis-jakarta-server:2.28.0'
}
""", """
plugins {
id 'info.solidsoft.pitest' version '1.15.0'
id 'java'
}
repositories { mavenCentral() }
dependencies {
constraints {
pitest('org.apache.commons:commons-lang3:3.14.0')
}
testImplementation 'org.apache.activemq:artemis-jakarta-server:2.28.0'
}
"""
)
);
}

@Test
void noIncludedConfigurationsReceiveAllConstraints() {
rewriteRun(
spec -> spec
.beforeRecipe(withToolingApi())
.recipe(new UpgradeTransitiveDependencyVersion(
"org.apache.commons", "commons-lang3", "3.14.0", null, null, null)),
buildGradle(
"""
plugins {
id 'info.solidsoft.pitest' version '1.15.0'
id 'java'
}
repositories { mavenCentral() }
dependencies {
testImplementation 'org.apache.activemq:artemis-jakarta-server:2.28.0'
}
""", """
plugins {
id 'info.solidsoft.pitest' version '1.15.0'
id 'java'
}
repositories { mavenCentral() }
dependencies {
constraints {
pitest('org.apache.commons:commons-lang3:3.14.0')
testImplementation('org.apache.commons:commons-lang3:3.14.0')
}
testImplementation 'org.apache.activemq:artemis-jakarta-server:2.28.0'
}
"""
)
);
}

@Test
@DocumentExample
void IncludedDefaultConfigurationsReceiveRuntimeConstraints() {
rewriteRun(
spec -> spec
.beforeRecipe(withToolingApi())
.recipe(new UpgradeTransitiveDependencyVersion(
"org.apache.commons", "commons-lang3", "3.14.0", null, null, List.of("implementation", "runtimeOnly"))),
buildGradle(
"""
plugins {
id 'info.solidsoft.pitest' version '1.15.0'
id 'java'
}
repositories { mavenCentral() }
dependencies {
compileOnly 'org.apache.activemq:artemis-jakarta-server:2.28.0'
}
""", """
plugins {
id 'info.solidsoft.pitest' version '1.15.0'
id 'java'
}
repositories { mavenCentral() }
dependencies {
constraints {
implementation('org.apache.commons:commons-lang3:3.14.0')
}
compileOnly 'org.apache.activemq:artemis-jakarta-server:2.28.0'
}
"""
)
);
}
}
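Review bot: The test method `IncludedDefaultConfigurationsReceiveRuntimeConstraints` in the last hunk starts with a capital letter, unlike every other test in the file; rename it `includedDefaultConfigurationsReceiveRuntimeConstraints`. The same test is marked `@DocumentExample`, yet its name speaks of runtime constraints while the expected output pins an `implementation(...)` constraint for a dependency declared with `compileOnly`; a short comment on the test explaining why `implementation` is the expected target, or a name that matches the assertion, would make the documented example easier to follow. The enclosing test class starts before the first hunk.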
