Handle ruby and pm specific version requirements

This is an attempt to handle both ruby and package manager specific
version requirements from ignore conditions in the package manager
specific requirement class.

We currently create ruby style ignore requirement when commenting on
dependabot PRs with £dependabot ignore this major version for example.
We also say to use the package manager specific requirement syntax when
adding ignores to the config file.

We also support specifying comma-separated ignore conditions as a single
string, > 1.2.3, <= 2.0.0 and split these when parsing the ignore
conditions. This works for most ecosystems except for gradle/maven that
have special range syntax, we used to handle this specifically when
parsing ignore conditions:
https://github.com/dependabot/dependabot-core/pull/3368/files#diff-3107de50e63836063ddedc0b51b50e47d1dba7d517f060e051b1b4d9494dd2abL131-L135

All requirement classes now support splitting comma-separated strings,
whereas only some did this in the past and those who didn't would raise
from Gem::Requirement.

Using the requirements_array method also means we'll properly deal with
languages that support OR syntax, e.q.
https://github.com/dependabot/dependabot-core/blob/main/maven/lib/dependabot/maven/requirement.rb#L28

Author: feelepxyz

bundler/lib/dependabot/bundler/requirement.rb

@@ -16,7 +16,7 @@ def self.requirements_array(requirement_string)
       # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
-          req_string.split(",")
+          req_string.split(",").map(&:strip)
         end
 
         super(requirements)

bundler/lib/dependabot/bundler/update_checker/latest_version_finder.rb

@@ -70,7 +70,7 @@ def filter_prerelease_versions(versions_array)
 
         def filter_ignored_versions(versions_array)
           filtered = versions_array.
-                     reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+                     reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
           raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
 
           filtered
@@ -110,8 +110,8 @@ def dependency_source
           )
         end
 
-        def ignore_reqs
-          ignored_versions.map { |req| Gem::Requirement.new(req.split(",")) }
+        def ignore_requirements
+          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
         end
 
         def gemfile

cargo/lib/dependabot/cargo/requirement.rb

@@ -42,7 +42,7 @@ def self.requirements_array(requirement_string)
 
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
-          req_string.split(",").map do |r|
+          req_string.split(",").map(&:strip).map do |r|
             convert_rust_constraint_to_ruby_constraint(r.strip)
           end
         end

cargo/lib/dependabot/cargo/update_checker/latest_version_finder.rb

@@ -55,7 +55,7 @@ def filter_prerelease_versions(versions_array)
 
         def filter_ignored_versions(versions_array)
           filtered = versions_array.
-                     reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+                     reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
           raise Dependabot::AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
 
           filtered
@@ -108,8 +108,8 @@ def wants_prerelease?
           end
         end
 
-        def ignore_reqs
-          ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+        def ignore_requirements
+          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
         end
 
         def version_class

common/lib/dependabot/git_commit_checker.rb

@@ -92,7 +92,7 @@ def local_tag_for_latest_version
         local_tags.
         select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
       filtered = tags.
-                 reject { |t| tag_included_in_ignore_reqs?(t) }
+                 reject { |t| tag_included_in_ignore_requirements?(t) }
       raise Dependabot::AllVersionsIgnored if @raise_on_ignored && tags.any? && filtered.empty?
 
       tag = filtered.
@@ -317,8 +317,8 @@ def listing_upload_pack
       listing_repo_git_metadata_fetcher.upload_pack
     end
 
-    def ignore_reqs
-      ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+    def ignore_requirements
+      ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
     end
 
     def wants_prerelease?
@@ -330,9 +330,9 @@ def wants_prerelease?
       version_class.new(version).prerelease?
     end
 
-    def tag_included_in_ignore_reqs?(tag)
+    def tag_included_in_ignore_requirements?(tag)
       version = tag.name.match(VERSION_REGEX).named_captures.fetch("version")
-      ignore_reqs.any? { |r| r.satisfied_by?(version_class.new(version)) }
+      ignore_requirements.any? { |r| r.satisfied_by?(version_class.new(version)) }
     end
 
     def tag_is_prerelease?(tag)

common/lib/dependabot/update_checkers/base.rb

@@ -38,7 +38,7 @@ def up_to_date?
 
       def can_update?(requirements_to_unlock:)
         # Can't update if all versions are being ignored
-        return false if ignore_reqs.include?(requirement_class.new(">= 0"))
+        return false if ignore_requirements.include?(requirement_class.new(">= 0"))
 
         if dependency.version
           version_can_update?(requirements_to_unlock: requirements_to_unlock)
@@ -141,6 +141,10 @@ def vulnerable?
         security_advisories.any? { |a| a.vulnerable?(version) }
       end
 
+      def ignore_requirements
+        ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+      end
+
       private
 
       def latest_version_resolvable_with_full_unlock?
@@ -296,10 +300,6 @@ def requirements_can_update?
 
         changed_requirements.none? { |r| r[:requirement] == :unfixable }
       end
-
-      def ignore_reqs
-        ignored_versions.map { |req| requirement_class.new(req.split(",")) }
-      end
     end
   end
 end

common/spec/dependabot/git_commit_checker_spec.rb

@@ -925,6 +925,11 @@
           its([:tag]) { is_expected.to eq("v1.11.1") }
         end
 
+        context "multiple ignore conditions" do
+          let(:ignored_versions) { [">= 1.11.2, < 1.12.0"] }
+          its([:tag]) { is_expected.to eq("v1.13.0") }
+        end
+
         context "all versions ignored" do
           let(:ignored_versions) { [">= 0"] }
           it "returns nil" do

common/spec/dependabot/update_checkers/base_spec.rb

@@ -10,6 +10,7 @@
     described_class.new(
       dependency: dependency,
       dependency_files: [],
+      ignored_versions: ignored_versions,
       credentials: [{
         "type" => "git_source",
         "host" => "github.com",
@@ -26,6 +27,7 @@
       package_manager: "dummy"
     )
   end
+  let(:ignored_versions) { [] }
   let(:latest_version) { Gem::Version.new("1.0.0") }
   let(:original_requirements) do
     [{ file: "Gemfile", requirement: ">= 0", groups: [], source: nil }]
@@ -600,4 +602,16 @@
       it { is_expected.to eq(false) }
     end
   end
+
+  describe "#ignore_requirements" do
+    subject(:ignore_requirements) { updater_instance.ignore_requirements }
+
+    it { is_expected.to eq([]) }
+
+    context "with ignored versions" do
+      let(:ignored_versions) { ["~> 1.0, < 2"] }
+
+      it { is_expected.to eq([updater_instance.requirement_class.new("~> 1.0", "< 2")]) }
+    end
+  end
 end

common/spec/dummy_package_manager/requirement.rb

@@ -7,6 +7,16 @@ class Requirement < Gem::Requirement
     def self.requirements_array(requirement_string)
       [new(requirement_string)]
     end
+
+    # Patches Gem::Requirement to make it accept requirement strings like
+    # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+    def initialize(*requirements)
+      requirements = requirements.flatten.flat_map do |req_string|
+        req_string.split(",").map(&:strip)
+      end
+
+      super(requirements)
+    end
   end
 end
 

composer/lib/dependabot/composer/update_checker/latest_version_finder.rb

@@ -60,7 +60,7 @@ def filter_prerelease_versions(versions_array)
         def filter_ignored_versions(versions_array)
           filtered =
             versions_array.
-            reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+            reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
 
           raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
 
@@ -178,7 +178,7 @@ def auth_json
           dependency_files.find { |f| f.name == "auth.json" }
         end
 
-        def ignore_reqs
+        def ignore_requirements
           ignored_versions.map { |req| requirement_class.new(req.split(",")) }
         end