dependabot-docker 0.212.0 → 0.213.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/docker/file_fetcher.rb +13 -7
- data/lib/dependabot/docker/file_parser.rb +33 -17
- data/lib/dependabot/docker/file_updater.rb +35 -7
- data/lib/dependabot/docker/requirement.rb +5 -1
- data/lib/dependabot/docker/update_checker.rb +7 -8
- data/lib/dependabot/docker/utils/credentials_finder.rb +1 -1
- data/lib/dependabot/docker/version.rb +22 -0
- metadata +13 -55
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ebc54cfc835861f5ff7c37dabe72928e92786cda8925b7744029121b17fdc097
|
4
|
+
data.tar.gz: 4e99d4753649e65f7d34295f596c9de8e1060487e066c8c3cc6a2054e9e6c30a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2312611afec9a4b58b82b0327a95f9257ae1cfacabc7f294c9eba48e52cf5d268dcf9004260a8fcb5aa9b6d9f647c2df5199b8bc9ad6e4131a4ad7ec85fa693e
|
7
|
+
data.tar.gz: 74760bd8b337feb6a2b7ca3a083079c2f6c187bdd2495c9467bc7a5b5f96bb825ac8cfda8defce871295d6e10ec4e8dbed01a6776816f83cc87eabc75517537d
|
@@ -1,13 +1,15 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require "dependabot/experiments"
|
3
4
|
require "dependabot/file_fetchers"
|
4
5
|
require "dependabot/file_fetchers/base"
|
5
6
|
|
6
7
|
module Dependabot
|
7
8
|
module Docker
|
8
9
|
class FileFetcher < Dependabot::FileFetchers::Base
|
9
|
-
YAML_REGEXP = /^[^\.]+\.ya?ml$/i
|
10
|
-
DOCKER_REGEXP = /dockerfile/i
|
10
|
+
YAML_REGEXP = /^[^\.]+\.ya?ml$/i
|
11
|
+
DOCKER_REGEXP = /dockerfile/i
|
12
|
+
HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.yaml/i
|
11
13
|
|
12
14
|
def self.required_files_in?(filenames)
|
13
15
|
filenames.any? { |f| f.match?(DOCKER_REGEXP) } or
|
@@ -21,7 +23,7 @@ module Dependabot
|
|
21
23
|
private
|
22
24
|
|
23
25
|
def kubernetes_enabled?
|
24
|
-
|
26
|
+
Experiments.enabled?(:kubernetes_updates)
|
25
27
|
end
|
26
28
|
|
27
29
|
def fetch_files
|
@@ -84,10 +86,14 @@ module Dependabot
|
|
84
86
|
def correctly_encoded_yamlfiles
|
85
87
|
candidate_files = yamlfiles.select { |f| f.content.valid_encoding? }
|
86
88
|
candidate_files.select do |f|
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
89
|
+
if f.type == "file" && f.name.match?(HELM_REGEXP)
|
90
|
+
true
|
91
|
+
else
|
92
|
+
# This doesn't handle multi-resource files, but it shouldn't matter, since the first resource
|
93
|
+
# in a multi-resource file had better be a valid k8s resource
|
94
|
+
content = ::YAML.safe_load(f.content, aliases: true)
|
95
|
+
likely_kubernetes_resource?(content)
|
96
|
+
end
|
91
97
|
rescue ::Psych::Exception
|
92
98
|
false
|
93
99
|
end
|
@@ -15,27 +15,25 @@ module Dependabot
|
|
15
15
|
|
16
16
|
# Details of Docker regular expressions is at
|
17
17
|
# https://github.com/docker/distribution/blob/master/reference/regexp.go
|
18
|
-
DOMAIN_COMPONENT =
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
NAME = /\s+AS\s+(?<name>[\w-]+)/.freeze
|
18
|
+
DOMAIN_COMPONENT = /(?:[[:alnum:]]|[[:alnum:]][[[:alnum:]]-]*[[:alnum:]])/
|
19
|
+
DOMAIN = /(?:#{DOMAIN_COMPONENT}(?:\.#{DOMAIN_COMPONENT})+)/
|
20
|
+
REGISTRY = /(?<registry>#{DOMAIN}(?::\d+)?)/
|
21
|
+
|
22
|
+
NAME_COMPONENT = /(?:[a-z\d]+(?:(?:[._]|__|[-]*)[a-z\d]+)*)/
|
23
|
+
IMAGE = %r{(?<image>#{NAME_COMPONENT}(?:/#{NAME_COMPONENT})*)}
|
24
|
+
|
25
|
+
FROM = /FROM/i
|
26
|
+
PLATFORM = /--platform\=(?<platform>\S+)/
|
27
|
+
TAG = /:(?<tag>[\w][\w.-]{0,127})/
|
28
|
+
DIGEST = /@(?<digest>[^\s]+)/
|
29
|
+
NAME = /\s+AS\s+(?<name>[\w-]+)/
|
31
30
|
FROM_LINE =
|
32
31
|
%r{^#{FROM}\s+(#{PLATFORM}\s+)?(#{REGISTRY}/)?
|
33
|
-
#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x
|
32
|
+
#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x
|
34
33
|
|
35
|
-
AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com
|
34
|
+
AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
|
36
35
|
|
37
|
-
IMAGE_SPEC =
|
38
|
-
%r{^(#{REGISTRY}/)?#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x.freeze
|
36
|
+
IMAGE_SPEC = %r{^(#{REGISTRY}/)?#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x
|
39
37
|
|
40
38
|
def parse
|
41
39
|
dependency_set = DependencySet.new
|
@@ -214,6 +212,8 @@ module Dependabot
|
|
214
212
|
images =
|
215
213
|
if !img.nil? && img.is_a?(String) && !img.empty?
|
216
214
|
[img]
|
215
|
+
elsif !img.nil? && img.is_a?(Hash) && !img.empty?
|
216
|
+
parse_helm(img)
|
217
217
|
else
|
218
218
|
[]
|
219
219
|
end
|
@@ -225,6 +225,22 @@ module Dependabot
|
|
225
225
|
# Dependencies include both Dockerfiles and yaml, select yaml.
|
226
226
|
dependency_files.select { |f| f.type == "file" && f.name.match?(/^[^\.]+\.ya?ml/i) }
|
227
227
|
end
|
228
|
+
|
229
|
+
def parse_helm(img_hash)
|
230
|
+
repo = img_hash.fetch("repository", nil)
|
231
|
+
tag = img_hash.key?("tag") ? img_hash.fetch("tag", nil) : img_hash.fetch("version", nil)
|
232
|
+
registry = img_hash.fetch("registry", nil)
|
233
|
+
|
234
|
+
if !repo.nil? && !registry.nil? && !tag.nil?
|
235
|
+
["#{registry}/#{repo}:#{tag}"]
|
236
|
+
elsif !repo.nil? && !tag.nil?
|
237
|
+
["#{repo}:#{tag}"]
|
238
|
+
elsif !repo.nil?
|
239
|
+
[repo]
|
240
|
+
else
|
241
|
+
[]
|
242
|
+
end
|
243
|
+
end
|
228
244
|
end
|
229
245
|
end
|
230
246
|
end
|
@@ -7,7 +7,7 @@ require "dependabot/errors"
|
|
7
7
|
module Dependabot
|
8
8
|
module Docker
|
9
9
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
10
|
-
FROM_REGEX = /FROM(\s+--platform\=\S+)?/i
|
10
|
+
FROM_REGEX = /FROM(\s+--platform\=\S+)?/i
|
11
11
|
|
12
12
|
def self.updated_files_regex
|
13
13
|
[
|
@@ -18,7 +18,6 @@ module Dependabot
|
|
18
18
|
|
19
19
|
def updated_dependency_files
|
20
20
|
updated_files = []
|
21
|
-
|
22
21
|
dependency_files.each do |file|
|
23
22
|
next unless requirement_changed?(file, dependency)
|
24
23
|
|
@@ -153,13 +152,29 @@ module Dependabot
|
|
153
152
|
end
|
154
153
|
|
155
154
|
def updated_yaml_content(file)
|
156
|
-
updated_content = update_image(file)
|
155
|
+
updated_content = file.name == "values.yaml" ? update_helm(file) : update_image(file)
|
157
156
|
|
158
157
|
raise "Expected content to change!" if updated_content == file.content
|
159
158
|
|
160
159
|
updated_content
|
161
160
|
end
|
162
161
|
|
162
|
+
def update_helm(file)
|
163
|
+
# TODO: this won't work if two images have the same tag version
|
164
|
+
old_tags = old_helm_tags(file)
|
165
|
+
return if old_tags.empty?
|
166
|
+
|
167
|
+
modified_content = file.content
|
168
|
+
|
169
|
+
old_tags.each do |old_tag|
|
170
|
+
old_tag_regex = /^\s+(?:-\s)?(?:tag|version):\s+#{old_tag}(?=\s|$)/
|
171
|
+
modified_content = modified_content.gsub(old_tag_regex) do |old_img_tag|
|
172
|
+
old_img_tag.gsub(old_tag.to_s, new_yaml_tag(file).to_s)
|
173
|
+
end
|
174
|
+
end
|
175
|
+
modified_content
|
176
|
+
end
|
177
|
+
|
163
178
|
def update_image(file)
|
164
179
|
old_images = old_yaml_images(file)
|
165
180
|
return if old_images.empty?
|
@@ -176,13 +191,18 @@ module Dependabot
|
|
176
191
|
end
|
177
192
|
|
178
193
|
def new_yaml_image(file)
|
179
|
-
|
180
|
-
prefix =
|
181
|
-
digest =
|
182
|
-
tag =
|
194
|
+
element = dependency.requirements.find { |r| r[:file] == file.name }
|
195
|
+
prefix = element.fetch(:source)[:registry] ? "#{element.fetch(:source)[:registry]}/" : ""
|
196
|
+
digest = element.fetch(:source)[:digest] ? "@#{element.fetch(:source)[:digest]}" : ""
|
197
|
+
tag = element.fetch(:source)[:tag] ? ":#{element.fetch(:source)[:tag]}" : ""
|
183
198
|
"#{prefix}#{dependency.name}#{tag}#{digest}"
|
184
199
|
end
|
185
200
|
|
201
|
+
def new_yaml_tag(file)
|
202
|
+
element = dependency.requirements.find { |r| r[:file] == file.name }
|
203
|
+
element.fetch(:source)[:tag] || ""
|
204
|
+
end
|
205
|
+
|
186
206
|
def old_yaml_images(file)
|
187
207
|
dependency.
|
188
208
|
previous_requirements.
|
@@ -193,6 +213,14 @@ module Dependabot
|
|
193
213
|
"#{prefix}#{dependency.name}#{tag}#{digest}"
|
194
214
|
end
|
195
215
|
end
|
216
|
+
|
217
|
+
def old_helm_tags(file)
|
218
|
+
dependency.
|
219
|
+
previous_requirements.
|
220
|
+
select { |r| r[:file] == file.name }.map do |r|
|
221
|
+
r.fetch(:source)[:tag] || ""
|
222
|
+
end
|
223
|
+
end
|
196
224
|
end
|
197
225
|
end
|
198
226
|
end
|
@@ -6,13 +6,17 @@ module Dependabot
|
|
6
6
|
module Docker
|
7
7
|
# Lifted from the bundler package manager
|
8
8
|
class Requirement < Gem::Requirement
|
9
|
-
# For consistency with other
|
9
|
+
# For consistency with other languages, we define a requirements array.
|
10
10
|
# Ruby doesn't have an `OR` separator for requirements, so it always
|
11
11
|
# contains a single element.
|
12
12
|
def self.requirements_array(requirement_string)
|
13
13
|
[new(requirement_string)]
|
14
14
|
end
|
15
15
|
|
16
|
+
def satisfied_by?(version)
|
17
|
+
super(version.release_part)
|
18
|
+
end
|
19
|
+
|
16
20
|
# Patches Gem::Requirement to make it accept requirement strings like
|
17
21
|
# "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
|
18
22
|
def initialize(*requirements)
|
@@ -43,18 +43,16 @@ module Dependabot
|
|
43
43
|
module Docker
|
44
44
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
45
45
|
VERSION_REGEX =
|
46
|
-
/v?(?<version>[0-9]+(?:(?:\.[
|
47
|
-
VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z0-9.\-]+)?$/i
|
48
|
-
VERSION_WITH_PFX = /^(?<prefix>[a-z0-9.\-]+-)?#{VERSION_REGEX}$/i
|
49
|
-
VERSION_WITH_PFX_AND_SFX =
|
50
|
-
/^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i.
|
51
|
-
freeze
|
46
|
+
/v?(?<version>[0-9]+(?:(?:\.[_a-z0-9]+)|(?:-(?:kb)?[0-9]+))*)/i
|
47
|
+
VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z0-9.\-]+)?$/i
|
48
|
+
VERSION_WITH_PFX = /^(?<prefix>[a-z0-9.\-]+-)?#{VERSION_REGEX}$/i
|
49
|
+
VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
|
52
50
|
NAME_WITH_VERSION =
|
53
51
|
/
|
54
52
|
#{VERSION_WITH_PFX}|
|
55
53
|
#{VERSION_WITH_SFX}|
|
56
54
|
#{VERSION_WITH_PFX_AND_SFX}
|
57
|
-
/x
|
55
|
+
/x
|
58
56
|
|
59
57
|
def latest_version
|
60
58
|
fetch_latest_version(dependency.version)
|
@@ -347,7 +345,8 @@ module Dependabot
|
|
347
345
|
DockerRegistry2::Registry.new(
|
348
346
|
"https://#{registry_hostname}",
|
349
347
|
user: registry_credentials&.fetch("username", nil),
|
350
|
-
password: registry_credentials&.fetch("password", nil)
|
348
|
+
password: registry_credentials&.fetch("password", nil),
|
349
|
+
read_timeout: 10
|
351
350
|
)
|
352
351
|
end
|
353
352
|
|
@@ -9,7 +9,7 @@ module Dependabot
|
|
9
9
|
module Docker
|
10
10
|
module Utils
|
11
11
|
class CredentialsFinder
|
12
|
-
AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com
|
12
|
+
AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
|
13
13
|
|
14
14
|
def initialize(credentials)
|
15
15
|
@credentials = credentials
|
@@ -4,7 +4,29 @@ require "dependabot/utils"
|
|
4
4
|
|
5
5
|
module Dependabot
|
6
6
|
module Docker
|
7
|
+
# In the special case of Java, the version string may also contain
|
8
|
+
# optional "update number" and "identifier" components.
|
9
|
+
# See https://www.oracle.com/java/technologies/javase/versioning-naming.html
|
10
|
+
# for a description of Java versions.
|
11
|
+
#
|
7
12
|
class Version < Gem::Version
|
13
|
+
def initialize(version)
|
14
|
+
release_part, update_part = version.split("_", 2)
|
15
|
+
|
16
|
+
@release_part = Gem::Version.new(release_part)
|
17
|
+
|
18
|
+
@update_part = Gem::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
|
19
|
+
end
|
20
|
+
|
21
|
+
attr_reader :release_part
|
22
|
+
|
23
|
+
def <=>(other)
|
24
|
+
sort_criteria <=> other.sort_criteria
|
25
|
+
end
|
26
|
+
|
27
|
+
def sort_criteria
|
28
|
+
[@release_part, @update_part]
|
29
|
+
end
|
8
30
|
end
|
9
31
|
end
|
10
32
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-docker
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.213.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-10-31 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,42 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.213.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
27
|
-
- !ruby/object:Gem::Dependency
|
28
|
-
name: debase
|
29
|
-
requirement: !ruby/object:Gem::Requirement
|
30
|
-
requirements:
|
31
|
-
- - '='
|
32
|
-
- !ruby/object:Gem::Version
|
33
|
-
version: 0.2.3
|
34
|
-
type: :development
|
35
|
-
prerelease: false
|
36
|
-
version_requirements: !ruby/object:Gem::Requirement
|
37
|
-
requirements:
|
38
|
-
- - '='
|
39
|
-
- !ruby/object:Gem::Version
|
40
|
-
version: 0.2.3
|
41
|
-
- !ruby/object:Gem::Dependency
|
42
|
-
name: debase-ruby_core_source
|
43
|
-
requirement: !ruby/object:Gem::Requirement
|
44
|
-
requirements:
|
45
|
-
- - '='
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: 0.10.16
|
48
|
-
type: :development
|
49
|
-
prerelease: false
|
50
|
-
version_requirements: !ruby/object:Gem::Requirement
|
51
|
-
requirements:
|
52
|
-
- - '='
|
53
|
-
- !ruby/object:Gem::Version
|
54
|
-
version: 0.10.16
|
26
|
+
version: 0.213.0
|
55
27
|
- !ruby/object:Gem::Dependency
|
56
28
|
name: debug
|
57
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -86,14 +58,14 @@ dependencies:
|
|
86
58
|
requirements:
|
87
59
|
- - "~>"
|
88
60
|
- !ruby/object:Gem::Version
|
89
|
-
version: 3.
|
61
|
+
version: 3.13.0
|
90
62
|
type: :development
|
91
63
|
prerelease: false
|
92
64
|
version_requirements: !ruby/object:Gem::Requirement
|
93
65
|
requirements:
|
94
66
|
- - "~>"
|
95
67
|
- !ruby/object:Gem::Version
|
96
|
-
version: 3.
|
68
|
+
version: 3.13.0
|
97
69
|
- !ruby/object:Gem::Dependency
|
98
70
|
name: rake
|
99
71
|
requirement: !ruby/object:Gem::Requirement
|
@@ -142,42 +114,28 @@ dependencies:
|
|
142
114
|
requirements:
|
143
115
|
- - "~>"
|
144
116
|
- !ruby/object:Gem::Version
|
145
|
-
version: 1.
|
117
|
+
version: 1.37.1
|
146
118
|
type: :development
|
147
119
|
prerelease: false
|
148
120
|
version_requirements: !ruby/object:Gem::Requirement
|
149
121
|
requirements:
|
150
122
|
- - "~>"
|
151
123
|
- !ruby/object:Gem::Version
|
152
|
-
version: 1.
|
124
|
+
version: 1.37.1
|
153
125
|
- !ruby/object:Gem::Dependency
|
154
126
|
name: rubocop-performance
|
155
127
|
requirement: !ruby/object:Gem::Requirement
|
156
128
|
requirements:
|
157
129
|
- - "~>"
|
158
130
|
- !ruby/object:Gem::Version
|
159
|
-
version: 1.
|
160
|
-
type: :development
|
161
|
-
prerelease: false
|
162
|
-
version_requirements: !ruby/object:Gem::Requirement
|
163
|
-
requirements:
|
164
|
-
- - "~>"
|
165
|
-
- !ruby/object:Gem::Version
|
166
|
-
version: 1.14.2
|
167
|
-
- !ruby/object:Gem::Dependency
|
168
|
-
name: ruby-debug-ide
|
169
|
-
requirement: !ruby/object:Gem::Requirement
|
170
|
-
requirements:
|
171
|
-
- - "~>"
|
172
|
-
- !ruby/object:Gem::Version
|
173
|
-
version: 0.7.3
|
131
|
+
version: 1.15.0
|
174
132
|
type: :development
|
175
133
|
prerelease: false
|
176
134
|
version_requirements: !ruby/object:Gem::Requirement
|
177
135
|
requirements:
|
178
136
|
- - "~>"
|
179
137
|
- !ruby/object:Gem::Version
|
180
|
-
version:
|
138
|
+
version: 1.15.0
|
181
139
|
- !ruby/object:Gem::Dependency
|
182
140
|
name: simplecov
|
183
141
|
requirement: !ruby/object:Gem::Requirement
|
@@ -276,14 +234,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
276
234
|
requirements:
|
277
235
|
- - ">="
|
278
236
|
- !ruby/object:Gem::Version
|
279
|
-
version:
|
237
|
+
version: 3.1.0
|
280
238
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
281
239
|
requirements:
|
282
240
|
- - ">="
|
283
241
|
- !ruby/object:Gem::Version
|
284
|
-
version:
|
242
|
+
version: 3.1.0
|
285
243
|
requirements: []
|
286
|
-
rubygems_version: 3.
|
244
|
+
rubygems_version: 3.3.7
|
287
245
|
signing_key:
|
288
246
|
specification_version: 4
|
289
247
|
summary: Docker support for dependabot-common
|