RubyGems - dependabot-docker - Versions diffs - 0.212.0 → 0.214.0 - Mend

dependabot-docker 0.212.0 → 0.214.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/dependabot/docker/file_fetcher.rb +16 -18
data/lib/dependabot/docker/file_parser.rb +58 -43
data/lib/dependabot/docker/file_updater.rb +36 -7
data/lib/dependabot/docker/requirement.rb +5 -1
data/lib/dependabot/docker/update_checker.rb +91 -53
data/lib/dependabot/docker/utils/credentials_finder.rb +14 -1
data/lib/dependabot/docker/utils/helpers.rb +13 -0
data/lib/dependabot/docker/version.rb +22 -0
metadata +14 -55

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a77135a48c7aab9a2b1bb6069cdae9de09c7ee2d9d2b5eb8cc30e4fc4cfbb1a
-  data.tar.gz: 0b92a7eed035d963f08b99026a671f7201d2074de87692ada394eedbc373717f
+  metadata.gz: b7aabb905dbb5a64638f936079c477b091dd8b2a05aad7cc070c10e11977cc97
+  data.tar.gz: 4cc6bbe0291ded5c2e975f2256561044700a6a5903f1d110815de0ff5a0da281
 SHA512:
-  metadata.gz: b70a2a9fc4b2e1b0605ba08197407c1bb93af05bd9cb3a105805545cb8809659da347c0048c2442f3a8a24b10e926aa785704eaf3cd947997e5fc888864b0f87
-  data.tar.gz: 02a76d37235c6bb35d157ec86d63b974d2a1f678149bf781d1d745d8424cd762bb8b3d72d9b6076fea4bb79cb729a11f30d161273672924346b5da6cde1e5297
+  metadata.gz: d2a1629644bf4dcc1a523aaef694b2601f0008361468dbde35008396bb9dfe6c225857946bdad4f6dad384f11b7c763357a50a8f27ab02fb8cde23f9ce6f7271
+  data.tar.gz: b5a6df5e91b49e9faa2d972ee74b4aba244f83051e076cf33dda73dc9f55deee7895f8ffc4e5e13ef4d309ae33e1d9a9ef0e710bf6b12dd35545d524ec7dca7b

data/lib/dependabot/docker/file_fetcher.rb CHANGED Viewed

@@ -1,13 +1,15 @@
 # frozen_string_literal: true
+require "dependabot/docker/utils/helpers"
+require "dependabot/experiments"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 module Dependabot
   module Docker
     class FileFetcher < Dependabot::FileFetchers::Base
-      YAML_REGEXP = /^[^\.]+\.ya?ml$/i.freeze
-      DOCKER_REGEXP = /dockerfile/i.freeze
+      YAML_REGEXP = /^[^\.]+\.ya?ml$/i
+      DOCKER_REGEXP = /dockerfile/i
       def self.required_files_in?(filenames)
         filenames.any? { |f| f.match?(DOCKER_REGEXP) } or
@@ -20,26 +22,18 @@ module Dependabot
       private
-      def kubernetes_enabled?
-        options.key?(:kubernetes_updates) && options[:kubernetes_updates]
-      end
       def fetch_files
         fetched_files = []
         fetched_files += correctly_encoded_dockerfiles
-        fetched_files += correctly_encoded_yamlfiles if kubernetes_enabled?
+        fetched_files += correctly_encoded_yamlfiles
         return fetched_files if fetched_files.any?
-        if !kubernetes_enabled? && incorrectly_encoded_dockerfiles.none?
+        if incorrectly_encoded_dockerfiles.none? && incorrectly_encoded_yamlfiles.none?
           raise(
             Dependabot::DependencyFileNotFound,
-            File.join(directory, "Dockerfile")
-          )
-        elsif incorrectly_encoded_dockerfiles.none? && incorrectly_encoded_yamlfiles.none?
-          raise(
-            Dependabot::DependabotError,
-            "Found neither Kubernetes YAML nor Dockerfiles in #{directory}"
+            File.join(directory, "Dockerfile"),
+            "No Dockerfiles nor Kubernetes YAML found in #{directory}"
           )
         elsif incorrectly_encoded_dockerfiles.none?
           raise(
@@ -84,10 +78,14 @@ module Dependabot
       def correctly_encoded_yamlfiles
         candidate_files = yamlfiles.select { |f| f.content.valid_encoding? }
         candidate_files.select do |f|
-          # This doesn't handle multi-resource files, but it shouldn't matter, since the first resource
-          # in a multi-resource file had better be a valid k8s resource
-          content = ::YAML.safe_load(f.content, aliases: true)
-          likely_kubernetes_resource?(content)
+          if f.type == "file" && Utils.likely_helm_chart?(f)
+            true
+          else
+            # This doesn't handle multi-resource files, but it shouldn't matter, since the first resource
+            # in a multi-resource file had better be a valid k8s resource
+            content = ::YAML.safe_load(f.content, aliases: true)
+            likely_kubernetes_resource?(content)
+          end
         rescue ::Psych::Exception
           false
         end

data/lib/dependabot/docker/file_parser.rb CHANGED Viewed

@@ -15,27 +15,25 @@ module Dependabot
       # Details of Docker regular expressions is at
       # https://github.com/docker/distribution/blob/master/reference/regexp.go
-      DOMAIN_COMPONENT =
-        /(?:[[:alnum:]]|[[:alnum:]][[[:alnum:]]-]*[[:alnum:]])/.freeze
-      DOMAIN = /(?:#{DOMAIN_COMPONENT}(?:\.#{DOMAIN_COMPONENT})+)/.freeze
-      REGISTRY = /(?<registry>#{DOMAIN}(?::\d+)?)/.freeze
-      NAME_COMPONENT = /(?:[a-z\d]+(?:(?:[._]|__|[-]*)[a-z\d]+)*)/.freeze
-      IMAGE = %r{(?<image>#{NAME_COMPONENT}(?:/#{NAME_COMPONENT})*)}.freeze
-      FROM = /FROM/i.freeze
-      PLATFORM = /--platform\=(?<platform>\S+)/.freeze
-      TAG = /:(?<tag>[\w][\w.-]{0,127})/.freeze
-      DIGEST = /@(?<digest>[^\s]+)/.freeze
-      NAME = /\s+AS\s+(?<name>[\w-]+)/.freeze
+      DOMAIN_COMPONENT = /(?:[[:alnum:]]|[[:alnum:]][[[:alnum:]]-]*[[:alnum:]])/
+      DOMAIN = /(?:#{DOMAIN_COMPONENT}(?:\.#{DOMAIN_COMPONENT})+)/
+      REGISTRY = /(?<registry>#{DOMAIN}(?::\d+)?)/
+      NAME_COMPONENT = /(?:[a-z\d]+(?:(?:[._]|__|[-]*)[a-z\d]+)*)/
+      IMAGE = %r{(?<image>#{NAME_COMPONENT}(?:/#{NAME_COMPONENT})*)}
+      FROM = /FROM/i
+      PLATFORM = /--platform\=(?<platform>\S+)/
+      TAG = /:(?<tag>[\w][\w.-]{0,127})/
+      DIGEST = /@(?<digest>[^\s]+)/
+      NAME = /\s+AS\s+(?<name>[\w-]+)/
       FROM_LINE =
         %r{^#{FROM}\s+(#{PLATFORM}\s+)?(#{REGISTRY}/)?
-          #{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x.freeze
+          #{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x
-      AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/.freeze
+      AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
-      IMAGE_SPEC =
-        %r{^(#{REGISTRY}/)?#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x.freeze
+      IMAGE_SPEC = %r{^(#{REGISTRY}/)?#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}x
       def parse
         dependency_set = DependencySet.new
@@ -103,8 +101,9 @@ module Dependabot
       def version_from_digest(registry:, image:, digest:)
         return unless digest
-        repo = docker_repo_name(image, registry)
-        client = docker_registry_client(registry)
+        registry_details = fetch_registry_details(registry)
+        repo = docker_repo_name(image, registry_details["registry"])
+        client = docker_registry_client(registry_details["registry"], registry_details["credentials"])
         client.tags(repo, auto_paginate: true).fetch("tags").find do |tag|
           digest == client.digest(repo, tag)
         rescue DockerRegistry2::NotFound
@@ -114,46 +113,44 @@ module Dependabot
         end
       rescue DockerRegistry2::RegistryAuthenticationException,
              RestClient::Forbidden
-        raise if standard_registry?(registry)
+        raise PrivateSourceAuthenticationFailure, registry_details["registry"]
+      rescue RestClient::Exceptions::OpenTimeout,
+             RestClient::Exceptions::ReadTimeout
+        raise if credentials_finder.using_dockerhub?(registry_details["registry"])
-        raise PrivateSourceAuthenticationFailure, registry
+        raise PrivateSourceTimedOut, registry_details["registry"]
       end
       def docker_repo_name(image, registry)
-        return image unless standard_registry?(registry)
-        return image unless image.split("/").count < 2
+        return image if image.include? "/"
+        return "library/#{image}" if credentials_finder.using_dockerhub?(registry)
-        "library/#{image}"
+        image
       end
-      def docker_registry_client(registry)
-        if registry
-          credentials = registry_credentials(registry)
-          DockerRegistry2::Registry.new(
-            "https://#{registry}",
-            user: credentials&.fetch("username", nil),
-            password: credentials&.fetch("password", nil)
-          )
-        else
-          DockerRegistry2::Registry.new("https://registry.hub.docker.com")
+      def docker_registry_client(registry_hostname, registry_credentials)
+        unless credentials_finder.using_dockerhub?(registry_hostname)
+          return DockerRegistry2::Registry.new("https://#{registry_hostname}")
         end
+        DockerRegistry2::Registry.new(
+          "https://#{registry_hostname}",
+          user: registry_credentials&.fetch("username", nil),
+          password: registry_credentials&.fetch("password", nil),
+          read_timeout: 10
+        )
       end
-      def registry_credentials(registry_url)
-        credentials_finder.credentials_for_registry(registry_url)
+      def fetch_registry_details(registry)
+        registry ||= credentials_finder.base_registry
+        credentials = credentials_finder.credentials_for_registry(registry)
+        { "registry" => registry, "credentials" => credentials }
       end
       def credentials_finder
         @credentials_finder ||= Utils::CredentialsFinder.new(credentials)
       end
-      def standard_registry?(registry)
-        return true if registry.nil?
-        registry == "registry.hub.docker.com"
-      end
       def check_required_files
         # Just check if there are any files at all.
         return if dependency_files.any?
@@ -214,6 +211,8 @@ module Dependabot
         images =
           if !img.nil? && img.is_a?(String) && !img.empty?
             [img]
+          elsif !img.nil? && img.is_a?(Hash) && !img.empty?
+            parse_helm(img)
           else
             []
           end
@@ -225,6 +224,22 @@ module Dependabot
         # Dependencies include both Dockerfiles and yaml, select yaml.
         dependency_files.select { |f| f.type == "file" && f.name.match?(/^[^\.]+\.ya?ml/i) }
       end
+      def parse_helm(img_hash)
+        repo = img_hash.fetch("repository", nil)
+        tag = img_hash.key?("tag") ? img_hash.fetch("tag", nil) : img_hash.fetch("version", nil)
+        registry = img_hash.fetch("registry", nil)
+        if !repo.nil? && !registry.nil? && !tag.nil?
+          ["#{registry}/#{repo}:#{tag}"]
+        elsif !repo.nil? && !tag.nil?
+          ["#{repo}:#{tag}"]
+        elsif !repo.nil?
+          [repo]
+        else
+          []
+        end
+      end
     end
   end
 end

data/lib/dependabot/docker/file_updater.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require "dependabot/docker/utils/helpers"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/errors"
@@ -7,7 +8,7 @@ require "dependabot/errors"
 module Dependabot
   module Docker
     class FileUpdater < Dependabot::FileUpdaters::Base
-      FROM_REGEX = /FROM(\s+--platform\=\S+)?/i.freeze
+      FROM_REGEX = /FROM(\s+--platform\=\S+)?/i
       def self.updated_files_regex
         [
@@ -18,7 +19,6 @@ module Dependabot
       def updated_dependency_files
         updated_files = []
         dependency_files.each do |file|
           next unless requirement_changed?(file, dependency)
@@ -153,13 +153,29 @@ module Dependabot
       end
       def updated_yaml_content(file)
-        updated_content = update_image(file)
+        updated_content = Utils.likely_helm_chart?(file) ? update_helm(file) : update_image(file)
         raise "Expected content to change!" if updated_content == file.content
         updated_content
       end
+      def update_helm(file)
+        # TODO: this won't work if two images have the same tag version
+        old_tags = old_helm_tags(file)
+        return if old_tags.empty?
+        modified_content = file.content
+        old_tags.each do |old_tag|
+          old_tag_regex = /^\s+(?:-\s)?(?:tag|version):\s+#{old_tag}(?=\s|$)/
+          modified_content = modified_content.gsub(old_tag_regex) do |old_img_tag|
+            old_img_tag.gsub(old_tag.to_s, new_yaml_tag(file).to_s)
+          end
+        end
+        modified_content
+      end
       def update_image(file)
         old_images = old_yaml_images(file)
         return if old_images.empty?
@@ -176,13 +192,18 @@ module Dependabot
       end
       def new_yaml_image(file)
-        elt = dependency.requirements.find { |r| r[:file] == file.name }
-        prefix = elt.fetch(:source)[:registry] ? "#{elt.fetch(:source)[:registry]}/" : ""
-        digest = elt.fetch(:source)[:digest] ? "@#{elt.fetch(:source)[:digest]}" : ""
-        tag = elt.fetch(:source)[:tag] ? ":#{elt.fetch(:source)[:tag]}" : ""
+        element = dependency.requirements.find { |r| r[:file] == file.name }
+        prefix = element.fetch(:source)[:registry] ? "#{element.fetch(:source)[:registry]}/" : ""
+        digest = element.fetch(:source)[:digest] ? "@#{element.fetch(:source)[:digest]}" : ""
+        tag = element.fetch(:source)[:tag] ? ":#{element.fetch(:source)[:tag]}" : ""
         "#{prefix}#{dependency.name}#{tag}#{digest}"
       end
+      def new_yaml_tag(file)
+        element = dependency.requirements.find { |r| r[:file] == file.name }
+        element.fetch(:source)[:tag] || ""
+      end
       def old_yaml_images(file)
         dependency.
           previous_requirements.
@@ -193,6 +214,14 @@ module Dependabot
             "#{prefix}#{dependency.name}#{tag}#{digest}"
           end
       end
+      def old_helm_tags(file)
+        dependency.
+          previous_requirements.
+          select { |r| r[:file] == file.name }.map do |r|
+            r.fetch(:source)[:tag] || ""
+          end
+      end
     end
   end
 end

data/lib/dependabot/docker/requirement.rb CHANGED Viewed

@@ -6,13 +6,17 @@ module Dependabot
   module Docker
     # Lifted from the bundler package manager
     class Requirement < Gem::Requirement
-      # For consistency with other langauges, we define a requirements array.
+      # For consistency with other languages, we define a requirements array.
       # Ruby doesn't have an `OR` separator for requirements, so it always
       # contains a single element.
       def self.requirements_array(requirement_string)
         [new(requirement_string)]
       end
+      def satisfied_by?(version)
+        super(version.release_part)
+      end
       # Patches Gem::Requirement to make it accept requirement strings like
       # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
       def initialize(*requirements)

data/lib/dependabot/docker/update_checker.rb CHANGED Viewed

@@ -42,22 +42,19 @@ end
 module Dependabot
   module Docker
     class UpdateChecker < Dependabot::UpdateCheckers::Base
-      VERSION_REGEX =
-        /v?(?<version>[0-9]+(?:(?:\.[a-z0-9]+)|(?:-(?:kb)?[0-9]+))*)/i.freeze
-      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z0-9.\-]+)?$/i.freeze
-      VERSION_WITH_PFX = /^(?<prefix>[a-z0-9.\-]+-)?#{VERSION_REGEX}$/i.freeze
-      VERSION_WITH_PFX_AND_SFX =
-        /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i.
-        freeze
+      VERSION_REGEX = /v?(?<version>[0-9]+(?:\.[0-9]+)*(?:_[0-9]+|\.[a-z0-9]+|-(?:kb)?[0-9]+)*)/i
+      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
+      VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-]*-)?#{VERSION_REGEX}$/i
+      VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
       NAME_WITH_VERSION =
         /
           #{VERSION_WITH_PFX}|
           #{VERSION_WITH_SFX}|
           #{VERSION_WITH_PFX_AND_SFX}
-      /x.freeze
+      /x
       def latest_version
-        fetch_latest_version(dependency.version)
+        latest_version_from(dependency.version)
       end
       def latest_resolvable_version
@@ -74,7 +71,7 @@ module Dependabot
         dependency.requirements.map do |req|
           updated_source = req.fetch(:source).dup
           updated_source[:digest] = updated_digest if req[:source][:digest]
-          updated_source[:tag] = fetch_latest_version(req[:source][:tag]) if req[:source][:tag]
+          updated_source[:tag] = latest_version_from(req[:source][:tag]) if req[:source][:tag]
           req.merge(source: updated_source)
         end
@@ -120,7 +117,7 @@ module Dependabot
         # Check the precision of the potentially higher tag is the same as the
         # one it would replace. In the event that it's not the same, check the
         # digests are also unequal. Avoids 'updating' ruby-2 -> ruby-2.5.1
-        return false if old_v.split(".").count == latest_v.split(".").count
+        return false if precision_of(old_v) == precision_of(latest_v)
         digest_of(version) == digest_of(latest_version)
       end
@@ -134,33 +131,38 @@ module Dependabot
         end
       end
-      # NOTE: It's important that this *always* returns a version (even if
-      # it's the existing one) as it is what we later check the digest of.
-      def fetch_latest_version(version)
+      def latest_version_from(version)
         @versions ||= {}
         return @versions[version] if @versions.key?(version)
-        @versions[version] = begin
-          return version unless version.match?(NAME_WITH_VERSION)
-          # Prune out any downgrade tags before checking for pre-releases
-          # (which requires a call to the registry for each tag, so can be slow)
-          candidate_tags = comparable_tags_from_registry(version)
-          candidate_tags = remove_version_downgrades(candidate_tags, version)
+        @versions[version] = fetch_latest_version(version)
+      end
-          unless prerelease?(version)
-            candidate_tags =
-              candidate_tags.
-              reject { |tag| prerelease?(tag) }
+      # NOTE: It's important that this *always* returns a version (even if
+      # it's the existing one) as it is what we later check the digest of.
+      def fetch_latest_version(version)
+        return version unless version.match?(NAME_WITH_VERSION)
+        # Prune out any downgrade tags before checking for pre-releases
+        # (which requires a call to the registry for each tag, so can be slow)
+        candidate_tags = comparable_tags_from_registry(version)
+        candidate_tags = remove_version_downgrades(candidate_tags, version)
+        candidate_tags = remove_prereleases(candidate_tags, version)
+        candidate_tags = filter_ignored(candidate_tags)
+        candidate_tags = sort_tags(candidate_tags, version)
+        latest_tag = candidate_tags.last
+        if latest_tag && same_precision?(latest_tag, version)
+          latest_tag
+        else
+          latest_same_precision_tag = remove_precision_changes(candidate_tags, version).last
+          if latest_same_precision_tag && digest_of(latest_same_precision_tag) == digest_of(latest_tag)
+            latest_same_precision_tag
+          else
+            latest_tag || version
           end
-          latest_tag =
-            filter_ignored(candidate_tags).
-            max_by do |tag|
-              [version_class.new(numeric_version_from(tag)), tag.length]
-            end
-          latest_tag || version
         end
       end
@@ -169,28 +171,37 @@ module Dependabot
         original_suffix = suffix_of(version)
         original_format = format_of(version)
-        tags_from_registry.
+        candidate_tags =
+          tags_from_registry.
           select { |tag| tag.match?(NAME_WITH_VERSION) }.
           select { |tag| prefix_of(tag) == original_prefix }.
-          select { |tag| suffix_of(tag) == original_suffix || commit_sha_suffix?(tag) }.
           select { |tag| format_of(tag) == original_format }
+        return candidate_tags if original_format == :sha_suffixed
+        candidate_tags.select { |tag| suffix_of(tag) == original_suffix }
       end
       def remove_version_downgrades(candidate_tags, version)
         candidate_tags.select do |tag|
-          version_class.new(numeric_version_from(tag)) >=
-            version_class.new(numeric_version_from(version))
+          comparable_version_from(tag) >=
+            comparable_version_from(version)
         end
       end
-      def commit_sha_suffix?(tag)
-        # Some people suffix their versions with commit SHAs. Dependabot
-        # can't order on those but will try to, so instead we should exclude
-        # them (unless there's a `latest` version pushed to the registry, in
-        # which case we'll use that to find the latest version)
-        return false unless tag.match?(/(^|\-g?)[0-9a-f]{7,}$/)
+      def remove_prereleases(candidate_tags, version)
+        return candidate_tags if prerelease?(version)
-        !tag.match?(/(^|\-)\d+$/)
+        candidate_tags.reject { |tag| prerelease?(tag) }
+      end
+      def remove_precision_changes(candidate_tags, version)
+        candidate_tags.select do |tag|
+          same_precision?(tag, version)
+        end
+      end
+      def same_precision?(tag, another_tag)
+        precision_of(numeric_version_from(tag)) == precision_of(numeric_version_from(another_tag))
       end
       def version_of_latest_tag
@@ -199,13 +210,13 @@ module Dependabot
         candidate_tag =
           tags_from_registry.
           select { |tag| canonical_version?(tag) }.
-          sort_by { |t| version_class.new(numeric_version_from(t)) }.
+          sort_by { |t| comparable_version_from(t) }.
           reverse.
           find { |t| digest_of(t) == latest_digest }
         return unless candidate_tag
-        version_class.new(numeric_version_from(candidate_tag))
+        comparable_version_from(candidate_tag)
       end
       def canonical_version?(tag)
@@ -295,6 +306,7 @@ module Dependabot
         return :year_month if version.match?(/^[12]\d{3}(?:[.\-]|$)/)
         return :year_month_day if version.match?(/^[12]\d{5}(?:[.\-]|$)/)
+        return :sha_suffixed if tag.match?(/(^|\-g?)[0-9a-f]{7,}$/)
         return :build_num if version.match?(/^\d+$/)
         :normal
@@ -309,7 +321,11 @@ module Dependabot
         return false unless latest_digest
         return false unless version_of_latest_tag
-        version_class.new(numeric_version_from(tag)) > version_of_latest_tag
+        comparable_version_from(tag) > version_of_latest_tag
+      end
+      def comparable_version_from(tag)
+        version_class.new(numeric_version_from(tag))
       end
       def numeric_version_from(tag)
@@ -319,8 +335,9 @@ module Dependabot
       end
       def registry_hostname
-        dependency.requirements.first[:source][:registry] ||
-          "registry.hub.docker.com"
+        return dependency.requirements.first[:source][:registry] if dependency.requirements.first[:source][:registry]
+        credentials_finder.base_registry
       end
       def using_dockerhub?
@@ -347,15 +364,36 @@ module Dependabot
           DockerRegistry2::Registry.new(
             "https://#{registry_hostname}",
             user: registry_credentials&.fetch("username", nil),
-            password: registry_credentials&.fetch("password", nil)
+            password: registry_credentials&.fetch("password", nil),
+            read_timeout: 10
           )
       end
+      def sort_tags(candidate_tags, version)
+        candidate_tags.sort do |tag_a, tag_b|
+          if comparable_version_from(tag_a) > comparable_version_from(tag_b)
+            1
+          elsif comparable_version_from(tag_a) < comparable_version_from(tag_b)
+            -1
+          elsif same_precision?(tag_a, version)
+            1
+          elsif same_precision?(tag_b, version)
+            -1
+          else
+            0
+          end
+        end
+      end
+      def precision_of(version)
+        version.split(/[.-]/).length
+      end
       def filter_ignored(candidate_tags)
         filtered =
           candidate_tags.
           reject do |tag|
-            version = version_class.new(numeric_version_from(tag))
+            version = comparable_version_from(tag)
             ignore_requirements.any? { |r| r.satisfied_by?(version) }
           end
         if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(candidate_tags).any?
@@ -366,9 +404,9 @@ module Dependabot
       end
       def filter_lower_versions(tags)
-        versions_array = tags.map { |tag| version_class.new(numeric_version_from(tag)) }
+        versions_array = tags.map { |tag| comparable_version_from(tag) }
         versions_array.
-          select { |version| version > version_class.new(numeric_version_from(dependency.version)) }
+          select { |version| version > comparable_version_from(dependency.version) }
       end
     end
   end

data/lib/dependabot/docker/utils/credentials_finder.rb CHANGED Viewed

@@ -9,7 +9,8 @@ module Dependabot
   module Docker
     module Utils
       class CredentialsFinder
-        AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/.freeze
+        AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
+        DEFAULT_DOCKER_HUB_REGISTRY = "registry.hub.docker.com"
         def initialize(credentials)
           @credentials = credentials
@@ -26,6 +27,18 @@ module Dependabot
           build_aws_credentials(registry_details)
         end
+        def base_registry
+          @base_registry ||= credentials.find do |cred|
+            cred["type"] == "docker_registry" && cred["replaces-base"] == true
+          end
+          @base_registry ||= { "registry" => DEFAULT_DOCKER_HUB_REGISTRY, "credentials" => nil }
+          @base_registry["registry"]
+        end
+        def using_dockerhub?(registry)
+          registry == DEFAULT_DOCKER_HUB_REGISTRY
+        end
         private
         attr_reader :credentials

data/lib/dependabot/docker/utils/helpers.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Dependabot
+  module Docker
+    module Utils
+      HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.ya?ml$/i
+      def self.likely_helm_chart?(file)
+        file.name.match?(HELM_REGEXP)
+      end
+    end
+  end
+end

data/lib/dependabot/docker/version.rb CHANGED Viewed

@@ -4,7 +4,29 @@ require "dependabot/utils"
 module Dependabot
   module Docker
+    # In the special case of Java, the version string may also contain
+    # optional "update number" and "identifier" components.
+    # See https://www.oracle.com/java/technologies/javase/versioning-naming.html
+    # for a description of Java versions.
+    #
     class Version < Gem::Version
+      def initialize(version)
+        release_part, update_part = version.split("_", 2)
+        @release_part = Gem::Version.new(release_part.tr("-", "."))
+        @update_part = Gem::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
+      end
+      attr_reader :release_part
+      def <=>(other)
+        sort_criteria <=> other.sort_criteria
+      end
+      def sort_criteria
+        [@release_part, @update_part]
+      end
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-  version: 0.212.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-06 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,42 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
-- !ruby/object:Gem::Dependency
-  name: debase
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-- !ruby/object:Gem::Dependency
-  name: debase-ruby_core_source
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -142,42 +114,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.14.2
-- !ruby/object:Gem::Dependency
-  name: ruby-debug-ide
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -263,6 +221,7 @@ files:
 - lib/dependabot/docker/requirement.rb
 - lib/dependabot/docker/update_checker.rb
 - lib/dependabot/docker/utils/credentials_finder.rb
+- lib/dependabot/docker/utils/helpers.rb
 - lib/dependabot/docker/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
@@ -276,14 +235,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Docker support for dependabot-common