dependabot-docker 0.236.0 → 0.238.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 69bb77e9d2f9e7ba40fcb0e22d511c145a476f3f63552cf6eead115d6a65a752
|
|
4
|
+
data.tar.gz: 775a23cba49f525d5093629661c161d4deae5354daf52c8a5444f4cd6f3cdd09
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 96b9846927942ae465ab404247ad68f2cab7eaaa7e9301daec8153971154bb8a92f7be966f31ceb6e71dd0ca5a8685fcc032871257303ba35d11bef00833ce5a
|
|
7
|
+
data.tar.gz: 72c9b25b755bef30169f6428a66df7be98a02e35cc77e60d3a99e8cbf8c1d2a3ea4ba00d7bccdfe367d147f8287045f106a18267c76b80806fd18dcfbe88a155
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
# typed: false
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
4
5
|
require "dependabot/docker/utils/helpers"
|
|
5
6
|
require "dependabot/file_fetchers"
|
|
6
7
|
require "dependabot/file_fetchers/base"
|
|
@@ -8,6 +9,9 @@ require "dependabot/file_fetchers/base"
|
|
|
8
9
|
module Dependabot
|
|
9
10
|
module Docker
|
|
10
11
|
class FileFetcher < Dependabot::FileFetchers::Base
|
|
12
|
+
extend T::Sig
|
|
13
|
+
extend T::Helpers
|
|
14
|
+
|
|
11
15
|
YAML_REGEXP = /^[^\.]+\.ya?ml$/i
|
|
12
16
|
DOCKER_REGEXP = /dockerfile/i
|
|
13
17
|
|
|
@@ -20,8 +24,7 @@ module Dependabot
|
|
|
20
24
|
"Repo must contain a Dockerfile or Kubernetes YAML files."
|
|
21
25
|
end
|
|
22
26
|
|
|
23
|
-
|
|
24
|
-
|
|
27
|
+
sig { override.returns(T::Array[DependencyFile]) }
|
|
25
28
|
def fetch_files
|
|
26
29
|
fetched_files = []
|
|
27
30
|
fetched_files += correctly_encoded_dockerfiles
|
|
@@ -48,6 +51,8 @@ module Dependabot
|
|
|
48
51
|
end
|
|
49
52
|
end
|
|
50
53
|
|
|
54
|
+
private
|
|
55
|
+
|
|
51
56
|
def dockerfiles
|
|
52
57
|
@dockerfiles ||=
|
|
53
58
|
repo_contents(raise_errors: false)
|
|
@@ -24,12 +24,14 @@ module Dependabot
|
|
|
24
24
|
|
|
25
25
|
FROM = /FROM/i
|
|
26
26
|
PLATFORM = /--platform\=(?<platform>\S+)/
|
|
27
|
-
|
|
27
|
+
TAG_NO_PREFIX = /(?<tag>[\w][\w.-]{0,127})/
|
|
28
|
+
TAG = /:#{TAG_NO_PREFIX}/
|
|
28
29
|
DIGEST = /(?<digest>[0-9a-f]{64})/
|
|
29
30
|
NAME = /\s+AS\s+(?<name>[\w-]+)/
|
|
30
31
|
FROM_LINE =
|
|
31
32
|
%r{^#{FROM}\s+(#{PLATFORM}\s+)?(#{REGISTRY}/)?
|
|
32
33
|
#{IMAGE}#{TAG}?(?:@sha256:#{DIGEST})?#{NAME}?}x
|
|
34
|
+
TAG_WITH_DIGEST = /^#{TAG_NO_PREFIX}(?:@sha256:#{DIGEST})?/x
|
|
33
35
|
|
|
34
36
|
AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
|
|
35
37
|
|
|
@@ -50,7 +52,7 @@ module Dependabot
|
|
|
50
52
|
|
|
51
53
|
dependency_set << Dependency.new(
|
|
52
54
|
name: parsed_from_line.fetch("image"),
|
|
53
|
-
version: version
|
|
55
|
+
version: version,
|
|
54
56
|
package_manager: "docker",
|
|
55
57
|
requirements: [
|
|
56
58
|
requirement: nil,
|
|
@@ -127,7 +129,7 @@ module Dependabot
|
|
|
127
129
|
def build_image_dependency(file, details, version)
|
|
128
130
|
Dependency.new(
|
|
129
131
|
name: details.fetch("image"),
|
|
130
|
-
version: version
|
|
132
|
+
version: version,
|
|
131
133
|
package_manager: "docker",
|
|
132
134
|
requirements: [
|
|
133
135
|
requirement: nil,
|
|
@@ -168,18 +170,20 @@ module Dependabot
|
|
|
168
170
|
|
|
169
171
|
def parse_helm(img_hash)
|
|
170
172
|
repo = img_hash.fetch("repository", nil)
|
|
171
|
-
|
|
173
|
+
tag_value = img_hash.key?("tag") ? img_hash.fetch("tag", nil) : img_hash.fetch("version", nil)
|
|
172
174
|
registry = img_hash.fetch("registry", nil)
|
|
173
175
|
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
176
|
+
tag_details = tag_value.to_s.match(TAG_WITH_DIGEST).named_captures
|
|
177
|
+
tag = tag_details["tag"]
|
|
178
|
+
digest = tag_details["digest"]
|
|
179
|
+
|
|
180
|
+
return [] unless repo
|
|
181
|
+
return [repo] unless tag
|
|
182
|
+
|
|
183
|
+
image = "#{repo}:#{tag}"
|
|
184
|
+
image.prepend("#{registry}/") if registry
|
|
185
|
+
image.append("@sha256:#{digest}/") if digest
|
|
186
|
+
[image]
|
|
183
187
|
end
|
|
184
188
|
end
|
|
185
189
|
end
|
|
@@ -158,7 +158,7 @@ module Dependabot
|
|
|
158
158
|
old_tags.each do |old_tag|
|
|
159
159
|
old_tag_regex = /^\s+(?:-\s)?(?:tag|version):\s+["']?#{old_tag}["']?(?=\s|$)/
|
|
160
160
|
modified_content = modified_content.gsub(old_tag_regex) do |old_img_tag|
|
|
161
|
-
old_img_tag.gsub(old_tag.to_s,
|
|
161
|
+
old_img_tag.gsub(old_tag.to_s, new_helm_tag(file).to_s)
|
|
162
162
|
end
|
|
163
163
|
end
|
|
164
164
|
modified_content
|
|
@@ -187,11 +187,6 @@ module Dependabot
|
|
|
187
187
|
"#{prefix}#{dependency.name}#{tag}#{digest}"
|
|
188
188
|
end
|
|
189
189
|
|
|
190
|
-
def new_yaml_tag(file)
|
|
191
|
-
element = dependency.requirements.find { |r| r[:file] == file.name }
|
|
192
|
-
element.fetch(:source)[:tag] || ""
|
|
193
|
-
end
|
|
194
|
-
|
|
195
190
|
def old_yaml_images(file)
|
|
196
191
|
previous_requirements(file).map do |r|
|
|
197
192
|
prefix = r.fetch(:source)[:registry] ? "#{r.fetch(:source)[:registry]}/" : ""
|
|
@@ -203,10 +198,19 @@ module Dependabot
|
|
|
203
198
|
|
|
204
199
|
def old_helm_tags(file)
|
|
205
200
|
previous_requirements(file).map do |r|
|
|
206
|
-
r.fetch(:source)[:tag] || ""
|
|
201
|
+
tag = r.fetch(:source)[:tag] || ""
|
|
202
|
+
digest = r.fetch(:source)[:digest] ? "@sha256:#{r.fetch(:source)[:digest]}" : ""
|
|
203
|
+
"#{tag}#{digest}"
|
|
207
204
|
end
|
|
208
205
|
end
|
|
209
206
|
|
|
207
|
+
def new_helm_tag(file)
|
|
208
|
+
element = dependency.requirements.find { |r| r[:file] == file.name }
|
|
209
|
+
tag = element.fetch(:source)[:tag] || ""
|
|
210
|
+
digest = element.fetch(:source)[:digest] ? "@sha256:#{element.fetch(:source)[:digest]}" : ""
|
|
211
|
+
"#{tag}#{digest}"
|
|
212
|
+
end
|
|
213
|
+
|
|
210
214
|
def requirements(file)
|
|
211
215
|
dependency.requirements
|
|
212
216
|
.select { |r| r[:file] == file.name }
|
|
@@ -9,8 +9,8 @@ module Dependabot
|
|
|
9
9
|
WORDS_WITH_BUILD = /(?:(?:-[a-z]+)+-[0-9]+)+/
|
|
10
10
|
VERSION_REGEX = /v?(?<version>[0-9]+(?:\.[0-9]+)*(?:_[0-9]+|\.[a-z0-9]+|#{WORDS_WITH_BUILD}|-(?:kb)?[0-9]+)*)/i
|
|
11
11
|
VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
|
|
12
|
-
VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-]*-)?#{VERSION_REGEX}$/i
|
|
13
|
-
VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
|
|
12
|
+
VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-_]*-)?#{VERSION_REGEX}$/i
|
|
13
|
+
VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-_]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
|
|
14
14
|
NAME_WITH_VERSION =
|
|
15
15
|
/
|
|
16
16
|
#{VERSION_WITH_PFX}|
|
|
@@ -33,7 +33,7 @@ module Dependabot
|
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
def looks_like_prerelease?
|
|
36
|
-
numeric_version.
|
|
36
|
+
numeric_version.match?(/[a-zA-Z]/)
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
def comparable_to?(other)
|
|
@@ -88,9 +88,9 @@ module Dependabot
|
|
|
88
88
|
end
|
|
89
89
|
|
|
90
90
|
def format
|
|
91
|
-
return :year_month if version.match?(/^[12]\d{3}(?:[.\-]|$)/)
|
|
92
|
-
return :year_month_day if version.match?(/^[12]\d{5}(?:[.\-]|$)/)
|
|
93
91
|
return :sha_suffixed if name.match?(/(^|\-g?)[0-9a-f]{7,}$/)
|
|
92
|
+
return :year_month if version.match?(/^[12]\d{3}(?:[.\-]|$)/)
|
|
93
|
+
return :year_month_day if version.match?(/^[12](?:\d{5}|\d{7})(?:[.\-]|$)/)
|
|
94
94
|
return :build_num if version.match?(/^\d+$/)
|
|
95
95
|
|
|
96
96
|
# As an example, "21-ea-32", "22-ea-7", and "22-ea-jdk-nanoserver-1809"
|
|
@@ -110,7 +110,7 @@ module Dependabot
|
|
|
110
110
|
def numeric_version
|
|
111
111
|
return unless comparable?
|
|
112
112
|
|
|
113
|
-
version.gsub(/-[a-z]+/, "").downcase
|
|
113
|
+
version.gsub(/kb/i, "").gsub(/-[a-z]+/, "").downcase
|
|
114
114
|
end
|
|
115
115
|
|
|
116
116
|
def precision
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
|
|
4
4
|
require "dependabot/version"
|
|
5
5
|
require "dependabot/utils"
|
|
6
|
+
require "dependabot/docker/tag"
|
|
6
7
|
|
|
7
8
|
module Dependabot
|
|
8
9
|
module Docker
|
|
@@ -12,11 +13,19 @@ module Dependabot
|
|
|
12
13
|
# for a description of Java versions.
|
|
13
14
|
#
|
|
14
15
|
class Version < Dependabot::Version
|
|
16
|
+
# The regex has limits for the 0,255 and 1,255 repetitions to avoid infinite limits which makes codeql angry.
|
|
17
|
+
# A docker image cannot be longer than 255 characters anyways.
|
|
18
|
+
DOCKER_VERSION_REGEX = /^(?<prefix>[a-z._\-]{0,255})[_\-v]?(?<version>.{1,255})$/
|
|
19
|
+
|
|
15
20
|
def initialize(version)
|
|
16
|
-
|
|
21
|
+
parsed_version = version.match(DOCKER_VERSION_REGEX)
|
|
22
|
+
release_part, update_part = parsed_version[:version].split("_", 2)
|
|
17
23
|
|
|
18
|
-
|
|
24
|
+
# The numeric_version is needed here to validate the version string (ex: 20.9.0-alpine3.18)
|
|
25
|
+
# when the call is made via Depenedabot Api to convert the image version to semver.
|
|
26
|
+
release_part = Tag.new(release_part.chomp(".").chomp("-").chomp("_")).numeric_version
|
|
19
27
|
|
|
28
|
+
@release_part = Dependabot::Version.new(release_part.tr("-", "."))
|
|
20
29
|
@update_part = Dependabot::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
|
|
21
30
|
|
|
22
31
|
super(@release_part)
|
|
@@ -27,8 +36,11 @@ module Dependabot
|
|
|
27
36
|
|
|
28
37
|
# We can't call new here because Gem::Version calls self.correct? in its initialize method
|
|
29
38
|
# causing an infinite loop, so instead we check if the release_part of the version is correct
|
|
30
|
-
|
|
31
|
-
|
|
39
|
+
parsed_version = version.match(DOCKER_VERSION_REGEX)
|
|
40
|
+
return false if parsed_version.nil?
|
|
41
|
+
|
|
42
|
+
release_part, = parsed_version[:version].split("_", 2)
|
|
43
|
+
release_part = Tag.new(release_part.chomp(".").chomp("-").chomp("_")).numeric_version || parsed_version
|
|
32
44
|
super(release_part)
|
|
33
45
|
rescue ArgumentError
|
|
34
46
|
# if we can't instantiate a version, it can't be correct
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-docker
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.238.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-12-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.238.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.238.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -94,20 +94,34 @@ dependencies:
|
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '1.3'
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: rspec-sorbet
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - "~>"
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: 1.9.2
|
|
104
|
+
type: :development
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - "~>"
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: 1.9.2
|
|
97
111
|
- !ruby/object:Gem::Dependency
|
|
98
112
|
name: rubocop
|
|
99
113
|
requirement: !ruby/object:Gem::Requirement
|
|
100
114
|
requirements:
|
|
101
115
|
- - "~>"
|
|
102
116
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 1.
|
|
117
|
+
version: 1.57.2
|
|
104
118
|
type: :development
|
|
105
119
|
prerelease: false
|
|
106
120
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
121
|
requirements:
|
|
108
122
|
- - "~>"
|
|
109
123
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 1.
|
|
124
|
+
version: 1.57.2
|
|
111
125
|
- !ruby/object:Gem::Dependency
|
|
112
126
|
name: rubocop-performance
|
|
113
127
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -216,7 +230,7 @@ licenses:
|
|
|
216
230
|
- Nonstandard
|
|
217
231
|
metadata:
|
|
218
232
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
219
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
233
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
|
|
220
234
|
post_install_message:
|
|
221
235
|
rdoc_options: []
|
|
222
236
|
require_paths:
|