dependabot-docker 0.359.0 → 0.360.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/docker/metadata_finder.rb +71 -6
  3. data/lib/dependabot/docker/update_checker.rb +7 -1
  4. data/lib/dependabot/shared/shared_file_updater.rb +11 -1
  5. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6ecfdad27b87474faf0ea1f6d1a4395f39e3631b6b3e21654172f51f4f1ce4c9
4
- data.tar.gz: 51ddd06f0d81281929a636c781493d69bd082af3853862d2e9916388b7f56ed4
3
+ metadata.gz: 6e3a281a81f5f7329c01110ef4ac731e61702fca5fb3161706350b1e13b21952
4
+ data.tar.gz: 817cf36ec492541cea959cff1e23d44b3fbb953de067391ea8427b27b6f8f1a0
5
5
  SHA512:
6
- metadata.gz: 7c57a3a5c4dbdad5e8e0dd99d23948077fd4c489d569637c53f3002eab8ff13a59601d63aa85297f739e23c979cccb0a16b9990024087cebc742a1778a9583a1
7
- data.tar.gz: b22d67a41edd6f4a8ee35b9b8a9254e533659000615b185840d46827669220ed5b091b9cd212ff9563f3755379fd57c82cd5d48aa68cbe214691e4a8abbcb919
6
+ metadata.gz: e9b40addec253cbca79fc8faad20af986046f3e07c13c6c6e6b81b065e10aad5e49172a2a6155a767d0db4e0e683872f0c9343922c4746bc3d76e394212efb97
7
+ data.tar.gz: d6d11c276cac70ff79262cacd5a76e215388d793b3001f7db77232aa226634aad4dc896e442f4bd53144824d1c0fb2a7fd00a456c571180ce951dbfca03268a2
data/lib/dependabot/docker/metadata_finder.rb CHANGED
@@ -13,24 +13,89 @@ module Dependabot
13
13
 
14
14
  private
15
15
 
16
+ # Finds the repository for the Docker image using OCI annotations.
17
+ # @see https://specs.opencontainers.org/image-spec/annotations/
16
18
  sig { override.returns(T.nilable(Dependabot::Source)) }
17
19
  def look_up_source
18
20
  return if dependency.requirements.empty?
19
21
 
20
22
  new_source = dependency.requirements.first&.fetch(:source)
21
- return unless new_source && new_source[:registry] && new_source[:tag]
23
+ return unless new_source && new_source[:registry] && (new_source[:tag] || new_source[:digest])
22
24
 
23
- image_ref = "#{new_source[:registry]}/#{dependency.name}:#{new_source[:tag]}"
24
- image_details_output = SharedHelpers.run_shell_command("regctl image inspect #{image_ref}")
25
- image_details = JSON.parse(image_details_output)
26
- image_source = image_details.dig("config", "Labels", "org.opencontainers.image.source")
25
+ details = image_details(new_source)
26
+ image_source = details.dig("config", "Labels", "org.opencontainers.image.source")
27
+ # Return early if the org.opencontainers.image.source label is not present
27
28
  return unless image_source
28
29
 
29
- Dependabot::Source.from_url(image_source)
30
+ # If we have a tag, return the source directly without additional version metadata
31
+ return Dependabot::Source.from_url(image_source) if new_source[:tag]
32
+
33
+ # If we only have a digest, we need to look for the version label to build the source
34
+ build_source_from_image_version(image_source, details)
30
35
  rescue StandardError => e
31
36
  Dependabot.logger.warn("Error looking up Docker source: #{e.message}")
32
37
  nil
33
38
  end
39
+
40
+ sig do
41
+ params(
42
+ source: T::Hash[Symbol, T.untyped]
43
+ ).returns(
44
+ T::Hash[String, T.untyped]
45
+ )
46
+ end
47
+ def image_details(source)
48
+ registry = source[:registry]
49
+ tag = source[:tag]
50
+ digest = source[:digest]
51
+
52
+ image_ref =
53
+ # If both tag and digest are present, use the digest as docker ignores the tag when a digest is present
54
+ if digest
55
+ "#{registry}/#{dependency.name}@sha256:#{digest}"
56
+ else
57
+ "#{registry}/#{dependency.name}:#{tag}"
58
+ end
59
+
60
+ Dependabot.logger.info("Looking up Docker source #{image_ref}")
61
+ output = SharedHelpers.run_shell_command("regctl image inspect #{image_ref}")
62
+ JSON.parse(output)
63
+ end
64
+
65
+ # Builds a Dependabot::Source object using the OCI image version label.
66
+ #
67
+ # This is used as a fallback when an image is referenced by digest rather than a tag
68
+ sig do
69
+ params(
70
+ image_source: String,
71
+ details: T::Hash[String, T.untyped]
72
+ ).returns(T.nilable(Dependabot::Source))
73
+ end
74
+ def build_source_from_image_version(image_source, details)
75
+ image_version = details.dig("config", "Labels", "org.opencontainers.image.version")
76
+ revision = details.dig("config", "Labels", "org.opencontainers.image.revision")
77
+ # Sometimes the versions are not tags (e.g., "24.04")
78
+ # We only want to build a source if the version looks like a tag (starts with "v")
79
+ # This is a safeguard for a first iteration. We may adjust this later based on user feedback.
80
+ tag_like = image_version&.start_with?("v")
81
+
82
+ return unless tag_like || revision
83
+
84
+ parsed_source = Dependabot::Source.from_url(image_source)
85
+ return unless parsed_source
86
+
87
+ branch_info = image_version ? "image version '#{image_version}'" : "unknown image version"
88
+ commit_info = revision ? "revision '#{revision}'" : "no commit"
89
+ Dependabot.logger.info "Building source with #{branch_info} and #{commit_info}"
90
+
91
+ Dependabot::Source.new(
92
+ provider: parsed_source.provider,
93
+ repo: parsed_source.repo,
94
+ directory: parsed_source.directory,
95
+ branch: image_version,
96
+ commit: revision
97
+ )
98
+ end
34
99
  end
35
100
  end
36
101
  end
data/lib/dependabot/docker/update_checker.rb CHANGED
@@ -14,6 +14,7 @@ require "dependabot/docker/requirement"
14
14
  require "dependabot/shared/utils/credentials_finder"
15
15
  require "dependabot/package/release_cooldown_options"
16
16
  require "dependabot/package/package_release"
17
+ require "dependabot/experiments"
17
18
 
18
19
  module Dependabot
19
20
  module Docker
@@ -49,7 +50,7 @@ module Dependabot
49
50
  if tag
50
51
  updated_tag = latest_version_from(tag)
51
52
  updated_source[:tag] = updated_tag
52
- updated_source[:digest] = digest_of(updated_tag) if digest
53
+ updated_source[:digest] = digest_of(updated_tag) if digest || pin_digests?
53
54
  elsif digest
54
55
  updated_source[:digest] = digest_of("latest")
55
56
  end
@@ -665,6 +666,11 @@ module Dependabot
665
666
  true
666
667
  end
667
668
 
669
+ sig { returns(T::Boolean) }
670
+ def pin_digests?
671
+ Dependabot::Experiments.enabled?(:docker_pin_digests)
672
+ end
673
+
668
674
  sig do
669
675
  returns(Integer)
670
676
  end
data/lib/dependabot/shared/shared_file_updater.rb CHANGED
@@ -66,6 +66,9 @@ module Dependabot
66
66
  updated_content
67
67
  end
68
68
 
69
+ # rubocop:disable Metrics/AbcSize
70
+ # rubocop:disable Metrics/PerceivedComplexity
71
+ # rubocop:disable Metrics/MethodLength
69
72
  sig do
70
73
  params(
71
74
  previous_content: String,
@@ -73,7 +76,7 @@ module Dependabot
73
76
  new_source: T::Hash[Symbol, T.nilable(String)]
74
77
  ).returns(String)
75
78
  end
76
- def update_digest_and_tag(previous_content, old_source, new_source) # rubocop:disable Metrics/PerceivedComplexity
79
+ def update_digest_and_tag(previous_content, old_source, new_source)
77
80
  old_digest = old_source[:digest]
78
81
  new_digest = new_source[:digest]
79
82
 
@@ -115,9 +118,16 @@ module Dependabot
115
118
 
116
119
  old_dec = old_dec.gsub(":#{old_tag}", ":#{new_tag}") unless old_tag.to_s.empty?
117
120
 
121
+ # Adding a digest to a tag-only image (digest pinning)
122
+ old_dec = "#{old_dec}@sha256:#{new_digest}" if old_digest.to_s.empty? && !new_digest.to_s.empty?
123
+
118
124
  old_dec
119
125
  end
120
126
  end
127
+ # rubocop:enable Metrics/MethodLength
128
+ # rubocop:enable Metrics/PerceivedComplexity
129
+ # rubocop:enable Metrics/AbcSize
130
+
121
131
  sig { params(escaped_declaration: String).returns(Regexp) }
122
132
  def build_old_declaration_regex(escaped_declaration)
123
133
  %r{^#{FROM_REGEX}\s+(docker\.io/)?#{escaped_declaration}(?=\s|$)}
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-docker
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.359.0
4
+ version: 0.360.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,14 +15,14 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.359.0
18
+ version: 0.360.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.359.0
25
+ version: 0.360.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
@@ -261,7 +261,7 @@ licenses:
261
261
  - MIT
262
262
  metadata:
263
263
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
264
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.359.0
264
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.360.0
265
265
  rdoc_options: []
266
266
  require_paths:
267
267
  - lib