RubyGems - dependabot-docker - Versions diffs - 0.213.0 → 0.214.0 - Mend

dependabot-docker 0.213.0 → 0.214.0

Files changed (9) hide show

checksums.yaml +4 -4
data/lib/dependabot/docker/file_fetcher.rb +6 -14
data/lib/dependabot/docker/file_parser.rb +25 -26
data/lib/dependabot/docker/file_updater.rb +2 -1
data/lib/dependabot/docker/update_checker.rb +87 -48
data/lib/dependabot/docker/utils/credentials_finder.rb +13 -0
data/lib/dependabot/docker/utils/helpers.rb +13 -0
data/lib/dependabot/docker/version.rb +1 -1
metadata +9 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ebc54cfc835861f5ff7c37dabe72928e92786cda8925b7744029121b17fdc097
-  data.tar.gz: 4e99d4753649e65f7d34295f596c9de8e1060487e066c8c3cc6a2054e9e6c30a
+  metadata.gz: b7aabb905dbb5a64638f936079c477b091dd8b2a05aad7cc070c10e11977cc97
+  data.tar.gz: 4cc6bbe0291ded5c2e975f2256561044700a6a5903f1d110815de0ff5a0da281
 SHA512:
-  metadata.gz: 2312611afec9a4b58b82b0327a95f9257ae1cfacabc7f294c9eba48e52cf5d268dcf9004260a8fcb5aa9b6d9f647c2df5199b8bc9ad6e4131a4ad7ec85fa693e
-  data.tar.gz: 74760bd8b337feb6a2b7ca3a083079c2f6c187bdd2495c9467bc7a5b5f96bb825ac8cfda8defce871295d6e10ec4e8dbed01a6776816f83cc87eabc75517537d
+  metadata.gz: d2a1629644bf4dcc1a523aaef694b2601f0008361468dbde35008396bb9dfe6c225857946bdad4f6dad384f11b7c763357a50a8f27ab02fb8cde23f9ce6f7271
+  data.tar.gz: b5a6df5e91b49e9faa2d972ee74b4aba244f83051e076cf33dda73dc9f55deee7895f8ffc4e5e13ef4d309ae33e1d9a9ef0e710bf6b12dd35545d524ec7dca7b

data/lib/dependabot/docker/file_fetcher.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require "dependabot/docker/utils/helpers"
 require "dependabot/experiments"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
@@ -9,7 +10,6 @@ module Dependabot
     class FileFetcher < Dependabot::FileFetchers::Base
       YAML_REGEXP = /^[^\.]+\.ya?ml$/i
       DOCKER_REGEXP = /dockerfile/i
-      HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.yaml/i
       def self.required_files_in?(filenames)
         filenames.any? { |f| f.match?(DOCKER_REGEXP) } or
@@ -22,26 +22,18 @@ module Dependabot
       private
-      def kubernetes_enabled?
-        Experiments.enabled?(:kubernetes_updates)
-      end
       def fetch_files
         fetched_files = []
         fetched_files += correctly_encoded_dockerfiles
-        fetched_files += correctly_encoded_yamlfiles if kubernetes_enabled?
+        fetched_files += correctly_encoded_yamlfiles
         return fetched_files if fetched_files.any?
-        if !kubernetes_enabled? && incorrectly_encoded_dockerfiles.none?
+        if incorrectly_encoded_dockerfiles.none? && incorrectly_encoded_yamlfiles.none?
           raise(
             Dependabot::DependencyFileNotFound,
-            File.join(directory, "Dockerfile")
-          )
-        elsif incorrectly_encoded_dockerfiles.none? && incorrectly_encoded_yamlfiles.none?
-          raise(
-            Dependabot::DependabotError,
-            "Found neither Kubernetes YAML nor Dockerfiles in #{directory}"
+            File.join(directory, "Dockerfile"),
+            "No Dockerfiles nor Kubernetes YAML found in #{directory}"
           )
         elsif incorrectly_encoded_dockerfiles.none?
           raise(
@@ -86,7 +78,7 @@ module Dependabot
       def correctly_encoded_yamlfiles
         candidate_files = yamlfiles.select { |f| f.content.valid_encoding? }
         candidate_files.select do |f|
-          if f.type == "file" && f.name.match?(HELM_REGEXP)
+          if f.type == "file" && Utils.likely_helm_chart?(f)
             true
           else
             # This doesn't handle multi-resource files, but it shouldn't matter, since the first resource

data/lib/dependabot/docker/file_parser.rb CHANGED Viewed

@@ -101,8 +101,9 @@ module Dependabot
       def version_from_digest(registry:, image:, digest:)
         return unless digest
-        repo = docker_repo_name(image, registry)
-        client = docker_registry_client(registry)
+        registry_details = fetch_registry_details(registry)
+        repo = docker_repo_name(image, registry_details["registry"])
+        client = docker_registry_client(registry_details["registry"], registry_details["credentials"])
         client.tags(repo, auto_paginate: true).fetch("tags").find do |tag|
           digest == client.digest(repo, tag)
         rescue DockerRegistry2::NotFound
@@ -112,46 +113,44 @@ module Dependabot
         end
       rescue DockerRegistry2::RegistryAuthenticationException,
              RestClient::Forbidden
-        raise if standard_registry?(registry)
+        raise PrivateSourceAuthenticationFailure, registry_details["registry"]
+      rescue RestClient::Exceptions::OpenTimeout,
+             RestClient::Exceptions::ReadTimeout
+        raise if credentials_finder.using_dockerhub?(registry_details["registry"])
-        raise PrivateSourceAuthenticationFailure, registry
+        raise PrivateSourceTimedOut, registry_details["registry"]
       end
       def docker_repo_name(image, registry)
-        return image unless standard_registry?(registry)
-        return image unless image.split("/").count < 2
+        return image if image.include? "/"
+        return "library/#{image}" if credentials_finder.using_dockerhub?(registry)
-        "library/#{image}"
+        image
       end
-      def docker_registry_client(registry)
-        if registry
-          credentials = registry_credentials(registry)
-          DockerRegistry2::Registry.new(
-            "https://#{registry}",
-            user: credentials&.fetch("username", nil),
-            password: credentials&.fetch("password", nil)
-          )
-        else
-          DockerRegistry2::Registry.new("https://registry.hub.docker.com")
+      def docker_registry_client(registry_hostname, registry_credentials)
+        unless credentials_finder.using_dockerhub?(registry_hostname)
+          return DockerRegistry2::Registry.new("https://#{registry_hostname}")
         end
+        DockerRegistry2::Registry.new(
+          "https://#{registry_hostname}",
+          user: registry_credentials&.fetch("username", nil),
+          password: registry_credentials&.fetch("password", nil),
+          read_timeout: 10
+        )
       end
-      def registry_credentials(registry_url)
-        credentials_finder.credentials_for_registry(registry_url)
+      def fetch_registry_details(registry)
+        registry ||= credentials_finder.base_registry
+        credentials = credentials_finder.credentials_for_registry(registry)
+        { "registry" => registry, "credentials" => credentials }
       end
       def credentials_finder
         @credentials_finder ||= Utils::CredentialsFinder.new(credentials)
       end
-      def standard_registry?(registry)
-        return true if registry.nil?
-        registry == "registry.hub.docker.com"
-      end
       def check_required_files
         # Just check if there are any files at all.
         return if dependency_files.any?

data/lib/dependabot/docker/file_updater.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require "dependabot/docker/utils/helpers"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/errors"
@@ -152,7 +153,7 @@ module Dependabot
       end
       def updated_yaml_content(file)
-        updated_content = file.name == "values.yaml" ? update_helm(file) : update_image(file)
+        updated_content = Utils.likely_helm_chart?(file) ? update_helm(file) : update_image(file)
         raise "Expected content to change!" if updated_content == file.content

data/lib/dependabot/docker/update_checker.rb CHANGED Viewed

@@ -42,10 +42,9 @@ end
 module Dependabot
   module Docker
     class UpdateChecker < Dependabot::UpdateCheckers::Base
-      VERSION_REGEX =
-        /v?(?<version>[0-9]+(?:(?:\.[_a-z0-9]+)|(?:-(?:kb)?[0-9]+))*)/i
-      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z0-9.\-]+)?$/i
-      VERSION_WITH_PFX = /^(?<prefix>[a-z0-9.\-]+-)?#{VERSION_REGEX}$/i
+      VERSION_REGEX = /v?(?<version>[0-9]+(?:\.[0-9]+)*(?:_[0-9]+|\.[a-z0-9]+|-(?:kb)?[0-9]+)*)/i
+      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
+      VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-]*-)?#{VERSION_REGEX}$/i
       VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
       NAME_WITH_VERSION =
         /
@@ -55,7 +54,7 @@ module Dependabot
       /x
       def latest_version
-        fetch_latest_version(dependency.version)
+        latest_version_from(dependency.version)
       end
       def latest_resolvable_version
@@ -72,7 +71,7 @@ module Dependabot
         dependency.requirements.map do |req|
           updated_source = req.fetch(:source).dup
           updated_source[:digest] = updated_digest if req[:source][:digest]
-          updated_source[:tag] = fetch_latest_version(req[:source][:tag]) if req[:source][:tag]
+          updated_source[:tag] = latest_version_from(req[:source][:tag]) if req[:source][:tag]
           req.merge(source: updated_source)
         end
@@ -118,7 +117,7 @@ module Dependabot
         # Check the precision of the potentially higher tag is the same as the
         # one it would replace. In the event that it's not the same, check the
         # digests are also unequal. Avoids 'updating' ruby-2 -> ruby-2.5.1
-        return false if old_v.split(".").count == latest_v.split(".").count
+        return false if precision_of(old_v) == precision_of(latest_v)
         digest_of(version) == digest_of(latest_version)
       end
@@ -132,33 +131,38 @@ module Dependabot
         end
       end
-      # NOTE: It's important that this *always* returns a version (even if
-      # it's the existing one) as it is what we later check the digest of.
-      def fetch_latest_version(version)
+      def latest_version_from(version)
         @versions ||= {}
         return @versions[version] if @versions.key?(version)
-        @versions[version] = begin
-          return version unless version.match?(NAME_WITH_VERSION)
-          # Prune out any downgrade tags before checking for pre-releases
-          # (which requires a call to the registry for each tag, so can be slow)
-          candidate_tags = comparable_tags_from_registry(version)
-          candidate_tags = remove_version_downgrades(candidate_tags, version)
+        @versions[version] = fetch_latest_version(version)
+      end
-          unless prerelease?(version)
-            candidate_tags =
-              candidate_tags.
-              reject { |tag| prerelease?(tag) }
+      # NOTE: It's important that this *always* returns a version (even if
+      # it's the existing one) as it is what we later check the digest of.
+      def fetch_latest_version(version)
+        return version unless version.match?(NAME_WITH_VERSION)
+        # Prune out any downgrade tags before checking for pre-releases
+        # (which requires a call to the registry for each tag, so can be slow)
+        candidate_tags = comparable_tags_from_registry(version)
+        candidate_tags = remove_version_downgrades(candidate_tags, version)
+        candidate_tags = remove_prereleases(candidate_tags, version)
+        candidate_tags = filter_ignored(candidate_tags)
+        candidate_tags = sort_tags(candidate_tags, version)
+        latest_tag = candidate_tags.last
+        if latest_tag && same_precision?(latest_tag, version)
+          latest_tag
+        else
+          latest_same_precision_tag = remove_precision_changes(candidate_tags, version).last
+          if latest_same_precision_tag && digest_of(latest_same_precision_tag) == digest_of(latest_tag)
+            latest_same_precision_tag
+          else
+            latest_tag || version
           end
-          latest_tag =
-            filter_ignored(candidate_tags).
-            max_by do |tag|
-              [version_class.new(numeric_version_from(tag)), tag.length]
-            end
-          latest_tag || version
         end
       end
@@ -167,28 +171,37 @@ module Dependabot
         original_suffix = suffix_of(version)
         original_format = format_of(version)
-        tags_from_registry.
+        candidate_tags =
+          tags_from_registry.
           select { |tag| tag.match?(NAME_WITH_VERSION) }.
           select { |tag| prefix_of(tag) == original_prefix }.
-          select { |tag| suffix_of(tag) == original_suffix || commit_sha_suffix?(tag) }.
           select { |tag| format_of(tag) == original_format }
+        return candidate_tags if original_format == :sha_suffixed
+        candidate_tags.select { |tag| suffix_of(tag) == original_suffix }
       end
       def remove_version_downgrades(candidate_tags, version)
         candidate_tags.select do |tag|
-          version_class.new(numeric_version_from(tag)) >=
-            version_class.new(numeric_version_from(version))
+          comparable_version_from(tag) >=
+            comparable_version_from(version)
         end
       end
-      def commit_sha_suffix?(tag)
-        # Some people suffix their versions with commit SHAs. Dependabot
-        # can't order on those but will try to, so instead we should exclude
-        # them (unless there's a `latest` version pushed to the registry, in
-        # which case we'll use that to find the latest version)
-        return false unless tag.match?(/(^|\-g?)[0-9a-f]{7,}$/)
+      def remove_prereleases(candidate_tags, version)
+        return candidate_tags if prerelease?(version)
-        !tag.match?(/(^|\-)\d+$/)
+        candidate_tags.reject { |tag| prerelease?(tag) }
+      end
+      def remove_precision_changes(candidate_tags, version)
+        candidate_tags.select do |tag|
+          same_precision?(tag, version)
+        end
+      end
+      def same_precision?(tag, another_tag)
+        precision_of(numeric_version_from(tag)) == precision_of(numeric_version_from(another_tag))
       end
       def version_of_latest_tag
@@ -197,13 +210,13 @@ module Dependabot
         candidate_tag =
           tags_from_registry.
           select { |tag| canonical_version?(tag) }.
-          sort_by { |t| version_class.new(numeric_version_from(t)) }.
+          sort_by { |t| comparable_version_from(t) }.
           reverse.
           find { |t| digest_of(t) == latest_digest }
         return unless candidate_tag
-        version_class.new(numeric_version_from(candidate_tag))
+        comparable_version_from(candidate_tag)
       end
       def canonical_version?(tag)
@@ -293,6 +306,7 @@ module Dependabot
         return :year_month if version.match?(/^[12]\d{3}(?:[.\-]|$)/)
         return :year_month_day if version.match?(/^[12]\d{5}(?:[.\-]|$)/)
+        return :sha_suffixed if tag.match?(/(^|\-g?)[0-9a-f]{7,}$/)
         return :build_num if version.match?(/^\d+$/)
         :normal
@@ -307,7 +321,11 @@ module Dependabot
         return false unless latest_digest
         return false unless version_of_latest_tag
-        version_class.new(numeric_version_from(tag)) > version_of_latest_tag
+        comparable_version_from(tag) > version_of_latest_tag
+      end
+      def comparable_version_from(tag)
+        version_class.new(numeric_version_from(tag))
       end
       def numeric_version_from(tag)
@@ -317,8 +335,9 @@ module Dependabot
       end
       def registry_hostname
-        dependency.requirements.first[:source][:registry] ||
-          "registry.hub.docker.com"
+        return dependency.requirements.first[:source][:registry] if dependency.requirements.first[:source][:registry]
+        credentials_finder.base_registry
       end
       def using_dockerhub?
@@ -350,11 +369,31 @@ module Dependabot
           )
       end
+      def sort_tags(candidate_tags, version)
+        candidate_tags.sort do |tag_a, tag_b|
+          if comparable_version_from(tag_a) > comparable_version_from(tag_b)
+            1
+          elsif comparable_version_from(tag_a) < comparable_version_from(tag_b)
+            -1
+          elsif same_precision?(tag_a, version)
+            1
+          elsif same_precision?(tag_b, version)
+            -1
+          else
+            0
+          end
+        end
+      end
+      def precision_of(version)
+        version.split(/[.-]/).length
+      end
       def filter_ignored(candidate_tags)
         filtered =
           candidate_tags.
           reject do |tag|
-            version = version_class.new(numeric_version_from(tag))
+            version = comparable_version_from(tag)
             ignore_requirements.any? { |r| r.satisfied_by?(version) }
           end
         if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(candidate_tags).any?
@@ -365,9 +404,9 @@ module Dependabot
       end
       def filter_lower_versions(tags)
-        versions_array = tags.map { |tag| version_class.new(numeric_version_from(tag)) }
+        versions_array = tags.map { |tag| comparable_version_from(tag) }
         versions_array.
-          select { |version| version > version_class.new(numeric_version_from(dependency.version)) }
+          select { |version| version > comparable_version_from(dependency.version) }
       end
     end
   end

data/lib/dependabot/docker/utils/credentials_finder.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Dependabot
     module Utils
       class CredentialsFinder
         AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
+        DEFAULT_DOCKER_HUB_REGISTRY = "registry.hub.docker.com"
         def initialize(credentials)
           @credentials = credentials
@@ -26,6 +27,18 @@ module Dependabot
           build_aws_credentials(registry_details)
         end
+        def base_registry
+          @base_registry ||= credentials.find do |cred|
+            cred["type"] == "docker_registry" && cred["replaces-base"] == true
+          end
+          @base_registry ||= { "registry" => DEFAULT_DOCKER_HUB_REGISTRY, "credentials" => nil }
+          @base_registry["registry"]
+        end
+        def using_dockerhub?(registry)
+          registry == DEFAULT_DOCKER_HUB_REGISTRY
+        end
         private
         attr_reader :credentials

data/lib/dependabot/docker/utils/helpers.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Dependabot
+  module Docker
+    module Utils
+      HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.ya?ml$/i
+      def self.likely_helm_chart?(file)
+        file.name.match?(HELM_REGEXP)
+      end
+    end
+  end
+end

data/lib/dependabot/docker/version.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module Dependabot
       def initialize(version)
         release_part, update_part = version.split("_", 2)
-        @release_part = Gem::Version.new(release_part)
+        @release_part = Gem::Version.new(release_part.tr("-", "."))
         @update_part = Gem::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
       end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-  version: 0.213.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -221,6 +221,7 @@ files:
 - lib/dependabot/docker/requirement.rb
 - lib/dependabot/docker/update_checker.rb
 - lib/dependabot/docker/utils/credentials_finder.rb
+- lib/dependabot/docker/utils/helpers.rb
 - lib/dependabot/docker/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses: