RubyGems - dependabot-docker - Versions diffs - 0.213.0 → 0.214.0 - Mend

dependabot-docker 0.213.0 → 0.214.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/lib/dependabot/docker/file_fetcher.rb +6 -14
data/lib/dependabot/docker/file_parser.rb +25 -26
data/lib/dependabot/docker/file_updater.rb +2 -1
data/lib/dependabot/docker/update_checker.rb +87 -48
data/lib/dependabot/docker/utils/credentials_finder.rb +13 -0
data/lib/dependabot/docker/utils/helpers.rb +13 -0
data/lib/dependabot/docker/version.rb +1 -1
metadata +9 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ebc54cfc835861f5ff7c37dabe72928e92786cda8925b7744029121b17fdc097
-  data.tar.gz: 4e99d4753649e65f7d34295f596c9de8e1060487e066c8c3cc6a2054e9e6c30a
+  metadata.gz: b7aabb905dbb5a64638f936079c477b091dd8b2a05aad7cc070c10e11977cc97
+  data.tar.gz: 4cc6bbe0291ded5c2e975f2256561044700a6a5903f1d110815de0ff5a0da281
 SHA512:
-  metadata.gz: 2312611afec9a4b58b82b0327a95f9257ae1cfacabc7f294c9eba48e52cf5d268dcf9004260a8fcb5aa9b6d9f647c2df5199b8bc9ad6e4131a4ad7ec85fa693e
-  data.tar.gz: 74760bd8b337feb6a2b7ca3a083079c2f6c187bdd2495c9467bc7a5b5f96bb825ac8cfda8defce871295d6e10ec4e8dbed01a6776816f83cc87eabc75517537d
+  metadata.gz: d2a1629644bf4dcc1a523aaef694b2601f0008361468dbde35008396bb9dfe6c225857946bdad4f6dad384f11b7c763357a50a8f27ab02fb8cde23f9ce6f7271
+  data.tar.gz: b5a6df5e91b49e9faa2d972ee74b4aba244f83051e076cf33dda73dc9f55deee7895f8ffc4e5e13ef4d309ae33e1d9a9ef0e710bf6b12dd35545d524ec7dca7b

data/lib/dependabot/docker/file_fetcher.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require "dependabot/docker/utils/helpers"
 require "dependabot/experiments"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
@@ -9,7 +10,6 @@ module Dependabot
     class FileFetcher < Dependabot::FileFetchers::Base
       YAML_REGEXP = /^[^\.]+\.ya?ml$/i
       DOCKER_REGEXP = /dockerfile/i
-      HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.yaml/i
       def self.required_files_in?(filenames)
         filenames.any? { |f| f.match?(DOCKER_REGEXP) } or
@@ -22,26 +22,18 @@ module Dependabot
       private
-      def kubernetes_enabled?
-        Experiments.enabled?(:kubernetes_updates)
-      end
       def fetch_files
         fetched_files = []
         fetched_files += correctly_encoded_dockerfiles
-        fetched_files += correctly_encoded_yamlfiles if kubernetes_enabled?
+        fetched_files += correctly_encoded_yamlfiles
         return fetched_files if fetched_files.any?
-        if !kubernetes_enabled? && incorrectly_encoded_dockerfiles.none?
+        if incorrectly_encoded_dockerfiles.none? && incorrectly_encoded_yamlfiles.none?
           raise(
             Dependabot::DependencyFileNotFound,
-            File.join(directory, "Dockerfile")
-          )
-        elsif incorrectly_encoded_dockerfiles.none? && incorrectly_encoded_yamlfiles.none?
-          raise(
-            Dependabot::DependabotError,
-            "Found neither Kubernetes YAML nor Dockerfiles in #{directory}"
+            File.join(directory, "Dockerfile"),
+            "No Dockerfiles nor Kubernetes YAML found in #{directory}"
           )
         elsif incorrectly_encoded_dockerfiles.none?
           raise(
@@ -86,7 +78,7 @@ module Dependabot
       def correctly_encoded_yamlfiles
         candidate_files = yamlfiles.select { |f| f.content.valid_encoding? }
         candidate_files.select do |f|
-          if f.type == "file" && f.name.match?(HELM_REGEXP)
+          if f.type == "file" && Utils.likely_helm_chart?(f)
             true
           else
             # This doesn't handle multi-resource files, but it shouldn't matter, since the first resource

data/lib/dependabot/docker/file_parser.rb CHANGED Viewed

@@ -101,8 +101,9 @@ module Dependabot
       def version_from_digest(registry:, image:, digest:)
         return unless digest
-        repo = docker_repo_name(image, registry)
-        client = docker_registry_client(registry)
+        registry_details = fetch_registry_details(registry)
+        repo = docker_repo_name(image, registry_details["registry"])
+        client = docker_registry_client(registry_details["registry"], registry_details["credentials"])
         client.tags(repo, auto_paginate: true).fetch("tags").find do |tag|
           digest == client.digest(repo, tag)
         rescue DockerRegistry2::NotFound
@@ -112,46 +113,44 @@ module Dependabot
         end
       rescue DockerRegistry2::RegistryAuthenticationException,
              RestClient::Forbidden
-        raise if standard_registry?(registry)
+        raise PrivateSourceAuthenticationFailure, registry_details["registry"]
+      rescue RestClient::Exceptions::OpenTimeout,
+             RestClient::Exceptions::ReadTimeout
+        raise if credentials_finder.using_dockerhub?(registry_details["registry"])
-        raise PrivateSourceAuthenticationFailure, registry
+        raise PrivateSourceTimedOut, registry_details["registry"]
       end
       def docker_repo_name(image, registry)
-        return image unless standard_registry?(registry)
-        return image unless image.split("/").count < 2
+        return image if image.include? "/"
+        return "library/#{image}" if credentials_finder.using_dockerhub?(registry)
-        "library/#{image}"
+        image
       end
-      def docker_registry_client(registry)
-        if registry
-          credentials = registry_credentials(registry)
-          DockerRegistry2::Registry.new(
-            "https://#{registry}",
-            user: credentials&.fetch("username", nil),
-            password: credentials&.fetch("password", nil)
-          )
-        else
-          DockerRegistry2::Registry.new("https://registry.hub.docker.com")
+      def docker_registry_client(registry_hostname, registry_credentials)
+        unless credentials_finder.using_dockerhub?(registry_hostname)
+          return DockerRegistry2::Registry.new("https://#{registry_hostname}")
         end
+        DockerRegistry2::Registry.new(
+          "https://#{registry_hostname}",
+          user: registry_credentials&.fetch("username", nil),
+          password: registry_credentials&.fetch("password", nil),
+          read_timeout: 10
+        )
       end
-      def registry_credentials(registry_url)
-        credentials_finder.credentials_for_registry(registry_url)
+      def fetch_registry_details(registry)
+        registry ||= credentials_finder.base_registry
+        credentials = credentials_finder.credentials_for_registry(registry)
+        { "registry" => registry, "credentials" => credentials }
       end
       def credentials_finder
         @credentials_finder ||= Utils::CredentialsFinder.new(credentials)
       end
-      def standard_registry?(registry)
-        return true if registry.nil?
-        registry == "registry.hub.docker.com"
-      end
       def check_required_files
         # Just check if there are any files at all.
         return if dependency_files.any?

data/lib/dependabot/docker/file_updater.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
+require "dependabot/docker/utils/helpers"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/errors"
@@ -152,7 +153,7 @@ module Dependabot
       end
       def updated_yaml_content(file)
-        updated_content = file.name == "values.yaml" ? update_helm(file) : update_image(file)
+        updated_content = Utils.likely_helm_chart?(file) ? update_helm(file) : update_image(file)
         raise "Expected content to change!" if updated_content == file.content

data/lib/dependabot/docker/update_checker.rb CHANGED Viewed

@@ -42,10 +42,9 @@ end
 module Dependabot
   module Docker
     class UpdateChecker < Dependabot::UpdateCheckers::Base
-      VERSION_REGEX =
-        /v?(?<version>[0-9]+(?:(?:\.[_a-z0-9]+)|(?:-(?:kb)?[0-9]+))*)/i
-      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z0-9.\-]+)?$/i
-      VERSION_WITH_PFX = /^(?<prefix>[a-z0-9.\-]+-)?#{VERSION_REGEX}$/i
+      VERSION_REGEX = /v?(?<version>[0-9]+(?:\.[0-9]+)*(?:_[0-9]+|\.[a-z0-9]+|-(?:kb)?[0-9]+)*)/i
+      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
+      VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-]*-)?#{VERSION_REGEX}$/i
       VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
       NAME_WITH_VERSION =
         /
@@ -55,7 +54,7 @@ module Dependabot
       /x
       def latest_version
-        fetch_latest_version(dependency.version)
+        latest_version_from(dependency.version)
       end
       def latest_resolvable_version
@@ -72,7 +71,7 @@ module Dependabot
         dependency.requirements.map do |req|
           updated_source = req.fetch(:source).dup
           updated_source[:digest] = updated_digest if req[:source][:digest]
-          updated_source[:tag] = fetch_latest_version(req[:source][:tag]) if req[:source][:tag]
+          updated_source[:tag] = latest_version_from(req[:source][:tag]) if req[:source][:tag]
           req.merge(source: updated_source)
         end
@@ -118,7 +117,7 @@ module Dependabot
         # Check the precision of the potentially higher tag is the same as the
         # one it would replace. In the event that it's not the same, check the
         # digests are also unequal. Avoids 'updating' ruby-2 -> ruby-2.5.1
-        return false if old_v.split(".").count == latest_v.split(".").count
+        return false if precision_of(old_v) == precision_of(latest_v)
         digest_of(version) == digest_of(latest_version)
       end
@@ -132,33 +131,38 @@ module Dependabot
         end
       end
-      # NOTE: It's important that this *always* returns a version (even if
-      # it's the existing one) as it is what we later check the digest of.
-      def fetch_latest_version(version)
+      def latest_version_from(version)
         @versions ||= {}
         return @versions[version] if @versions.key?(version)
-        @versions[version] = begin
-          return version unless version.match?(NAME_WITH_VERSION)
-          # Prune out any downgrade tags before checking for pre-releases
-          # (which requires a call to the registry for each tag, so can be slow)
-          candidate_tags = comparable_tags_from_registry(version)
-          candidate_tags = remove_version_downgrades(candidate_tags, version)
+        @versions[version] = fetch_latest_version(version)
+      end
-          unless prerelease?(version)
-            candidate_tags =
-              candidate_tags.
-              reject { |tag| prerelease?(tag) }
+      # NOTE: It's important that this *always* returns a version (even if
+      # it's the existing one) as it is what we later check the digest of.
+      def fetch_latest_version(version)
+        return version unless version.match?(NAME_WITH_VERSION)
+        # Prune out any downgrade tags before checking for pre-releases
+        # (which requires a call to the registry for each tag, so can be slow)
+        candidate_tags = comparable_tags_from_registry(version)
+        candidate_tags = remove_version_downgrades(candidate_tags, version)
+        candidate_tags = remove_prereleases(candidate_tags, version)
+        candidate_tags = filter_ignored(candidate_tags)
+        candidate_tags = sort_tags(candidate_tags, version)
+        latest_tag = candidate_tags.last
+        if latest_tag && same_precision?(latest_tag, version)
+          latest_tag
+        else
+          latest_same_precision_tag = remove_precision_changes(candidate_tags, version).last
+          if latest_same_precision_tag && digest_of(latest_same_precision_tag) == digest_of(latest_tag)
+            latest_same_precision_tag
+          else
+            latest_tag || version
           end
-          latest_tag =
-            filter_ignored(candidate_tags).
-            max_by do |tag|
-              [version_class.new(numeric_version_from(tag)), tag.length]
-            end
-          latest_tag || version
         end
       end
@@ -167,28 +171,37 @@ module Dependabot
         original_suffix = suffix_of(version)
         original_format = format_of(version)
-        tags_from_registry.
+        candidate_tags =
+          tags_from_registry.
           select { |tag| tag.match?(NAME_WITH_VERSION) }.
           select { |tag| prefix_of(tag) == original_prefix }.
-          select { |tag| suffix_of(tag) == original_suffix || commit_sha_suffix?(tag) }.
           select { |tag| format_of(tag) == original_format }
+        return candidate_tags if original_format == :sha_suffixed
+        candidate_tags.select { |tag| suffix_of(tag) == original_suffix }
       end
       def remove_version_downgrades(candidate_tags, version)
         candidate_tags.select do |tag|
-          version_class.new(numeric_version_from(tag)) >=
-            version_class.new(numeric_version_from(version))
+          comparable_version_from(tag) >=
+            comparable_version_from(version)
         end
       end
-      def commit_sha_suffix?(tag)
-        # Some people suffix their versions with commit SHAs. Dependabot
-        # can't order on those but will try to, so instead we should exclude
-        # them (unless there's a `latest` version pushed to the registry, in
-        # which case we'll use that to find the latest version)
-        return false unless tag.match?(/(^|\-g?)[0-9a-f]{7,}$/)
+      def remove_prereleases(candidate_tags, version)
+        return candidate_tags if prerelease?(version)
-        !tag.match?(/(^|\-)\d+$/)
+        candidate_tags.reject { |tag| prerelease?(tag) }
+      end
+      def remove_precision_changes(candidate_tags, version)
+        candidate_tags.select do |tag|
+          same_precision?(tag, version)
+        end
+      end
+      def same_precision?(tag, another_tag)
+        precision_of(numeric_version_from(tag)) == precision_of(numeric_version_from(another_tag))
       end
       def version_of_latest_tag
@@ -197,13 +210,13 @@ module Dependabot
         candidate_tag =
           tags_from_registry.
           select { |tag| canonical_version?(tag) }.
-          sort_by { |t| version_class.new(numeric_version_from(t)) }.
+          sort_by { |t| comparable_version_from(t) }.
           reverse.
           find { |t| digest_of(t) == latest_digest }
         return unless candidate_tag
-        version_class.new(numeric_version_from(candidate_tag))
+        comparable_version_from(candidate_tag)
       end
       def canonical_version?(tag)
@@ -293,6 +306,7 @@ module Dependabot
         return :year_month if version.match?(/^[12]\d{3}(?:[.\-]|$)/)
         return :year_month_day if version.match?(/^[12]\d{5}(?:[.\-]|$)/)
+        return :sha_suffixed if tag.match?(/(^|\-g?)[0-9a-f]{7,}$/)
         return :build_num if version.match?(/^\d+$/)
         :normal
@@ -307,7 +321,11 @@ module Dependabot
         return false unless latest_digest
         return false unless version_of_latest_tag
-        version_class.new(numeric_version_from(tag)) > version_of_latest_tag
+        comparable_version_from(tag) > version_of_latest_tag
+      end
+      def comparable_version_from(tag)
+        version_class.new(numeric_version_from(tag))
       end
       def numeric_version_from(tag)
@@ -317,8 +335,9 @@ module Dependabot
       end
       def registry_hostname
-        dependency.requirements.first[:source][:registry] ||
-          "registry.hub.docker.com"
+        return dependency.requirements.first[:source][:registry] if dependency.requirements.first[:source][:registry]
+        credentials_finder.base_registry
       end
       def using_dockerhub?
@@ -350,11 +369,31 @@ module Dependabot
           )
       end
+      def sort_tags(candidate_tags, version)
+        candidate_tags.sort do |tag_a, tag_b|
+          if comparable_version_from(tag_a) > comparable_version_from(tag_b)
+            1
+          elsif comparable_version_from(tag_a) < comparable_version_from(tag_b)
+            -1
+          elsif same_precision?(tag_a, version)
+            1
+          elsif same_precision?(tag_b, version)
+            -1
+          else
+            0
+          end
+        end
+      end
+      def precision_of(version)
+        version.split(/[.-]/).length
+      end
       def filter_ignored(candidate_tags)
         filtered =
           candidate_tags.
           reject do |tag|
-            version = version_class.new(numeric_version_from(tag))
+            version = comparable_version_from(tag)
             ignore_requirements.any? { |r| r.satisfied_by?(version) }
           end
         if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(candidate_tags).any?
@@ -365,9 +404,9 @@ module Dependabot
       end
       def filter_lower_versions(tags)
-        versions_array = tags.map { |tag| version_class.new(numeric_version_from(tag)) }
+        versions_array = tags.map { |tag| comparable_version_from(tag) }
         versions_array.
-          select { |version| version > version_class.new(numeric_version_from(dependency.version)) }
+          select { |version| version > comparable_version_from(dependency.version) }
       end
     end
   end

data/lib/dependabot/docker/utils/credentials_finder.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Dependabot
     module Utils
       class CredentialsFinder
         AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
+        DEFAULT_DOCKER_HUB_REGISTRY = "registry.hub.docker.com"
         def initialize(credentials)
           @credentials = credentials
@@ -26,6 +27,18 @@ module Dependabot
           build_aws_credentials(registry_details)
         end
+        def base_registry
+          @base_registry ||= credentials.find do |cred|
+            cred["type"] == "docker_registry" && cred["replaces-base"] == true
+          end
+          @base_registry ||= { "registry" => DEFAULT_DOCKER_HUB_REGISTRY, "credentials" => nil }
+          @base_registry["registry"]
+        end
+        def using_dockerhub?(registry)
+          registry == DEFAULT_DOCKER_HUB_REGISTRY
+        end
         private
         attr_reader :credentials

data/lib/dependabot/docker/utils/helpers.rb ADDED Viewed

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+module Dependabot
+  module Docker
+    module Utils
+      HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.ya?ml$/i
+      def self.likely_helm_chart?(file)
+        file.name.match?(HELM_REGEXP)
+      end
+    end
+  end
+end

data/lib/dependabot/docker/version.rb CHANGED Viewed

@@ -13,7 +13,7 @@ module Dependabot
       def initialize(version)
         release_part, update_part = version.split("_", 2)
-        @release_part = Gem::Version.new(release_part)
+        @release_part = Gem::Version.new(release_part.tr("-", "."))
         @update_part = Gem::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
       end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-  version: 0.213.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -221,6 +221,7 @@ files:
 - lib/dependabot/docker/requirement.rb
 - lib/dependabot/docker/update_checker.rb
 - lib/dependabot/docker/utils/credentials_finder.rb
+- lib/dependabot/docker/utils/helpers.rb
 - lib/dependabot/docker/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses: