dependabot-docker 0.225.0 → 0.226.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bed9be20b5dafebe413d70b16a5940bb474b89b2eeaab9501f824f66c3d6ac90
-  data.tar.gz: f6ac3c022f82f6bbccbe7a7ed29d7b15eef4412e7a5f802ae7161bb39fbb3fca
+  metadata.gz: b32a9aefbcd623b4e2bf553b4aec6676f758f3d27f50f67f99156cc32d8206a0
+  data.tar.gz: f710312b8e2bed67dafabcea2b601be717292fab22301613e447a73153465703
 SHA512:
-  metadata.gz: e5d888a8c7c67653d554bfcaa24ecb7e532812000c0b89297303f9521195d5711bbca95b2cd66e19e460730e15f72ac67227f0ffcac99b3f3cf08a4c3cea9605
-  data.tar.gz: e1679c8e2220b27daa88ffc948296b2927e37ab11a475d1e7520d54c940a91f72d1b37ff6bfde5c7c11ea31ac9cbd6381542d3d3188202e33fbe905e7c82fcfa
+  metadata.gz: aa265e080fb4afd058721b5ac0bada493708327f2b5d10d35e0652b15ef0ae3b560ab890fbdd84a20ddf0a8abc7aff34d4bab56423a4b157553dc363ebed285e
+  data.tar.gz: 7f15e687d41a354f1a36b1e22ec899354d4f16edae0ae909e0ab2f105c57aaf3e59de48349b7005a92a13ded2cfd48ab8596434789001c62e345163d227e3894

data/lib/dependabot/docker/tag.rb

@@ -5,7 +5,8 @@ require "dependabot/docker/file_parser"
 module Dependabot
   module Docker
     class Tag
-      VERSION_REGEX = /v?(?<version>[0-9]+(?:\.[0-9]+)*(?:_[0-9]+|\.[a-z0-9]+|-(?:kb)?[0-9]+)*)/i
+      WORDS_WITH_BUILD = /(?:(?:-[a-z]+)+-[0-9]+)+/
+      VERSION_REGEX = /v?(?<version>[0-9]+(?:\.[0-9]+)*(?:_[0-9]+|\.[a-z0-9]+|#{WORDS_WITH_BUILD}|-(?:kb)?[0-9]+)*)/i
       VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
       VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-]*-)?#{VERSION_REGEX}$/i
       VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
@@ -30,6 +31,25 @@ module Dependabot
         name.match?(FileParser::DIGEST)
       end
 
+      def looks_like_prerelease?
+        numeric_version.gsub(/kb/i, "").match?(/[a-zA-Z]/)
+      end
+
+      def comparable_to?(other)
+        return false unless comparable?
+
+        other_prefix = other.prefix
+        other_suffix = other.suffix
+        other_format = other.format
+
+        equal_prefix = prefix == other_prefix
+        equal_format = format == other_format
+        return equal_prefix && equal_format if other_format == :sha_suffixed
+
+        equal_suffix = suffix == other_suffix
+        equal_prefix && equal_format && equal_suffix
+      end
+
       def comparable?
         name.match?(NAME_WITH_VERSION)
       end
@@ -62,11 +82,26 @@ module Dependabot
         name.match(NAME_WITH_VERSION).named_captures.fetch("suffix")
       end
 
+      def version
+        name.match(NAME_WITH_VERSION).named_captures.fetch("version")
+      end
+
       def format
-        return :year_month if numeric_version.match?(/^[12]\d{3}(?:[.\-]|$)/)
-        return :year_month_day if numeric_version.match?(/^[12]\d{5}(?:[.\-]|$)/)
+        return :year_month if version.match?(/^[12]\d{3}(?:[.\-]|$)/)
+        return :year_month_day if version.match?(/^[12]\d{5}(?:[.\-]|$)/)
         return :sha_suffixed if name.match?(/(^|\-g?)[0-9a-f]{7,}$/)
-        return :build_num if numeric_version.match?(/^\d+$/)
+        return :build_num if version.match?(/^\d+$/)
+
+        # As an example, "21-ea-32", "22-ea-7", and "22-ea-jdk-nanoserver-1809"
+        # are mapped to "<version>-ea-<build_num>", "<version>-ea-<build_num>",
+        # and "<version>-ea-jdk-nanoserver-<build_num>" respectively.
+        #
+        # That means only "22-ea-7" will be considered as a viable update
+        # candidate for "21-ea-32", since it's the only one that respects that
+        # format.
+        if version.match?(WORDS_WITH_BUILD)
+          return :"<version>#{version.match(WORDS_WITH_BUILD).to_s.gsub(/-[0-9]+/, "-<build_num>")}"
+        end
 
         :normal
       end
@@ -74,7 +109,7 @@ module Dependabot
       def numeric_version
         return unless comparable?
 
-        name.match(NAME_WITH_VERSION).named_captures.fetch("version").downcase
+        version.gsub(/-[a-z]+/, "").downcase
       end
 
       def precision

data/lib/dependabot/docker/update_checker.rb

@@ -82,10 +82,7 @@ module Dependabot
 
         latest_tag = latest_tag_from(version)
 
-        old_v = version_tag.numeric_version
-        latest_v = latest_tag.numeric_version
-
-        version_class.new(latest_v) <= version_class.new(old_v)
+        comparable_version_from(latest_tag) <= comparable_version_from(version_tag)
       end
 
       def digest_up_to_date?
@@ -151,18 +148,7 @@ module Dependabot
       end
 
       def comparable_tags_from_registry(original_tag)
-        original_prefix = original_tag.prefix
-        original_suffix = original_tag.suffix
-        original_format = original_tag.format
-
-        candidate_tags =
-          tags_from_registry.
-          select(&:comparable?).
-          select { |tag| tag.prefix == original_prefix }.
-          select { |tag| tag.format == original_format }
-        return candidate_tags if original_format == :sha_suffixed
-
-        candidate_tags.select { |tag| tag.suffix == original_suffix }
+        tags_from_registry.select { |tag| tag.comparable_to?(original_tag) }
       end
 
       def remove_version_downgrades(candidate_tags, version_tag)
@@ -245,7 +231,7 @@ module Dependabot
       end
 
       def fetch_digest_of(tag)
-        docker_registry_client.digest(docker_repo_name, tag)&.delete_prefix("sha256:")
+        docker_registry_client.manifest_digest(docker_repo_name, tag)&.delete_prefix("sha256:")
       rescue *transient_docker_errors => e
         attempt ||= 1
         attempt += 1
@@ -270,11 +256,9 @@ module Dependabot
       end
 
       def prerelease?(tag)
-        return true if tag.numeric_version.gsub(/kb/i, "").match?(/[a-zA-Z]/)
+        return true if tag.looks_like_prerelease?
 
-        # If we're dealing with a numeric version we can compare it against
-        # the digest for the `latest` tag.
-        return false unless tag.numeric_version
+        # Compare the numeric version against the version of the `latest` tag.
         return false unless latest_digest
         return false unless version_of_latest_tag
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-  version: 0.225.0
+  version: 0.226.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-31 00:00:00.000000000 Z
+date: 2023-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.225.0
+        version: 0.226.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.225.0
+        version: 0.226.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.17.1
+        version: 1.18.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.17.1
+        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: stackprof
   requirement: !ruby/object:Gem::Requirement
@@ -202,7 +202,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.225.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.226.0
 post_install_message: 
 rdoc_options: []
 require_paths: