dependabot-docker 0.77.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f91e012344a707c90832f405af7e3c63084bd319b93c0ae9181867357de02e36
+  data.tar.gz: 0ec7fcb7029b52d69b9664f3b67aff22cbee2f9dfd71263c7041ee24dea59a15
+SHA512:
+  metadata.gz: f628cee07f0b8346d582ff23496607187bcbbf0dc174798b4d811f1410637c3442888dd41b530d23639e80477c83869272a7ba4543768e43cd93f10b72fce4ca
+  data.tar.gz: 52732d1c2c1273a91a8377ae551c9fecae807f460e883f7ab930c3f874dbf86365d4398770a5d7f71889c0e37c13af39bfadee3e6871901bbcfa459dc02cc98f

data/lib/dependabot/docker/file_fetcher.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+
+module Dependabot
+  module Docker
+    class FileFetcher < Dependabot::FileFetchers::Base
+      def self.required_files_in?(filenames)
+        filenames.any? { |f| f.match?(/dockerfile/i) }
+      end
+
+      def self.required_files_message
+        "Repo must contain a Dockerfile."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files += dockerfiles
+
+        return fetched_files if fetched_files.any?
+
+        raise(
+          Dependabot::DependencyFileNotFound,
+          File.join(directory, "Dockerfile")
+        )
+      end
+
+      def dockerfiles
+        @dockerfiles ||=
+          repo_contents(raise_errors: false).
+          select { |f| f.type == "file" && f.name.match?(/dockerfile/i) }.
+          map { |f| fetch_file_from_host(f.name) }
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.
+  register("docker", Dependabot::Docker::FileFetcher)

data/lib/dependabot/docker/file_parser.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+require "docker_registry2"
+
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/errors"
+require "dependabot/docker/utils/credentials_finder"
+
+module Dependabot
+  module Docker
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+
+      # Detials of Docker regular expressions is at
+      # https://github.com/docker/distribution/blob/master/reference/regexp.go
+      DOMAIN_COMPONENT =
+        /(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/.freeze
+      DOMAIN = /(?:#{DOMAIN_COMPONENT}(?:\.#{DOMAIN_COMPONENT})+)/.freeze
+      REGISTRY = /(?<registry>#{DOMAIN}(?::[0-9]+)?)/.freeze
+
+      NAME_COMPONENT = /(?:[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*)/.freeze
+      IMAGE = %r{(?<image>#{NAME_COMPONENT}(?:/#{NAME_COMPONENT})*)}.freeze
+
+      FROM = /[Ff][Rr][Oo][Mm]/.freeze
+      TAG = /:(?<tag>[\w][\w.-]{0,127})/.freeze
+      DIGEST = /@(?<digest>[^\s]+)/.freeze
+      NAME = /\s+AS\s+(?<name>[a-zA-Z0-9_-]+)/.freeze
+      FROM_LINE =
+        %r{^#{FROM}\s+(#{REGISTRY}/)?#{IMAGE}#{TAG}?#{DIGEST}?#{NAME}?}.freeze
+
+      AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+).amazonaws\.com/.freeze
+
+      def parse
+        dependency_set = DependencySet.new
+
+        dockerfiles.each do |dockerfile|
+          dockerfile.content.each_line do |line|
+            next unless FROM_LINE.match?(line)
+
+            parsed_from_line = FROM_LINE.match(line).named_captures
+
+            version = version_from(parsed_from_line)
+            next unless version
+
+            dependency_set << Dependency.new(
+              name: parsed_from_line.fetch("image"),
+              version: version,
+              package_manager: "docker",
+              requirements: [
+                requirement: nil,
+                groups: [],
+                file: dockerfile.name,
+                source: source_from(parsed_from_line)
+              ]
+            )
+          end
+        end
+
+        dependency_set.dependencies
+      end
+
+      private
+
+      def dockerfiles
+        # The Docker file fetcher only fetches Dockerfiles, so no need to
+        # filter here
+        dependency_files
+      end
+
+      def version_from(parsed_from_line)
+        return parsed_from_line.fetch("tag") if parsed_from_line.fetch("tag")
+
+        version_from_digest(
+          registry: parsed_from_line.fetch("registry"),
+          image: parsed_from_line.fetch("image"),
+          digest: parsed_from_line.fetch("digest")
+        )
+      end
+
+      def source_from(parsed_from_line)
+        source = {}
+
+        if parsed_from_line.fetch("registry")
+          source[:registry] = parsed_from_line.fetch("registry")
+        end
+
+        if parsed_from_line.fetch("tag")
+          source[:tag] = parsed_from_line.fetch("tag")
+        end
+
+        if parsed_from_line.fetch("digest")
+          source[:digest] = parsed_from_line.fetch("digest")
+        end
+
+        source
+      end
+
+      def version_from_digest(registry:, image:, digest:)
+        return unless digest
+
+        repo = docker_repo_name(image, registry)
+        registry_client = docker_registry_client(registry)
+        registry_client.tags(repo).fetch("tags").find do |tag|
+          digest == registry_client.digest(repo, tag)
+        rescue DockerRegistry2::NotFound
+          # Shouldn't happen, but it does. Example of existing tag with
+          # no manifest is "library/python", "2-windowsservercore".
+          false
+        end
+      rescue DockerRegistry2::RegistryAuthenticationException,
+             RestClient::Forbidden
+        raise if standard_registry?(registry)
+
+        raise PrivateSourceAuthenticationFailure, registry
+      end
+
+      def docker_repo_name(image, registry)
+        return image unless standard_registry?(registry)
+        return image unless image.split("/").count < 2
+
+        "library/#{image}"
+      end
+
+      def docker_registry_client(registry)
+        if registry
+          credentials = registry_credentials(registry)
+
+          DockerRegistry2::Registry.new(
+            "https://#{registry}",
+            user: credentials&.fetch("username"),
+            password: credentials&.fetch("password")
+          )
+        else
+          DockerRegistry2::Registry.new("https://registry.hub.docker.com")
+        end
+      end
+
+      def registry_credentials(registry_url)
+        credentials_finder.credentials_for_registry(registry_url)
+      end
+
+      def credentials_finder
+        @credentials_finder ||= Utils::CredentialsFinder.new(credentials)
+      end
+
+      def standard_registry?(registry)
+        return true if registry.nil?
+
+        registry == "registry.hub.docker.com"
+      end
+
+      def check_required_files
+        # Just check if there are any files at all.
+        return if dependency_files.any?
+
+        raise "No Dockerfile!"
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.
+  register("docker", Dependabot::Docker::FileParser)

data/lib/dependabot/docker/file_updater.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/errors"
+
+module Dependabot
+  module Docker
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      FROM_REGEX = /[Ff][Rr][Oo][Mm]/.freeze
+
+      def self.updated_files_regex
+        [/dockerfile/]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        dependency_files.each do |file|
+          next unless requirement_changed?(file, dependency)
+
+          updated_files <<
+            updated_file(
+              file: file,
+              content: updated_dockerfile_content(file)
+            )
+        end
+
+        updated_files.reject! { |f| dependency_files.include?(f) }
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      def dependency
+        # Dockerfiles will only ever be updating a single dependency
+        dependencies.first
+      end
+
+      def check_required_files
+        # Just check if there are any files at all.
+        return if dependency_files.any?
+
+        raise "No Dockerfile!"
+      end
+
+      def updated_dockerfile_content(file)
+        updated_content =
+          if specified_with_digest?(file)
+            update_digest_and_tag(file)
+          else
+            update_tag(file)
+          end
+
+        raise "Expected content to change!" if updated_content == file.content
+
+        updated_content
+      end
+
+      def update_digest_and_tag(file)
+        old_declaration_regex = /^#{FROM_REGEX}\s+.*@#{old_digest(file)}/
+
+        file.content.gsub(old_declaration_regex) do |old_dec|
+          old_dec.
+            gsub("@#{old_digest(file)}", "@#{new_digest(file)}").
+            gsub(":#{dependency.previous_version}",
+                 ":#{dependency.version}")
+        end
+      end
+
+      def update_tag(file)
+        return unless old_tag(file)
+
+        old_declaration =
+          if private_registry_url(file) then "#{private_registry_url(file)}/"
+          else ""
+          end
+        old_declaration += "#{dependency.name}:#{old_tag(file)}"
+        escaped_declaration = Regexp.escape(old_declaration)
+
+        old_declaration_regex = /^#{FROM_REGEX}\s+#{escaped_declaration}/
+
+        file.content.gsub(old_declaration_regex) do |old_dec|
+          old_dec.gsub(":#{old_tag(file)}", ":#{new_tag(file)}")
+        end
+      end
+
+      def specified_with_digest?(file)
+        dependency.
+          requirements.
+          find { |r| r[:file] == file.name }.
+          fetch(:source)[:digest]
+      end
+
+      def new_digest(file)
+        return unless specified_with_digest?(file)
+
+        dependency.requirements.
+          find { |r| r[:file] == file.name }.
+          fetch(:source).fetch(:digest)
+      end
+
+      def old_digest(file)
+        return unless specified_with_digest?(file)
+
+        dependency.previous_requirements.
+          find { |r| r[:file] == file.name }.
+          fetch(:source).fetch(:digest)
+      end
+
+      def new_tag(file)
+        dependency.requirements.
+          find { |r| r[:file] == file.name }.
+          fetch(:source)[:tag]
+      end
+
+      def old_tag(file)
+        dependency.previous_requirements.
+          find { |r| r[:file] == file.name }.
+          fetch(:source)[:tag]
+      end
+
+      def private_registry_url(file)
+        dependency.requirements.
+          find { |r| r[:file] == file.name }.
+          fetch(:source)[:registry]
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.
+  register("docker", Dependabot::Docker::FileUpdater)

data/lib/dependabot/docker/metadata_finder.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+
+module Dependabot
+  module Docker
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      private
+
+      def look_up_source
+        # TODO: Find a way to add links to PRs
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("docker", Dependabot::Docker::MetadataFinder)

data/lib/dependabot/docker/update_checker.rb

@@ -0,0 +1,291 @@
+# frozen_string_literal: true
+
+require "docker_registry2"
+
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/errors"
+require "dependabot/docker/utils/credentials_finder"
+
+module Dependabot
+  module Docker
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      VERSION_REGEX = /(?<version>[0-9]+(?:\.[a-zA-Z0-9]+)*)/.freeze
+      VERSION_WITH_SUFFIX =
+        /^#{VERSION_REGEX}(?<affix>-[a-z0-9.\-]+)?$/.freeze
+      VERSION_WITH_PREFIX =
+        /^(?<affix>[a-z0-9.\-]+-)?#{VERSION_REGEX}$/.freeze
+      NAME_WITH_VERSION =
+        /#{VERSION_WITH_PREFIX}|#{VERSION_WITH_SUFFIX}/.freeze
+
+      def latest_version
+        @latest_version ||= fetch_latest_version
+      end
+
+      def latest_resolvable_version
+        # Resolvability isn't an issue for Docker containers.
+        latest_version
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        # No concept of "unlocking" for Docker containers
+        dependency.version
+      end
+
+      def updated_requirements
+        dependency.requirements.map do |req|
+          updated_source = req.fetch(:source).dup
+          updated_source[:digest] = updated_digest if req[:source][:digest]
+          updated_source[:tag] = latest_version if req[:source][:tag]
+
+          req.merge(source: updated_source)
+        end
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't relevant for Dockerfiles
+        false
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def version_can_update?(*)
+        !version_up_to_date?
+      end
+
+      def version_up_to_date?
+        # If the tag isn't up-to-date then we can definitely update
+        return false if version_tag_up_to_date? == false
+
+        # Otherwise, if the Dockerfile specifies a digest check that that is
+        # up-to-date
+        digest_up_to_date?
+      end
+
+      def version_tag_up_to_date?
+        return unless dependency.version.match?(NAME_WITH_VERSION)
+
+        old_v = numeric_version_from(dependency.version)
+        latest_v = numeric_version_from(latest_version)
+
+        return true if version_class.new(latest_v) <= version_class.new(old_v)
+
+        # Check the precision of the potentially higher tag is the same as the
+        # one it would replace. In the event that it's not the same, check the
+        # digests are also unequal. Avoids 'updating' ruby-2 -> ruby-2.5.1
+        return false if old_v.split(".").count == latest_v.split(".").count
+
+        digest_of(dependency.version) == digest_of(latest_version)
+      end
+
+      def digest_up_to_date?
+        dependency.requirements.all? do |req|
+          next true unless req.fetch(:source)[:digest]
+
+          req.fetch(:source).fetch(:digest) == digest_of(dependency.version)
+        end
+      end
+
+      # Note: It's important that this *always* returns a version (even if
+      # it's the existing one) as it is what we later check the digest of.
+      def fetch_latest_version
+        unless dependency.version.match?(NAME_WITH_VERSION)
+          return dependency.version
+        end
+
+        # Prune out any downgrade tags before checking for pre-releases
+        # (which requires a call to the registry for each tag, so can be slow)
+        candidate_tags = comparable_tags_from_registry
+        non_downgrade_tags = remove_version_downgrades(candidate_tags)
+        candidate_tags = non_downgrade_tags if non_downgrade_tags.any?
+
+        wants_prerelease = prerelease?(dependency.version)
+        candidate_tags =
+          candidate_tags.
+          reject { |tag| prerelease?(tag) && !wants_prerelease }.
+          reject do |tag|
+            version = version_class.new(numeric_version_from(tag))
+            ignore_reqs.any? { |r| r.satisfied_by?(version) }
+          end
+
+        latest_tag =
+          candidate_tags.
+          max_by { |tag| version_class.new(numeric_version_from(tag)) }
+
+        latest_tag || dependency.version
+      end
+
+      def comparable_tags_from_registry
+        original_affix = affix_of(dependency.version)
+
+        tags_from_registry.
+          select { |tag| tag.match?(NAME_WITH_VERSION) }.
+          select { |tag| affix_of(tag) == original_affix }.
+          reject { |tag| commit_sha_suffix?(tag) }
+      end
+
+      def remove_version_downgrades(candidate_tags)
+        candidate_tags.select do |tag|
+          version_class.new(numeric_version_from(tag)) >=
+            version_class.new(numeric_version_from(dependency.version))
+        end
+      end
+
+      def commit_sha_suffix?(tag)
+        # Some people suffix their versions with commit SHAs. Dependabot
+        # can't order on those but will try to, so instead we should exclude
+        # them (unless there's a `latest` version pushed to the registry, in
+        # which case we'll use that to find the latest version)
+        return false unless tag.match?(/(^|\-)[0-9a-f]{7,}$/)
+
+        !tag.match?(/(^|\-)20[0-1]\d{5}$/)
+      end
+
+      def version_of_latest_tag
+        return unless latest_digest
+
+        tags_from_registry.
+          select { |tag| canonical_version?(tag) }.
+          select { |t| digest_of(t) == latest_digest }.
+          map { |t| version_class.new(numeric_version_from(t)) }.
+          max
+      end
+
+      def canonical_version?(tag)
+        return false unless numeric_version_from(tag)
+        return true if tag == numeric_version_from(tag)
+
+        # .NET tags are suffixed with -sdk. There may be other cases we need
+        # to consider in future, too.
+        tag == numeric_version_from(tag) + "-sdk"
+      end
+
+      def updated_digest
+        @updated_digest ||=
+          begin
+            docker_registry_client.digest(docker_repo_name, latest_version)
+          rescue RestClient::Exceptions::Timeout
+            attempt ||= 1
+            attempt += 1
+            raise if attempt > 3
+
+            retry
+          end
+      rescue DockerRegistry2::RegistryAuthenticationException,
+             RestClient::Forbidden
+        raise PrivateSourceAuthenticationFailure, registry_hostname
+      end
+
+      def tags_from_registry
+        @tags_from_registry ||=
+          begin
+            docker_registry_client.tags(docker_repo_name).fetch("tags")
+          rescue RestClient::Exceptions::Timeout
+            attempt ||= 1
+            attempt += 1
+            raise if attempt > 3
+
+            retry
+          end
+      rescue DockerRegistry2::RegistryAuthenticationException,
+             RestClient::Forbidden
+        raise PrivateSourceAuthenticationFailure, registry_hostname
+      end
+
+      def latest_digest
+        return unless tags_from_registry.include?("latest")
+
+        digest_of("latest")
+      end
+
+      def digest_of(tag)
+        @digests ||= {}
+        return @digests[tag] if @digests.key?(tag)
+
+        @digests[tag] =
+          begin
+            docker_registry_client.digest(docker_repo_name, tag)
+          rescue *transient_docker_errors => e
+            attempt ||= 1
+            attempt += 1
+            return if attempt > 3 && e.is_a?(DockerRegistry2::NotFound)
+            raise if attempt > 3
+
+            retry
+          end
+      end
+
+      def transient_docker_errors
+        [RestClient::Exceptions::Timeout, DockerRegistry2::NotFound]
+      end
+
+      def affix_of(tag)
+        tag.match(NAME_WITH_VERSION).named_captures.fetch("affix")
+      end
+
+      def prerelease?(tag)
+        return true if numeric_version_from(tag).match?(/[a-zA-Z]/)
+
+        # If we're dealing with a numeric version we can compare it against
+        # the digest for the `latest` tag.
+        return false unless numeric_version_from(tag)
+        return false unless latest_digest
+        return false unless version_of_latest_tag
+
+        version_class.new(numeric_version_from(tag)) > version_of_latest_tag
+      end
+
+      def numeric_version_from(tag)
+        return unless tag.match?(NAME_WITH_VERSION)
+
+        tag.match(NAME_WITH_VERSION).named_captures.fetch("version")
+      end
+
+      def registry_hostname
+        dependency.requirements.first[:source][:registry] ||
+          "registry.hub.docker.com"
+      end
+
+      def using_dockerhub?
+        registry_hostname == "registry.hub.docker.com"
+      end
+
+      def registry_credentials
+        credentials_finder.credentials_for_registry(registry_hostname)
+      end
+
+      def credentials_finder
+        @credentials_finder ||= Utils::CredentialsFinder.new(credentials)
+      end
+
+      def docker_repo_name
+        return dependency.name unless using_dockerhub?
+        return dependency.name unless dependency.name.split("/").count < 2
+
+        "library/#{dependency.name}"
+      end
+
+      def docker_registry_client
+        @docker_registry_client ||=
+          DockerRegistry2::Registry.new(
+            "https://#{registry_hostname}",
+            user: registry_credentials&.fetch("username"),
+            password: registry_credentials&.fetch("password")
+          )
+      end
+
+      def ignore_reqs
+        # Note: we use Gem::Requirement here because ignore conditions will
+        # be passed as Ruby ranges
+        ignored_versions.map { |req| Gem::Requirement.new(req.split(",")) }
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.
+  register("docker", Dependabot::Docker::UpdateChecker)

data/lib/dependabot/docker/utils/credentials_finder.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "aws-sdk-ecr"
+require "base64"
+
+require "dependabot/errors"
+
+module Dependabot
+  module Docker
+    module Utils
+      class CredentialsFinder
+        AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+).amazonaws\.com/.freeze
+
+        def initialize(credentials)
+          @credentials = credentials
+        end
+
+        def credentials_for_registry(registry_hostname)
+          registry_details =
+            credentials.
+            select { |cred| cred["type"] == "docker_registry" }.
+            find { |cred| cred.fetch("registry") == registry_hostname }
+          return unless registry_details
+          return registry_details unless registry_hostname.match?(AWS_ECR_URL)
+
+          build_aws_credentials(registry_details)
+        end
+
+        private
+
+        attr_reader :credentials
+
+        def build_aws_credentials(registry_details)
+          # If credentials have been generated from AWS we can just return them
+          return registry_details if registry_details.fetch("username") == "AWS"
+
+          # Otherwise, we need to use the provided Access Key ID and secret to
+          # generate a temporary username and password
+          aws_credentials = Aws::Credentials.new(
+            registry_details.fetch("username"),
+            registry_details.fetch("password")
+          )
+
+          registry_hostname = registry_details.fetch("registry")
+          region = registry_hostname.match(AWS_ECR_URL).
+                   named_captures.fetch("region")
+
+          @authorization_tokens ||= {}
+          @authorization_tokens[registry_hostname] ||=
+            Aws::ECR::Client.new(region: region, credentials: aws_credentials).
+            get_authorization_token.authorization_data.first.
+            authorization_token
+
+          username, password =
+            Base64.decode64(@authorization_tokens[registry_hostname]).split(":")
+
+          registry_details.merge("username" => username, "password" => password)
+        rescue Aws::Errors::MissingCredentialsError,
+               Aws::ECR::Errors::UnrecognizedClientException
+          raise PrivateSourceAuthenticationFailure, registry_hostname
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,176 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-docker
+version: !ruby/object:Gem::Version
+  version: 0.77.0
+platform: ruby
+authors:
+- Dependabot
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-12-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.77.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.77.0
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+  Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/dependabot/docker/file_fetcher.rb
+- lib/dependabot/docker/file_parser.rb
+- lib/dependabot/docker/file_updater.rb
+- lib/dependabot/docker/metadata_finder.rb
+- lib/dependabot/docker/update_checker.rb
+- lib/dependabot/docker/utils/credentials_finder.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Terraform support for dependabot-core
+test_files: []