dependabot-docker_compose 0.297.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e8800055af3f3a9fc1a7b056288ea510770fd65dcf8933eb69a66a4aed591914
+  data.tar.gz: 05c25842d1a91b7fc0cddff8e51b0687d5ff0f1cb200276409e25671cf245f46
+SHA512:
+  metadata.gz: c8f586a6ee7a26cb2e0e92abca5e23a0304537236df1fac702a667dfb8117494ce16d3d3243e20b4003e181c129e998381c7e5cca72da98ffaab7f2ff5aaf9b1
+  data.tar.gz: 72d33eae6923a14d9ffc8f12ab9cfdf0cddab97ce91afa51a39be2bf8fa618bbb678cdc6408166f54745d3c5305800be91d5328c6c2a9eef8d421cfc7664499e

data/lib/dependabot/docker_compose/file_fetcher.rb

@@ -0,0 +1,67 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/shared/shared_file_fetcher"
+
+module Dependabot
+  module DockerCompose
+    class FileFetcher < Dependabot::Shared::SharedFileFetcher
+      FILENAME_REGEX = /(docker-)?compose(-[\w]+)?(?>\.[\w-]+)?\.ya?ml/i
+
+      sig { override.returns(T::Array[DependencyFile]) }
+      def fetch_files
+        fetched_files = []
+        fetched_files += correctly_encoded_docker_compose_files if allow_beta_ecosystems?
+
+        return fetched_files if fetched_files.any?
+
+        raise_appropriate_error
+      end
+
+      sig { override.returns(Regexp) }
+      def self.filename_regex
+        FILENAME_REGEX
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def docker_compose_files
+        @docker_compose_files ||=
+          T.let(repo_contents(raise_errors: false)
+          .select { |f| f.type == "file" && f.name.match?(FILENAME_REGEX) }
+          .map { |f| fetch_file_from_host(f.name) }, T.nilable(T::Array[DependencyFile]))
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def correctly_encoded_docker_compose_files
+        docker_compose_files.select { |f| T.must(f.content).valid_encoding? }
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def incorrectly_encoded_docker_compose_files
+        docker_compose_files.reject { |f| T.must(f.content).valid_encoding? }
+      end
+
+      sig { override.returns(String) }
+      def self.required_files_message
+        "Repo must contain a docker-compose.yaml file."
+      end
+
+      private
+
+      sig { override.returns(String) }
+      def default_file_name
+        "docker-compose.yml"
+      end
+
+      sig { override.returns(String) }
+      def file_type
+        "Docker Compose"
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register(
+  "docker_compose",
+  Dependabot::DockerCompose::FileFetcher
+)

data/lib/dependabot/docker_compose/file_parser.rb

@@ -0,0 +1,76 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "yaml"
+require "dependabot/shared/shared_file_parser"
+require "dependabot/docker_compose/package_manager"
+
+module Dependabot
+  module DockerCompose
+    class FileParser < Dependabot::Shared::SharedFileParser
+      extend T::Sig
+
+      FROM_IMAGE = %r{^(?:#{REGISTRY}/)?#{IMAGE}(?:#{TAG})?(?:#{DIGEST})?(?:#{NAME})?}
+
+      sig { returns(Ecosystem) }
+      def ecosystem
+        @ecosystem ||= T.let(
+          Ecosystem.new(
+            name: ECOSYSTEM,
+            package_manager: DockerPackageManager.new
+          ),
+          T.nilable(Ecosystem)
+        )
+      end
+
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def parse
+        dependency_set = DependencySet.new
+
+        composefiles.each do |composefile|
+          yaml = YAML.safe_load(T.must(composefile.content))
+          yaml["services"].each do |_, service|
+            parsed_from_image = T.must(FROM_IMAGE.match(service["image"])).named_captures
+            parsed_from_image["registry"] = nil if parsed_from_image["registry"] == "docker.io"
+
+            version = version_from(parsed_from_image)
+            next unless version
+
+            dependency_set << build_dependency(composefile, parsed_from_image, version)
+          end
+        end
+
+        dependency_set.dependencies
+      end
+
+      private
+
+      sig { override.returns(String) }
+      def package_manager
+        "docker_compose"
+      end
+
+      sig { override.returns(String) }
+      def file_type
+        "docker-compose.yml"
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def composefiles
+        dependency_files
+      end
+
+      sig { override.void }
+      def check_required_files
+        return if dependency_files.any?
+
+        raise "No #{file_type}!"
+      end
+    end
+  end
+end
+
+Dependabot::FileParsers.register(
+  "docker_compose",
+  Dependabot::DockerCompose::FileParser
+)

data/lib/dependabot/docker_compose/file_updater.rb

@@ -0,0 +1,106 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/shared/shared_file_updater"
+
+module Dependabot
+  module DockerCompose
+    class FileUpdater < Dependabot::Shared::SharedFileUpdater
+      extend T::Sig
+      extend T::Helpers
+
+      YAML_REGEXP = /(docker-)?compose(?>\.[\w-]+)?\.ya?ml/i
+      IMAGE_REGEX = /image:\s*/
+
+      sig { override.returns(T::Array[Regexp]) }
+      def self.updated_files_regex
+        [YAML_REGEXP]
+      end
+
+      sig { override.returns(String) }
+      def file_type
+        "Docker compose"
+      end
+
+      sig { override.returns(Regexp) }
+      def yaml_file_pattern
+        YAML_REGEXP
+      end
+
+      sig { override.returns(Regexp) }
+      def container_image_regex
+        IMAGE_REGEX
+      end
+
+      sig { override.params(escaped_declaration: String).returns(Regexp) }
+      def build_old_declaration_regex(escaped_declaration)
+        %r{#{IMAGE_REGEX}\s+(docker\.io/)?#{escaped_declaration}(?=\s|$)}
+      end
+
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_dependency_files
+        updated_files = []
+        dependency_files.each do |file|
+          next unless requirement_changed?(file, T.must(dependency))
+
+          updated_files << updated_file(
+            file: file,
+            content: T.must(updated_dockerfile_content(file))
+          )
+        end
+
+        updated_files.reject! { |f| dependency_files.include?(f) }
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      sig do
+        override.params(previous_content: String, old_source: T::Hash[Symbol, T.nilable(String)],
+                        new_source: T::Hash[Symbol, T.nilable(String)]).returns(String)
+      end
+      def update_digest_and_tag(previous_content, old_source, new_source)
+        old_digest = old_source[:digest]
+        new_digest = new_source[:digest]
+
+        old_tag = old_source[:tag]
+        new_tag = new_source[:tag]
+
+        old_declaration =
+          if private_registry_url(old_source)
+            "#{private_registry_url(old_source)}/"
+          else
+            ""
+          end
+        old_declaration += T.must(dependency).name
+        old_declaration +=
+          if specified_with_tag?(old_source)
+            ":#{old_tag}"
+          else
+            ""
+          end
+        old_declaration +=
+          if old_digest&.start_with?("sha256:")
+            "@#{old_digest}"
+          else
+            ""
+          end
+
+        escaped_declaration = Regexp.escape(old_declaration)
+
+        old_declaration_regex = build_old_declaration_regex(escaped_declaration)
+
+        previous_content.gsub(old_declaration_regex) do |old_dec|
+          old_dec
+            .gsub(":#{old_tag}", ":#{new_tag}")
+            .gsub(old_digest.to_s, new_digest.to_s)
+        end
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.register(
+  "docker_compose",
+  Dependabot::DockerCompose::FileUpdater
+)

data/lib/dependabot/docker_compose/metadata_finder.rb

@@ -0,0 +1,39 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+require "sorbet-runtime"
+
+module Dependabot
+  module DockerCompose
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      extend T::Sig
+
+      private
+
+      sig { override.returns(T.nilable(Dependabot::Source)) }
+      def look_up_source
+        return if dependency.requirements.empty?
+
+        new_source = dependency.requirements.first&.fetch(:source)
+        return unless new_source && new_source[:registry] && new_source[:tag]
+
+        image_ref = "#{new_source[:registry]}/#{dependency.name}:#{new_source[:tag]}"
+        image_details_output = SharedHelpers.run_shell_command("regctl image inspect #{image_ref}")
+        image_details = JSON.parse(image_details_output)
+        image_source = image_details.dig("config", "Labels", "org.opencontainers.image.source")
+        return unless image_source
+
+        Dependabot::Source.from_url(image_source)
+      rescue StandardError => e
+        Dependabot.logger.warn("Error looking up Docker Compose source: #{e.message}")
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders
+  .register("docker_compose", Dependabot::DockerCompose::MetadataFinder)

data/lib/dependabot/docker_compose/package_manager.rb

@@ -0,0 +1,53 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/docker_compose/version"
+require "dependabot/ecosystem"
+require "dependabot/docker_compose/requirement"
+
+module Dependabot
+  module DockerCompose
+    ECOSYSTEM = "docker_compose"
+
+    SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+    DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+    class DockerPackageManager < Dependabot::Ecosystem::VersionManager
+      extend T::Sig
+
+      NAME = "docker_compose"
+
+      # As docker_compose updater is an in house custom utility, We use a placeholder
+      # version number for docker_compose updater
+      VERSION = "1.0.0"
+
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        void
+      end
+      def initialize
+        super(
+          name: NAME,
+          version: Version.new(VERSION),
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS
+       )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/docker_compose/requirement.rb

@@ -0,0 +1,43 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/requirement"
+require "dependabot/utils"
+
+module Dependabot
+  module DockerCompose
+    # Lifted from the bundler package manager
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
+
+      # For consistency with other languages, we define a requirements array.
+      # Ruby doesn't have an `OR` separator for requirements, so it always
+      # contains a single element.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      def self.requirements_array(requirement_string)
+        [new(T.must(requirement_string))]
+      end
+
+      sig { override.params(version: Version).returns(T::Boolean) }
+      def satisfied_by?(version)
+        super(version.release_part)
+      end
+
+      # Patches Gem::Requirement to make it accept requirement strings like
+      # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      sig { params(requirements: T.any(T.nilable(String), T::Array[T.nilable(String)])).void }
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          req_string.to_s.split(",").map(&:strip)
+        end
+
+        super(requirements)
+      end
+    end
+  end
+end
+
+Dependabot::Utils
+  .register_requirement_class("docker_compose", Dependabot::DockerCompose::Requirement)

data/lib/dependabot/docker_compose/tag.rb

@@ -0,0 +1,144 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module DockerCompose
+    class Tag
+      extend T::Sig
+      WORDS_WITH_BUILD = /(?:(?:-[a-z]+)+-[0-9]+)+/
+      VERSION_REGEX = /v?(?<version>[0-9]+(?:[_.][0-9]+)*(?:\.[a-z0-9]+|#{WORDS_WITH_BUILD}|-(?:kb)?[0-9]+)*)/i
+      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
+      VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-_]*-)?#{VERSION_REGEX}$/i
+      VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-_]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
+      NAME_WITH_VERSION =
+        /
+          #{VERSION_WITH_PFX}|
+          #{VERSION_WITH_SFX}|
+          #{VERSION_WITH_PFX_AND_SFX}
+      /x
+      DIGEST = /@(?<digest>[^\s]+)/
+
+      sig { returns(String) }
+      attr_reader :name
+
+      sig { params(name: String).void }
+      def initialize(name)
+        @name = name
+      end
+
+      sig { returns(String) }
+      def to_s
+        name
+      end
+
+      sig { returns(T::Boolean) }
+      def digest?
+        name.match?(DIGEST)
+      end
+
+      sig { returns(T.nilable(T::Boolean)) }
+      def looks_like_prerelease?
+        numeric_version&.match?(/[a-zA-Z]/)
+      end
+
+      sig { params(other: Tag).returns(T::Boolean) }
+      def comparable_to?(other)
+        return false unless comparable?
+
+        other_prefix = other.prefix
+        other_suffix = other.suffix
+        other_format = other.format
+
+        equal_prefix = prefix == other_prefix
+        equal_format = format == other_format
+        return equal_prefix && equal_format if other_format == :sha_suffixed
+
+        equal_suffix = suffix == other_suffix
+        equal_prefix && equal_format && equal_suffix
+      end
+
+      sig { returns(T::Boolean) }
+      def comparable?
+        name.match?(NAME_WITH_VERSION)
+      end
+
+      sig { params(other: Tag).returns(T::Boolean) }
+      def same_precision?(other)
+        other.precision == precision
+      end
+
+      sig { params(other: Tag).returns(T::Boolean) }
+      def same_but_less_precise?(other)
+        other.segments.zip(segments).all? do |segment, other_segment|
+          segment == other_segment || other_segment.nil?
+        end
+      end
+
+      sig { returns(T.nilable(T::Boolean)) }
+      def canonical?
+        return false unless numeric_version
+        return true if name == numeric_version
+
+        # .NET tags are suffixed with -sdk
+        return true if numeric_version && name == numeric_version.to_s + "-sdk"
+
+        numeric_version && name == "jdk-" + T.must(numeric_version)
+      end
+
+      sig { returns T.nilable(String) }
+      def prefix
+        name.match(NAME_WITH_VERSION)&.named_captures&.fetch("prefix")
+      end
+
+      sig { returns T.nilable(String) }
+      def suffix
+        name.match(NAME_WITH_VERSION)&.named_captures&.fetch("suffix")
+      end
+
+      sig { returns T.nilable(String) }
+      def version
+        name.match(NAME_WITH_VERSION)&.named_captures&.fetch("version")
+      end
+
+      sig { returns(Symbol) }
+      def format
+        return :sha_suffixed if name.match?(/(^|\-g?)[0-9a-f]{7,}$/)
+        return :year_month if version&.match?(/^[12]\d{3}(?:[.\-]|$)/)
+        return :year_month_day if version&.match?(/^[12](?:\d{5}|\d{7})(?:[.\-]|$)/)
+        return :build_num if version&.match?(/^\d+$/)
+
+        # As an example, "21-ea-32", "22-ea-7", and "22-ea-jdk-nanoserver-1809"
+        # are mapped to "<version>-ea-<build_num>", "<version>-ea-<build_num>",
+        # and "<version>-ea-jdk-nanoserver-<build_num>" respectively.
+        #
+        # That means only "22-ea-7" will be considered as a viable update
+        # candidate for "21-ea-32", since it's the only one that respects that
+        # format.
+        if version&.match?(WORDS_WITH_BUILD)
+          return :"<version>#{T.must(version).match(WORDS_WITH_BUILD).to_s.gsub(/-[0-9]+/, '-<build_num>')}"
+        end
+
+        :normal
+      end
+
+      sig { returns(T.nilable(String)) }
+      def numeric_version
+        return unless comparable?
+
+        version&.gsub(/kb/i, "")&.gsub(/-[a-z]+/, "")&.downcase
+      end
+
+      sig { returns(Integer) }
+      def precision
+        segments.length
+      end
+
+      sig { returns(T::Array[String]) }
+      def segments
+        T.must(numeric_version).split(/[.-]/)
+      end
+    end
+  end
+end