RubyGems - dependabot-docker_compose - Versions diffs - 0.297.1 - Mend

dependabot-docker_compose 0.297.1

Files changed (17) hide show

checksums.yaml +7 -0
data/lib/dependabot/docker_compose/file_fetcher.rb +67 -0
data/lib/dependabot/docker_compose/file_parser.rb +76 -0
data/lib/dependabot/docker_compose/file_updater.rb +106 -0
data/lib/dependabot/docker_compose/metadata_finder.rb +39 -0
data/lib/dependabot/docker_compose/package_manager.rb +53 -0
data/lib/dependabot/docker_compose/requirement.rb +43 -0
data/lib/dependabot/docker_compose/tag.rb +144 -0
data/lib/dependabot/docker_compose/update_checker.rb +479 -0
data/lib/dependabot/docker_compose/version.rb +84 -0
data/lib/dependabot/docker_compose.rb +19 -0
data/lib/dependabot/shared/shared_file_fetcher.rb +99 -0
data/lib/dependabot/shared/shared_file_parser.rb +80 -0
data/lib/dependabot/shared/shared_file_updater.rb +261 -0
data/lib/dependabot/shared/utils/credentials_finder.rb +101 -0
data/lib/dependabot/shared/utils/helpers.rb +19 -0
metadata +285 -0

data/lib/dependabot/shared/shared_file_parser.rb ADDED Viewed

@@ -0,0 +1,80 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "sorbet-runtime"
+module Dependabot
+  module Shared
+    class SharedFileParser < Dependabot::FileParsers::Base
+      extend T::Sig
+      extend T::Helpers
+      abstract!
+      require "dependabot/file_parsers/base/dependency_set"
+      # Details of Docker regular expressions is at
+      # https://github.com/docker/distribution/blob/master/reference/regexp.go
+      DOMAIN_COMPONENT = /(?:[[:alnum:]]|[[:alnum:]][[[:alnum:]]-]*[[:alnum:]])/
+      DOMAIN = /(?:#{DOMAIN_COMPONENT}(?:\.#{DOMAIN_COMPONENT})+)/
+      REGISTRY = /(?<registry>#{DOMAIN}(?::\d+)?)/
+      NAME_COMPONENT = /(?:[a-z\d]+(?:(?:[._]|__|[-]*)[a-z\d]+)*)/
+      IMAGE = %r{(?<image>#{NAME_COMPONENT}(?:/#{NAME_COMPONENT})*)}
+      TAG = /:(?<tag>[\w][\w.-]{0,127})/
+      DIGEST = /@(?<digest>[^\s]+)/
+      NAME = /\s+AS\s+(?<name>[\w-]+)/
+      protected
+      sig { params(parsed_line: T::Hash[String, T.nilable(String)]).returns(T.nilable(String)) }
+      def version_from(parsed_line)
+        parsed_line.fetch("tag") || parsed_line.fetch("digest")
+      end
+      sig { params(parsed_line: T::Hash[String, T.nilable(String)]).returns(T::Hash[String, T.nilable(String)]) }
+      def source_from(parsed_line)
+        source = {}
+        source[:registry] = parsed_line.fetch("registry") if parsed_line.fetch("registry")
+        source[:tag] = parsed_line.fetch("tag") if parsed_line.fetch("tag")
+        source[:digest] = parsed_line.fetch("digest") if parsed_line.fetch("digest")
+        source
+      end
+      sig do
+        params(file: Dependabot::DependencyFile, details: T::Hash[String, T.nilable(String)],
+               version: String).returns(Dependabot::Dependency)
+      end
+      def build_dependency(file, details, version)
+        Dependency.new(
+          name: T.must(details.fetch("image")),
+          version: version,
+          package_manager: package_manager,
+          requirements: [
+            requirement: nil,
+            groups: [],
+            file: file.name,
+            source: source_from(details)
+          ]
+        )
+      end
+      private
+      sig { override.void }
+      def check_required_files; end
+      sig { abstract.returns(String) }
+      def package_manager; end
+      sig { abstract.returns(String) }
+      def file_type; end
+    end
+  end
+end

data/lib/dependabot/shared/shared_file_updater.rb ADDED Viewed

@@ -0,0 +1,261 @@
+# typed: strict
+# frozen_string_literal: true
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/errors"
+require "sorbet-runtime"
+require "dependabot/shared/utils/helpers"
+module Dependabot
+  module Shared
+    class SharedFileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+      extend T::Helpers
+      abstract!
+      FROM_REGEX = /FROM(\s+--platform\=\S+)?/i
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_dependency_files
+        updated_files = []
+        dependency_files.each do |file|
+          next unless requirement_changed?(file, T.must(dependency))
+          updated_files << if file.name.match?(T.must(yaml_file_pattern))
+                             updated_file(
+                               file: file,
+                               content: T.must(updated_yaml_content(file))
+                             )
+                           else
+                             updated_file(
+                               file: file,
+                               content: T.must(updated_dockerfile_content(file))
+                             )
+                           end
+        end
+        updated_files.reject! { |f| dependency_files.include?(f) }
+        raise "No files changed!" if updated_files.none?
+        updated_files
+      end
+      sig { abstract.returns(T.nilable(Regexp)) }
+      def yaml_file_pattern; end
+      sig { abstract.returns(T.nilable(Regexp)) }
+      def container_image_regex; end
+      private
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+      def updated_dockerfile_content(file)
+        old_sources = previous_sources(file)
+        new_sources = sources(file)
+        updated_content = T.let(file.content, T.untyped)
+        T.must(old_sources).zip(new_sources).each do |old_source, new_source|
+          updated_content = update_digest_and_tag(updated_content, old_source, T.must(new_source))
+        end
+        raise "Expected content to change!" if updated_content == file.content
+        updated_content
+      end
+      sig do
+        params(previous_content: String, old_source: T::Hash[Symbol, T.nilable(String)],
+               new_source: T::Hash[Symbol, T.nilable(String)]).returns(String)
+      end
+      def update_digest_and_tag(previous_content, old_source, new_source)
+        old_digest = old_source[:digest]
+        new_digest = new_source[:digest]
+        old_tag = old_source[:tag]
+        new_tag = new_source[:tag]
+        old_declaration =
+          if private_registry_url(old_source)
+            "#{private_registry_url(old_source)}/"
+          else
+            ""
+          end
+        old_declaration += T.must(dependency).name
+        old_declaration +=
+          if specified_with_tag?(old_source)
+            ":#{old_tag}"
+          else
+            ""
+          end
+        old_declaration +=
+          if specified_with_digest?(old_source)
+            "@sha256:#{old_digest}"
+          else
+            ""
+          end
+        escaped_declaration = Regexp.escape(old_declaration)
+        old_declaration_regex = build_old_declaration_regex(escaped_declaration)
+        previous_content.gsub(old_declaration_regex) do |old_dec|
+          old_dec
+            .gsub("@sha256:#{old_digest}", "@sha256:#{new_digest}")
+            .gsub(":#{old_tag}", ":#{new_tag}")
+        end
+      end
+      sig { params(escaped_declaration: String).returns(Regexp) }
+      def build_old_declaration_regex(escaped_declaration)
+        %r{^#{FROM_REGEX}\s+(docker\.io/)?#{escaped_declaration}(?=\s|$)}
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+      def updated_yaml_content(file)
+        updated_content = file.content
+        updated_content = update_helm(file, updated_content) if Shared::Utils.likely_helm_chart?(file)
+        updated_content = update_image(file, updated_content)
+        raise "Expected content to change!" if updated_content == file.content
+        updated_content
+      end
+      sig { params(file: Dependabot::DependencyFile, content: T.nilable(String)).returns(T.nilable(String)) }
+      def update_helm(file, content)
+        old_tags = old_helm_tags(file)
+        return if old_tags.empty?
+        modified_content = content
+        old_tags.each do |old_tag|
+          old_tag_regex = /^\s*(?:-\s)?(?:tag|version):\s+["']?#{old_tag}["']?(?=\s|$)/
+          modified_content = modified_content&.gsub(old_tag_regex) do |old_img_tag|
+            old_img_tag.gsub(old_tag.to_s, new_helm_tag(file).to_s)
+          end
+        end
+        modified_content
+      end
+      sig { params(file: Dependabot::DependencyFile, content: T.nilable(String)).returns(T.nilable(String)) }
+      def update_image(file, content)
+        old_images = old_yaml_images(file)
+        return if old_images.empty?
+        modified_content = content
+        old_images.each do |old_image|
+          old_image_regex = /^\s*(?:-\s)?image:\s+#{old_image}(?=\s|$)/
+          modified_content = modified_content&.gsub(old_image_regex) do |old_img|
+            old_img.gsub(old_image.to_s, new_yaml_image(file).to_s)
+          end
+        end
+        modified_content
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(String) }
+      def new_yaml_image(file)
+        element = T.must(dependency).requirements.find { |r| r[:file] == file.name }
+        prefix = element&.dig(:source, :registry) ? "#{element.fetch(:source)[:registry]}/" : ""
+        digest = element&.dig(:source, :digest) ? "@sha256:#{element.fetch(:source)[:digest]}" : ""
+        tag = element&.dig(:source, :tag) ? ":#{element.fetch(:source)[:tag]}" : ""
+        "#{prefix}#{T.must(dependency).name}#{tag}#{digest}"
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def old_yaml_images(file)
+        T.must(previous_requirements(file)).map do |r|
+          prefix = r.fetch(:source)[:registry] ? "#{r.fetch(:source)[:registry]}/" : ""
+          digest = r.fetch(:source)[:digest] ? "@sha256:#{r.fetch(:source)[:digest]}" : ""
+          tag = r.fetch(:source)[:tag] ? ":#{r.fetch(:source)[:tag]}" : ""
+          "#{prefix}#{T.must(dependency).name}#{tag}#{digest}"
+        end
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T::Array[String]) }
+      def old_helm_tags(file)
+        T.must(previous_requirements(file)).map do |r|
+          tag = r.fetch(:source)[:tag] || ""
+          digest = r.fetch(:source)[:digest] ? "@sha256:#{r.fetch(:source)[:digest]}" : ""
+          "#{tag}#{digest}"
+        end
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(String) }
+      def new_helm_tag(file)
+        element = T.must(dependency).requirements.find { |r| r[:file] == file.name }
+        tag = T.must(element).dig(:source, :tag) || ""
+        digest = T.must(element).dig(:source, :digest) ? "@sha256:#{T.must(element).dig(:source, :digest)}" : ""
+        "#{tag}#{digest}"
+      end
+      protected
+      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
+      def requirement_changed?(file, dependency)
+        changed_requirements =
+          dependency.requirements - T.must(dependency.previous_requirements)
+        changed_requirements.any? { |f| f[:file] == file.name }
+      end
+      sig { params(source: T::Hash[Symbol, T.nilable(String)]).returns(T::Boolean) }
+      def specified_with_tag?(source)
+        !source[:tag].nil?
+      end
+      sig { params(source: T::Hash[Symbol, T.nilable(String)]).returns(T::Boolean) }
+      def specified_with_digest?(source)
+        !source[:digest].nil?
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def requirements(file)
+        T.must(dependency).requirements
+         .select { |r| r[:file] == file.name }
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+      def previous_requirements(file)
+        T.must(dependency).previous_requirements
+         &.select { |r| r[:file] == file.name }
+      end
+      sig { params(source: T::Hash[Symbol, T.nilable(String)]).returns(T.nilable(String)) }
+      def private_registry_url(source)
+        source[:registry]
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T::Array[T::Hash[Symbol, T.nilable(String)]]) }
+      def sources(file)
+        requirements(file).map { |r| r.fetch(:source) }
+      end
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(T::Array[T::Hash[Symbol, T.nilable(String)]])) }
+      def previous_sources(file)
+        previous_requirements(file)&.map { |r| r.fetch(:source) }
+      end
+      sig { returns(T.nilable(Dependabot::Dependency)) }
+      def dependency
+        # Files will only ever be updating a single dependency
+        dependencies.first
+      end
+      sig { override.void }
+      def check_required_files
+        return if dependency_files.any?
+        raise "No #{file_type}!"
+      end
+      private
+      sig { abstract.returns(String) }
+      def file_type; end
+    end
+  end
+end

data/lib/dependabot/shared/utils/credentials_finder.rb ADDED Viewed

@@ -0,0 +1,101 @@
+# typed: strict
+# frozen_string_literal: true
+require "aws-sdk-ecr"
+require "base64"
+require "sorbet-runtime"
+require "dependabot/credential"
+require "dependabot/errors"
+module Dependabot
+  module Shared
+    module Utils
+      class CredentialsFinder
+        extend T::Sig
+        AWS_ECR_URL = /dkr\.ecr\.(?<region>[^.]+)\.amazonaws\.com/
+        DEFAULT_DOCKER_HUB_REGISTRY = "registry.hub.docker.com"
+        sig { params(credentials: T::Array[Dependabot::Credential]).void }
+        def initialize(credentials)
+          @credentials = credentials
+        end
+        sig { params(registry_hostname: T.nilable(String)).returns(T.nilable(Dependabot::Credential)) }
+        def credentials_for_registry(registry_hostname)
+          registry_details =
+            credentials
+            .select { |cred| cred["type"] == "docker_registry" }
+            .find { |cred| cred.fetch("registry") == registry_hostname }
+          return unless registry_details
+          return registry_details unless registry_hostname&.match?(AWS_ECR_URL)
+          build_aws_credentials(registry_details)
+        end
+        sig { returns(T.nilable(String)) }
+        def base_registry
+          @base_registry ||= T.let(
+            credentials.find do |cred|
+              cred["type"] == "docker_registry" && cred.replaces_base?
+            end,
+            T.nilable(Dependabot::Credential)
+          )
+          @base_registry ||= Dependabot::Credential.new({ "registry" => DEFAULT_DOCKER_HUB_REGISTRY,
+                                                          "credentials" => nil })
+          @base_registry["registry"]
+        end
+        sig { params(registry: String).returns(T::Boolean) }
+        def using_dockerhub?(registry)
+          registry == DEFAULT_DOCKER_HUB_REGISTRY
+        end
+        private
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+        sig { params(registry_details: Dependabot::Credential).returns(Dependabot::Credential) }
+        def build_aws_credentials(registry_details)
+          # If credentials have been generated from AWS we can just return them
+          return registry_details if registry_details["username"] == "AWS"
+          # Build a client either with explicit creds or default creds
+          registry_hostname = registry_details.fetch("registry")
+          region = registry_hostname.match(AWS_ECR_URL).named_captures.fetch("region")
+          aws_credentials = Aws::Credentials.new(
+            registry_details["username"],
+            registry_details["password"]
+          )
+          ecr_client =
+            if aws_credentials.set?
+              Aws::ECR::Client.new(region: region, credentials: aws_credentials)
+            else
+              # Let the client check default locations for credentials
+              Aws::ECR::Client.new(region: region)
+            end
+          # If the client still lacks credentials, we might be running within GitHub's
+          # Dependabot Service, in which case we might get them from the proxy
+          return registry_details if ecr_client.config.credentials.nil?
+          # Otherwise, we need to use the provided Access Key ID and secret to
+          # generate a temporary username and password
+          @authorization_tokens ||= T.let({}, T.nilable(T::Hash[String, String]))
+          @authorization_tokens[registry_hostname] ||=
+            ecr_client.get_authorization_token.authorization_data.first.authorization_token
+          username, password =
+            Base64.decode64(T.must(@authorization_tokens[registry_hostname])).split(":")
+          registry_details.merge(Dependabot::Credential.new({ "username" => username, "password" => password }))
+        rescue Aws::Errors::MissingCredentialsError,
+               Aws::ECR::Errors::UnrecognizedClientException,
+               Aws::ECR::Errors::InvalidSignatureException
+          raise PrivateSourceAuthenticationFailure, registry_hostname
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/shared/utils/helpers.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# typed: strong
+# frozen_string_literal: true
+require "sorbet-runtime"
+module Dependabot
+  module Shared
+    module Utils
+      HELM_REGEXP = /values[\-a-zA-Z_0-9]*\.ya?ml$/i
+      extend T::Sig
+      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
+      def self.likely_helm_chart?(file)
+        file.name.match?(HELM_REGEXP)
+      end
+    end
+  end
+end