dependabot-docker_compose 0.298.0 → 0.299.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a3db024dd3fcc06548464dfcc4d200d9902985db3370b63a8a19780982c5e9d
-  data.tar.gz: 3b72a87e970f39783a4043ff3b8fb1e5046edb836458c2b11d0a0a202fa996bc
+  metadata.gz: 861d5c42bba5e0e574cfafdf438e749b62be2948c015641006cc24484f600089
+  data.tar.gz: 458e5b67bc719d3d38f353049098acf6770895e864695a9da763cc20a551b9bf
 SHA512:
-  metadata.gz: c725b06c42e3dc9ff8d8d835ea54c877a6d8c8dd3a033685e3aca5b3816cf36e5a012859f3b0b2dc6a078696c5034fdf8bcfd60f52a44972b82813478652832e
-  data.tar.gz: 566b2fb4658e7f06ca74520791f5b20c3a426baa50540bd0886e4ea93a5ffba1b97e26a86649c996f8aa80a94e6923a3db3f06392592607e6824d70658330df1
+  metadata.gz: c9c01ed28d5c74d401305cc5a0476adf12b476467f145631f49ce7dd480f6d578e31d9378bc87e9e05ebbfc0467c2ca1d12f8acdd39c0913a72293af1ee8fa8a
+  data.tar.gz: 07326f38f060f039037f14fe307a3c36e65f31f37299f322be6a64f5d66fa272875f8942e54e3499c18acbfa7d34137bb7ae3f53887ece99d7013e04a235f29a

data/lib/dependabot/docker_compose/file_fetcher.rb

@@ -11,7 +11,7 @@ module Dependabot
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
         fetched_files = []
-        fetched_files += correctly_encoded_docker_compose_files if allow_beta_ecosystems?
+        fetched_files += correctly_encoded_docker_compose_files
 
         return fetched_files if fetched_files.any?
 

data/lib/dependabot/docker_compose/file_parser.rb

@@ -10,7 +10,16 @@ module Dependabot
     class FileParser < Dependabot::Shared::SharedFileParser
       extend T::Sig
 
-      FROM_IMAGE = %r{^(?:#{REGISTRY}/)?#{IMAGE}(?:#{TAG})?(?:#{DIGEST})?(?:#{NAME})?}
+      ENV_VAR = /\${[^}]+}/
+      DIGEST = /(?<digest>[0-9a-f]{64})/
+      IMAGE_REGEX = %r{^(#{REGISTRY}/)?#{IMAGE}#{TAG}?(?:@sha256:#{DIGEST})?#{NAME}?}x
+
+      FROM = /FROM/i
+      PLATFORM = /--platform\=(?<platform>\S+)/
+
+      FROM_LINE =
+        %r{^#{FROM}\s+(#{PLATFORM}\s+)?(#{REGISTRY}/)?
+          #{IMAGE}#{TAG}?(?:@sha256:#{DIGEST})?#{NAME}?}x
 
       sig { returns(Ecosystem) }
       def ecosystem
@@ -28,9 +37,15 @@ module Dependabot
         dependency_set = DependencySet.new
 
         composefiles.each do |composefile|
-          yaml = YAML.safe_load(T.must(composefile.content))
+          yaml = YAML.safe_load(T.must(composefile.content), aliases: true)
+          next unless yaml["services"].is_a?(Hash)
+
           yaml["services"].each do |_, service|
-            parsed_from_image = T.must(FROM_IMAGE.match(service["image"])).named_captures
+            next unless service.is_a?(Hash)
+
+            parsed_from_image = parse_image_spec(service)
+            next unless parsed_from_image
+
             parsed_from_image["registry"] = nil if parsed_from_image["registry"] == "docker.io"
 
             version = version_from(parsed_from_image)
@@ -45,6 +60,32 @@ module Dependabot
 
       private
 
+      sig { params(service: T.untyped).returns(T.nilable(T::Hash[String, T.nilable(String)])) }
+      def parse_image_spec(service)
+        return nil unless service
+
+        if service["image"]
+          return nil if service["image"].match?(/^\${[^}]+}$/)
+
+          match = IMAGE_REGEX.match(service["image"])
+          return match&.named_captures
+        elsif service["build"].is_a?(Hash) && service["build"]["dockerfile_inline"]
+          return nil if service["build"]["dockerfile_inline"].match?(/^FROM\s+\${[^}]+}$/)
+
+          match = FROM_LINE.match(service["build"]["dockerfile_inline"])
+          return match&.named_captures
+        end
+
+        nil
+      end
+
+      sig { params(parsed_image: T::Hash[String, T.nilable(String)]).returns(T.nilable(String)) }
+      def version_from(parsed_image)
+        return nil if parsed_image["tag"]&.match?(ENV_VAR)
+
+        super
+      end
+
       sig { override.returns(String) }
       def package_manager
         "docker_compose"

data/lib/dependabot/docker_compose/file_updater.rb

@@ -10,7 +10,7 @@ module Dependabot
       extend T::Helpers
 
       YAML_REGEXP = /(docker-)?compose(?>\.[\w-]+)?\.ya?ml/i
-      IMAGE_REGEX = /image:\s*/
+      IMAGE_REGEX = /(?:from|image:\s*)/i
 
       sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
@@ -34,7 +34,7 @@ module Dependabot
 
       sig { override.params(escaped_declaration: String).returns(Regexp) }
       def build_old_declaration_regex(escaped_declaration)
-        %r{#{IMAGE_REGEX}\s+(docker\.io/)?#{escaped_declaration}(?=\s|$)}
+        %r{#{IMAGE_REGEX}\s+["']?(docker\.io/)?#{escaped_declaration}["']?(?=\s|$)}
       end
 
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
@@ -54,48 +54,6 @@ module Dependabot
 
         updated_files
       end
-
-      sig do
-        override.params(previous_content: String, old_source: T::Hash[Symbol, T.nilable(String)],
-                        new_source: T::Hash[Symbol, T.nilable(String)]).returns(String)
-      end
-      def update_digest_and_tag(previous_content, old_source, new_source)
-        old_digest = old_source[:digest]
-        new_digest = new_source[:digest]
-
-        old_tag = old_source[:tag]
-        new_tag = new_source[:tag]
-
-        old_declaration =
-          if private_registry_url(old_source)
-            "#{private_registry_url(old_source)}/"
-          else
-            ""
-          end
-        old_declaration += T.must(dependency).name
-        old_declaration +=
-          if specified_with_tag?(old_source)
-            ":#{old_tag}"
-          else
-            ""
-          end
-        old_declaration +=
-          if old_digest&.start_with?("sha256:")
-            "@#{old_digest}"
-          else
-            ""
-          end
-
-        escaped_declaration = Regexp.escape(old_declaration)
-
-        old_declaration_regex = build_old_declaration_regex(escaped_declaration)
-
-        previous_content.gsub(old_declaration_regex) do |old_dec|
-          old_dec
-            .gsub(":#{old_tag}", ":#{new_tag}")
-            .gsub(old_digest.to_s, new_digest.to_s)
-        end
-      end
     end
   end
 end

data/lib/dependabot/docker_compose/package_manager.rb

@@ -2,9 +2,7 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
-require "dependabot/docker_compose/version"
 require "dependabot/ecosystem"
-require "dependabot/docker_compose/requirement"
 
 module Dependabot
   module DockerCompose

data/lib/dependabot/docker_compose.rb

@@ -3,13 +3,17 @@
 
 # These all need to be required so the various classes can be registered in a
 # lookup table of package manager names to concrete classes.
+
+require "dependabot/docker"
+
 require "dependabot/docker_compose/file_fetcher"
 require "dependabot/docker_compose/file_parser"
-require "dependabot/docker_compose/update_checker"
 require "dependabot/docker_compose/file_updater"
-require "dependabot/docker_compose/metadata_finder"
-require "dependabot/docker_compose/requirement"
-require "dependabot/docker_compose/version"
+
+Dependabot::Utils.register_version_class("docker_compose", Dependabot::Docker::Version)
+Dependabot::UpdateCheckers.register("docker_compose", Dependabot::Docker::UpdateChecker)
+Dependabot::Utils.register_requirement_class("docker_compose", Dependabot::Docker::Requirement)
+Dependabot::MetadataFinders.register("docker_compose", Dependabot::Docker::MetadataFinder)
 
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker_compose
 version: !ruby/object:Gem::Version
-  version: 0.298.0
+  version: 0.299.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-20 00:00:00.000000000 Z
+date: 2025-02-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.298.0
+        version: 0.299.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.298.0
+        version: 0.299.0
+- !ruby/object:Gem::Dependency
+  name: dependabot-docker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.299.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.299.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -246,23 +260,13 @@ files:
 - lib/dependabot/docker_compose/file_fetcher.rb
 - lib/dependabot/docker_compose/file_parser.rb
 - lib/dependabot/docker_compose/file_updater.rb
-- lib/dependabot/docker_compose/metadata_finder.rb
 - lib/dependabot/docker_compose/package_manager.rb
-- lib/dependabot/docker_compose/requirement.rb
-- lib/dependabot/docker_compose/tag.rb
-- lib/dependabot/docker_compose/update_checker.rb
-- lib/dependabot/docker_compose/version.rb
-- lib/dependabot/shared/shared_file_fetcher.rb
-- lib/dependabot/shared/shared_file_parser.rb
-- lib/dependabot/shared/shared_file_updater.rb
-- lib/dependabot/shared/utils/credentials_finder.rb
-- lib/dependabot/shared/utils/helpers.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.298.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.299.0
 post_install_message:
 rdoc_options: []
 require_paths:

data/lib/dependabot/docker_compose/metadata_finder.rb

@@ -1,39 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "dependabot/metadata_finders"
-require "dependabot/metadata_finders/base"
-require "dependabot/shared_helpers"
-require "sorbet-runtime"
-
-module Dependabot
-  module DockerCompose
-    class MetadataFinder < Dependabot::MetadataFinders::Base
-      extend T::Sig
-
-      private
-
-      sig { override.returns(T.nilable(Dependabot::Source)) }
-      def look_up_source
-        return if dependency.requirements.empty?
-
-        new_source = dependency.requirements.first&.fetch(:source)
-        return unless new_source && new_source[:registry] && new_source[:tag]
-
-        image_ref = "#{new_source[:registry]}/#{dependency.name}:#{new_source[:tag]}"
-        image_details_output = SharedHelpers.run_shell_command("regctl image inspect #{image_ref}")
-        image_details = JSON.parse(image_details_output)
-        image_source = image_details.dig("config", "Labels", "org.opencontainers.image.source")
-        return unless image_source
-
-        Dependabot::Source.from_url(image_source)
-      rescue StandardError => e
-        Dependabot.logger.warn("Error looking up Docker Compose source: #{e.message}")
-        nil
-      end
-    end
-  end
-end
-
-Dependabot::MetadataFinders
-  .register("docker_compose", Dependabot::DockerCompose::MetadataFinder)

data/lib/dependabot/docker_compose/requirement.rb

@@ -1,43 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "sorbet-runtime"
-
-require "dependabot/requirement"
-require "dependabot/utils"
-
-module Dependabot
-  module DockerCompose
-    # Lifted from the bundler package manager
-    class Requirement < Dependabot::Requirement
-      extend T::Sig
-
-      # For consistency with other languages, we define a requirements array.
-      # Ruby doesn't have an `OR` separator for requirements, so it always
-      # contains a single element.
-      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
-      def self.requirements_array(requirement_string)
-        [new(T.must(requirement_string))]
-      end
-
-      sig { override.params(version: Version).returns(T::Boolean) }
-      def satisfied_by?(version)
-        super(version.release_part)
-      end
-
-      # Patches Gem::Requirement to make it accept requirement strings like
-      # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
-      sig { params(requirements: T.any(T.nilable(String), T::Array[T.nilable(String)])).void }
-      def initialize(*requirements)
-        requirements = requirements.flatten.flat_map do |req_string|
-          req_string.to_s.split(",").map(&:strip)
-        end
-
-        super(requirements)
-      end
-    end
-  end
-end
-
-Dependabot::Utils
-  .register_requirement_class("docker_compose", Dependabot::DockerCompose::Requirement)

data/lib/dependabot/docker_compose/tag.rb

@@ -1,144 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-
-require "sorbet-runtime"
-
-module Dependabot
-  module DockerCompose
-    class Tag
-      extend T::Sig
-      WORDS_WITH_BUILD = /(?:(?:-[a-z]+)+-[0-9]+)+/
-      VERSION_REGEX = /v?(?<version>[0-9]+(?:[_.][0-9]+)*(?:\.[a-z0-9]+|#{WORDS_WITH_BUILD}|-(?:kb)?[0-9]+)*)/i
-      VERSION_WITH_SFX = /^#{VERSION_REGEX}(?<suffix>-[a-z][a-z0-9.\-]*)?$/i
-      VERSION_WITH_PFX = /^(?<prefix>[a-z][a-z0-9.\-_]*-)?#{VERSION_REGEX}$/i
-      VERSION_WITH_PFX_AND_SFX = /^(?<prefix>[a-z\-_]+-)?#{VERSION_REGEX}(?<suffix>-[a-z\-]+)?$/i
-      NAME_WITH_VERSION =
-        /
-          #{VERSION_WITH_PFX}|
-          #{VERSION_WITH_SFX}|
-          #{VERSION_WITH_PFX_AND_SFX}
-      /x
-      DIGEST = /@(?<digest>[^\s]+)/
-
-      sig { returns(String) }
-      attr_reader :name
-
-      sig { params(name: String).void }
-      def initialize(name)
-        @name = name
-      end
-
-      sig { returns(String) }
-      def to_s
-        name
-      end
-
-      sig { returns(T::Boolean) }
-      def digest?
-        name.match?(DIGEST)
-      end
-
-      sig { returns(T.nilable(T::Boolean)) }
-      def looks_like_prerelease?
-        numeric_version&.match?(/[a-zA-Z]/)
-      end
-
-      sig { params(other: Tag).returns(T::Boolean) }
-      def comparable_to?(other)
-        return false unless comparable?
-
-        other_prefix = other.prefix
-        other_suffix = other.suffix
-        other_format = other.format
-
-        equal_prefix = prefix == other_prefix
-        equal_format = format == other_format
-        return equal_prefix && equal_format if other_format == :sha_suffixed
-
-        equal_suffix = suffix == other_suffix
-        equal_prefix && equal_format && equal_suffix
-      end
-
-      sig { returns(T::Boolean) }
-      def comparable?
-        name.match?(NAME_WITH_VERSION)
-      end
-
-      sig { params(other: Tag).returns(T::Boolean) }
-      def same_precision?(other)
-        other.precision == precision
-      end
-
-      sig { params(other: Tag).returns(T::Boolean) }
-      def same_but_less_precise?(other)
-        other.segments.zip(segments).all? do |segment, other_segment|
-          segment == other_segment || other_segment.nil?
-        end
-      end
-
-      sig { returns(T.nilable(T::Boolean)) }
-      def canonical?
-        return false unless numeric_version
-        return true if name == numeric_version
-
-        # .NET tags are suffixed with -sdk
-        return true if numeric_version && name == numeric_version.to_s + "-sdk"
-
-        numeric_version && name == "jdk-" + T.must(numeric_version)
-      end
-
-      sig { returns T.nilable(String) }
-      def prefix
-        name.match(NAME_WITH_VERSION)&.named_captures&.fetch("prefix")
-      end
-
-      sig { returns T.nilable(String) }
-      def suffix
-        name.match(NAME_WITH_VERSION)&.named_captures&.fetch("suffix")
-      end
-
-      sig { returns T.nilable(String) }
-      def version
-        name.match(NAME_WITH_VERSION)&.named_captures&.fetch("version")
-      end
-
-      sig { returns(Symbol) }
-      def format
-        return :sha_suffixed if name.match?(/(^|\-g?)[0-9a-f]{7,}$/)
-        return :year_month if version&.match?(/^[12]\d{3}(?:[.\-]|$)/)
-        return :year_month_day if version&.match?(/^[12](?:\d{5}|\d{7})(?:[.\-]|$)/)
-        return :build_num if version&.match?(/^\d+$/)
-
-        # As an example, "21-ea-32", "22-ea-7", and "22-ea-jdk-nanoserver-1809"
-        # are mapped to "<version>-ea-<build_num>", "<version>-ea-<build_num>",
-        # and "<version>-ea-jdk-nanoserver-<build_num>" respectively.
-        #
-        # That means only "22-ea-7" will be considered as a viable update
-        # candidate for "21-ea-32", since it's the only one that respects that
-        # format.
-        if version&.match?(WORDS_WITH_BUILD)
-          return :"<version>#{T.must(version).match(WORDS_WITH_BUILD).to_s.gsub(/-[0-9]+/, '-<build_num>')}"
-        end
-
-        :normal
-      end
-
-      sig { returns(T.nilable(String)) }
-      def numeric_version
-        return unless comparable?
-
-        version&.gsub(/kb/i, "")&.gsub(/-[a-z]+/, "")&.downcase
-      end
-
-      sig { returns(Integer) }
-      def precision
-        segments.length
-      end
-
-      sig { returns(T::Array[String]) }
-      def segments
-        T.must(numeric_version).split(/[.-]/)
-      end
-    end
-  end
-end