Merge pull request #6115 from dependabot/deivid-rodriguez/docker-vers…

…ion-update-ignores Support `version-update:ignore-{patch,minor,major}` in docker ecosystem
dependabot · Feb 8, 2023 · 7d0ff2b · 7d0ff2b
2 parents 4f79b92 + abd11c4
commit 7d0ff2b
Show file tree

Hide file tree

Showing 34 changed files with 147 additions and 76 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ on:
     paths-ignore:
       - '*/spec/fixtures/**'
       - 'CHANGELOG.md'
-      - 'common/lib/dependabot/version.rb'
+      - 'common/lib/dependabot.rb'
   schedule:
     - cron: '41 4 * * 3'
 

diff --git a/.github/workflows/images-latest.yml b/.github/workflows/images-latest.yml
@@ -8,7 +8,7 @@ on:
       - main
     paths-ignore:
       - "CHANGELOG.md"
-      - "common/lib/dependabot/version.rb"
+      - "common/lib/dependabot.rb"
 
 jobs:
   date-version:

diff --git a/.github/workflows/images-updater-core.yml b/.github/workflows/images-updater-core.yml
@@ -29,6 +29,6 @@ jobs:
       - name: Push tagged image
         if: contains(github.ref, 'refs/tags')
         run: |
-          VERSION="$(grep -Eo "[0-9]+\.[0-9]+\.[0-9]+" common/lib/dependabot/version.rb)"
+          VERSION="$(grep -Eo "[0-9]+\.[0-9]+\.[0-9]+" common/lib/dependabot.rb)"
           docker tag "$UPDATER_CORE_IMAGE:latest" "$UPDATER_CORE_IMAGE:$VERSION"
           docker push "$UPDATER_CORE_IMAGE:$VERSION"
diff --git a/Dockerfile.development b/Dockerfile.development
@@ -22,7 +22,7 @@ ARG HOME=/home/dependabot
 ARG CODE_DIR=${HOME}/dependabot-core
 
 COPY --chown=dependabot:dependabot common/Gemfile common/dependabot-common.gemspec ${CODE_DIR}/common/
-COPY --chown=dependabot:dependabot common/lib/dependabot/version.rb ${CODE_DIR}/common/lib/dependabot/
+COPY --chown=dependabot:dependabot common/lib/dependabot.rb ${CODE_DIR}/common/lib/
 COPY --chown=dependabot:dependabot omnibus/Gemfile omnibus/dependabot-omnibus.gemspec ${CODE_DIR}/omnibus/
 
 COPY --chown=dependabot:dependabot bundler/Gemfile bundler/dependabot-bundler.gemspec ${CODE_DIR}/bundler/

diff --git a/Rakefile b/Rakefile
@@ -7,7 +7,7 @@ require "uri"
 require "json"
 require "rubygems/package"
 require "bundler"
-require "./common/lib/dependabot/version"
+require "./common/lib/dependabot"
 require "yaml"
 
 GEMSPECS = %w(

diff --git a/bin/bump-version.rb b/bin/bump-version.rb
@@ -53,8 +53,7 @@ def proposed_changes(version, _new_version)
 end
 
 # Update version file
-version_path = File.join(__dir__, "..", "common", "lib", "dependabot",
-                         "version.rb")
+version_path = File.join(__dir__, "..", "common", "lib", "dependabot.rb")
 version_contents = File.read(version_path)
 
 version = version_contents.scan(/\d+.\d+.\d+/).first
@@ -74,7 +73,7 @@ def proposed_changes(version, _new_version)
   puts new_version_contents
 else
   File.write(version_path, new_version_contents)
-  puts "☑️  common/lib/dependabot/version.rb updated"
+  puts "☑️  common/lib/dependabot.rb updated"
 
 end
 
@@ -101,7 +100,7 @@ def proposed_changes(version, _new_version)
   puts "commit, tag, and push the release:"
   puts
   puts "git checkout -b v#{new_version}-release-notes"
-  puts "git add CHANGELOG.md common/lib/dependabot/version.rb"
+  puts "git add CHANGELOG.md common/lib/dependabot.rb"
   puts "git commit -m 'v#{new_version}'"
   puts "git push origin HEAD:v#{new_version}-release-notes"
   puts "# ... create PR, verify, merge, for example:"

diff --git a/bundler/lib/dependabot/bundler/version.rb b/bundler/lib/dependabot/bundler/version.rb
@@ -1,10 +1,11 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
 
 module Dependabot
   module Bundler
-    class Version < Gem::Version
+    class Version < Dependabot::Version
     end
   end
 end

diff --git a/cargo/lib/dependabot/cargo/version.rb b/cargo/lib/dependabot/cargo/version.rb
@@ -1,15 +1,15 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # Rust pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
 # converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
 # alteration.
 
 module Dependabot
   module Cargo
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' \
                         '(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
                         '(\+[0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*)?'

diff --git a/common/dependabot-common.gemspec b/common/dependabot-common.gemspec
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "./lib/dependabot/version"
+require "./lib/dependabot"
 
 Gem::Specification.new do |spec|
   spec.name         = "dependabot-common"

diff --git a/common/lib/dependabot.rb b/common/lib/dependabot.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
+  VERSION = "0.215.0"
 end
diff --git a/common/lib/dependabot/config/ignore_condition.rb b/common/lib/dependabot/config/ignore_condition.rb
@@ -32,25 +32,26 @@ def transformed_update_types
       end
 
       def versions_by_type(dependency)
-        return [] unless dependency.version
+        version = correct_version_for(dependency)
+        return [] unless version
+
+        semver = version.to_semver
 
         transformed_update_types.flat_map do |t|
           case t
           when PATCH_VERSION_TYPE
-            ignore_patch(dependency.version)
+            ignore_patch(semver)
           when MINOR_VERSION_TYPE
-            ignore_minor(dependency.version)
+            ignore_minor(semver)
           when MAJOR_VERSION_TYPE
-            ignore_major(dependency.version)
+            ignore_major(semver)
           else
             []
           end
         end.compact
       end
 
       def ignore_patch(version)
-        return [] unless rubygems_compatible?(version)
-
         parts = version.split(".")
         version_parts = parts.fill(0, parts.length...2)
         upper_parts = version_parts.first(1) + [version_parts[1].to_i + 1]
@@ -61,8 +62,6 @@ def ignore_patch(version)
       end
 
       def ignore_minor(version)
-        return [] unless rubygems_compatible?(version)
-
         parts = version.split(".")
         version_parts = parts.fill(0, parts.length...2)
         lower_parts = version_parts.first(1) + [version_parts[1].to_i + 1] + ["a"]
@@ -74,19 +73,27 @@ def ignore_minor(version)
       end
 
       def ignore_major(version)
-        return [] unless rubygems_compatible?(version)
-
         version_parts = version.split(".")
         lower_parts = [version_parts[0].to_i + 1] + ["a"]
         lower_bound = ">= #{lower_parts.join('.')}"
 
         [lower_bound]
       end
 
-      def rubygems_compatible?(version)
-        return false if version.nil? || version.empty?
+      def correct_version_for(dependency)
+        version = dependency.version
+        return if version.nil? || version.empty?
+
+        version_class = version_class_for(dependency.package_manager)
+        return unless version_class.correct?(version)
+
+        version_class.new(version)
+      end
 
-        Gem::Version.correct?(version)
+      def version_class_for(package_manager)
+        Utils.version_class_for_package_manager(package_manager)
+      rescue StandardError
+        Dependabot::Version
       end
     end
   end

diff --git a/common/lib/dependabot/dependency.rb b/common/lib/dependabot/dependency.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "rubygems_version_patch"
+require "dependabot/version"
 
 module Dependabot
   class Dependency

diff --git a/common/lib/dependabot/security_advisory.rb b/common/lib/dependabot/security_advisory.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "rubygems_version_patch"
+require "dependabot/version"
 
 module Dependabot
   class SecurityAdvisory

diff --git a/common/lib/dependabot/shared_helpers.rb b/common/lib/dependabot/shared_helpers.rb
@@ -12,7 +12,7 @@
 
 require "dependabot/utils"
 require "dependabot/errors"
-require "dependabot/version"
+require "dependabot"
 
 module Dependabot
   module SharedHelpers

diff --git a/common/lib/dependabot/version.rb b/common/lib/dependabot/version.rb
@@ -1,5 +1,22 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.215.0"
+  class Version < Gem::Version
+    def initialize(version)
+      @original_version = version
+
+      super
+    end
+
+    # Opt-in to Rubygems 4 behavior
+    def self.correct?(version)
+      return false if version.nil?
+
+      version.to_s.match?(ANCHORED_VERSION_PATTERN)
+    end
+
+    def to_semver
+      @original_version
+    end
+  end
 end
diff --git a/common/lib/rubygems_version_patch.rb b/common/lib/rubygems_version_patch.rb
diff --git a/common/spec/dependabot/config/ignore_condition_spec.rb b/common/spec/dependabot/config/ignore_condition_spec.rb
@@ -9,14 +9,15 @@
   let(:dependency_version) { "1.2.3" }
   let(:ignore_condition) { described_class.new(dependency_name: dependency_name) }
   let(:security_updates_only) { false }
+  let(:package_manager) { "dummy" }
 
   describe "#ignored_versions" do
     subject(:ignored_versions) { ignore_condition.ignored_versions(dependency, security_updates_only) }
     let(:dependency) do
       Dependabot::Dependency.new(
         name: dependency_name,
         requirements: [],
-        package_manager: "npm_and_yarn",
+        package_manager: package_manager,
         version: dependency_version
       )
     end
@@ -25,7 +26,7 @@
     def expect_allowed(versions)
       reqs = ignored_versions.map { |v| Gem::Requirement.new(v.split(",").map(&:strip)) }
       versions.each do |v|
-        version = Gem::Version.new(v)
+        version = Dependabot::Utils.version_class_for_package_manager(package_manager).new(v)
         ignored = reqs.any? { |req| req.satisfied_by?(version) }
         expect(ignored).to eq(false), "Expected #{v} to be allowed, but was ignored"
       end
@@ -34,7 +35,7 @@ def expect_allowed(versions)
     def expect_ignored(versions)
       reqs = ignored_versions.map { |v| Gem::Requirement.new(v.split(",").map(&:strip)) }
       versions.each do |v|
-        version = Gem::Version.new(v)
+        version = Dependabot::Version.new(v)
         ignored = reqs.any? { |req| req.satisfied_by?(version) }
         expect(ignored).to eq(true), "Expected #{v} to be ignored, but was allowed"
       end
@@ -287,6 +288,24 @@ def expect_ignored(versions)
         end
       end
 
+      context "with a semver dependency, but according to another package manager" do
+        let(:dependency_version) { "v11.0.14" }
+
+        context "with ignore_major_versions" do
+          let(:update_types) { ["version-update:semver-major"] }
+
+          it "ignores expected versions" do
+            expect_allowed(["11"])
+            expect_ignored(["17"])
+            expect_allowed([dependency_version])
+          end
+
+          it "returns the expected range" do
+            expect(ignored_versions).to eq([">= 12.a"])
+          end
+        end
+      end
+
       context "when the dependency version isn't known" do
         let(:dependency_version) { nil }
 

diff --git a/common/spec/dependabot/config/update_config_spec.rb b/common/spec/dependabot/config/update_config_spec.rb
@@ -13,7 +13,7 @@
         name: "@types/node",
         requirements: [],
         version: "12.12.6",
-        package_manager: "npm_and_yarn"
+        package_manager: "dummy"
       )
     end
     let(:ignore_conditions) { [] }

diff --git a/common/spec/dummy_package_manager/version.rb b/common/spec/dummy_package_manager/version.rb
@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
 
 module DummyPackageManager
-  class Version < Gem::Version
+  class Version < Dependabot::Version
     def initialize(version)
       version = Version.remove_leading_v(version)
       super
@@ -19,6 +20,10 @@ def self.correct?(version)
       version = Version.remove_leading_v(version)
       super
     end
+
+    def to_semver
+      @original_version
+    end
   end
 end
 

diff --git a/composer/lib/dependabot/composer/version.rb b/composer/lib/dependabot/composer/version.rb
@@ -1,15 +1,15 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # PHP pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
 # converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
 # alteration.
 
 module Dependabot
   module Composer
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       def initialize(version)
         @version_string = version.to_s
         super

diff --git a/docker/lib/dependabot/docker/version.rb b/docker/lib/dependabot/docker/version.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
 
 module Dependabot
@@ -9,13 +10,21 @@ module Docker
     # See https://www.oracle.com/java/technologies/javase/versioning-naming.html
     # for a description of Java versions.
     #
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       def initialize(version)
         release_part, update_part = version.split("_", 2)
 
-        @release_part = Gem::Version.new(release_part.tr("-", "."))
+        @release_part = Dependabot::Version.new(release_part.tr("-", "."))
 
-        @update_part = Gem::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
+        @update_part = Dependabot::Version.new(update_part&.start_with?(/[0-9]/) ? update_part : 0)
+      end
+
+      def self.correct?(version)
+        super(new(version).to_semver)
+      end
+
+      def to_semver
+        @release_part.to_semver
       end
 
       attr_reader :release_part