dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Correctly handle multiple tags for same terraform module version #4616

Open gavinclarkeuk opened 2 years ago

gavinclarkeuk commented 2 years ago

Dependabot is raising unnecessary PRs for private github terraform modules which are tagged using multiple tags to pin at major/minor or patch versions (e.g. v2, v2.2, v2.2.0). A module dependency on v2 is causing a PR to be raised to change the dependency to v2.2, despite both tags pointing at the same version.

Package ecosystem terraform

dependabot.yml content

```yaml
version: 2
updates:
  - package-ecosystem: "terraform" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
```

Updated dependency

Dependency was for an internal terraform module stored in a private github repo. The module is tagged with 3 tags for pinning at different levels - e.g. v2, v2.2, v2.2.0

The project being scanned had a dependency on v2 of the module.

What you expected to see, versus what you actually saw

Saw a PR raised to update the version from v2 to v2.2. Given the v2, v2.2, v2.2.0 tags all point to the same version, I would expect no PR to be raised.

🕹 Bonus points: Smallest manifest that reproduces the issue

example.tf

```hcl
module "example_module" {
  source = "git@github.com:my-org/my-module/?ref=v2"
}
```

jeffwidman commented 1 year ago

We do consider this a bug, we should retain the specificity of the tag.

We fixed something similar for GitHub actions a few months ago:

I don't know when we'll get to this, but the great thing is this library is open source so if it's affecting you feel free to use the above examples to create a similar PR for Terraform.

deivid-rodriguez commented 1 year ago

Yeah, those PRs implemented that actual git checking logic to be able to do this, so adding the same fix to terraform should be pretty easy now. From a first look, I think it may be enough to change

https://github.com/dependabot/dependabot-core/blob/4663b2c1d8d60bf9e23e95efa6002ae0c7f791f6/terraform/lib/dependabot/terraform/update_checker.rb#L124

to

```ruby
latest_tag = git_commit_checker.local_ref_for_latest_version_matching_existing_precision&.
```

You're welcome to experiment with this solution. Ideally you'd have a public repo available with this kind of versioning so that you can capture some responses and use them for the specs.
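The precision-matching behaviour discussed in this thread, as a stand-alone added illustration (this is not dependabot-core code and does not use its `git_commit_checker` API): the current pin's precision is measured by counting its numeric components, only tags with that same precision are considered, and an update is proposed only when the winning tag points at a different commit than the current pin. The `SAMPLE_TAGS` map, the helper names and the commit ids are constructed for the example.

```ruby
# Added example (not dependabot-core code): choose the newest tag with the same
# precision as the currently pinned ref, and report no update when that tag
# resolves to the same commit as the current pin.

# Constructed sample: tag -> commit id, mimicking a module repo that tags each
# release at major, minor and patch precision (v2, v2.2, v2.2.0 share a commit).
SAMPLE_TAGS = {
  "v1"     => "aaa111",
  "v1.9"   => "aaa111",
  "v1.9.4" => "aaa111",
  "v2.1"   => "ccc333",
  "v2.1.0" => "ccc333",
  "v2"     => "bbb222",
  "v2.2"   => "bbb222",
  "v2.2.0" => "bbb222",
  "main"   => "eee555", # non-version ref, must be ignored by the matchers
}.freeze

VERSION_TAG = /\A(v?)(\d+(?:\.\d+)*)\z/

# Precision = number of numeric components ("v2" -> 1, "v2.2" -> 2, "v2.2.0" -> 3).
# Returns nil for refs that are not version tags (branch names, etc.).
def tag_precision(tag)
  m = VERSION_TAG.match(tag)
  return nil unless m
  m[2].split(".").length
end

# Numeric components for ordering; caller guarantees the tag matched VERSION_TAG.
def tag_segments(tag)
  VERSION_TAG.match(tag)[2].split(".").map(&:to_i)
end

# Newest tag whose precision equals that of current_ref, or nil if none.
def latest_tag_matching_precision(current_ref, tags)
  precision = tag_precision(current_ref)
  return nil if precision.nil?
  tags.keys
      .select { |t| tag_precision(t) == precision }
      .max_by { |t| tag_segments(t) }
end

# Tag to update to, or nil when no PR is warranted.
def proposed_update(current_ref, tags)
  latest = latest_tag_matching_precision(current_ref, tags)
  return nil if latest.nil? || latest == current_ref
  return nil if tags[latest] == tags[current_ref] # same commit, nothing to change
  latest
end

# Contrast: pick the highest version tag regardless of precision. This is the
# kind of selection that yields "v2 -> v2.2.x" noise even when the commits match.
def naive_update(current_ref, tags)
  latest = tags.keys
               .select { |t| tag_precision(t) }
               .max_by { |t| tag_segments(t) }
  latest == current_ref ? nil : latest
end

if __FILE__ == $PROGRAM_NAME
  %w[v1 v2 v2.1 v2.2.0].each do |pin|
    puts "#{pin}: precision-aware=#{proposed_update(pin, SAMPLE_TAGS).inspect} " \
         "naive=#{naive_update(pin, SAMPLE_TAGS).inspect}"
  end
end
```

With the sample above, a pin on `v2` yields no update from the precision-aware check (its only same-precision candidate is itself), a pin on `v2.1` is moved to `v2.2`, and a pin on `v1` is moved to `v2`; the naive selector instead proposes `v2.2.0` for the `v2` pin, which is the spurious PR the issue describes.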