dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot is going to replace the apache docker image tag with the nginx tag #8648

Open m1g0r opened 10 months ago

m1g0r commented 10 months ago

Is there an existing issue for this?

Package ecosystem

Docker

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
registries:
  dockerhub:
    type: docker-registry
    url: registry.hub.docker.com
    username: ${{secrets.DOCKERHUB_USER}}
    password: ${{secrets.DOCKERHUB_PASSWORD}}
updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    registries:
      - dockerhub
    # ignore:
    #   # For all images, ignore all major updates
    #   - dependency-name: "modsecurity-crs"
    #     update-types: ["version-update:semver-major", "version-update:semver-minor"]

Updated dependency

No response

What you expected to see, versus what you actually saw

Current Dockerfile is:

FROM owasp/modsecurity-crs:3.3-apache-202209221209

Dependabot created a PR to bump owasp/modsecurity-crs from 3.3-apache-202209221209 to 3-nginx-alpine-202312070812. <= this is a test repo

I expect that owasp/modsecurity-crs:3.3-apache-202209221209 will change to owasp/modsecurity-crs:3.3-apache-202312070812, but not to owasp/modsecurity-crs:3-nginx-alpine-202312070812.

According to this comment in the code it should work correctly, or am I missing something :thinking_face: ?

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Dependabot Update logs:

  proxy | 2023/12/19 14:09:29 proxy starting, commit: 02a8910b917eff32ef3fe812e35a131d6286bc20
  proxy | 2023/12/19 14:09:29 Listening (:1080)
updater | 2023-12-19T14:09:30.098242291 [764170586:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-12-19T14:09:32Z" level=info msg="guest starting" commit=eb5aa56302357f07a0e790713fa099f11a1af831
updater | time="2023-12-19T14:09:32Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=764170586 updater_timeout=45m0s updater_version=afb86de4cd8a6fd7fa479871b0cc5d11404a67d7-docker
updater | 2023/12/19 14:09:33 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/19 14:09:35 INFO <job_764170586> Starting job processing
  proxy | 2023/12/19 14:09:35 [002] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore
  proxy | 2023/12/19 14:09:35 [002] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [002] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore
  proxy | 2023/12/19 14:09:36 [004] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/git/refs/heads/main
  proxy | 2023/12/19 14:09:36 [004] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [004] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/git/refs/heads/main
  proxy | 2023/12/19 14:09:36 [006] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
  proxy | 2023/12/19 14:09:36 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [006] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
  proxy | 2023/12/19 14:09:36 [008] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/Dockerfile?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
  proxy | 2023/12/19 14:09:36 [008] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [008] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/Dockerfile?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
updater | 2023/12/19 14:09:36 INFO <job_764170586> Finished job processing
updater | time="2023-12-19T14:09:36Z" level=info msg="task complete" container_id=job-764170586-file-fetcher exit_code=0 job_id=764170586 step=fetcher
updater | 2023/12/19 14:09:37 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/19 14:09:38 INFO <job_764170586> Starting job processing
updater | 2023/12/19 14:09:39 INFO <job_764170586> Starting update job for m1g0r/dependabot-test-ignore
updater | 2023/12/19 14:09:39 INFO <job_764170586> Checking all dependencies for version updates...
updater | 2023/12/19 14:09:39 INFO <job_764170586> Checking if owasp/modsecurity-crs 3.3-apache-202209221209 needs updating
  proxy | 2023/12/19 14:09:39 [014] GET https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/tags/list
  proxy | 2023/12/19 14:09:39 [014] * authenticating docker registry request (host: registry.hub.docker.com)
  proxy | 2023/12/19 14:09:39 [014] 200 https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/tags/list
  proxy | 2023/12/19 14:09:39 [018] HEAD https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3.3-apache-202312070812
  proxy | 2023/12/19 14:09:39 [018] * authenticating docker registry request (host: registry.hub.docker.com)
  proxy | 2023/12/19 14:09:39 [018] 200 https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3.3-apache-202312070812
  proxy | 2023/12/19 14:09:39 [020] HEAD https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3-nginx-alpine-202312070812
  proxy | 2023/12/19 14:09:39 [020] * authenticating docker registry request (host: registry.hub.docker.com)
  proxy | 2023/12/19 14:09:40 [020] 200 https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3-nginx-alpine-202312070812
updater | 2023/12/19 14:09:40 INFO <job_764170586> Latest version is 3-nginx-alpine-202312070812
updater | 2023/12/19 14:09:40 INFO <job_764170586> Pull request already exists for owasp/modsecurity-crs with latest version 3-nginx-alpine-202312070812
updater | 2023/12/19 14:09:40 INFO <job_764170586> Finished job processing
updater | time="2023-12-19T14:09:40Z" level=info msg="task complete" container_id=job-764170586-updater exit_code=0 job_id=764170586 step=updater

In the Dependabot logs I see that the new correct tag owasp/modsecurity-crs:3.3-apache-202312070812 was found, but I don't understand why it is not chosen.

Smallest manifest that reproduces the issue

Current Dockerfile is:

FROM owasp/modsecurity-crs:3.3-apache-202209221209

m1g0r commented 10 months ago

Seems like the regexes don't find a prefix or a suffix. They see the whole string as a version:

irb(main):046:0> version = "3.3-apache-202211030712"
=> "3.3-apache-202211030712"
irb(main):047:0> e.match(VERSION_WITH_PFX)
=> #<MatchData "3.3-apache-202211030712" prefix:nil version:"3.3-apache-202211030712">
irb(main):048:0> e.match(VERSION_WITH_SFX)
=> #<MatchData "3.3-apache-202211030712" version:"3.3-apache-202211030712" suffix:nil>
irb(main):049:0> e.match(VERSION_WITH_PFX_AND_SFX)
=> #<MatchData "3.3-apache-202211030712" prefix:nil version:"3.3-apache-202211030712" suffix:nil>
irb(main):050:0> :"<version>#{version.match(WORDS_WITH_BUILD).to_s.gsub(/-[0-9]+/, '-<build_num>')}"
=> :"<version>-apache-<build_num>"
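The check the issue argues for, as an added Ruby example that is not dependabot-core's own code and does not use its `VERSION_WITH_PFX`/`VERSION_WITH_SFX` regexes: a tag is split into a numeric version and the surrounding variant text (prefix, suffix with the trailing build/date stamp normalised), and only tags with the same variant are treated as update candidates. The tag layout `[prefix-]<version>[-suffix]`, the regex, the function names (`split_tag`, `eligible_updates`, `latest_update`) and the `SAMPLE_TAGS` list are all assumptions constructed for this example; the sample list mixes the tags quoted in this issue with a few invented ones to show which candidates are filtered out.

```ruby
# Added example (not dependabot-core's code): keep a pinned Docker image on
# the same variant when looking for newer tags, so "3.3-apache-<stamp>" can
# move to another "3.3-apache-<stamp>" but never to "3-nginx-alpine-<stamp>".
require "rubygems" # Gem::Version is used for the dotted-version comparison

# Assumed tag layout: [prefix-]<version>[-suffix], where <version> is the
# first dotted run of digits, e.g. "3.3-apache-202209221209" (this is an
# assumption for the example, not Dependabot's own definition).
VERSION_RE = /\A(?:(?<prefix>[a-z][a-z0-9]*(?:[-.][a-z][a-z0-9]*)*)-)?(?<version>\d+(?:\.\d+)*)(?:-(?<suffix>.+))?\z/i

# A trailing all-digit segment of the suffix is a build/date stamp that may
# legitimately change between updates; it is normalised before comparison.
BUILD_NUM_RE = /(\A|-)\d+\z/

# Returns { prefix:, version:, suffix:, variant: } or nil for tags that carry
# no numeric version at all (e.g. "latest").
def split_tag(tag)
  m = VERSION_RE.match(tag)
  return nil unless m
  suffix = m[:suffix]
  normalised_suffix = suffix && suffix.sub(BUILD_NUM_RE, '\1<build_num>')
  {
    prefix: m[:prefix],
    version: m[:version],
    suffix: suffix,
    # variant = everything that must stay identical across an update
    variant: [m[:prefix], normalised_suffix],
  }
end

# Numeric build/date stamp at the end of the suffix, or nil if there is none.
def build_number(parts)
  return nil if parts[:suffix].nil?
  digits = parts[:suffix][/(?:\A|-)(\d+)\z/, 1]
  digits && digits.to_i
end

# True when candidate is a newer version, or the same version with a newer
# build stamp, than current. Both arguments are split_tag results.
def newer?(current, candidate)
  cv = Gem::Version.new(current[:version])
  nv = Gem::Version.new(candidate[:version])
  return nv > cv if nv != cv
  cb = build_number(current)
  nb = build_number(candidate)
  !cb.nil? && !nb.nil? && nb > cb
end

def sort_key(parts)
  [Gem::Version.new(parts[:version]), build_number(parts) || 0]
end

# All tags that are valid update candidates for current_tag, oldest first:
# same variant (prefix and normalised suffix) and strictly newer. Tags of a
# different variant are never returned, whatever their version.
def eligible_updates(current_tag, tags)
  current = split_tag(current_tag)
  return [] unless current
  tags.select do |t|
    parts = split_tag(t)
    parts && parts[:variant] == current[:variant] && newer?(current, parts)
  end.sort_by { |t| sort_key(split_tag(t)) }
end

# The single tag an updater should propose, or nil when nothing newer exists.
def latest_update(current_tag, tags)
  eligible_updates(current_tag, tags).last
end

# Constructed sample registry listing: the tags quoted in this issue plus a
# few invented ones (3.3-nginx-..., 3-apache-...) to exercise the filter.
SAMPLE_TAGS = %w[
  latest
  3.3-apache-202209221209
  3.3-apache-202211030712
  3.3-apache-202312070812
  3.3-nginx-202312070812
  3-nginx-alpine-202312070812
  3-apache-202312070812
].freeze

if __FILE__ == $PROGRAM_NAME
  current = "3.3-apache-202209221209"
  puts "candidates: #{eligible_updates(current, SAMPLE_TAGS).inspect}"
  puts "proposed:   #{latest_update(current, SAMPLE_TAGS).inspect}"
end
```

With the sample list, the only candidates for `3.3-apache-202209221209` are the two later `3.3-apache-*` stamps, so the proposal is `3.3-apache-202312070812`; `3-nginx-alpine-202312070812` is excluded because its normalised suffix differs, and `3-apache-202312070812` because version 3 is older than 3.3. The same variant check is a useful gate in any image-pinning automation: a bot that is allowed to change the variant can silently move a service onto a different web server or base image, which is exactly the drift a pinned tag is meant to prevent.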