Dependabot will going to replace apache docker image tag to nginx tag

[m1g0r]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem

Docker

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

version: 2
registries:
  dockerhub:
    type: docker-registry
    url: registry.hub.docker.com
    username: ${{secrets.DOCKERHUB_USER}}
    password: ${{secrets.DOCKERHUB_PASSWORD}}
updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
    registries:
      - dockerhub
    # ignore:
    #   # For all images, ignore all major updates
    #   - dependency-name: "modsecurity-crs"
    #     update-types: ["version-update:semver-major", "version-update:semver-minor"]

Updated dependency

No response

What you expected to see, versus what you actually saw

Current Dockerfile is:

FROM owasp/modsecurity-crs:3.3-apache-202209221209

dependabot created PR to Bumps owasp/modsecurity-crs from 3.3-apache-202209221209 to 3-nginx-alpine-202312070812. <= this is a test repo

I expect that owasp/modsecurity-crs:3.3-apache-202209221209 will change to owasp/modsecurity-crs:3.3-apache-202312070812 but not to owasp/modsecurity-crs:3-nginx-alpine-202312070812

according to this comment in the code it should work correctly, or I miss something :thinking_face: ?

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Dependabot Update logs:

  proxy | 2023/12/19 14:09:29 proxy starting, commit: 02a8910b917eff32ef3fe812e35a131d6286bc20
  proxy | 2023/12/19 14:09:29 Listening (:1080)
updater | 2023-12-19T14:09:30.098242291 [764170586:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-12-19T14:09:32Z" level=info msg="guest starting" commit=eb5aa56302357f07a0e790713fa099f11a1af831
updater | time="2023-12-19T14:09:32Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=764170586 updater_timeout=45m0s updater_version=afb86de4cd8a6fd7fa479871b0cc5d11404a67d7-docker
updater | 2023/12/19 14:09:33 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/19 14:09:35 INFO <job_764170586> Starting job processing
  proxy | 2023/12/19 14:09:35 [002] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore
  proxy | 2023/12/19 14:09:35 [002] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [002] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore
  proxy | 2023/12/19 14:09:36 [004] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/git/refs/heads/main
  proxy | 2023/12/19 14:09:36 [004] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [004] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/git/refs/heads/main
  proxy | 2023/12/19 14:09:36 [006] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
  proxy | 2023/12/19 14:09:36 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [006] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
  proxy | 2023/12/19 14:09:36 [008] GET https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/Dockerfile?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
  proxy | 2023/12/19 14:09:36 [008] * authenticating github api request with token for api.github.com
  proxy | 2023/12/19 14:09:36 [008] 200 https://api.github.com:443/repos/m1g0r/dependabot-test-ignore/contents/Dockerfile?ref=71eda42b8fa41bf4b343f571153140e34e7d6d52
updater | 2023/12/19 14:09:36 INFO <job_764170586> Finished job processing
updater | time="2023-12-19T14:09:36Z" level=info msg="task complete" container_id=job-764170586-file-fetcher exit_code=0 job_id=764170586 step=fetcher
updater | 2023/12/19 14:09:37 INFO Raven 3.1.2 ready to catch errors
updater | 2023/12/19 14:09:38 INFO <job_764170586> Starting job processing
updater | 2023/12/19 14:09:39 INFO <job_764170586> Starting update job for m1g0r/dependabot-test-ignore
updater | 2023/12/19 14:09:39 INFO <job_764170586> Checking all dependencies for version updates...
updater | 2023/12/19 14:09:39 INFO <job_764170586> Checking if owasp/modsecurity-crs 3.3-apache-202209221209 needs updating
  proxy | 2023/12/19 14:09:39 [014] GET https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/tags/list
  proxy | 2023/12/19 14:09:39 [014] * authenticating docker registry request (host: registry.hub.docker.com)
  proxy | 2023/12/19 14:09:39 [014] 200 https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/tags/list
  proxy | 2023/12/19 14:09:39 [018] HEAD https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3.3-apache-202312070812
  proxy | 2023/12/19 14:09:39 [018] * authenticating docker registry request (host: registry.hub.docker.com)
  proxy | 2023/12/19 14:09:39 [018] 200 https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3.3-apache-202312070812
  proxy | 2023/12/19 14:09:39 [020] HEAD https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3-nginx-alpine-202312070812
  proxy | 2023/12/19 14:09:39 [020] * authenticating docker registry request (host: registry.hub.docker.com)
  proxy | 2023/12/19 14:09:40 [020] 200 https://registry.hub.docker.com:443/v2/owasp/modsecurity-crs/manifests/3-nginx-alpine-202312070812
updater | 2023/12/19 14:09:40 INFO <job_764170586> Latest version is 3-nginx-alpine-202312070812
updater | 2023/12/19 14:09:40 INFO <job_764170586> Pull request already exists for owasp/modsecurity-crs with latest version 3-nginx-alpine-202312070812
updater | 2023/12/19 14:09:40 INFO <job_764170586> Finished job processing
updater | time="2023-12-19T14:09:40Z" level=info msg="task complete" container_id=job-764170586-updater exit_code=0 job_id=764170586 step=updater

In Dependabot logs I see that new correct tag owasp/modsecurity-crs:3.3-apache-202312070812 was found but I don’t understand why it is not chosen

Smallest manifest that reproduces the issue

Current Dockerfile is:

FROM owasp/modsecurity-crs:3.3-apache-202209221209

[m1g0r]

Seems like regexes doesn’t find a prefix or a suffix. It sees the whole string as a version:

irb(main):046:0> version = "3.3-apache-202211030712"
=> "3.3-apache-202211030712"
irb(main):047:0> e.match(VERSION_WITH_PFX)
=> #<MatchData "3.3-apache-202211030712" prefix:nil version:"3.3-apache-202211030712">
irb(main):048:0> e.match(VERSION_WITH_SFX)
=> #<MatchData "3.3-apache-202211030712" version:"3.3-apache-202211030712" suffix:nil>
irb(main):049:0> e.match(VERSION_WITH_PFX_AND_SFX)
=> #<MatchData "3.3-apache-202211030712" prefix:nil version:"3.3-apache-202211030712" suffix:nil>
irb(main):050:0> :"<version>#{version.match(WORDS_WITH_BUILD).to_s.gsub(/-[0-9]+/, '-<build_num>')}"
=> :"<version>-apache-<build_num>"