Merge branch 'development' into 'master'

master: bump version

See merge request !228

Dockerfile

@@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil
 ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
 ARG BASE_TAG=14.17.3
 
-FROM renovate/renovate:25.56.0 as builder
+FROM renovate/renovate:25.56.1 as builder
 
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 

dist/manager/ironbank/artifacts.js

@@ -33,7 +33,9 @@ async function updateArtifacts({ packageFileName, updatedDeps, newPackageFileCon
     }
     let manifest;
     try {
-        manifest = js_yaml_1.default.load(newPackageFileContent, { json: true });
+        manifest = js_yaml_1.default.load(newPackageFileContent, {
+            json: true,
+        });
     }
     catch (err) {
         logger_1.logger.error('Failed to parse hardening_manifest.yaml');
@@ -52,7 +54,6 @@ async function updateArtifacts({ packageFileName, updatedDeps, newPackageFileCon
         }
     }
     for (const dep of updatedDeps) {
-        logger_1.logger.debug(`updatedDep(${dep})`);
         if (charts.has(dep)) {
             const result = await postUpgrade(charts.get(dep), upath_1.join(admin_1.getAdminConfig(), dep));
             if (!result) {

dist/manager/ironbank/artifacts.js.map

-{"version":3,"file":"artifacts.js","sourceRoot":"","sources":["../../../lib/manager/ironbank/artifacts.ts"],"names":[],"mappings":";;;;;;AAAA,0DAAkC;AAClC,sDAA2B;AAC3B,iCAA6B;AAC7B,8CAAoD;AACpD,yCAAsC;AACtC,0CAAuC;AACvC,sCAA8C;AAC9C,wCAA+C;AAI/C,KAAK,UAAU,WAAW,CAAC,GAAW,EAAE,IAAY;IAClD,eAAM,CAAC,KAAK,CAAC,wBAAwB,GAAG,KAAK,IAAI,GAAG,CAAC,CAAC;IACtD,IAAI;QACF,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC/B,MAAM,IAAI,GAAG,cAAc,GAAG,IAAI,GAAG,SAAS,GAAG,GAAG,CAAC;QACrD,MAAM,WAAI,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,CAAC;KAC9B;IAAC,OAAO,GAAG,EAAE;QACZ,eAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,KAAK,CAAC;KACd;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,eAAe,CAAC,EACpC,eAAe,EACf,WAAW,EACX,qBAAqB,EACrB,MAAM,GACS;;IACf,eAAM,CAAC,KAAK,CAAC,4BAA4B,eAAe,GAAG,CAAC,CAAC;IAC7D,IAAI,CAAC,YAAE,CAAC,aAAa,CAAC,WAAW,CAAC,EAAE;QAClC,OAAO,IAAI,CAAC;KACb;IAED,IAAI,QAA2B,CAAC;IAChC,IAAI;QACF,QAAQ,GAAG,iBAAI,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAsB,CAAC;KAClF;IAAC,OAAO,GAAG,EAAE;QACZ,eAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;KACb;IAED,IAAI,CAAC,CAAC,QAAQ,IAAI,YAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE;QAC/C,OAAO,IAAI,CAAC;KACb;IAED,IAAI,CAAC,CAAA,MAAA,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,GAAG,0CAAE,UAAU,CAAC,SAAS,CAAC,CAAA,EAAE;QACrD,OAAO,IAAI,CAAC;KACb;IAED,MAAM,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;IACzB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,SAAS,EAAE;QACrC,IAAI,MAAA,IAAI,CAAC,GAAG,0CAAE,UAAU,CAAC,SAAS,CAAC,EAAE;YACnC,MAAM,CAAC,GAAG,CACR,IAAI,CAAC,IAAI,EACT,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CACxD,CAAC;SACH;KACF;IAED,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE;QAC7B,eAAM,CAAC,KAAK,CAAC,cAAc,GAAG,GAAG,CAAC,CAAC;QACnC,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;YACnB,MAAM,MAAM,GAAG,MAAM,WAAW,CAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EACf,YAAI,CAAC,sBAAc,EAAE,EAAE,GAAG,CAAC,CAC5B,CAAC;YACF,IAAI,CAAC,MAAM,EAAE;gBACX,OAAO,IAAI,CAAC;aACb;SACF;KACF;IAGD,MAAM,GAAG,GAAG,EAAE,CAAC;IACf,MAAM,MAAM,GAAG,MAAM,mBAAa,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE;QACxD,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE;gBACJ,IAAI,EAAE,CAAC;gBACP,QAAQ,EAAE,MAAM,kBAAa,CAAC,CAAC,CAAC;aACjC;SACF,CAAC,CAAC;KACJ;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE;QACpC,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE;gBACJ,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,CAAC;aACZ;SACF,CAAC,CAAC;KACJ;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAzED,0CAyEC","sourcesContent":["import is from '@sindresorhus/is';\nimport yaml from 'js-yaml';\nimport { join } from 'upath';\nimport { getAdminConfig } from '../../config/admin';\nimport { logger } from '../../logger';\nimport { exec } from '../../util/exec';\nimport { readLocalFile } from '../../util/fs';\nimport { getRepoStatus } from '../../util/git';\nimport { UpdateArtifact, UpdateArtifactsResult } from '../types';\nimport { HardeningManifest } from './extract';\n\nasync function postUpgrade(url: string, path: string): Promise<boolean> {\n  logger.debug(`ironbank.postUpgrade(${url}, ${path})`);\n  try {\n    const cmd = 'ironbank-helm.sh';\n    const args = '--directory ' + path + ' --url ' + url;\n    await exec(`${cmd} ${args}`);\n  } catch (err) {\n    logger.error(err);\n    return false;\n  }\n  return true;\n}\n\nexport async function updateArtifacts({\n  packageFileName,\n  updatedDeps,\n  newPackageFileContent,\n  config,\n}: UpdateArtifact): Promise<UpdateArtifactsResult[] | null> {\n  logger.debug(`ironbank.updateArtifacts(${packageFileName})`);\n  if (!is.nonEmptyArray(updatedDeps)) {\n    return null;\n  }\n\n  let manifest: HardeningManifest;\n  try {\n    manifest = yaml.load(newPackageFileContent, { json: true }) as HardeningManifest;\n  } catch (err) {\n    logger.error('Failed to parse hardening_manifest.yaml');\n    return null;\n  }\n\n  if (!(manifest && is.array(manifest.resources))) {\n    return null;\n  }\n\n  if (!manifest.resources[0].url?.startsWith('helm://')) {\n    return null;\n  }\n\n  const charts = new Map();\n  for (const item of manifest.resources) {\n    if (item.url?.startsWith('helm://')) {\n      charts.set(\n        item.name,\n        `${String('https://')}${String(item.url.substring(7))}`\n      );\n    }\n  }\n\n  for (const dep of updatedDeps) {\n    logger.debug(`updatedDep(${dep})`);\n    if (charts.has(dep)) {\n      const result = await postUpgrade(\n        charts.get(dep),\n        join(getAdminConfig(), dep)\n      );\n      if (!result) {\n        return null;\n      }\n    }\n  }\n\n\n  const res = [];\n  const status = await getRepoStatus();\n\n  for (const f of status.modified.concat(status.not_added)) {\n    res.push({\n      file: {\n        name: f,\n        contents: await readLocalFile(f),\n      },\n    });\n  }\n\n  for (const f of status.deleted || []) {\n    res.push({\n      file: {\n        name: '|delete|',\n        contents: f,\n      },\n    });\n  }\n\n  return res;\n}\n"]}
\ No newline at end of file
+{"version":3,"file":"artifacts.js","sourceRoot":"","sources":["../../../lib/manager/ironbank/artifacts.ts"],"names":[],"mappings":";;;;;;AAAA,0DAAkC;AAClC,sDAA2B;AAC3B,iCAA6B;AAC7B,8CAAoD;AACpD,yCAAsC;AACtC,0CAAuC;AACvC,sCAA8C;AAC9C,wCAA+C;AAI/C,KAAK,UAAU,WAAW,CAAC,GAAW,EAAE,IAAY;IAClD,eAAM,CAAC,KAAK,CAAC,wBAAwB,GAAG,KAAK,IAAI,GAAG,CAAC,CAAC;IACtD,IAAI;QACF,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC/B,MAAM,IAAI,GAAG,cAAc,GAAG,IAAI,GAAG,SAAS,GAAG,GAAG,CAAC;QACrD,MAAM,WAAI,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,CAAC;KAC9B;IAAC,OAAO,GAAG,EAAE;QACZ,eAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,KAAK,CAAC;KACd;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,eAAe,CAAC,EACpC,eAAe,EACf,WAAW,EACX,qBAAqB,EACrB,MAAM,GACS;;IACf,eAAM,CAAC,KAAK,CAAC,4BAA4B,eAAe,GAAG,CAAC,CAAC;IAC7D,IAAI,CAAC,YAAE,CAAC,aAAa,CAAC,WAAW,CAAC,EAAE;QAClC,OAAO,IAAI,CAAC;KACb;IAED,IAAI,QAA2B,CAAC;IAChC,IAAI;QACF,QAAQ,GAAG,iBAAI,CAAC,IAAI,CAAC,qBAAqB,EAAE;YAC1C,IAAI,EAAE,IAAI;SACX,CAAsB,CAAC;KACzB;IAAC,OAAO,GAAG,EAAE;QACZ,eAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;KACb;IAED,IAAI,CAAC,CAAC,QAAQ,IAAI,YAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE;QAC/C,OAAO,IAAI,CAAC;KACb;IAED,IAAI,CAAC,CAAA,MAAA,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,GAAG,0CAAE,UAAU,CAAC,SAAS,CAAC,CAAA,EAAE;QACrD,OAAO,IAAI,CAAC;KACb;IAED,MAAM,MAAM,GAAG,IAAI,GAAG,EAAE,CAAC;IACzB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,SAAS,EAAE;QACrC,IAAI,MAAA,IAAI,CAAC,GAAG,0CAAE,UAAU,CAAC,SAAS,CAAC,EAAE;YACnC,MAAM,CAAC,GAAG,CACR,IAAI,CAAC,IAAI,EACT,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CACxD,CAAC;SACH;KACF;IAED,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE;QAC7B,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;YACnB,MAAM,MAAM,GAAG,MAAM,WAAW,CAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EACf,YAAI,CAAC,sBAAc,EAAE,EAAE,GAAG,CAAC,CAC5B,CAAC;YACF,IAAI,CAAC,MAAM,EAAE;gBACX,OAAO,IAAI,CAAC;aACb;SACF;KACF;IAED,MAAM,GAAG,GAAG,EAAE,CAAC;IACf,MAAM,MAAM,GAAG,MAAM,mBAAa,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE;QACxD,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE;gBACJ,IAAI,EAAE,CAAC;gBACP,QAAQ,EAAE,MAAM,kBAAa,CAAC,CAAC,CAAC;aACjC;SACF,CAAC,CAAC;KACJ;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE;QACpC,GAAG,CAAC,IAAI,CAAC;YACP,IAAI,EAAE;gBACJ,IAAI,EAAE,UAAU;gBAChB,QAAQ,EAAE,CAAC;aACZ;SACF,CAAC,CAAC;KACJ;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAzED,0CAyEC","sourcesContent":["import is from '@sindresorhus/is';\nimport yaml from 'js-yaml';\nimport { join } from 'upath';\nimport { getAdminConfig } from '../../config/admin';\nimport { logger } from '../../logger';\nimport { exec } from '../../util/exec';\nimport { readLocalFile } from '../../util/fs';\nimport { getRepoStatus } from '../../util/git';\nimport { UpdateArtifact, UpdateArtifactsResult } from '../types';\nimport { HardeningManifest } from './extract';\n\nasync function postUpgrade(url: string, path: string): Promise<boolean> {\n  logger.debug(`ironbank.postUpgrade(${url}, ${path})`);\n  try {\n    const cmd = 'ironbank-helm.sh';\n    const args = '--directory ' + path + ' --url ' + url;\n    await exec(`${cmd} ${args}`);\n  } catch (err) {\n    logger.error(err);\n    return false;\n  }\n  return true;\n}\n\nexport async function updateArtifacts({\n  packageFileName,\n  updatedDeps,\n  newPackageFileContent,\n  config,\n}: UpdateArtifact): Promise<UpdateArtifactsResult[] | null> {\n  logger.debug(`ironbank.updateArtifacts(${packageFileName})`);\n  if (!is.nonEmptyArray(updatedDeps)) {\n    return null;\n  }\n\n  let manifest: HardeningManifest;\n  try {\n    manifest = yaml.load(newPackageFileContent, {\n      json: true,\n    }) as HardeningManifest;\n  } catch (err) {\n    logger.error('Failed to parse hardening_manifest.yaml');\n    return null;\n  }\n\n  if (!(manifest && is.array(manifest.resources))) {\n    return null;\n  }\n\n  if (!manifest.resources[0].url?.startsWith('helm://')) {\n    return null;\n  }\n\n  const charts = new Map();\n  for (const item of manifest.resources) {\n    if (item.url?.startsWith('helm://')) {\n      charts.set(\n        item.name,\n        `${String('https://')}${String(item.url.substring(7))}`\n      );\n    }\n  }\n\n  for (const dep of updatedDeps) {\n    if (charts.has(dep)) {\n      const result = await postUpgrade(\n        charts.get(dep),\n        join(getAdminConfig(), dep)\n      );\n      if (!result) {\n        return null;\n      }\n    }\n  }\n\n  const res = [];\n  const status = await getRepoStatus();\n\n  for (const f of status.modified.concat(status.not_added)) {\n    res.push({\n      file: {\n        name: f,\n        contents: await readLocalFile(f),\n      },\n    });\n  }\n\n  for (const f of status.deleted || []) {\n    res.push({\n      file: {\n        name: '|delete|',\n        contents: f,\n      },\n    });\n  }\n\n  return res;\n}\n"]}
\ No newline at end of file

dist/manager/ironbank/extract.js

@@ -73,8 +73,10 @@ function parseUrl(urlString) {
     return null;
 }
 function extractPackageFile(content) {
+    var _a, _b, _c, _d, _e;
     const deps = [];
-    // let man: HardeningManifest;
+    let hasBase = false;
+    let hasResource = false;
     let manifest;
     try {
         manifest = js_yaml_1.default.load(content, { json: true });
@@ -83,10 +85,40 @@ function extractPackageFile(content) {
         logger_1.logger.debug('Failed to parse hardening_manifest.yaml');
         return null;
     }
-    if (!(manifest && is_1.default.array(manifest.resources))) {
-        logger_1.logger.debug('hardening_manifest.yaml has no dependencies');
+    if (!((_a = manifest.args) === null || _a === void 0 ? void 0 : _a.BASE_TAG) || !((_b = manifest.args) === null || _b === void 0 ? void 0 : _b.BASE_IMAGE) || !manifest) {
         return null;
     }
+    // extract base image
+    if (!(manifest === null) &&
+        'BASE_TAG' in manifest.args &&
+        'BASE_IMAGE' in manifest.args) {
+        hasBase = true;
+        const baseResource = {
+            url: manifest.args.BASE_IMAGE,
+            tag: manifest.args.BASE_TAG,
+        };
+        const baseDep = { managerData: { baseResource } };
+        baseDep.depType = 'ironbank-base';
+        baseDep.depName = `registry1.dso.mil/ironbank/${String(manifest.args.BASE_IMAGE)}`;
+        baseDep.datasource = datasourceDocker.id;
+        baseDep.versioning = dockerVersioning.id;
+        baseDep.lookupName = `registry1.dso.mil/ironbank/${String(manifest.args.BASE_IMAGE)}`;
+        baseDep.currentValue = manifest.args.BASE_TAG;
+        deps.push(baseDep);
+    }
+    // check if there are resource in the HM resource block
+    if (is_1.default.array(manifest.resources)) {
+        hasResource = true;
+    }
+    // no base or resources, return null
+    if (!hasBase && !hasResource) {
+        return null;
+    }
+    // has base but no resources
+    if (!hasResource) {
+        return { deps };
+    }
+    // extract resources list in manifest resource block
     for (const item of manifest.resources) {
         const dep = { managerData: { item } };
         if (item.url) {
@@ -117,12 +149,12 @@ function extractPackageFile(content) {
             // helm
             else if (item.url.startsWith('helm://')) {
                 const regex = new RegExp('helm://(?<registryUrl>.*/)(?<lookupName>.*?)-(?<currentValue>.*?).tgz');
-                const groups = regex.exec(item.url).groups;
-                if ((groups === null || groups === void 0 ? void 0 : groups.registryUrl) && groups.lookupName && groups.currentValue) {
+                const groups = (_c = regex.exec(item.url)) === null || _c === void 0 ? void 0 : _c.groups;
+                if ((groups === null || groups === void 0 ? void 0 : groups.registryUrl) && (groups === null || groups === void 0 ? void 0 : groups.lookupName) && (groups === null || groups === void 0 ? void 0 : groups.currentValue)) {
                     logger_1.logger.info(groups.registryUrl);
                     dep.depType = 'ironbank-helm';
                     dep.depName = item.name;
-                    dep.datasource = datasourceHelm.id;
+                    dep.datasource = datasourceHelm.HelmDatasource.id;
                     dep.registryUrls = [
                         `${String('https://')}${String(groups.registryUrl)}`,
                     ];
@@ -134,8 +166,8 @@ function extractPackageFile(content) {
             // rubygems
             else if (item.url.startsWith('https://rubygems.org')) {
                 const regex = new RegExp('https://(?<registryUrl>.*)/(.*/)(?<lookupName>.*-?)-(?<currentValue>.*?).gem');
-                const groups = regex.exec(item.url).groups;
-                if ((groups === null || groups === void 0 ? void 0 : groups.registryUrl) && groups.lookupName && groups.currentValue) {
+                const groups = (_d = regex.exec(item.url)) === null || _d === void 0 ? void 0 : _d.groups;
+                if ((groups === null || groups === void 0 ? void 0 : groups.registryUrl) && (groups === null || groups === void 0 ? void 0 : groups.lookupName) && (groups === null || groups === void 0 ? void 0 : groups.currentValue)) {
                     dep.depType = 'ironbank-rubygems';
                     dep.depName = groups.lookupName;
                     dep.lookupName = groups.lookupName;
@@ -148,9 +180,9 @@ function extractPackageFile(content) {
                 }
             }
             else if (item.url.startsWith('https://files.pythonhosted.org')) {
-                const regex = new RegExp('https://(.*)/(.*)/(.*)/(.*)/(.*)/(?<lookupName>.*?)-(?<version>.*?)-(.*)');
-                const group = regex.exec(item.url).groups;
-                if (group.lookupName && group.version) {
+                const regex = new RegExp('https://(.*)/(.*)/(.*)/(.*)/(.*)/(?<lookupName>.*?)-(?<version>([0-9]+).([0-9]+).([0-9]+))[-|.](.*)');
+                const group = (_e = regex.exec(item.url)) === null || _e === void 0 ? void 0 : _e.groups;
+                if ((group === null || group === void 0 ? void 0 : group.lookupName) && (group === null || group === void 0 ? void 0 : group.version)) {
                     dep.depType = 'ironbank-pypi';
                     dep.currentDigest = item.validation.value;
                     dep.currentValue = group.version;

dist/manager/ironbank/update.js

@@ -75,6 +75,13 @@ async function getPypiData(url) {
 async function updateDependency({ fileContent, upgrade, }) {
     // let newContent = fileContent;
     switch (upgrade.depType) {
+        case 'ironbank-base': {
+            const oldTag = upgrade.currentValue;
+            const newTag = upgrade.newValue;
+            let newContent = fileContent;
+            newContent = newContent.replace(oldTag, newTag);
+            return newContent;
+        }
         case 'ironbank-docker': {
             const oldTag = upgrade.lookupName + ':' + upgrade.currentValue;
             const newTag = upgrade.lookupName + ':' + upgrade.newValue;

hardening_manifest.yaml

@@ -8,7 +8,7 @@ name: "container-hardening-tools/renovate/renovate"
 # The most specific version should be the first tag and will be shown
 # on ironbank.dsop.io
 tags:
-- "25.56.0"
+- "25.56.1"
 - "latest"
 
 # Build args passed to Dockerfile ARGs
@@ -27,7 +27,7 @@ labels:
   org.opencontainers.image.url: "https://github.com/renovatebot/renovate"
   ## Name of the distributing entity, organization or individual
   org.opencontainers.image.vendor: "WhiteSource"
-  org.opencontainers.image.version: "25.56.0"
+  org.opencontainers.image.version: "25.56.1"
   ## Keywords to help with search (ex. "cicd,gitops,golang")
   mil.dso.ironbank.image.keywords: "automation,dependency,updates"
   ## This value can be "opensource" or "commercial"
@@ -37,8 +37,8 @@ labels:
 
 # List of resources to make available to the offline build context
 resources:
-- tag: renovate/renovate:25.56.0
-  url: docker://docker.io/renovate/renovate@sha256:0f8804cdd4d4d0117b7cd74969919266c72555546df09f237aff6de324fea56e
+- tag: renovate/renovate:25.56.1
+  url: docker://docker.io/renovate/renovate@sha256:082f2dc8a68061c2d2fc0ec3f7ab9a98697d6b57a15acf71db396a7adf1346f1
 - filename: helm-docs.tar.gz
   url: https://github.com/norwoodj/helm-docs/releases/download/v1.5.0/helm-docs_1.5.0_Linux_x86_64.tar.gz
   validation:

lib/manager/ironbank/__fixtures__/hardening_manifest.yaml

+args:
+  BASE_IMAGE: "opensource/nodejs/nodejs14"
+  BASE_TAG: "14.16.1"
+
 resources:
-  - url: "docker://docker.io/jboss/keycloak@sha256:ca713e87ad163da71ab329010de2464a41ff030a25ae0aef15c1c290252f3d7f"
-    tag: "jboss/keycloak:14.0.0"
-  - url: "https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz"
+  - url: "docker://docker.io/jboss/keycloak@sha256:3720b5ace316b5790a58ce838f46e8cd44cedbdb7e35d3866311ddc5a5e71466"
+    tag: "jboss/keycloak:12.0.3"
+  - url: "https://github.com/etcd-io/etcd/releases/download/v3.4.8/etcd-v3.4.8-linux-amd64.tar.gz"
     filename: etcd.tar.gz
     validation:
       type: sha256
-      value: 864baa0437f8368e0713d44b83afe21dce1fb4ee7dae4ca0f9dd5f0df22d01c4
-  - url: "https://github.com/fluent/fluentd/archive/v1.13.1.tar.gz"
+      value: a3a332a68fe8dedf20149c1a4b8746fe8061b72d75d3a5850b17e04de9ed7942
+  - url: "https://github.com/fluent/fluentd/archive/v1.10.3.tar.gz"
     filename: fluentd.tar.gz
     validation:
       type: sha256
-      value: b6296aa45da03d3a9217265f52196969f46f52a6ece00e3aed3947ebe322bafe
+      value: c2b5bbb6c2236f73310b22c748e32a88f25288f3e6e1bd272f3dccc6a2322160
   - filename: urllib3-1.25.10-py2.py3-none-any.whl
-    url: https://files.pythonhosted.org/packages/5f/64/43575537846896abac0b15c3e5ac678d787a4021e906703f1766bfb8ea11/urllib3-1.26.6-py2.py3-none-any.whl
+    url: https://files.pythonhosted.org/packages/9f/f0/a391d1463ebb1b233795cabfc0ef38d3db4442339de68f847026199e69d7/urllib3-1.25.10-py2.py3-none-any.whl
     validation:
       type: sha256
-      value: 39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4
+      value: e7983572181f5e1522d9c98453462384ee92a0be7fac5f1413a1e35c56cc0461
   - filename: gitlab-triage-1.15.0.gem
-    url: https://rubygems.org/downloads/gitlab-triage-1.20.0.gem
+    url: https://rubygems.org/downloads/gitlab-triage-1.15.0.gem
     validation:
       type: sha256
-      value: b20fd88119e9d7e11c4dc06ab26f2f66b57462e1d348910593fc21856f009fa8
+      value: e516d720a67c9e3447db858775b48f44aae210b184dd96f7a20fe4fbb4022834

lib/manager/ironbank/__snapshots__/extract.spec.ts.snap

@@ -2,6 +2,20 @@
 
 exports[`lib/manager/ironbank/extract extractPackageFile() extracts single image lines 1`] = `
 Array [
+  Object {
+    "currentValue": "14.16.1",
+    "datasource": "docker",
+    "depName": "registry1.dso.mil/ironbank/opensource/nodejs/nodejs14",
+    "depType": "ironbank-base",
+    "lookupName": "registry1.dso.mil/ironbank/opensource/nodejs/nodejs14",
+    "managerData": Object {
+      "baseResource": Object {
+        "tag": "14.16.1",
+        "url": "opensource/nodejs/nodejs14",
+      },
+    },
+    "versioning": "docker",
+  },
   Object {
     "currentDigest": "sha256:3720b5ace316b5790a58ce838f46e8cd44cedbdb7e35d3866311ddc5a5e71466",
     "currentValue": "12.0.3",

lib/manager/ironbank/artifacts.ts

@@ -35,7 +35,9 @@ export async function updateArtifacts({
 
   let manifest: HardeningManifest;
   try {
-    manifest = yaml.load(newPackageFileContent, { json: true }) as HardeningManifest;
+    manifest = yaml.load(newPackageFileContent, {
+      json: true,
+    }) as HardeningManifest;
   } catch (err) {
     logger.error('Failed to parse hardening_manifest.yaml');
     return null;
@@ -60,7 +62,6 @@ export async function updateArtifacts({
   }
 
   for (const dep of updatedDeps) {
-    logger.debug(`updatedDep(${dep})`);
     if (charts.has(dep)) {
       const result = await postUpgrade(
         charts.get(dep),
@@ -72,7 +73,6 @@ export async function updateArtifacts({
     }
   }
 
-
   const res = [];
   const status = await getRepoStatus();
 

lib/manager/ironbank/extract.spec.ts

@@ -14,7 +14,7 @@ describe('lib/manager/ironbank/extract', () => {
     it('extracts single image lines', () => {
       const res = extractPackageFile(yamlFile);
       expect(res.deps).toMatchSnapshot();
-      expect(res.deps).toHaveLength(5);
+      expect(res.deps).toHaveLength(6);
     });
   });
 });

lib/manager/ironbank/extract.ts

@@ -91,7 +91,7 @@ function parseUrl(urlString: string): UrlParsedResult | null {
   }
   if (path[2] === 'archive') {
     if (path[3] === 'refs') {
-      currentValue = path[5].replace(/\.tar\.gz$/, '')
+      currentValue = path[5].replace(/\.tar\.gz$/, '');
     } else {
       currentValue = path[3].replace(/\.tar\.gz$/, '');
     }
@@ -105,22 +105,63 @@ function parseUrl(urlString: string): UrlParsedResult | null {
 
 export function extractPackageFile(content: string): PackageFile {
   const deps: PackageDependency[] = [];
-  // let man: HardeningManifest;
+  let hasBase = false;
+  let hasResource = false;
 
   let manifest: HardeningManifest;
 
   try {
-    manifest = yaml.load(content, { json: true} ) as HardeningManifest
+    manifest = yaml.load(content, { json: true }) as HardeningManifest;
   } catch (err) {
     logger.debug('Failed to parse hardening_manifest.yaml');
     return null;
   }
 
-  if (!(manifest && is.array(manifest.resources))) {
-    logger.debug('hardening_manifest.yaml has no dependencies');
+  if (!manifest.args?.BASE_TAG || !manifest.args?.BASE_IMAGE || !manifest) {
     return null;
   }
 
+  // extract base image
+  if (
+    !(manifest === null) &&
+    'BASE_TAG' in manifest.args &&
+    'BASE_IMAGE' in manifest.args
+  ) {
+    hasBase = true;
+    const baseResource: Resource = {
+      url: manifest.args.BASE_IMAGE,
+      tag: manifest.args.BASE_TAG,
+    };
+    const baseDep: PackageDependency = { managerData: { baseResource } };
+    baseDep.depType = 'ironbank-base';
+    baseDep.depName = `registry1.dso.mil/ironbank/${String(
+      manifest.args.BASE_IMAGE
+    )}`;
+    baseDep.datasource = datasourceDocker.id;
+    baseDep.versioning = dockerVersioning.id;
+    baseDep.lookupName = `registry1.dso.mil/ironbank/${String(
+      manifest.args.BASE_IMAGE
+    )}`;
+    baseDep.currentValue = manifest.args.BASE_TAG;
+    deps.push(baseDep);
+  }
+
+  // check if there are resource in the HM resource block
+  if (is.array(manifest.resources)) {
+    hasResource = true;
+  }
+
+  // no base or resources, return null
+  if (!hasBase && !hasResource) {
+    return null;
+  }
+
+  // has base but no resources
+  if (!hasResource) {
+    return { deps };
+  }
+
+  // extract resources list in manifest resource block
   for (const item of manifest.resources) {
     const dep: PackageDependency = { managerData: { item } };
     if (item.url) {
@@ -153,12 +194,12 @@ export function extractPackageFile(content: string): PackageFile {
         const regex = new RegExp(
           'helm://(?<registryUrl>.*/)(?<lookupName>.*?)-(?<currentValue>.*?).tgz'
         );
-        const groups = regex.exec(item.url).groups;
-        if (groups?.registryUrl && groups.lookupName && groups.currentValue) {
+        const groups = regex.exec(item.url)?.groups;
+        if (groups?.registryUrl && groups?.lookupName && groups?.currentValue) {
           logger.info(groups.registryUrl);
           dep.depType = 'ironbank-helm';
           dep.depName = item.name;
-          dep.datasource = datasourceHelm.id;
+          dep.datasource = datasourceHelm.HelmDatasource.id;
           dep.registryUrls = [
             `${String('https://')}${String(groups.registryUrl)}`,
           ];
@@ -172,8 +213,8 @@ export function extractPackageFile(content: string): PackageFile {
         const regex = new RegExp(
           'https://(?<registryUrl>.*)/(.*/)(?<lookupName>.*-?)-(?<currentValue>.*?).gem'
         );
-        const groups = regex.exec(item.url).groups;
-        if (groups?.registryUrl && groups.lookupName && groups.currentValue) {
+        const groups = regex.exec(item.url)?.groups;
+        if (groups?.registryUrl && groups?.lookupName && groups?.currentValue) {
           dep.depType = 'ironbank-rubygems';
           dep.depName = groups.lookupName;
           dep.lookupName = groups.lookupName;
@@ -186,11 +227,11 @@ export function extractPackageFile(content: string): PackageFile {
         }
       } else if (item.url.startsWith('https://files.pythonhosted.org')) {
         const regex = new RegExp(
-          'https://(.*)/(.*)/(.*)/(.*)/(.*)/(?<lookupName>.*?)-(?<version>.*?)-(.*)'
+          'https://(.*)/(.*)/(.*)/(.*)/(.*)/(?<lookupName>.*?)-(?<version>([0-9]+).([0-9]+).([0-9]+))[-|.](.*)'
         );
-        const group = regex.exec(item.url).groups;
+        const group = regex.exec(item.url)?.groups;
 
-        if (group.lookupName && group.version) {
+        if (group?.lookupName && group?.version) {
           dep.depType = 'ironbank-pypi';
           dep.currentDigest = item.validation.value;
           dep.currentValue = group.version;
@@ -204,7 +245,6 @@ export function extractPackageFile(content: string): PackageFile {
     }
   }
 
-
   if (!deps.length) {
     return null;
   }

lib/manager/ironbank/update.ts

@@ -86,6 +86,15 @@ export async function updateDependency({
   // let newContent = fileContent;
 
   switch (upgrade.depType) {
+    case 'ironbank-base': {
+      const oldTag = upgrade.currentValue;
+      const newTag = upgrade.newValue;
+
+      let newContent = fileContent;
+      newContent = newContent.replace(oldTag, newTag);
+
+      return newContent;
+    }
     case 'ironbank-docker': {
       const oldTag = upgrade.lookupName + ':' + upgrade.currentValue;
       const newTag = upgrade.lookupName + ':' + upgrade.newValue;

renovate.json

-{
-  "assignees": [
-    "@sean.melissari"
-  ],
-  "baseBranches": [
-    "development"
-  ],
-  "packageRules": [
-    {
-      "datasources": [
-        "docker"
-      ],
-      "packageNames": [
-        "renovate/renovate"
-      ],
-      "major": {
-        "enabled": true
-      }
-    },
-    {
-      "datasources": [
-        "docker"
-      ],
-      "packageNames": [
-        "registry1.dso.mil/ironbank/opensource/nodejs/nodejs14"
-      ],
-      "prBodyNotes": ["This is an upstream base image update"]
-    }
-  ],
-  "regexManagers": [
-    {
-      "fileMatch": [
-        "^hardening_manifest.yaml$"
-      ],
-      "matchStrings": [
-        "org\\.opencontainers\\.image\\.version:\\s+\"(?<currentValue>.+?)\"",
-        "tags:\\s+-\\s+\"(?<currentValue>.+?)\""
-      ],
-      "depNameTemplate": "renovate/renovate",
-      "datasourceTemplate": "docker"
-    },
-    {
-      "fileMatch": [
-        "^hardening_manifest.yaml$"
-      ],
-      "matchStrings": [
-        "BASE_TAG: \"(?<currentValue>.*?)\""
-      ],
-      "depNameTemplate": "registry1.dso.mil/ironbank/opensource/nodejs/nodejs14",
-      "datasourceTemplate": "docker"
-    }
-  ]
-}