docker: add support for org.opencontainers.image.version and org.opencontainers.image.revision

[yeikel]

What are you trying to accomplish?

Extends metadata extraction to handle digest-only image references, where no tag is present.

This new logic will run when one of the following additional OCI metadata fields are present along with the digest:

From the OCI docs:

• org.opencontainers.image.version: Packaged software version. This can sometimes be a tag
• org.opencontainers.image.revision: Source control revision identifier for the packaged software

How will you know you've accomplished your goal?

• The existing and new spec pass
• The new integration tests pass Add tests to validate metadata fetching  smoke-tests#362

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[yeikel]

The only change I applied to this test is to remove the sha256 prefix as the spec was misleading. Our source parser drops sha256 currently

[yeikel]

I am not sure if there is any easier way to do this other than to change how Source.from_url works which may cause undesired side-effects. I am open for feedback/ideas 👀

[Copilot]

Pull request overview

This PR extends Docker metadata extraction to support digest-only image references by utilizing OCI annotations org.opencontainers.image.version and org.opencontainers.image.revision. When an image is referenced by digest without a tag, the implementation now attempts to extract version information from these OCI metadata fields to construct a Dependabot::Source object with branch and commit information.

Key changes:

• Added logic to handle digest-only image references using OCI metadata annotations
• Extracted image_details method to centralize Docker image inspection logic
• Implemented build_source_from_image_version to construct Source objects from OCI version/revision labels

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
docker/lib/dependabot/docker/metadata_finder.rb	Refactored look_up_source to support digest-only images; extracted image_details method for image inspection; added build_source_from_image_version to build Source from OCI annotations
docker/spec/dependabot/docker/metadata_finder_spec.rb	Added test coverage for digest-only images with OCI version annotations, digest-only images without proper annotations, and fixed digest format consistency (removed "sha256:" prefix)

[kbukum1]

@yeikel ,

There are copilot suggestions. Will it be possible if you go over them? You can either apply the suggested fix or resolve with a feedback.

[kbukum1]

LGTM

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

[yeikel]

@kbukum1 I applied the latest round of feedback from copilot which dismissed your review again. Could you please take a look again?

Also, the only pending comment is #13855 (comment) which I don't really agree with unless you think I should do that. I personally feel that exposing the source object/properties just for this test is an overkill but I am open to do it

Thanks

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.