Jenkin plugin versions should be comparable

yeikel · yeikel · commit e36d11b7804f · 2026-01-21T23:46:37.000-05:00
diff --git a/maven/lib/dependabot/maven/shared/shared_version_finder.rb b/maven/lib/dependabot/maven/shared/shared_version_finder.rb
@@ -68,10 +68,40 @@ def matches_dependency_version_type?(comparison_version)
           current_suffix = extract_version_suffix(current_version_string)
           candidate_suffix = extract_version_suffix(candidate_version_string)
 
+          return true if contains_git_sha?(current_suffix) && contains_git_sha?(candidate_suffix)
+
           # If both versions share the exact suffix or no suffix, they are compatible
           current_suffix == candidate_suffix
         end
 
+        GIT_COMMIT = /\A[0-9a-f]{7,40}\z/i.freeze
+
+        def git_sha?(version)
+          return false unless version
+
+          return true if version.match?(GIT_COMMIT)
+
+          # Strip leading v if any and try again (e.g., v018aa6b0d3)
+          version = version[1..-1] if version.start_with?('v')
+
+          version.match?(GIT_COMMIT)
+        end
+
+        sig { params(version: T.nilable(String)).returns(T::Boolean) }
+        def contains_git_sha?(version)
+          return false unless version
+
+          # Split by common delimiters
+          split = version.split(/[-._]/)
+
+          # Return true if any part is a commit
+          return true if split.any? { |part| git_sha?(part) }
+
+          # Matches if the entire suffix is a commit
+          # Example: va_b_018a_a_6b_0d3
+          git_sha?(split.join)
+        end
+
         private
 
         # Extracts the qualifier/suffix from a Maven version string.
@@ -100,8 +130,7 @@ def extract_version_suffix(version_string)
             # e.g., "1.0.0-1" or "1.0.0_2" are not considered to have a meaningful suffix
             return nil if suffix.match?(/^_?\d+$/)
 
-            # Must contain a hyphen to be considered a valid suffix
-            return suffix if suffix.include?("-") || suffix.include?("_")
+            return suffix if suffix.include?("-") || suffix.include?("_") || git_sha?(suffix)
           end
 
           nil
diff --git a/maven/spec/dependabot/maven/shared/shared_version_finder_spec.rb b/maven/spec/dependabot/maven/shared/shared_version_finder_spec.rb
@@ -400,6 +400,58 @@
           end
         end
       end
+
+      context "when the dependency uses Jenkin's plugin release conventions" do
+        # See
+        # https://www.jenkins.io/doc/developer/publishing/releasing-cd/
+        # https://github.com/jenkinsci/jep/blob/master/jep/305/README.adoc
+
+        context "when the version contains embedded git commits" do
+          let(:dependency_version) { "5933.vcf06f7b_5d1a_2" }
+          let(:comparison_version) { "5857.vb_f3dd0731f44" }
+          it { is_expected.to be true }
+        end
+
+        context "when the version has a single embedded git commit" do
+          let(:dependency_version) { "5622.c9c3051619f5" }
+          let(:comparison_version) { "5681.79d2ddf61465" }
+          it { is_expected.to be true }
+        end
+
+        context "when the version has a single embedded git commit using different delimiters" do
+          let(:dependency_version) { "5622-c9c3051619f5" }
+          let(:comparison_version) { "5681.79d2ddf61465" }
+          it { is_expected.to be true }
+        end
+
+        context "when the version has a single embedded git commit with the v suffix" do
+          # Example: https://github.com/jenkinsci/bom/releases/tag/5622.vc9c3051619f5
+          let(:dependency_version) { "5622.vc9c3051619f5" }
+          let(:comparison_version) { "5681.79d2ddf61465" }
+          it { is_expected.to be true }
+        end
+
+        context "when the version contains embedded git commit with a delimiter" do
+          # Example: https://github.com/jenkinsci/bom/releases/tag/5701.va_b_018a_a_6b_0d3
+          let(:dependency_version) { "5701.va_b_018a_a_6b_0d3" }
+          let(:comparison_version) { "5622.c9c3051619f5" }
+          it { is_expected.to be true }
+        end
+
+        context "when the version contains embedded git commit with a delimiter and leading character" do
+          # Example: https://github.com/jenkinsci/bom/releases/tag/5723.v6f9c6b_d1218a_
+          let(:dependency_version) { "5723.v6f9c6b_d1218a_" }
+          let(:comparison_version) { "5622.c9c3051619f5" }
+          it { is_expected.to be true }
+        end
+
+        context "when only one of the version contains embedded git commits" do
+          let(:dependency_version) { "5933.vcf06f7b_5d1a_2" }
+          let(:comparison_version) { "5933" }
+          it { is_expected.to be false }
+        end
+
+      end
     end
   end
 end
