False positives for strange tag versions

[michbeck100]

I have some strange version checks with popular images and I think there is something missing in the checking algorithm.

For the image grafana/grafana version-checker says the latest version is 9799770991, which is obviously correct if you compare just version numbers. But this tag is 8 months old and the actual latest tag currently would be 10.2.2. Another example would be quay.io/jetstack/cert-manager-webhook-arm64: v1.13.2 vs. 608111629.

I am wondering if it would be better to always take the publish date into account when checking versions?

Maybe there is another trick how to avoid these false positives?

[davidcollom]

Hi @michbeck100, Thanks for raising this... I have seen this myself and was meant to raise an issue about it! I think the publish date needs to play some part in the sorting process. Its actually an area of version-checker I've not explored just yet.

[michbeck100]

Is there any progress on this?

[hawksight]

@michbeck100 nothing as of yet that I'm aware of.

I was looking into validating some "latest" images and came across 2 cases where this type of problem is present with other tooling such as oras. I think it could have something to do with the API returning Lexical ordering.

Take this example making use of the --last feature

oras repo tags docker.io/grafana/grafana --exclude-digest-tags --last 9.5.7
oras repo tags docker.io/grafana/grafana --exclude-digest-tags --last 10.1.8

In that case above because of the alphabetic ordering, the second command actually brings back many more results than the first, despite what you would imagine to be less.

I'll have to review the code here, but I suspect that version-checker might be doing something similar perhaps?