Improve Docker tag component detection and comparison

[robaiken]

What are you trying to accomplish?

I'm improving how Dependabot selects Docker images for updates by enhancing the tag comparison logic. Currently, we sometimes incorrectly select images with different component patterns - for example, suggesting an update from image:3.3-apache to image:4-apache-alpine when we should only be matching images with identical components (just "apache" in this case).

This refactoring makes tag comparison more intelligent by analyzing patterns in image tags to identify their key components (like OS, packages, etc.) and using those patterns as a basis to filter out images that don't match the original structure. By dynamically identifying these components across all available tags, we can ensure we only suggest updates that maintain the same component structure as the original dependency.

Related issues: #8648, #390

Anything you want to highlight for special attention from reviewers?

I've taken a component-based approach to image selection rather than the previous method of stripping characters. The key strategy involves:

1. Analyzing all available tags to identify recurring components (like alpine, apache, amd64)
2. Extracting these components from both the original dependency and candidate updates
3. Ensuring exact component matching between tags (so apache doesn't match with apache-alpine)

This approach makes more semantic sense for Docker tags and better respects their internal structure. I've also split the logic into smaller, focused methods for better maintainability. The refactoring preserves all existing functionality while adding more precise tag filtering.

How will you know you've accomplished your goal?

We'll see more accurate image selection during updates, particularly:

When updating from owasp/modsecurity-crs:3.3-apache-202209221209 we won't incorrectly select owasp/modsecurity-crs:4-apache-alpine-202502070602 (adding alpine)

Users should experience more predictable and semantically correct Docker dependency updates.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[kbukum1]

Maybe that can be changed into?

components << component if tag_name.include?(component)

[robaiken]

I want to use word boundaries to ensure we only match complete component names, not partial substrings. If we have a component like "ruby" and we use include?, it will incorrectly match in tags like "rubygem" as substrings. I don't know if there is going to be a real world scenario where this would happen, but it's a possibility and I want to play it safe to avoid potentially creating issues.

[kbukum1]

@robaiken, I’ve added a few suggestions, but overall, this looks good to me! 👍 If you’re considering a feature flag, it could help with a smoother rollout in case any issues arise.

[markhallen]

LGTM

Nice idea!