The concourse pipeline is using the pivnet-resource definition below pulling from Tanzu Network/Support Portal.

source:
  api_token: ((pivnet_token))
  product_slug: cf
  product_version: 10\.\d+\.\d+

It is matching 10.2.8+LTS but not 10.3.5

Is the pivnet-resource pulling the first one that matches the regex?

• pivnet-resource v3.0.2

PivNet Resource is a tool use to interact with Tanzu Network/Support Portal from concourse.

Yes, generally it picks the first version that matches the provided regex or glob pattern.

When doing a check, pivnet-resource defaults to using the server-provided order. This works fine for simple cases where the response from the server is already in semver order.

Some products do not group into major or major.minor groups in their responses. This is usually because a product has multiple concurrent version releases. For example, stemcells typically have multiple major versions available. When a CVE is announced that affects them, multiple releases may occur at once.

To fix use sort_by: semver in your resource definition.

Example:

# In the pivnet resource source
source:
  api_token: ((pivnet_token))
  product_slug: cf
  product_version: 10\.\d+\.\d+
  sort_by: semver   # pick highest matching version, not first in API order

Reference
https://github.com/pivotal-cf/pivnet-resource#using-check-resource-for-sorted-but-non-sequential-releases-eg-buildpacks-stemcells