
Missing Go module package versions in Package Metadata DB

Summary

A customer has reported some Go modules being classified as unknown by our license scanning feature. (internal link: https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/175#note_1753503756)

It looks like the Package Metadata DB is still missing some versions and thus does not provide the correct license when these missing versions are used in projects.

Steps to reproduce

  • Add github.com/docker/docker version v25.0.2+incompatible to your go.mod
  • Enable Dependency Scanning (DS)
  • Check the License tab of the pipeline
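Added example (not part of this issue or of the GitLab code base): a stdlib-only Go helper that parses a go.mod file, lists its `require` entries and flags every `+incompatible` version, which is the case this issue is about. Go appends `+incompatible` to a v2+ tag of a module whose path carries no `/vN` major-version suffix; the helper lets a team pre-check a repository for such entries and review their license result by hand while the Package Metadata DB gap is open. The go.mod text is constructed for the example; the `Requirement` type and the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Requirement is one module@version pair taken from a go.mod require directive.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool // marked "// indirect" in go.mod
}

// sampleGoMod is a constructed go.mod reproducing the report: one +incompatible
// dependency (flagged) and one ordinary tagged dependency (not flagged).
const sampleGoMod = `module example.com/repro

go 1.21

require (
	github.com/docker/docker v25.0.2+incompatible
	github.com/stretchr/testify v1.8.4 // indirect
)
`

// ParseGoMod extracts require entries from go.mod text. It handles both the
// single-line form "require path version" and the "require ( ... )" block form,
// and strips trailing "//" comments after recording the "// indirect" marker.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				reqs = append(reqs, Requirement{Path: f[0], Version: f[1], Indirect: indirect})
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				reqs = append(reqs, Requirement{Path: f[1], Version: f[2], Indirect: indirect})
			}
		}
	}
	return reqs
}

var majorRe = regexp.MustCompile(`^v(\d+)\.`)

// MajorVersion returns the semver major of a module version
// ("v25.0.2+incompatible" -> 25), or -1 if the version does not look like vN.x.y.
func MajorVersion(v string) int {
	m := majorRe.FindStringSubmatch(v)
	if m == nil {
		return -1
	}
	n, _ := strconv.Atoi(m[1])
	return n
}

// IsIncompatible reports whether a version carries the +incompatible suffix.
func IsIncompatible(v string) bool {
	return strings.HasSuffix(v, "+incompatible")
}

// FlagForReview returns "path@version" for every +incompatible requirement, i.e.
// the entries whose license result from scanning should be checked by hand.
func FlagForReview(reqs []Requirement) []string {
	var flagged []string
	for _, r := range reqs {
		if IsIncompatible(r.Version) {
			flagged = append(flagged, r.Path+"@"+r.Version)
		}
	}
	return flagged
}

func main() {
	reqs := ParseGoMod(sampleGoMod)
	for _, r := range reqs {
		fmt.Printf("%-32s %-24s major=%d indirect=%v\n", r.Path, r.Version, MajorVersion(r.Version), r.Indirect)
	}
	for _, entry := range FlagForReview(reqs) {
		fmt.Println("review license manually:", entry)
	}
}
```

Run it against a real go.mod by reading the file into `ParseGoMod` instead of `sampleGoMod`; any line printed under "review license manually" is a candidate for the unknown-license result described above.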

Example Project

https://gitlab.com/gitlab-org/secure/tests/go-modules-missing-version/-/pipelines/1161310413

What is the current bug behavior?

The license of github.com/docker/docker@v25.0.2+incompatible is reported as unknown.

What is the expected correct behavior?

The license of github.com/docker/docker@v25.0.2+incompatible should be reported as MIT.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check


(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

  • Investigate why we are missing some versions for some Go modules
Edited by Olivier Gonzalez