Missing Go module package versions in Package Metadata DB
Summary
A customer has reported some Go modules being classified as unknown by our license scanning feature (internal link: https://gitlab.com/gitlab-com/sec-sub-department/section-sec-request-for-help/-/issues/175#note_1753503756).
It looks like the Package Metadata DB is still missing some versions and thus does not provide the correct license when these missing versions are used in projects.
Steps to reproduce
- add `github.com/docker/docker` version `v25.0.2+incompatible` to your `go.mod`
- enable Dependency Scanning (DS)
- check the pipeline license tab
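The `+incompatible` suffix on the module in this report marks a v2+ module version that does not use semantic import versioning (no `/vN` path suffix). As an added example, not part of this issue or of GitLab's code, the helper below lists every such requirement in a `go.mod` so their results in the pipeline license tab can be checked by hand; the module paths other than `github.com/docker/docker` are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Incompatible scans go.mod text (single-line and block require directives,
// trailing comments such as "// indirect" dropped) and returns path@version,
// in file order, for every requirement whose version carries the +incompatible
// suffix, as github.com/docker/docker does in this report.
func Incompatible(gomod string) []string {
	var out []string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // strip trailing comment
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace, exclude and blank lines
		}
		f := strings.Fields(line)
		if len(f) == 2 && strings.HasSuffix(f[1], "+incompatible") {
			out = append(out, f[0]+"@"+f[1])
		}
	}
	return out
}

// sampleGoMod is a constructed go.mod; only the docker line comes from the report.
const sampleGoMod = `module example.com/repro
go 1.21
require github.com/docker/docker v25.0.2+incompatible
require (
	github.com/example/lib v1.2.3 // indirect
	github.com/example/legacy v3.1.0+incompatible
)`

func main() { fmt.Println(Incompatible(sampleGoMod)) }
```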
Example Project
https://gitlab.com/gitlab-org/secure/tests/go-modules-missing-version/-/pipelines/1161310413
What is the current bug behavior?
`github.com/docker/docker@v25.0.2+incompatible` license is unknown
What is the expected correct behavior?
`github.com/docker/docker@v25.0.2+incompatible` license is MIT
Possible fixes
- Investigate why we are missing some versions for some Go modules