Add support for Golang pseudo versions in License Scanning (semver_dialects limitation)
Summary
In the context of License Scanning, we need to verify if a given version of a package is within a version range to determine its license.
For Go modules, a pseudo-version can end up as the boundary of a version range for a license, and in some cases the range matching fails because the comparison involving the pseudo-version is wrong. As a result, License Scanning reports an unknown or incorrect license even though the right information is in the database.
This is due to a limitation of semver_dialects, the Ruby gem we use for version comparison and range matching in License Scanning, Dependency Scanning and Container Scanning. It currently does not handle Go pseudo-versions the way it handles other pre-release segments:
Example:
PASS:

```ruby
expect(SemanticVersion.new('5.0.0-RC')).to be < SemanticVersion.new('5.0.0')
```

FAIL:

```ruby
expect(SemanticVersion.new('5.0.0-20210902205210-b0ae7e3229d9')).to be < SemanticVersion.new('5.0.0')
```
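As an added example (not code from the semver_dialects gem or from GitLab), the Ruby below shows how a comparator that treats a Go pseudo-version as a pre-release of its base version orders the cases above, and how the range check License Scanning depends on then behaves when a pseudo-version is a range boundary. The class name `GoModVersion`, its helper names, and the half-open `[low, high)` range convention are assumptions of this example.

```ruby
# Added example, not code from the semver_dialects gem or from GitLab. The
# class and helper names are assumptions made for this example.
#
# Go pseudo-version layouts (Go module reference):
#   vX.0.0-yyyymmddhhmmss-abcdefabcdef          no tagged base version
#   vX.Y.Z-pre.0.yyyymmddhhmmss-abcdefabcdef    base is pre-release vX.Y.Z-pre
#   vX.Y.(Z+1)-0.yyyymmddhhmmss-abcdefabcdef    base is release vX.Y.Z
# In all three the pseudo-version is a pre-release of the stated X.Y.Z, so it
# sorts below that release (semver 2.0.0 rule 11); two pseudo-versions that
# share a base order by their fixed-width UTC timestamp.
class GoModVersion
  include Comparable

  PSEUDO_TAIL = /(\d{14})-([0-9a-f]{12})\z/
  PSEUDO_RE   = /\A(?:[0-9A-Za-z-]+\.)*\d{14}-[0-9a-f]{12}\z/

  attr_reader :major, :minor, :patch, :pre

  def initialize(str)
    s = str.to_s.sub(/\Av/, '').split('+', 2).first  # drop "v" and build metadata
    core, @pre = s.split('-', 2)                      # pre is nil for a plain release
    @major, @minor, @patch = core.split('.').map { |n| Integer(n, 10) }
  end

  # True for any of the three pseudo-version layouts above.
  def pseudo?
    !pre.nil? && pre.match?(PSEUDO_RE)
  end

  # "yyyymmddhhmmss" of a pseudo-version, nil for anything else.
  def pseudo_timestamp
    pre&.match(PSEUDO_TAIL)&.captures&.first
  end

  def <=>(other)
    c = [major, minor, patch] <=> [other.major, other.minor, other.patch]
    return c unless c.zero?
    return 0 if pre.nil? && other.pre.nil?
    return 1 if pre.nil?        # a release beats any pre-release, pseudo or not
    return -1 if other.pre.nil?
    compare_prerelease(pre, other.pre)
  end

  def to_s
    pre ? "#{major}.#{minor}.#{patch}-#{pre}" : "#{major}.#{minor}.#{patch}"
  end

  private

  # Semver 2.0.0 rule 11: compare dot-separated identifiers left to right;
  # numeric < alphanumeric, numerics compare as integers, alphanumerics as
  # ASCII strings, and the shorter list sorts first when all shared parts tie.
  # A pseudo-version's last identifier ("20210902205210-b0ae7e3229d9") is
  # alphanumeric, so same-base pseudo-versions order by timestamp.
  def compare_prerelease(a, b)
    xs, ys = a.split('.'), b.split('.')
    xs.zip(ys).each do |x, y|
      return 1 if y.nil?                          # a has more identifiers than b
      xn, yn = x.match?(/\A\d+\z/), y.match?(/\A\d+\z/)
      c = if xn && yn then x.to_i <=> y.to_i
          elsif xn then -1
          elsif yn then 1
          else x <=> y
          end
      return c unless c.zero?
    end
    xs.length <=> ys.length
  end
end

# The license lookup scenario: is +version+ inside the range [low, high)?
# Inclusive lower bound and exclusive upper bound are an assumption here.
def version_in_range?(version, low, high)
  v = GoModVersion.new(version)
  v >= GoModVersion.new(low) && v < GoModVersion.new(high)
end
```

With this ordering `5.0.0-20210902205210-b0ae7e3229d9` sorts below `5.0.0`, exactly like `5.0.0-RC`, so a license range whose lower bound is that pseudo-version still matches the tagged `v5.0.0` release.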
Zendesk ticket - internal only
Steps to reproduce
- create a Go project
- add `github.com/golang-jwt/jwt/v5` version `v5.0.0` to your `go.mod`
- enable Dependency Scanning (DS)
- check the pipeline's Licenses tab
Example Project
What is the current bug behavior?
`github.com/golang-jwt/jwt/v5` license is unknown
What is the expected correct behavior?
`github.com/golang-jwt/jwt/v5` license is MIT
Possible fixes
- add support for Go pseudo-versions as a pre-release segment in semver_dialects