
Rails backend should perform case insensitive look up for license scanning with Golang packages

Summary

In PMDB we normalize package names for Golang. That means that any Golang package name containing upper-case letters is stored in lower case in PMDB.

Steps to reproduce

  • configure a Golang project with the dependency: github.com/Docker/docker@v25.0.2+incompatible (note the capital letter)
  • configure DS job
  • check result of license scanning (unknown)

When the dependency name is fully lower-cased, the result is Apache License 2.0.

Example Project

https://gitlab.com/gitlab-org/secure/tests/go-modules-missing-version/-/pipelines/1283509995/licenses

What is the current bug behavior?

License is unknown when project's dependency is not lowercased.

What is the expected correct behavior?

License is correctly detected independently of the project's dependency being lowercased or not.

Possible fixes

Update Rails backend to perform a case insensitive lookup for Golang packages when looking for license data.
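An added example (not GitLab's code) of the lookup change this issue proposes, in Ruby since the Rails backend is the component involved. PMDB is stood in for by a constructed in-memory hash keyed the way the issue describes (Go module paths stored in lower case); the function names and the `golang` package-type label are assumptions.

```ruby
# Added example, not GitLab's code: case-insensitive license lookup for Go packages.
# PMDB is replaced here by a constructed in-memory hash: module path -> version -> licenses,
# with Go module paths already stored in lower case, as the issue describes.
PMDB_SAMPLE = {
  "github.com/docker/docker" => {
    "v25.0.2+incompatible" => ["Apache License 2.0"],
  },
}.freeze

# Package types whose names PMDB stores lower-cased. The issue only states this
# for Go, so other ecosystems are left case-sensitive here (assumption).
CASE_INSENSITIVE_TYPES = %w[golang].freeze

# Split a "path@version" dependency string into its two parts.
def parse_dependency(dep)
  path, version = dep.split("@", 2)
  raise ArgumentError, "missing version in #{dep}" if version.nil? || version.empty?
  [path, version]
end

# Normalize a package name the way PMDB does for Go modules: lower case.
def normalize_name(package_type, name)
  CASE_INSENSITIVE_TYPES.include?(package_type) ? name.downcase : name
end

# Current behaviour as the issue reports it: an exact-case lookup, so a
# dependency declared as github.com/Docker/docker matches nothing.
def licenses_for_case_sensitive(dep, db = PMDB_SAMPLE)
  path, version = parse_dependency(dep)
  db.dig(path, version) || ["unknown"]
end

# Proposed fix: normalize the name for the package type before the lookup.
def licenses_for(package_type, dep, db = PMDB_SAMPLE)
  path, version = parse_dependency(dep)
  db.dig(normalize_name(package_type, path), version) || ["unknown"]
end

if __FILE__ == $PROGRAM_NAME
  dep = "github.com/Docker/docker@v25.0.2+incompatible"
  puts "case-sensitive:   #{licenses_for_case_sensitive(dep).inspect}"
  puts "case-insensitive: #{licenses_for('golang', dep).inspect}"
end
```

Normalizing only on the lookup side means the stored PMDB rows stay untouched; the same `normalize_name` hook is where any further per-ecosystem rules would go.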

Relates to

Package with too many versions lead to inconsis... (#442419 - closed)

Edited by Olivier Gonzalez