Canonicalize dependency list names
What does this MR do and why?
This merge request overrides the default name getter for Gitlab::Ci::Reports::LicenseScanning::Dependency, extending it with the package name normalization provided by Sbom::PackageUrl::Normalizer.
This was necessary because we normalize package names elsewhere in the system, which led to comparisons between canonical and non-canonical representations (e.g. Django versus django), so licenses were not being shown in the user interface.
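The mismatch described above, as an added example that is not GitLab's own code: a hypothetical `PackageNameNormalizer` stands in for `Sbom::PackageUrl::Normalizer` (its pypi and npm rules are the ones from the package-url spec; every other type is passed through unchanged), a simplified `Dependency` class exposes a canonical `name` the way this MR does for the report entry, and `LICENSES` is a constructed license table keyed by canonical names, standing in for the already-normalized package metadata. `license_for_raw` shows the pre-fix lookup missing on `Django`, while `license_for` finds it through the canonical name.

```ruby
# Added example, not GitLab's code. Simplified stand-in for
# Sbom::PackageUrl::Normalizer; rules for pypi/npm follow the purl spec.
module PackageNameNormalizer
  module_function

  # Return the canonical form of +name+ for the given package +type+.
  def normalize(type:, name:)
    case type
    when 'pypi'
      # purl/PEP 503: case-insensitive, '_' and '-' are interchangeable
      name.downcase.tr('_', '-')
    when 'npm'
      # purl: npm names are lowercased
      name.downcase
    else
      name # assumption: other ecosystems are case-sensitive, keep as-is
    end
  end
end

# Hypothetical report entry mirroring the approach of this MR: the name
# getter returns the canonical name so every comparison uses it.
class Dependency
  attr_reader :raw_name, :package_manager, :version

  def initialize(name:, package_manager:, version:)
    @raw_name = name
    @package_manager = package_manager
    @version = version
  end

  # Canonical name used for comparisons and lookups.
  def name
    PackageNameNormalizer.normalize(type: package_manager, name: raw_name)
  end
end

# Constructed license data keyed by [type, canonical name], standing in
# for the normalized package-metadata/license-db records.
LICENSES = {
  %w[pypi django] => 'BSD-3-Clause',
  %w[pypi pillow] => 'HPND',
  %w[npm lodash]  => 'MIT'
}.freeze

# After the fix: look up by the canonical name.
def license_for(dep)
  LICENSES.fetch([dep.package_manager, dep.name], 'unknown')
end

# Before the fix: look up by the raw scanner name; 'Django' misses 'django'.
def license_for_raw(dep)
  LICENSES.fetch([dep.package_manager, dep.raw_name], 'unknown')
end

if __FILE__ == $PROGRAM_NAME
  dep = Dependency.new(name: 'Django', package_manager: 'pypi', version: '4.2')
  puts "raw lookup:       #{license_for_raw(dep)}" # unknown
  puts "canonical lookup: #{license_for(dep)}"     # BSD-3-Clause
end
```

Only the getter changes; callers that compare or index by `name` pick up the canonical form without being touched, which is why normalizing at this single point fixes the missing licenses in both the License Compliance and Dependency list views.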
Screenshots or screen recordings
Before
Django is shown without a license next to it:
After
Django is shown with a license next to it (unknown because my local development environment has not been synced with the license-db bucket):
How to set up and validate locally
Enable the new license scanning feature flags in a Rails console:

```
[6] pry(main)> Feature.enable(:license_scanning_sbom_scanner)
[7] pry(main)> Feature.enable(:package_metadata_synchronization)
```

Clone the python-pipenv test project into a new project and edit its .gitlab-ci.yml to:

```yaml
stages:
  - test
include:
  - template: Dependency-Scanning.gitlab-ci.yml
```

Push the updated .gitlab-ci.yml to your new project. After the dependency scanning job runs you should be able to see information in:

- Security & Compliance > License Compliance
- Security & Compliance > Dependency list

This fix has worked as expected if Django is shown on the Security & Compliance > Dependency list page with a license next to it (unknown if your database isn't in sync with license-db).
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.