Check supported versions when querying compressed package metadata

What does this MR do and why?

This merge request adds further checks for the case where the requested version does not match any version stored in other_licenses in pm_packages. After this change, if the version does not match the regular expression used by the license-db exporter, we treat it as unknown. Similarly, if the version falls outside the lowest_version and highest_version bounds stored in pm_packages, we treat it as unknown. Earlier iterations did not support these checks, and this merge request helps avoid misclassifications where an invalid version is assigned licenses from the default license set.
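The lookup order described above, as an added Ruby example (not GitLab's own code). The compressed entry layout [default_license_ids, lowest_version, highest_version, other_licenses] is taken from the Rails console record in the validation steps below; the shape of other_licenses (pairs of license ids and versions) and the VERSION_RE stand-in for the license-db exporter's regex are assumptions, since this page shows neither.

```ruby
# Added example, not GitLab's code: resolve the licenses for a requested
# version from a compressed pm_packages.licenses entry.
require "rubygems" # Gem::Version, normally preloaded by Ruby

# ASSUMPTION: stand-in for the exporter's regex, which this page does not show.
VERSION_RE = /\A\d+\.\d+\.\d+(?:-[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?\z/
UNKNOWN = :unknown

def licenses_for(compressed, version)
  default_ids, lowest, highest, other_licenses = compressed

  # 1. An exact match in other_licenses wins, whatever the version looks like.
  #    ASSUMPTION: other_licenses is an array of [license_ids, versions] pairs.
  other_licenses.each do |ids, versions|
    return ids if versions.include?(version)
  end

  # 2. A version the exporter could never have produced is unknown, not default.
  return UNKNOWN unless version.match?(VERSION_RE)

  # 3. A version outside [lowest, highest] (inclusive) is unknown, not default.
  requested = Gem::Version.new(version)
  bounds = Gem::Version.new(lowest)..Gem::Version.new(highest)
  return UNKNOWN unless bounds.cover?(requested)

  # 4. Only a well-formed, in-range version falls back to the default set.
  default_ids
end

# Constructed sample mirroring the console record for github.com/alexbyk/panicif,
# plus one constructed other_licenses entry so step 1 is exercised.
PANICIF = [[1], "0.0.0-20171212234513-42f8ecbb0dc8", "1.1.0", [[[2, 3], ["1.0.5"]]]]

if __FILE__ == $PROGRAM_NAME
  ["1.1.0", "invalid-version", "9.9.9", "1.0.5"].each do |v|
    puts "#{v}: #{licenses_for(PANICIF, v).inspect}"
  end
end
```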

Related Issue

Add highest version support when querying compr... (#410434 - closed)

Related Merge Request

Update package metadata license lookup to use c... (!119607 - merged)

Relevant Discussion

!119607 (comment 1379416980)

Screenshots or screen recordings

Invalid Version

Before / After screenshots (images not included)

Version Too High

Before / After screenshots (images not included)

Existing Go Project

Sense checking existing behaviour:

After screenshot (image not included)

How to set up and validate locally

Invalid Version

  1. Sync package metadata and confirm the example package is present in your Rails console:

    [2] pry(main)> PackageMetadata::Package.where.not(licenses: nil).where(purl_type: "golang", name: "github.com/alexbyk/panicif")
      PackageMetadata::Package Load (0.7ms)  SELECT "pm_packages".* FROM "pm_packages" WHERE "pm_packages"."licenses" IS NOT NULL AND "pm_packages"."purl_type" = 4 AND "pm_packages"."name" = 'github.com/alexbyk/panicif' /*application:console,db_config_name:main,console_hostname:skomer.local,console_username:mcfilib,line:bin/rails:4:in `<main>'*/
    => [#<PackageMetadata::Package:0x00000001354dcb60
      id: 706180,
      purl_type: "golang",
      name: "github.com/alexbyk/panicif",
      created_at: Thu, 16 Mar 2023 14:29:04.417532000 UTC +00:00,
      updated_at: Wed, 04 Oct 2023 14:13:43.578573000 UTC +00:00,
      licenses: [[1], "0.0.0-20171212234513-42f8ecbb0dc8", "1.1.0", []]>]
  2. Create a .gitlab-ci.yml with the following contents:

    stages:
    - build
    
    manual-sbom-upload:
      stage: build
      script:
        - echo "hello, world!"
      artifacts:
        paths:
          - "**/gl-sbom-*.cdx.json"
        reports:
          cyclonedx: "**/gl-sbom-*.cdx.json"
  3. Add a file called gl-sbom-go-go.cdx.json with the following contents:

    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "serialNumber": "urn:uuid:32dc3b6b-22ba-43ec-8dd0-34a98f61db89",
      "version": 1,
      "metadata": {
        "timestamp": "2023-10-04T12:46:41Z",
        "tools": [
          {
            "vendor": "GitLab",
            "name": "Gemnasium",
            "version": "4.2.0"
          }
        ],
        "authors": [
          {
            "name": "GitLab",
            "email": "support@gitlab.com"
          }
        ],
        "properties": [
          {
            "name": "gitlab:dependency_scanning:input_file",
            "value": "go.sum"
          },
          {
            "name": "gitlab:dependency_scanning:input_file:path",
            "value": "go.sum"
          },
          {
            "name": "gitlab:dependency_scanning:package_manager",
            "value": "go"
          },
          {
            "name": "gitlab:dependency_scanning:package_manager:name",
            "value": "go"
          },
          {
            "name": "gitlab:meta:schema_version",
            "value": "1"
          }
        ]
      },
      "components": [
        {
          "name": "github.com/84KaliPleXon3/g",
          "version": "1.1.0",
          "purl": "pkg:golang/github.com/alexbyk/panicif@1.1.0",
          "type": "library",
          "bom-ref": "pkg:golang/github.com/alexbyk/panicif@1.1.0"
        }
      ]
    }
  4. Edit gl-sbom-go-go.cdx.json so that the component's version is invalid:

    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "serialNumber": "urn:uuid:32dc3b6b-22ba-43ec-8dd0-34a98f61db89",
      "version": 1,
      "metadata": {
        "timestamp": "2023-10-04T12:46:41Z",
        "tools": [
          {
            "vendor": "GitLab",
            "name": "Gemnasium",
            "version": "4.2.0"
          }
        ],
        "authors": [
          {
            "name": "GitLab",
            "email": "support@gitlab.com"
          }
        ],
        "properties": [
          {
            "name": "gitlab:dependency_scanning:input_file",
            "value": "go.sum"
          },
          {
            "name": "gitlab:dependency_scanning:input_file:path",
            "value": "go.sum"
          },
          {
            "name": "gitlab:dependency_scanning:package_manager",
            "value": "go"
          },
          {
            "name": "gitlab:dependency_scanning:package_manager:name",
            "value": "go"
          },
          {
            "name": "gitlab:meta:schema_version",
            "value": "1"
          }
        ]
      },
      "components": [
        {
          "name": "github.com/84KaliPleXon3/g",
          "version": "invalid-version",
          "purl": "pkg:golang/github.com/alexbyk/panicif@invalid-version",
          "type": "library",
          "bom-ref": "pkg:golang/github.com/alexbyk/panicif@invalid-version"
        }
      ]
    }
  5. Verify that the list of licenses displays unknown.

Version Too High

The steps are the same as above except that you change the package's version number in the SBOM to something like 9.9.9 so that it is outside of the version bounds.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Adam Cohen