Skip to content

Upgrade semver_dialects gem from 2.0.2 to 3.0.0

Oscar Tovar requested to merge otovar/upgrade-semver-dialects-gem-to-v3 into master

What does this MR do and why?

Upgrade semver_dialects gem from 2.0.2 to 3.0.0

This improves the accuracy of Continuous Vulnerability Scanning and License Scanning when comparing the version of a SBOM component to the advisory database and the license database, respectively.

Additionally, this changes the error handling of raised errors from license scanning so that they're always sent to Sentry as recommended by the developer documentation. Previously, the messages were only logged which meant that after the log TTL passed, we'd be left with a very hard to debug situation as was the case with the initial update to v3.0.0. Sentry does not have the same restrictions, so this improves our ability to debug any increase in the error rate.

Lastly, the error tracking now includes, the following information that provides more detail into what went wrong:

  • The version of the package being checked
  • The range of the licenses known - lowest and highest version strings
  • The package name and purl type

This means that we can check the license exports directly to find invalid constraints in the exports instead of requiring access to the instance database.

Relates to Upgrade to semver_dialects 3.0.0 – REVERTED (!151761 - merged) Relates to Upgrade to semver_dialects v3 (#462857 - closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Oscar Tovar

Merge request reports

Loading