
Fetch details remotely for Go dependencies. #2495

Open
S3j5b0 opened this issue Apr 13, 2021 · 6 comments
Labels
dependencies live-online-scan Anything that requires live, online network access (and would not work in an isolated network) package scan

Comments

@S3j5b0

S3j5b0 commented Apr 13, 2021

Hi, I'm currently looking at this project because I had heard that I would be able to easily scan, and check whether or not my license was harmonizing with the licenses of my dependencies.

So now for running the command, I used the flag -ic, because I thought scanning for licenses and copyrights would probably be appropriate.
I run this:

scancode -ic devops-21/ --json-pp output.json

And get a nice output file. However, the file really makes no sense to me, and I don't know what to use it for.
Maybe this is a case of me using the wrong flags; in that case maybe someone can point me in the correct direction?

File walkthrough

First this header, which seems correct enough, albeit a little verbose:

  "headers": [
    {
      "tool_name": "scancode-toolkit",
      "tool_version": "21.3.31",
      "options": {
        "input": [
          "devops-21/"
        ],
        "--copyright": true,
        "--info": true,
        "--json-pp": "outut.json"
      },
      "notice": "Generated with ScanCode and provided on an \"AS IS\" BASIS, WITHOUT WARRANTIES\nOR CONDITIONS OF ANY KIND, either express or implied. No content created from\nScanCode should be considered or used as legal advice. Consult an Attorney\nfor any legal advice.\nScanCode is a free software code scanning tool from nexB Inc. and others.\nVisit https://github.com/nexB/scancode-toolkit/ for support and download.",
      "start_timestamp": "2021-04-13T190800.885116",
      "end_timestamp": "2021-04-13T190952.168478",
      "duration": 111.28337836265564,
      "message": null,
      "errors": [],
      "extra_data": {
        "files_count": 90
      }
    }
  ],

Then comes a small section for each file in the project, which looks like this; all the files in my project have more or less this layout.

{
  "path": "devops-21/controllers/api/messageController.go",
  "type": "file",
  "name": "messageController.go",
  "base_name": "messageController",
  "extension": ".go",
  "size": 3996,
  "date": "2021-04-03",
  "sha1": "6c4bb1ae7fc641e865bea63435325843bfe1a259",
  "md5": "991e97b9d8a1ec0b8b4bf6958aa36274",
  "sha256": "d2dfd3843f992198e34b1a83a7262afe40d206f47e03cf6d15a651c4deb8209d",
  "mime_type": "text/plain",
  "file_type": "ASCII text",
  "programming_language": "Go",
  "is_binary": false,
  "is_text": true,
  "is_archive": false,
  "is_media": false,
  "is_source": true,
  "is_script": false,
  "copyrights": [],
  "holders": [],
  "authors": [],
  "files_count": 0,
  "dirs_count": 0,
  "size_count": 0,
  "scan_errors": []
},

And that's about it. Now, I just really don't know what any of this says about my dependencies.

How can I use this tool to decipher some things regarding the licenses of my dependencies?

thanks
@AyanSinhaMahapatra
Member

@S3j5b0

reiterating my comment from here

Use more options to scan for more things, see docs at scan example and all CLI options for more details.

You have to use the -l or --license option for license detection.

Please take a look at the docs.

@pombredanne
Member

Now, I just really don't know what any of this says anything about my dependencies.
How can I use this tool to decipher some things regarding the licenses of my dependencies?

Assuming your dependencies are present in the directory you scan, you should use the --package option to get the package details (and that would also cover dependencies)

@S3j5b0 what is your typical platform/programming language?
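The two maintainer replies above point at the -l (license detection) and --package options, and the original post asks what to actually do with the resulting JSON. The following is an added example (not part of the scancode-toolkit project) that reads a ScanCode result and answers those questions programmatically: which licenses were detected per file, which dependencies each detected package manifest declares, and which Go source files carry no detectable license at all. It assumes the 21.x JSON layout produced by `scancode -l --package --json-pp out.json`: a top-level "files" list where each file entry may carry a "licenses" list of {"key", "score"} items and a "packages" list whose entries hold a "dependencies" list of {"purl", "scope"} items. The SAMPLE document, including the package URLs in it, is constructed for this example and is not real scan output.

```python
"""Summarise a ScanCode Toolkit JSON result: licenses per file and the
dependencies declared in detected package manifests.

Added example, not scancode-toolkit's own code. Assumes the 21.x output
layout described in the lead-in; the SAMPLE below is constructed.
"""
import json
from collections import defaultdict

# Constructed sample: one Go source file with a detected MIT header, one
# go.mod manifest with two declared dependencies, and one Go file with no
# license text at all. Package URLs are illustrative, not real scan output.
SAMPLE = json.dumps({
    "headers": [{"tool_name": "scancode-toolkit", "tool_version": "21.3.31"}],
    "files": [
        {
            "path": "devops-21/controllers/api/messageController.go",
            "type": "file",
            "licenses": [{"key": "mit", "score": 100.0}],
            "packages": [],
        },
        {
            "path": "devops-21/go.mod",
            "type": "file",
            "licenses": [],
            "packages": [{
                "type": "golang",
                "name": "devops-21",
                "dependencies": [
                    {"purl": "pkg:golang/github.com/gorilla/mux@v1.8.0", "scope": "require"},
                    {"purl": "pkg:golang/github.com/lib/pq@v1.10.0", "scope": "require"},
                ],
            }],
        },
        {
            "path": "devops-21/main.go",
            "type": "file",
            "licenses": [],
            "packages": [],
        },
    ],
})


def parse(text):
    """Parse the JSON text of a ScanCode result into a dict."""
    return json.loads(text)


def file_entries(doc):
    """Return the per-file entries, skipping directory entries."""
    return [f for f in doc.get("files", []) if f.get("type") == "file"]


def licenses_by_file(doc, min_score=80.0):
    """Map path -> sorted license keys detected with score >= min_score.

    Low-score matches are usually partial or false hits, so they are
    filtered out before anyone reads the summary as a compliance signal.
    """
    out = {}
    for f in file_entries(doc):
        keys = {lic["key"] for lic in f.get("licenses", [])
                if lic.get("score", 0) >= min_score}
        out[f["path"]] = sorted(keys)
    return out


def declared_dependencies(doc):
    """Map manifest path -> list of dependency purls found in that manifest."""
    deps = defaultdict(list)
    for f in file_entries(doc):
        for pkg in f.get("packages", []):
            for dep in pkg.get("dependencies", []):
                deps[f["path"]].append(dep["purl"])
    return dict(deps)


def files_without_license(doc, source_exts=(".go",)):
    """Source files (by extension) for which no license was detected."""
    return [path for path, keys in licenses_by_file(doc).items()
            if not keys and path.endswith(source_exts)]


if __name__ == "__main__":
    doc = parse(SAMPLE)
    for path, keys in licenses_by_file(doc).items():
        print(f"{path}: {', '.join(keys) or '(no license detected)'}")
    for path, purls in declared_dependencies(doc).items():
        print(f"{path} declares {len(purls)} dependencies:")
        for purl in purls:
            print(f"  {purl}")
    print("unlicensed Go sources:", files_without_license(doc))
```

To run it against a real scan, replace SAMPLE with the contents of the --json-pp output file. Note that, as the thread says, the dependency list only reflects what the manifest in the scanned tree declares; the licenses of the dependencies themselves are only found if their source is present in the scanned directory.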

@pombredanne
Member

Gentle ping, before I close this

@pombredanne pombredanne changed the title Understanding how to use output Fetch details remotely for Go dependencies. Feb 2, 2022
@pombredanne pombredanne added live-online-scan Anything that requires live, online network access (and would not work in an isolated network) package scan labels Feb 2, 2022
@pombredanne
Member

I renamed the issue. We will be adding a feature to fetch remotely the dependency details when not available in the scanned code

@pombredanne
Member

See also #1237

@S3j5b0 S3j5b0 closed this as completed Feb 7, 2022
@pombredanne
Member

@S3j5b0 I would like to keep this open until fixed.

@pombredanne pombredanne reopened this Feb 7, 2022
3 participants