-
Notifications
You must be signed in to change notification settings - Fork 593
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to identify license on Golang packages imported by URL #1056
Comments
Thanks for filing the issue @lucasgonze. We're currently taking a look at making license detection consistent for all outputs of syft. I'll add this issue in with the group of other license bugs that have been filed. |
I have been struggling with a similar issue. My sample package main
import (
"fmt"
"github.com/eriknordmark/ipinfo"
)
func main() {
fmt.Println(ipinfo.IPInfo{})
} and the relevant part of spdx-json: {
"name": "github.com/eriknordmark/ipinfo",
"SPDXID": "SPDXRef-Package-go-module-github.com-eriknordmark-ipinfo-fd9b9f9ec75774ef",
"versionInfo": "v0.0.0-20190220084921-7ee0839158f9",
"downloadLocation": "NOASSERTION",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "0e2222f1766f677ea05598fe650e31313fd9927289035c9162ff32aa2e8371b9"
}
],
"sourceInfo": "acquired package info from go module information: /tmp/spdxtest/dtest",
"licenseConcluded": "NONE", The license file exists at https://github.com/eriknordmark/ipinfo/blob/master/LICENSE, just like the original poster. So what am I missing? More to the point, how can I help fix this? |
I just spent a while going through the syft code. I gained a bit of an understanding of how it works. As far as I can tell, there is no stage wherein it gets the golang pkg license. Is that correct? The package info is added here, which includes no information about the license. I can see a few ways to get the license:
Is my analysis correct @spiffcs ? Is there anything in progress? If not, how can we assist? |
OK, so it is a fair analysis. @spiffcs I am willing to take a stab at this, if you (or someone else on the team) can point me as to which approach to take from the above. |
Hey @deitch -- one thing we want to be very cautious of is connecting to external (network) sources. We have users of Syft on air-gapped environments where this won't work. We are not opposed to adding things that reach out to the internet, but need to make sure these are not enabled by default and/or can be disabled. We are currently searching for Node package licenses in That said, are there any |
I'll dig back into the tools, but I don't recall any that provides it offhand. The challenge with relying on the pkg directory is that it only exists on the build machine. If you scan it elsewhere - very obvious example is a container image - then all of that doesn't exist. I agree about reaching out to the network as a problem for airgapped environments, or anyone who doesn't want to be connecting outwards. My thought was to do it as an option. Something like
Or That says, "if you come across a package (of any kind) whose license might be retrievable from the network, attempt to do so if the option is Would that work? |
What happened:
Given a Golang package that imports from a URL, licenseConcluded in the associated SPDX file is "none". The remote package has a clearly identifiable license file.
What you expected to happen:
The remote repo (https://github.com/aws/aws-sdk-go) has a LICENSE.txt. I expected that to be deferenced and used.
How to reproduce it (as minimally and precisely as possible):
I have a golang file:
./test.go
Containing a remote import:
I process the file using the syft cli and generate spdx. The spdx code generated is:
Anything else we need to know?:
Environment:
syft version
:syft 0.46.3
cat /etc/os-release
or similar):OS X 11.6
** Screenshot**
The text was updated successfully, but these errors were encountered: