Grant consumes syft as its default SBOM generator when users don't bring their own bill of materials. This issue is a placeholder to incorporate changes in syft where source analysis of Golang programs is done by reading the entrypoint and building a dependency tree parsed from import statements in the different files.
AST (Abstract syntax tree) analysis of the source is objectively better than leveraging the go mod, which has limitations of including licenses that might not be linked against the final binary.
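As an added illustration (not code from syft or Grant), the Go sketch below walks import statements from an entrypoint with `go/parser` and reports the go.mod requirements that nothing reachable imports, which is the set whose licenses a go.mod-only SBOM would over-report. The package tree, module paths and the `walk`/`unlinked` names are constructed for the example, and one source file stands in for each package.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample (as is the require list in main): import path -> one source file.
var tree = map[string]string{
	"example.com/app":       "package main\nimport \"example.com/app/cfg\"\nfunc main() {}\n",
	"example.com/app/cfg":   "package cfg\nimport (\n\"os\"\n\"github.com/used/yaml/encoder\"\n)\n",
	"example.com/app/tools": "package tools\nimport \"github.com/unused/lint\"\n",
}

// walk marks pkg and everything it imports, transitively, in seen.
func walk(pkg string, seen map[string]bool) error {
	src, ok := tree[pkg]
	if seen[pkg] || !ok { // already visited, or stdlib / source not in the tree
		seen[pkg] = true
		return nil
	}
	seen[pkg] = true
	f, err := parser.ParseFile(token.NewFileSet(), pkg+"/x.go", src, parser.ImportsOnly)
	for i := 0; err == nil && i < len(f.Imports); i++ {
		err = walk(strings.Trim(f.Imports[i].Path.Value, "\"`"), seen)
	}
	return err
}

// unlinked returns the go.mod requirements that no import reachable from entry falls under.
func unlinked(entry string, requires []string) ([]string, error) {
	seen, out := map[string]bool{}, []string{}
	err := walk(entry, seen)
	for _, mod := range requires {
		used := false
		for p := range seen {
			used = used || p == mod || strings.HasPrefix(p, mod+"/")
		}
		if !used {
			out = append(out, mod)
		}
	}
	return out, err
}

func main() {
	fmt.Println(unlinked("example.com/app", []string{"github.com/used/yaml", "github.com/unused/lint"}))
}
```

Here `github.com/unused/lint` is required in go.mod but only imported by `tools/`, which the entrypoint never reaches, so it is the one module reported.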