anchore / grant

Search an SBOM for licenses and the packages they belong to
Apache License 2.0
68 stars 7 forks

feature: update default SBOM configuration to improve source detection for Golang code #42

Open spiffcs opened 8 months ago

spiffcs commented 8 months ago

Grant consumes syft as its default SBOM generator when users don't bring their own bill of materials. This issue is a placeholder to incorporate changes in syft where source analysis of Golang programs is done by reading the entrypoint and building a dependency tree parsed from import statements in the different files.

AST (Abstract syntax tree) analysis of the source is objectively better than leveraging the go mod which has limitations of including licenses that might not be linked against the final binary.
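To make the go.mod-versus-import-graph gap concrete, here is an added example (not grant's or syft's code, and not from the issue author) that walks the import statements of a Go program from its entrypoint with the standard `go/parser` in `ImportsOnly` mode, then compares the packages it reaches against the `require` list of a go.mod. The package set `sourceUniverse`, the module paths under `github.com/acme/...`, and the go.mod text are all constructed for this example; the go.mod parsing is a deliberately simplified line scanner rather than a full modfile parser.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// sourceUniverse maps an import path to that package's Go source files.
// Constructed in-memory corpus for this example; a real tool would resolve
// packages from the module tree and module cache on disk.
var sourceUniverse = map[string]map[string]string{
	"example.com/app":               {"main.go": "package main\n\nimport (\n\t\"fmt\"\n\t\"example.com/app/internal/util\"\n\t\"github.com/acme/logger\"\n)\n\nfunc main() { fmt.Println(util.Greet(\"grant\")); logger.Info(\"done\") }\n"},
	"example.com/app/internal/util": {"util.go": "package util\n\nimport (\n\t\"strings\"\n\t\"github.com/acme/yaml\"\n)\n\nfunc Greet(s string) string { _ = yaml.Marshal; return strings.ToUpper(s) }\n"},
	"github.com/acme/logger":        {"logger.go": "package logger\n\nimport \"os\"\n\nfunc Info(s string) { os.Stdout.WriteString(s) }\n"},
	"github.com/acme/yaml":          {"yaml.go": "package yaml\n\nfunc Marshal() {}\n"},
}

// goModFile is a constructed go.mod whose require list carries one module
// (github.com/acme/unused) that no reachable source file imports.
const goModFile = "module example.com/app\n\ngo 1.21\n\nrequire (\n\tgithub.com/acme/logger v1.2.0\n\tgithub.com/acme/yaml v0.1.0 // indirect\n\tgithub.com/acme/unused v3.0.0\n)\n"

// importsOf parses one Go file (imports only, bodies skipped) and returns
// the import paths it declares.
func importsOf(filename, src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, spec := range f.Imports {
		p, err := strconv.Unquote(spec.Path.Value)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// reachablePackages walks the import graph from the entrypoint package and
// returns every import path reached. Paths absent from the universe (the
// standard library here) are recorded as leaves.
func reachablePackages(entry string, universe map[string]map[string]string) (map[string]bool, error) {
	seen := map[string]bool{}
	var visit func(pkg string) error
	visit = func(pkg string) error {
		if seen[pkg] {
			return nil
		}
		seen[pkg] = true
		for name, src := range universe[pkg] { // nil map for leaves: loop does nothing
			imps, err := importsOf(name, src)
			if err != nil {
				return fmt.Errorf("%s/%s: %w", pkg, name, err)
			}
			for _, imp := range imps {
				if err := visit(imp); err != nil {
					return err
				}
			}
		}
		return nil
	}
	if err := visit(entry); err != nil {
		return nil, err
	}
	return seen, nil
}

// requiredModules extracts module paths from go.mod require directives in
// both single-line and block form, ignoring trailing comments such as
// "// indirect". Simplified scanner, not a full modfile parser.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case fields[0] == "require" && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, fields[0])
		case fields[0] == "require" && len(fields) >= 3:
			mods = append(mods, fields[1])
		}
	}
	return mods
}

// unlinkedModules returns go.mod requirements that no reachable import path
// belongs to: license entries a go.mod-only SBOM would report even though
// nothing from them is compiled into the binary.
func unlinkedModules(required []string, reachable map[string]bool) []string {
	var out []string
	for _, mod := range required {
		linked := false
		for pkg := range reachable {
			if pkg == mod || strings.HasPrefix(pkg, mod+"/") {
				linked = true
				break
			}
		}
		if !linked {
			out = append(out, mod)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	reach, err := reachablePackages("example.com/app", sourceUniverse)
	if err != nil {
		panic(err)
	}
	var pkgs []string
	for p := range reach {
		pkgs = append(pkgs, p)
	}
	sort.Strings(pkgs)
	fmt.Println("reachable from entrypoint:", pkgs)
	fmt.Println("in go.mod but never linked:", unlinkedModules(requiredModules(goModFile), reach))
}
```

Run as-is, the walk reaches `github.com/acme/logger` and `github.com/acme/yaml` (the latter only transitively through `internal/util`) while `github.com/acme/unused` appears in go.mod alone; that last entry is exactly the kind of license obligation a go.mod-driven SBOM attributes to the binary although no code from it is linked. The prefix match in `unlinkedModules` is what ties package import paths back to the module that provides them.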