Open kzantow opened 3 months ago
@kzantow - why is Go marked as checked? How do we get the license of Go modules?
@mykaul check out the golang section of the Syft configuration file: https://github.com/anchore/syft/wiki/configuration -- there are two settings, search-local-mod-cache-licenses and search-remote-licenses, that can be enabled to retrieve license data.
Thanks! I think what tricked me is that by default (syft-text?) you do not see the license, so I did not even bother to look further. Very helpful, thanks again.
Any idea why I get a different output report when scanning the same package with remote search licenses: true for Go modules on different machines?
On one machine - licenses info is presented:
{
"id": "5a2f10fe8c37697d",
"name": "github.com/alecthomas/units",
"version": "v0.0.0-20211218093645-b94a6e3cc137",
"type": "go-module",
"foundBy": "go-module-binary-cataloger",
"locations": [
{
"path": "/opt/scylladb/node_exporter/node_exporter",
"layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188",
"accessPath": "/opt/scylladb/node_exporter/node_exporter",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [
{
"value": "MIT",
"spdxExpression": "MIT",
"type": "concluded",
"urls": [],
"locations": [
{
"path": "github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137/COPYING",
"accessPath": "github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137/COPYING"
}
]
}
],
"language": "go",
"cpes": [
{
"cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*",
"source": "syft-generated"
}
],
"purl": "pkg:golang/github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137",
"metadataType": "go-module-buildinfo-entry",
"metadata": {
"goCompiledVersion": "go1.21.4",
"architecture": "amd64",
"h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=",
"mainModule": "github.com/prometheus/node_exporter"
}
},
On another machine the license info is missing:
{
"id": "67d84fc35f370e95",
"name": "github.com/alecthomas/units",
"version": "v0.0.0-20211218093645-b94a6e3cc137",
"type": "go-module",
"foundBy": "go-module-binary-cataloger",
"locations": [
{
"path": "/opt/scylladb/node_exporter/node_exporter",
"layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188",
"accessPath": "/opt/scylladb/node_exporter/node_exporter",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [],
"language": "go",
"cpes": [
{
"cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*",
"source": "syft-generated"
}
],
"purl": "pkg:golang/github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137",
"metadataType": "go-module-buildinfo-entry",
"metadata": {
"goCompiledVersion": "go1.21.4",
"architecture": "amd64",
"h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=",
"mainModule": "github.com/prometheus/node_exporter"
}
},
Both machines are installed with Fedora release 37.
Verify the configuration file is identical and accessible on both machines. Perhaps running syft with debug will show it.
Seems it is related to the same issue https://github.com/anchore/syft/issues/2798
The creation of the $HOME/go/pkg/mod directory solved the issue.
Waiting for https://github.com/anchore/syft/pull/2852 for the official fix.
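The two records posted above differ only in their "licenses" array, which is easy to miss by eye in a large SBOM. The script below is an added example (not Syft's code and not from this thread): it embeds two constructed, trimmed package records modelled on the ones above, reports which Go modules have an empty licenses list, diffs the license sets between two reports, and computes the module cache directory the workaround in this thread created. The top-level "artifacts" key is Syft's JSON output layout; the GOMODCACHE/GOPATH fallback order is Go's own convention and is an assumption about what Syft's local cache lookup expects, not something confirmed by the thread.

```python
"""Flag Go modules missing license data in Syft JSON and diff two reports.

Added example for this issue thread; not part of the Syft project.
"""
import json
import os

PURL = "pkg:golang/github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137"


def _record(licenses):
    # Constructed, trimmed package record shaped like the ones in the thread.
    return {
        "name": "github.com/alecthomas/units",
        "version": "v0.0.0-20211218093645-b94a6e3cc137",
        "type": "go-module",
        "purl": PURL,
        "licenses": licenses,
    }


# Constructed sample reports: "artifacts" is the package array in syft-json output.
REPORT_WITH_LICENSE = json.dumps(
    {"artifacts": [_record([{"value": "MIT", "spdxExpression": "MIT", "type": "concluded"}])]}
)
REPORT_WITHOUT_LICENSE = json.dumps({"artifacts": [_record([])]})


def license_map(report_json):
    """Map each package's purl to its sorted list of SPDX expressions."""
    doc = json.loads(report_json)
    out = {}
    for pkg in doc.get("artifacts", []):
        key = pkg.get("purl") or f"{pkg['name']}@{pkg['version']}"
        out[key] = sorted(
            lic.get("spdxExpression") or lic.get("value", "") for lic in pkg.get("licenses", [])
        )
    return out


def unlicensed_go_modules(report_json):
    """Return purls of go-module packages whose licenses list is empty."""
    doc = json.loads(report_json)
    return sorted(
        pkg["purl"]
        for pkg in doc.get("artifacts", [])
        if pkg.get("type") == "go-module" and not pkg.get("licenses")
    )


def license_drift(report_a, report_b):
    """Packages present in both reports whose license sets differ: purl -> (a, b)."""
    a, b = license_map(report_a), license_map(report_b)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}


def go_mod_cache_dir(env=None):
    """Module cache directory to check before enabling local-mod-cache license search.

    Assumption: GOMODCACHE, then GOPATH/pkg/mod, then $HOME/go/pkg/mod (Go's
    convention); the thread's workaround created $HOME/go/pkg/mod.
    """
    env = os.environ if env is None else env
    if env.get("GOMODCACHE"):
        return env["GOMODCACHE"]
    gopath = env.get("GOPATH") or os.path.join(env.get("HOME", ""), "go")
    return os.path.join(gopath, "pkg", "mod")


if __name__ == "__main__":
    print("unlicensed:", unlicensed_go_modules(REPORT_WITHOUT_LICENSE))
    print("drift:", license_drift(REPORT_WITH_LICENSE, REPORT_WITHOUT_LICENSE))
    cache = go_mod_cache_dir()
    print("mod cache:", cache, "(exists)" if os.path.isdir(cache) else "(missing)")
```

Run it against two real reports by replacing the constructed strings with the contents of `syft <target> -o json` from each machine; a non-empty drift map pinpoints the packages whose license lookup silently failed on one side, and a missing mod cache directory is the first thing to check.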
Syft should be able to include license information for packages it finds. Sometimes this information is present in the metadata on disk, other times it is only available by some remote source. This is an uber-issue about capturing licenses for all packages. Each ecosystem will likely have a different mechanism of capturing license information.
Ecosystems:
Some related issues: