search

google / go-licenses

A lightweight tool to report on the licenses used by a Go package and its dependencies. Highlight! Versioned external URL to licenses can be found at the same time.
Apache License 2.0
833 stars 125 forks source link

Works around missing Module.dir for vendored Modules #178

Open jaxesn opened 1 year ago

jaxesn commented 1 year ago

Fixes: #143

When scanning for a license for a particular module, go-licenses will traverse up the directory structure looking for LICENSE (or some variant of) file. The find code tries to use the module's rootdir as a guard rail for this traversal up. The intent being that a license should be found at some point within the module's root, not above.

In the case of vendored modules, the Module.Dir returned from the golang tools package is actually empty. I do not know exactly why this is, but it seems to be something about about what metadata exists, or does not exist, in the vendor directory for these modules. Since Module.Dir is empty and is used as the stopping point for traversal up the directory structure, if a module is missing a LICENSE the code will continue searching until it ultimately finds the LICENSE in the root of the repo, which in these cases is incorrect since these dependencies should have their own licenses.

Since the root license is found, go-licenses does not inform the user of the missing license for that module, which it would normally do. In addition, this results in an odd side effect when running the csv subcommand. When go-licenses finds multiple packages using the same LICENSE file it groups them together and uses this to determine its final name in the csv file, typically github.com//. Since deps missing LICENSES files match with the root package, the csv file ends up having github.com listed in one of the rows since its the commonAncestor. I believe this matching of packages is to handle legit cases where modules have subfolders/submodules which are licensed together.

The library code already had specific handling for vendored modules later in the process. This was extract out to be shared during the finding license process so that when vendor modules are detected the rootDir is inferred based on the vendor directory and the package path to ensure the traversal stops at the module root.

google-cla[bot] commented 1 year ago

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.