google / go-licenses

A lightweight tool to report on the licenses used by a Go package and its dependencies. Highlight! Versioned external URL to licenses can be found at the same time.
Apache License 2.0

LICENSE detection is OS specific #187

Open dprotaso opened 1 year ago

dprotaso commented 1 year ago

We noticed that go-licenses will produce different results depending on the host operating system.

i.e. https://github.com/opencontainers/selinux on Linux will pull in golang.org/x/sys but on Mac it does not.

evankanderson commented 1 year ago

Repro case:

git clone https://github.com/knative/func
cd func
go install github.com/google/go-licenses@v1.6.0
GOOS=darwin go-licenses save ./... --save_path=third_party/VENDOR-LICENSE --force
git status
# shows two deleted files and one untracked directory
GOOS=linux go-licenses save ./... --save_path=third_party/VENDOR-LICENSE --force
git status
# shows no diffs

In particular, this may affect go-licenses' ability to detect unwanted licenses which are only present for certain architectures.

Ideally, it would be possible to override the use of GOOS through a command-line flag, and be able to supply a list of operating systems (or OS + Arch combinations) which should be combined.

Bobgy commented 1 year ago

Good catch!

So far I think this is intended behavior.

Knowing the complete dependencies under all OS, arch and even build tag combinations requires running the same license detection process for each combination. (Theoretically, we can dedup license text detection and just iterate through deps for each combination.)

I would prefer leaving the choice to users.

Adding documentation for this is welcome.

dprotaso commented 1 year ago

> So far I think this is intended behavior.

This is a bug. Since the go.mod declares its Go version as go1.17, all the indirect dependencies are present. This list contains all the dependencies for all OS versions - but the license saving functionality doesn't include some of them.

dprotaso commented 1 year ago

Even vendoring (i.e. go mod vendor) includes the license - https://github.com/knative/func/tree/main/vendor/golang.org/x/sys

Bobgy commented 1 year ago

You have a point! Contributions are welcome! The main challenge is that go-licenses is implemented like go build, using an official Go dep traversal library, so you can specify GOOS, build tags, etc., but it only builds for this version. It's worth looking at whether it has options to allow traversing over all OSes.
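
The per-platform workaround discussed in this thread, as an added example that is not part of the thread or of the go-licenses project: run the tool once per GOOS, tag each row, and take the union so a license check sees dependencies that only one platform pulls in. The function names are hypothetical, the CSV column order (library, URL, license type) of `go-licenses report` is assumed, and the sample rows are constructed from the selinux and golang.org/x/sys case in the first comment.

```shell
#!/bin/sh
# Added example: union go-licenses CSV reports taken under several GOOS values.

# Run `go-licenses report` once per GOOS and prefix each CSV row with that GOOS.
# Needs go-licenses on PATH and access to the modules; not invoked by the demo.
collect_reports() {
    pkg=$1; shift
    for os in "$@"; do
        GOOS=$os go-licenses report "$pkg" | sed "s/^/$os,/"
    done
}

# Input rows:  goos,library,license_url,license_type
# Output rows: library,license_type,goos1+goos2   (sorted by library)
merge_reports() {
    awk -F, '
        { key = $2 "," $4
          if (!(key in seen)) seen[key] = $1
          else if (index("+" seen[key] "+", "+" $1 "+") == 0)
              seen[key] = seen[key] "+" $1
        }
        END { for (k in seen) print k "," seen[k] }' | sort
}

# Libraries that a run restricted to GOOS=$1 would never report.
missing_on() {
    merge_reports |
        awk -F, -v os="$1" 'index("+" $3 "+", "+" os "+") == 0 { print $1 }'
}

# Constructed sample rows (placeholder URLs), shaped like collect_reports output.
sample_rows() {
cat <<'EOF'
linux,github.com/opencontainers/selinux,https://example.invalid/selinux/LICENSE,Apache-2.0
linux,golang.org/x/sys,https://example.invalid/sys/LICENSE,BSD-3-Clause
darwin,github.com/opencontainers/selinux,https://example.invalid/selinux/LICENSE,Apache-2.0
EOF
}

sample_rows | merge_reports
echo "not seen on darwin: $(sample_rows | missing_on darwin)"
```

On a real checkout, `collect_reports ./... linux darwin windows | merge_reports` produces the combined list; gating CI on that output rather than on a single host's run avoids the host-dependent result described above.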