Open sgnn7 opened 4 years ago
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.
The labels on this github issue will be updated when the story is started.
@sgnn7 Those paths listed are the ones that are explicitly inside of the go.mod file. The license is unknown because there does not look like there is a way to find the license unless we actually hit the web. Is this more about the fact they are unknown or you are expecting to see more than just the vendored stuff because of the -mod=vendor
flag? This was done a while ago so I forget why we explicitly put that flag in there :S
@xtreme-shane-lattanzio
Those paths listed are the ones that are explicitly inside of the go.mod file
The paths in error are the ones from go list
that instead of using the cache path ($GOPATH/pkg/mod
) or downloading them from the web are forced to look into ./vendored/<pkgname>
The license is unknown because there does not look like there is a way to find the license unless we actually hit the web
go mod download
should be able to fetch these into the local GOPATH
cache for checking of licenses
Is this more about the fact they are unknown or you are expecting to see more than just the vendored stuff because of the -mod=vendor flag?
It's more about the unknown
part of this - without the license identification, there's no point in running license_checker
at all since it's pretty much just giving out formatted go list
output and appending unknown
to it. If you change the -mod=vendor
in the code to -mod=readonly
you can see a clear difference in internal resolution of paths.
We rely on having the code and having everything vendored in to get the source information. The prepare
command that LF is running is GO111MODULE=on go mod tidy && GO111MODULE=on go mod vendor
If there is no code, tidy will just clear everything out. We want to just affect the project itself and not the system.
Looking quickly regarding the -mod=vendor
flag, I see the difference and in this example the path is just blank but there is still not license information that is reported. There is also one additional package that is shown.
@xtreme-shane-lattanzio Yeah maybe this particular example I've given isn't the best (I was initially running this example on this repo) but doing a go mod download
and removing the -mod=vendor
returned about 1/2 of the import_path
s correctly from read_package
which is much better than the current output.
When using this codebase against a
go.mod
GO111MODULES
-backed codebase that doesn't have code vendored, no license data for dependencies is returned as the path prefix for the packages is marked as<CWD>/vendored/...
. May be related to this upstream issue when the listing is done hereTo replicate save and run this file:
Output (notice the
unknown
s for everything):