pivotal / LicenseFinder

Find licenses for your project's dependencies.
MIT License

RuntimeError fetching golang dependencies - fixed updating golang version to latest #934

Open SergioRosello opened 2 years ago

SergioRosello commented 2 years ago

Using Golang 1.18 in the project to analyze.

Steps to reproduce:

  1. have a golang project that imports a library (such as spf13/viper or spf13/cobra) that imports the standard library package "io/fs"
  2. cd to project's directory
  3. run command: docker run -v $PWD:/scan -it licensefinder/license_finder /bin/bash -lc "cd /scan && license_finder"

Investigation:

Entering the container with the following command, and not exiting the container for the rest of the code blocks shown: docker run -v $PWD:/scan -it licensefinder/license_finder /bin/bash -l

Below is the output of the underlying command license_finder executes.

root@53acf1a7b888:/scan# GO111MODULE=on go list -mod=readonly -deps -f '{{ if and (.DepOnly) (.Module) (not .Standard) }}{{ $mod := (or .Module.Replace .Module) }}{{ $mod.Path }},{{ $mod.Version }},{{ or $mod.Dir .Dir }}{{ end }}' ./...
go: downloading github.com/spf13/cobra v1.5.0
go: downloading github.com/spf13/viper v1.12.0
go: downloading github.com/DataDog/datadog-api-client-go v1.16.1-0.20220720151909-d2945a79b528
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/fsnotify/fsnotify v1.5.4
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/spf13/cast v1.5.0
go: downloading github.com/spf13/jwalterweatherman v1.1.0
go: downloading github.com/spf13/afero v1.8.2
go: downloading github.com/subosito/gotenv v1.3.0
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading github.com/magiconair/properties v1.8.6
go: downloading gopkg.in/yaml.v3 v3.0.0
go: downloading golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
go: downloading github.com/pelletier/go-toml v1.9.5
go: downloading gopkg.in/ini.v1 v1.66.4
go: downloading golang.org/x/text v0.3.7
go: downloading github.com/pelletier/go-toml/v2 v2.0.1
go: downloading golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
go: downloading github.com/DataDog/zstd v1.5.0
go: downloading golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2
go: updates to go.sum needed, disabled by -mod=readonly

Checking the return value of the command, this explains the error.

root@53acf1a7b888:/scan# echo $?
1

Following golang's instructions from previous command, we see the issue at the end of this command:

root@53acf1a7b888:/scan# go mod tidy
go: downloading github.com/stretchr/testify v1.7.1
go: downloading github.com/inconshreveable/mousetrap v1.0.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading google.golang.org/appengine v1.6.7
go: downloading gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15
go: downloading github.com/frankban/quicktest v1.14.3
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/kr/pretty v0.3.0
go: downloading github.com/google/go-cmp v0.5.8
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.6.1
go: downloading github.com/golang/protobuf v1.5.2
go: downloading google.golang.org/protobuf v1.28.0
my-custom-project imports
    github.com/spf13/viper imports
    io/fs: package io/fs is not in GOROOT (/go/src/io/fs)
my-custom-project imports
    github.com/spf13/viper tested by
    github.com/spf13/viper.test imports
    testing/fstest: package testing/fstest is not in GOROOT (/go/src/testing/fstest)

It seems projects that my project requires use package io/fs, first introduced in go 1.16. Checking the golang version, we can now see why the command is failing.

root@53acf1a7b888:/scan# go version
go version go1.14.3 linux/amd64

Fix:

The golang version embedded in the container image should be updated to the latest golang version in order for projects that require packages introduced later than golang 1.14 to use the license_finder application.
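
Added example, not part of the original issue and not LicenseFinder code: a preflight check that compares the scanner image's Go toolchain with the `go` directive in the project's go.mod, so a version gap like the 1.14.3 vs 1.18 one reported above is caught before the dependency listing fails. The function names and the sample go.mod are constructed for illustration, and the check assumes go.mod declares the Go version the project is built with.

```shell
#!/bin/sh
# Added example (not LicenseFinder code): preflight check for the scanner image.

# Constructed sample inputs: the `go version` line matches the one in the issue,
# the go.mod text is a made-up minimal module declaring Go 1.18.
SAMPLE_GO_VERSION='go version go1.14.3 linux/amd64'
SAMPLE_GOMOD='module my-custom-project

go 1.18'

# "go version go1.14.3 linux/amd64" -> "1.14.3"
toolchain_version() {
  printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Value of the `go` directive in go.mod text, e.g. "1.18"
gomod_version() {
  printf '%s\n' "$1" | sed -n 's/^go[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: succeeds when A >= B; missing components count as 0.
version_ge() {
  _a=$1; _b=$2
  for _i in 1 2 3; do
    _x=${_a%%.*}; _y=${_b%%.*}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  return 0
}

# check_toolchain GO_VERSION_LINE GOMOD_TEXT
# Returns 0 = OK, 1 = toolchain too old, 2 = could not parse.
check_toolchain() {
  _have=$(toolchain_version "$1"); _want=$(gomod_version "$2")
  if [ -z "$_have" ] || [ -z "$_want" ]; then
    echo "UNKNOWN: could not parse versions"; return 2
  fi
  if version_ge "$_have" "$_want"; then
    echo "OK: go $_have satisfies go.mod (go $_want)"
  else
    echo "FAIL: go $_have is older than go.mod (go $_want)"; return 1
  fi
}

# Demo on the constructed samples; in the container, pass "$(go version)" and "$(cat go.mod)".
check_toolchain "$SAMPLE_GO_VERSION" "$SAMPLE_GOMOD" || true
```

Run as a CI step ahead of the scan, a non-zero return separates "scanner image too old" from a scan that actually ran and found nothing.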

cf-gitbot commented 2 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

xtreme-shane-lattanzio commented 2 years ago

@SergioRosello This has been asked for a bunch but I haven't got around to testing it. It definitely makes sense since 1.14.x is super old. The workaround for now has been to just manually bump the version in the image but I know that isn't ideal. I just put up a PR to bump it and I will just see how CI reacts!

g3kk0 commented 2 years ago

Also experiencing this issue. Hopefully there will be a new Docker image with an updated version of Go shortly.

xtreme-shane-lattanzio commented 2 years ago

The docker pull licensefinder/license_finder:edge version of the image is now updated to 1.17.13. I will be making a new release within the next couple weeks. Just fixing up some other things first!