Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add licenses for Go packages on windows #1933

Open
sorokinmax opened this issue Jul 12, 2023 · 4 comments
Open

Add licenses for Go packages on windows #1933

sorokinmax opened this issue Jul 12, 2023 · 4 comments
Labels
bug Something isn't working windows regarding the windows OS

Comments

@sorokinmax
Copy link

What would you like to be added:
The filled in "licenses" field in the SBOM report for Go packages.

Why is this needed:
Now it looks like a disadvantage compared to other dependencies.
Tracking license purity is an important part of software development.

Additional context:
License information is easy to get at https://pkg.go.dev
For example:
image

@sorokinmax sorokinmax added the enhancement New feature or request label Jul 12, 2023
@kzantow
Copy link
Contributor

kzantow commented Jul 13, 2023

@sorokinmax license information is not present in the go.mod/go.sum files or in the binary go mod data, so it needs to get retrieved from other sources. Syft already has the ability to do this for Go packages, but it is not enabled by default. There are a few places Syft can attempt to find licenses: the local go mod cache, the configured go proxy, and finally a git repo matching the Go mod. As noted in the config file documentation:

golang:
   # search for go package licences in the GOPATH of the system running Syft, note that this is outside the
   # container filesystem and potentially outside the root of a local directory scan
   # SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES env var
   search-local-mod-cache-licenses: false
   
   # specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod
   # SYFT_GOLANG_LOCAL_MOD_CACHE_DIR env var
   local-mod-cache-dir: ""

   # search for go package licences by retrieving the package from a network proxy
   # SYFT_GOLANG_SEARCH_REMOTE_LICENSES env var
   search-remote-licenses: false

   # remote proxy to use when retrieving go packages from the network,
   # if unset this defaults to $GOPROXY followed by https://proxy.golang.org
   # SYFT_GOLANG_PROXY env var
   proxy: ""

   # specifies packages which should not be fetched by proxy
   # if unset this defaults to $GONOPROXY
   # SYFT_GOLANG_NOPROXY env var
   no-proxy: ""

e.g. to enable searching both the local go mod cache and remotes, you can enable this by executing Syft like:

SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES=true SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true syft <source>

Does this work for you?

@sorokinmax
Copy link
Author

sorokinmax commented Jul 14, 2023

Thank you, @kzantow! I really overlooked these parameters. But it didn't work for me.
I tried to set these parameters through ENV variables, as well as through the configuration file. Reports are still generated without the "licenses" section for Go packages.

I am currently running Syft on Windows and scanning a docker image.
What other information can I give you?

@kzantow
Copy link
Contributor

kzantow commented Jul 14, 2023

@sorokinmax Are you able to send the output of the command you ran with the -vvv parameter?

@sorokinmax
Copy link
Author

sorokinmax commented Jul 17, 2023

@kzantow Thanks for the hint, I immediately moved on as soon as I saw the message "remote proxy walk failed for: %package-name%" in the log. I downloaded the source code of version 0.85.0 and ran it under the debugger. Here's what I managed to find in the syft/pkg/cataloger/golang/licenses.go file:
image

It seems to me that there is some kind of problem with Syft working on Windows.

P.S. At the same time, I saw in the debugger how packages are successfully downloaded up to this point.

@wagoodman wagoodman changed the title Add licenses for Go packages Add licenses for Go packages on windows Jul 27, 2023
@wagoodman wagoodman added bug Something isn't working and removed enhancement New feature or request labels Jul 27, 2023
@wagoodman wagoodman moved this to Backlog in OSS Jul 27, 2023
@spiffcs spiffcs added windows regarding the windows OS and removed ecosystem:windows labels Feb 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working windows regarding the windows OS
Projects
Status: Backlog
Development

No branches or pull requests

4 participants