uw-labs / lichen
Go binary license checker. Extracts module usage information from binaries and analyses their licenses.
License: MIT License
If a binary is built with a development build of Go, the go version -m ... output cannot be parsed. I observed this when trying go-licenses v2: https://github.com/Bobgy/go-licenses/blob/initial/v2/README.md
$ ~/git/go-licenses/v2/go-licenses csv
ListModulesInGoBinary(Path='my-binary'): unrecognised version line: my-binary: devel +b7a85e0003
$ go version -m my-binary
my-binary: devel +b7a85e0003
path my-binary/cmd/my-binary
mod my-binary (devel)
dep gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
$ go version
go version devel +b7a85e0003 linux/amd64
This doesn't occur when analyzing a binary built with a normal release of Go.
Would it make sense to also include any NOTICE found in packages? This is something that go-licenses
can do https://github.com/google/go-licenses/blob/5b654af5dcd3ef8090baaceae6009c20d75a87e8/save.go#L109
Hello and thank you for your work with lichen!
I’m currently in need of running lichen in environments where a substantial amount of "unresolvable licence" errors can happen (running it as part of a tool for other developers to use at my company). In my case returning an empty licence is a much better default than returning an error. And there might be others with similar needs so I suggest we add a config for this?
I have two different suggestions for additional configs:
A:
ignoreUnresolvableLicense: true
Would result in `func ignoreUnresolvable()` always returning true.
Or B:
unresolvableLicense:
- regex: true
- path: "github.com/test/.*"
regex: true would result in unresolvableLicense's path being a regular expression.
Which of these suggestions would be best for lichen?
I can create a PR with this if you want to test it in practice, the additional code will be short.
Would it be possible to create a new release tag? Now that support for Windows binaries was fixed (1d6c981). Thanks!
Lichen returns an unexpected error when there are no modules used in the project.
To reproduce it:
main.go:
package main
import "fmt"
func main() {
	fmt.Println("Hi!")
}
go.mod:
module my-module
go 1.15
go build
lichen ./my-module
Expected behavior:
Current behavior:
failed to evaluate licenses: failed to fetch: exit status 1 (output: go mod download: no modules specified (see 'go help mod download')
Hi - I am working on replacing https://github.com/mitchellh/golicense with lichen for Project Antrea, since golicense is no longer actively maintained and lichen offers me support for Windows binaries.
I am running into one issue during module fetching:
2021/01/29 00:26:16 failed to evaluate licenses: failed to fetch: exit status 1 (output: go: cannot use relative path ../../@ to specify module
This is because Antrea uses a replace directive pointing to a local directory in one of our go.mod files: https://github.com/vmware-tanzu/antrea/blob/57dcaec0c561875dac6dee9bac72a66b9aefbab6/plugins/octant/go.mod#L14. This is a "trick" that enables us to ensure that plugins are built using the correct version of the "parent" Go module. And it works great for building.
When using golicense, I was able to provide an override ("../../": "Apache-2.0") in the config to handle that case. I'd like to be able to do something similar with lichen, but lichen applies unresolvableLicense config overrides after fetching modules and will error out early if a module cannot be fetched.
Would it be possible to provide a new exception type (e.g. moduleUnfetchable) in the config that would apply when a module cannot be fetched, instead of returning right away. Thanks!
Is there a way for this to support resolving modules from a vendor directory?
I get this error when scanning binaries built with Go 1.18 beta2.
2022/02/16 14:46:01 failed to evaluate licenses: unrecognised line: build -compiler=gc
We have a private gitlab where we host our own go repos, and it seems, even with overrides or exceptions, I can't prevent the sum.golang.org lookup, which causes a failure -- thus preventing us from using this in CI. To be clear, our gitlab instance isn't accessible except on internal networks, so this lookup fails. See snippet for more details (I anonymized the URL, but I think you'll get the point).
$ (lichen -c lichen.yaml ./${PROJECT_NAME} | tee license_report.txt) || true
2021/07/22 15:04:44 failed to evaluate licenses: failed to fetch: exit status 1 (output:
{
"Path": "github.com/hashicorp/hcl",
"Version": "v1.0.0",
"Info": "/go/pkg/mod/cache/download/github.com/hashicorp/hcl/@v/v1.0.0.info",
"GoMod": "/go/pkg/mod/cache/download/github.com/hashicorp/hcl/@v/v1.0.0.mod",
"Zip": "/go/pkg/mod/cache/download/github.com/hashicorp/hcl/@v/v1.0.0.zip",
"Dir": "/go/pkg/mod/github.com/hashicorp/[email protected]",
"Sum": "h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=",
"GoModSum": "h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ="
}
{
"Path": "github.com/spf13/afero",
"Version": "v1.3.4",
"Info": "/go/pkg/mod/cache/download/github.com/spf13/afero/@v/v1.3.4.info",
"GoMod": "/go/pkg/mod/cache/download/github.com/spf13/afero/@v/v1.3.4.mod",
"Zip": "/go/pkg/mod/cache/download/github.com/spf13/afero/@v/v1.3.4.zip",
"Dir": "/go/pkg/mod/github.com/spf13/[email protected]",
"Sum": "h1:8q6vk3hthlpb2SouZcnBVKboxWQWMDNF38bwholZrJc=",
"GoModSum": "h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I="
}
# ...
# truncated ...
# ...
{
"Path": "gitlab.ourcompany.com/software/whatever/thing",
"Version": "v0.0.0-20210610205813-eb9a997ab73f",
"Error": "gitlab.ourcompany.com/software/whatever/[email protected]: verifying go.mod: gitlab.ourcompany.com/software/whatever/[email protected]/go.mod: reading https://sum.golang.org/lookup/gitlab.ourcompany.com/software/whatever/[email protected]: 410 Gone\n\tserver response: not found: gitlab.ourcompany.com/software/whatever/[email protected]: unrecognized import path \"gitlab.ourcompany.com/software/whatever/thing\": https fetch: Get \"https://gitlab.ourcompany.com/software/whatever/thing?go-get=1\": dial tcp: lookup gitlab.everactive.com on 8.8.8.8:53: no such host",
"Info": "/go/pkg/mod/cache/download/gitlab.ourcompany.com/software/whatever/thing/@v/v0.0.0-20210610205813-eb9a997ab73f.info"
}
Not sure if this is really a bug or a feature request, so I'll leave that up to you, but I would imagine maybe adding some sort of config option to ignore modules that start with a certain URL?
ignoreURL: gitlab.ourcompany.com
Or making it so that override directives don't query sum.golang.org at all.
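The three proposals in the issues above (regex paths or a blanket ignore for unresolvableLicense, a moduleUnfetchable exception for local replace directives, and ignoreURL for private hosts) share one requirement: the decision has to be taken before lichen runs go mod download, because that is the step that contacts proxy.golang.org and sum.golang.org. The Go below is an added example showing such a pre-fetch filter; it is not lichen's code, and the config field names, the Module.Replace field and the sample modules are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Module is the minimal record available before fetching: path and version
// from `go version -m`, plus the target of a replace directive when the
// module was replaced (an assumption about the record, made for this example).
type Module struct {
	Path, Version string
	Replace       string // e.g. "../../" for a local directory replacement
}

// FetchPolicy groups the hypothetical config options proposed in the issues
// above. None of these keys exist in lichen; they are assumptions made here.
type FetchPolicy struct {
	IgnorePrefixes []string          // ignoreURL: never fetch modules under these prefixes
	PathPatterns   []*regexp.Regexp  // unresolvableLicense entries with regex: true
	Unfetchable    map[string]string // moduleUnfetchable: path or replace target -> licence to assume
}

// Decision says whether to fetch a module and, if not, what to record for it.
type Decision struct {
	Fetch   bool
	License string // licence to assume when Fetch is false; "" means unknown and ignored
	Reason  string
}

// CompilePatterns anchors each pattern so that "github.com/test/.*" matches
// the whole module path rather than any substring of it.
func CompilePatterns(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			return nil, fmt.Errorf("unresolvableLicense pattern %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// isLocal reports whether a replace target is a filesystem path rather than
// a module path; `go mod download` rejects these ("cannot use relative path").
func isLocal(p string) bool {
	return p == "." || p == ".." || strings.HasPrefix(p, "./") ||
		strings.HasPrefix(p, "../") || strings.HasPrefix(p, "/")
}

// Decide applies the policy before any network access, so a private or local
// module never triggers a proxy.golang.org or sum.golang.org lookup.
func (fp FetchPolicy) Decide(m Module) Decision {
	if m.Version == "(devel)" && m.Replace == "" {
		return Decision{Reason: "main module; not published on any proxy"}
	}
	if isLocal(m.Replace) {
		lic, ok := fp.Unfetchable[m.Replace]
		if !ok {
			lic = fp.Unfetchable[m.Path]
		}
		return Decision{License: lic, Reason: "replaced by local directory " + m.Replace}
	}
	for _, prefix := range fp.IgnorePrefixes {
		if m.Path == prefix || strings.HasPrefix(m.Path, prefix+"/") {
			return Decision{License: fp.Unfetchable[m.Path], Reason: "ignored prefix " + prefix}
		}
	}
	for _, re := range fp.PathPatterns {
		if re.MatchString(m.Path) {
			return Decision{Reason: "matches exception " + re.String()}
		}
	}
	return Decision{Fetch: true}
}

func main() {
	pats, err := CompilePatterns([]string{"github.com/test/.*"})
	if err != nil {
		panic(err)
	}
	policy := FetchPolicy{
		IgnorePrefixes: []string{"gitlab.ourcompany.com"},
		PathPatterns:   pats,
		Unfetchable:    map[string]string{"../../": "Apache-2.0"},
	}
	// Constructed modules modelled on the cases reported in the issues above.
	for _, m := range []Module{
		{Path: "github.com/hashicorp/hcl", Version: "v1.0.0"},
		{Path: "gitlab.ourcompany.com/software/whatever/thing", Version: "v0.0.0-20210610205813-eb9a997ab73f"},
		{Path: "github.com/vmware-tanzu/antrea", Version: "v0.0.0", Replace: "../../"},
		{Path: "github.com/test/foo", Version: "v1.2.3"},
	} {
		d := policy.Decide(m)
		fmt.Printf("%-48s fetch=%-5v licence=%q %s\n", m.Path, d.Fetch, d.License, d.Reason)
	}
}
```

Anchoring the user's regex is deliberate: an unanchored "github.com/test/.*" would also silence unrelated modules whose path merely contains that text, which is exactly the kind of over-broad exception a licence report should not hide. A module that is skipped with an empty licence still appears in the report, so the gap is visible rather than swallowed.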
Hi,
Would it be possible to tag a new release? Installing lichen on a system with Go 1.18 now results in a binary which fails in certain circumstances (#15). It's possible to build a binary from master of course but being able to install directly would be much more convenient.
Regards,
Stephen
It appears to be failing on blank lines in the output of go version -m. This is the complete output:
2022/03/15 12:49:04 failed to evaluate licenses: unrecognised line:
At least in some circumstances, go version -m with Go 1.18 on a binary built with Go 1.18 outputs the current module as a dep line instead of the previous mod line, i.e.
dep github.com/submariner-io/submariner (devel)
instead of
mod github.com/submariner-io/submariner (devel)
lichen then fails with
{
"Path": "github.com/submariner-io/submariner",
"Version": "(devel)",
"Error": "github.com/submariner-io/submariner@(devel): invalid version: reading https://proxy.golang.org/github.com/submariner-io/submariner/@v/%28devel%29.info: 410 Gone\n\tserver response: not found: github.com/submariner-io/submariner@(devel): invalid version: unknown revision (devel)"
}
I don't know why it's happening on fan2go
lichen /var/tmp/portage/sys-power/fan2go-0.6.2/image/usr/bin/fan2go
2022/05/07 05:08:29 failed to evaluate licenses: unrecognised line: build -compiler=gc
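Several of the reports above are the same failure mode: lichen's parser of go version -m output rejects any line shape it has not seen, so a devel version header, a blank line, a Go 1.18 build line, or the main module reported as a dep with version (devel) each turn into a hard error or, worse, a proxy lookup for a version that cannot exist. The following Go is an added example of a tolerant parser for that format; it is not lichen's code, and the two sample outputs are constructed for the example, modelled on the outputs quoted in the issues.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Module is one module record recovered from `go version -m` output.
type Module struct {
	Path, Version, Sum string // Sum is empty for the main module
	Main               bool   // the module the binary was built from
}

// BinaryInfo is the parsed result for one binary.
type BinaryInfo struct {
	Binary, GoVersion string // GoVersion is "go1.18", "devel +b7a85e0003", ...
	Modules           []Module
}

// The header is "<binary>: <go version>"; the version is either a release
// ("go1.17.5") or a development build ("devel +b7a85e0003").
var headerLine = regexp.MustCompile(`^(.+?): (go\S+|devel.*)$`)

// ParseGoVersionM parses the text printed by `go version -m <binary>`. It
// accepts devel headers, skips blank lines and the "build" lines Go 1.18
// added, and treats a "dep" with version "(devel)" as the main module, which
// Go 1.18 sometimes reports that way instead of as "mod".
func ParseGoVersionM(text string) (*BinaryInfo, error) {
	info := &BinaryInfo{}
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo, seenHeader := 0, false
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue // blank lines carry no module information
		}
		if !seenHeader {
			m := headerLine.FindStringSubmatch(line)
			if m == nil {
				return nil, fmt.Errorf("line %d: unrecognised version line: %q", lineNo, line)
			}
			info.Binary, info.GoVersion, seenHeader = m[1], m[2], true
			continue
		}
		f := strings.Fields(line) // real output is tab-separated; Fields handles both
		switch f[0] {
		case "path": // import path of package main; nothing to fetch
		case "build": // Go 1.18+ build settings, e.g. "build -compiler=gc"
		case "mod", "dep":
			if len(f) < 3 {
				return nil, fmt.Errorf("line %d: short module line: %q", lineNo, line)
			}
			mod := Module{Path: f[1], Version: f[2], Main: f[0] == "mod" || f[2] == "(devel)"}
			if len(f) >= 4 {
				mod.Sum = f[3]
			}
			info.Modules = append(info.Modules, mod)
		default:
			return nil, fmt.Errorf("line %d: unrecognised line: %q", lineNo, line)
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if !seenHeader {
		return nil, fmt.Errorf("no output to parse")
	}
	return info, nil
}

// Fetchable returns the dependencies worth asking a module proxy about: all
// but the main module, whose "(devel)" version only yields "410 Gone".
func (b *BinaryInfo) Fetchable() []Module {
	var out []Module
	for _, m := range b.Modules {
		if !m.Main {
			out = append(out, m)
		}
	}
	return out
}

// Constructed samples modelled on the outputs quoted in the issues above.
const SampleDevel = "my-binary: devel +b7a85e0003\n" +
	"\tpath\tmy-binary/cmd/my-binary\n" +
	"\tmod\tmy-binary\t(devel)\n" +
	"\tdep\tgopkg.in/yaml.v2\tv2.4.0\th1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=\n"

const SampleGo118 = "example-bin: go1.18\n" +
	"\tpath\texample.com/app/cmd/app\n" +
	"\tdep\texample.com/app\t(devel)\n" +
	"\tdep\tgopkg.in/yaml.v2\tv2.4.0\th1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=\n" +
	"\tbuild\t-compiler=gc\n\n"

func main() {
	for _, sample := range []string{SampleDevel, SampleGo118} {
		info, err := ParseGoVersionM(sample)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s (built with %s): %d fetchable module(s)\n", info.Binary, info.GoVersion, len(info.Fetchable()))
	}
}
```

The parser still fails closed on a genuinely unknown line kind, which is the right default for a licence checker: silently dropping a record would hide a dependency from the report. The point is to treat the shapes that are known to be harmless (blank, build, path) as harmless, and to keep the main module out of the fetch list so its (devel) version never reaches the proxy.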