mitchellh / golicense
Scan and analyze OSS dependencies and licenses from compiled Go binaries
License: MIT License
I have a protobuf dependency and during its analysis the following error occurs: «license not found or detected». However, there is a protobuf license.
Could you kindly tell me what I might do about this problem?
@mitchellh First: thanks for the great project!
I found it as I wanted to add an OS license scanner to a CI pipeline.
When do you think there will be a new release? Without the fix for #10 it is quite cumbersome to have a pipeline fail on a forbidden license.
Specifically, reporting errors is lacking a bit at the moment. golicense exits with status 1 correctly in the case of a disallowed or unknown license, but it's really hard to get a quick overview of what package failed if you have a lot of dependencies, since it doesn't print something like a summary when it's finished. It requires the user to go back in the terminal/log and look for an emoji/special colour to find the offending package (is there a better way?). This can be a tedious exercise when logs are several thousand lines long and you don't have a key on your keyboard for \u26a0 (⚠).
It doesn't help that golicense seems to detect when a tty is present and switch to plain mode, so you can't run something like golicense | ripgrep '\x{26a0}', as far as I can tell.
I propose adding a summary at the end for failing packages.
Hi, it looks like it cannot handle kubectl (the CLI tool of Kubernetes):
$ which kubectl
/usr/local/bin/kubectl
$ ./golicense /usr/local/bin/kubectl
⚠️ "/usr/local/bin/kubectl" ⚠️
This executable was compiled without using Go modules or has
zero dependencies. golicense considers this an error (exit code 1).
$
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-04-10T12:46:31Z", GoVersion:"go1.9.4", Compiler:"gc", Platform:"linux/amd64"}
$
And it can detect its own:
$ ./golicense ./golicense
github.com/hashicorp/go-multierror Mozilla Public License 2.0
github.com/hashicorp/go-cleanhttp Mozilla Public License 2.0
github.com/hashicorp/errwrap Mozilla Public License 2.0
...
github.com/google/go-github BSD 3-Clause "New" or "Revised" License
github.com/gosuri/uilive MIT License
github.com/360EntSecGroup-Skylar/excelize BSD 3-Clause "New" or "Revised" License
github.com/apparentlymart/go-textseg Apache License 2.0
$
But they are the same, statically linked, so what's wrong with processing kubectl? Thanks!
$ file /usr/local/bin/kubectl
/usr/local/bin/kubectl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
$
$ file ./golicense
./golicense: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
$
I just gave it a run with ddev and get
$ golicense ddev
⚠️ "ddev" ⚠️
This executable was compiled without using Go modules or has
zero dependencies. golicense considers this an error (exit code 1).
Well, it uses dep, not go modules... but it has lots in the vendor directory. Most projects haven't converted to modules yet. To test, you can just download ddev from releases.
For my use case I just need the aggregate license analysis from multiple binaries. The goal here would be to avoid a lot of the duplication that comes from checking multiple binaries individually, which have a lot of shared dependencies.
Hello Everyone!
Is it possible to analyze go pkg files?
@mitchellh Can you please shed some light on the status of this project? Do you think you will be able to look into some of the open issues & PRs in the near-ish future or are you busy?
In case of the latter: would you be open to adding contributors to the project?
Awesome project! Thank you :)
I tried running this on a binary that depended on a package in a private repository, and the license for that package could not be found, surely.
It would be nice if the configuration allowed a list of packages to ignore when fetching licenses.
Mostly when I get this to work I get a bunch of things like ⚠️ github.com/aws/aws-sdk-go rate limited by GitHub, waiting 46m59.238793s
Seems this may not be altogether practical with github the way it is.
from root:
GO111MODULE=on go build -o /bin/main main.go
# command-line-arguments
./main.go:36:14: undefined: TermOutput
./main.go:112:10: undefined: MultiOutput
./main.go:114:38: undefined: XLSXOutput
./main.go:151:9: undefined: NewSemaphore
./main.go:162:42: undefined: StatusListener
[go-build] Error 2
go env:
x-MacBook-Pro:bin-parse apple$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/apple/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/apple/workspace/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/opt/go/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/opt/go/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/wp/ff6sz9qs6g71jnm12nj2kbyw0000gp/T/go-build332320505=/tmp/go-build -gno-record-gcc-switches -fno-common"
I'm trying to get golicense to run on Windows with Go 1.11.2 and modules enabled.
Golicense tells me that the module was not compiled with Go modules or has no dependencies.
Both are not correct.
Error Message:
golicense.exe ro.exe
⚠️ "ro.exe" ⚠️
This executable was compiled without using Go modules or has
zero dependencies. golicense considers this an error (exit code 1).
Go Modules:
GO111MODULE=on
Go Env:
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\xxx\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\...
set GOPROXY=
set GORACE=
set GOROOT=C:\...
set GOTMPDIR=
set GOTOOLDIR=C:\...
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\...
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\...=/tmp/go-build -gno-record-gcc-switches
go.mod:
module my.corp.com/ro
require (
cloud.google.com/go v0.32.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 // indirect
github.com/coreos/prometheus-operator v0.25.0 // indirect
github.com/emicklei/go-restful v2.8.0+incompatible // indirect
github.com/ghodss/yaml v1.0.0 // indirect
github.com/go-logr/logr v0.1.0 // indirect
github.com/go-logr/zapr v0.1.0 // indirect
github.com/go-openapi/spec v0.17.2 // indirect
github.com/gogo/protobuf v1.1.1 // indirect
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
github.com/golang/groupcache v0.0.0-20181024230925-c65c006176ff // indirect
github.com/golang/mock v1.1.1
github.com/golang/protobuf v1.2.0 // indirect
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c // indirect
github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect
github.com/googleapis/gnostic v0.2.0 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/hashicorp/golang-lru v0.5.0 // indirect
github.com/imdario/mergo v0.3.6 // indirect
github.com/json-iterator/go v1.1.5 // indirect
github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.1 // indirect
github.com/openshift/api v3.9.0+incompatible // v3.9.0
github.com/operator-framework/operator-sdk v0.1.0 // v0.1.0
github.com/pborman/uuid v1.2.0 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pkg/errors v0.8.0 // indirect
github.com/prometheus/client_golang v0.9.1
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 // indirect
github.com/prometheus/common v0.0.0-20181020173914-7e9e6cabbd39 // indirect
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d // indirect
github.com/sirupsen/logrus v1.2.0
github.com/spf13/pflag v1.0.3 // indirect
github.com/stretchr/testify v1.2.2
go.uber.org/atomic v1.3.2 // indirect
go.uber.org/multierr v1.1.0 // indirect
go.uber.org/zap v1.9.1 // indirect
golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16 // indirect
golang.org/x/net v0.0.0-20181102091132-c10e9556a7bc // indirect
golang.org/x/oauth2 v0.0.0-20181105165119-ca4130e427c7 // indirect
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
k8s.io/api v0.0.0-20180712090710-2d6f90ab1293 // kubernetes-1.11.2
k8s.io/apiextensions-apiserver v0.0.0-20180808065829-408db4a50408 // kubernetes-1.11.2
k8s.io/apimachinery v0.0.0-20180621070125-103fd098999d // kubernetes-1.11.2
k8s.io/client-go v0.0.0-20180806134042-1f13a808da65 // kubernetes-1.11.2
k8s.io/kube-openapi v0.0.0-20181031203759-72693cb1fadd // indirect
sigs.k8s.io/controller-runtime v0.1.4 // v0.1.4
)
https://github.com/gohugoio/hugo
▶ golicense ./hugo
❗️ Error parsing dependencies: Unexpected raw dependency format: dep github.com/markbates/inflect v1.0.0%
Trying to go get in a fresh container, I'm getting this:
$ docker run --rm -it golang:1.11
[...]
Status: Downloaded newer image for golang:1.11
root@ec782cdbbd79:/go# go version
go version go1.11.2 linux/amd64
root@ec782cdbbd79:/go# go get github.com/mitchellh/golicense
package github.com/google/go-github/v18/github: cannot find package "github.com/google/go-github/v18/github" in any of:
/usr/local/go/src/github.com/google/go-github/v18/github (from $GOROOT)
/go/src/github.com/google/go-github/v18/github (from $GOPATH)
Since golicense is distributed in binary form, it would help debugging and differentiation for it to respond to -version in the conventional way.
While go version -m -v /path/to/golicense can provide some detail, this is not necessarily the same thing as a known SemVer identifier. Example:
go version -m -v `which golicense`
/usr/local/bin/golicense: go1.13.4
path github.com/mitchellh/golicense
mod github.com/mitchellh/golicense (devel)
dep github.com/360EntSecGroup-Skylar/excelize v1.4.0 h1:43rak9uafmwSJpXfFO1heKQph8tP3nlfWJWFQQtW1R0=
...
This is particularly telling because no devel git-ref currently exists in the project.
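Added example, not golicense's own code: a tolerant parser for the `go version -m` text shown above, which accepts the hash-less `dep` line from the hugo report and attaches a `=>` replacement to the dependency it follows. `Dep`, `ParseModInfo`, `Sample` and the example.com lines are hypothetical names and data made up for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Dep is one dependency recorded in a binary's embedded module info.
type Dep struct {
	Path, Version, Sum string
	Replace            *Dep // set when a "=>" line follows the dep line
}

// ParseModInfo reads `go version -m` text. Only "dep" and "=>" lines carry
// dependencies; version and hash are optional, so a hash-less dep line parses.
func ParseModInfo(text string) ([]Dep, error) {
	var deps []Dep
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || (f[0] != "dep" && f[0] != "=>") {
			continue // binary name, "path", "mod" and unknown line types
		}
		if len(f) < 2 || len(f) > 4 {
			return nil, fmt.Errorf("unexpected dependency line: %q", line)
		}
		f = append(f, "", "") // pad so a missing version or hash reads as ""
		d := Dep{Path: f[1], Version: f[2], Sum: f[3]}
		if f[0] == "dep" {
			deps = append(deps, d)
		} else if len(deps) > 0 {
			deps[len(deps)-1].Replace = &d
		} else {
			return nil, fmt.Errorf("replacement without a dep line: %q", line)
		}
	}
	return deps, nil
}

// Sample is constructed: the first three lines are quoted on this page, the example.com lines are invented.
const Sample = "\tmod\tgithub.com/mitchellh/golicense\t(devel)\n" +
	"\tdep\tgithub.com/360EntSecGroup-Skylar/excelize\tv1.4.0\th1:43rak9uafmwSJpXfFO1heKQph8tP3nlfWJWFQQtW1R0=\n" +
	"\tdep\tgithub.com/markbates/inflect\tv1.0.0\n" +
	"\tdep\texample.com/old/lib\tv1.2.0\n" +
	"\t=>\texample.com/fork/lib\tv1.2.1\th1:constructed=\n"

func main() {
	deps, err := ParseModInfo(Sample)
	fmt.Println(len(deps), err)
}
```

A dependency whose `Sum` is empty cannot be checked against a recorded hash, so a license scan should report it rather than skip it silently.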
Configure goreleaser to provide builds for Mac with ARM-based M1 chips