
feat(golang): add license parsing from vendor dirs #3522

Open
wants to merge 1 commit into
base: main

Conversation

dschmidt

Description

This PR adds options to parse license information from local vendor dirs as they have a slightly different structure than mod cache dirs.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • Documentation (updates the documentation)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
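As an added illustration of the "slightly different structure" the description refers to (this is not code from this PR or from Syft), the following Go snippet contrasts the two layouts: the module cache stores a module as `<escaped path>@<version>`, while `vendor/` stores the unescaped path with no version and records versions separately in `vendor/modules.txt`. The `modules.txt` content is constructed sample data.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
	"unicode"
)

// escapeModulePath applies the Go module cache path escaping: every uppercase
// letter is stored as "!" followed by its lowercase form.
func escapeModulePath(p string) string {
	var b strings.Builder
	for _, r := range p {
		if unicode.IsUpper(r) {
			b.WriteByte('!')
			b.WriteRune(unicode.ToLower(r))
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// ModCacheDir: $GOMODCACHE/<escaped path>@<version>, where LICENSE files sit.
func ModCacheDir(gomodcache, modPath, version string) string {
	return filepath.Join(gomodcache, escapeModulePath(modPath)+"@"+version)
}

// VendorDir: <root>/vendor/<module path>, unescaped and with no version.
func VendorDir(root, modPath string) string {
	return filepath.Join(root, "vendor", modPath)
}

// ParseModulesTxt maps module path -> version from vendor/modules.txt text.
// Module lines start with "# "; "## " lines and package lines are skipped.
func ParseModulesTxt(content string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(content, "\n") {
		if !strings.HasPrefix(line, "# ") {
			continue
		}
		f := strings.Fields(line[2:])
		if len(f) >= 2 && f[1] != "=>" { // "# path => ../dir" has no version
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// sampleModulesTxt is a constructed vendor/modules.txt fragment (not real data).
const sampleModulesTxt = "# github.com/Azure/go-autorest v14.2.0+incompatible\n## explicit\ngithub.com/Azure/go-autorest/autorest\n# golang.org/x/text v0.21.0 => ../text\n"

func main() {
	for p, v := range ParseModulesTxt(sampleModulesTxt) {
		fmt.Println(VendorDir(".", p), "<->", ModCacheDir("/go/pkg/mod", p, v))
	}
}
```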

@spiffcs
Contributor

spiffcs commented Dec 12, 2024

@dschmidt I kicked off the build and CI tooling for this PR.

We have a related PR where we parse the entire go source tree and will be able to pull license data from this. I think this would preclude the need for the vendor directory, but am interested in how these two might overlap.

#3452

@dschmidt
Author

Thanks!

What's the state of your PR? Should I be able to test it?
If it solves my use case I'm happy to wait for that one. It's not super urgent, I just need a solution in the long run.

Forgot to check in the test fixtures... will fix tomorrow.

@dschmidt
Author

Added the missing fixtures, can you approve the workflows again?

@dschmidt
Author

dschmidt commented Dec 13, 2024

We have a related PR where we parse the entire go source tree and will be able to pull license data from this. I think this would preclude the need for the vendor directory, but am interested in how these two might overlap.

#3452

I'm pretty new to syft (and trying to make it work in a project I'm working on), so I'm not so sure how everything is supposed to work:
Can I use the new source file cataloger when analyzing a docker image? (with the source code on the host, not inside the image)
How would I invoke syft to do that?

Without a docker image I've tried
syft scan --select-catalogers "+go-module-source-file-cataloger" . -ospdx-json | jq
on a smaller project I'm working on and don't see license information from the vendor dir.

In https://github.com/owncloud/ocis the same command crashes with:

 ✔ Indexed file system
 ⠸ Cataloging contents             ━━━━━━━━━━━━━━━━━━━━   cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   └── ⠸ Packages                        [2,531 packages]
         └── ⠙ Go module source file         cataloger
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0046]  WARN found package with empty ID while adding to the collection: Pkg(name="prometheus" version="v0.4.2" type="go-module" id="")
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc0575aa598 stack=[0xc0575aa000, 0xc0775aa000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x276e858?, 0x7fab857f9d50?})
	/usr/lib64/go/1.23/src/runtime/panic.go:1067 +0x48 fp=0x7fab857f9d10 sp=0x7fab857f9ce0 pc=0xdda568
runtime.newstack()
	/usr/lib64/go/1.23/src/runtime/stack.go:1117 +0x5bd fp=0x7fab857f9e50 sp=0x7fab857f9d10 pc=0xdbc19d
[…]

2 participants