Comments (6)
mykaul
commented on June 22, 2024
1
@mykaul check out the golang section of the Syft configuration file: https://github.com/anchore/syft/wiki/configuration -- there are two settings,
search-local-mod-cache-licensesandsearch-remote-licensesthat can be enabled to retrieve license data.
Thanks! I think what tricked me is that by default (syft-text?) you do not see the license, so I did not even bother to look further. Very helpful, thanks again.
from syft.
mykaul
commented on June 22, 2024
@kzantow - why is Go marked as checked? How do we get the license of Go modules?
from syft.
tgerla
commented on June 22, 2024
@mykaul check out the golang section of the Syft configuration file: https://github.com/anchore/syft/wiki/configuration -- there are two settings, search-local-mod-cache-licenses and search-remote-licenses that can be enabled to retrieve license data.
from syft.
Annamikhlin
commented on June 22, 2024
Any idea why I get different output report when scanning the same package with remote search licenses: true for Go modules on different machines?
On one machine - licenses info is presented:
{
"id": "5a2f10fe8c37697d",
"name": "github.com/alecthomas/units",
"version": "v0.0.0-20211218093645-b94a6e3cc137",
"type": "go-module",
"foundBy": "go-module-binary-cataloger",
"locations": [
{
"path": "/opt/scylladb/node_exporter/node_exporter",
"layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188",
"accessPath": "/opt/scylladb/node_exporter/node_exporter",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [
{
"value": "MIT",
"spdxExpression": "MIT",
"type": "concluded",
"urls": [],
"locations": [
{
"path": "github.com/alecthomas/[email protected]/COPYING",
"accessPath": "github.com/alecthomas/[email protected]/COPYING"
}
]
}
],
"language": "go",
"cpes": [
{
"cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*",
"source": "syft-generated"
}
],
"purl": "pkg:golang/github.com/alecthomas/[email protected]",
"metadataType": "go-module-buildinfo-entry",
"metadata": {
"goCompiledVersion": "go1.21.4",
"architecture": "amd64",
"h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=",
"mainModule": "github.com/prometheus/node_exporter"
}
},
On another machine the license info is missing:
{
"id": "67d84fc35f370e95",
"name": "github.com/alecthomas/units",
"version": "v0.0.0-20211218093645-b94a6e3cc137",
"type": "go-module",
"foundBy": "go-module-binary-cataloger",
"locations": [
{
"path": "/opt/scylladb/node_exporter/node_exporter",
"layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188",
"accessPath": "/opt/scylladb/node_exporter/node_exporter",
"annotations": {
"evidence": "primary"
}
}
],
"licenses": [],
"language": "go",
"cpes": [
{
"cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*",
"source": "syft-generated"
}
],
"purl": "pkg:golang/github.com/alecthomas/[email protected]",
"metadataType": "go-module-buildinfo-entry",
"metadata": {
"goCompiledVersion": "go1.21.4",
"architecture": "amd64",
"h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=",
"mainModule": "github.com/prometheus/node_exporter"
}
},
both machines are installed with Fedora release 37
from syft.
mykaul
commented on June 22, 2024
Very the configuration file is identical and accessible in both machines. Perhaps run syft with debug will show it.
from syft.
Annamikhlin
commented on June 22, 2024
Any idea why I get different output report when scanning the same package with
remote search licenses: truefor Go modules on different machines?On one machine - licenses info is presented:
{ "id": "5a2f10fe8c37697d", "name": "github.com/alecthomas/units", "version": "v0.0.0-20211218093645-b94a6e3cc137", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/opt/scylladb/node_exporter/node_exporter", "layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188", "accessPath": "/opt/scylladb/node_exporter/node_exporter", "annotations": { "evidence": "primary" } } ], "licenses": [ { "value": "MIT", "spdxExpression": "MIT", "type": "concluded", "urls": [], "locations": [ { "path": "github.com/alecthomas/[email protected]/COPYING", "accessPath": "github.com/alecthomas/[email protected]/COPYING" } ] } ], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/github.com/alecthomas/[email protected]", "metadataType": "go-module-buildinfo-entry", "metadata": { "goCompiledVersion": "go1.21.4", "architecture": "amd64", "h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=", "mainModule": "github.com/prometheus/node_exporter" } },On another machine the license info is missing:
{ "id": "67d84fc35f370e95", "name": "github.com/alecthomas/units", "version": "v0.0.0-20211218093645-b94a6e3cc137", "type": "go-module", "foundBy": "go-module-binary-cataloger", "locations": [ { "path": "/opt/scylladb/node_exporter/node_exporter", "layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188", "accessPath": "/opt/scylladb/node_exporter/node_exporter", "annotations": { "evidence": "primary" } } ], "licenses": [], "language": "go", "cpes": [ { "cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*", "source": "syft-generated" } ], "purl": "pkg:golang/github.com/alecthomas/[email protected]", "metadataType": "go-module-buildinfo-entry", "metadata": { "goCompiledVersion": "go1.21.4", "architecture": "amd64", "h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=", "mainModule": "github.com/prometheus/node_exporter" } },both machines are installed with Fedora release 37
seems it is related to the same issue #2798
The creation of $HOME/go/pkg/mod directory - solved the issue
waiting for #2852 for official fix
from syft.
Related Issues (20)
- Scanning a git repository folder present in /tmp produce an empty sbom HOT 1
- Install Issue - Ubuntu Image on Mac M1 Pro HOT 3
- SBOM generated for JAR doesn't parsing all pom.xml HOT 2
- SBOM generation is missing a few Python packages listed in the requirements.txt file HOT 1
- Option in parameter or configuration to set value in metadata > authors in SBOM (CycloneDX) HOT 3
- Syft incorrectly identifying jruby jar files HOT 1
- Parameter confirmation of docker _registry scanning HOT 1
- install.sh: check checksums file's signature HOT 2
- Reverse conversion of metadata mode is broken HOT 4
- syft does not find anything in archives if /tmp is a tmpfs HOT 1
- Support cataloging dlopen ELF metadata
- Syft Directory Source: Git Tag and Metadata Information
- syft outputs incorrect license LicenseRef-AND HOT 1
- Detect fluent-bit binaries
- Binary detection workflow enhancements
- SYFT_PACKAGE_EXCLUDE_BINARY_OVERLAP_BY_OWNERSHIP=false is not working HOT 3
- syft-table option adds escape chars at the end of each row HOT 2
- python cataloger: adding a support additionally to classify licenses by `License-File` field in metadata file HOT 2
- Add additional image tags to source metadata
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from syft.