Comments (6)
@mykaul check out the golang section of the Syft configuration file: https://github.com/anchore/syft/wiki/configuration -- there are two settings, search-local-mod-cache-licenses and search-remote-licenses, that can be enabled to retrieve license data.
Thanks! I think what tricked me is that by default (syft-text?) you do not see the license, so I did not even bother to look further. Very helpful, thanks again.
@kzantow - why is Go marked as checked? How do we get the license of Go modules?
Any idea why I get a different output report when scanning the same package with remote search licenses: true for Go modules on different machines?
On one machine the license info is present:
{
  "id": "5a2f10fe8c37697d",
  "name": "github.com/alecthomas/units",
  "version": "v0.0.0-20211218093645-b94a6e3cc137",
  "type": "go-module",
  "foundBy": "go-module-binary-cataloger",
  "locations": [
    {
      "path": "/opt/scylladb/node_exporter/node_exporter",
      "layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188",
      "accessPath": "/opt/scylladb/node_exporter/node_exporter",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [
    {
      "value": "MIT",
      "spdxExpression": "MIT",
      "type": "concluded",
      "urls": [],
      "locations": [
        {
          "path": "github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137/COPYING",
          "accessPath": "github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137/COPYING"
        }
      ]
    }
  ],
  "language": "go",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*",
      "source": "syft-generated"
    }
  ],
  "purl": "pkg:golang/github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137",
  "metadataType": "go-module-buildinfo-entry",
  "metadata": {
    "goCompiledVersion": "go1.21.4",
    "architecture": "amd64",
    "h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=",
    "mainModule": "github.com/prometheus/node_exporter"
  }
},
On another machine the license info is missing:
{
  "id": "67d84fc35f370e95",
  "name": "github.com/alecthomas/units",
  "version": "v0.0.0-20211218093645-b94a6e3cc137",
  "type": "go-module",
  "foundBy": "go-module-binary-cataloger",
  "locations": [
    {
      "path": "/opt/scylladb/node_exporter/node_exporter",
      "layerID": "sha256:2f9c5474dfcad40cab09d578dfc5c919a38e0125c99501a8d7abb8540ef14188",
      "accessPath": "/opt/scylladb/node_exporter/node_exporter",
      "annotations": {
        "evidence": "primary"
      }
    }
  ],
  "licenses": [],
  "language": "go",
  "cpes": [
    {
      "cpe": "cpe:2.3:a:alecthomas:units:v0.0.0-20211218093645-b94a6e3cc137:*:*:*:*:*:*:*",
      "source": "syft-generated"
    }
  ],
  "purl": "pkg:golang/github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137",
  "metadataType": "go-module-buildinfo-entry",
  "metadata": {
    "goCompiledVersion": "go1.21.4",
    "architecture": "amd64",
    "h1Digest": "h1:s6gZFSlWYmbqAuRjVTiNNhvNRfY2Wxp9nhfyel4rklc=",
    "mainModule": "github.com/prometheus/node_exporter"
  }
},
Both machines are installed with Fedora release 37.
Verify the configuration file is identical and accessible on both machines. Perhaps running syft with debug will show it.
Seems it is related to the same issue, #2798.
Creating the $HOME/go/pkg/mod directory solved the issue.
Waiting for #2852 for the official fix.
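A practitioner's check for the symptom discussed in this thread, as an added example (it is not Syft's code nor any commenter's): it indexes two Syft native-JSON reports by purl, lists go-modules whose license data is empty, and diffs the license sets between the two machines' reports. It assumes Syft's JSON layout with a top-level "artifacts" list; the embedded sample is a constructed reduction of the two entries quoted above.

```python
"""Diff license data between two Syft JSON reports (added example, not Syft code).

Assumes Syft's native JSON layout: a top-level "artifacts" list whose entries carry
"purl", "type" and a "licenses" list with "spdxExpression"/"value" fields.
"""
import json
import sys

# Constructed sample: the github.com/alecthomas/units entry from the thread, reduced to
# the fields this check needs, once with the MIT license found and once with none.
PURL = "pkg:golang/github.com/alecthomas/units@v0.0.0-20211218093645-b94a6e3cc137"
WITH_LICENSE = {"artifacts": [{"name": "github.com/alecthomas/units", "type": "go-module",
                               "purl": PURL, "licenses": [{"value": "MIT", "spdxExpression": "MIT",
                                                           "type": "concluded"}]}]}
WITHOUT_LICENSE = {"artifacts": [{"name": "github.com/alecthomas/units", "type": "go-module",
                                  "purl": PURL, "licenses": []}]}


def license_index(report):
    """Map purl -> (package type, sorted list of license expressions Syft attached)."""
    index = {}
    for art in report.get("artifacts", []):
        key = art.get("purl") or f"{art.get('name')}@{art.get('version')}"
        exprs = {lic.get("spdxExpression") or lic.get("value") for lic in art.get("licenses", [])}
        index[key] = (art.get("type"), sorted(e for e in exprs if e))
    return index


def unlicensed(report, pkg_type="go-module"):
    """purls of pkg_type packages with no license entries: the symptom seen on machine two."""
    return sorted(k for k, (t, lics) in license_index(report).items() if t == pkg_type and not lics)


def diff_licenses(report_a, report_b):
    """Packages whose license sets differ between reports; None marks a side missing the purl."""
    ia, ib = license_index(report_a), license_index(report_b)
    out = {}
    for key in sorted(set(ia) | set(ib)):
        la = ia[key][1] if key in ia else None
        lb = ib[key][1] if key in ib else None
        if la != lb:
            out[key] = (la, lb)
    return out


if __name__ == "__main__":
    # usage: python diff_licenses.py machine1.json machine2.json
    a, b = (json.load(open(p, encoding="utf-8")) for p in sys.argv[1:3])
    for purl, (la, lb) in diff_licenses(a, b).items():
        print(f"{purl}: {la} vs {lb}")
    print("go-modules without licenses in second report:", unlicensed(b))
```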