Comments (5)
Not currently - this tool was intended to work without access to the source code of the compiled binaries that are passed to it.
Is your usecase around private modules that have been vendored and aren't reachable from where you'd intend to use lichen?
from lichen.
Not currently - this tool was intended to work without access to the source code of the compiled binaries that are passed to it.
Is your usecase around private modules that have been vendored and aren't reachable from where you'd intend to use lichen?
It's not necessarily that it's private modules (though there are a couple that we use). But yes -- mostly that it's not easily possible to re-pull them from github.com from the internal build system we are using.
from lichen.
I've considered a few options here, but I can't see a simple way of making this work. On a general level, I can't find a way of taking a module reference and being certain that the version sitting under vendor/
really is that version - the tool could assume, or perhaps read modules.txt
.. neither sound particularly great. go list -m -json -mod=vendor <module>
does not work. With the normal way lichen
operates, it's basically guaranteeing that the version used when the binary was compiled is the version that the license is grabbed from.
Beyond all of that, if we were to get to a point where we can translate module references to directories under vendor
, I can't see this working without throwing more configuration or CLI flags into the mix, as the tool would need to be pointed to where the vendor directory is. I'd be fairly reluctant to add further configuration or CLI flags to cater for this. I'm completely open to suggestions, though.
from lichen.
I see what you're saying.... since lichen is based on just looking at the binary (and not needing local access to the source).
Thank you for taking the time to look. We are able to use lichen, and it's working great so far... we just periodically have corporate-inflicted networking issues with getting out to github.com :)
from lichen.
I have CI pipeline that populates and caches vendor (populated with go mod vendor
on miss) between steps and runs, that allows to save tremendous amount of traffic compared to caching or populating ~/go/pkg/mod
. An example from real build: 27M uncompressed (5M compressed) vendor
vs 629M in ~/go/pkg/mod
.
It would be great if lichen
could make all necessary assumptions and allow using vendor
as a source of licenses.
from lichen.
Related Issues (13)
- It returns an unexpected error when there are no modules used in the project HOT 1
- unrecognised version line: my-binary: devel +b7a85e0003 HOT 2
- Fails with Go 1.18 HOT 5
- Fails with Go 1.18 again HOT 3
- New release? HOT 1
- Fails with Go 1.18 dep lines instead of mod lines HOT 4
- unrecognised line: build -compiler=gc HOT 2
- Include copyright notices HOT 2
- Additional config for ignoring "unresolvable licence"
- Create new release tag HOT 1
- Allow overrides for unresolvable modules HOT 3
- Including internal, closed source repos causes lookup failures HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lichen.