Comments (9)
`go list -m all` gives all transitive dependencies with version.
https://blog.golang.org/using-go-modules
from go-licenses.
I built a go license tool for kubeflow.org in
https://github.com/kubeflow/testing/tree/master/py/kubeflow/testing/go-license-tools (at that time, this tool didn't exist).
I don't have much bandwidth to keep maintaining it, so I wanted to discuss if there could be better ways to collaborate.
I took the approach described in this issue:
- find all dependencies (and transitive dependencies) via `go list -m all` (for repos using go.mod)
- infer github repo name from the go import path
- use github license api to get the license
it doesn't automate as much as this tool did, because
- inferring github repo url from go import path was hard
- github license api doesn't recognize some licenses very well, especially BSD 3-clause
but maybe we can improve from there taking sth already built here.
from go-licenses.
Just got a new idea, `go mod download -json` shows a JSON representation of all the downloaded modules, including their local path (the `Dir` field)
- then we can use a tool to scan these dirs for files like LICENSE, license.md, etc like this repo did
go mod download -json example
```
$ go mod download -json
go: finding github.com/aws/aws-sdk-go v1.14.5
go: finding github.com/aws/aws-lambda-go v1.2.0
{
    "Path": "github.com/aws/aws-lambda-go",
    "Version": "v1.2.0",
    "Info": "/go/pkg/mod/cache/download/github.com/aws/aws-lambda-go/@v/v1.2.0.info",
    "GoMod": "/go/pkg/mod/cache/download/github.com/aws/aws-lambda-go/@v/v1.2.0.mod",
    "Zip": "/go/pkg/mod/cache/download/github.com/aws/aws-lambda-go/@v/v1.2.0.zip",
    "Dir": "/go/pkg/mod/github.com/aws/aws-lambda-go@v1.2.0",
    "Sum": "h1:2f0pbAKMNNhvOkjI9BCrwoeIiduSTlYpD0iKEN1neuQ=",
    "GoModSum": "h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A="
}
{
    "Path": "github.com/aws/aws-sdk-go",
    "Version": "v1.14.5",
    "Info": "/go/pkg/mod/cache/download/github.com/aws/aws-sdk-go/@v/v1.14.5.info",
    "GoMod": "/go/pkg/mod/cache/download/github.com/aws/aws-sdk-go/@v/v1.14.5.mod",
    "Zip": "/go/pkg/mod/cache/download/github.com/aws/aws-sdk-go/@v/v1.14.5.zip",
    "Dir": "/go/pkg/mod/github.com/aws/aws-sdk-go@v1.14.5",
    "Sum": "h1:+l1m6QH6LypE2kL0p/G0Oh7ceCv+IVQ1h5UEBt2xjjU=",
    "GoModSum": "h1:ZRmQr0FajVIyZ4ZzBYKG5P3ZqPz9IHG41ZoMu1ADI3k="
}
```
https://stackoverflow.com/a/52082860/8745218
from go-licenses.
Nevermind, I just tried putting a module into GOPATH and run `go mod vendor`, after that, running `go-licenses csv <module-name>` generates all its dependencies' licenses.
However, urls are missing as stated
> URLs may not be available if the library is not checked out as a Git repository (e.g. as is the case when Go Modules are enabled).
So what I suggested above can already be achieved by this tool.
from go-licenses.
Hmmm, not exactly.
I noticed a dangerous behavior, some repos do not have a license file. e.g. license file is embedded in README: https://github.com/upper/db/tree/v3.0.0.
However, this tool does not give a warning of a module missing license about it when used in this way.
from go-licenses.
I tried to implement ideas in this issue as https://github.com/Bobgy/go-mod-licenses to suit my own use-cases.
from go-licenses.
Hey Bobgy, can you explain a little bit more in detail what you achieved?
I just want to license check my local project's dependencies from `go.mod`, is that the same you were asking for?
If yes, how would you do this?
My approach would be to:
- Read all transitive dependencies
- Perform go license check on every repo
- Collect in CSV and make them unique
from go-licenses.
@mreiche I've got a bit more requirements so did a few more complex things:
- my process requires public URLs of the license files (like this tool provides, but works for go modules), so I had to use go import semantics to figure out corresponding public repos of go modules
- also my process requires scanning every file of each used go module
- also I noticed the full transitive dependency graph of go modules tend to be very large and unnecessary (some dependencies not actually used in built binary), I changed to read the list of modules actually used in a built go binary instead
- there are a bunch more workflow related features to keep configurations for manually verified repos
- and auto redistribute source folders needed
- there're more that I don't have time to explain now
I've implemented a tool like described above and used it to generate licenses, example:
- https://github.com/kubeflow/pipelines/blob/master/v2/third_party/license_info.csv
- https://github.com/kubeflow/pipelines/blob/master/v2/third_party/NOTICES/licenses.txt
- config: https://github.com/kubeflow/pipelines/blob/master/v2/go-mod-licenses.yaml
I want to open source my tool, but I'm currently fairly busy with other stuff. Might not have time to do that soon.
Curious if these sound useful to others.
from go-licenses.
Implemented in #94
from go-licenses.