feat(license): scan `vendor` directory for license for `go.mod` files
Description
There are cases when users use only the vendor dir (the go mod vendor command).
For these cases we can't detect licenses from the $GOPATH/pkg/mod dir.
New logic
graph TD
A[Detect licenses for go.mod files] --> B{vendor dir exists?}
B -- yes --> C[use vendor dir to find licenses]
B -- no --> D[use $GOPATH/pkg/mod]
Discussed in https://github.com/aquasecurity/trivy/discussions/8517
Hi @DmitriyLewen !
Trivy reads go.mod files from $GOPATH/pkg/mod to collect dependencies (e.g. in gomodAnalyzer.collectDeps), but vendor packages don’t have that.
Is there a way to handle this case?
Hello @oneum20 What do you mean? Can you explain in more detail what you mean?
Packages under $GOPATH/pkg/mod have their own go.mod files.
$ ls $GOPATH/pkg/mod/connectrpc.com/[email protected]
LICENSE README.md buf.work.yaml grpchealth.go
MAINTAINERS.md SECURITY.md go.mod grpchealth_test.go
Makefile buf.gen.yaml go.sum internal
Packages in the vendor directory do not have their own go.mod files.
$ ls ./vendor/connectrpc.com/grpchealth
LICENSE Makefile SECURITY.md buf.work.yaml internal
MAINTAINERS.md README.md buf.gen.yaml grpchealth.go
In the following code, it looks like Trivy reads the package’s go.mod file to collect its dependencies.
https://github.com/aquasecurity/trivy/blob/bfa99d26faf31a9b41f0e09b13ec6a669c87d91b/pkg/fanal/analyzer/language/golang/mod/mod.go#L188-L191
hmm... You are right.
Packages from vendor directory don't have go.mod files.
This doesn't matter for license detection (we check LICENSE files), but it will affect the removal of unused dependencies.
But to avoid these problems - perhaps it makes sense to check both paths (I mean $GOPATH/pkg/mod and the vendor dir)
Added in #8689
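The lookup order from the diagram above (vendor dir first, else $GOPATH/pkg/mod), as an added Go example that is not Trivy's own code: escapeModPath, modDir and findLicenseFiles are hypothetical names, and the module cache escaping rule (each uppercase letter stored as '!' plus its lowercase form) is the one the go command applies, which is why a naive path join misses cached modules like github.com/Foo/bar.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// escapeModPath applies the module cache naming rule: every uppercase
// letter in a module path becomes '!' followed by the lowercase letter,
// so github.com/Foo/bar is stored as github.com/!foo/bar@<version>.
func escapeModPath(p string) string {
	var b strings.Builder
	for _, r := range p {
		if r >= 'A' && r <= 'Z' {
			b.WriteByte('!')
			b.WriteRune(r + ('a' - 'A'))
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// modDir returns the directory in which to look for a dependency's LICENSE
// files: the project's vendor tree when it exists (vendor packages carry no
// go.mod, but they do carry LICENSE files), otherwise the module cache.
func modDir(projectRoot, gopath, modPath, version string) string {
	vendor := filepath.Join(projectRoot, "vendor")
	if fi, err := os.Stat(vendor); err == nil && fi.IsDir() {
		return filepath.Join(vendor, filepath.FromSlash(modPath))
	}
	cached := filepath.FromSlash(escapeModPath(modPath)) + "@" + version
	return filepath.Join(gopath, "pkg", "mod", cached)
}

// findLicenseFiles lists regular files in dir whose name starts with
// LICENSE or LICENCE, compared case-insensitively (LICENSE, License.md, ...).
func findLicenseFiles(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err // missing package dir: caller decides how to report it
	}
	var out []string
	for _, e := range entries {
		name := strings.ToUpper(e.Name())
		if !e.IsDir() && (strings.HasPrefix(name, "LICENSE") || strings.HasPrefix(name, "LICENCE")) {
			out = append(out, filepath.Join(dir, e.Name()))
		}
	}
	return out, nil
}
```

Call modDir with the project root, os.Getenv("GOPATH") and each module path and version from go.mod, then pass the result to findLicenseFiles.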