
feat(license): scan vendor directory for license for go.mod files

Open oneum20 opened this issue 8 months ago • 3 comments

Description

This PR adds support for scanning the vendor directory when detecting licenses for Go modules. Currently, Trivy only checks for licenses in $GOPATH/pkg/mod, but when users use the go mod vendor command, the dependencies are stored in the vendor directory without their own go.mod files.

Related issues

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

oneum20 avatar Apr 05 '25 04:04 oneum20
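To make the described gap concrete, here is an added Go example (not Trivy's code and not the PR's implementation) that enumerates the modules listed in vendor/modules.txt and looks for a license file at each vendored module root, reporting the modules that have none so a scanner could fall back to $GOPATH/pkg/mod. The license file name list, the `SampleVendorFS` fixture and all module names are constructed for the example; only the modules.txt format (module records on lines beginning with "# ") is real.

```go
package main

import (
	"bufio"
	"fmt"
	"io/fs"
	"path"
	"sort"
	"strings"
	"testing/fstest"
)

// licenseNames is a deliberately small list of file names treated as license
// files (assumption for this example; a real classifier uses a broader set).
var licenseNames = []string{"LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING"}

// VendorModules parses vendor/modules.txt and returns module path -> version.
// Module records are the lines starting with "# "; "## explicit" markers and
// package lines are skipped. A replace directive ("# a v1 => b v2") keeps the
// original path and version.
func VendorModules(fsys fs.FS) (map[string]string, error) {
	f, err := fsys.Open("vendor/modules.txt")
	if err != nil {
		return nil, err
	}
	defer f.Close()
	mods := map[string]string{}
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "# ") {
			continue
		}
		fields := strings.Fields(line[2:])
		if len(fields) < 2 {
			continue
		}
		mods[fields[0]] = fields[1]
	}
	return mods, sc.Err()
}

// FindVendorLicenses returns module path -> license file path for every vendored
// module whose root carries a recognised license file, plus a sorted list of
// modules with no license file in vendor/ (candidates for a GOPATH fallback).
func FindVendorLicenses(fsys fs.FS) (found map[string]string, missing []string, err error) {
	mods, err := VendorModules(fsys)
	if err != nil {
		return nil, nil, err
	}
	found = map[string]string{}
	for mod := range mods {
		root := path.Join("vendor", mod)
		var lic string
		for _, name := range licenseNames {
			p := path.Join(root, name)
			if st, statErr := fs.Stat(fsys, p); statErr == nil && !st.IsDir() {
				lic = p
				break
			}
		}
		if lic == "" {
			missing = append(missing, mod)
			continue
		}
		found[mod] = lic
	}
	sort.Strings(missing)
	return found, missing, nil
}

// SampleVendorFS is a constructed in-memory vendor tree: two modules ship a
// license file at their root, one does not.
func SampleVendorFS() fs.FS {
	modulesTxt := "# github.com/example/lib v1.2.0\n" +
		"## explicit; go 1.21\n" +
		"github.com/example/lib\n" +
		"github.com/example/lib/internal/util\n" +
		"# github.com/example/nolicense v0.3.1\n" +
		"## explicit\n" +
		"github.com/example/nolicense\n" +
		"# golang.org/x/sample v0.5.0 => golang.org/x/sample v0.5.1\n" +
		"## explicit\n" +
		"golang.org/x/sample/pkg\n"
	return fstest.MapFS{
		"vendor/modules.txt":                          {Data: []byte(modulesTxt)},
		"vendor/github.com/example/lib/LICENSE":       {Data: []byte("MIT License\n")},
		"vendor/github.com/example/lib/lib.go":        {Data: []byte("package lib\n")},
		"vendor/github.com/example/nolicense/n.go":    {Data: []byte("package nolicense\n")},
		"vendor/golang.org/x/sample/LICENSE.txt":      {Data: []byte("BSD-3-Clause\n")},
		"vendor/golang.org/x/sample/pkg/pkg.go":       {Data: []byte("package pkg\n")},
	}
}

func main() {
	found, missing, err := FindVendorLicenses(SampleVendorFS())
	if err != nil {
		panic(err)
	}
	for mod, lic := range found {
		fmt.Printf("%s: %s\n", mod, lic)
	}
	fmt.Println("no license in vendor/:", missing)
}
```

The point for a scanner is the second return value: a module listed in modules.txt with no license file under vendor/ is exactly the case where reading only $GOPATH/pkg/mod either silently succeeds on a different copy of the module or misses it entirely, which is the test behaviour the last comment in the thread describes.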

Hi @DmitriyLewen!

Thanks for your review! I've addressed the feedback and updated the code accordingly. Could you please take another look when you have a moment?

Thanks!

oneum20 avatar Apr 10 '25 15:04 oneum20

@oneum20 I refactored a bit, can you take a look and confirm that I didn't break your logic? 😄

DmitriyLewen avatar Apr 16 '25 04:04 DmitriyLewen

@DmitriyLewen Thanks for the refactor! Everything looks fine on my end. 😃

oneum20 avatar Apr 16 '25 10:04 oneum20

Hello @oneum20 Do you have time to resolve conflict?

If not, tell me, I will do that.

DmitriyLewen avatar May 05 '25 10:05 DmitriyLewen

Hi @DmitriyLewen, I’ve tried resolving the conflicts. 😄

oneum20 avatar May 05 '25 15:05 oneum20

I found that this test doesn't respect the vendor dir as it is not added to mapfs. It just reads a license file from GOPATH. I'll fix it in another PR.

knqyf263 avatar May 07 '25 11:05 knqyf263