feat(license): prefer vendor directory for license detection when ava…

[Anwesh-Mahapatra]

What this PR does

• Enhance license detection for Go modules.
• Prefer scanning vendor/ directory if it exists before falling back to $GOPATH/pkg/mod.
• Improves Trivy's behavior for Go projects that use vendoring.

Why is this needed?

• Some projects vendor dependencies locally using go mod vendor.
• Vendored dependencies contain LICENSE files but not go.mod files.
• This PR ensures LICENSE files inside vendor/ are correctly detected and classified.

Testing done

• Built Trivy locally (mage build).
• Created a test project with go mod vendor and github.com/google/uuid dependency.
• Confirmed LICENSE file was detected correctly from vendor/ directory using:

./dist/trivy fs --scanners license ~/Desktop/trivy-test/vendor-test

[CLAassistant]

All committers have signed the CLA.

[Anwesh-Mahapatra]

Hi @DmitriyLewen and @knqyf263

My name is Anwesh, and I recently submitted my first pull request to the Trivy project (PR #8788). It’s been an amazing experience to contribute to an open-source project! In my PR, I updated the license detection logic to prefer the vendor/ directory when it’s available, falling back to GOPATH/pkg/mod if not.

I’d really appreciate it if you could take a look at my PR and share any feedback. I’m especially curious if there are any mistakes I might have made or ways I could improve it. I’m just starting out as an open-source contributor and would love to learn from your insights.

[DmitriyLewen]

Hello @Anwesh-Mahapatra Thanks for your work!

We already have PR with this update - https://github.com/aquasecurity/trivy/pull/8689

You can compare code and read comments.

Regards, Dmitriy