go-licenses icon indicating copy to clipboard operation
go-licenses copied to clipboard
verified publisher icon google

No dependencies are reported despite go.mod being available & resolvable

Open aeneasr opened this issue 1 year ago • 2 comments

Running the following commands:

git clone [email protected]:ory/x.git
cd x
go-licenses report github.com/ory/x

results in one license reported

+W1230 09:01:11.509776   20797 library.go:394] module github.com/ory/x has empty version, defaults to HEAD. The license URL may be incorrect. Please verify!
github.com/ory/x,https://github.com/ory/x/blob/HEAD/LICENSE,Apache-2.0

Despite go.mod having several dependencies with proper licensing set up (https://github.com/ory/x/blob/master/go.mod).

which go
/Users/*/go/pkg/mod/golang.org/[email protected]/bin/go

The command works fine in other repositories like (https://github.com/ory/kratos):

kratos %  .bin/go-licenses report github.com/ory/kratos

code.dny.dev/ssrf,https://github.com/daenney/ssrf/blob/v0.2.0/LICENSE,MIT
dario.cat/mergo,https://github.com/imdario/mergo/blob/v1.0.0/LICENSE,BSD-3-Clause
filippo.io/edwards25519,https://github.com/FiloSottile/edwards25519/blob/v1.1.0/LICENSE,BSD-3-Clause
github.com/Masterminds/goutils,https://github.com/Masterminds/goutils/blob/v1.1.1/LICENSE.txt,Apache-2.0
...

It also works for direct dependencies in that directory:

kratos % go-licenses report github.com/hashicorp/go-retryablehttp 
github.com/hashicorp/go-cleanhttp,https://github.com/hashicorp/go-cleanhttp/blob/v0.5.2/LICENSE,MPL-2.0
github.com/hashicorp/go-retryablehttp,https://github.com/hashicorp/go-retryablehttp/blob/v0.7.7/LICENSE,MPL-2.0

However, again, for the other repo it does not show any dependencies:

kratos %  go-licenses report github.com/ory/kratos
github.com/ory/x,https://github.com/ory/x/blob/v0.0.675/LICENSE,Apache-2.0

aeneasr avatar Dec 30 '24 08:12 aeneasr

Interestingly, I can list the licenses of the dependencies in the ory/x package:

x % go-licenses report github.com/ghodss/yaml
github.com/ghodss/yaml,https://github.com/ghodss/yaml/blob/v1.0.0/LICENSE,MIT
github.com/ghodss/yaml,https://github.com/ghodss/yaml/blob/v1.0.0/LICENSE,BSD-3-Clause
gopkg.in/yaml.v2,https://github.com/go-yaml/yaml/blob/v2.4.0/LICENSE,Apache-2.0

aeneasr avatar Dec 30 '24 08:12 aeneasr

The following command works as a workaround:

go list -f "{{if not .Indirect}}{{.Path}}{{end}}" -m ... | xargs -I {} sh -c '.bin/go-licenses report --template .bin/license-template-go.tpl {}' 2>/dev/null

I have attached the errs.log file, maybe it offers clues as to why the command fails. It contains several false positives.

aeneasr avatar Dec 30 '24 09:12 aeneasr