
golicense's Introduction

golicense - Go Binary OSS License Scanner

golicense is a tool that scans compiled Go binaries and can output all the dependencies, their versions, and their respective licenses (if known). golicense only works with Go binaries compiled using Go modules for dependency management.

golicense determines the dependency list quickly and with exact accuracy since it uses metadata from the Go compiler to determine the exact set of dependencies embedded in a compiled Go binary. This excludes dependencies that are not used in the final binary. For example, if a library depends on "foo" in function "F" but "F" is never called, then the dependency "foo" will not be present in the final binary.

golicense is not meant to be a complete replacement for open source compliance companies such as FOSSA or BlackDuck, both of which provide hundreds of additional features related to open source compliance.

Warning: The binary itself must be trusted and untampered with to provide accurate results. It is trivial to modify the dependency information of a compiled binary. This is the opposite side of the same coin as source-based dependency analysis, where the source must not be tampered with.
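The two paragraphs above describe what golicense relies on: the module list the Go linker embeds in a binary, and the fact that this list is only as trustworthy as the binary. The following is an added example, not code from golicense; it reads that embedded list with the standard library's debug/buildinfo package (Go 1.18 or later, an assumption; golicense itself may use a different reader), flattens go.mod "replace" entries to the module that was actually compiled, and cross-checks each module's embedded h1: sum against the source tree's go.sum so that a list which has been edited after the fact, or which contains local replacements with no checksum, is flagged rather than silently reported. SampleBuildInfo and SampleGoSum are constructed fixtures with placeholder hashes, not real data.

```go
package main

import (
	"bufio"
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"sort"
	"strings"
)

// Dep is one module that the Go linker recorded in a binary's build info.
type Dep struct {
	Path    string // module path as compiled into the binary
	Version string
	Sum     string // h1: hash from go.sum; empty for replaced or local modules
}

// DepsFromBuildInfo flattens the embedded module list. A module swapped in by a
// go.mod "replace" directive is recorded under Replace; the replacement is what
// was actually compiled, so that is the path to report and to check.
func DepsFromBuildInfo(bi *debug.BuildInfo) []Dep {
	deps := make([]Dep, 0, len(bi.Deps))
	for _, m := range bi.Deps {
		if m.Replace != nil {
			m = m.Replace
		}
		deps = append(deps, Dep{Path: m.Path, Version: m.Version, Sum: m.Sum})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Path < deps[j].Path })
	return deps
}

// ReadDeps reads the build metadata the linker embedded in a compiled binary.
// A binary built without Go modules carries no module list at all.
func ReadDeps(binaryPath string) ([]Dep, error) {
	bi, err := buildinfo.ReadFile(binaryPath)
	if err != nil {
		return nil, err
	}
	if len(bi.Deps) == 0 {
		return nil, fmt.Errorf("%s: no module dependencies recorded (built without Go modules, or zero dependencies)", binaryPath)
	}
	return DepsFromBuildInfo(bi), nil
}

// ParseGoSum indexes go.sum lines ("path version h1:...") by "path version",
// skipping the "/go.mod" lines, which hash only the module's go.mod file.
func ParseGoSum(text string) map[string]string {
	sums := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums
}

// CrossCheck returns the module paths whose embedded sum is missing from, or
// differs from, the source tree's go.sum. Those rows of a license report should
// not be trusted until the discrepancy has been explained.
func CrossCheck(deps []Dep, gosum map[string]string) []string {
	var suspect []string
	for _, d := range deps {
		want, ok := gosum[d.Path+" "+d.Version]
		if d.Sum == "" || !ok || want != d.Sum {
			suspect = append(suspect, d.Path)
		}
	}
	return suspect
}

// SampleBuildInfo and SampleGoSum are constructed fixtures (the h1: values are
// placeholders, not real hashes) standing in for a real binary and its go.sum.
func SampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{Path: "github.com/example/app", Deps: []*debug.Module{
		{Path: "github.com/hashicorp/errwrap", Version: "v1.0.0", Sum: "h1:CONSTRUCTED-errwrap="},
		{Path: "github.com/hashicorp/go-multierror", Version: "v1.0.0", Sum: "h1:CONSTRUCTED-multierror-CHANGED="},
		{Path: "github.com/gosuri/uilive", Version: "v0.0.4", Sum: "h1:CONSTRUCTED-uilive="},
		{Path: "example.com/fork", Version: "v0.0.0", Replace: &debug.Module{Path: "./fork", Version: "(devel)"}},
	}}
}

const SampleGoSum = `github.com/hashicorp/errwrap v1.0.0 h1:CONSTRUCTED-errwrap=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:CONSTRUCTED-errwrap-gomod=
github.com/hashicorp/go-multierror v1.0.0 h1:CONSTRUCTED-multierror=
`

func main() {
	deps, gosum := DepsFromBuildInfo(SampleBuildInfo()), SampleGoSum
	if len(os.Args) == 3 { // usage: depcheck BINARY go.sum
		d, err := ReadDeps(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		b, err := os.ReadFile(os.Args[2])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		deps, gosum = d, string(b)
	}
	for _, d := range deps {
		fmt.Printf("%-45s %-12s %s\n", d.Path, d.Version, d.Sum)
	}
	for _, p := range CrossCheck(deps, ParseGoSum(gosum)) {
		fmt.Printf("sum missing or mismatched: %s\n", p)
	}
}
```

Run with no arguments to see the fixture, or with a binary path and a go.sum path to check a real build. Of the four fixture modules, the local replacement has no sum, uilive is absent from go.sum, and go-multierror's sum differs, so all three are flagged; only errwrap passes. A go.sum check like this does not make a hostile binary trustworthy, but it catches the case the warning describes, a module list that no longer matches the source it claims to come from.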

Features

  • List dependencies and their associated licenses
  • Cross-reference dependency licenses against an allow/deny list
  • Output reports in the terminal and Excel (XLSX) format
  • Manually specify overrides for specific dependencies if the detection is incorrect.

Example

The example below runs golicense against itself from a recent build.

golicense Example

Installation

To install golicense, download the appropriate release for your platform from the releases page.

You can also compile from source using Go 1.11 or later using standard go build. Please ensure that Go modules are enabled (GOPATH not set or GO111MODULE set to "on").

Usage

golicense is used with one or two required arguments. In the one-argument form, the dependencies and their licenses are listed. In the two-argument form, a configuration file can be given to specify an allow/deny list of licenses and more.

$ golicense [flags] [BINARY]
$ golicense [flags] [CONFIG] [BINARY]

You may also pass multiple binaries (but only if you are providing a CONFIG).

Configuration File

The configuration file can specify allow/deny lists of licenses for reports, license overrides for specific dependencies, and more. The configuration file format is HCL or JSON.

Example (HCL):

allow = ["MIT", "Apache-2.0"]
deny  = ["GNU General Public License v2.0"]

The same configuration in JSON:

{
  "allow": ["MIT", "Apache-2.0"],
  "deny": ["GNU General Public License v2.0"]
}

Supported configurations:

  • allow (array<string>) - A list of names or SPDX IDs of allowed licenses.
  • deny (array<string>) - A list of names or SPDX IDs of denied licenses.
  • override (map<string, string>) - A mapping of Go import identifiers to translate into a specific license by SPDX ID. This can be used to set the license of imports that golicense cannot detect so that reports pass.
  • translate (map<string, string>) - A mapping of Go import identifiers to translate into alternate import identifiers. Example: "gopkg.in/foo/bar.v2" to "github.com/foo/bar". If the map key starts and ends with / then it is treated as a regular expression. In this case, the map value can use \1, \2, etc. to reference capture groups.

GitHub Authentication

golicense uses the GitHub API to look up licenses. This doesn't require any authentication out of the box but will be severely rate limited. It is recommended that you generate a personal access token to increase the rate limit. The personal access token doesn't require any special access unless it needs to look at private repositories you have access to, in which case it should be granted the repo permission. Specify your token using the GITHUB_TOKEN environment variable.

$ export GITHUB_TOKEN=abcd1234
$ golicense ./binary

Excel (XLSX) Reporting Output

If the -out-xlsx flag is specified, then an Excel report is generated and written to the path specified in addition to the terminal output.

$ golicense -out-xlsx=report.xlsx ./my-program

The Excel report contains the list of dependencies, their versions, the detected license, and whether the license is allowed or not. The dependencies are listed in alphabetical order. The row of the dependency will have a green background if everything is okay, a yellow background if a license is unknown, or a red background if a license is denied. An example screenshot is shown below:

Excel Report

Limitations

There are a number of limitations to golicense currently. These are fixable but work hasn't been done to address these yet. If you feel like taking a stab at any of these, please do and contribute!

GitHub API: The license detected by golicense may be incorrect if a GitHub project changes licenses. golicense uses the GitHub API, which only returns the license currently detected; we can't look up licenses for specific commit hashes.

golicense's Issues

Is golicense abandoned?

@mitchellh Can you please shed some light on the status of this project? Do you think you will be able to look into some of the open issues & PRs in the near-ish future or are you busy?
In case of the latter: would you be open to adding contributors to the project?

Release 0.1.2?

@mitchellh First: thanks for the great project!
I found it as I wanted to add an OS license scanner to a CI pipeline.
When do you think there will be a new release? Without the fix for #10 it is quite cumbersome to have a pipeline fail on a forbidden license.

"This executable was compiled without using Go modules"

I just gave it a run with ddev and get

$ golicense ddev
⚠️  "ddev" ⚠️

This executable was compiled without using Go modules or has
zero dependencies. golicense considers this an error (exit code 1).

Well, it uses dep, not go modules... but it has lots in the vendor directory. Most projects haven't converted to modules yet. To test, you can just download ddev from releases.

Allow ignoring specific packages

Awesome project! Thank you :)

I tried running this on a binary that depended on a package in a private repository, and the license for that package could not be found, surely.

It would be nice if the configuration allowed a list of packages to ignore when fetching licenses.

This executable was compiled without using Go modules

I'm trying to get golicense to run on Windows with Go 1.11.2 and modules enabled.
Golicense tells me that the module was not compiled with Go modules or has no dependencies.
Both are not correct.

Error Message:

golicense.exe ro.exe
⚠️  "ro.exe" ⚠️

This executable was compiled without using Go modules or has
zero dependencies. golicense considers this an error (exit code 1).

Go Modules:
GO111MODULE=on

Go Env:

set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\xxx\AppData\Local\go-build
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOOS=windows
set GOPATH=C:\...
set GOPROXY=
set GORACE=
set GOROOT=C:\...
set GOTMPDIR=
set GOTOOLDIR=C:\...
set GCCGO=gccgo
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\...
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\...=/tmp/go-build -gno-record-gcc-switches

go.mod:

module my.corp.com/ro

require (
	cloud.google.com/go v0.32.0 // indirect
	github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf
	github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 // indirect
	github.com/coreos/prometheus-operator v0.25.0 // indirect
	github.com/emicklei/go-restful v2.8.0+incompatible // indirect
	github.com/ghodss/yaml v1.0.0 // indirect
	github.com/go-logr/logr v0.1.0 // indirect
	github.com/go-logr/zapr v0.1.0 // indirect
	github.com/go-openapi/spec v0.17.2 // indirect
	github.com/gogo/protobuf v1.1.1 // indirect
	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b // indirect
	github.com/golang/groupcache v0.0.0-20181024230925-c65c006176ff // indirect
	github.com/golang/mock v1.1.1
	github.com/golang/protobuf v1.2.0 // indirect
	github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c // indirect
	github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect
	github.com/googleapis/gnostic v0.2.0 // indirect
	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
	github.com/hashicorp/golang-lru v0.5.0 // indirect
	github.com/imdario/mergo v0.3.6 // indirect
	github.com/json-iterator/go v1.1.5 // indirect
	github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
	github.com/modern-go/reflect2 v1.0.1 // indirect

	github.com/openshift/api v3.9.0+incompatible // v3.9.0
	github.com/operator-framework/operator-sdk v0.1.0 // v0.1.0
	github.com/pborman/uuid v1.2.0 // indirect
	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
	github.com/pkg/errors v0.8.0 // indirect
	github.com/prometheus/client_golang v0.9.1
	github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910 // indirect
	github.com/prometheus/common v0.0.0-20181020173914-7e9e6cabbd39 // indirect
	github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d // indirect
	github.com/sirupsen/logrus v1.2.0
	github.com/spf13/pflag v1.0.3 // indirect
	github.com/stretchr/testify v1.2.2
	go.uber.org/atomic v1.3.2 // indirect
	go.uber.org/multierr v1.1.0 // indirect
	go.uber.org/zap v1.9.1 // indirect
	golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16 // indirect
	golang.org/x/net v0.0.0-20181102091132-c10e9556a7bc // indirect
	golang.org/x/oauth2 v0.0.0-20181105165119-ca4130e427c7 // indirect
	golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 // indirect
	gopkg.in/inf.v0 v0.9.1 // indirect
	k8s.io/api v0.0.0-20180712090710-2d6f90ab1293 // kubernetes-1.11.2
	k8s.io/apiextensions-apiserver v0.0.0-20180808065829-408db4a50408 // kubernetes-1.11.2
	k8s.io/apimachinery v0.0.0-20180621070125-103fd098999d // kubernetes-1.11.2
	k8s.io/client-go v0.0.0-20180806134042-1f13a808da65 // kubernetes-1.11.2
	k8s.io/kube-openapi v0.0.0-20181031203759-72693cb1fadd // indirect
	sigs.k8s.io/controller-runtime v0.1.4 //  v0.1.4

)

Make errors more visible

Specifically, reporting errors is lacking a bit at the moment. golicense exits with status 1 correctly in the case of a disallowed or unknown license, but it's really hard to get a quick overview of what package failed if you have a lot of dependencies, since it doesn't print something like a summary when it's finished. It requires the user to go back in the terminal/log and look for an emoji/special colour to find the offending package (is there a better way?). This can be a tedious exercise when logs are several thousand lines long and you don't have a key on your keyboard for \u26a0 (⚠).

It doesn't help that golicense seems to detect when a tty is present and switch to plain mode, so you can't run something like golicense | ripgrep '\x{26a0}', as far as I can tell.

I propose adding a summary at the end for failing packages.

go pkg analyze

Hello Everyone!
Is it possible to analyze go pkg files?

ModError:replace a third_party pkg

It's a very common use case when you use a third-party pkg and make your own changes to it.
You use:
replace xxxxx => ./xxxxx
and golicense reports an error.

"Rate limited by github"

Mostly when I get this to work I get a bunch of things like ⚠️ github.com/aws/aws-sdk-go rate limited by GitHub, waiting 46m59.238793s

Seems this may not be altogether practical with github the way it is.

not compiling with goModules on

from root:

GO111MODULE=on go build -o /bin/main main.go
# command-line-arguments
./main.go:36:14: undefined: TermOutput
./main.go:112:10: undefined: MultiOutput
./main.go:114:38: undefined: XLSXOutput
./main.go:151:9: undefined: NewSemaphore
./main.go:162:42: undefined: StatusListener
[go-build] Error 2

go env:

x-MacBook-Pro:bin-parse apple$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/apple/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/apple/workspace/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/opt/go/libexec"
GOTMPDIR=""
GOTOOLDIR="/usr/local/opt/go/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/wp/ff6sz9qs6g71jnm12nj2kbyw0000gp/T/go-build332320505=/tmp/go-build -gno-record-gcc-switches -fno-common"

golicense seems to be not `go get`-able at the moment

Trying to go get in a fresh container, I'm getting this:

$ docker run --rm -it golang:1.11
[...]
Status: Downloaded newer image for golang:1.11
root@ec782cdbbd79:/go# go version
go version go1.11.2 linux/amd64
root@ec782cdbbd79:/go# go get github.com/mitchellh/golicense
package github.com/google/go-github/v18/github: cannot find package "github.com/google/go-github/v18/github" in any of:
	/usr/local/go/src/github.com/google/go-github/v18/github (from $GOROOT)
	/go/src/github.com/google/go-github/v18/github (from $GOPATH)

Can not handle kubectl

Hi, it looks like it cannot handle kubectl (the CLI tool of Kubernetes):

$ which kubectl
/usr/local/bin/kubectl
$ ./golicense /usr/local/bin/kubectl
⚠️  "/usr/local/bin/kubectl" ⚠️

This executable was compiled without using Go modules or has
zero dependencies. golicense considers this an error (exit code 1).
$
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0", GitCommit:"fc32d2f3698e36b93322a3465f63a14e9f0eaead", GitTreeState:"clean", BuildDate:"2018-04-10T12:46:31Z", GoVersion:"go1.9.4", Compiler:"gc", Platform:"linux/amd64"}
$

And can detect its own:

$ ./golicense ./golicense
github.com/hashicorp/go-multierror        Mozilla Public License 2.0
github.com/hashicorp/go-cleanhttp         Mozilla Public License 2.0
github.com/hashicorp/errwrap              Mozilla Public License 2.0
...
github.com/google/go-github               BSD 3-Clause "New" or "Revised" License
github.com/gosuri/uilive                  MIT License
github.com/360EntSecGroup-Skylar/excelize BSD 3-Clause "New" or "Revised" License
github.com/apparentlymart/go-textseg      Apache License 2.0
$

But they are the same, statically linked, so what's wrong with processing kubectl? Thanks!

$ file /usr/local/bin/kubectl
/usr/local/bin/kubectl: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped
$
$ file ./golicense
./golicense: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
$

Support running over multiple binaries at once

For my use case I just need the aggregate license analysis from multiple binaries. The goal here would be to avoid a lot of the duplication that comes from checking multiple binaries individually, which have a lot of shared dependencies.

Support -version argument

Since golicense is distributed in binary form, it would help debugging and differentiation for it to respond to -version in the conventional way.

While go version -m -v /path/to/golicense can provide some detail, this is not necessarily the same thing as a known SemVer identifier. Example:

go version -m -v `which golicense`
/usr/local/bin/golicense: go1.13.4
	path	github.com/mitchellh/golicense
	mod	github.com/mitchellh/golicense	(devel)	
	dep	github.com/360EntSecGroup-Skylar/excelize	v1.4.0	h1:43rak9uafmwSJpXfFO1heKQph8tP3nlfWJWFQQtW1R0=
	...

This is particularly telling because no devel git-ref currently exists in the project.
