Scan local go mod licenses for golang packages #1645
Conversation
deitch
force-pushed
the
golang-licenses-local
branch
from
dfff145
to
f4b3419
Compare
|
Note: I did not remove the remote package retrieval code, as it has been tested and works. Instead, I put in a |
Signed-off-by: Avi Deitcher <avi@deitcher.net>
deitch
force-pushed
the
golang-licenses-local
branch
from
f4b3419
to
f399e5c
Compare
|
CI is clean. What else can I do to help move this along? |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow
changed the title
Signed-off-by: Keith Zantow <kzantow@gmail.com>
There was a problem hiding this comment.
Deferred resolver stuff for finding resolver outside of the source looks good to me. Thanks for updating this from the fs pattern to the internal resolver stuff.
I just had some minor comments about licenses being nil vs empty and if the check for splitting on the go.mod ever runs into cases where we get 2 parts for a valid module name
kzantow
changed the title
|
Thanks for pushing the rewrite onto it. How does this work now, then? As far as I can tell, you pushed in a few key changes:
Is that about correct? So would golang license searching happen only if the env var is set And if so, would a similar env var enable network search, e.g. Also, why is it And does it work when scanning a go binary, rather than source? (in which case the |
Yes, exactly.
Also correct.
I think that's the idea for the follow-on network search PR, something like that.
It is
It works for scanning both source and go binaries. I hope that all makes sense! |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
|
Based on feedback, I've updated the env var to: |
|
Yup. All clear. I would request (as a user) that we document that capabilities somewhere? Whether CLI flag with |
|
@deitch good call, I'll add it to the configuration section of the documentation. NOTE: you can always dump the application config by running The environment variables are always prefixed by |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
| if err != nil { | ||
| log.Debug("unable to determine user home dir: %v", err) | ||
| } | ||
| goPath = path.Join(homeDir, "go") |
There was a problem hiding this comment.
it doesn't look like we should use the value of homeDir if error != nil... should we return an error instead (and remove the log statement)?
There was a problem hiding this comment.
See above comment. I don't think we should try and recreate the GOPATH. Either it is set and we look there, or it is not, and we do not even try.
If we get requests later that lots of people want us to determine this automatically, we always can add it later.
There was a problem hiding this comment.
actually, I think I like that better. If goPath is empty, then return don't return a resolver to search against at all.
There was a problem hiding this comment.
According to the go docs, the default gopath is:
The GOPATH environment variable specifies the location of your workspace. It defaults to a directory named go inside your home directory, so $HOME/go on Unix, $home/go on Plan 9, and %USERPROFILE%\go (usually C:\Users\YourName\go) on Windows.
Why wouldn't we default to this same location if GOPATH is not explicitly set?
There was a problem hiding this comment.
Unfortunately, you are right. I was thinking that the logic of, "if you set this flag, we will look wherever GOPATH points, trusting that you know where you want us to go; if not, we will not check." But that is not aligned with the go standard, as @kzantow pointed out.
That leaves us with two possibilities, based on two assumptions:
- we assume that the user only wants us to go where they explicitly declare; therefore if
GOPATHis not set, we do not go anywhere. - we assume that the user wants to follow the go standard, whether
GOPATHis implicit or explicit; therefore ifGOPATHis not set, we replicate the logic
Much as I like the first, I think the second is what people will expect. Requiring them to set the env var to enable it is sufficient for them to say, "go where GOPATH takes you, whether explicit or implicit." If you don't want us to go there, do not enable it.
I was hoping the go command's resolution of GOPATH was a library we could just hook into, but not such luck; it is a private func inside src/cmd/go/internal/cfg/, i.e. internal.
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
I just got the train rolling; I think that @kzantow did all of the real heavy lifting here. Either way, I am happy to see this go in. Network-based should be straightforward after that, methinks? |
…e#1645) Signed-off-by: Avi Deitcher <avi@deitcher.net> Co-authored-by: Keith Zantow <kzantow@gmail.com>
Partial replacement for #1630
After discussions with @kzantow , it was decided to split #1630 into 2 PRs: one that scans local
$GOPATH/mod, which is guaranteed to be safe, and another (after) that will take a CLI option to enable pulling down the golang package from the Internet via the GOPROXY, if it is not found in local GOPATH.This is the first part: look for the go package in
GOPATH/mod, and thus has no CLI changes, and does not reach out to the Internet.