-
Notifications
You must be signed in to change notification settings - Fork 521
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scan local go mod licenses for golang packages #1645
Conversation
dfff145
to
f4b3419
Compare
Note: I did not remove the remote package retrieval code, as it has been tested and works. Instead, I put in a |
Signed-off-by: Avi Deitcher <avi@deitcher.net>
f4b3419
to
f399e5c
Compare
CI is clean. What else can I do to help move this along? |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Deferred resolver stuff for finding resolver
outside of the source looks good to me. Thanks for updating this from the fs pattern to the internal resolver stuff.
I just had some minor comments about licenses being nil vs empty and if the check for splitting on the go.mod ever runs into cases where we get 2 parts for a valid module name
Thanks for pushing the rewrite onto it. How does this work now, then? As far as I can tell, you pushed in a few key changes:
Is that about correct? So would golang license searching happen only if the env var is set And if so, would a similar env var enable network search, e.g. Also, why is it And does it work when scanning a go binary, rather than source? (in which case the |
Yes, exactly.
Also correct.
I think that's the idea for the follow-on network search PR, something like that.
It is
It works for scanning both source and go binaries. I hope that all makes sense! |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Based on feedback, I've updated the env var to: |
Yup. All clear. I would request (as a user) that we document that capabilities somewhere? Whether CLI flag with |
@deitch good call, I'll add it to the configuration section of the documentation. NOTE: you can always dump the application config by running
The environment variables are always prefixed by |
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
if err != nil { | ||
log.Debug("unable to determine user home dir: %v", err) | ||
} | ||
goPath = path.Join(homeDir, "go") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it doesn't look like we should use the value of homeDir
if error != nil... should we return an error instead (and remove the log statement)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See above comment. I don't think we should try and recreate the GOPATH
. Either it is set and we look there, or it is not, and we do not even try.
If we get requests later that lots of people want us to determine this automatically, we always can add it later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
actually, I think I like that better. If goPath
is empty, then return don't return a resolver to search against at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the go docs, the default gopath is:
The GOPATH environment variable specifies the location of your workspace. It defaults to a directory named go inside your home directory, so $HOME/go on Unix, $home/go on Plan 9, and %USERPROFILE%\go (usually C:\Users\YourName\go) on Windows.
Why wouldn't we default to this same location if GOPATH is not explicitly set?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, you are right. I was thinking that the logic of, "if you set this flag, we will look wherever GOPATH
points, trusting that you know where you want us to go; if not, we will not check." But that is not aligned with the go standard, as @kzantow pointed out.
That leaves us with two possibilities, based on two assumptions:
- we assume that the user only wants us to go where they explicitly declare; therefore if
GOPATH
is not set, we do not go anywhere. - we assume that the user wants to follow the go standard, whether
GOPATH
is implicit or explicit; therefore ifGOPATH
is not set, we replicate the logic
Much as I like the first, I think the second is what people will expect. Requiring them to set the env var to enable it is sufficient for them to say, "go where GOPATH takes you, whether explicit or implicit." If you don't want us to go there, do not enable it.
I was hoping the go
command's resolution of GOPATH was a library we could just hook into, but not such luck; it is a private func inside src/cmd/go/internal/cfg/
, i.e. internal.
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just got the train rolling; I think that @kzantow did all of the real heavy lifting here. Either way, I am happy to see this go in. Network-based should be straightforward after that, methinks? |
…e#1645) Signed-off-by: Avi Deitcher <avi@deitcher.net> Co-authored-by: Keith Zantow <kzantow@gmail.com>
Partial replacement for #1630
After discussions with @kzantow , it was decided to split #1630 into 2 PRs: one that scans local
$GOPATH/mod
, which is guaranteed to be safe, and another (after) that will take a CLI option to enable pulling down the golang package from the Internet via the GOPROXY, if it is not found in local GOPATH.This is the first part: look for the go package in
GOPATH/mod
, and thus has no CLI changes, and does not reach out to the Internet.