Use go-licenses for Go license attributions (#137)

We're moving away from Snyk in the long term. In addition, Snyk would often be unable to detect the licenses for certain packages consistently.

Author: christian-stephen

.circleci/config.yml

@@ -14,10 +14,17 @@ orbs:
   slack: circleci/slack@5.1.1
   vuln-scanner: cci-internal/vuln-scanner@0.11.3
 
+x-data:
+  go_image: &goimage cimg/go:1.24.0
+
 executors:
+  go-medium:
+    docker:
+      - image: *goimage
+    resource_class: circleci-runner/rum
   go:
     docker:
-      - image: cimg/go:1.24
+      - image: *goimage
     resource_class: circleci-runner/rum-large
   ccc:
     docker:
@@ -47,8 +54,7 @@ workflows:
       - vuln-scanner/vuln_scan:
           context: [ security-scanning, dockerhub-readonly, github-readonly ]
           upload_on_merge: true
-      - oss-acknowledgement-check:
-          requires: [ vuln-scanner/vuln_scan ]
+      - check-license-attributions:
           context: [ org-global ]
       - images:
           context: [ org-global, runner-image-signing ]
@@ -199,27 +205,29 @@ jobs:
                 paths:
                   - environment
 
-  oss-acknowledgement-check:
-    environment:
-      SNYK_LICENSE_RESULT_FILE: "scan_results.csv"
-    executor: go
+  check-license-attributions:
+    executor: go-medium
     steps:
       - checkout
-      - run: 
-          name: "Check Current Direct Dependency Licenses"
-          command: ./do oss_acknowledge
+      - run: ./do license-attributions
       - run:
-          name: "Compare to Existing Licenses"
+          name: "Check all third-party Go licenses are attributed"
           command: |
-            diff <( cat "$SNYK_LICENSE_RESULT_FILE" | sort ) <( cat snyk-project-licenses.csv | sort )
-            if [[ ! "$?" -eq "0" ]];then
-              echo "Open source acknowledgments need to be updated."
-              echo "1) See `./do oss_acknowledgment` for generating new acknowledgements"
-              echo "2) Update the Open Source Acknowledgments documentation for runner-init at: https://github.com/circleci/circleci-docs/blob/master/jekyll/_cci2/runner-init.csv using the generated CSV file"
+            diff_output=$(git diff HEAD -- ./go-project-licenses.csv)
+            if [[ -n "$diff_output" ]]; then
+              echo "Changes detected in 'go-project-licenses.csv':"
+              echo
+              echo "${diff_output}"
+              echo
+              echo "1) Run './do license-attributions' locally and commit the results."
+              echo "2) Update the Open Source Acknowledgments in 'runner-init.csv':"
+              echo "   https://github.com/circleci/circleci-docs/blob/master/jekyll/_cci2/runner-init.csv"
+              echo "   Unknown licenses may require manual intervention."
               exit 1
+            else
+              echo "No changes detected in 'go-project-licenses.csv'."
             fi
-            cat $SNYK_LICENSE_RESULT_FILE
-  
+
   scan:
     executor: ccc
     parallelism: 4

.circleci/oss-scan.go

@@ -18,16 +18,10 @@ build() {
     echo "${BUILD_VERSION:-dev}" | tee ./target/version.txt
 }
 
-help_oss_acknowledge="Populate the license attribution file"
-oss_acknowledge() {
-   # to get around the hard fail for unbound variables
-   TOKEN=${SNYK_TOKEN:-}
-   if [[ -z "${TOKEN}" ]]; then
-      echo "Set \$SNYK_TOKEN with API token from https://app.snyk.io/account"
-      exit 1
-   fi
-   echo "updating snyk-project-licenses.csv with current direct dependency licenses"
-   SNYK_PROJECT_ID="fe17322a-c8ab-442d-96cb-1658da1cd57b" go run .circleci/oss-scan.go
+help_license_attributions="Regenerate the third-party license attributions file."
+license-attributions() {
+  go tool go-licenses report --ignore=gotest  ./... \
+    --template ./templates/licenses-csv.tpl >${LICENSE_ATTRIBUTIONS_FILE:-./go-project-licenses.csv}
 }
 
 # This variable is used, but shellcheck can't tell.

do

@@ -0,0 +1,59 @@
+Name,License
+github.com/DataDog/datadog-go/statsd,MIT
+github.com/alecthomas/kong,MIT
+github.com/cenkalti/backoff/v4,MIT
+github.com/circleci/ex,MIT
+github.com/circleci/runner-init,Apache-2.0
+github.com/facebookgo/clock,MIT
+github.com/facebookgo/limitgroup,BSD-3-Clause
+github.com/facebookgo/muster,BSD-3-Clause
+github.com/fsnotify/fsnotify,BSD-3-Clause
+github.com/gabriel-vasile/mimetype,MIT
+github.com/gin-contrib/sse,MIT
+github.com/gin-gonic/gin,MIT
+github.com/go-logr/logr,Apache-2.0
+github.com/go-logr/stdr,Apache-2.0
+github.com/go-playground/locales,MIT
+github.com/go-playground/universal-translator,MIT
+github.com/go-playground/validator/v10,MIT
+github.com/goccy/go-json,MIT
+github.com/google/go-cmp/cmp,BSD-3-Clause
+github.com/google/uuid,BSD-3-Clause
+github.com/grpc-ecosystem/grpc-gateway/v2,BSD-3-Clause
+github.com/hashicorp/go-reap,MPL-2.0
+github.com/hellofresh/health-go/v5,Apache-2.0
+github.com/honeycombio/beeline-go,Apache-2.0
+github.com/honeycombio/dynsampler-go,Apache-2.0
+github.com/honeycombio/libhoney-go,Apache-2.0
+github.com/klauspost/compress,MIT
+github.com/klauspost/compress,Apache-2.0
+github.com/klauspost/compress,BSD-3-Clause
+github.com/klauspost/compress/internal/snapref,BSD-3-Clause
+github.com/klauspost/compress/zstd/internal/xxhash,MIT
+github.com/leodido/go-urn,MIT
+github.com/mattn/go-isatty,MIT
+github.com/pelletier/go-toml/v2,MIT
+github.com/rollbar/rollbar-go,MIT
+github.com/ugorji/go/codec,MIT
+github.com/vmihailenco/msgpack/v5,BSD-2-Clause
+github.com/vmihailenco/tagparser/v2,BSD-2-Clause
+go.opentelemetry.io/auto/sdk,Apache-2.0
+go.opentelemetry.io/otel,Apache-2.0
+go.opentelemetry.io/otel/exporters/otlp/otlptrace,Apache-2.0
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,Apache-2.0
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp,Apache-2.0
+go.opentelemetry.io/otel/metric,Apache-2.0
+go.opentelemetry.io/otel/sdk,Apache-2.0
+go.opentelemetry.io/otel/trace,Apache-2.0
+go.opentelemetry.io/proto/otlp,Apache-2.0
+golang.org/x/crypto/sha3,BSD-3-Clause
+golang.org/x/net,BSD-3-Clause
+golang.org/x/sync/errgroup,BSD-3-Clause
+golang.org/x/sys,BSD-3-Clause
+golang.org/x/text,BSD-3-Clause
+google.golang.org/genproto/googleapis/api/httpbody,Apache-2.0
+google.golang.org/genproto/googleapis/rpc,Apache-2.0
+google.golang.org/grpc,Apache-2.0
+google.golang.org/protobuf,BSD-3-Clause
+gopkg.in/alexcesaro/statsd.v2,MIT
+gopkg.in/yaml.v3,MIT

go-project-licenses.csv

@@ -274,9 +274,11 @@ require (
 	github.com/google/go-containerregistry v0.20.3 // indirect
 	github.com/google/go-github/v55 v55.0.0 // indirect
 	github.com/google/go-github/v63 v63.0.0 // indirect
+	github.com/google/go-licenses/v2 v2.0.0-alpha.1 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/ko v0.15.4 // indirect
+	github.com/google/licenseclassifier/v2 v2.0.0 // indirect
 	github.com/google/rpmpack v0.6.1-0.20240329070804-c2247cbb881a // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
@@ -412,6 +414,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/otiai10/copy v1.14.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
@@ -619,6 +622,7 @@ require (
 
 tool (
 	github.com/golangci/golangci-lint/cmd/golangci-lint
+	github.com/google/go-licenses/v2
 	github.com/goreleaser/goreleaser/v2
 	github.com/sigstore/cosign/v2/cmd/cosign
 	gotest.tools/gotestsum