
Commit f545a4f

committedMar 4, 2025
Use go-licenses for Go license attributions
We're moving away from Snyk in the long term. In addition, Snyk would often be unable to detect the licenses for certain packages consistently.
1 parent c9d4c23 commit f545a4f


8 files changed

+102
-249
lines changed


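--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -14,10 +14,17 @@ orbs:
 slack: circleci/slack@5.1.1
 vuln-scanner: cci-internal/vuln-scanner@0.11.3
 
+x-data:
+go_image: &goimage cimg/go:1.24.0
+
 executors:
+go-medium:
+docker:
+- image: *goimage
+resource_class: circleci-runner/rum
 go:
 docker:
-- image: cimg/go:1.24
+- image: *goimage
 resource_class: circleci-runner/rum-large
 ccc:
 docker:
@@ -47,8 +54,7 @@ workflows:
 - vuln-scanner/vuln_scan:
 context: [ security-scanning, dockerhub-readonly, github-readonly ]
 upload_on_merge: true
-- oss-acknowledgement-check:
-requires: [ vuln-scanner/vuln_scan ]
+- check-license-attributions:
 context: [ org-global ]
 - images:
 context: [ org-global, runner-image-signing ]
@@ -199,27 +205,29 @@ jobs:
 paths:
 - environment
 
-oss-acknowledgement-check:
-environment:
-SNYK_LICENSE_RESULT_FILE: "scan_results.csv"
-executor: go
+check-license-attributions:
+executor: go-medium
 steps:
 - checkout
-- run:
-name: "Check Current Direct Dependency Licenses"
-command: ./do oss_acknowledge
+- run: ./do license-attributions
 - run:
-name: "Compare to Existing Licenses"
+name: "Check all third-party Go licenses are attributed"
 command: |
-diff <( cat "$SNYK_LICENSE_RESULT_FILE" | sort ) <( cat snyk-project-licenses.csv | sort )
-if [[ ! "$?" -eq "0" ]];then
-echo "Open source acknowledgments need to be updated."
-echo "1) See `./do oss_acknowledgment` for generating new acknowledgements"
-echo "2) Update the Open Source Acknowledgments documentation for runner-init at: https://github.com/circleci/circleci-docs/blob/master/jekyll/_cci2/runner-init.csv using the generated CSV file"
+diff_output=$(git diff HEAD -- ./go-project-licenses.csv)
+if [[ -n "$diff_output" ]]; then
+echo "Changes detected in 'go-project-licenses.csv':"
+echo
+echo "${diff_output}"
+echo
+echo "1) Run './do license-attributions' locally and commit the results."
+echo "2) Update the Open Source Acknowledgments in 'runner-init.csv':"
+echo " https://github.com/circleci/circleci-docs/blob/master/jekyll/_cci2/runner-init.csv"
+echo " Unknown licenses may require manual intervention."
 exit 1
+else
+echo "No changes detected in 'go-project-licenses.csv'."
 fi
-cat $SNYK_LICENSE_RESULT_FILE
-
+
 scan:
 executor: ccc
 parallelism: 4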
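Review bot: The drift check in the third hunk only fails when go-project-licenses.csv differs from HEAD, so a dependency whose license go-licenses could not classify passes CI once that row has been committed, even though the job's own message says unknown licenses need manual attention. A content check before the diff, e.g. `if grep -q ',Unknown,' ./go-project-licenses.csv; then echo "Unclassified license in go-project-licenses.csv"; exit 1; fi`, would make an unattributed dependency fail the job instead of slipping through on a clean diff; I'm assuming `Unknown` is the placeholder the classifier emits, so confirm the exact string against the template. It is also worth deciding deliberately whether a non-zero exit from the `git diff` inside `$(...)` should abort the step under the CI shell's default error options or be reported through the same message path.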

‎.circleci/oss-scan.go

-212
This file was deleted.

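--- a/do
+++ b/do
@@ -18,16 +18,10 @@ build() {
 echo "${BUILD_VERSION:-dev}" | tee ./target/version.txt
 }
 
-help_oss_acknowledge="Populate the license attribution file"
-oss_acknowledge() {
-# to get around the hard fail for unbound variables
-TOKEN=${SNYK_TOKEN:-}
-if [[ -z "${TOKEN}" ]]; then
-echo "Set \$SNYK_TOKEN with API token from https://app.snyk.io/account"
-exit 1
-fi
-echo "updating snyk-project-licenses.csv with current direct dependency licenses"
-SNYK_PROJECT_ID="fe17322a-c8ab-442d-96cb-1658da1cd57b" go run .circleci/oss-scan.go
+help_license_attributions="Regenerate the third-party license attributions file."
+license-attributions() {
+go tool go-licenses report --ignore=gotest ./... \
+--template ./templates/licenses-csv.tpl >${LICENSE_ATTRIBUTIONS_FILE:-./go-project-licenses.csv}
 }
 
 # This variable is used, but shellcheck can't tell.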
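Review bot: The redirection in `license-attributions` truncates the target file before `go tool go-licenses` produces any output, so a failed or interrupted run leaves an empty or partial go-project-licenses.csv in the working tree, and the unquoted `${LICENSE_ATTRIBUTIONS_FILE:-…}` expansion is subject to word splitting and globbing. Writing to a temporary file and moving it into place only after the report succeeds avoids both problems. Separately, the help variable is `help_license_attributions` while the function is named `license-attributions`; if the script's dispatcher derives the help key from the function name (the dispatch code is outside this hunk), the hyphenated name cannot form a valid variable name and the help text will not be found.
```shell
license-attributions() {
  local target="${LICENSE_ATTRIBUTIONS_FILE:-./go-project-licenses.csv}"
  local tmp
  tmp="$(mktemp)"
  go tool go-licenses report --ignore=gotest ./... \
    --template ./templates/licenses-csv.tpl >"$tmp"
  mv "$tmp" "$target"
}
```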

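--- a/go-project-licenses.csv
+++ b/go-project-licenses.csv
@@ -0,0 +1,59 @@
+Name,License,URL
+github.com/DataDog/datadog-go/statsd,MIT,https://github.com/DataDog/datadog-go/blob/v4.8.3/LICENSE.txt
+github.com/alecthomas/kong,MIT,https://github.com/alecthomas/kong/blob/v1.8.1/COPYING
+github.com/cenkalti/backoff/v4,MIT,https://github.com/cenkalti/backoff/blob/v4.3.0/LICENSE
+github.com/circleci/ex,MIT,https://github.com/circleci/ex/blob/v1.0.14377-f64ffce/LICENSE
+github.com/circleci/runner-init,Apache-2.0,https://github.com/circleci/runner-init/blob/HEAD/LICENSE
+github.com/facebookgo/clock,MIT,https://github.com/facebookgo/clock/blob/600d898af40a/LICENSE
+github.com/facebookgo/limitgroup,BSD-3-Clause,https://github.com/facebookgo/limitgroup/blob/6abd8d71ec01/license
+github.com/facebookgo/muster,BSD-3-Clause,https://github.com/facebookgo/muster/blob/fd3d7953fd52/license
+github.com/fsnotify/fsnotify,BSD-3-Clause,https://github.com/fsnotify/fsnotify/blob/v1.8.0/LICENSE
+github.com/gabriel-vasile/mimetype,MIT,https://github.com/gabriel-vasile/mimetype/blob/v1.4.8/LICENSE
+github.com/gin-contrib/sse,MIT,https://github.com/gin-contrib/sse/blob/v0.1.0/LICENSE
+github.com/gin-gonic/gin,MIT,https://github.com/gin-gonic/gin/blob/v1.10.0/LICENSE
+github.com/go-logr/logr,Apache-2.0,https://github.com/go-logr/logr/blob/v1.4.2/LICENSE
+github.com/go-logr/stdr,Apache-2.0,https://github.com/go-logr/stdr/blob/v1.2.2/LICENSE
+github.com/go-playground/locales,MIT,https://github.com/go-playground/locales/blob/v0.14.1/LICENSE
+github.com/go-playground/universal-translator,MIT,https://github.com/go-playground/universal-translator/blob/v0.18.1/LICENSE
+github.com/go-playground/validator/v10,MIT,https://github.com/go-playground/validator/blob/v10.24.0/LICENSE
+github.com/goccy/go-json,MIT,https://github.com/goccy/go-json/blob/v0.10.5/LICENSE
+github.com/google/go-cmp/cmp,BSD-3-Clause,https://github.com/google/go-cmp/blob/v0.7.0/LICENSE
+github.com/google/uuid,BSD-3-Clause,https://github.com/google/uuid/blob/v1.6.0/LICENSE
+github.com/grpc-ecosystem/grpc-gateway/v2,BSD-3-Clause,https://github.com/grpc-ecosystem/grpc-gateway/blob/v2.25.1/LICENSE
+github.com/hashicorp/go-reap,MPL-2.0,https://github.com/hashicorp/go-reap/blob/bf69c61a7b71/LICENSE
+github.com/hellofresh/health-go/v5,Apache-2.0,https://github.com/hellofresh/health-go/blob/v5.5.3/LICENSE.txt
+github.com/honeycombio/beeline-go,Apache-2.0,https://github.com/honeycombio/beeline-go/blob/v1.18.0/LICENSE
+github.com/honeycombio/dynsampler-go,Apache-2.0,https://github.com/honeycombio/dynsampler-go/blob/v0.6.0/LICENSE
+github.com/honeycombio/libhoney-go,Apache-2.0,https://github.com/honeycombio/libhoney-go/blob/v1.25.0/LICENSE
+github.com/klauspost/compress,MIT,https://github.com/klauspost/compress/blob/v1.18.0/LICENSE
+github.com/klauspost/compress,Apache-2.0,https://github.com/klauspost/compress/blob/v1.18.0/LICENSE
+github.com/klauspost/compress,BSD-3-Clause,https://github.com/klauspost/compress/blob/v1.18.0/LICENSE
+github.com/klauspost/compress/internal/snapref,BSD-3-Clause,https://github.com/klauspost/compress/blob/v1.18.0/internal/snapref/LICENSE
+github.com/klauspost/compress/zstd/internal/xxhash,MIT,https://github.com/klauspost/compress/blob/v1.18.0/zstd/internal/xxhash/LICENSE.txt
+github.com/leodido/go-urn,MIT,https://github.com/leodido/go-urn/blob/v1.4.0/LICENSE
+github.com/mattn/go-isatty,MIT,https://github.com/mattn/go-isatty/blob/v0.0.20/LICENSE
+github.com/pelletier/go-toml/v2,MIT,https://github.com/pelletier/go-toml/blob/v2.2.3/LICENSE
+github.com/rollbar/rollbar-go,MIT,https://github.com/rollbar/rollbar-go/blob/v1.4.5/LICENSE
+github.com/ugorji/go/codec,MIT,https://github.com/ugorji/go/blob/codec/v1.2.12/codec/LICENSE
+github.com/vmihailenco/msgpack/v5,BSD-2-Clause,https://github.com/vmihailenco/msgpack/blob/v5.4.1/LICENSE
+github.com/vmihailenco/tagparser/v2,BSD-2-Clause,https://github.com/vmihailenco/tagparser/blob/v2.0.0/LICENSE
+go.opentelemetry.io/auto/sdk,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go-instrumentation/blob/sdk/v1.1.0/sdk/LICENSE
+go.opentelemetry.io/otel,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/v1.34.0/LICENSE
+go.opentelemetry.io/otel/exporters/otlp/otlptrace,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/otlptrace/v1.34.0/exporters/otlp/otlptrace/LICENSE
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/otlptrace/otlptracegrpc/v1.34.0/exporters/otlp/otlptrace/otlptracegrpc/LICENSE
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/exporters/otlp/otlptrace/otlptracehttp/v1.34.0/exporters/otlp/otlptrace/otlptracehttp/LICENSE
+go.opentelemetry.io/otel/metric,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/metric/v1.34.0/metric/LICENSE
+go.opentelemetry.io/otel/sdk,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/sdk/v1.34.0/sdk/LICENSE
+go.opentelemetry.io/otel/trace,Apache-2.0,https://github.com/open-telemetry/opentelemetry-go/blob/trace/v1.34.0/trace/LICENSE
+go.opentelemetry.io/proto/otlp,Apache-2.0,https://github.com/open-telemetry/opentelemetry-proto-go/blob/otlp/v1.5.0/otlp/LICENSE
+golang.org/x/crypto/sha3,BSD-3-Clause,https://cs.opensource.google/go/x/crypto/+/v0.33.0:LICENSE
+golang.org/x/net,BSD-3-Clause,https://cs.opensource.google/go/x/net/+/v0.35.0:LICENSE
+golang.org/x/sync/errgroup,BSD-3-Clause,https://cs.opensource.google/go/x/sync/+/v0.11.0:LICENSE
+golang.org/x/sys,BSD-3-Clause,https://cs.opensource.google/go/x/sys/+/v0.30.0:LICENSE
+golang.org/x/text,BSD-3-Clause,https://cs.opensource.google/go/x/text/+/v0.22.0:LICENSE
+google.golang.org/genproto/googleapis/api/httpbody,Apache-2.0,https://github.com/googleapis/go-genproto/blob/1a7da9e5054f/googleapis/api/LICENSE
+google.golang.org/genproto/googleapis/rpc,Apache-2.0,https://github.com/googleapis/go-genproto/blob/29210b9bc287/googleapis/rpc/LICENSE
+google.golang.org/grpc,Apache-2.0,https://github.com/grpc/grpc-go/blob/v1.70.0/LICENSE
+google.golang.org/protobuf,BSD-3-Clause,https://github.com/protocolbuffers/protobuf-go/blob/v1.36.5/LICENSE
+gopkg.in/alexcesaro/statsd.v2,MIT,https://github.com/alexcesaro/statsd/blob/v2.0.0/LICENSE
+gopkg.in/yaml.v3,MIT,https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE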

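--- a/go.mod
+++ b/go.mod
@@ -274,9 +274,11 @@ require (
 github.com/google/go-containerregistry v0.20.3 // indirect
 github.com/google/go-github/v55 v55.0.0 // indirect
 github.com/google/go-github/v63 v63.0.0 // indirect
+github.com/google/go-licenses/v2 v2.0.0-alpha.1 // indirect
 github.com/google/go-querystring v1.1.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/ko v0.15.4 // indirect
+github.com/google/licenseclassifier/v2 v2.0.0 // indirect
 github.com/google/rpmpack v0.6.1-0.20240329070804-c2247cbb881a // indirect
 github.com/google/s2a-go v0.1.9 // indirect
 github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
@@ -412,6 +414,7 @@ require (
 github.com/opencontainers/go-digest v1.0.0 // indirect
 github.com/opencontainers/image-spec v1.1.0 // indirect
 github.com/opentracing/opentracing-go v1.2.0 // indirect
+github.com/otiai10/copy v1.14.0 // indirect
 github.com/pborman/uuid v1.2.1 // indirect
 github.com/pelletier/go-toml v1.9.5 // indirect
 github.com/pelletier/go-toml/v2 v2.2.3 // indirect
@@ -619,6 +622,7 @@ require (
 
 tool (
 github.com/golangci/golangci-lint/cmd/golangci-lint
+github.com/google/go-licenses/v2
 github.com/goreleaser/goreleaser/v2
 github.com/sigstore/cosign/v2/cmd/cosign
 gotest.tools/gotestsum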
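Review bot: The new `tool` entry pins `github.com/google/go-licenses/v2` at the pre-release `v2.0.0-alpha.1` with no note on why that line was chosen, so a future dependency refresh may "upgrade" or downgrade it without realising the report template depends on it; a short `// pre-release pinned on purpose: <reason>` comment beside the pin in the tool block would settle that. Because `go tool` resolves the binary through the main module's graph, the tool and the transitive modules this hunk adds (`licenseclassifier/v2`, `otiai10/copy`) now live in go.mod alongside runtime dependencies, so they should get the same `go mod verify` and vulnerability-scan coverage as the rest; the matching go.sum change is not visible on this page, so I can't confirm the checksums were recorded.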
