License Scanning: Disable using vendored dependencies to detect licenses in golang projects

Summary

GitLab CI's license_scanning job returns an error for Go projects that use Go modules together with vendored dependencies.

Steps to reproduce

  1. Create a Go project that uses Go modules for dependency management.
  2. Run go mod vendor to vendor the dependencies into a directory named vendor.
  3. Include the license_scanning job in your project's GitLab CI file.

Example Project

https://gitlab.com/heila/golang-license-bug

What is the current bug behavior?

The license_scanning job completes successfully, but it does not show any licenses because the go list command fails:

https://gitlab.com/heila/golang-license-bug/-/jobs/572935024#L49

 ERROR -- : go list -m: can't compute 'all' using the vendor directory
	(Use -mod=mod or -mod=readonly to bypass.)

What is the expected correct behavior?

The license_scanning job successfully completes with the licenses detected and shown in a tab on the pipeline.

heila/golang-license-bug!2 https://gitlab.com/heila/golang-license-bug/pipelines/150872238 https://gitlab.com/heila/golang-license-bug/-/jobs/572939271

Output of checks

This bug happens on GitLab.com

Possible fixes

The license_scanning job was working before, but in a [recent commit](https://gitlab.com/gitlab-org/security-products/license-management/-/blob/0b976fcffe0a9b8e80587adb076bcdf279c9331c/config/.tool-versions) the Go version was bumped to 1.14. This version of Go implicitly adds the -mod=vendor flag to all go commands. However, there is a known issue that go list all does not work with vendoring:

https://github.com/golang/go/issues/35589#issuecomment-554488544 https://github.com/golang/go/issues/33848#issuecomment-537222782

Dependency analysis: Because the approach proposed here does not retain go.mod files for modules that do not contribute packages to the build (including older-than-selected versions of packages that do contribute packages), the vendor directory will not support analysis of the module graph (go list -m all, go mod why -m, and go mod graph).

My proposal to fix this issue is to disable using the vendor directory to determine dependencies. I have submitted an MR as a possible fix for this bug.
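As an added illustration of the workaround proposed above (this is not the license_scanning job's code nor the MR's), the script below decides when Go 1.14 would silently consult vendor/ and builds a go list -m all invocation that bypasses it with -mod=mod. It relies on Go 1.14's documented default, which enables -mod=vendor when a top-level vendor directory exists and go.mod declares go 1.14 or newer; the function names and the optional project-directory argument are this example's own.

```shell
#!/bin/sh
# Added example: pick the right `go list -m all` flags for license detection
# on a Go-modules project that may have vendored its dependencies.
# Only the optional final run needs the `go` tool installed.

# Print the `go` directive of a go.mod file (for example "1.14"), or nothing.
go_directive() {
  [ -f "$1/go.mod" ] || return 0
  awk '$1 == "go" { print $2; exit }' "$1/go.mod"
}

# Succeed (exit 0) when Go 1.14+ would default to -mod=vendor for this
# module: a top-level vendor/ directory exists AND go.mod declares go >= 1.14.
uses_vendor_by_default() {
  dir="$1"
  [ -d "$dir/vendor" ] || return 1
  v=$(go_directive "$dir")
  [ -n "$v" ] || return 1
  major=${v%%.*}
  minor=${v#*.}; minor=${minor%%.*}
  [ "$major" -gt 1 ] 2>/dev/null && return 0
  [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]
}

# Build the module-listing command. -mod=mod is added only when the vendor
# directory would otherwise be used, so unvendored projects keep the default.
module_list_cmd() {
  if uses_vendor_by_default "$1"; then
    echo "go list -m -mod=mod all"
  else
    echo "go list -m all"
  fi
}

# Usage: sh this_script.sh /path/to/project  (runs the chosen command there)
if [ "$#" -gt 0 ]; then
  cmd=$(module_list_cmd "$1")
  echo "Running in $1: $cmd"
  ( cd "$1" && $cmd )
fi
```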

~bug devopssecure ~"Category:License Compliance"