Go dependencies report licenses as unknown
Summary
We got the ~"license management" to work for Gitaly (gitaly!1076 (merged)). Unfortunately, a lot of dependencies report the license as "unknown", which still means that those have to be checked manually.
Steps to reproduce
Create an MR in the Gitaly project (just change the README) and wait for CI to run the LM job. You can observe the output of the LM job.
We should improve the experience of license scanning. It is also unclear why this happens, as the vendored dependencies actually contain license information:
What is the expected correct behavior?
LM should be able to find all dependencies' licenses.
Findings
This is the current situation with Gitaly at the moment.
We only have 7 dependencies with unknown licenses. When the issue was reported it was 19.
The reason they are shown as unknown is that some of these dependencies don't use any of the following that License Finder supports:
Some of the packages are included indirectly, like github.com/kr/pretty, which is a dependency of a dependency; since those dependencies don't have a proper go.mod setup, LM might not be able to find the license for them properly.
For example, github.com/kr/pretty is used in Gitaly indirectly:
go mod why github.com/kr/pretty
gitlab.com/gitlab-org/gitaly/cmd/gitaly
gitlab.com/gitlab-org/labkit/tracing
gitlab.com/gitlab-org/labkit/tracing/impl
github.com/lightstep/lightstep-tracer-go
github.com/lightstep/lightstep-tracer-go.test
github.com/onsi/gomega
github.com/onsi/gomega/matchers
gopkg.in/yaml.v2
gopkg.in/yaml.v2.test
gopkg.in/check.v1
github.com/kr/pretty
gopkg.in/check.v1 doesn't have any dependency tool set up that LM can work with. It seems this is affecting LM's ability to find the license for github.com/kr/pretty.
I included github.com/kr/pretty as a direct dependency in my own Go project and LM was able to detect it, because github.com/kr/pretty has a proper go.mod setup.
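Since the vendored dependencies do carry license information (as noted in the summary), one way to narrow the manual check is to scan vendor/ directly. The following is an added example, not Gitaly's or License Finder's code: it parses the module headers of vendor/modules.txt and reports which modules ship no license-like file in their vendored copy, assuming the standard vendor/<module path>/ layout and a LICENSE/LICENCE/COPYING-style file name.

```go
package main

import (
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Module is one "# path version" header of vendor/modules.txt; Explicit marks a direct go.mod requirement ("## explicit").
type Module struct {
	Path, Version string
	Explicit      bool
}

// ParseModulesTxt extracts the module headers from vendor/modules.txt content.
func ParseModulesTxt(content string) []Module {
	var mods []Module
	for _, line := range strings.Split(content, "\n") {
		if strings.HasPrefix(line, "## explicit") && len(mods) > 0 {
			mods[len(mods)-1].Explicit = true
		} else if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" {
			mods = append(mods, Module{Path: f[1], Version: f[2]})
		}
	}
	return mods
}

// licenseName matches LICENSE, License, LICENCE.txt, COPYING, LICENSE-MIT and similar.
var licenseName = regexp.MustCompile(`(?i)^(licen[cs]e|copying)([.-].*)?$`)

// HasLicenseFile reports whether dir has a license-like top-level file; an absent or unreadable dir counts as none.
func HasLicenseFile(dir string) bool {
	entries, _ := os.ReadDir(dir)
	for _, e := range entries {
		if !e.IsDir() && licenseName.MatchString(e.Name()) {
			return true
		}
	}
	return false
}

// ModulesWithoutLicense lists modules whose vendored copy ships no license file, i.e. those needing a manual check.
func ModulesWithoutLicense(vendorDir string, mods []Module) []string {
	var missing []string
	for _, m := range mods {
		if !HasLicenseFile(filepath.Join(vendorDir, filepath.FromSlash(m.Path))) {
			missing = append(missing, m.Path)
		}
	}
	return missing
}
```

Modules reported here are the ones whose vendored tree cannot answer the license question at all; the rest can be checked by reading the file the scanner missed.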
Possible fixes
There is no possible fix that we can apply at the moment. Upstream projects and their dependencies have to adopt go.mod.