Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

This project's go.sum contains references to packages released under GPL v3 #1422

Closed
ItalyPaleAle opened this issue Aug 1, 2022 · 7 comments
Closed

This project's go.sum contains references to packages released under GPL v3 #1422

ItalyPaleAle opened this issue Aug 1, 2022 · 7 comments
Labels
bug Something isn't working

Comments

@ItalyPaleAle
Copy link

Although this project is released under an Apache2 license, the go.sum seems to include references to dependencies that are licensed as GPL-3.0-only, as reported by our FOSSA scans (we recently added a dependency on the crane library for some build tools):

unknown

I cannot find any reference to GPL'd dependencies in the go.mod file, and all (?) of the GPL'd deps seem to derive from golangci-lint.

Can you please confirm that this library is indeed licensed as Apache2 and the GPL'd licenses are either included by error, or not actually referenced by the code/library (so that projects depending on this would not be "infected" by the GPL)?
@ItalyPaleAle ItalyPaleAle added the bug Something isn't working label Aug 1, 2022
@imjasonh
Copy link
Collaborator

imjasonh commented Aug 1, 2022

This library is licensed as Apache 2.0.

When determining what dependencies a Go module has, go.mod is always authoritative. go.sum doesn't list current (or possibly even past?) dependencies. It's only a list of all versions and hashes that have ~ever been encountered as a result of managing the module, for the purposes of failing if a previously-seen module@version has an unexpected digest different than what had previously been encountered.

In all cases, it's still correct to delete go.sum from any repo or remove any items from it (though you're exposing yourself to future dependency hash updates) or add items to it (so long as their hashes match what's seen if that module is ever pulled).

@ItalyPaleAle
Copy link
Author

@imjasonh thanks for the quick response.

I understand how go.sum works, and its role in listing current or past dependencies, even transitive ones. It's good to see that there's no (apparent) GPL'd dependency in go.mod.

Sadly, FOSSA (the most common tools used by CNCF projects to scan for dependencies) considers all dependencies listed in go.sum too when scanning for licensing compliance.

If those dependencies are not actually used, do you think it would be possible for a maintainer to clean up the go.sum? What I suspect happened is that some time in the past, golangci-lint was installed with go get (probably before go install was a thing) and that polluted the go.sum file? As long as the dependency was just a linter, it shouldn't cause this module to become infected by the GPL, but scanners could still flag the dependency as non-compliant.

@imjasonh imjasonh mentioned this issue Aug 1, 2022
Closed
@imjasonh
Copy link
Collaborator

imjasonh commented Aug 1, 2022

I'd prefer for FOSSA to generate reliable reports, rather than ask module maintainers to curate their go.sum files.

I've filed fossas/fossa-cli#1008

@imjasonh imjasonh closed this as completed Aug 1, 2022
@imjasonh
Copy link
Collaborator

imjasonh commented Aug 1, 2022

I recommend that you update to the latest version of the FOSSA CLI, which has better overall support for Golang analysis and will ensure that you get any of the updates we release.

fossas/fossa-cli#1008 (comment)

🤷

@zlav
Copy link

zlav commented Aug 1, 2022

Hi @ItalyPaleAle, I wanted to close the loop here in case you are still having issues with license detection in Golang. I'm not entirely sure why we are detecting golangci-lint, but I would recommend filing a ticket with support@fossa.com if you are still blocked.

If you're looking for more information about how we analyze Golang projects, this is a pretty good walkthrough: https://github.com/fossas/fossa-cli/blob/master/docs/references/strategies/languages/golang/gomodules.md. The main reason we rely on a go list command and not on go.mod is because the file does not reliably give us the full dependency graph and often overreports the true dependency graph.

@shubham1172
Copy link
Contributor

shubham1172 commented Aug 2, 2022
edited

I analyzed via FOSSA a bit more and turns out this is not due to go.sum, it's some transitive dependency. For example, this is one of the flagged dependencies
image

Most of the ones that I reviewed manually comes from the same dependency path:

  1. dapr/dapr
  2. google/go-containerregistry v0.9.0 (go.mod)
  3. opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 (go.mod)
  4. golangci/golangci-lint
  5. bad dependencies

The new commits of opencontainers/image-spec no more contain this bad dependency, so if this repository can take up the latest version of opencontainers/image-spec, we won't see this error anymore. PR: #1423

@imjasonh
Copy link
Collaborator

imjasonh commented Aug 2, 2022

Thanks for investigating @shubham1172! Always happy to bump a dependency. :)

@shubham1172 shubham1172 mentioned this issue Aug 2, 2022
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ItalyPaleAle @imjasonh @shubham1172 @zlav