This project's go.sum contains references to packages released under GPL v3 #1422
Comments
This library is licensed as Apache 2.0. When determining what dependencies a Go module has, In all cases, it's still correct to delete |
@imjasonh thanks for the quick response. I understand how Sadly, FOSSA (the most common tool used by CNCF projects to scan for dependencies) considers all dependencies listed in If those dependencies are not actually used, do you think it would be possible for a maintainer to clean up the |
I'd prefer for FOSSA to generate reliable reports, rather than ask module maintainers to curate their I've filed fossas/fossa-cli#1008 |
fossas/fossa-cli#1008 (comment) 🤷 |
Hi @ItalyPaleAle, I wanted to close the loop here in case you are still having issues with license detection in Golang. I'm not entirely sure why we are detecting golangci-lint, but I would recommend filing a ticket with support@fossa.com if you are still blocked. If you're looking for more information about how we analyze Golang projects, this is a pretty good walkthrough: https://github.com/fossas/fossa-cli/blob/master/docs/references/strategies/languages/golang/gomodules.md. The main reason we rely on a |
I analyzed via FOSSA a bit more and it turns out this is not due to go.sum; it's some transitive dependency. For example, this is one of the flagged dependencies Most of the ones that I reviewed manually come from the same dependency path:
The new commits of opencontainers/image-spec no longer contain this bad dependency, so if this repository can take up the latest version of opencontainers/image-spec, we won't see this error anymore. PR: #1423 |
Thanks for investigating @shubham1172! Always happy to bump a dependency. :) |
Although this project is released under an Apache2 license, the `go.sum` seems to include references to dependencies that are licensed as GPL-3.0-only, as reported by our FOSSA scans (we recently added a dependency on the crane library for some build tools):

I cannot find any reference to GPL'd dependencies in the `go.mod` file, and all (?) of the GPL'd deps seem to derive from golangci-lint.

Can you please confirm that this library is indeed licensed as Apache2 and the GPL'd licenses are either included by error, or not actually referenced by the code/library (so that projects depending on this would not be "infected" by the GPL)?
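The thread turns on the difference between `go.sum` (checksums for every module the `go` command has ever needed to verify, including modules that are not part of the build) and `go.mod` (the modules the build actually requires). The program below is an added example, not code from this repository or from FOSSA: it parses a constructed `go.mod` and `go.sum` pair and lists the module paths that have checksums but are not required, which is a quick first filter when a scanner flags a module you cannot find in `go.mod`. The module names in the sample files are made up. With a `go` directive of 1.17 or later, `go.mod` lists every module that provides a package in the build (as `// indirect`), so a `go.sum`-only entry is a strong hint the module is not built; with older module files, indirect modules may be missing from `go.mod`, and the authoritative check for any one module remains `go mod why -m <module>`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample files for this example; they are not the real go.mod
// and go.sum of any project. Module paths and hashes are placeholders.
const sampleGoMod = `module example.com/app

go 1.19

require (
	github.com/opencontainers/image-spec v1.0.2 // indirect
	golang.org/x/text v0.3.7
)

require github.com/google/go-containerregistry v0.12.0
`

const sampleGoSum = `github.com/google/go-containerregistry v0.12.0 h1:AAAA
github.com/google/go-containerregistry v0.12.0/go.mod h1:BBBB
github.com/opencontainers/image-spec v1.0.2 h1:CCCC
github.com/opencontainers/image-spec v1.0.2/go.mod h1:DDDD
github.com/example/some-linter v1.2.3/go.mod h1:EEEE
golang.org/x/text v0.3.7 h1:FFFF
golang.org/x/text v0.3.7/go.mod h1:GGGG
`

// RequiredModules parses go.mod text and returns the set of module paths
// named in require directives, both the block form and the single-line form,
// direct and "// indirect" alike. replace/exclude directives are ignored.
func RequiredModules(goMod string) map[string]bool {
	required := map[string]bool{}
	inBlock := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comments
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				required[f[0]] = true
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				required[f[1]] = true
			}
		}
	}
	return required
}

// SumModules parses go.sum text and returns the set of module paths that
// have any checksum line, whether for the module zip or only for its go.mod
// (the "<version>/go.mod" form, which exists for modules that were consulted
// during resolution but not necessarily downloaded or built).
func SumModules(goSum string) map[string]bool {
	mods := map[string]bool{}
	for _, raw := range strings.Split(goSum, "\n") {
		f := strings.Fields(raw)
		if len(f) != 3 { // module version hash
			continue
		}
		mods[f[0]] = true
	}
	return mods
}

// SumOnlyModules returns, sorted, the module paths present in go.sum but not
// required by go.mod: the candidates a checksum-based scan may report even
// though they are not part of the build. Confirm each with `go mod why -m`.
func SumOnlyModules(goMod, goSum string) []string {
	required := RequiredModules(goMod)
	var out []string
	for m := range SumModules(goSum) {
		if !required[m] {
			out = append(out, m)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, m := range SumOnlyModules(sampleGoMod, sampleGoSum) {
		fmt.Printf("in go.sum but not required by go.mod: %s\n", m)
	}
}
```

Run against a real module by reading the two files from disk instead of the constants; the only module reported for the sample input is the made-up linter, whose sole `go.sum` line is a `/go.mod` checksum, exactly the shape of entry that a scanner working from `go.sum` alone would misreport as a dependency.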