go-license-report
This primitive tool creates reports on component licensing of Go
binaries built from module-aware source code. It is particularly
intended to be used with source bundles generated by Cachito for
use in creating corresponding source artifacts available through
container registries, but it should work with any (module-aware) Go
source repository.
Information on the Go runtime and any non-standard modules distributed
with the Go binary release is not provided, on the rationale that it
would normally be obtained in some other way (for example, by
analyzing the source code of that Go binary release or a Linux
distribution's package of it).
Currently, go-license-report has to be run at the top level of the
source directory of the project you want to report on and it takes no
command-line arguments.
go-license-report assumes that you can determine an approximately
complete set of the non-standard dependencies compiled into a Go
binary based on the modules reported in the output of 'go list
-deps'. Currently, go-license-report generates a TSV file providing
the name, version, upstream repository URL, description and license
for each reported dependency.
For the name, go-license-report uses the import path for the
module. For the version, go-license-report uses the version given by
the Go build tools, including pseudo-versions.
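
As an added example (not go-license-report's own code), the following Go program derives the name and version columns from the JSON form of the 'go list -deps' output. The use of the -json flag, the function name moduleRows and the example.com sample data are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type pkg struct { // subset of the fields `go list -json` emits per package
	Standard bool
	Module   *struct {
		Path, Version string
		Main          bool
	}
}

// sampleDeps is constructed input shaped like `go list -deps -json` output.
const sampleDeps = `{"ImportPath":"fmt","Standard":true}
{"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"example.com/lib/a","Module":{"Path":"example.com/lib","Version":"v1.2.0"}}
{"ImportPath":"example.com/lib/b","Module":{"Path":"example.com/lib","Version":"v1.2.0"}}
{"ImportPath":"example.com/x","Module":{"Path":"example.com/x","Version":"v0.0.0-20240101000000-abcdef123456"}}`

// moduleRows returns "name<TAB>version" rows, one per non-standard module, in first-seen order.
func moduleRows(goListJSON string) (rows []string, err error) {
	seen := map[string]bool{}
	for dec := json.NewDecoder(strings.NewReader(goListJSON)); dec.More(); {
		var p pkg
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		if p.Standard || p.Module == nil || p.Module.Main {
			continue // standard library, or the project's own module
		}
		row := p.Module.Path + "\t" + p.Module.Version
		if !seen[row] { // many packages map to one module
			seen[row] = true
			rows = append(rows, row)
		}
	}
	return rows, nil
}

func main() {
	rows, err := moduleRows(sampleDeps)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(rows, "\n"))
}
```
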
The tool attempts to extract the other three types of information from
the pkgsite, although this may later be
replaced by a more sophisticated approach. For the description, the
tool attempts to get the first sentence of the README file contents
displayed on the relevant pkgsite page, using the
sentences tokenizer. This
approach actually seems to work well about 90% of the time. See the
pkgsite's explanation of its
approach to license detection.
Choice of implementation language
The only particular reason this tool is written in Go is that I
thought it would be useful educationally given the subject
matter. Conceivably, this tool could be extended to provide comparable
reports for source repositories in other languages. The most cursory
review of the source code will reveal that I am a complete novice at
coding in Go.
License
Except where otherwise indicated, this project is licensed under the
MIT license.