go-license-report

command module

v0.0.0-...-e22862c Latest Latest Go to latest Published: Feb 26, 2023 License: MIT Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/richardfontana/go-license-report

Links

Open Source Insights

README ¶

go-license-report

This primitive tool creates reports on component licensing of Go binaries built from module-aware source code. It is particularly intended to be used with source bundles generated by Cachito for use in creating corresponding source artifacts available through container registries, but it should work with any (module-aware) Go source repository.

Information on the Go runtime and any non-standard modules distributed with the Go binary release is not provided, on the rationale that it would normally be obtained in some other way (for example, by analyzing the source code of that Go binary release or a Linux distribution's package of it).

Currently, go-license-report has to be run at the top level of the source directory of the project you want to report on and it takes no command-line arguments.

go-license-report assumes that you can determine an approximately complete set of the non-standard dependencies compiled into a Go binary based on the modules reported in the output of 'go list -deps'. Currently, go-license-report generates a TSV file providing the name, version, upstream repository URL, description and license for each reported dependency.

For the name, go-license-report uses the import path for the module. For the version, go-license-report uses the version given by the Go build tools including pseudo-versions.

The tool attempts to extract the other three types of information from the pkgsite, although this may later be replaced by a more sophisticated approach. For the description, the tool attempts to get the first sentence of the README file contents displayed on the relevant pkgsite page, using the sentences tokenizer. This approach actually seems to work well about 90% of the time. See the pkgsite's explanation of its approach to license detection.

Choice of implementation language

The only particular reason this tool is written in Go is that I thought it would be useful educationally given the subject matter. Conceivably, this tool could be extended to provide comparable reports for source repositories in other languages. The most cursory review of the source code will reveal that I am a complete novice at coding in Go.

License

Except where otherwise indicated, this project is licensed under the MIT license.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL