Hello 👋
Our organization is using cyclonedx-gomod to help automate software license clearing tasks ahead of our releases. We use the `-licenses` and `-assert-licenses` flags to attach license information to our components, like this:

```shell
$ go tool cyclonedx-gomod app -json -output $(OUTPUT_PATH).cdx.json -std -licenses -assert-licenses -output-version 1.6 -main ./cmd/mycommand
```

In most cases this works well and licenses are detected and asserted correctly in our BOMs. Unfortunately, cyclonedx-gomod has trouble detecting the license for the standard library (`-std`):

```shell
$ go tool cyclonedx-gomod app -json -output $(OUTPUT_PATH).cdx.json -std -licenses -assert-licenses -output-version 1.6 -main ./cmd/mycommand
8:38AM WRN no licenses detected module=std@go1.24.2
$ jq '.components[] | select(.name == "std")' $(OUTPUT_PATH).cdx.json
{
  "bom-ref": "pkg:golang/std@go1.24.2?type=module",
  "type": "library",
  "name": "std",
  "version": "go1.24.2",
  "scope": "required",
  "purl": "pkg:golang/std@go1.24.2?type=module\u0026goos=linux\u0026goarch=amd64"
}
```

We have some automation to massage the SBOM into a format suitable for our own license clearing efforts, which we've considered updating to additionally attach the license for the stdlib, but we thought this might be something worth bringing up here so that the wider community could benefit.
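A post-processing step of the kind the report describes, as an added example (it is not part of the issue or of cyclonedx-gomod): it walks the generated BOM, finds the std component by its purl, and attaches an SPDX license entry only where cyclonedx-gomod detected none. `sampleBOM` is constructed from the component shown above; the `BSD-3-Clause` value and the `attachStdLicense` name are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleBOM is a constructed CycloneDX 1.6 fragment holding the std component
// as cyclonedx-gomod emitted it in the report above (no licenses key).
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.6","components":[{
 "bom-ref":"pkg:golang/std@go1.24.2?type=module","type":"library","name":"std",
 "version":"go1.24.2","scope":"required",
 "purl":"pkg:golang/std@go1.24.2?type=module\u0026goos=linux\u0026goarch=amd64"}]}`

// stdLicense is the SPDX id supplied for std (assumption filled in by this
// example): the Go standard library is BSD-3-Clause licensed.
const stdLicense = "BSD-3-Clause"

// attachStdLicense adds a licenses entry to every component whose purl names
// the Go standard library module and that has none yet. It returns the
// re-encoded BOM and the number of components patched. Decoding into generic
// maps keeps every field cyclonedx-gomod wrote (key order aside).
func attachStdLicense(bom []byte) ([]byte, int, error) {
	var doc map[string]any
	if err := json.Unmarshal(bom, &doc); err != nil {
		return nil, 0, err
	}
	comps, _ := doc["components"].([]any)
	patched := 0
	for _, c := range comps {
		comp, _ := c.(map[string]any) // nil map reads are safe in Go
		purl, _ := comp["purl"].(string)
		if comp["name"] != "std" || !strings.HasPrefix(purl, "pkg:golang/std@") {
			continue
		}
		if _, has := comp["licenses"]; has {
			continue // keep whatever cyclonedx-gomod already detected
		}
		comp["licenses"] = []any{map[string]any{"license": map[string]any{"id": stdLicense}}}
		patched++
	}
	out, err := json.MarshalIndent(doc, "", "  ")
	return out, patched, err
}

func main() {
	out, n, err := attachStdLicense([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("patched %d component(s)\n%s\n", n, out)
}
```

Running it a second time over its own output patches nothing, so the step is safe to keep in a pipeline that may already see a license on std.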