Thanks for cyclonedx-gomod! 😄
The tool works well for open-source dependencies, but we're experiencing some issues when using it with internal project libraries.
Our setup:
- We use internal libraries from a private GitLab instance
- GOPATH contains the related packages
When running:
cyclonedx-gomod mod -assert-licenses -json -licenses -output-version 1.6 -output sbom.json
We observe warnings that no licenses are detected for our internal libraries from the private GitLab instance. However, we can see the license files (LICENSE.md) in the GOPATH for these packages.
Expected behavior:
- License files should be identified for internal libraries
- For non-standard licenses (unlike Apache 2.0), the license name and content should be added in base64 format
I plan to share this feedback with the community since I believe other users might face similar issues when working with internal libraries in their projects.
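The output shape requested under "Expected behavior", as an added example that is not part of the original post and not cyclonedx-gomod's own code: a CycloneDX license entry with a `name` and the license file attached as base64 text. The helper `licenseFromDir`, the Go types, and the sample license name and file content are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// CycloneDX JSON shape for a named (non-SPDX) license that carries its text.
type Attachment struct {
	ContentType string `json:"contentType"`
	Encoding    string `json:"encoding"`
	Content     string `json:"content"`
}
type License struct {
	Name string     `json:"name"`
	Text Attachment `json:"text"`
}

// licenseFromDir (hypothetical helper) embeds the first LICENSE*/LICENCE* file found in dir.
func licenseFromDir(dir, name string) (*License, error) {
	matches, _ := filepath.Glob(filepath.Join(dir, "LICEN[SC]E*")) // LICENSE, LICENSE.md, ...
	if len(matches) == 0 {
		return nil, fmt.Errorf("no license file found in %s", dir)
	}
	raw, err := os.ReadFile(matches[0])
	if err != nil {
		return nil, err
	}
	ct := "text/plain"
	if strings.EqualFold(filepath.Ext(matches[0]), ".md") {
		ct = "text/markdown"
	}
	return &License{Name: name, Text: Attachment{ContentType: ct, Encoding: "base64", Content: base64.StdEncoding.EncodeToString(raw)}}, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "internal-lib") // constructed sample module directory
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "LICENSE.md"), []byte("# Example internal license\n"), 0o600)
	lic, err := licenseFromDir(dir, "Example Internal License")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string][]map[string]*License{"licenses": {{"license": lic}}}, "", "  ")
	fmt.Println(string(out))
}
```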