License Overrides for Go

[hmmh-dominik-saeume]

What would you like to be added:
I want to define a specific licence ID (or in my case a Licese-Ref, as It's not in SPDX) for a private go package, that will be used when I generate an SBOM with Syft.
This could be through some file. In the repository of the private package, or me providing syft with a Licenses Text, and what ID it should be, so it will match it in its scanns.

Why is this needed:
Go has no Licence Field in its go.mod and won't add it.
This means that Syft currently can only detect FOSS Licences, resulting in unknowns for private or Internal packages.

[kzantow]

Thanks @hmmh-dominik-saeume -- I'm having a hard time envisioning exactly how this would work. Am I correct that what you are trying to do is effectively provide a template SBOM to apply to the results to fill in (or override) gaps in what Syft is able to detect?

I have been trying to figure out how a generic feature like this could work, as it will need to match packages in the Syft SBOM somewhere but you probably won't know the ID of the package (it's a hash based on the field values). If we matched based on partial PURL, would that make sense? E.g. you could provide something like:

syft --override overrides.json <args>

where overrides.json was a real, partial SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  // omit much of the metadata, since you're not trying to override this
  "components": [
    {
      "licenses": [
        {
          "license": {
            "name": "My-Custom-License",
            "text": "the custom text here",
          }
        }
      ],
      "purl": "pkg:npm/body-parser@1.19.0",
    }
  }
}

Are there other ideas you had for this feature?

[hmmh-dominik-saeume]

Thanks @hmmh-dominik-saeume -- I'm having a hard time envisioning exactly how this would work. Am I correct that what you are trying to do is effectively provide a template SBOM to apply to the results to fill in (or override) gaps in what Syft is able to detect?

I have been trying to figure out how a generic feature like this could work, as it will need to match packages in the Syft SBOM somewhere but you probably won't know the ID of the package (it's a hash based on the field values). If we matched based on partial PURL, would that make sense? E.g. you could provide something like:

syft --override overrides.json <args>

where overrides.json was a real, partial SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.2",
  // omit much of the metadata, since you're not trying to override this
  "components": [
    {
      "licenses": [
        {
          "license": {
            "name": "My-Custom-License",
            "text": "the custom text here",
          }
        }
      ],
      "purl": "pkg:npm/body-parser@1.19.0",
    }
  }
}

Are there other ideas you had for this feature?

I could provide a handcrafted SBOM with overrides like in your example.
though mine would prolly be v1.6 (because that's what Dependency track and Gitlab use) and might also contain SPDX expressions for the licences, just like the spec says.

Besides that: completely what I'm searching for <3

[wagoodman]

This is related to #31

[kzantow]

We talked about this on the livestream this week and we're going to look for a better solution, but I just wanted to mention that there is a possible way for this to work today for golang licenses, specifically: if you enable golang license enrichment using the --enrich flag, enable license content capturing, and provide the license in a directory matching the layout of the go mod cache (or just use an existing go mod cache if you have that already and it has the correct license information). Something along these lines, using <go module name>@<version> as github.com/anchore/syft@v1.42.1 as an example:

$ mkdir -P go-mod-licenses/pkg/mod/github.com/anchore/syft@v1.42.1
$ cp YOUR-LICENSE-FILE go-mod-licenses/pkg/mod/github.com/anchore/syft@v1.42.1/LICENSE
$ SYFT_LICENSE_CONTENT=unknown SYFT_GOLANG_LOCAL_MOD_CACHE_DIR=$(pwd)/go-mod-licenses syft --enrich golang <source>

Using this method, I don't think you'll get a name exactly, but you should be able to export to SPDX, for example, and have the license contents referenced in the other licenses section, and of course Syft format should have this info, too.

Of course, if your module's repository actually has the license in a known filename LICENSE, LICENSE.txt, etc., and it is available from the host you are scanning on, you can just use --enrich to download the module directly and include the license, again, with the SYFT_LICENSE_CONTENT=unknown type option.

The relevant configuration options (which you can always see using syft config) are:

license:
  # include the content of licenses in the SBOM for a given syft scan; valid values are: [all unknown none] (env: SYFT_LICENSE_CONTENT)
  content: 'none'

...

golang:
  # search for go package licences in the GOPATH of the system running Syft, note that this is outside the
  # container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES)
  search-local-mod-cache-licenses:

  # specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod (env: SYFT_GOLANG_LOCAL_MOD_CACHE_DIR)
  local-mod-cache-dir: '~/go/pkg/mod'

  # search for go package licences in the vendor folder on the system running Syft, note that this is outside the
  # container filesystem and potentially outside the root of a local directory scan (env: SYFT_GOLANG_SEARCH_LOCAL_VENDOR_LICENSES)
  search-local-vendor-licenses:

  # specify an explicit go vendor directory, if unset this defaults to ./vendor (env: SYFT_GOLANG_LOCAL_VENDOR_DIR)
  local-vendor-dir: ''

  # search for go package licences by retrieving the package from a network proxy (env: SYFT_GOLANG_SEARCH_REMOTE_LICENSES)
  search-remote-licenses:

  # remote proxy to use when retrieving go packages from the network,
  # if unset this defaults to $GOPROXY followed by https://proxy.golang.org (env: SYFT_GOLANG_PROXY)
  proxy: 'https://proxy.golang.org,direct'

  # specifies packages which should not be fetched by proxy
  # if unset this defaults to $GONOPROXY (env: SYFT_GOLANG_NO_PROXY)
  no-proxy: ''