Steps to reproduce:

1. Create Go project with some external package as dependency and run go mod vendor to place this package inside vendor folder
2. Delete LICENSE file from this package inside vendor folder
3. Run go-licenses report or go-licenses check on your project. The command lists external package as package without a license (as it should be)
4. Now add some default LICENSE in the root folder of your project. Project folder looks like this: go.mod go.sum LICENSE main.go vendor/
5. Run go-licenses report or go-licenses check on your project again. Now commands consider external package as having LICENSE from the root project folder: go-licenses check doesn't fire an error and go-licenses report doesn't list external package at all (considering this as the part of root project).

I guess it's because when Libraries function calls Find function, it passes p.Module.Dir as rootDir (which is nil for vendored packages for some reason) and then Find does rootDir, err = filepath.Abs(rootDir), nil turns into working directory (root package folder) and findUpwards looks for license file until it finds it in root package folder.