golicense is a dependency and license scanning tool for compiled Go binaries. golicense only applies to Go binaries compiled with Go modules; for such a binary it outputs all dependencies, their versions, and their respective licenses (if known).

golicense can output a list of dependencies quickly and accurately because it uses metadata from the Go compiler to determine the exact set of dependencies embedded in the compiled Go binary. Note: this does not include dependencies that are not used in the final binary. For example, if a library depends on “foo” in function “F”, but “F” is never called, then the dependency “foo” will not appear in the final binary.

Warning: the binary itself must be trusted and untampered with for the results to be accurate. Modifying the dependency information of a compiled binary is simple. This is the other side of the same coin as source-based dependency analysis, where the source must not have been tampered with.

Features

  • List dependencies and their associated licenses
  • Cross-reference dependency licenses against allow/deny lists
  • Output reports in terminal and Excel (XLSX) formats
  • Manually specify overrides for specific dependencies when detection is incorrect

Example

The example below shows golicense run against a recent build.

[Screenshot: golicense example output]

Install

To install, download the build for your platform from the golicense releases page.

You can also compile from source with a standard go build using Go 1.11 or later. Make sure Go modules are enabled (GOPATH is not set, or GO111MODULE is set to "on").

Usage

golicense is used with one or two required arguments. In the single-argument form, dependencies and their licenses are listed. In the two-argument form, a configuration file can be given to specify allow/deny license lists and other settings.

$ golicense [flags] [BINARY]
$ golicense [flags] [CONFIG] [BINARY]

You can also pass multiple binaries (but only if you provide CONFIG).

Configuration File

The configuration file can specify allow/deny license lists for reports, license overrides for specific dependencies, and more. The configuration file format is HCL or JSON.

Example (HCL):

allow = ["MIT", "Apache-2.0"]
deny  = ["GNU General Public License v2.0"]

The same configuration as JSON:

{
  "allow": ["MIT", "Apache-2.0"],
  "deny": ["GNU General Public License v2.0"]
}

Supported configurations:

  • allow (array<string>) – List of names or SPDX IDs of allowed licenses.
  • deny (array<string>) – List of names or SPDX IDs of denied licenses.
  • override (map<string, string>) – A map of Go import identifiers to a specific license, given by SPDX ID. This can be used to set the license of an import that golicense cannot detect so that the report passes.
  • translate (map<string, string>) – A map of Go import identifiers to alternate import identifiers. Example: "gopkg.in/foo/bar.v2" to "github.com/foo/bar". If the map key starts and ends with a slash (/), it is treated as a regular expression. In that case the map value can use \1, \2, etc. to refer to capture groups.
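A fuller HCL configuration that exercises all four keys, added here as an illustration rather than taken from the golicense project; the import paths and license choices are made up, and the regular-expression key generalizes the page's gopkg.in example to any owner/repo pair:

```hcl
# Added example golicense configuration (not from the project README).
# Import paths and licenses below are constructed for illustration.

# Licenses that pass the report (names or SPDX IDs).
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]

# Licenses that fail the report.
deny = ["GPL-2.0-only", "GPL-3.0-only"]

# Force a license (by SPDX ID) for an import whose license golicense
# cannot detect, so that it no longer shows up as unknown.
override = {
  "github.com/example/undetected-lib" = "MIT"
}

# Rewrite import paths before license lookup.
translate = {
  # Literal key: exact-match translation, as in the README example.
  "gopkg.in/foo/bar.v2" = "github.com/foo/bar"

  # Key wrapped in "/" is a regular expression; \1 and \2 are the
  # capture groups (owner and repo), so gopkg.in/x/y.v3 becomes
  # github.com/x/y. Backslashes are doubled for HCL string escaping.
  "/^gopkg\\.in/([^/]+)/([^/]+)\\.v[0-9]+$/" = "github.com/\\1/\\2"
}
```

Run it as golicense this-config.hcl ./my-program; the override entry turns a yellow (unknown) row into a green one only if the forced license is in the allow list.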

Excel (XLSX) Report Output

If the -out-xlsx flag is specified, an Excel report is generated and written to the given path in addition to the terminal output.

$ golicense -out-xlsx=report.xlsx ./my-program

The Excel report contains a list of dependencies, their versions, their detected licenses, and whether each license is allowed. Dependencies are listed alphabetically. A dependency's row has a green background if everything is OK, a yellow background if the license is unknown, or a red background if the license is denied. A sample screenshot is shown below:

[Screenshot: Excel report]
