diff --git a/cmd/syft/internal/options/catalog.go b/cmd/syft/internal/options/catalog.go index 22cb286a445..14ca1b0bc87 100644 --- a/cmd/syft/internal/options/catalog.go +++ b/cmd/syft/internal/options/catalog.go @@ -156,6 +156,8 @@ func (cfg Catalog) ToPackagesConfig() pkgcataloging.Config { Golang: golang.DefaultCatalogerConfig(). WithSearchLocalModCacheLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Go, task.Golang), cfg.Golang.SearchLocalModCacheLicenses)). WithLocalModCacheDir(cfg.Golang.LocalModCacheDir). + WithSearchLocalVendorLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Go, task.Golang), cfg.Golang.SearchLocalVendorLicenses)). + WithLocalVendorDir(cfg.Golang.LocalVendorDir). WithSearchRemoteLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Go, task.Golang), cfg.Golang.SearchRemoteLicenses)). WithProxy(cfg.Golang.Proxy). WithNoProxy(cfg.Golang.NoProxy). diff --git a/cmd/syft/internal/options/golang.go b/cmd/syft/internal/options/golang.go index 59fe421fe56..8eb8e4ba04a 100644 --- a/cmd/syft/internal/options/golang.go +++ b/cmd/syft/internal/options/golang.go @@ -10,6 +10,8 @@ import ( type golangConfig struct { SearchLocalModCacheLicenses *bool `json:"search-local-mod-cache-licenses" yaml:"search-local-mod-cache-licenses" mapstructure:"search-local-mod-cache-licenses"` LocalModCacheDir string `json:"local-mod-cache-dir" yaml:"local-mod-cache-dir" mapstructure:"local-mod-cache-dir"` + SearchLocalVendorLicenses *bool `json:"search-local-vendor-licenses" yaml:"search-local-vendor-licenses" mapstructure:"search-local-vendor-licenses"` + LocalVendorDir string `json:"local-vendor-dir" yaml:"local-vendor-dir" mapstructure:"local-vendor-dir"` SearchRemoteLicenses *bool `json:"search-remote-licenses" yaml:"search-remote-licenses" mapstructure:"search-remote-licenses"` Proxy string `json:"proxy" yaml:"proxy" mapstructure:"proxy"` NoProxy string `json:"no-proxy" yaml:"no-proxy" mapstructure:"no-proxy"` 
@@ -24,6 +26,9 @@ func (o *golangConfig) DescribeFields(descriptions clio.FieldDescriptionSet) { descriptions.Add(&o.SearchLocalModCacheLicenses, `search for go package licences in the GOPATH of the system running Syft, note that this is outside the container filesystem and potentially outside the root of a local directory scan`) descriptions.Add(&o.LocalModCacheDir, `specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod`) + descriptions.Add(&o.SearchLocalVendorLicenses, `search for go package licences in the vendor folder on the system running Syft, note that this is outside the +container filesystem and potentially outside the root of a local directory scan`) + descriptions.Add(&o.LocalVendorDir, `specify an explicit go vendor directory, if unset this defaults to ./vendor`) descriptions.Add(&o.SearchRemoteLicenses, `search for go package licences by retrieving the package from a network proxy`) descriptions.Add(&o.Proxy, `remote proxy to use when retrieving go packages from the network, if unset this defaults to $GOPROXY followed by https://proxy.golang.org`) @@ -49,6 +54,8 @@ func defaultGolangConfig() golangConfig { return golangConfig{ SearchLocalModCacheLicenses: nil, // this defaults to false, which is the API default LocalModCacheDir: def.LocalModCacheDir, + SearchLocalVendorLicenses: nil, // this defaults to false, which is the API default + LocalVendorDir: def.LocalVendorDir, SearchRemoteLicenses: nil, // this defaults to false, which is the API default Proxy: strings.Join(def.Proxies, ","), NoProxy: strings.Join(def.NoProxy, ","), diff --git a/syft/pkg/cataloger/golang/config.go b/syft/pkg/cataloger/golang/config.go index aa7bc7708a1..9ae3185a658 100644 --- a/syft/pkg/cataloger/golang/config.go +++ b/syft/pkg/cataloger/golang/config.go 
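Review bot: The description for `o.SearchLocalVendorLicenses` is a raw string broken across two physical lines after `outside the`, so the help text for this field carries an embedded newline while every sibling description in `DescribeFields` is a single line; keep the whole sentence on one line like the mod-cache entry above it. The `o.LocalVendorDir` text says it `defaults to ./vendor`, but `defaultGoVendorDir` in config.go resolves the default to an absolute `<cwd>/vendor` when the config is built, so the wording should say the default is the vendor directory under the current working directory rather than implying a path relative to the scan root. Adding the same "outside the container filesystem" caveat to the `LocalVendorDir` entry would also make clear that both settings read from the host, not the scanned source.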
@@ -22,6 +22,8 @@ var ( type CatalogerConfig struct { SearchLocalModCacheLicenses bool `yaml:"search-local-mod-cache-licenses" json:"search-local-mod-cache-licenses" mapstructure:"search-local-mod-cache-licenses"` LocalModCacheDir string `yaml:"local-mod-cache-dir" json:"local-mod-cache-dir" mapstructure:"local-mod-cache-dir"` + SearchLocalVendorLicenses bool `yaml:"search-local-vendor-licenses" json:"search-local-vendor-licenses" mapstructure:"search-local-vendor-licenses"` + LocalVendorDir string `yaml:"local-vendor-dir" json:"local-vendor-dir" mapstructure:"local-vendor-dir"` SearchRemoteLicenses bool `yaml:"search-remote-licenses" json:"search-remote-licenses" mapstructure:"search-remote-licenses"` Proxies []string `yaml:"proxies,omitempty" json:"proxies,omitempty" mapstructure:"proxies"` NoProxy []string `yaml:"no-proxy,omitempty" json:"no-proxy,omitempty" mapstructure:"no-proxy"` @@ -42,6 +44,7 @@ func DefaultCatalogerConfig() CatalogerConfig { g := CatalogerConfig{ MainModuleVersion: DefaultMainModuleVersionConfig(), LocalModCacheDir: defaultGoModDir(), + LocalVendorDir: defaultGoVendorDir(), } // first process the proxy settings @@ -71,6 +74,15 @@ func DefaultCatalogerConfig() CatalogerConfig { return g } +func defaultGoVendorDir() string { + cwd, err := os.Getwd() + if err != nil { + return "" + } + + return filepath.Join(cwd, "vendor") +} + // defaultGoModDir returns $GOPATH/pkg/mod or $HOME/go/pkg/mod based on environment variables available func defaultGoModDir() string { goPath := os.Getenv("GOPATH") 
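Review bot: `defaultGoVendorDir` has no doc comment while its sibling `defaultGoModDir` directly below it does, and the discarded `os.Getwd` error deserves one because returning `""` is what later disables vendor search in `newGoLicenseResolver` (licenses.go only opens the directory when `LocalVendorDir != ""`). Suggest `// defaultGoVendorDir returns <cwd>/vendor, or "" (which disables vendor license search) if the working directory cannot be determined`. The comment should also say that this is the Syft process's working directory, not the scanned source: for a `dir:` or image scan started from an unrelated checkout, a module's license evidence may be read from a vendor tree that has nothing to do with the target and still be attributed to it, which is why the description in options/golang.go warns about the host filesystem.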
@@ -108,6 +120,19 @@ func (g CatalogerConfig) WithLocalModCacheDir(input string) CatalogerConfig { return g } +func (g CatalogerConfig) WithSearchLocalVendorLicenses(input bool) CatalogerConfig { + g.SearchLocalVendorLicenses = input + return g +} + +func (g CatalogerConfig) WithLocalVendorDir(input string) CatalogerConfig { + if input == "" { + return g + } + g.LocalVendorDir = input + return g +} + func (g CatalogerConfig) WithSearchRemoteLicenses(input bool) CatalogerConfig { g.SearchRemoteLicenses = input return g diff --git a/syft/pkg/cataloger/golang/config_test.go b/syft/pkg/cataloger/golang/config_test.go index 2720dc1b33c..93f447bb6bd 100644 --- a/syft/pkg/cataloger/golang/config_test.go +++ b/syft/pkg/cataloger/golang/config_test.go @@ -10,11 +10,12 @@ import ( func Test_Config(t *testing.T) { type opts struct { - local bool - cacheDir string - remote bool - proxy string - noProxy string + local bool + cacheDir string + vendorDir string + remote bool + proxy string + noProxy string } homedirCacheDisabled := homedir.DisableCache @@ -45,10 +46,15 @@ func Test_Config(t *testing.T) { "GOPRIVATE": "my.private", "GONOPROXY": "no.proxy", }, - opts: opts{}, + opts: opts{ + // defaults to $cwd/vendor, we need to set it to make the output predictable + vendorDir: "/vendor", + }, expected: CatalogerConfig{ SearchLocalModCacheLicenses: false, LocalModCacheDir: filepath.Join("/go", "pkg", "mod"), + SearchLocalVendorLicenses: false, + LocalVendorDir: "/vendor", SearchRemoteLicenses: false, Proxies: []string{"https://my.proxy"}, NoProxy: []string{"my.private", "no.proxy"}, 
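Review bot: The two new exported setters carry no doc comments, and the asymmetry between them is what a reader needs: `WithLocalVendorDir("")` is a no-op that keeps the `<cwd>/vendor` default rather than clearing it, so the directory can only be switched off via `WithSearchLocalVendorLicenses(false)`. Suggest `// WithSearchLocalVendorLicenses enables looking up module licenses under LocalVendorDir.` and `// WithLocalVendorDir overrides the vendor directory; an empty input keeps the current value.` The visible sibling `WithSearchRemoteLicenses` lacks a comment as well, so this is a nit on the new code rather than a regression.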
@@ -64,15 +70,18 @@ func Test_Config(t *testing.T) { "GONOPROXY": "no.proxy", }, opts: opts{ - local: true, - cacheDir: "/go-cache", - remote: true, - proxy: "https://alt.proxy,direct", - noProxy: "alt.no.proxy", + local: true, + cacheDir: "/go-cache", + vendorDir: "/vendor", + remote: true, + proxy: "https://alt.proxy,direct", + noProxy: "alt.no.proxy", }, expected: CatalogerConfig{ SearchLocalModCacheLicenses: true, LocalModCacheDir: "/go-cache", + SearchLocalVendorLicenses: true, + LocalVendorDir: "/vendor", SearchRemoteLicenses: true, Proxies: []string{"https://alt.proxy", "direct"}, NoProxy: []string{"alt.no.proxy"}, @@ -92,6 +101,8 @@ func Test_Config(t *testing.T) { got := DefaultCatalogerConfig(). WithSearchLocalModCacheLicenses(test.opts.local). WithLocalModCacheDir(test.opts.cacheDir). + WithSearchLocalVendorLicenses(test.opts.local). + WithLocalVendorDir(test.opts.vendorDir). WithSearchRemoteLicenses(test.opts.remote). WithProxy(test.opts.proxy). WithNoProxy(test.opts.noProxy) diff --git a/syft/pkg/cataloger/golang/licenses.go b/syft/pkg/cataloger/golang/licenses.go index 402a014485a..e119d32666a 100644 --- a/syft/pkg/cataloger/golang/licenses.go +++ b/syft/pkg/cataloger/golang/licenses.go @@ -42,6 +42,7 @@ type goLicenseResolver struct { catalogerName string opts CatalogerConfig localModCacheDir fs.FS + localVendorDir fs.FS licenseCache cache.Resolver[[]goLicense] lowerLicenseFileNames *strset.Set } 
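Review bot: In the last hunk of config_test.go, `WithSearchLocalVendorLicenses(test.opts.local)` drives the new vendor flag from the same `local` option as the mod-cache flag, so no table case can set one without the other and swapping the two setters would still pass; both expectation blocks accordingly set `SearchLocalVendorLicenses` equal to `SearchLocalModCacheLicenses`. Add a `vendor bool` field to `opts`, set it differently from `local` in at least one case, and pass `WithSearchLocalVendorLicenses(test.opts.vendor)`.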
@@ -52,10 +53,16 @@ func newGoLicenseResolver(catalogerName string, opts CatalogerConfig) goLicenseR localModCacheDir = os.DirFS(opts.LocalModCacheDir) } + var localVendorDir fs.FS + if opts.SearchLocalVendorLicenses && opts.LocalVendorDir != "" { + localVendorDir = os.DirFS(opts.LocalVendorDir) + } + return goLicenseResolver{ catalogerName: catalogerName, opts: opts, localModCacheDir: localModCacheDir, + localVendorDir: localVendorDir, licenseCache: cache.GetResolverCachingErrors[[]goLicense]("golang", "v1"), lowerLicenseFileNames: strset.New(lowercaseLicenseFiles()...), } @@ -91,7 +98,15 @@ func (c *goLicenseResolver) getLicenses(ctx context.Context, scanner licenses.Sc // look in the local host mod directory... if c.opts.SearchLocalModCacheLicenses { - goLicenses, err = c.getLicensesFromLocal(ctx, scanner, moduleName, moduleVersion) + goLicenses, err = c.getLicensesFromLocal(ctx, scanner, c.localModCacheDir, moduleDirCache(moduleName, moduleVersion)) + if err != nil || len(goLicenses) > 0 { + return toPkgLicenses(goLicenses), err + } + } + + // look in the local vendor directory... + if c.opts.SearchLocalVendorLicenses { + goLicenses, err = c.getLicensesFromLocal(ctx, scanner, c.localVendorDir, moduleDirVendor(moduleName)) if err != nil || len(goLicenses) > 0 { return toPkgLicenses(goLicenses), err } 
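Review bot: In the `getLicenses` hunk, the vendor lookup `c.getLicensesFromLocal(ctx, scanner, c.localVendorDir, moduleDirVendor(moduleName))` drops `moduleVersion`, so whatever copy sits under `vendor/<module>` is attributed to the `moduleName@moduleVersion` being cataloged even when the vendored version differs (a stale or hand-edited vendor tree). `go mod vendor` records the vendored version of each module in `vendor/modules.txt`; checking that entry before attributing the license, or at minimum a comment such as `// the vendor tree is unversioned: the license found here is assumed to belong to moduleVersion`, would keep the license evidence honest. If `licenseCache` is keyed by module and version (its key is not visible here), an unverified vendor hit would also be cached under that version. The enclosing `getLicenses` continues past the hunk.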
@@ -105,15 +120,13 @@ func (c *goLicenseResolver) getLicenses(ctx context.Context, scanner licenses.Sc return toPkgLicenses(goLicenses), err } -func (c *goLicenseResolver) getLicensesFromLocal(ctx context.Context, scanner licenses.Scanner, moduleName, moduleVersion string) ([]goLicense, error) { - if c.localModCacheDir == nil { +func (c *goLicenseResolver) getLicensesFromLocal(ctx context.Context, scanner licenses.Scanner, moduleDir fs.FS, moduleSubdir string) ([]goLicense, error) { + if moduleDir == nil { return nil, nil } - subdir := moduleDir(moduleName, moduleVersion) - // get the local subdirectory containing the specific go module - dir, err := fs.Sub(c.localModCacheDir, subdir) + dir, err := fs.Sub(moduleDir, moduleSubdir) if err != nil { return nil, err } @@ -121,7 +134,7 @@ func (c *goLicenseResolver) getLicensesFromLocal(ctx context.Context, scanner li // if we're running against a directory on the filesystem, it may not include the // user's homedir / GOPATH, so we defer to using the localModCacheResolver // we use $GOPATH/pkg/mod to avoid leaking information about the user's system - return c.findLicensesInFS(ctx, scanner, "file://$GOPATH/pkg/mod/"+subdir+"/", dir) + return c.findLicensesInFS(ctx, scanner, "file://$GOPATH/pkg/mod/"+moduleSubdir+"/", dir) } func (c *goLicenseResolver) getLicensesFromRemote(ctx context.Context, scanner licenses.Scanner, moduleName, moduleVersion string) ([]goLicense, error) { @@ -221,10 +234,14 @@ func (c *goLicenseResolver) parseLicenseFromLocation(ctx context.Context, scanne return out, nil } -func moduleDir(moduleName, moduleVersion string) string { +func moduleDirCache(moduleName, moduleVersion string) string { return fmt.Sprintf("%s@%s", processCaps(moduleName), moduleVersion) } +func moduleDirVendor(moduleName string) string { + return processCaps(moduleName) +} + func requireCollection[T any](licenses []T) []T { if licenses == nil { return make([]T, 0) 
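Review bot: After the signature change, `getLicensesFromLocal` still hard-codes the evidence URL prefix `"file://$GOPATH/pkg/mod/"+moduleSubdir+"/"` (second hunk of this file), so licenses found through the new vendor `fs.FS` are reported as coming from the module cache, a path that need not exist on the scanning host; `Test_LocalVendorLicenseSearch` in licenses_test.go pins that misattribution by expecting the `$GOPATH/pkg/mod` prefix for vendor hits. Passing the prefix alongside the FS, e.g. a `locationPrefix string` parameter supplied as `"file://$GOPATH/pkg/mod/"` for the cache and a constructed `"file://vendor/"` for the vendor tree, keeps the comment above that call (about not leaking the user's system paths) true for both sources. The function's doc comment, if it has one, starts above this hunk.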
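Review bot: `moduleDirVendor` applies `processCaps` to the module path, but the `!`-escaping of upper-case letters is the module cache's on-disk encoding; `go mod vendor` writes packages under the literal import path (`vendor/github.com/CapORG/CapProject`), so a real vendor tree containing any upper-case path element will never be found, and the `!cap!o!r!g/!cap!project` fixture added under `test-fixtures/licenses-vendor` encodes a layout the tool does not produce. Return the path as given, `return moduleName`, and rename the fixture directory to the unescaped form so the `github.com/CapORG/CapProject` case in `Test_LocalVendorLicenseSearch` exercises the real layout.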
diff --git a/syft/pkg/cataloger/golang/licenses_test.go b/syft/pkg/cataloger/golang/licenses_test.go index 0acde6de95c..99d122535d9 100644 --- a/syft/pkg/cataloger/golang/licenses_test.go +++ b/syft/pkg/cataloger/golang/licenses_test.go @@ -23,7 +23,7 @@ import ( "github.com/anchore/syft/syft/pkg" ) -func Test_LocalLicenseSearch(t *testing.T) { +func Test_LocalModCacheLicenseSearch(t *testing.T) { loc1 := file.NewLocation("github.com/someorg/somename@v0.3.2/LICENSE") loc2 := file.NewLocation("github.com/!cap!o!r!g/!cap!project@v4.111.5/LICENSE.txt") loc3 := file.NewLocation("github.com/someorg/strangelicense@v1.2.3/LiCeNsE.tXt") 
@@ -92,6 +92,75 @@ func Test_LocalLicenseSearch(t *testing.T) { } } +func Test_LocalVendorLicenseSearch(t *testing.T) { + loc1 := file.NewLocation("github.com/someorg/somename/LICENSE") + loc2 := file.NewLocation("github.com/!cap!o!r!g/!cap!project/LICENSE.txt") + loc3 := file.NewLocation("github.com/someorg/strangelicense/LiCeNsE.tXt") + + licenseScanner := licenses.TestingOnlyScanner() + + tests := []struct { + name string + version string + expected pkg.License + }{ + { + name: "github.com/someorg/somename", + version: "v0.3.2", + expected: pkg.License{ + Value: "Apache-2.0", + SPDXExpression: "Apache-2.0", + Type: license.Concluded, + URLs: []string{"file://$GOPATH/pkg/mod/" + loc1.RealPath}, + Locations: file.NewLocationSet(), + }, + }, + { + name: "github.com/CapORG/CapProject", + version: "v4.111.5", + expected: pkg.License{ + Value: "MIT", + SPDXExpression: "MIT", + Type: license.Concluded, + URLs: []string{"file://$GOPATH/pkg/mod/" + loc2.RealPath}, + Locations: file.NewLocationSet(), + }, + }, + { + name: "github.com/someorg/strangelicense", + version: "v1.2.3", + expected: pkg.License{ + Value: "Apache-2.0", + SPDXExpression: "Apache-2.0", + Type: license.Concluded, + URLs: []string{"file://$GOPATH/pkg/mod/" + loc3.RealPath}, + Locations: file.NewLocationSet(), + }, + }, + } + + wd, err := os.Getwd() + require.NoError(t, err) + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + l := newGoLicenseResolver( + "", + CatalogerConfig{ + SearchLocalVendorLicenses: true, + LocalVendorDir: filepath.Join(wd, "test-fixtures", "licenses-vendor"), + }, + ) + lics, err := l.getLicenses(context.Background(), licenseScanner, fileresolver.Empty{}, test.name, test.version) + require.NoError(t, err) + + require.Len(t, lics, 1) + + require.Equal(t, test.expected, lics[0]) + }) + } +} + func Test_RemoteProxyLicenseSearch(t *testing.T) { loc1 := file.NewLocation("github.com/someorg/somename@v0.3.2/LICENSE") loc2 := 
file.NewLocation("github.com/!cap!o!r!g/!cap!project@v4.111.5/LICENSE.txt") @@ -117,7 +186,7 @@ func Test_RemoteProxyLicenseSearch(t *testing.T) { for _, f := range entries { // the zip files downloaded contain a path to the repo that somewhat matches where it ends up on disk, // so prefix entries with something similar - writer, err := archive.Create(path.Join(moduleDir(modPath, modVersion), f.Name())) + writer, err := archive.Create(path.Join(moduleDirCache(modPath, modVersion), f.Name())) require.NoError(t, err) contents, err := os.ReadFile(filepath.Join(testDir, f.Name())) require.NoError(t, err) @@ -307,7 +376,7 @@ func Test_noLocalGoModDir(t *testing.T) { SearchLocalModCacheLicenses: true, LocalModCacheDir: test.dir, }) - _, err := resolver.getLicensesFromLocal(context.Background(), licenseScanner, "mod", "ver") + _, err := resolver.getLicensesFromLocal(context.Background(), licenseScanner, resolver.localModCacheDir, moduleDirCache("mod", "ver")) test.wantErr(t, err) }) } diff --git a/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/!cap!o!r!g/!cap!project/LICENSE.txt b/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/!cap!o!r!g/!cap!project/LICENSE.txt new file mode 100644 index 00000000000..1519c29debd --- /dev/null +++ b/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/!cap!o!r!g/!cap!project/LICENSE.txt 
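Review bot: `Test_LocalVendorLicenseSearch` covers the vendor path only in isolation: nothing checks precedence when both `SearchLocalModCacheLicenses` and `SearchLocalVendorLicenses` are enabled and the module exists in both trees, and there is no analogue of `Test_noLocalGoModDir` for a missing or unreadable `LocalVendorDir` (the `-307` hunk below only retargets the existing mod-cache case). A case with both flags set against a module present in both fixture trees would pin that the mod-cache result wins, and a `Test_noLocalGoVendorDir` mirroring the mod-cache test would cover the error path. The `version` field in each table entry is not used by the vendor lookup, which deserves a one-line comment so the values are not read as meaningful.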
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Someone Cool + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. \ No newline at end of file diff --git a/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/someorg/somename/LICENSE b/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/someorg/somename/LICENSE new file mode 100644 index 00000000000..0c44dcefe3d --- /dev/null +++ b/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/someorg/somename/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright (c) 2009-present, Alibaba Cloud All rights reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/someorg/strangelicense/LiCeNsE.tXt b/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/someorg/strangelicense/LiCeNsE.tXt new file mode 100644 index 00000000000..0c44dcefe3d --- /dev/null +++ b/syft/pkg/cataloger/golang/test-fixtures/licenses-vendor/github.com/someorg/strangelicense/LiCeNsE.tXt 
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship.
For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License.
Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of
the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty.
Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright (c) 2009-present, Alibaba Cloud All rights reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.