feat(golang): add license parsing from vendor dirs

[dschmidt]

Description

This PR adds options to parse license information from local vendor dirs as they have a slightly different structure than mod cache dirs.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
• Documentation (updates the documentation)
• Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
• Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist:

• I have added unit tests that cover changed behavior
• I have tested my code in common scenarios and confirmed there are no regressions
• I have added comments to my code, particularly in hard-to-understand sections

[spiffcs]

@dschmidt I kicked off the build and CI tooling for this PR.

We have a related PR where we parse the entire go source tree and will be able to pull license data from this. I think this would precludes the need for the vendor directory, but am interested in how these two might overlap.

#3452

[dschmidt]

Thanks!

What's the state of your PR? Should I be able to test it?
If it solves my use case I'm happy to wait for that one. It's not superurgent, I just need a solution in the long run.

Forgot to check in the test fixtures... will fix tomorrow.

[dschmidt]

Added the missing fixtures, can you approve the workflows again?

[dschmidt]

We have a related PR where we parse the entire go source tree and will be able to pull license data from this. I think this would precludes the need for the vendor directory, but am interested in how these two might overlap.

#3452

I'm pretty new to syft (and trying to make it work in a project I'm working on), so I'm not so sure how everything is supposed to work:
Can I use the new source file cataloger when analyzing a docker image? (with the source code on the host, not inside the image)
How would I invoke syft to do that?

Without a docker image I've tried
syft scan --select-catalogers "+go-module-source-file-cataloger" . -ospdx-json | jq
on a smaller project I'm working on and don't see license information from the vendor dir.

in https://github.com/owncloud/ocis the same command crashes with

 ✔ Indexed file system                                                                                                                                                                                             .
 ⠸ Cataloging contents             ━━━━━━━━━━━━━━━━━━━━                                                                                             cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   └── ⠸ Packages                        [2,531 packages]  
         └── ⠙ Go module source file         cataloger                       
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0046]  WARN found package with empty ID while adding to the collection: Pkg(name="prometheus" version="v0.4.2" type="go-module" id="")
runtime: goroutine stack exceeds 1000000000-byte limit
                                                      runtime: sp=0xc0575aa598 stack=[0xc0575aa000, 0xc0775aa000]
                                                                                                                 fatal error: stack overflow

                                                                                                                                            runtime stack:
                                                                                                                                                          runtime.throw({0x276e858?, 0x7fab857f9d50?})
                                                                                                                                                                                                        /usr/lib64/go/1.23/src/runtime/panic.go:1067 +0x48 fp=0x7fab857f9d10 sp=0x7fab857f9ce0 pc=0xdda568
                                                                                    runtime.newstack()
                                                                                                        /usr/lib64/go/1.23/src/runtime/stack.go:1117 +0x5bd fp=0x7fab857f9e50 sp=0x7fab857f9d10 pc=0xdbc19d
[…]

[kzantow]

This PR looks very close -- there is one small change I'd like to see and it needs to be rebased; I could take care of this if you like.

[dschmidt]

This PR looks very close -- there is one small change I'd like to see and it needs to be rebased; I could take care of this if you like.

I'd be happy if you could take over!
Feel free to push to my fork/this PR, if you're allowed to or send a successor PR otherwise.

[kzantow]

Hi @dschmidt, sorry I seem to have missed the question you posted above 🤦 :

Can I use the new source file cataloger when analyzing a docker image? (with the source code on the host, not inside the image)
How would I invoke syft to do that?

Without a docker image I've tried
syft scan --select-catalogers "+go-module-source-file-cataloger" . -ospdx-json | jq

Given this PR is doing what the question asks, I think you already know the answer. TL;DR: syft does not scan anything outside of what you tell it to scan by default and has to get specialized handling for each task as is done in this PR.

I made a few tweaks to resolve conflicts. I'm impressed by how well you adhered to the existing code patterns! Thanks for the contribution 👍