{"id":13614708,"url":"https://github.com/mitchellh/golicense","last_synced_at":"2025-04-13T18:33:37.473Z","repository":{"id":45156632,"uuid":"156012474","full_name":"mitchellh/golicense","owner":"mitchellh","description":"Scan and analyze OSS dependencies and licenses from compiled Go binaries","archived":true,"fork":false,"pushed_at":"2021-03-23T09:33:08.000Z","size":1560,"stargazers_count":666,"open_issues_count":15,"forks_count":54,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-08-02T20:46:27.740Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitchellh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-11-03T18:33:20.000Z","updated_at":"2024-04-29T19:51:51.000Z","dependencies_parsed_at":"2022-07-13T16:47:59.950Z","dependency_job_id":null,"html_url":"https://github.com/mitchellh/golicense","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fgolicense","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fgolicense/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fgolicense/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitchellh%2Fgolicense/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitchellh","download_url":"https://codeload.github.com/mitchellh/golicense/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","
kind":"github","repositories_count":223600410,"owners_count":17171663,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T20:01:04.745Z","updated_at":"2024-11-07T22:31:54.958Z","avatar_url":"https://github.com/mitchellh.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# golicense - Go Binary OSS License Scanner\n\ngolicense is a tool that scans [compiled Go binaries](https://golang.org/)\nand can output all the dependencies, their versions, and their respective\nlicenses (if known). golicense only works with Go binaries compiled using\nGo modules for dependency management.\n\ngolicense determines the dependency list quickly and with exact accuracy\nsince it uses metadata from the Go compiler to determine the _exact_ set of\ndependencies embedded in a compiled Go binary. This excludes dependencies that\nare not used in the final binary. For example, if a library depends on \"foo\"\nin function \"F\" but \"F\" is never called, then the dependency \"foo\" will not\nbe present in the final binary.\n\ngolicense is not meant to be a complete replacement for open source compliance\ncompanies such as [FOSSA](https://fossa.io/) or\n[BlackDuck](https://www.blackducksoftware.com/black-duck-home), both of\nwhich provide hundreds of additional features related to open source\ncompliance.\n\n**Warning:** The binary itself must be trusted and untampered with to provide\naccurate results. It is trivial to modify the dependency information of a\ncompiled binary. 
This is the opposite side of the same coin with source-based\ndependency analysis where the source must not be tampered with.\n\n## Features\n\n  * List dependencies and their associated licenses\n  * Cross-reference dependency licenses against an allow/deny list\n  * Output reports in the terminal and Excel (XLSX) format\n  * Manually specify overrides for specific dependencies if the detection\n    is incorrect.\n\n## Example\n\nThe example below runs `golicense` against itself from a recent build.\n\n![golicense Example](https://user-images.githubusercontent.com/1299/48667166-468d1080-ea85-11e8-8005-5a44c6a0d10a.gif)\n\n## Installation\n\nTo install `golicense`, download the appropriate release for your platform\nfrom the [releases page](https://github.com/mitchellh/golicense/releases).\n\nYou can also compile from source using Go 1.11 or later using standard\n`go build`. Please ensure that Go modules are enabled (GOPATH not set or\n`GO111MODULE` set to \"on\").\n\n## Usage\n\n`golicense` is used with one or two required arguments. In the one-argument\nform, the dependencies and their licenses are listed. In the two-argument\nform, a configuration file can be given to specify an allow/deny list of\nlicenses and more.\n\n```\n$ golicense [flags] [BINARY]\n$ golicense [flags] [CONFIG] [BINARY]\n```\n\nYou may also pass multiple binaries (but only if you are providing a CONFIG).\n\n### Configuration File\n\nThe configuration file can specify allow/deny lists of licenses for reports,\nlicense overrides for specific dependencies, and more. 
The configuration file\nformat is [HCL](https://github.com/hashicorp/hcl2) or JSON.\n\nExample:\n\n```hcl\nallow = [\"MIT\", \"Apache-2.0\"]\ndeny  = [\"GNU General Public License v2.0\"]\n```\n\n```json\n{\n  \"allow\": [\"MIT\", \"Apache-2.0\"],\n  \"deny\": [\"GNU General Public License v2.0\"]\n}\n```\n\nSupported configurations:\n\n  * `allow` (`array\u003cstring\u003e`) - A list of names or SPDX IDs of allowed licenses.\n  * `deny` (`array\u003cstring\u003e`) - A list of names or SPDX IDs of denied licenses.\n  * `override` (`map\u003cstring, string\u003e`) - A mapping of Go import identifiers\n    to translate into a specific license by SPDX ID. This can be used to\n\tset the license of imports that `golicense` cannot detect so that reports\n\tpass.\n  * `translate` (`map\u003cstring, string\u003e`) - A mapping of Go import identifiers\n    to translate into alternate import identifiers. Example:\n\t\"gopkg.in/foo/bar.v2\" to \"github.com/foo/bar\". If the map key starts and\n\tends with `/` then it is treated as a regular expression. In this case,\n\tthe map value can use `\\1`, `\\2`, etc. to reference capture groups.\n\n### GitHub Authentication\n\n`golicense` uses the GitHub API to look up licenses. This doesn't require\nany authentication out of the box but will be severely rate limited.\nIt is recommended that you generate a [personal access token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/) to increase the rate limit. 
The personal access token doesn't require any\nspecial access unless it needs to look at private repositories you have\naccess to, in which case it should be granted the `repo` permission.\nSpecify your token using the `GITHUB_TOKEN` environment variable.\n\n```\n$ export GITHUB_TOKEN=abcd1234\n$ golicense ./binary\n```\n\n### Excel (XLSX) Reporting Output\n\nIf the `-out-xlsx` flag is specified, then an Excel report is generated\nand written to the path specified in addition to the terminal output.\n\n```\n$ golicense -out-xlsx=report.xlsx ./my-program\n```\n\nThe Excel report contains the list of dependencies, their versions, the\ndetected license, and whether the license is allowed or not. The dependencies\nare listed in alphabetical order. The row of the dependency will have a\ngreen background if everything is okay, a yellow background if a\nlicense is unknown, or a red background if a license is denied. An example\nscreenshot is shown below:\n\n![Excel Report](https://user-images.githubusercontent.com/1299/48667086-84893500-ea83-11e8-925c-7929ed441b1b.png)\n\n## Limitations\n\nThere are a number of limitations to `golicense` currently. These are fixable\nbut work hasn't been done to address these yet. If you feel like taking a stab\nat any of these, please do and contribute!\n\n**GitHub API:** The license detected by `golicense` may be incorrect if\na GitHub project changes licenses. `golicense` uses the GitHub API which only\nreturns the license currently detected; we can't look up licenses for specific\ncommit hashes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitchellh%2Fgolicense","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitchellh%2Fgolicense","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitchellh%2Fgolicense/lists"}