{"id":28167386,"url":"https://github.com/uw-labs/lichen","last_synced_at":"2025-07-19T08:07:38.339Z","repository":{"id":37614916,"uuid":"276904143","full_name":"uw-labs/lichen","owner":"uw-labs","description":"Go binary license checker. Extracts module usage information from binaries and analyses their licenses.","archived":false,"fork":false,"pushed_at":"2024-01-05T14:18:55.000Z","size":10616,"stargazers_count":69,"open_issues_count":4,"forks_count":13,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-06-18T15:19:46.053Z","etag":null,"topics":["dependency","dependency-checker","detector","go","golang","golicense","gomodule","license","license-checking","license-detector","license-extractor","license-management"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/uw-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-03T13:16:30.000Z","updated_at":"2024-05-21T02:48:33.000Z","dependencies_parsed_at":"2022-09-05T10:50:07.571Z","dependency_job_id":null,"html_url":"https://github.com/uw-labs/lichen","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Flichen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Flichen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Flichen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uw-labs%2Flichen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/uw-labs","download_url":"https://codeload.github.com/uw-labs/lichen/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254355394,"owners_count":22057356,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency","dependency-checker","detector","go","golang","golicense","gomodule","license","license-checking","license-detector","license-extractor","license-management"],"created_at":"2025-05-15T14:12:36.416Z","updated_at":"2025-07-19T08:07:38.321Z","avatar_url":"https://github.com/uw-labs.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# lichen 🍃\n\nGo binary license checker. Extracts module usage information from binaries and analyses their licenses.\n\n## Features\n\n- Accurate module usage extraction (including transitive) from Go compiled binaries.\n- License files are resolved from local module storage.\n- Licenses are always checked against their respective versions.\n- Multi-license usage is covered out the box.\n- Local license checking using [google/licenseclassifier](https://github.com/google/licenseclassifier).\n- Customisable output via text/template.\n- JSON output for further analysis and transforming into CSV, XLSX, etc.\n\n### Improvements over existing tooling\n\n- Some tools attempt to extract module use information from scanning code. This can be flawed, as transitive\ndependencies are not well represented (if at all). 
`lichen` executes `go version -m [exes]` to obtain accurate module\nusage information; only those that are required at compile time will be included. Also note that \n[rsc/goversion](https://github.com/rsc/goversion) has been avoided due to known issues in relation to binaries compiled\nwith CGO enabled, and a lack of development activity.\n- Existing tools have been known to make requests against the GitHub API for license information. Unfortunately this can\nbe flawed: the API only returns license details obtained from the HEAD of the `master` branch of a given repository. \nThis also typically requires a GitHub API token to be available, as rate-limiting will kick in quite quickly. The\nGitHub API license detection doesn't offer any significant advantages; it itself simply uses \n[licensee/licensee](https://github.com/licensee/licensee) for license checking. `lichen` does not use the GitHub API at\nall.\n- In some instances, existing tools will clone the repository relating to the module. Often this suffers from the\nsame flaws as hitting the GitHub API, as the master branch ends up being inspected. Furthermore, some module URLs do\nnot easily map to a git repository, resulting in the need for manual mapping in some instances. Finally, this process\nhas a tendency to be slow. `lichen` takes advantage of Go tooling to retrieve the relevant file(s) in an accurate and \ntime effective manner - `go mod download` is executed, and the local copy of the module is inspected for license\ninformation.\n\n## Install\n\n```\ngo install github.com/uw-labs/lichen@latest\n```\n\nNote that Go must be installed wherever `lichen` is intended to be run, as `lichen` executes various Go commands (as\ndiscussed in the previous section).\n\n## Usage\n\nBy default `lichen` simply prints each module with its respective license. A path to at least one Go compiled binary\nmust be supplied. 
Permitted licenses can be configured, along with overrides and exceptions (see [Config](#Config)).\n\n```\nlichen --config=path/to/lichen.yaml [binary ...]\n```\n\nRun ```lichen --help``` for further information on flags.\n\nNote that where `lichen` runs the Go executable, the process is created with the same environment as `lichen`\nitself - therefore you can set [Go related environment variables](https://pkg.go.dev/cmd/go#hdr-Environment_variables)\n(e.g. `GOPRIVATE`) and these will be respected.\n\n## Example\n\nWe can run lichen on itself:\n\n```\n$ lichen $GOPATH/bin/lichen\ngithub.com/cpuguy83/go-md2man/v2@v2.0.0-20190314233015-f79a8a8ca69d: MIT (allowed)\ngithub.com/google/goterm@v0.0.0-20190703233501-fc88cf888a3f: BSD-3-Clause (allowed)\ngithub.com/google/licenseclassifier@v0.0.0-20200402202327-879cb1424de0: Apache-2.0 (allowed)\ngithub.com/hashicorp/errwrap@v1.0.0: MPL-2.0 (allowed)\ngithub.com/hashicorp/go-multierror@v1.1.0: MPL-2.0 (allowed)\ngithub.com/lucasb-eyer/go-colorful@v1.0.3: MIT (allowed)\ngithub.com/mattn/go-isatty@v0.0.12: MIT (allowed)\ngithub.com/muesli/termenv@v0.5.2: MIT (allowed)\ngithub.com/russross/blackfriday/v2@v2.0.1: BSD-2-Clause (allowed)\ngithub.com/sergi/go-diff@v1.0.0: MIT (allowed)\ngithub.com/shurcooL/sanitized_anchor_name@v1.0.0: MIT (allowed)\ngithub.com/urfave/cli/v2@v2.2.0: MIT (allowed)\ngolang.org/x/sys@v0.0.0-20200116001909-b77594299b42: BSD-3-Clause (allowed)\ngopkg.in/yaml.v2@v2.3.0: Apache-2.0, MIT (allowed)\n```\n\n...and using a custom template:\n\n```\n$ lichen --template=\"{{range .Modules}}{{range .Module.Licenses}}{{.Name | printf \\\"%s\\n\\\"}}{{end}}{{end}}\" $GOPATH/bin/lichen | sort | uniq -c | sort -nr\n   8 MIT\n   2 MPL-2.0\n   2 BSD-3-Clause\n   2 Apache-2.0\n   1 BSD-2-Clause\n```\n\n## Config\n\nConfiguration is entirely optional. If you wish to use lichen to ensure only permitted licenses are in use, you can\nuse the configuration to specify these. 
You can also override certain defaults or force a license if lichen cannot \ndetect one.\n\nExample:\n\n```yaml\n# minimum confidence percentage used during license classification\nthreshold: .80\n\n# all permitted licenses - if no list is specified, all licenses are assumed to be allowed\nallow:\n  - \"MIT\"\n  - \"Apache-2.0\"\n  - \"0BSD\"\n  - \"BSD-3-Clause\"\n  - \"BSD-2-Clause\"\n  - \"BSD-2-Clause-FreeBSD\"\n  - \"MPL-2.0\"\n  - \"ISC\"\n  - \"PostgreSQL\"\n\n# overrides for cases where a license cannot be detected, but the software is licensed\noverride:\n  - path: \"github.com/abc/xyz\"\n    version: \"v0.1.0\" # version is optional - if specified, the override will only apply for the configured version\n    licenses: [\"MIT\"] # specify licenses\n\n# exceptions for violations\nexceptions:\n  # exceptions for \"license not permitted\" type violations\n  licenseNotPermitted:\n    - path: \"github.com/foo/bar\"\n      version: \"v0.1.0\" # version is optional - if specified, the exception will only apply to the configured version\n      licenses: [\"LGPL-3.0\"] # licenses is optional - if specified only violations in relation to the listed licenses will be ignored\n    - path: \"github.com/baz/xyz\"\n  # exceptions for \"unresolvable license\" type violations\n  unresolvableLicense:\n    - path: \"github.com/test/foo\"\n      version: \"v1.0.1\" # version is optional - if unspecified, the exception will apply to all versions\n```\n\n## Credit\n\nThis project was very much inspired by [mitchellh/golicense](https://github.com/mitchellh/golicense)\n\n## Caveat emptor\n\nJust as a linter cannot _guarantee_ working and correct code, this tool cannot guarantee dependencies and their licenses\nare determined with absolute correctness. 
`lichen` is designed to help catch cases that might fall through the net, but\nit is by no means a replacement for manual inspection and evaluation of dependencies.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuw-labs%2Flichen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fuw-labs%2Flichen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuw-labs%2Flichen/lists"}