Closed as not planned
Labels: bug (Something isn't working)
Description
What happened:
With v1.25.1 all golang components in the CycloneDX SBOMs that I produced had correct zip URLs.
With v1.34.2 some (about 2%) have license URLs that are relative to $GOPATH, e.g. file://$GOPATH/pkg/mod/golang.org/x/mod@v0.16.0/LICENSE.
What you expected to happen:
For the correct URLs to still be produced.
Steps to reproduce the issue:
I am producing SBOMs within a Docker multi-stage build with:

```dockerfile
ENV SYFT_FORMAT_CYCLONEDX_JSON_PRETTY=true
ENV SYFT_LICENSE_INCLUDE_UNKNOWN_LICENSE_CONTENT=true
ENV SYFT_ENRICH=all
ENV SYFT_GOLANG_SEARCH_LOCAL_MOD_CACHE_LICENSES=true
ENV SYFT_GOLANG_SEARCH_LOCAL_VENDOR_LICENSES=true
ENV SYFT_GOLANG_SEARCH_REMOTE_LICENSES=true
ENV SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES=true
ENV SYFT_JAVASCRIPT_INCLUDE_DEV_DEPENDENCIES=false
ENV SYFT_FILE_METADATA_SELECTION=none
RUN --mount=from=ghcr.io/anchore/syft:v1.34.2,source=/syft,target=/bin/syft \
    syft scan dir:. \
    --override-default-catalogers=go-module-file-cataloger,javascript-lock-cataloger \
    --select-catalogers=-file \
    --output=cyclonedx-json=/tmp/prod-src.cdx.json
```
Anything else we need to know?:
Example SBOM component before:

```json
{
  "bom-ref": "pkg:golang/golang.org/x/mod@v0.16.0?package-id=pkg%3Agolang%2Fgolang.org%2Fx%2Fmod%40v0.16.0%3Fpackage-id%3D4a31ad877085024b",
  "type": "library",
  "name": "golang.org/x/mod",
  "version": "v0.16.0",
  "licenses": [
    {
      "license": {
        "id": "BSD-3-Clause",
        "url": "https://proxy.golang.org/golang.org/x/mod/@v/v0.16.0.zip#golang.org/x/mod@v0.16.0/LICENSE"
      }
    }
  ],
  "cpe": "cpe:2.3:a:golang:x\\/mod:v0.16.0:*:*:*:*:*:*:*",
  "purl": "pkg:golang/golang.org/x/mod@v0.16.0",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "sbom-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "go"
    },
    {
      "name": "syft:package:type",
      "value": "go-module"
    },
    {
      "name": "syft:package:metadataType",
      "value": "go-module-entry"
    },
    {
      "name": "syft:location:0:path",
      "value": "tmp/bluvisual-src.cdx.json"
    },
    {
      "name": "syft:metadata:h1Digest",
      "value": "h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic="
    }
  ]
},
```

Example SBOM component after:
```json
{
  "bom-ref": "pkg:golang/golang.org/x/mod@v0.16.0?package-id=pkg%3Agolang%2Fgolang.org%2Fx%2Fmod%40v0.16.0%3Fpackage-id%3D4a31ad877085024b",
  "type": "library",
  "name": "golang.org/x/mod",
  "version": "v0.16.0",
  "licenses": [
    {
      "license": {
        "id": "BSD-3-Clause",
        "url": "file://$GOPATH/pkg/mod/golang.org/x/mod@v0.16.0/LICENSE"
      }
    }
  ],
  "cpe": "cpe:2.3:a:golang:x\\/mod:v0.16.0:*:*:*:*:*:*:*",
  "purl": "pkg:golang/golang.org/x/mod@v0.16.0",
  "properties": [
    {
      "name": "syft:package:foundBy",
      "value": "sbom-cataloger"
    },
    {
      "name": "syft:package:language",
      "value": "go"
    },
    {
      "name": "syft:package:type",
      "value": "go-module"
    },
    {
      "name": "syft:package:metadataType",
      "value": "go-module-entry"
    },
    {
      "name": "syft:location:0:path",
      "value": "tmp/bluvisual-src.cdx.json"
    },
    {
      "name": "syft:metadata:h1Digest",
      "value": "h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic="
    }
  ]
},
```

For my cases the GOPATH URLs can be transformed into valid zip URLs, so it isn't a blocker for me; I just thought I would report what I noticed.
Possibly related to #4132
Environment:
The Docker image used for the build is alpine:3.19.
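The transformation the reporter refers to, as an added example that is not syft's own code: it rewrites a $GOPATH-relative license URL into the proxy zip form seen in the v1.25.1 output. It assumes the Go module cache's `!`-escaping of upper-case letters in module paths and versions (kept in the proxy path, reversed in the fragment); the inputs in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// unescapeModPath reverses the module cache's path escaping, in which an
// upper-case ASCII letter X is stored as "!x" (github.com/!burnt!sushi -> github.com/BurntSushi).
func unescapeModPath(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '!' && i+1 < len(s) && s[i+1] >= 'a' && s[i+1] <= 'z' {
			i++
			b.WriteByte(s[i] - 'a' + 'A')
			continue
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// rewriteGopathLicenseURL maps file://$GOPATH/pkg/mod/<mod>@<ver>/<file> to the
// proxy zip form of the v1.25.1 output. The proxy path keeps the escaped module
// path and version; the fragment carries the unescaped form. Anything else,
// including a malformed cache path, is returned unchanged with ok=false.
func rewriteGopathLicenseURL(u string) (string, bool) {
	const prefix = "file://$GOPATH/pkg/mod/"
	mod, tail, okMod := strings.Cut(strings.TrimPrefix(u, prefix), "@")
	ver, file, okVer := strings.Cut(tail, "/")
	if !strings.HasPrefix(u, prefix) || !okMod || !okVer || mod == "" || ver == "" || file == "" {
		return u, false
	}
	return "https://proxy.golang.org/" + mod + "/@v/" + ver + ".zip#" +
		unescapeModPath(mod) + "@" + unescapeModPath(ver) + "/" + file, true
}

func main() {
	// Constructed inputs: the URL from the report and one whose module path
	// contains upper-case letters and is therefore stored escaped in the cache.
	for _, u := range []string{
		"file://$GOPATH/pkg/mod/golang.org/x/mod@v0.16.0/LICENSE",
		"file://$GOPATH/pkg/mod/github.com/!burnt!sushi/toml@v1.3.2/COPYING",
	} {
		fixed, ok := rewriteGopathLicenseURL(u)
		fmt.Println(ok, fixed)
	}
}
```

To repair a whole CycloneDX document, apply rewriteGopathLicenseURL to each components[].licenses[].license.url value; URLs that do not carry the $GOPATH prefix come back unchanged.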