feat(license): scan vendor directory for license for go.mod files

[oneum20]

Description

This PR adds support for scanning the vendor directory when detecting licenses for Go modules. Currently, Trivy only checks for licenses in $GOPATH/pkg/mod, but when users use go mod vendor command, the dependencies are stored in the vendor directory without their own go.mod files.

Related issues

• ISSUES - 8527

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[DmitriyLewen]

Hello @oneum20
Thanks for your work!

Left a few comments. Take a look, when you have time, please
Also we need to update docs (see https://trivy.dev/latest/docs/coverage/language/golang/#license)

[DmitriyLewen]

if $GOPATH/pkg/mod doesn't exist - you will not check vendor dir.

trivy/pkg/fanal/analyzer/language/golang/mod/mod.go

Lines 140 to 144 in 118cd99

	if !fsutils.DirExists(modPath) {
	a.logger.Debug("GOPATH not found. Need 'go mod download' to fill licenses and dependency relationships",
	log.String("GOPATH", modPath))
	return nil
	}

[DmitriyLewen]

If repository contains required files - we try to add them into CompositeFS.
e.g. node_modules dir for npm and yarn.
So i suggest to add vendor dir into CompositeFS (use Required function)

[DmitriyLewen]

I think it will be easier to understand this way.

Suggested change

	modDirSuffix := fmt.Sprintf("@%s", lib.Version)
	if modPath == vendorPath {
	modDirSuffix = ""
	}
	modDir := filepath.Join(modPath, fmt.Sprintf("%s%s", normalizeModName(lib.Name), modDirSuffix))
	// Package dir from `vendor` dir doesn't have version suffix.
	modDirName := normalizeModName(lib.Name)
	if modPath != vendorPath {
	// Add version suffix for packages from $$GOPATH
	// e.g. $GOPATH/pkg/mod/github.com/aquasecurity/go-dep-parser@v1.0.0
	modDirName = fmt.Sprintf("%s@%s", modDirName, lib.Version)
	}
	modDir := filepath.Join(modPath, modDirName)

[DmitriyLewen]

I think we can add verndorDirFound bool variable for that.

[DmitriyLewen]

We need to add comment why we use another path here.

[oneum20]

Hi @DmitriyLewen!

Thanks for your review!
I've addressed the feedback and updated the code accordingly.
Could you please take another look when you have a moment?

Thanks!

[DmitriyLewen]

LGTM, left small comments

[DmitriyLewen]

I think we can remove vendor dir check here.
As we told in #8527 (comment) - vendor dir doesn't have go.mod/go.sum files.

But we can add comment about this case with link to your comment,

[DmitriyLewen]

use errors.Is(err, os.ErrNotExist) to check that dir exists

[DmitriyLewen]

and we need to check that this is dir (not file)

[DmitriyLewen]

We can add check here or in collectDeps func

Suggested change

	// Collect dependencies of the direct dependency from $GOPATH/pkg/mod because the vendor directory doesn't have go.mod files.
	gopathModDir := filepath.Join(gopath, "pkg", "mod", fmt.Sprintf("%s@%s", normalizeModName(lib.Name), lib.Version))
	if !gopathModDirFound {
	continue
	}
	// Collect dependencies of the direct dependency from $GOPATH/pkg/mod because the vendor directory doesn't have go.mod files.
	gopathModDir := filepath.Join(gopath, "pkg", "mod", fmt.Sprintf("%s@%s", normalizeModName(lib.Name), lib.Version))

[oneum20]

Thank you for the review. :)
I've addressed the other points and looked into this suggestion.

It seems the check is already implemented here:

trivy/pkg/fanal/analyzer/language/golang/mod/mod.go

Lines 188 to 198 in b7cbbdc

	func (a *gomodAnalyzer) collectDeps(modDir, pkgID string) (types.Dependency, error) {
	// e.g. $GOPATH/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod
	modPath := filepath.Join(modDir, "go.mod")
	f, err := os.Open(modPath)
	if errors.Is(err, fs.ErrNotExist) {
	a.logger.Debug("Unable to identify dependencies as it doesn't support Go modules",
	log.String("module", pkgID))
	return types.Dependency{}, nil
	} else if err != nil {
	return types.Dependency{}, xerrors.Errorf("file open error: %w", err)
	}

Was there perhaps a different intention I might have missed?

[DmitriyLewen]

there are 2 point:

1. We try to use "early return" logic.
2. We will check go.mod file for each dependency (but you know that GOPATH dir doesn't exist), so this is extra resources.

[DmitriyLewen]

@oneum20 I refactored a bit, can you take a look and confirm that i didn't break your logic? 😄

[oneum20]

@DmitriyLewen
Thanks for the refactor!
Everything looks fine on my end. 😃

[DmitriyLewen]

@knqyf263 can you also take a look, please?