fix: separate golang license caches from mod dir #2852

Open
wants to merge 4 commits into main
Conversation

@kzantow (Contributor) commented May 7, 2024

Previously, license handling in Golang had a few quirks and might not function if the go mod directory did not exist.

This PR makes the following changes:

  • Separate local go mod cache directory from remote download cache
  • Use known cache directory using XDG if not specified in config; create the directory if it does not exist
  • No longer download files into a go mod directory, only the syft cache

TODO:

  • ensure this cache directory is excluded during scans (e.g. syft /)

Fixes: #2798 #1933

Signed-off-by: Keith Zantow <kzantow@gmail.com>
@wagoodman (Contributor) left a comment

This is great! I feel like this is something we can build on over time too.

Since this PR doesn't introduce mechanisms for cache invalidation, users will start to have new cache directories that will continue to grow (this is different from grype, where new DBs get replaced).

I feel like before merging this there should be an answer to how a user would delete the cache or how syft would automatically do this... this could be:

  • like you brought up on the call, allow for TTL configuration and track the last write date in the cache dir so we can clean up periodically.
  • maybe add a cache list and cache delete subcommands to syft

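To make the two threads above concrete (the PR description's separate, XDG-resolved license cache that is created on demand and never written into the go mod directory, and the review's point that such a cache needs a TTL-based cleanup and must be excluded from a filesystem scan), here is an added example written for this page. It is not syft's code and not kzantow's implementation: the `syft/golang` subpath under the user cache directory, the module@version entry layout borrowed from the Go module cache's `!upper` escaping, the use of directory mtime as the "last write date", and the 30-day default TTL are all assumptions of the example. Everything else is the Go standard library.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"time"
	"unicode"
)

// licenseCacheDir resolves the directory for remotely fetched module licenses.
// It is deliberately not GOMODCACHE: nothing here writes into the go mod dir.
// With no configured path, os.UserCacheDir applies the XDG rules on Unix
// ($XDG_CACHE_HOME, else $HOME/.cache). The "syft/golang" subpath is an
// assumption of this example, not syft's real layout.
func licenseCacheDir(configured string) (string, error) {
	dir := configured
	if dir == "" {
		base, err := os.UserCacheDir()
		if err != nil {
			return "", fmt.Errorf("no user cache directory: %w", err)
		}
		dir = filepath.Join(base, "syft", "golang")
	}
	// Create it up front instead of assuming it exists (the original bug).
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	return dir, nil
}

// escape mirrors the Go module cache convention: an uppercase letter becomes
// "!" plus its lowercase form, keeping paths unambiguous on case-insensitive filesystems.
func escape(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsUpper(r) {
			b.WriteByte('!')
			r = unicode.ToLower(r)
		}
		b.WriteRune(r)
	}
	return b.String()
}

// cacheKey is the slash-separated relative path of one module@version entry.
func cacheKey(modulePath, version string) string {
	return escape(modulePath) + "@" + escape(version)
}

// storeLicense writes one license file into the entry for modulePath@version and
// stamps the entry directory's mtime with now, which pruneExpired treats as last write.
func storeLicense(cacheDir, modulePath, version, name string, content []byte, now time.Time) (string, error) {
	entry := filepath.Join(cacheDir, filepath.FromSlash(cacheKey(modulePath, version)))
	if err := os.MkdirAll(entry, 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(entry, name), content, 0o644); err != nil {
		return "", err
	}
	return entry, os.Chtimes(entry, now, now)
}

// pruneExpired removes every module@version entry whose last write is older than
// ttl and returns the removed keys. Entry directories are the leaves (their name
// contains "@"), so the walk never descends into them.
func pruneExpired(cacheDir string, ttl time.Duration, now time.Time) ([]string, error) {
	var removed []string
	err := filepath.WalkDir(cacheDir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() || !strings.Contains(d.Name(), "@") {
			return nil // parent directory, keep descending
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if now.Sub(info.ModTime()) > ttl {
			if err := os.RemoveAll(p); err != nil {
				return err
			}
			rel, _ := filepath.Rel(cacheDir, p)
			removed = append(removed, filepath.ToSlash(rel))
		}
		return fs.SkipDir
	})
	return removed, err
}

// insideCache reports whether path (absolute, like cacheDir) lies under cacheDir,
// so a scan such as `syft /` can skip the cache instead of cataloging its own downloads.
func insideCache(cacheDir, path string) bool {
	rel, err := filepath.Rel(cacheDir, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	dir, err := licenseCacheDir("") // XDG-resolved default
	if err != nil {
		panic(err)
	}
	removed, err := pruneExpired(dir, 30*24*time.Hour, time.Now()) // assumed default TTL
	if err != nil {
		panic(err)
	}
	fmt.Printf("license cache %s, pruned %d expired entries\n", dir, len(removed))
}
```

Using mtime as the last-write marker keeps the cache self-describing with no index file, at the cost that anything else touching the directory (a backup restore, for instance) refreshes the entry; a sidecar timestamp file would be the alternative if that matters. Parent directories such as `github.com/!azure` are left behind after pruning; they are empty and harmless, but a `cache delete` subcommand of the kind suggested above would simply remove the whole resolved directory.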
Successfully merging this pull request may close these issues.

Golang: Search remote licenses not working in a CI pipeline when scanning Docker image