Description
Golang cataloger partially searches the host outside the scan source and downloads packages from the network without the user specifying --enrich or otherwise opting in to this behavior. This occurs for directory scans as well as other scan sources, such as when scanning images.
Additionally, there are now two different code paths that look up licenses for go modules in the host's go mod directory, but one of these cannot be disabled.
We should consolidate both of these code paths to behave as consistently as possible and determine what the right defaults are (or enable it by default only for directory scans, etc.).
Previous license lookup:
- looks only in the root directory of the module for license files
- downloads modules from go proxy or git if not found locally, only with `--enrich`
- for licenses found in the mod cache, sets `file://$GOPATH/...` locations; sets appropriate URL locations when downloaded

Source available code path:
- looks up licenses in many subdirectories of the module, regardless of whether the packages are being used, notably including test packages
- uses go tooling to download modules over the network regardless of `--enrich`
- does not set locations
I think including tests and data within testdata directories is incorrect in terms of identifying distributable licenses. Using the go tooling to download modules is probably the most accurate, but we should figure out how to set locations indicating where we found license information, ideally pointing to proxy URLs if that's where syft ultimately obtained them.
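To make the difference between the two lookups concrete, here is an added illustration in Go (not syft's code, and not from this issue's author): a hypothetical `FindLicenses` that scans an unpacked module either root-only (the previous behavior) or recursively while skipping `testdata`, `vendor`, and hidden or underscore-prefixed directories, and that records a `file://` location for every hit. `BuildSampleModule` writes a constructed module layout to a temp directory so the block runs offline; the license file-name allow-list is an assumption.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// LicenseHit records a license file and where it was read from. Location is
// a file:// URL, mirroring the convention for files found in the local mod cache.
type LicenseHit struct {
	RelPath  string
	Location string
}

// licenseFileNames is an assumed allow-list of file names treated as license files.
var licenseFileNames = []string{"LICENSE", "LICENSE.txt", "LICENSE.md", "COPYING", "NOTICE"}

func isLicenseFile(name string) bool {
	for _, n := range licenseFileNames {
		if strings.EqualFold(name, n) {
			return true
		}
	}
	return false
}

// FindLicenses walks moduleDir. rootOnly=true mimics the previous lookup
// (root directory only). rootOnly=false descends into subdirectories but
// skips testdata, vendor, and hidden/underscore-prefixed trees, so fixture
// licenses never count as distributable licenses of the module.
func FindLicenses(moduleDir string, rootOnly bool) ([]LicenseHit, error) {
	var hits []LicenseHit
	err := filepath.WalkDir(moduleDir, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			if path == moduleDir {
				return nil
			}
			name := d.Name()
			if rootOnly || name == "testdata" || name == "vendor" ||
				strings.HasPrefix(name, ".") || strings.HasPrefix(name, "_") {
				return fs.SkipDir
			}
			return nil
		}
		if !isLicenseFile(d.Name()) {
			return nil
		}
		rel, err := filepath.Rel(moduleDir, path)
		if err != nil {
			return err
		}
		abs, err := filepath.Abs(path)
		if err != nil {
			return err
		}
		hits = append(hits, LicenseHit{
			RelPath:  filepath.ToSlash(rel),
			Location: "file://" + filepath.ToSlash(abs),
		})
		return nil
	})
	return hits, err
}

// BuildSampleModule creates a constructed module layout: a root LICENSE, a
// subpackage with its own license, a testdata fixture license, and a vendored
// COPYING. The caller removes the directory when done.
func BuildSampleModule() (string, error) {
	dir, err := os.MkdirTemp("", "gomodcache-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"LICENSE":                       "MIT License (constructed)",
		"internal/foo/LICENSE.txt":      "BSD-3-Clause (constructed)",
		"internal/foo/testdata/LICENSE": "GPL-3.0 fixture (constructed)",
		"vendor/x/COPYING":              "vendored (constructed)",
		"main.go":                       "package main\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return dir, nil
}

func main() {
	dir, err := BuildSampleModule()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, rootOnly := range []bool{true, false} {
		hits, err := FindLicenses(dir, rootOnly)
		if err != nil {
			panic(err)
		}
		fmt.Printf("rootOnly=%v:\n", rootOnly)
		for _, h := range hits {
			fmt.Printf("  %s -> %s\n", h.RelPath, h.Location)
		}
	}
}
```

Root-only returns just `LICENSE`; the recursive walk adds `internal/foo/LICENSE.txt` but never the `testdata` or `vendor` entries, and every hit carries a `file://` location that can be reported back to the user.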