Closed
Labels: enhancement (New feature or request)
Description
Describe your feature request
Hi, we're trying to use frankenphp in our production environment, but the Snyk scanner complains about the AGPL 3.0 license of Vulcain and Mercure.
I'm trying to build frankenphp without these modules which we are not currently leveraging, but Snyk continues to complain.
```
✗ High severity issue found in github.com/dunglas/vulcain/caddy
  Description: AGPL-3.0 license
  Info: https://snyk.io/vuln/snyk:lic:golang:github.com:dunglas:vulcain:caddy:AGPL-3.0
  Introduced through: github.com/dunglas/vulcain/[email protected]
  From: github.com/dunglas/vulcain/[email protected]

✗ High severity issue found in github.com/dunglas/vulcain
  Description: AGPL-3.0 license
  Info: https://snyk.io/vuln/snyk:lic:golang:github.com:dunglas:vulcain:AGPL-3.0
  Introduced through: github.com/dunglas/[email protected]
  From: github.com/dunglas/[email protected]

✗ High severity issue found in github.com/dunglas/mercure/caddy
  Description: AGPL-3.0 license
  Info: https://snyk.io/vuln/snyk:lic:golang:github.com:dunglas:mercure:caddy:AGPL-3.0
  Introduced through: github.com/dunglas/mercure/[email protected]
  From: github.com/dunglas/mercure/[email protected]

✗ High severity issue found in github.com/dunglas/mercure
  Description: AGPL-3.0 license
  Info: https://snyk.io/vuln/snyk:lic:golang:github.com:dunglas:mercure:AGPL-3.0
  Introduced through: github.com/dunglas/[email protected]
  From: github.com/dunglas/[email protected]
```
This is the build command we are using:
```sh
CGO_ENABLED=1 \
XCADDY_GO_BUILD_FLAGS="-ldflags='-w -s' -tags=nobadger,nomysql,nopgx" \
CGO_CFLAGS=$(php-config --includes) \
CGO_LDFLAGS="$(php-config --ldflags) $(php-config --libs)" \
xcaddy build \
    --output frankenphp \
    --with github.com/dunglas/frankenphp/caddy \
    --with github.com/dunglas/caddy-cbrotli
    # Add extra Caddy modules and FrankenPHP extensions here
    # optionally, if you would like to compile from your frankenphp sources:
    # --with github.com/dunglas/frankenphp=$(pwd) \
    # --with github.com/dunglas/frankenphp/caddy=$(pwd)/caddy
```
Do you think this is because throughout the repository there are imports of Vulcain and Mercure, although these are not actually compiled? Any way I could avoid this?
I'm doing some tests myself and will be back with findings.
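One way to answer the question above, added here and not part of the issue or of the FrankenPHP project: Snyk reads go.mod, which lists every module the repository imports anywhere, while `go version -m <binary>` prints the build info embedded in the binary, and its `dep` lines list only the modules that were actually linked. The sample build info below is constructed (placeholder versions and hashes), so run `go version -m ./frankenphp` on a real build to get the actual list.

```shell
#!/bin/sh
# Added example, not from the issue or the FrankenPHP project: separate
# "declared in go.mod" (what Snyk flags) from "linked into the binary"
# (what `go version -m` reports).

# linked_in_binary MODULE BUILD_INFO
# Exit status 0 if MODULE appears on a "dep" or "mod" line of the build info,
# 1 otherwise. Real `go version -m` output is tab-separated; awk's default
# field splitting handles tabs and spaces alike.
linked_in_binary() {
    printf '%s\n' "$2" | awk -v m="$1" '
        ($1 == "dep" || $1 == "mod") && $2 == m { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# triage MODULE BUILD_INFO
# Prints "linked" if the flagged module ships in the binary, "unlinked" if the
# finding comes from go.mod alone.
triage() {
    if linked_in_binary "$1" "$2"; then
        echo linked
    else
        echo unlinked
    fi
}

# Constructed sample of `go version -m frankenphp` output; versions and hashes
# are placeholders, not real values.
SAMPLE_BUILD_INFO='frankenphp: go1.22.0
    path    github.com/dunglas/frankenphp/caddy
    dep     github.com/caddyserver/caddy/v2     v0.0.0-PLACEHOLDER  h1:PLACEHOLDER=
    dep     github.com/dunglas/frankenphp       v0.0.0-PLACEHOLDER  h1:PLACEHOLDER=
    dep     github.com/dunglas/caddy-cbrotli    v0.0.0-PLACEHOLDER  h1:PLACEHOLDER=
    build   -tags=nobadger,nomysql,nopgx'

# Usage: triage the modules the scanner flagged against the sample build info.
for m in github.com/dunglas/vulcain github.com/dunglas/mercure github.com/dunglas/frankenphp; do
    printf '%s\t%s\n' "$m" "$(triage "$m" "$SAMPLE_BUILD_INFO")"
done
```

An "unlinked" verdict shows the scanner is reacting to go.mod rather than to shipped code; `go mod why -m github.com/dunglas/vulcain` then shows which import path keeps the module in go.mod.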