Unable to identify license on Golang packages imported by URL #1056

@lucasgonze

What happened:

Given a Golang package that imports from a URL, licenseConcluded in the associated SPDX file is "none". The remote package has a clearly identifiable license file.

What you expected to happen:

The remote repo (https://github.com/aws/aws-sdk-go) has a LICENSE.txt. I expected that to be dereferenced and used.

How to reproduce it (as minimally and precisely as possible):

I have a golang file:
./test.go

Containing a remote import:

package test
import (
        awsSDK "github.com/aws/aws-sdk-go/aws"
)
// Blank use of the import so the file compiles.
var _ = awsSDK.String

I process the file using the syft CLI and generate SPDX. The SPDX code generated is:


 "packages": [
  {
   "SPDXID": "SPDXRef-320fa0ac8fde1360",
   "name": "github.com/aws/aws-sdk-go",
   "licenseConcluded": "NONE",

Anything else we need to know?:

Environment:

  • Output of syft version:

syft 0.46.3

  • OS (e.g: cat /etc/os-release or similar):

OS X 11.6

Labels: enhancement (New feature or request), license (relating to software licensing)

Status: Done
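An SBOM consumer can audit for the gap reported above. The following is an added example, not code from the issue or from the syft project: it lists every package in an SPDX JSON document whose licenseConcluded is empty, NONE or NOASSERTION and looks for a license file in a local Go module cache. The function names, the sample document and the cache path are hypothetical, and it assumes the module sources are present in the cache under the usual `<escaped module path>@<version>` layout.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
	"unicode"
)

// sample is constructed, modelled on the SPDX excerpt in the report; versions and 2nd package are invented.
const sample = `{"packages": [
 {"name": "github.com/aws/aws-sdk-go", "versionInfo": "v0.0.0-example", "licenseConcluded": "NONE"},
 {"name": "example.com/Has/License", "versionInfo": "v1.0.0", "licenseConcluded": "MIT"}]}`

// escapeModPath applies the Go module cache case-encoding ("A" becomes "!a").
func escapeModPath(p string) string {
	var b strings.Builder
	for _, r := range p {
		if unicode.IsUpper(r) {
			b.WriteByte('!')
		}
		b.WriteRune(unicode.ToLower(r))
	}
	return b.String()
}

// auditLicenses maps every package whose licenseConcluded is empty, NONE or
// NOASSERTION to the license files found for it under modCache ("" if none).
func auditLicenses(sbom []byte, modCache string) (map[string]string, error) {
	var doc struct {
		Packages []struct {
			Name, VersionInfo, LicenseConcluded string
		} `json:"packages"`
	}
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	gaps := map[string]string{}
	for _, p := range doc.Packages {
		if lc := p.LicenseConcluded; lc == "" || lc == "NONE" || lc == "NOASSERTION" {
			hits, _ := filepath.Glob(filepath.Join(modCache, escapeModPath(p.Name)+"@"+p.VersionInfo, "LICEN[SC]E*"))
			gaps[p.Name] = strings.Join(hits, ",")
		}
	}
	return gaps, nil
}

func main() { fmt.Println(auditLicenses([]byte(sample), "/nonexistent-modcache")) } // assumed cache path
```

A package reported with an empty value has no concluded license in the SBOM and no license file in the cache that was searched, so it needs manual review before the SBOM is relied on for license compliance.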