As one packaging Go daily for a distro, this doesn't surprise me (though thanks God we are not affected, probably because we unbundle everything and the license for each lib is then verified). Contrary to the Rust ecosystem, there is no central repo location or Cargo.toml that easily allow to parse the licenses used. So no cargo license commands. For static binaries we build, we don't have the entire set of licenses because the chain of dependencies can reach up to 650 packages.