Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add FOSSA license scan report and status #12023

Closed
wants to merge 1 commit into from

Conversation

fossabot
Copy link

Your FOSSA integration was successful! Attached in this PR is a badge and license report to track scan status in your README.

Below are docs for integrating FOSSA license checks into your CI:

Signed off by: fossabot <badges@fossa.com>
@agilgur5 agilgur5 added the area/docs Incorrect, missing, or mistakes in docs label Oct 17, 2023
@agilgur5
Copy link
Contributor

agilgur5 commented Oct 17, 2023

Oh, I added an integration for #9769 and apparently it created an automatic PR (I did not tell it to do so though...). FOSSA was already set-up for Argoproj and is used by Argo CD, for reference.

I'll create a new PR to add the badge for #9769 and fully integrate it. EDIT: See #12032

@fossabot
Copy link
Author

Your license scan is passing -- congrats!

Your badge status is now updated and ready to merge:

FOSSA Status

@agilgur5
Copy link
Contributor

agilgur5 commented Jan 14, 2024

Your license scan is passing -- congrats!

For reference, I thought this was failing due to a build error on FOSSA's side (as it is not building daily despite me setting it that way), but it was actually due to license issues.

Getting it to pass required me to "ignore" a handful of license issues that FOSSA found. Basically they were all false positives along the lines of FOSSA seeing GPL and reporting an "issue" without further context (where is it used, dev or prod? is it dual licensed?).

5/6 of the license issues were FOSSA “discovering” a different license in the codebase than "declared" in a dep’s LICENSE file:

The last dep was node-forge which is a transitive dep of webpack-dev-server. We only use webpack-dev-server as a devDep and as a separate process, which is proper usage of GPL without obligations.

  • annnd it turns out that node-forge is actually also dual licensed BSD-3/GPL, so either way we are fine

I added all those details in the ignore comments on FOSSA as well.

@agilgur5
Copy link
Contributor

Also I did have an earlier historical ignore, bufpipe before it had a LICENSE file: #12033

@agilgur5 agilgur5 added the solution/superseded This PR or issue has been superseded by another one (slightly different from a duplicate) label Feb 17, 2024
@agilgur5 agilgur5 changed the title Add license scan report and status Add FOSSA license scan report and status May 31, 2024
@agilgur5
Copy link
Contributor

agilgur5 commented Aug 24, 2024

Had a few deps recently flagged that were all MPL. I ignored those with the comment "We do not modify nor relicense code of dependencies. Argo/CNCF is Apache licensed, which is compatible with MPL".

Impacted transitive deps were:

  • github.com/go-sql-driver/mysql
  • github.com/hashicorp/go-uuid
  • github.com/hashicorp/hcl
  • and vendored Hashicorp deps of github.com/docker/docker

@agilgur5
Copy link
Contributor

agilgur5 commented Oct 27, 2024

Most recent false positive was on Go's x/crypto standard library, being marked as "unlicensed". I flagged it as an error in FOSSA with the note:

"This is the Go standard module crypto library. It follows the same license as the rest of Golang. Can also see its license in the linked repo: https://go.googlesource.com/crypto/+/refs/heads/master/LICENSE as well as its mirror on GitHub: https://github.com/golang/crypto/blob/master/LICENSE"

EDIT: FOSSA has resolved this now after I flagged it.

@agilgur5
Copy link
Contributor

agilgur5 commented Oct 27, 2024

5/6 of the license issues were FOSSA “discovering” a different license in the codebase than "declared" in a dep’s LICENSE file:

I did also flag all these to FOSSA recently, but for most of them they said they have no "warning" system when something is dual licensed and one of the licenses is compatible, so it will currently always raise a flag 😕

FOSSA staff kindly pointed out that newer throttle-debounce v5.0.1+ is no longer dual licensed as of niksy/throttle-debounce#65 / niksy/throttle-debounce#64

  • gettext-go (2/6) is imported by k8s and is BSD-3 licensed. There was GPL code in testdata, but that is not part of the prod binary

And they removed this false positive from their DB once they realized it was in test data and not prod code

@agilgur5
Copy link
Contributor

FOSSA staff kindly pointed out that newer throttle-debounce v5.0.1+ is no longer dual licensed as of niksy/throttle-debounce#65 / niksy/throttle-debounce#64

Ah and throttle-debounce no longer exists in our deps either as it was a transitive dep of antd so was removed in the argo-ui update that removed the unused antd dep in argoproj/argo-ui#554 and #13169

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/docs Incorrect, missing, or mistakes in docs solution/superseded This PR or issue has been superseded by another one (slightly different from a duplicate)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants