Adopt a license scanning tool
Adopt a license scanning tool, like FOSSA
Take into account that this is a license-related scan.
This is something that needs to be done on all git repos across the two GitHub orgs.
Related to [INCUBATING PROJECT ONBOARDING] Knative https://github.com/cncf/toc/issues/794
Can someone from @knative/technical-oversight-committee help with this action item for CNCF onboarding? Maybe you can work in conjunction with the Productivity Working Group on setting up this type of license scanning and alerting, or maybe blocking PRs.
Maybe we have some of this in place; I think the TOC would be best placed to look into this.
/assign @dprotaso
In today's TOC meeting @dprotaso said he will look into this.
We might or might not have this covered with our current setup; Dave is going to look into it.
Created a ticket to engage with CNCF legal
From: https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1216
Hey folks - as part of the Knative incubation onboarding I'm taking a look at the licenses and scanning requirements (https://github.com/cncf/toc/issues/794)
Background
So right now Knative uses some Google OSS tooling to scan Go code and collect licenses. The tools are https://github.com/google/licenseclassifier and https://github.com/google/go-licenses.
We gather these licenses and ship them as part of our container images. What's notable is that for certain licenses we'll even include the original source (i.e. https://github.com/google/go-licenses/blob/5b654af5dcd3ef8090baaceae6009c20d75a87e8/save.go#L101-L111). I don't believe we have many of those.
This tooling seems to allow more licenses than the CNCF allow list, see https://github.com/google/licenseclassifier/blob/main/license_type.go#L179 (probably because we're compliant by shipping the source as well). Allow list for reference: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist
Moving Forward
I guess before adjusting our current process I'm curious what expectations the CNCF has w.r.t. compliance and disclosure, i.e. I don't believe I see other projects shipping disclosures in containers (e.g. k8s).
Also, in the meantime, if I could get access to the team FOSSA account I can test it out against our GitHub orgs.
thanks, dave protasowski
@dprotaso Any progress on this front or any blockers?
Followed up on the issue - waiting to get access to FOSSA to check it out
@dprotaso Any updates on this?
Productivity WG needs Snyk for https://github.com/knative/test-infra/issues/3135
Following up on this: we have access to FOSSA, but I wanted to know from the CNCF what the licensing disclosure requirements are. If we're ok dropping licenses in when shipping containers and supplying SBOMs, is that enough?
https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1652
Knative is using the https://github.com/google/go-licenses tool, which does the scanning for invalid licenses already.
See: https://github.com/knative/hack/blob/38316f28f0bfabcf698e3217236dee1e12d92bc8/library.sh#L804
Related to FOSSA: https://github.com/cncf/toc/issues/794#issuecomment-1725626990
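A worked example of the allowlist gate this thread keeps circling back to (added here as an illustration; it is not Knative's code, not part of go-licenses or FOSSA, and not something anyone in the thread posted). It consumes the CSV that `go-licenses csv ./...` prints (assumed format: one line per module with three columns, module path, license URL, license identifier; modules whose license text could not be classified are assumed to carry `Unknown`) and returns every dependency whose license is absent from an allowlist or could not be identified, so a CI step can fail the PR. The allowlist below is an illustrative subset of the CNCF approved licenses, not the authoritative list; take that from the policy document linked above. The CSV lines are constructed sample input, not real Knative dependencies.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Finding is one dependency that does not pass the allowlist check.
type Finding struct {
	Module  string
	License string
	Reason  string
}

// allowed is an ILLUSTRATIVE subset of the CNCF allowlist (assumption for this
// example only; the policy document is authoritative).
var allowed = map[string]bool{
	"Apache-2.0":   true,
	"MIT":          true,
	"BSD-2-Clause": true,
	"BSD-3-Clause": true,
	"ISC":          true,
}

// CheckLicenses reads go-licenses `csv` output (assumed columns:
// module, license URL, license identifier) and reports every module whose
// license is not on the allowlist, or whose license could not be identified.
// Unknown licenses are reported rather than silently passed, because the
// gate must fail closed when the classifier has no answer.
func CheckLicenses(r io.Reader, allowed map[string]bool) ([]Finding, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = -1 // tolerate extra columns from newer versions
	var findings []Finding
	for {
		rec, err := cr.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if len(rec) < 3 {
			return nil, fmt.Errorf("malformed go-licenses record: %q", rec)
		}
		mod := strings.TrimSpace(rec[0])
		lic := strings.TrimSpace(rec[2])
		switch {
		case lic == "" || strings.EqualFold(lic, "Unknown"):
			findings = append(findings, Finding{mod, lic, "license could not be identified"})
		case !allowed[lic]:
			findings = append(findings, Finding{mod, lic, "license not on allowlist"})
		}
	}
	// Deterministic order so CI output is stable and diffable.
	sort.Slice(findings, func(i, j int) bool { return findings[i].Module < findings[j].Module })
	return findings, nil
}

// sampleCSV is CONSTRUCTED input in the assumed go-licenses csv shape.
const sampleCSV = `github.com/example/apache,https://github.com/example/apache/blob/HEAD/LICENSE,Apache-2.0
github.com/example/mitlib,https://github.com/example/mitlib/blob/HEAD/LICENSE,MIT
github.com/example/gpltool,https://github.com/example/gpltool/blob/HEAD/LICENSE,GPL-3.0
github.com/example/mystery,Unknown,Unknown
`

func main() {
	// `-` as the only argument reads the CSV from stdin (pipe go-licenses into
	// it); otherwise the embedded sample is used so the program runs offline.
	var in io.Reader = strings.NewReader(sampleCSV)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		in = os.Stdin
	}
	findings, err := CheckLicenses(in, allowed)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%s\t%s\n", f.Module, f.License, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit blocks the PR in CI
	}
}
```

With the sample input the program reports `github.com/example/gpltool` (GPL-3.0, not on the allowlist) and `github.com/example/mystery` (unidentified) and exits 1. In a real pipeline it would be fed as `go-licenses csv ./... | go run ./licensegate -`; the allowlist map is the only thing that needs to track the CNCF policy, and unidentified licenses are treated as failures rather than exceptions so a vendored dependency with a hand-edited LICENSE file cannot slip through.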
I met with the CNCF this morning and configured FOSSA to scan the Knative repos; access to FOSSA is in the 1Password productivity vault @dprotaso @aliok @cardil @upodroid