Fix FOSSA for all repositories

[yurishkuro]

UPDATE: 2020-09-01 main repo FOSSA check was fixed in #2347, but we need to add them to client libs as well.

• Java https://github.com/jaegertracing/jaeger-client-java
• Go https://github.com/jaegertracing/jaeger-client-go
• Go lib https://github.com/jaegertracing/jaeger-lib
• Python https://github.com/jaegertracing/jaeger-client-python
• Node.js https://github.com/jaegertracing/jaeger-client-node
• C/C++ (https://github.com/jaegertracing/cpp-client)
• C# / dotNET (https://github.com/jaegertracing/jaeger-client-csharp)

We used to have FOSSA checks run on many repositories, but now it only runs on 5 of them (excluding the main one), and we cannot add more.

According to Kevin Wang from FOSSA:

I’ve noticed that Jaeger is enrolled in Automated Builds, which is not the ideal integration method.

In this model, fossa has to “guess” your dependencies by running every build path — its convenient since you can import code through the UI, but not scalable if you want to make continuous scans. You will likely experience performance issues and false positives if you run this on a large project per commit.

I suggest we integrate Jaeger through Provided Builds, where you deploy our build client (https://github.com/fossas/fossa-cli) into your CI to report dependencies back to fossa. This model should enable extremely fast and high scale builds/scans from within your CI.

See “from a local dev machine” in this article below:

https://docs.fossa.io/docs/importing-a-project

[isaachier]

It seems like they don't/won't support C++ (see here). I don't blame them because package management in C++ is a train-wreck. If there is anything I can do for that project, please let me know. For the record, the system I use (Hunter package manager) preserves the license files in the dependency installation directory under a subdirectory named licenses. Not sure if that helps, but I thought I'd mention it.

[xizhao]

Kevin here from FOSSA. Excited to help you get integrated:

• We've upgraded your account to ensure you can import more projects -- I see 3 organizations in FOSSA (Jaeger, Jaegertracing, and CNCF); maybe you integrated with a different account?

• To work ideally with CI/CD, we have to integrate as part of the build path. That integration method is called Provided Builds and relies on reporting dependencies from within your build environment using fossa-cli and uploading a report to FOSSA per-build. This is significantly faster and scales very well, as it takes advantage of your already-running build rather than asking FOSSA to build for you.

• @isaachier, our build analysis is open source, and we use it to support all sorts of weird configurations -- including some cases where there is no formal dependency management system (like C/C++). Check out our example for Arbitrary Archive Support, [(source])[https://github.com/fossas/fossa-cli/blob/master/builders/archive/archive.go]. Would love to see a proposal or PR for how we can support your environment.

[isaachier]

Thanks @xizhao I will look into it.

[elldritch]

Leo from FOSSA here. We've been working on CLI v0.7.0, which is a total overhaul of our Go build analysis. If you'd like to try it out, we have a preview available here with an example usage here, and I'm happy to assist (available over email and Slack). Jaeger is actually one of the canonical projects that we use for automated acceptance testing.

[idvoretskyi]

@yurishkuro I'm happy to help with setting up FOSSA properly for this repo. I've just finished integrating FOSSA for CNCF's Kudo project (kedacore/keda#937), and suggest doing the same here - with GitHub Actions and fossa-cli.

[yurishkuro]

@idvoretskyi that would be great. Just one concern - when I tried to run fossa-cli locally, it took forever on our repo, not sure why.

[idvoretskyi]

@yurishkuro I've tried to run a build in my fork (see here - https://github.com/idvoretskyi/jaeger/runs/879002640?check_suite_focus=true), and it also stuck forever for me.

Looking deeper into the logs on the FOSSA side, I've discovered the following (log attached):

�[0KRunning with fossa-ci 0.5.2 (7ad0d786)
�[0;m�[0K  on FOSSA Build Runner p1l0op5j
�[0;m�[0KUsing Kubernetes namespace: runners
�[0;m�[0KUsing Kubernetes executor with image quay.io/fossa/fossa-core-srclib:v1.0.6 and helper quay.io/fossa/fossa:2.20.1

Running on runner-p1l0op5j-build-9356613-concurrent-0rz8tn via fossa-runner-0...
section_end:1594925210:prepare_script
�[0Ksection_start:1594925210:get_sources
�[0K�[32;1mNot downloading source code�[0;m
�[32;1mSkipping Git checkout�[0;m
�[32;1mSkipping Git submodules setup�[0;m
section_end:1594925210:get_sources
�[0Ksection_start:1594925210:restore_cache
�[0Ksection_end:1594925210:restore_cache
�[0Ksection_start:1594925210:download_artifacts
�[0Ksection_end:1594925210:download_artifacts
�[0Ksection_start:1594925210:build_script
�[0K�[32;1m$ /fossa/tsnode /fossa/ci/buildTools.ts parse --taskId=9356613 --buildId=4376332 --locator='custom+162/github.com/idvoretskyi/jaeger$a493f8f6825805269dd19537c660f9fd3e7b4f4f' --traceparent=00-bf023ba20eaf5b8d92d9ad6228f6f6b1-e117c4390bbea818-01�[0;m

Parsing dependencies from build data...
Discovered (0) direct dependencies for locator <custom+162/github.com/idvoretskyi/jaeger$a493f8f6825805269dd19537c660f9fd3e7b4f4f>
Discovered (236) deep dependencies for locator <custom+162/github.com/idvoretskyi/jaeger$a493f8f6825805269dd19537c660f9fd3e7b4f4f>
error resolving locator of deep dependency <go+go.mongodb.org/mongo-driver$v1.3.0>: Unable to generate Project from locator: go+go.mongodb.org/mongo-driver$v1.3.0 (Invalid go-import tag.)
error resolving locator of deep dependency <go+go.uber.org/zap$v1.13.0>: operation timed out
Finished parse with status SUCCEEDED
section_end:1594925867:build_script
�[0Ksection_start:1594925867:after_script
�[0Ksection_end:1594925868:after_script
�[0Ksection_start:1594925868:archive_cache
�[0Ksection_end:1594925868:archive_cache
�[0Ksection_start:1594925868:upload_artifacts_on_success
�[0Ksection_end:1594925868:upload_artifacts_on_success
�[0K�[32;1mJob succeeded
�[0;m

[idvoretskyi]

@yurishkuro also, can you please assign this issue to me? Thanks.

[idvoretskyi]

@yurishkuro UPD. The test took a while, however, it's ready - https://app.fossa.com/reports/6d16fa2a-88e1-467f-9076-e177b2f3fc72.

[idvoretskyi]

Submitted a PR here - #2347

[yurishkuro]

We need to add FOSSA checks for all other repositories, especially to client libraries. I am going to add links to the main description of this ticket.

@idvoretskyi do we need to do any preliminary setup in FOSSA itself?

[idvoretskyi]

@yurishkuro this was my plan, so no worries, I'll work on it (once we'll agree that the current setup is good for us).

Nothing extra from the FOSSA side.

[idvoretskyi]

@yurishkuro added scans to a couple of repos:

• FOSSA scan enabled jaeger-operator#1188
• FOSSA scan enabled jaeger-client-go#530
• FOSSA scan enabled jaeger-lib#80

[yurishkuro]

Per #3362, we're sunsetting Jaeger clients, which is the scope of this issue.