FOSSA scanning enabled for the repo

[idvoretskyi]

Fixes #854

Signed-off-by: Ihor Dvoretskyi ihor@linux.com

[codecov]

Codecov Report

Merging #2347 into master will decrease coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #2347      +/-   ##
==========================================
- Coverage   95.58%   95.57%   -0.01%     
==========================================
  Files         208      208              
  Lines       10682    10682              
==========================================
- Hits        10210    10209       -1     
  Misses        401      401              
- Partials       71       72       +1     

Impacted Files	Coverage Δ
cmd/query/app/static_handler.go	84.16% <0.00%> (-1.67%)	⬇️
plugin/storage/integration/integration.go	80.86% <0.00%> (+0.47%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9aada2c...ea3dede. Read the comment docs.

[yurishkuro]

Seems that it also timed out. When it says "still being analyzed on fossa.com", is the analysis done locally in CI or remotely via FOSSA?

[yurishkuro]

What is the origin of this key? Please add a comment describing it.

[idvoretskyi]

@yurishkuro it's a FOSSA's push-only API token - https://docs.fossa.com/docs/api-reference#push-only-api-token; which is safe to be exposed publicly.

[yurishkuro]

but where does it come from? Is this ID specific to Jaeger project?

[idvoretskyi]

Yes, it was created for Jaeger only.

[yurishkuro]

will it take 1.14.x?

[idvoretskyi]

@yurishkuro let's try :)

[idvoretskyi]

Seems that it also timed out. When it says "still being analyzed on fossa.com", is the analysis done locally in CI or remotely via FOSSA?

@yurishkuro remotely.

[idvoretskyi]

@yurishkuro great, so it failed now due to the licensing issues found by FOSSA, not because of the wrong configuration.

[yurishkuro]

@idvoretskyi a couple questions:

1. is there a way to tweak the GH action so that it posts the link to the report? For example, when you click on Details of the Codecov checks it takes you to their code coverage report, but FOSAA details take you to GH action log and you have to hunt for the URL of the report. Ideally it would be linked directly from Details, or even better posted as a summary as comment, like FOSSA scanning enabled for the repo #2347 (comment)
2. The link from the logs shows NotFound, why is that? If we run this scan on all PRs, then anyone should be able to view the reports.

https://app.fossa.com/projects/custom+162%2Fgithub.com%2Fjaegertracing%2Fjaeger/refs/branch/HEAD/da0020c14818c479a6272614e192674a7ad48993

[idvoretskyi]

@yurishkuro

1. I'll check this and get back to you;
2. It's the default setting, let me take a look at how can it be updated.

[idvoretskyi]

@yurishkuro I've updated the FOSSA configuration here, and PR won't be blocked by the code scanning issues - they will be handled separately and should not block the PRs.

Regarding the report access - access is limited to the FOSSA UI users only, I'll go ahead and invite you (and other project maintainers) so you could have access to them.

[idvoretskyi]

@yurishkuro anything else is missing to merge the PR?

[yurishkuro]

I am still getting Not Found when I go to the report link shown in the logs: https://app.fossa.com/projects/custom+162%2Fgithub.com%2Fjaegertracing%2Fjaeger/refs/branch/HEAD/80a27b16e68b355ee80308f8f36e6f3ff1391541 (even after I log in to Fossa).

[idvoretskyi]

@yurishkuro I don't think you've joined the CNCF FOSSA org, this is an issue.

I'll DM you with further details.

[idvoretskyi]

@yurishkuro anything else is needed to get this merged?

[yurishkuro]

@idvoretskyi I am confused about how this GH action is supposed to work. Before I rebased this just now, the Fossa step was showing green while the report that it was pointing to was showing 2 license issues. Shouldn't the action be shown as failed in that case?

[idvoretskyi]

@yurishkuro no, we want this action to just collect reports for now. There's no need to block PRs by FOSSA reports.

[yurishkuro]

Whether to block PR or not is a setting in our repo, we can make FOSSA checks non-mandatory. But for maintainers it would be good to see the actual outcome of the check when approving PR. Right now doing that is pretty involved - not only the check comes back green, but also the report itself is quite hard to get to, you have to fish out the link from one of the step logs in the GH action. As I mentioned previously, it would be much better if

1. the check would go red if there are license violations
2. the link next to the check would go to a report directly, OR there would be a comment posted back into PR with a brief summary, similar to code coverage FOSSA scanning enabled for the repo #2347 (comment)

Having said that, an always green check is not going to hurt anything, so I am not opposed to merging this.

@objectiser @jpkrohling @pavolloffay any thoughts?

[objectiser]

+1 sounds ok to merge, but create an issue to make sure the actions you have suggested are investigated.

[idvoretskyi]

Umbrella issue (for the record) - cncf/foundation#109

[jpkrohling]

Can we set a target date for us to decide to keep or remove it? Having it always green even on license violations might mean that we just won't care about it at all in the future... Suggestion: by v1.21.0, we decide if we want to keep it.

[yurishkuro]

Technically, we've been in this situation for several years already - the scans were running somewhere in the background, and the badge in the README kind-of reflects them, but we didn't pay attention (because it was always so noisy). The ticket #2432 lists the additional improvements.