Roll out FOSSA scanning to all repositories #2574

trask · 2025-02-14T23:16:24Z

FOSSA does both license and security scanning. Our initial focus is on license scanning since there may be overlap with other tools on the security scanning side.

I'm planning on asking @opentelemetrybot to fork and open PRs to all repos to add a fossa.yml workflow like https://github.com/open-telemetry/opentelemetry-java/blob/main/.github/workflows/fossa.yml.

Update: expand this for the script @opentelemetrybot is running

#!/usr/bin/env python3
from github3 import login
import os
import subprocess
import shutil

# Need to use a classic token with the following permissions:
# - repo
# - workflow
#
# I can't find any supporting documentation, but it doesn't seem that you can
# set "Allow edits and access to secrets by maintainers" on a PR from a fork
# when using a fine-grained token.
TOKEN = os.environ['GITHUB_TOKEN']

log_file=open('fossa.log', 'w')

gh = login(token=TOKEN)
temp_dir = 'repos'

def setup_local_repo(repo_name):
    upstream_repo = gh.repository('open-telemetry', repo_name)
    fork = upstream_repo.create_fork()

    repo_dir=os.path.join(temp_dir, repo_name)

    if not os.path.exists(repo_dir):
        subprocess.run(['git', 'clone', fork.clone_url], cwd=temp_dir)

    subprocess.run(['git', 'config', 'user.name', 'otelbot'], cwd=repo_dir)
    subprocess.run(['git', 'config', 'user.email', '197425009+otelbot@users.noreply.github.com'], cwd=repo_dir)

    subprocess.run(['git', 'stash'], cwd=repo_dir)
    subprocess.run(['git', 'clean', '-d', '-f'], cwd=repo_dir)

    existing_branches = subprocess.run(['git', 'branch', '--format=%(refname:short)'], cwd=repo_dir,
                                       capture_output=True, text=True).stdout.split()
    subprocess.run(['git', 'checkout', 'main'], cwd=repo_dir)
    for branch in existing_branches:
        if branch != 'main':
            subprocess.run(['git', 'branch', '-D', branch], cwd=repo_dir)

    existing_remotes = subprocess.run(['git', 'remote'], cwd=repo_dir, capture_output=True, text=True).stdout.split()
    if 'upstream' not in existing_remotes:
        subprocess.run(['git', 'remote', 'add', 'upstream', upstream_repo.clone_url], cwd=repo_dir)

    subprocess.run(['git', 'fetch', 'upstream'], cwd=repo_dir)

def create_fossa_pr(repo_name):

    # need a token with org permissions to create the PR
    upstream_repo = gh.repository('open-telemetry', repo_name)

    existing_prs = upstream_repo.pull_requests(state='open', head=f'opentelemetrybot:fossa')
    if any(True for _ in existing_prs):
        print("Found existing PR, skipping")
        return

    repo_dir=os.path.join(temp_dir, repo_name)

    subprocess.run(['git', 'checkout', '-b', 'fossa', 'upstream/main'], cwd=repo_dir)
    workflow_file_path = os.path.join(repo_dir, '.github', 'workflows', 'fossa.yml')
    if os.path.exists(workflow_file_path):
        print("Found existing FOSSA workflow file, skipping")
        return

    os.makedirs(os.path.dirname(workflow_file_path), exist_ok=True)
    shutil.copy('workflow-templates/fossa.yml', workflow_file_path)

    subprocess.run(['git', 'add', '.github/workflows/fossa.yml'], cwd=repo_dir)
    subprocess.run(['git', 'commit', '-a', '-m', 'Add FOSSA scanning workflow'], cwd=repo_dir)

    subprocess.run(['git', 'push', '-f', f'https://{TOKEN}@github.com/opentelemetrybot/{repo_name}.git', 'fossa'],
                   cwd=repo_dir)

    pr = upstream_repo.create_pull(title='Add FOSSA scanning workflow',
                                   body='See https://github.com/open-telemetry/community/issues/2574 for details',
                                   base='main',
                                   head='opentelemetrybot:fossa')

    print(f'PR created: {pr.html_url}')
    log_file.write(f'PR created: {pr.html_url}\n')

def process_all():

    org = gh.organization('open-telemetry')
    repos = [repo for repo in org.repositories() if not repo.archived]

    for repo in repos:
        setup_local_repo(repo.name)
        create_fossa_pr(repo.name)

process_all()

Maintainers: if you would like access to FOSSA, just DM me your email address on Slack (note: it needs to be an email address that is not already associated with a FOSSA account). I will collect the email addresses for a few days and then ask the CNCF to send out invites to the first batch (we are under the CNCF's FOSSA enterprise account and don't have access to send out invites ourselves).

Once we get a clean bill of health from FOSSA, we would like to publish the (passing) badges to https://github.com/open-telemetry/community/blob/main/reports/compliance.md. And folks can of course add the badges directly on their repos as well.

We haven't figured out yet the best way to track new licensing issues after initial compliance, though if you request access to FOSSA then you'll be able to have it send you notifications for a given repo(s).

The text was updated successfully, but these errors were encountered:

trask · 2025-02-15T00:33:39Z

Sent a few PRs in the first batch, will wait until next week to send to the remaining repos.

See open-telemetry/community#2574 for details Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>

trask · 2025-02-18T05:00:00Z

all PRs are created now

See open-telemetry/community#2574 for details Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com> Co-authored-by: Damien Mathieu <42@dmathieu.com>

See open-telemetry/community#2574 for details Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>

trask · 2025-03-11T20:26:44Z

Just a heads up for anyone watching this, we will come back to this work sometime after KubeCon

mx-psi pushed a commit to open-telemetry/opentelemetry-collector-contrib that referenced this issue Feb 17, 2025

Add FOSSA scanning workflow (#37947)

92468af

See open-telemetry/community#2574 for details Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>

github-merge-queue bot pushed a commit to open-telemetry/opentelemetry-collector that referenced this issue Feb 17, 2025

Add FOSSA scanning workflow (#12394)

d703f78

See open-telemetry/community#2574 for details Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>

github-merge-queue bot pushed a commit to open-telemetry/opentelemetry-collector that referenced this issue Feb 17, 2025

Add FOSSA scanning workflow (#12394)

36e0467

See open-telemetry/community#2574 for details Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>

svrnm added area/legal area/project-infra Non-GitHub project infra (DockerHub, etc.) labels Feb 17, 2025

florianl mentioned this issue Feb 18, 2025

FOSSA scanning workflow flagged 3 license issues open-telemetry/opentelemetry-ebpf-profiler#359

Open

trask self-assigned this Feb 18, 2025

trask added the triage:accepted This issue has been accepted and will be worked. label Feb 18, 2025

github-project-automation bot added this to GC Work Feb 18, 2025

Kielek mentioned this issue Feb 20, 2025

OTel .NET Contrib - Hangfire.Core license dependency verification #2585

Open

lquerel pushed a commit to open-telemetry/otel-arrow that referenced this issue Feb 23, 2025

Add FOSSA scanning workflow (#291)

54de428

See open-telemetry/community#2574 for details Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Roll out FOSSA scanning to all repositories #2574

Roll out FOSSA scanning to all repositories #2574

trask commented Feb 14, 2025 •

edited

Loading

trask commented Feb 15, 2025

trask commented Feb 18, 2025

trask commented Mar 11, 2025

Roll out FOSSA scanning to all repositories #2574

Roll out FOSSA scanning to all repositories #2574

Comments

trask commented Feb 14, 2025 • edited Loading

trask commented Feb 15, 2025

trask commented Feb 18, 2025

trask commented Mar 11, 2025

trask commented Feb 14, 2025 •

edited

Loading