
Add multiple license scanning tools check (instead of just FOSSA) #50

Closed
idvoretskyi opened this issue Feb 14, 2022 · 6 comments · Fixed by #110

Comments

@idvoretskyi
Member

CNCF does require license scanning enabled for all projects. However, FOSSA is not the only tool that the project can use, e.g., various projects use Snyk - (cncf/foundation#109 (comment)).

Let's check for the license scanning badge more broadly, not just for the "FOSSA badge".

@dims
Member

dims commented Feb 14, 2022

Also note that snyk badges are not available for golang repos ( https://support.snyk.io/hc/en-us/articles/360003997277-Badge-Support-for-Repositories - only Node.js, Ruby or Java)

@caniszczyk

caniszczyk commented Feb 14, 2022 via email

@dims
Member

dims commented Feb 14, 2022

@idvoretskyi
Member Author

@caniszczyk, can we provide this data manually for those projects that can't be checked automatically? E.g., if a project uses the Snyk account provided by CNCF, we can pull this data manually from our Snyk dashboard.

@caniszczyk

caniszczyk commented Feb 14, 2022 via email

tegioz added a commit that referenced this issue Feb 28, 2022
- The check has been renamed from FOSSA badge to License scanning
- It's now able to detect Snyk badges in README files
- A link to the license scanning report is stored and exposed in the UI
- In addition to FOSSA and Snyk, it's now possible to provide a custom
  license scanning url in the `.clomonitor.yml` metadata file

Closes #50

Signed-off-by: Sergio Castaño Arteaga <[email protected]>
Signed-off-by: Cintia Sanchez Garcia <[email protected]>
Co-authored-by: Sergio Castaño Arteaga <[email protected]>
Co-authored-by: Cintia Sanchez Garcia <[email protected]>
@tegioz
Contributor

tegioz commented Feb 28, 2022

Hi 👋

We've made some improvements to this check:

  • It has been renamed from FOSSA badge to License scanning
  • It is now able to also detect Snyk badges in README files
  • A link to the license scanning results is stored and exposed in the UI
  • In addition to FOSSA and Snyk, it's now possible to provide a custom license scanning url in the .clomonitor.yml metadata file. This should help when projects use other license scanning solutions that we don't support yet (or when badges are not available, as @dims mentioned).

In the case of the Kubernetes project, adding a CloMonitor metadata file (.clomonitor.yml) to the repository with the following content should make this check pass:

licenseScanning:
  url: https://testgrid.k8s.io/sig-security-snyk-scan#ci-kubernetes-snyk-master
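The check as described in the comment above, sketched here as an added Python example (not CLOMonitor's own code): it looks for a FOSSA or Snyk badge in the README and otherwise falls back to the `licenseScanning.url` entry of `.clomonitor.yml`. The badge URL shapes, the metadata-first precedence and the https-only rule are assumptions, and the metadata parser only handles the two-line form shown in the thread.

```python
import re
from typing import Optional

# Assumed badge URL shapes (not taken from the issue): FOSSA shields are served
# from app.fossa.com / app.fossa.io, Snyk test badges from snyk.io/test/...
FOSSA_BADGE = re.compile(r"https://app\.fossa\.(?:com|io)/api/projects/[^\s)\"']+")
SNYK_BADGE = re.compile(r"https://snyk\.io/test/[^\s)\"']+")
# Minimal parser for the two-line `.clomonitor.yml` fragment from the thread;
# a real implementation would load the file with a YAML library.
META_URL = re.compile(r"^licenseScanning:\s*\n\s+url:\s*(\S+)", re.MULTILINE)


def license_scanning_check(readme: str, metadata: Optional[str] = None) -> Optional[dict]:
    """Return {'provider', 'url'} when license scanning is detected, else None.

    Assumed precedence: explicit metadata url, then FOSSA badge, then Snyk badge.
    Only https report links are accepted, so the UI never exposes a plain-http link.
    """
    if metadata:
        m = META_URL.search(metadata)
        if m and m.group(1).startswith("https://"):
            return {"provider": "custom", "url": m.group(1)}
    m = FOSSA_BADGE.search(readme)
    if m:
        return {"provider": "fossa", "url": m.group(0)}
    m = SNYK_BADGE.search(readme)
    if m:
        return {"provider": "snyk", "url": m.group(0)}
    return None


# Constructed sample inputs (hypothetical example/demo repository).
README_FOSSA = (
    "# demo\n"
    "[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fexample%2Fdemo.svg?type=shield)]"
    "(https://app.fossa.com/projects/git%2Bgithub.com%2Fexample%2Fdemo?ref=badge_shield)\n"
)
README_SNYK = (
    "# demo\n"
    "[![Known Vulnerabilities](https://snyk.io/test/github/example/demo/badge.svg)]"
    "(https://snyk.io/test/github/example/demo)\n"
)
README_PLAIN = "# demo\nNo badges here.\n"
# The metadata content quoted in the comment above.
METADATA_K8S = (
    "licenseScanning:\n"
    "  url: https://testgrid.k8s.io/sig-security-snyk-scan#ci-kubernetes-snyk-master\n"
)
```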
