-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle OSS licenses and attribution #2917
Comments
is this something that can be built into the openssf tooling ? |
Not sure. At this time, the openssf license validation only checks that a license for the project exists. There's this issue: ossf/scorecard#3840, but if focuses on the license in use by the project, not its dependencies. There's this issue: ossf/scorecard#2531 that deals with dependencies. IMHO, this should be a reusable CNCF util, as it's meant to enforce CNCF-specific requirements. |
Please assign me |
@shahar-h - there are two options that we discussed in this context:
|
@guydc FOSSA is commonly used by CNCF projects: cncf/foundation#109 |
+1 for FOSSA, will reach out to CNCF to get a key |
@arkodg @guydc
|
Update: FOSSA scan was done against some default license policy which is not compliant with CNCF policy.
Both declare Both dependencies are transitive and used by BTW osv-scanner which is used by OpenSSF for vulnerability scanning also supports license scanning. I tested it and it found the same violations with some few false positives. The problem that it's still experimental. We can consider using it in the future. @arkodg can please refer to my questions in the previous comment? Did you manage to get FOSSA api key? |
thanks for digging into this @shahar-h ! I'm still waiting to hear back from CNCF, will reach out again |
Thanks, and what about the second point(api token)? |
yeah read the context from the distribution PR, CNCF + FOSSA is a +1 with that approach so we can just follow it, also include them in the PR, to make sure we're doing the right thing |
@Xunzhuo logged a CNCF Service Desk request. I invited (most) all of the maintainers to join the CNCF Organizaion on FOSSA. FOSSA Invites are valid for 48 hours. https://docs.fossa.com/docs/inviting-users @Xunzhuo please spread the word and ask the invitees to accept their invitations. I need just one maintainer to accept the invite who can then add repos following these instructions: https://docs.fossa.com/docs/quick-import Any issues reach out to me on CNCF Slack or update the Service Request. |
thanks @RobertKielty, I do have access to the API key, will share it with you @shahar-h
2 makes sense here so we can proactively catch any violations |
Regarding
|
thanks for driving this work @shahar-h ! For other following this issue wanted to highlight why Envoy Gateway is trying to adopt
having said this, if we cannot achieve the goal of license scanning via |
A more detailed context about
|
@shahar-h I note your work and comments with interest! I will pass your feedback back to the Project Team in the CNCF. One way of testing your work with osv-scanner is to add the same project to the team I created on FOSSA and manualy run the scan there to compare the results that osv-scanner produces. |
This was discussed in the community meeting. For the time being, we can proceed with:
|
There is an additional issue: osv license scan can only be run together with vulnerability scan. Since we want to run vulnerability scan recursively(to be aligned with |
Description:
Envoy Gateway should adhere to CNCF guidelines for dependency licenses. As an Apache-2.0 project, EG may have licensing implications from using copyleft dependencies that are licensed under GPLv3.
Some projects enforce these guidelines using tools like go-licenses, e.g. cilium. Automated validation of of approved licenses should be a part of the PR approval flow.
Additionally, the CNCF guidelines for OSS attribution should be followed, by generating and maintaining the appropriate documentation.
The text was updated successfully, but these errors were encountered: