Fossa Integration (#112)

* Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * File will be autogenerated each run. * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * K8 ssand 488 fossa integration (#1) * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * File will be autogenerated each run. * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * Remove testing on-push * K8 ssand 488 fossa integration (#2) * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * File will be autogenerated each run. * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * Remove testing on-push * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * Re-enable scanning on PRs * Remove the release check workflow * Switch to only on push to better fit the model Fossa exposes. * Update readme to include link to public scanning report. * Update changelog * Include the fossa configuration file in source control instead of generation. * limit checks to changes in code paths * Modify so that workflow is triggered on all pushes to master - this keeps the commits in sync between GH and Fossa's reports.
k8ssandra · Jun 15, 2021 · eb5042f · eb5042f
1 parent ece4469
commit eb5042f
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/.fossa.yml b/.fossa.yml
@@ -0,0 +1,14 @@
+# Generated by FOSSA CLI (https://github.com/fossas/fossa-cli)
+# Visit https://fossa.com to learn more
+
+version: 2
+cli:
+  server: https://app.fossa.com
+  fetcher: custom
+  project: cass-operator
+analyze:
+  modules:
+  - name: github.com/k8ssandra/cass-operator/operator/cmd/manager
+    type: go
+    target: github.com/k8ssandra/cass-operator/operator/cmd/manager
+    path: operator/cmd/manager
diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml
@@ -0,0 +1,17 @@
+name: Dependency and License Scan
+on:
+  push:
+    branches:
+      - master
+jobs:
+  scan-repo:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Install Fossa CLI
+        run: |
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
+      - name: Scan for dependencies and licenses
+        run: |
+          FOSSA_API_KEY=${{ secrets.FOSSA_PUSH_ONLY_API_KEY }} fossa analyze
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,9 @@ Changelog for Cass Operator, new PRs should update the `main / unreleased` secti
 * [BUGFIX]
 ```
 
+## Unreleased
+* [CHANGE] #108 Integrate Fossa component/license scanning
+
 ## v1.7.1
 * [BUGFIX] #103 Fix upgrade of StatefulSet, do not change service name
 

diff --git a/README.md b/README.md
@@ -362,3 +362,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+## Dependencies
+
+For information on the packaged dependencies of Cass Operator and their licenses, check out our [open source report](https://app.fossa.com/reports/ed8a8cc0-4bb4-405b-b07c-5316f9b524f5).