From eb5042f83e01c4f2a60c1ad27382705c67dfaeb3 Mon Sep 17 00:00:00 2001 
From: Jeff DiNoto Date: Tue, 15 Jun 2021 19:05:29 -0400 Subject: [PATCH] Fossa Integration (#112) * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * File will be autogenerated each run. * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * K8 ssand 488 fossa integration (#1) * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * File will be autogenerated each run. * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * Remove testing on-push * K8 ssand 488 fossa integration (#2) * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * File will be autogenerated each run. * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. 
* Revert test changes to other workflows * Remove testing on-push * Fossa Integration * Add fossa configuration file generated with `fossa init` * Add GH action to trigger tooling on pushes to master and on releases * Add temporary hook for pull_requests for testing * Split out and update workflows. * Fix typo * Restructure yaml * Fix typo * Testing * Disable other workflows for testing * Restructure * Debugging * More debug * Remove debug code * Debug release workflow * Switch to outputs from env variables * TEsting * More debug * Last test, getting close. * Final changes. * Revert test changes to other workflows * Re-enable scanning on PRs * Remove the release check workflow * Switch to only on push to better fit the model Fossa exposes. * Update readme to include link to public scanning report. * Update changelog * Include the fossa configuration file in source control instead of generation. * limit checks to changes in code paths * Modify so that workflow is triggered on all pushes to master - this keeps the commits in sync between GH and Fossa's reports. --- .fossa.yml | 14 ++++++++++++++ .github/workflows/license-check.yml | 17 +++++++++++++++++ CHANGELOG.md | 3 +++ README.md | 4 ++++ 4 files changed, 38 insertions(+) create mode 100755 .fossa.yml create mode 100644 .github/workflows/license-check.yml diff --git a/.fossa.yml b/.fossa.yml new file mode 100755 index 00000000..127a6671 --- /dev/null +++ b/.fossa.yml @@ -0,0 +1,14 @@ +# Generated by FOSSA CLI (https://github.com/fossas/fossa-cli) +# Visit https://fossa.com to learn more + +version: 2 +cli: + server: https://app.fossa.com + fetcher: custom + project: cass-operator +analyze: + modules: + - name: github.com/k8ssandra/cass-operator/operator/cmd/manager + type: go + target: github.com/k8ssandra/cass-operator/operator/cmd/manager + path: operator/cmd/manager diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml new file mode 100644 index 00000000..270c582b --- /dev/null 
+++ b/.github/workflows/license-check.yml @@ -0,0 +1,17 @@ +name: Dependency and License Scan +on: + push: + branches: + - master +jobs: + scan-repo: + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v2 + - name: Install Fossa CLI + run: | + curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash + - name: Scan for dependencies and licenses + run: | + FOSSA_API_KEY=${{ secrets.FOSSA_PUSH_ONLY_API_KEY }} fossa analyze diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e370b1f..e494a841 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,9 @@ Changelog for Cass Operator, new PRs should update the `main / unreleased` secti * [BUGFIX] ``` +## Unreleased +* [CHANGE] #108 Integrate Fossa component/license scanning + ## v1.7.1 * [BUGFIX] #103 Fix upgrade of StatefulSet, do not change service name diff --git a/README.md b/README.md index 154664b9..045b76aa 100644 --- a/README.md +++ b/README.md @@ -362,3 +362,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + +## Dependencies + +For information on the packaged dependencies of Cass Operator and their licenses, check out our [open source report](https://app.fossa.com/reports/ed8a8cc0-4bb4-405b-b07c-5316f9b524f5).
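Review bot: in the `.fossa.yml` hunk the file is created with mode 100755 (`create mode 100755 .fossa.yml` in the diffstat), but it is a plain YAML configuration, not a script, so it should be committed as 100644 like the workflow file next to it. The header still reads `# Generated by FOSSA CLI`, while the commit message says the file is now kept in source control instead of being regenerated each run; a one-line comment stating that it is hand-maintained (and that `project: cass-operator` with `fetcher: custom` is the intended locator) would keep a later `fossa init` from silently overwriting it.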
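Review bot: in the `license-check.yml` hunk, the install step runs `curl ... https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash`, which executes whatever is on that branch at run time, unpinned and unverified, inside a job that also has the repository checkout and `FOSSA_PUSH_ONLY_API_KEY` in scope. Suggest fetching a tagged release of the CLI and checking its published checksum before executing it, and pinning `actions/checkout@v2` to a full commit SHA rather than the mutable tag. The secret is also interpolated directly into the shell line (`FOSSA_API_KEY=${{ secrets.FOSSA_PUSH_ONLY_API_KEY }} fossa analyze`); passing it through an `env:` block on the step is the conventional form and keeps the expression out of the command text. Scoping the key to push-only, as the secret name indicates, is the right call.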
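Review bot: in the `CHANGELOG.md` hunk the new entry cites `#108 Integrate Fossa component/license scanning`, while the patch subject is `Fossa Integration (#112)`; confirm which number is intended (issue versus pull request) so the changelog reference resolves to the right item.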