Solve license compliance (again) #92

Closed
9 tasks done
Tracked by #64
chadwhitacre opened this issue Jan 25, 2023 · 16 comments
@chadwhitacre
Member

chadwhitacre commented Jan 25, 2023

Last year we deployed FOSSA to help us manage open source license compliance. However, persistent stability issues forced us to turn FOSSA off in August. We need to solve license compliance again, either by turning FOSSA back on (we've been in conversation with them about product improvements to address our concerns) or through some other means.

To Do

Punchlist


@chadwhitacre chadwhitacre mentioned this issue Jan 25, 2023
@chadwhitacre chadwhitacre self-assigned this Feb 3, 2023
@chadwhitacre
Member Author

We had a call with FOSSA yesterday. Most of the eng work on their side is done; there's one more small feature we're waiting for (est. next week or two).

@chadwhitacre
Member Author

FOSSA has shipped everything we were waiting for!

@hubertdeng123
Member

Ah probably this one, it looks like the latest release has the changes we want:
fossas/fossa-cli#1165

@hubertdeng123
Member

hubertdeng123 commented Mar 27, 2023

Notes after investigating FOSSA and the past incidents

  1. How will we know if the FOSSA API is down? Is there an endpoint to query accurately to determine if FOSSA scanning is down?
  2. It seems like fossa-action is using fossa-cli to perform fossa analyze and fossa test. Will it properly detect when there is an issue with FOSSA? How will that be surfaced in GitHub?
  3. If our GitHub action uses fossa-cli analyze and fossa-cli test instead, will that return appropriate erroring for Sentry to ignore the CI run? Seeing this change here but unsure if that applies to just the error message or the error code.

@hubertdeng123
Member

hubertdeng123 commented Mar 29, 2023

From FOSSA:

I reached out to our engineering team to give you all the info you need. This is our health endpoint that you can use:
https://app.fossa.com/health

The FOSSA action (which uses the CLI) will detect/fail on issues, such as not providing a token, providing the right access token (push-only tokens generated by users with the editor/admin role), no available targets to scan, etc. Those are pretty much application level issues that will exit on 1.
FOSSA will exit on non-zero codes for network-related events as well, whether

  • FOSSA is down (maintenance upgrades or w/e reasons)
  • GH action runners went down for some reason
    • Network between GH and FOSSA is somehow slow/blocking

If our health check passes, there's no guarantee that the FOSSA scan will then work (after you check) since they're independent events.
We recommend that if you don’t want to gate CI on FOSSA, either

  • Add continue-on-error: true to the FOSSA action step, or
  • If you run FOSSA manually (using the CLI), you can do fossa analyze || true in a step
    I'm not sure if you run fossa test afterwards, but if you do I'd place some Actions logic to say if the analysis step failed then bypass the fossa test step.

As such, it seems reasonable to add the continue-on-error to the FOSSA action step. I've verified that the FOSSA scan will not error out if there is a license compliance issue; the FOSSA test step will. FOSSA scan shouldn't fail for any important reason for us, and we should ignore the failure and skip the scan if it does.
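The gating described in the FOSSA reply above, written out as a GitHub Actions job. This is an added example, not Sentry's workflow or FOSSA's own code: the analyze step carries `continue-on-error: true` and an `id`, and the `fossa test` step only runs when that step's recorded `outcome` is `success`, so a FOSSA outage or network failure during analysis neither fails CI nor produces a misleading test result. It assumes the `fossa` CLI is already installed on the runner (installation is left to whatever setup the repository already uses) and that the push-only API token is stored in a repository secret named `FOSSA_API_KEY` (the name is an assumption; the CLI reads that environment variable).

```yaml
# Added example: gate `fossa test` on the outcome of `fossa analyze`
# so that FOSSA availability problems do not block or fail CI.
name: license-compliance

on:
  push:
    branches: [master]
  pull_request:

jobs:
  fossa:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Assumption: the fossa CLI is installed here by the repo's existing
      # setup step; the install mechanism is intentionally not shown.

      - name: Upload dependency graph to FOSSA
        id: analyze
        # Per FOSSA: analyze exits non-zero for app-level problems (bad/missing
        # token, no targets) and for network-level ones (FOSSA down, runner
        # network issues). None of those are license findings, so do not fail CI.
        continue-on-error: true
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}  # assumed secret name
        run: fossa analyze

      - name: Check license policy
        # Only the test step reports actual license compliance issues, and it
        # only makes sense if the analysis it depends on actually uploaded.
        # `outcome` is the step's result before continue-on-error is applied.
        if: steps.analyze.outcome == 'success'
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
        run: fossa test

      - name: Note skipped compliance check
        # Leave a visible trace in the job log when the policy check was skipped,
        # so an outage is not mistaken for a passing compliance result.
        if: steps.analyze.outcome != 'success'
        run: echo "::warning::fossa analyze did not succeed; license policy check skipped"
```

If the CLI is invoked from a plain `run:` step rather than the FOSSA action, `fossa analyze || true` (the second option FOSSA suggests) swallows the failure just as well, but it also hides it from `steps.<id>.outcome`; using `continue-on-error` with an `id` keeps the failure observable so the `fossa test` step can be skipped explicitly rather than running against a missing upload.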

@hubertdeng123
Member

hubertdeng123 commented Apr 3, 2023

Weekly Update 04/03

  • check in with legal on FOSSA license compliance
  • add Sentry to enforce license compliance action

@hubertdeng123
Member

hubertdeng123 commented Apr 10, 2023

Weekly Update 04/10

  • discuss whether or not we want to continue using FOSSA
  • check to see if it is possible to parse output of FOSSA action

@hubertdeng123
Member

hubertdeng123 commented Apr 24, 2023

Weekly Update 04/24

  • Enable FOSSA across pinned repos (sentry, getsentry, snuba)
  • shipped post

@hubertdeng123
Member

done! 🚢

@chadwhitacre
Member Author

Link the shipped! :)

@chadwhitacre
Member Author

https://vanguard.getsentry.net/p/clgy6bddv0000s60lkfcxlgha

@hubertdeng123
Member

FYI, I did link the shipped post above in the issue body and in the last weekly update for reference

@chadwhitacre
Member Author

Heeeeeeeey! 💃 🥔 @hubertdeng123
