Skip to content

Commit

Permalink
Merge pull request #1 from rajuljha/chore/fossology_action
Browse files Browse the repository at this point in the history
chore(fossology action): Add fossology action

Reviewed-by: opensouce@avinal.space, mishra.gaurav@siemens.com
Tested-by: mishra.gaurav@siemens.com
  • Loading branch information
GMishx authored Aug 2, 2024
2 parents 6581019 + 068756e commit 22587a4
Show file tree
Hide file tree
Showing 6 changed files with 326 additions and 0 deletions.
22 changes: 22 additions & 0 deletions .github/workflows/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only
name: Test Fossology Action
on:
push:
branches:
- main
jobs:
test:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Run action
uses: ./
with:
scan_mode: "repo"
scanners: "nomos ojo copyright keyword"
report_format: "SPDX_JSON"
4 changes: 4 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,6 @@
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only

# MacOS
.DS_Store
159 changes: 159 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,159 @@
<!-- SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com>
SPDX-License-Identifier: GPL-2.0-only -->

<p align="center">
<a href="https://fossology.github.io">
<img src="static/logo.png" alt="Fossology logo" width="144">
</a>
<br>
<strong> FOSSology Scan Action </strong><br>
<br>

<a href=https://github.com/fossology/fossology/wiki/FOSSology-scanners-in-CI><img alt="Fossology-action" src="https://img.shields.io/badge/Fossology-action-red"></a>
<a href=https://join.slack.com/t/fossology/shared_invite/enQtNzI0OTEzMTk0MjYzLTYyZWQxNDc0N2JiZGU2YmI3YmI1NjE4NDVjOGYxMTVjNGY3Y2MzZmM1OGZmMWI5NTRjMzJlNjExZGU2N2I5NGY><img alt="Artifacts generation" src="https://img.shields.io/badge/slack-fossology-blue.svg?longCache=true&logo=slack"></a>
<a href=https://www.youtube.com/channel/UCZGPJnQZVnEPQWxOuNamLpw><img alt="GitHub last commit (branch)" src="https://img.shields.io/badge/youtube-FOSSology-red.svg?&logo=youtube&link=https://www.youtube.com/channel/UCZGPJnQZVnEPQWxOuNamLpw"></a>

</p>

# Fossology Action

## Overview

The **Fossology Scan** GitHub Action allows you to run license and copyright scans using the Fossology scanner within your GitHub Actions workflows. This action is highly customizable and supports various scanning modes and configurations to fit your compliance needs.

## Features

### Types of scanners
- Perform license and copyright scans
- [`Nomos`](https://github.com/fossology/fossology/tree/master/src/nomos): It is a very precise license scanner.
- [`Ojo`](https://github.com/fossology/fossology/tree/master/src/ojo): It is a precise license scanner that looks for `SPDX-License-Identifier text` statements.
- Copyright and Keyword Scanning
- [`Copyright`](https://github.com/fossology/fossology/tree/master/src/copyright): Scans for Copyrighted text like `Copyright 2024 @ Fossology-contributors`
- [`Keyword`](https://github.com/fossology/fossology/tree/master/src/copyright): Scans for potentially harmful keywords like `patented`, `copied__from` etc. (Customizable)

### Different Scanning Modes
- **Diff Scan (Default)**: This scans for only the diff content of the Pull Request on which it is triggered. This is a good option to run via a Pull Request trigger.
- **Repo Scan**: This scans the entire repo from which the pipeline is triggered. It is a good option to run on PR's or publishing releases.
- **Differential Scan**: This scans for the changes between any two tags. User can provide any tow tags to scan between. It is a good option to scan between any two tags or any two versions of the repo.

You can learn more about CI Scanners in fossology [here](https://github.com/fossology/fossology/wiki/FOSSology-scanners-in-CI)

## Inputs

### User customizable inputs:
```yaml
scan_mode:
description: "Specifies whether to perform diff scans, repo scans, or differential scans.
Leave blank for diff scans."
required: false
default: ""
scanners:
description: "Space-separated list of scanners to invoke."
required: true
default: "nomos ojo copyright keyword"
report_format:
description: "Report format (SPDX_JSON,SPDX_RDF,SPDX_YAML,SPDX_TAG_VALUE) to print the results in."
required: false
default: ""
keyword_conf_file_path:
description: "Path to custom keyword.conf file. (Use only with keyword scanner set to True)"
required: false
default: ""
allowlist_file_path:
description: "Path to allowlist.json file."
required: false
default: ""
from_tag:
description: "Starting tag to scan from. (Use only with differential mode)"
required: false
default: ""
to_tag:
description: "Ending tag to scan to. (Use only with differential mode)"
required: false
default: ""
```
### Inputs used internally by the action:
```yaml
github_api_url:
description: "Base URL of the GitHub API (default: ${{ github.api_url }})"
required: false
default: ${{ github.api_url }}
github_repository:
description: "Repository name (default: ${{ github.repository }})"
required: false
default: ${{ github.repository }}
github_token:
description: "GitHub Token (default: ${{ github.token }})"
required: false
default: ${{ github.token }}
github_pull_request:
description: "GitHub PR number (default: ${{ github.event.number }})"
required: false
default: ${{ github.event.number }}
github_repo_url:
description: "GitHub Repo URL (default: ${{ github.repositoryUrl }})"
required: false
default: ${{ github.repositoryUrl }}
github_repo_owner:
description: "GitHub Repo Owner (default: ${{ github.repository_owner }})"
required: false
default: ${{ github.repository_owner }}
```
## Example Workflow
Below is an example of how to use the **Fossology Scan** GitHub Action in your workflows.
### Pull request scans
```yaml
name: License scan on PR

on: [pull_request]

jobs:
compliance_check:
runs-on: ubuntu-latest
name: Perform license scan
steps:
- name: Checkout
uses: actions/checkout@v2

- name: License check
id: compliance
uses: fossology/fossology-action@v1
with:
scan_mode: ''
scanners: 'nomos ojo'
report_format: 'SPDX_JSON'

```

### Tag scans
```yaml
name: License scan on tags

on: [tags]

jobs:
compliance_check:
runs-on: ubuntu-latest
name: Perform license scan
steps:
- name: Checkout
uses: actions/checkout@v2
- name: License check
id: compliance
uses: fossology/fossology-action@v1
with:
scan_mode: 'differential'
scanners: 'nomos ojo copyright keyword'
from_tag: 'v003'
to_tag: 'v004'
report_format: 'SPDX_JSON'
```
## License
This project is licensed under the [GNU GENERAL PUBLIC LICENSE Version 2, June 1991](LICENSE).
98 changes: 98 additions & 0 deletions action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only

name: "FOSSology Scan"
description: "Run license and copyright scans"
author: "Rajul Jha"
branding:
icon: "search"
color: "orange"
inputs:
# Customizable input variables
scan_mode:
description: "Whether to do diff scans or repo scan. Leave blank for diff."
required: false
default: ""
scanners:
description: "Which scanners to invoke"
required: false
default: "nomos ojo copyright keyword"
report_format:
description: "Report format to generate reports in: SPDX_JSON, SPDX_YAML, SPDX_RDF, SPDX_TAG_VALUE"
required: false
default: ""
keyword_conf_file_path:
description: "Path to custom keyword.conf file"
required: false
default: ""
allowlist_file_path:
description: "Path to allowlist.json file"
required: false
default: ""
from_tag:
description: "Starting tag to scan from"
required: false
default: ""
to_tag:
description: "Ending tag to scan to"
required: false
default: ""
# Internal Variables. Not meant to be passed by the user. These are set up by the action itself.
github_api_url:
description: "Base URL of Github API"
required: false
default: ${{ github.api_url }}
github_repository:
description: "Repository name"
required: false
default: ${{ github.repository }}
github_token:
description: "Github Token"
required: false
default: ${{ github.token }}
github_pull_request:
description: "Github PR"
required: false
default: ${{ github.event.number }}
github_repo_url:
description: "Github Repo URL"
required: false
default: ${{ github.repositoryUrl }}
github_repo_owner:
description: "Github Repo Owner"
required: false
default: ${{ github.repository_owner }}

runs:
using: "composite"
steps:

- name: Docker Setup QEMU
uses: docker/setup-qemu-action@v3.1.0

- name: Run Fossology scan in Docker
env:
GITHUB_API_URL: ${{ inputs.github_api_url }}
GITHUB_REPOSITORY: ${{ inputs.github_repository }}
GITHUB_TOKEN: ${{ inputs.github_token }}
GITHUB_PULL_REQUEST: ${{ inputs.github_pull_request }}
GITHUB_REPO_URL: ${{ inputs.github_repo_url }}
GITHUB_REPO_OWNER: ${{ inputs.github_repo_owner }}
GITHUB_WORKSPACE: ${{ inputs.github_workspace }}
SCAN_MODE: ${{ inputs.scan_mode }}
SCANNERS: ${{ inputs.scanners }}
REPORT_FORMAT: ${{ inputs.report_format }}
KEYWORD_CONF_FILE_PATH: ${{ inputs.keyword_conf_file_path }}
ALLOWLIST_FILE_PATH: ${{ inputs.allowlist_file_path }}
FROM_TAG: ${{ inputs.from_tag }}
TO_TAG: ${{ inputs.to_tag }}
run: $GITHUB_ACTION_PATH/script.sh
shell: bash

- name: Upload Scan Results Artifact
if: success() || failure()
uses: actions/upload-artifact@v3
with:
name: Fossology scan results
path: results/
43 changes: 43 additions & 0 deletions script.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
#!/bin/bash -e

# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only

# Prepare docker run command with arguments
docker_cmd="docker run --rm --name fossologyscanner -w /opt/repo -v ${PWD}:/opt/repo \
-e GITHUB_TOKEN=${GITHUB_TOKEN} \
-e GITHUB_PULL_REQUEST=${GITHUB_PULL_REQUEST} \
-e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} \
-e GITHUB_API=${GITHUB_API_URL} \
-e GITHUB_REPO_URL=${GITHUB_REPO_URL} \
-e GITHUB_REPO_OWNER=${GITHUB_REPO_OWNER} \
-e GITHUB_ACTIONS"

if [ "${KEYWORD_CONF_FILE_PATH}" != "" ]; then
docker_cmd+=" -v ${GITHUB_WORKSPACE}/${KEYWORD_CONF_FILE_PATH}:/bin/${KEYWORD_CONF_FILE_PATH}"
fi
if [ "${ALLOWLIST_FILE_PATH}" != "" ]; then
docker_cmd+=" -v ${GITHUB_WORKSPACE}/${ALLOWLIST_FILE_PATH}:/bin/${ALLOWLIST_FILE_PATH}"
fi
docker_cmd+=" fossology/fossology:scanner /bin/fossologyscanner"
docker_cmd+=" ${SCANNERS}"
docker_cmd+=" ${SCAN_MODE}"

# Add additional conditions
if [ "${SCAN_MODE}" == "differential" ]; then
docker_cmd+=" --tags ${FROM_TAG} ${TO_TAG}"
fi
if [ "${KEYWORD_CONF_FILE_PATH}" != "" ]; then
docker_cmd+=" --keyword-conf ${KEYWORD_CONF_FILE_PATH}"
fi
if [ "${ALLOWLIST_FILE_PATH}" != "" ]; then
docker_cmd+=" --allowlist-path ${ALLOWLIST_FILE_PATH}"
fi
if [ "${REPORT_FORMAT}" != "" ]; then
docker_cmd+=" --report ${REPORT_FORMAT}"
fi

# Run the command
echo $docker_cmd
eval $docker_cmd
Binary file added static/logo.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 22587a4

Please sign in to comment.