-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from rajuljha/chore/fossology_action
chore(fossology action): Add fossology action Reviewed-by: opensouce@avinal.space, mishra.gaurav@siemens.com Tested-by: mishra.gaurav@siemens.com
- Loading branch information
Showing
6 changed files
with
326 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com> | ||
# | ||
# SPDX-License-Identifier: GPL-2.0-only | ||
name: Test Fossology Action | ||
on: | ||
push: | ||
branches: | ||
- main | ||
jobs: | ||
test: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v2 | ||
|
||
- name: Run action | ||
uses: ./ | ||
with: | ||
scan_mode: "repo" | ||
scanners: "nomos ojo copyright keyword" | ||
report_format: "SPDX_JSON" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,6 @@ | ||
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com> | ||
# | ||
# SPDX-License-Identifier: GPL-2.0-only | ||
|
||
# MacOS | ||
.DS_Store |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,159 @@ | ||
<!-- SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com> | ||
SPDX-License-Identifier: GPL-2.0-only --> | ||
|
||
<p align="center"> | ||
<a href="https://fossology.github.io"> | ||
<img src="static/logo.png" alt="Fossology logo" width="144"> | ||
</a> | ||
<br> | ||
<strong> FOSSology Scan Action </strong><br> | ||
<br> | ||
|
||
<a href=https://github.com/fossology/fossology/wiki/FOSSology-scanners-in-CI><img alt="Fossology-action" src="https://img.shields.io/badge/Fossology-action-red"></a> | ||
<a href=https://join.slack.com/t/fossology/shared_invite/enQtNzI0OTEzMTk0MjYzLTYyZWQxNDc0N2JiZGU2YmI3YmI1NjE4NDVjOGYxMTVjNGY3Y2MzZmM1OGZmMWI5NTRjMzJlNjExZGU2N2I5NGY><img alt="Artifacts generation" src="https://img.shields.io/badge/slack-fossology-blue.svg?longCache=true&logo=slack"></a> | ||
<a href=https://www.youtube.com/channel/UCZGPJnQZVnEPQWxOuNamLpw><img alt="GitHub last commit (branch)" src="https://img.shields.io/badge/youtube-FOSSology-red.svg?&logo=youtube&link=https://www.youtube.com/channel/UCZGPJnQZVnEPQWxOuNamLpw"></a> | ||
|
||
</p> | ||
|
||
# Fossology Action | ||
|
||
## Overview | ||
|
||
The **Fossology Scan** GitHub Action allows you to run license and copyright scans using the Fossology scanner within your GitHub Actions workflows. This action is highly customizable and supports various scanning modes and configurations to fit your compliance needs. | ||
|
||
## Features | ||
|
||
### Types of scanners | ||
- Perform license and copyright scans | ||
- [`Nomos`](https://github.com/fossology/fossology/tree/master/src/nomos): It is a very precise license scanner. | ||
- [`Ojo`](https://github.com/fossology/fossology/tree/master/src/ojo): It is a precise license scanner that looks for `SPDX-License-Identifier text` statements. | ||
- Copyright and Keyword Scanning | ||
- [`Copyright`](https://github.com/fossology/fossology/tree/master/src/copyright): Scans for Copyrighted text like `Copyright 2024 @ Fossology-contributors` | ||
- [`Keyword`](https://github.com/fossology/fossology/tree/master/src/copyright): Scans for potentially harmful keywords like `patented`, `copied__from` etc. (Customizable) | ||
|
||
### Different Scanning Modes | ||
- **Diff Scan (Default)**: This scans for only the diff content of the Pull Request on which it is triggered. This is a good option to run via a Pull Request trigger. | ||
- **Repo Scan**: This scans the entire repo from which the pipeline is triggered. It is a good option to run on PR's or publishing releases. | ||
- **Differential Scan**: This scans for the changes between any two tags. User can provide any tow tags to scan between. It is a good option to scan between any two tags or any two versions of the repo. | ||
|
||
You can learn more about CI Scanners in fossology [here](https://github.com/fossology/fossology/wiki/FOSSology-scanners-in-CI) | ||
|
||
## Inputs | ||
|
||
### User customizable inputs: | ||
```yaml | ||
scan_mode: | ||
description: "Specifies whether to perform diff scans, repo scans, or differential scans. | ||
Leave blank for diff scans." | ||
required: false | ||
default: "" | ||
scanners: | ||
description: "Space-separated list of scanners to invoke." | ||
required: true | ||
default: "nomos ojo copyright keyword" | ||
report_format: | ||
description: "Report format (SPDX_JSON,SPDX_RDF,SPDX_YAML,SPDX_TAG_VALUE) to print the results in." | ||
required: false | ||
default: "" | ||
keyword_conf_file_path: | ||
description: "Path to custom keyword.conf file. (Use only with keyword scanner set to True)" | ||
required: false | ||
default: "" | ||
allowlist_file_path: | ||
description: "Path to allowlist.json file." | ||
required: false | ||
default: "" | ||
from_tag: | ||
description: "Starting tag to scan from. (Use only with differential mode)" | ||
required: false | ||
default: "" | ||
to_tag: | ||
description: "Ending tag to scan to. (Use only with differential mode)" | ||
required: false | ||
default: "" | ||
``` | ||
### Inputs used internally by the action: | ||
```yaml | ||
github_api_url: | ||
description: "Base URL of the GitHub API (default: ${{ github.api_url }})" | ||
required: false | ||
default: ${{ github.api_url }} | ||
github_repository: | ||
description: "Repository name (default: ${{ github.repository }})" | ||
required: false | ||
default: ${{ github.repository }} | ||
github_token: | ||
description: "GitHub Token (default: ${{ github.token }})" | ||
required: false | ||
default: ${{ github.token }} | ||
github_pull_request: | ||
description: "GitHub PR number (default: ${{ github.event.number }})" | ||
required: false | ||
default: ${{ github.event.number }} | ||
github_repo_url: | ||
description: "GitHub Repo URL (default: ${{ github.repositoryUrl }})" | ||
required: false | ||
default: ${{ github.repositoryUrl }} | ||
github_repo_owner: | ||
description: "GitHub Repo Owner (default: ${{ github.repository_owner }})" | ||
required: false | ||
default: ${{ github.repository_owner }} | ||
``` | ||
## Example Workflow | ||
Below is an example of how to use the **Fossology Scan** GitHub Action in your workflows. | ||
### Pull request scans | ||
```yaml | ||
name: License scan on PR | ||
|
||
on: [pull_request] | ||
|
||
jobs: | ||
compliance_check: | ||
runs-on: ubuntu-latest | ||
name: Perform license scan | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
|
||
- name: License check | ||
id: compliance | ||
uses: fossology/fossology-action@v1 | ||
with: | ||
scan_mode: '' | ||
scanners: 'nomos ojo' | ||
report_format: 'SPDX_JSON' | ||
|
||
``` | ||
|
||
### Tag scans | ||
```yaml | ||
name: License scan on tags | ||
|
||
on: [tags] | ||
|
||
jobs: | ||
compliance_check: | ||
runs-on: ubuntu-latest | ||
name: Perform license scan | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
- name: License check | ||
id: compliance | ||
uses: fossology/fossology-action@v1 | ||
with: | ||
scan_mode: 'differential' | ||
scanners: 'nomos ojo copyright keyword' | ||
from_tag: 'v003' | ||
to_tag: 'v004' | ||
report_format: 'SPDX_JSON' | ||
``` | ||
## License | ||
This project is licensed under the [GNU GENERAL PUBLIC LICENSE Version 2, June 1991](LICENSE). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com> | ||
# | ||
# SPDX-License-Identifier: GPL-2.0-only | ||
|
||
name: "FOSSology Scan" | ||
description: "Run license and copyright scans" | ||
author: "Rajul Jha" | ||
branding: | ||
icon: "search" | ||
color: "orange" | ||
inputs: | ||
# Customizable input variables | ||
scan_mode: | ||
description: "Whether to do diff scans or repo scan. Leave blank for diff." | ||
required: false | ||
default: "" | ||
scanners: | ||
description: "Which scanners to invoke" | ||
required: false | ||
default: "nomos ojo copyright keyword" | ||
report_format: | ||
description: "Report format to generate reports in: SPDX_JSON, SPDX_YAML, SPDX_RDF, SPDX_TAG_VALUE" | ||
required: false | ||
default: "" | ||
keyword_conf_file_path: | ||
description: "Path to custom keyword.conf file" | ||
required: false | ||
default: "" | ||
allowlist_file_path: | ||
description: "Path to allowlist.json file" | ||
required: false | ||
default: "" | ||
from_tag: | ||
description: "Starting tag to scan from" | ||
required: false | ||
default: "" | ||
to_tag: | ||
description: "Ending tag to scan to" | ||
required: false | ||
default: "" | ||
# Internal Variables. Not meant to be passed by the user. These are set up by the action itself. | ||
github_api_url: | ||
description: "Base URL of Github API" | ||
required: false | ||
default: ${{ github.api_url }} | ||
github_repository: | ||
description: "Repository name" | ||
required: false | ||
default: ${{ github.repository }} | ||
github_token: | ||
description: "Github Token" | ||
required: false | ||
default: ${{ github.token }} | ||
github_pull_request: | ||
description: "Github PR" | ||
required: false | ||
default: ${{ github.event.number }} | ||
github_repo_url: | ||
description: "Github Repo URL" | ||
required: false | ||
default: ${{ github.repositoryUrl }} | ||
github_repo_owner: | ||
description: "Github Repo Owner" | ||
required: false | ||
default: ${{ github.repository_owner }} | ||
|
||
runs: | ||
using: "composite" | ||
steps: | ||
|
||
- name: Docker Setup QEMU | ||
uses: docker/setup-qemu-action@v3.1.0 | ||
|
||
- name: Run Fossology scan in Docker | ||
env: | ||
GITHUB_API_URL: ${{ inputs.github_api_url }} | ||
GITHUB_REPOSITORY: ${{ inputs.github_repository }} | ||
GITHUB_TOKEN: ${{ inputs.github_token }} | ||
GITHUB_PULL_REQUEST: ${{ inputs.github_pull_request }} | ||
GITHUB_REPO_URL: ${{ inputs.github_repo_url }} | ||
GITHUB_REPO_OWNER: ${{ inputs.github_repo_owner }} | ||
GITHUB_WORKSPACE: ${{ inputs.github_workspace }} | ||
SCAN_MODE: ${{ inputs.scan_mode }} | ||
SCANNERS: ${{ inputs.scanners }} | ||
REPORT_FORMAT: ${{ inputs.report_format }} | ||
KEYWORD_CONF_FILE_PATH: ${{ inputs.keyword_conf_file_path }} | ||
ALLOWLIST_FILE_PATH: ${{ inputs.allowlist_file_path }} | ||
FROM_TAG: ${{ inputs.from_tag }} | ||
TO_TAG: ${{ inputs.to_tag }} | ||
run: $GITHUB_ACTION_PATH/script.sh | ||
shell: bash | ||
|
||
- name: Upload Scan Results Artifact | ||
if: success() || failure() | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: Fossology scan results | ||
path: results/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
#!/bin/bash -e | ||
|
||
# SPDX-FileCopyrightText: 2024 Rajul Jha <rajuljha49@gmail.com> | ||
# | ||
# SPDX-License-Identifier: GPL-2.0-only | ||
|
||
# Prepare docker run command with arguments | ||
docker_cmd="docker run --rm --name fossologyscanner -w /opt/repo -v ${PWD}:/opt/repo \ | ||
-e GITHUB_TOKEN=${GITHUB_TOKEN} \ | ||
-e GITHUB_PULL_REQUEST=${GITHUB_PULL_REQUEST} \ | ||
-e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} \ | ||
-e GITHUB_API=${GITHUB_API_URL} \ | ||
-e GITHUB_REPO_URL=${GITHUB_REPO_URL} \ | ||
-e GITHUB_REPO_OWNER=${GITHUB_REPO_OWNER} \ | ||
-e GITHUB_ACTIONS" | ||
|
||
if [ "${KEYWORD_CONF_FILE_PATH}" != "" ]; then | ||
docker_cmd+=" -v ${GITHUB_WORKSPACE}/${KEYWORD_CONF_FILE_PATH}:/bin/${KEYWORD_CONF_FILE_PATH}" | ||
fi | ||
if [ "${ALLOWLIST_FILE_PATH}" != "" ]; then | ||
docker_cmd+=" -v ${GITHUB_WORKSPACE}/${ALLOWLIST_FILE_PATH}:/bin/${ALLOWLIST_FILE_PATH}" | ||
fi | ||
docker_cmd+=" fossology/fossology:scanner /bin/fossologyscanner" | ||
docker_cmd+=" ${SCANNERS}" | ||
docker_cmd+=" ${SCAN_MODE}" | ||
|
||
# Add additional conditions | ||
if [ "${SCAN_MODE}" == "differential" ]; then | ||
docker_cmd+=" --tags ${FROM_TAG} ${TO_TAG}" | ||
fi | ||
if [ "${KEYWORD_CONF_FILE_PATH}" != "" ]; then | ||
docker_cmd+=" --keyword-conf ${KEYWORD_CONF_FILE_PATH}" | ||
fi | ||
if [ "${ALLOWLIST_FILE_PATH}" != "" ]; then | ||
docker_cmd+=" --allowlist-path ${ALLOWLIST_FILE_PATH}" | ||
fi | ||
if [ "${REPORT_FORMAT}" != "" ]; then | ||
docker_cmd+=" --report ${REPORT_FORMAT}" | ||
fi | ||
|
||
# Run the command | ||
echo $docker_cmd | ||
eval $docker_cmd |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.