Skip to content

ci: add license lint wf for cncf approved licenses #2461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sozercan merged 12 commits into from
Jan 20, 2023
Merged

ci: add license lint wf for cncf approved licenses #2461

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
6e529a9
make yml file for current g8r licenses
acpana Dec 15, 2022
dbfbc1d
add gh wf for license-lint
acpana Dec 15, 2022
31425d7
cncf aligned config for lgk
acpana Dec 20, 2022
4e73471
cherry pick script at 124fd62ad25
acpana Jan 4, 2023
c510205
replace some k8s references, fix path
acpana Jan 6, 2023
6236261
swap out license linter
acpana Jan 5, 2023
3e5fc32
delete license-lint config
acpana Jan 5, 2023
d2fb3cd
designer commits: specify CF url, add exception, include tests
acpana Jan 6, 2023
46e88a8
add wf paths
acpana Jan 6, 2023
ac84f2c
add readme
acpana Jan 18, 2023
16f7cb5
remove dependencies
acpana Jan 19, 2023
a14778e
Merge branch 'master' into acpana/license-lint
acpana Jan 19, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions .github/workflows/license-lint.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: license-lint
on:
push:
paths:
- "go.mod"
- "go.sum"
- "vendor/**"
pull_request:
paths:
- "go.mod"
- "go.sum"
- "vendor/**"

jobs:
license-lint:
name: "license-lint"
runs-on: ubuntu-22.04
Comment thread
acpana marked this conversation as resolved.
timeout-minutes: 5
permissions:
contents: read
steps:
- name: Set up Go 1.19
uses: actions/setup-go@v3
with:
go-version: 1.19

- name: Check out code into the Go module directory
uses: actions/checkout@v2

- name: license-lint
run: |
export GOPATH="$HOME/go"
PATH="$GOPATH/bin:$PATH"
Comment thread
acpana marked this conversation as resolved.
./third_party/k8s.io/kubernetes/hack/verify-licenses.sh
7 changes: 7 additions & 0 deletions third_party/k8s.io/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# k8s.io/kubernetes

Forked from k8s.io/kubernetes@124fd62ad253f8362d78d5710d8d363aa1b376df

This is a light fork to use scripts from kubernetes/kubernetes for gatekeeper's use cases.

The original code can be found at https://github.com/kubernetes/kubernetes/tree/124fd62ad253f8362d78d5710d8d363aa1b376df .
161 changes: 161 additions & 0 deletions third_party/k8s.io/kubernetes/hack/verify-licenses.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
#!/usr/bin/env bash
Comment thread
acpana marked this conversation as resolved.

# Copyright 2016 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Usage: `hack/verify-licenses.sh`.


set -o errexit
set -o nounset
set -o pipefail

KUBE_TEMP=$(mktemp -d 2>/dev/null || mktemp -d -t kubernetes.XXXXXX)


# Creating a new repository tree
# Deleting vendor directory to make go-licenses fetch license URLs from go-packages source repository
git worktree add -f "${KUBE_TEMP}"/tmp_test_licenses/gatekeeper HEAD >/dev/null 2>&1 || true
cd "${KUBE_TEMP}"/tmp_test_licenses/gatekeeper && rm -rf vendor


# Explicitly opt into go modules, even though we're inside a GOPATH directory
export GO111MODULE=on


allowed_licenses=()
packages_flagged=()
packages_url_missing=()
exit_code=0

# Install go-licenses
echo '[INFO] Installing go-licenses...'
go install github.com/google/go-licenses@latest

# Fetching CNCF Approved List Of Licenses
# Refer: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
curl -s 'https://spdx.org/licenses/licenses.json' -o "${KUBE_TEMP}"/licenses.json

number_of_licenses=$(jq '.licenses | length' "${KUBE_TEMP}"/licenses.json)
loop_index_length=$(( number_of_licenses - 1 ))


echo '[INFO] Fetching current list of CNCF approved licenses...'
for index in $(seq 0 $loop_index_length);
do
licenseID=$(jq ".licenses[$index] .licenseId" "${KUBE_TEMP}"/licenses.json)
if [[ $(jq ".licenses[$index] .isDeprecatedLicenseId" "${KUBE_TEMP}"/licenses.json) == false ]]
then
allowed_licenses+=("${licenseID}")
fi
done


# Scanning go-packages under the project & verifying against the CNCF approved list of licenses
echo '[INFO] Starting license scan on go-packages...'
go-licenses report ./... --include_tests >> "${KUBE_TEMP}"/licenses.csv

echo -e 'PACKAGE_NAME LICENSE_NAME LICENSE_URL\n' >> "${KUBE_TEMP}"/approved_licenses.dump
while IFS=, read -r GO_PACKAGE LICENSE_URL LICENSE_NAME
do
FORMATTED_LICENSE_URL=
if [[ " ${allowed_licenses[*]} " == *"${LICENSE_NAME}"* ]];
then
if [[ "${LICENSE_URL}" == 'Unknown' ]];
then
if [[ "${GO_PACKAGE}" != k8s.io/* ]];
then
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump
packages_url_missing+=("${GO_PACKAGE}")
else
LICENSE_URL='https://github.com/kubernetes/kubernetes/blob/master/LICENSE'
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
fi
elif curl -Is "${LICENSE_URL}" | head -1 | grep -q 404;
then
# For gatekeeper, the script won't find the constraint frameworks's license atm.
if [[ "${GO_PACKAGE}" == github.com/open-policy-agent/frameworks/* ]];
then
LICENSE_URL='https://github.com/open-policy-agent/frameworks/blob/master/LICENSE'
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
continue
fi

# Check whether the License URL is incorrectly formed
# TODO: Remove this workaround check once PR https://github.com/google/go-licenses/pull/110 is merged
IFS='/' read -r -a split_license_url <<< ${LICENSE_URL}
for part_of_url in "${split_license_url[@]}"
do
if [[ ${part_of_url} == '' ]]
then
continue
elif [[ ${part_of_url} == 'https:' ]]
then
FORMATTED_LICENSE_URL+='https://'
else
if [[ ${part_of_url} =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]
then
FORMATTED_LICENSE_URL+="${part_of_url}/${split_license_url[-1]}"
break
else
FORMATTED_LICENSE_URL+="${part_of_url}/"
fi
fi
done
if curl -Is "${FORMATTED_LICENSE_URL}" | head -1 | grep -q 404;
then
packages_url_missing+=("${GO_PACKAGE}")
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump
else
echo "${GO_PACKAGE} ${LICENSE_NAME} ${FORMATTED_LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
fi
else
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
fi
else
# Not all packages at this point should go to the not approved dump.
# there are a few exceptions approved by CNCF as per: https://github.com/cncf/foundation/tree/main/license-exceptions
# Currently gatekeeper uses just one of those so we are not going to do a general solution.

if [[ "${GO_PACKAGE}" == "github.com/rcrowley/go-metrics" ]] && [[ "${LICENSE_NAME}" == "BSD-2-Clause-FreeBSD" ]];
then
# as per https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2019-11-01.json#L723-L726
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
else
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/notapproved_licenses.dump
packages_flagged+=("${GO_PACKAGE}")
fi
fi
done < "${KUBE_TEMP}"/licenses.csv
awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/approved_licenses.dump


if [[ ${#packages_url_missing[@]} -gt 0 ]]; then
echo -e '\n[ERROR] The following go-packages in the project have unknown or unreachable license URL:'
awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump
exit_code=1
fi


if [[ ${#packages_flagged[@]} -gt 0 ]]; then
echo "[ERROR] The following go-packages in the project are using non-CNCF approved licenses. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md"
awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/notapproved_licenses.dump
exit_code=1
elif [[ "${exit_code}" -eq 1 ]]; then
echo "[ERROR] Project is using go-packages with unknown or unreachable license URLs. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md"
else
echo "[SUCCESS] Scan complete! All go-packages under the project are using current CNCF approved licenses!"
fi

exit "${exit_code}"