
Adopt a license scanning tool #962

Closed
csantanapr opened this issue Mar 10, 2022 · 13 comments
@csantanapr
Member

csantanapr commented Mar 10, 2022

Adopt a license scanning tool, like FOSSA

Take into account this is a license-related scan.

This is something that needs to be done on all git repos across the two github orgs.

Related to [INCUBATING PROJECT ONBOARDING] Knative cncf/sandbox#218

@csantanapr csantanapr moved this to Todo in CNCF Onboarding Mar 10, 2022
@csantanapr
Member Author

Can someone from @knative/technical-oversight-committee help with this action item for CNCF onboarding? Maybe you can work in conjunction with the productivity working group on setting up this type of license scanning and alerting, or maybe blocking PRs.

Maybe we have some of this in place; I think the TOC would be best to look into this.

@csantanapr csantanapr changed the title Adopt a license scanning tool, like FOSSA or Snyk Adopt a license scanning tool Apr 7, 2022
@dprotaso
Member

dprotaso commented Apr 7, 2022

/assign @dprotaso

@csantanapr
Member Author

/assign @dprotaso

On today's TOC meeting @dprotaso said he will look into this.

@csantanapr
Member Author

We might have this covered with the current setup we have, or not; Dave is going to look into it.

@dprotaso
Member

Created a ticket to engage with CNCF legal

From: https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1216

Hey folks - as part of the Knative incubation onboarding I'm taking a look at the licenses and scanning requirements (cncf/sandbox#218)

Background

So right now Knative uses some Google OSS tooling to scan go code and collect licenses.
The tools are
https://github.com/google/licenseclassifier
https://github.com/google/go-licenses

We gather these licenses and ship them as part of our container images. What's notable is that for certain licenses we'll even include the original source (i.e. https://github.com/google/go-licenses/blob/5b654af5dcd3ef8090baaceae6009c20d75a87e8/save.go#L101-L111). I don't believe we have many of those.

This tooling seems to allow more licenses than the CNCF allow list, https://github.com/google/licenseclassifier/blob/main/license_type.go#L179 (probably because we're compliant by shipping the source as well).
Allow list for ref: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md#approved-licenses-for-allowlist

Moving Forward

I guess before adjusting our current process I'm curious what expectations the CNCF has w.r.t. compliance and disclosure, i.e. I don't believe I see other projects shipping disclosures in containers (e.g. k8s).

Also, in the meantime, if I could get access to the team FOSSA account I can test it out against our GitHub orgs.

thanks,
dave protasowski

@csantanapr
Member Author

@dprotaso Any progress on this front or any blockers?

@dprotaso
Member

Followed up on the issue; waiting to get access to FOSSA to check it out.

@csantanapr
Member Author

@dprotaso Any updates on this?

@csantanapr csantanapr moved this from Todo to In Progress in CNCF Onboarding Jun 16, 2022
@upodroid
Member

Productivity WG needs Snyk for knative/test-infra#3135

@dprotaso
Member

Following up on this: we have access to FOSSA, but I wanted to know from the CNCF what the licensing disclosure requirements are. If we're OK dropping licenses in when shipping containers and supplying SBOMs, is that enough?

https://cncfservicedesk.atlassian.net/servicedesk/customer/portal/1/CNCFSD-1652

@cardil
Contributor

cardil commented Sep 19, 2023

Knative is using the https://github.com/google/go-licenses tool, which does the scanning for invalid licenses already.

See: https://github.com/knative/hack/blob/38316f28f0bfabcf698e3217236dee1e12d92bc8/library.sh#L804
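
The two comments above describe the same pipeline from different angles: go-licenses emits a per-dependency license list, the project compares it against an allow list, and a small set of licenses is accepted only because the original source is shipped alongside the binary. The following Go program is an added example written for this page; it is not Knative's hack/library.sh check nor code from go-licenses. It reads the three-column CSV layout that `go-licenses csv` produces (import path, license URL, SPDX id) from a constructed sample, and applies an assumed policy: the allow list here is an illustrative subset of permissive licenses rather than the CNCF policy text, and the "needs-source" bucket is a simplified model of the bundle-the-source behaviour the issue mentions. Unknown or unidentified licenses are treated as blocking rather than ignored, which is the failure mode a classifier-based scan most often hides.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// sampleReport mimics the three-column layout of `go-licenses csv ./...`
// (import path, license URL, SPDX license id). The rows are CONSTRUCTED for
// this example and are not a real Knative scan result.
const sampleReport = `github.com/example/depa,https://github.com/example/depa/blob/main/LICENSE,Apache-2.0
github.com/example/depb,https://github.com/example/depb/blob/main/LICENSE,MIT
github.com/example/depc,https://github.com/example/depc/blob/main/LICENSE,MPL-2.0
github.com/example/depd,https://github.com/example/depd/blob/main/COPYING,GPL-3.0
github.com/example/depe,Unknown,Unknown
`

// Verdict is the policy result for one dependency.
type Verdict struct {
	Package string
	License string
	Status  string // "allowed", "needs-source", "disallowed" or "unknown"
}

// ASSUMED policy tables. The allow list is an illustrative subset of permissive
// licenses, not the CNCF policy text; needsSourceLicenses models the
// go-licenses behaviour mentioned in the issue of bundling original source for
// certain reciprocal licenses, and is likewise assumed.
var (
	allowedLicenses = map[string]bool{
		"Apache-2.0": true, "MIT": true, "BSD-2-Clause": true, "BSD-3-Clause": true, "ISC": true,
	}
	needsSourceLicenses = map[string]bool{"MPL-2.0": true}
)

// classify maps one (package, license) pair onto the policy.
func classify(pkg, license string) Verdict {
	v := Verdict{Package: pkg, License: license}
	switch {
	case license == "" || license == "Unknown":
		v.Status = "unknown" // classifier could not identify it: never silently pass
	case allowedLicenses[license]:
		v.Status = "allowed"
	case needsSourceLicenses[license]:
		v.Status = "needs-source" // acceptable only if the image ships the source too
	default:
		v.Status = "disallowed"
	}
	return v
}

// Audit parses a go-licenses CSV report and returns one verdict per row.
// A row with the wrong number of fields is a parse error, not a pass.
func Audit(report string) ([]Verdict, error) {
	r := csv.NewReader(strings.NewReader(report))
	r.FieldsPerRecord = 3
	rows, err := r.ReadAll()
	if err != nil {
		return nil, fmt.Errorf("parsing report: %w", err)
	}
	verdicts := make([]Verdict, 0, len(rows))
	for _, row := range rows {
		verdicts = append(verdicts, classify(row[0], row[2]))
	}
	return verdicts, nil
}

// Violations lists the packages that should block a release: anything
// disallowed or unidentified. "needs-source" rows are left to the caller,
// since they are fixable by redistributing the source with the image.
func Violations(vs []Verdict) []string {
	var bad []string
	for _, v := range vs {
		if v.Status == "disallowed" || v.Status == "unknown" {
			bad = append(bad, v.Package)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	vs, err := Audit(sampleReport)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, v := range vs {
		fmt.Printf("%-12s %-28s %s\n", v.Status, v.Package, v.License)
	}
	if bad := Violations(vs); len(bad) > 0 {
		fmt.Println("blocking:", strings.Join(bad, ", "))
	}
}
```

In a CI job the constructed `sampleReport` would be replaced by the captured output of `go-licenses csv ./...`, and a non-empty `Violations` result would fail the build; the "needs-source" verdicts are the ones to cross-check against what actually gets copied into the image.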

@aliok
Member

aliok commented Sep 19, 2023

Related to FOSSA: cncf/sandbox#218

@csantanapr
Member Author

I met with CNCF this morning and configured FOSSA to scan the Knative repo. Access to FOSSA is in the 1Password productivity vault. @dprotaso @aliok @cardil @upodroid
