oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Introduce a "no sources are available" curation #7808

Open fviernau opened 10 months ago

fviernau commented 10 months ago

The curation should add a flag no_sources_available analogous to is_metadata_only with analogous handling, e.g. if true no attempt to download or scan the package's source code.

Motivation:

  1. Resolving via a boolean flag is better than via a resolution, for the same reason as for is_metadata_only [1], [2]. Curations with dedicated semantics provide a better matching based on identifier instead of regex, and have clear semantics as opposed to free text resolution messages. So, the curations provide more information which can be useful for automated consumption from e.g. the policy rules.
  2. Why not merge is_metadata_only and no_sources_available -> Because it provides more information enabling use cases like: for packages with is_metadata_only=true it's ok if the package does not have a license, while for no_sources_available it isn't.

[1] https://github.com/oss-review-toolkit/ort/pull/2939 [2] https://github.com/oss-review-toolkit/ort/issues/2897

sschuberth commented 10 months ago

no attempt to download or scan the package's source code.

Just to capture some thoughts from today's Kotlin Dev meeting: Basically we already have the skip_concluded mechanism for this. However, skip_concluded can only be enabled globally, and there could be cases where a concluded_license should be combined with detected copyrights from existing scan results. This would require to copy these detected copyrights to authors in package curations currently, which might be undesired. A work-around for this could be to look for existing copyrights in the scan storage before skip_concluded is interpreted.

fviernau commented 1 week ago

Use case:

As a lawyer reviewing scan results in the context of license compliance, I want to know the set of packages for which the report blindly trusts the provided license info (e.g. declared license or SBOM), without verification (running a license scanner against the codebase), in order to better understand the risks.

(I guess security would also have a use case for such flag)
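The following is an added illustration, not ORT's code and not part of this issue's comments. It models both points raised above: the analogous "skip download and scan" handling of is_metadata_only and the proposed no_sources_available flag, the reason for keeping them separate (a metadata-only package may lack a license, a package whose sources are merely unavailable may not), and the reviewer's use case of listing the packages whose license info is taken on trust without a scan. `no_sources_available` is the flag this issue proposes and does not exist in ORT; the package inventory and curation entries are constructed, and the curation entries only mimic the shape of ORT's package curations (an `id` plus a `curations` map).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Package:
    id: str                             # ORT-style identifier "type:namespace:name:version"
    declared_license: Optional[str]     # license from the package metadata, may be absent
    is_metadata_only: bool = False      # existing ORT curation flag
    no_sources_available: bool = False  # flag proposed in this issue (hypothetical)
    scan_results: int = 0               # number of scan results available for the package


# Constructed curation entries in the shape of ORT package curations.
# "no_sources_available" is the proposed flag, not an existing ORT field.
CURATIONS = [
    {"id": "NPM::bom-only:2.0", "curations": {"is_metadata_only": True}},
    {"id": "Maven:org.example:closed:3.1", "curations": {"no_sources_available": True}},
    {"id": "Maven:org.example:lost:0.9", "curations": {"no_sources_available": True}},
]

# Constructed inventory of packages, as an analyzer run might have found them.
PACKAGES = [
    Package("Maven:org.example:lib-a:1.0", "Apache-2.0"),
    Package("NPM::bom-only:2.0", None),
    Package("Maven:org.example:closed:3.1", "MIT"),
    Package("Maven:org.example:lost:0.9", None),
]


def apply_curations(packages, curations):
    """Match curations to packages by exact identifier (the point made in the
    first comment: identifier matching instead of regex-based resolutions)."""
    by_id = {c["id"]: c["curations"] for c in curations}
    for pkg in packages:
        cur = by_id.get(pkg.id, {})
        pkg.is_metadata_only = cur.get("is_metadata_only", pkg.is_metadata_only)
        pkg.no_sources_available = cur.get("no_sources_available", pkg.no_sources_available)
    return packages


def should_scan(pkg):
    """Analogous handling for both flags: skip source download and scanning."""
    return not (pkg.is_metadata_only or pkg.no_sources_available)


def run_scanner(packages):
    """Stand-in for the scan step: only packages that should be scanned get results."""
    for pkg in packages:
        if should_scan(pkg):
            pkg.scan_results = 1
    return packages


def trusted_without_scan(packages):
    """Packages whose license info the report takes on trust because no scan
    results exist; this is the set the reviewer use case asks for."""
    return sorted(p.id for p in packages if p.scan_results == 0)


def policy_violations(packages):
    """Why two flags rather than one: a metadata-only package may have no
    license, a package whose sources are merely unavailable may not."""
    return sorted(
        (p.id, "no license for package without sources")
        for p in packages
        if p.declared_license is None and not p.is_metadata_only
    )


def evaluate(packages=PACKAGES, curations=CURATIONS):
    pkgs = run_scanner(apply_curations(packages, curations))
    return {"trusted": trusted_without_scan(pkgs), "violations": policy_violations(pkgs)}


if __name__ == "__main__":
    print(evaluate())
```

Running the script lists the three curated packages as "trusted without scan" and reports only the package that has neither a declared license nor the metadata-only flag, which is exactly the distinction the second motivation point argues for: the flags steer the same scan behaviour but carry different meaning for a policy rule.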

sschuberth commented 1 week ago

I'm having trouble understanding how "blindly trust the provided license info" equals the "no sources are available" semantics because there could be cases where the source code is available, but you still decide to not take scan results into account (or scan at all) just for simplicity of the process.

fviernau commented 1 week ago

I'm having trouble understanding how "blindly trust the provided license info" equals the "no sources are available" semantics because there could be cases where the source code is available, but you still decide to not take scan results into account (or scan at all) just for simplicity of the process.