priv-kweihmann / meta-sca

Layer for static code analysis and security hardening

oss-review-toolkit support #782

Closed RobertBerger closed 3 months ago

RobertBerger commented 4 years ago

A new "cool" feature.

"The analyzer is a Software Composition Analysis (SCA) tool that determines the dependencies of software projects inside the specified input directory ..."

https://github.com/heremaps/oss-review-toolkit

priv-kweihmann commented 4 years ago

I'll have a look at that - but this needs Java for building, so it's going to take a while...

priv-kweihmann commented 4 years ago

In what part exactly are you interested? I'm just asking because the tool seems to be a wrapper around a bunch of other stuff. For the license compliance part I currently favor scancode (https://github.com/priv-kweihmann/meta-sca/issues/696) as it matches the use cases I had initially in mind. Those would be:

  • some dev didn't care a lot about licensing (happens more often than not) and as part of a CI-based checker it should warn about that (including cases of mixing CLOSED and FOSS things)
  • there is a license set in a recipe, but the info is wrong/outdated or incomplete -> that should lead to a warning as well
  • in combination with the Yocto builtin GPL3 checker it should be possible to raise a red flag if some GPLv3 code slips through (otherwise that would go unnoticed)
  • for whatever reason the policy is set that code from some company/author should not be used (let's call that the McHardy rule ;-)), that could be done as well.

tl;dr:

Are there any other use cases I didn't mention which should be covered? I currently don't want to add another dependency layer (in this case meta-java, which is in pretty bad shape atm) to make it work - so I would rather go cherry-pick some of the used tools from that one to achieve the same in the end.

Any thoughts?

RobertBerger commented 4 years ago

Well, one thing would be to teach the tool bitbake. Then Yocto integration, I guess. There are 6 questions for the integration to answer. Stay tuned. I'll try to answer them. Also, I managed to build OpenJDK with Yocto zeus, if that helps.
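The four use cases listed in the comment above (no LICENSE at all or CLOSED mixed with FOSS, declared license info that is wrong or incomplete, GPLv3 code in the sources, and code from a blocked author/company) expressed as one policy check. This is an added example, not code from meta-sca, scancode or ORT: the scanner output is modelled as plain Python data (the `Scan` class, the rule names and the `Policy` fields are assumptions made here), the bitbake LICENSE expressions are parsed only for their license ids, and every recipe in `SAMPLE_RECIPES` is constructed for illustration.

```python
"""Added example (not meta-sca code): a stand-alone license policy check for the
four use cases from the thread.  Input per recipe is the bitbake LICENSE string
("GPL-2.0-only | MIT", "CLOSED", ...) and a scanner result (SPDX ids plus copyright
holders) as a source scanner such as scancode would report it.  The scanner
integration is assumed; its result is modelled as plain data, and all recipes
below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# bitbake LICENSE syntax: ids joined by "&" / "|", optionally parenthesised
_TOKEN = re.compile(r"[()&|]|[^\s()&|]+")
_OPERATORS = {"(", ")", "&", "|"}


def declared_licenses(expr: str) -> set[str]:
    """License ids named in a bitbake LICENSE expression (operators dropped)."""
    return {t for t in _TOKEN.findall(expr or "") if t not in _OPERATORS}


def is_gpl3(lic: str) -> bool:
    """True for the (L/A)GPL-3.0 family, e.g. GPL-3.0-only, LGPL-3.0-or-later."""
    return lic.startswith(("GPL-3.0", "LGPL-3.0", "AGPL-3.0"))


@dataclass
class Scan:
    """Constructed stand-in for a scanner's result for one recipe's sources."""
    licenses: set[str]
    holders: set[str]


@dataclass
class Policy:
    forbid_gpl3: bool = True
    blocked_holders: set[str] = field(default_factory=set)  # the "McHardy rule"


def check_recipe(name: str, declared: str, scan: Scan, policy: Policy) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one recipe; an empty list means clean."""
    findings = []
    decl = declared_licenses(declared)
    det = scan.licenses
    foss_decl = decl - {"CLOSED"}

    # 1. nobody cared about licensing: the recipe declares nothing at all
    if not decl:
        findings.append(("missing-license", f"{name} sets no LICENSE"))
    # 1b. CLOSED mixed with FOSS, in the declaration or in the scanned sources
    if "CLOSED" in decl and (foss_decl or det):
        findings.append(("closed-mixed-with-foss",
                         f"CLOSED declared alongside {sorted(foss_decl | det)}"))
    # 2. declared info is wrong, outdated or incomplete
    if foss_decl:
        undeclared = det - decl
        if undeclared:
            findings.append(("undeclared-license",
                             f"in sources but not in LICENSE: {sorted(undeclared)}"))
        stale = foss_decl - det
        if det and stale:
            findings.append(("stale-license",
                             f"in LICENSE but not found in sources: {sorted(stale)}"))
    # 3. GPLv3 in the sources: the builtin incompatible-license check only sees the
    #    declared LICENSE, so this is what catches code that slipped through
    if policy.forbid_gpl3:
        gpl3 = {lic for lic in det if is_gpl3(lic)}
        if gpl3:
            findings.append(("gpl3-in-sources", f"{sorted(gpl3)}"))
    # 4. code from a company/author the policy says must not be used
    for holder in sorted(scan.holders):
        if any(b.lower() in holder.lower() for b in policy.blocked_holders):
            findings.append(("blocked-holder", holder))
    return findings


def run_checks(recipes: dict, policy: Policy) -> dict[str, list[str]]:
    """Map recipe name -> triggered rule names, for all recipes of an image."""
    return {name: [rule for rule, _ in check_recipe(name, declared, scan, policy)]
            for name, (declared, scan) in recipes.items()}


# Constructed sample input: (LICENSE as written in the recipe, scanner result)
SAMPLE_RECIPES = {
    "good-lib":     ("MIT", Scan({"MIT"}, {"Example Project Authors"})),
    "careless-app": ("", Scan({"BSD-3-Clause"}, {"Some Dev"})),
    "stale-tool":   ("GPL-2.0-only | MIT",
                     Scan({"GPL-2.0-only", "GPL-3.0-or-later"}, {"Some Dev"})),
    "vendor-blob":  ("CLOSED", Scan({"MIT"}, {"Vendor Inc."})),
    "blocked-src":  ("GPL-2.0-only", Scan({"GPL-2.0-only"}, {"Blocked Author Inc."})),
}
SAMPLE_POLICY = Policy(forbid_gpl3=True, blocked_holders={"Blocked Author Inc."})

if __name__ == "__main__":
    for recipe, rules in run_checks(SAMPLE_RECIPES, SAMPLE_POLICY).items():
        print(f"{recipe}: {', '.join(rules) or 'OK'}")
```

The check deliberately compares detected ids against the declared ones in both directions: an id found in the sources but absent from LICENSE is the "incomplete" case, an id in LICENSE that the scanner never saw is the "outdated" case, and a recipe declared CLOSED is only flagged when FOSS actually shows up beside it, so purely proprietary recipes stay quiet.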

priv-kweihmann commented 4 years ago

@RobertBerger any update for this one here?

RobertBerger commented 4 years ago

As a first step I started to answer some of the questions from ORT (but it's not finished yet):

https://docs.google.com/document/d/1HjGCUwgfgKFBCNqDNX38gBAh6LKiFcLISmg9Aj3tpY0/edit?usp=sharing

priv-kweihmann commented 4 years ago

@RobertBerger I have no read permission for the doc. Maybe, in case you don't want to share it publicly yet, just mail me the doc.

priv-kweihmann commented 4 years ago

@RobertBerger haven't heard from you in a while - lately I added https://github.com/priv-kweihmann/meta-sca/blob/master/classes/sca-licensecheck.bbclass; does this address a few of your use cases?

priv-kweihmann commented 3 months ago

The Java/Kotlin base of ORT IMO will never be fully usable from Yocto. The current license-check (from meta-sca) + SPDX support from core should cover all bases, so let's close that one here.