zowe / zac

Zowe Leadership Committee collaboration
Creative Commons Attribution 4.0 International

Document our code scan process and provide audit trail #110

Closed nkocsis closed 3 years ago

nkocsis commented 5 years ago

We need to get the steps documented that Stephen Winslow does and then provide audit trail with its outcomes and ensure that all conflicts are resolved.

This is a note I received from Steve about what he did/does. This might have changed.

Here are some more details on the license scan: I'll be using a tool called FOSSology (which is itself an LF open source project, https://www.fossology.org/). I'll run an automated scan that looks inside the scanned code for license notices, such as the standard license headers for Apache-2.0 or the GNU family of licenses. FOSSology uses a couple of different strategies (bulk text matching and also regular expression matching) to look for possible matches, and also looks for potential non-standard license references and statements. After the FOSSology agents run, I will review the results in detail to clear out false positives and provide clearer reporting.

For the initial (pre-load) scan, I'll primarily be looking just for significant red flags. This might include, e.g., strong copyleft licenses such as the GPL or AGPL, or references to proprietary / non-open source licenses -- things that could cause more significant concern if included in an EPL-2.0 project. If I do find anything along those lines, I'll notify you and the team so that it can be addressed and remediated prior to bringing the code into a public repo.

On an ongoing basis, if we proceed with ongoing license scan services for the project, then on approximately a monthly basis I can run and review an updated license scan. For the ongoing scans we can get into more details about ways to handle third party licenses (such as "permissive" / attribution-style licenses like MIT or BSD-3-Clause). I can also help facilitate approvals by the Governing Board or TSC for exceptions to the main project license, depending on how it is structured in the project's governing documents.
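As an added illustration of the two matching strategies described in the note above (regex matching of standard license-header wording plus SPDX tags), and of the pre-load "red flag" triage against an EPL-2.0 project license, here is a small scanner written for this page. It is not FOSSology's code and not part of the Zowe project; the file contents, the category names (`ok`, `third-party`, `red-flag`, `unknown`) and the header regexes are constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PROJECT_LICENSE = "EPL-2.0"  # assumption: the project license the scan is cleared against

# Regex-matching strategy: wording of common standard license headers (illustrative subset).
HEADER_PATTERNS = [
    ("Apache-2.0", re.compile(r"Licensed under the Apache License,? Version 2\.0", re.I)),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge", re.I)),
    ("BSD-3-Clause", re.compile(r"Redistribution and use in source and binary forms.*?Neither the name", re.I | re.S)),
    ("EPL-2.0", re.compile(r"Eclipse Public License.{0,40}?2\.0", re.I | re.S)),
    ("LGPL-2.1-or-later", re.compile(r"GNU Lesser General Public License", re.I)),
    ("GPL-2.0-or-later", re.compile(r"GNU General Public License.{0,200}?version 2", re.I | re.S)),
    ("GPL-3.0-or-later", re.compile(r"GNU General Public License.{0,200}?version 3", re.I | re.S)),
    ("AGPL-3.0-or-later", re.compile(r"GNU Affero General Public License", re.I)),
]
# Machine-readable tags; a simple expression like "MIT OR Apache-2.0" is split into its parts.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+\-]+)*)")
# Non-standard statements hinting at proprietary terms. "All rights reserved" also appears in
# ordinary BSD/MIT headers, so it is only treated as a red flag when no open-source grant is found.
PROPRIETARY = re.compile(r"\b(all rights reserved|confidential|proprietary)\b", re.I)
SKIP_DIRS = {".git", "node_modules", "build", "target"}


def is_strong_copyleft(lic: str) -> bool:
    # GPL and AGPL families; LGPL starts with "LGPL-" and is deliberately not matched here.
    return lic.startswith(("GPL-", "AGPL-"))


def scan_text(text: str) -> Tuple[List[str], bool]:
    """Return (license ids found in order of discovery, proprietary-wording hint)."""
    found: List[str] = []
    for m in SPDX_TAG.finditer(text):
        for token in re.split(r"\s+(?:OR|AND|WITH)\s+", m.group(1)):
            if token not in found:
                found.append(token)
    for lic, pat in HEADER_PATTERNS:
        if lic not in found and pat.search(text):
            found.append(lic)
    return found, bool(PROPRIETARY.search(text))


def classify(licenses: List[str], proprietary_hint: bool) -> str:
    """Triage one file the way the pre-load scan does: surface what could block an EPL-2.0 load."""
    if any(is_strong_copyleft(lic) for lic in licenses):
        return "red-flag"
    if not licenses:
        return "red-flag" if proprietary_hint else "unknown"  # unknown: no notice, manual review
    if all(lic == PROJECT_LICENSE for lic in licenses):
        return "ok"
    return "third-party"  # permissive/other terms: attribution handling in the ongoing scans


def scan_tree(root: Path) -> Dict[str, Tuple[List[str], str]]:
    """Walk a checkout; map each text file (relative POSIX path) to (licenses, category)."""
    report: Dict[str, Tuple[List[str], str]] = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts[:-1]):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary artefact: not a notice carrier for this scanner
        licenses, hint = scan_text(text)
        report[rel.as_posix()] = (licenses, classify(licenses, hint))
    return report


def red_flags(report: Dict[str, Tuple[List[str], str]]) -> List[str]:
    return [path for path, (_, category) in report.items() if category == "red-flag"]


# Constructed sample tree (not from any real repository) exercising each category.
SAMPLE_TREE = {
    "src/main.js": "// SPDX-License-Identifier: EPL-2.0\nexport const x = 1;\n",
    "vendor/util.js": (
        "/* Copyright (c) 2015 Example Co. All rights reserved.\n"
        " * Redistribution and use in source and binary forms, with or without\n"
        " * modification, are permitted provided that the following conditions are met:\n"
        " * ... 3. Neither the name of the copyright holder nor the names of its\n"
        " * contributors may be used to endorse or promote derived products. */\n"
    ),
    "vendor/copyleft.c": (
        "/* This program is free software: you can redistribute it and/or modify it\n"
        " * under the terms of the GNU General Public License as published by the\n"
        " * Free Software Foundation, either version 3 of the License, or (at your\n"
        " * option) any later version. */\n"
    ),
    "closed/notice.txt": "Copyright 2018 Example Vendor. All rights reserved. Proprietary and confidential.\n",
    "README.md": "# demo\nNo license notice here.\n",
}


def demo() -> Dict[str, Tuple[List[str], str]]:
    """Materialise SAMPLE_TREE in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for path, (licenses, category) in demo().items():
        print(f"{category:11} {path:20} {', '.join(licenses) or '-'}")
```

The output is triage input, not a verdict: a file that merely mentions the GPL in a comment will match the GPL header regex, which is the kind of false positive the note says gets cleared in manual review before reporting. Keeping the per-file license list alongside the category is what gives the "audit trail" the issue asks for, since the reviewer can record why each hit was accepted or remediated.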

jmertic commented 4 years ago

Hey @nkocsis - I know one thing I'm working with @swinslow is streamlining these processes as we scale up this service across the LF. I'd love any feedback you might have on how to improve the workflow so that the Zowe team can review and remediate anything that comes up, along with providing more visibility of these scans to the public. Zowe is a great community to build best practices around in this area.

armstro commented 3 years ago

Close per @nkocsis