zowe / zowe-install-packaging

Packaging repository for the Zowe install scripts and files
Eclipse Public License 2.0
27 stars 51 forks

Dependency and license scan for C applications #1959

Open jackjia-ibm opened 3 years ago

jackjia-ibm commented 3 years ago

Customer content

Is your feature request related to a problem? Please describe.

Some C applications have explicitly defined dependencies, and we should include them in the dependency and license scan.

For example, libYAML is imported and used by Zowe Launcher (https://github.com/zowe/launcher/pull/16/files#diff-fe7afb5c9c916e521401d3fcfb4277d5071798c3baf83baf11d6071742823584R3), which is MIT licensed.

Describe the solution you'd like

@MarkAckert @FlappiTomic

MarkAckert commented 3 years ago

C dependencies, especially in Git submodules / makefile formats, aren't as easy to pick up as in other languages and build tools. I think we'll need to create a new file format in the C repository which the license scanner can consume and use to generate the attribution report. I'd prefer an alternative if someone has another idea to tackle this...

The new file format would be something along the lines of zowe_license.json, which is a []Dependency:

With:

type Dependency = {
    Name: string
    Version: string
    RepoURL: string
    License: string // optional, we can scan RepoURL for a LICENSE file
}

And the repository file filled out as:

[
  {
    "Name": "libYAML",
    "Version": "1.2",
    "RepoURL": "https://github.com/yaml/libyaml"
  }
]

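As an added example (not code from the Zowe project or from this comment), here is what a scanner consuming the proposed zowe_license.json could look like: it parses and validates the []Dependency array, keeps the declared License when present, otherwise resolves it from the repository's LICENSE text, and renders an attribution report. The ALLOWED_HOSTS policy, the LicenseLookup callback, the sample "example-lib" entry and the license-detection phrases are assumptions of this example, not anything the issue proposes.

```typescript
// Added example, not Zowe project code: parser and attribution-report
// generator for the proposed zowe_license.json ([]Dependency) format.
// ALLOWED_HOSTS, LicenseLookup and the detection phrases are assumptions.

type Dependency = {
  Name: string;
  Version: string;
  RepoURL: string;
  License?: string; // optional: resolved from RepoURL's LICENSE file when absent
};

type AttributionEntry = {
  name: string;
  version: string;
  repoURL: string;
  license: string;
  source: "declared" | "scanned" | "unresolved";
};

// Returns the text of the repository's LICENSE file, or undefined if none
// could be retrieved. A real scanner would fetch it over HTTPS here.
type LicenseLookup = (repoURL: string) => string | undefined;

// Assumed policy: only fetch LICENSE files from hosts we expect, so a crafted
// RepoURL in a dependency file cannot steer the scanner at an internal
// address or a plain-http endpoint.
const ALLOWED_HOSTS = new Set(["github.com", "gitlab.com"]);

function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.trim().length > 0;
}

// Parse and validate a zowe_license.json document; throws on any defect.
function parseLicenseFile(text: string): Dependency[] {
  const data: unknown = JSON.parse(text);
  if (!Array.isArray(data)) throw new Error("zowe_license.json must be a JSON array");
  const seen = new Set<string>();
  return data.map((entry, i): Dependency => {
    const e = (entry ?? {}) as Record<string, unknown>;
    for (const field of ["Name", "Version", "RepoURL"]) {
      if (!isNonEmptyString(e[field])) throw new Error(`entry ${i}: missing or empty ${field}`);
    }
    let url: URL;
    try {
      url = new URL(e["RepoURL"] as string);
    } catch {
      throw new Error(`entry ${i}: RepoURL is not a valid URL`);
    }
    if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
      throw new Error(`entry ${i}: RepoURL must use https on an allowed host, got ${url.href}`);
    }
    if (e["License"] !== undefined && !isNonEmptyString(e["License"])) {
      throw new Error(`entry ${i}: License must be a non-empty string when present`);
    }
    const key = `${e["Name"]}@${e["Version"]}`;
    if (seen.has(key)) throw new Error(`duplicate dependency ${key}`);
    seen.add(key);
    const dep: Dependency = { Name: e["Name"] as string, Version: e["Version"] as string, RepoURL: e["RepoURL"] as string };
    if (e["License"] !== undefined) dep.License = e["License"] as string;
    return dep;
  });
}

// Heuristic classification of LICENSE text (assumed phrases, enough for the
// common permissive licenses); anything else is flagged for manual review.
function classifyLicenseText(text: string): string {
  const t = text.toLowerCase();
  if (t.includes("permission is hereby granted, free of charge")) return "MIT";
  if (t.includes("apache license") && t.includes("version 2.0")) return "Apache-2.0";
  if (t.includes("redistribution and use in source and binary forms")) return "BSD";
  return "UNKNOWN";
}

// Declared License wins; otherwise scan the LICENSE text; otherwise flag it.
function buildAttribution(deps: Dependency[], lookup: LicenseLookup): AttributionEntry[] {
  return deps.map((d): AttributionEntry => {
    const base = { name: d.Name, version: d.Version, repoURL: d.RepoURL };
    if (d.License !== undefined) return { ...base, license: d.License, source: "declared" };
    const text = lookup(d.RepoURL);
    if (text === undefined) return { ...base, license: "UNKNOWN", source: "unresolved" };
    return { ...base, license: classifyLicenseText(text), source: "scanned" };
  });
}

function renderReport(entries: AttributionEntry[]): string {
  return entries.map((e) => `${e.name} ${e.version} (${e.repoURL}): ${e.license} [${e.source}]`).join("\n");
}

// Constructed input: the libYAML entry from the comment above plus a
// hypothetical second entry that declares its license explicitly.
const SAMPLE_LICENSE_JSON = JSON.stringify([
  { Name: "libYAML", Version: "1.2", RepoURL: "https://github.com/yaml/libyaml" },
  { Name: "example-lib", Version: "0.1.0", RepoURL: "https://github.com/example/example-lib", License: "Apache-2.0" },
]);

// Constructed offline stand-in for the HTTPS fetch: a generic MIT excerpt
// for the libyaml URL, nothing for any other repository.
const sampleLookup: LicenseLookup = (repoURL) =>
  repoURL === "https://github.com/yaml/libyaml"
    ? "Copyright (c) <year> <holder>\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software..."
    : undefined;

console.log(renderReport(buildAttribution(parseLicenseFile(SAMPLE_LICENSE_JSON), sampleLookup)));
```

The host allowlist and the https-only check are the part worth keeping whatever the final format: once the scanner fetches a LICENSE file from a URL taken out of a repository-controlled file, that file is an input to a network request made by the build pipeline, and an unresolved or unclassifiable license should land in the report as a visible gap rather than be silently skipped.
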
jackjia-ibm commented 3 years ago

It looks good to me. Or we can merge it into manifest.yaml and define it under dependencies or sourceDependencies, like what we do in the Zowe manifest.json. Zowe launcher manifest.yaml is here.