Research FOSS/OSS License Compliance tools and POC it
Problem to solve
License Finder is not well maintained and does not fit our needs. We need to replace it with either another OSS tool or our own code.
Proposal
Based on the objectives and requirements in the epic, please research the currently available open source license compliance tools, select one, and build a proof of concept (POC) with it.
The POC should help you evaluate whether the tool meets the criteria and let you estimate what work would be needed, and how difficult it would be, to make that tool the replacement for License Finder. Include an estimate: if one developer or two developers worked on it, how long would it take to reach License Finder parity?
UPDATE: Based on #7153 (comment 741712195), we no longer need to consider OSS Review Toolkit (ORT), as they are publishing their own integration, so skip it when researching currently available solutions.
Testing
Based on the list at https://gitlab-org.gitlab.io/quality/ci/secure-test-project-orchestrator/ sorted by license-scanning:
- SET should ensure tests for supported test projects pass the License Scanning and QA jobs.
🤖 Auto-Summary Discoto Usage
Points
Discussion points are declared by headings, list items, and single lines that start with the text `point:` (case-insensitive). For example, the following are all valid points:
#### POINT: This is a point
* point: This is a point
+ Point: This is a point
- pOINT: This is a point
point: This is a **point**
Note that any markdown used in the point text will also be propagated into the topic summaries.
Topics
Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.
Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with `topic:` (case-insensitive). For example, the following are all valid topics:
# Topic: Inline discussion topic 1
## TOPIC: **{+A Green, bolded topic+}**
### tOpIc: Another topic
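To make the two rules above concrete, here is an added example (not Discoto's own code) of a small Python parser that applies them: it recognises points in headings, list items and bare lines, accepts topics only from a heading on the first line of a thread's first comment, and keeps any markdown in the point text, as the usage text says the bot does. The regular expressions, the function names and the sample thread are assumptions made for this illustration.

```python
"""Added example: parser for the Discoto point/topic syntax described above.
Not Discoto's own implementation; the regexes below encode the stated rules as assumptions."""
import re
from typing import Dict, List, Optional

# A point is a heading, a list item (*, + or -), or a bare line whose text starts
# with "point:" (case-insensitive). Text after the colon is kept verbatim, markdown included.
_POINT_RE = re.compile(r"^\s*(?:#{1,6}\s+|[*+-]\s+)?point:\s*(.*\S)\s*$", re.IGNORECASE)

# A topic must be a markdown heading whose text starts with "topic:" (case-insensitive).
_TOPIC_RE = re.compile(r"^\s*#{1,6}\s+topic:\s*(.*\S)\s*$", re.IGNORECASE)


def extract_points(comment: str) -> List[str]:
    """Return every point declared in a comment body, in document order."""
    points = []
    for line in comment.splitlines():
        match = _POINT_RE.match(line)
        if match:
            points.append(match.group(1))
    return points


def topic_title(first_comment: str) -> Optional[str]:
    """Return the topic title if, and only if, the first line of the comment is a topic heading."""
    lines = first_comment.splitlines()
    if not lines:
        return None
    match = _TOPIC_RE.match(lines[0])
    return match.group(1) if match else None


def summarize_thread(comments: List[str]) -> Optional[Dict[str, object]]:
    """Build a topic summary from a thread (list of comment bodies).

    Returns None when the thread does not open with a topic heading; otherwise the
    title plus all points gathered from every comment in the thread.
    """
    title = topic_title(comments[0]) if comments else None
    if title is None:
        return None
    points = [point for comment in comments for point in extract_points(comment)]
    return {"topic": title, "points": points}


# Constructed sample thread (not from the issue): two comments, the first opening a topic.
SAMPLE_THREAD = [
    "## TOPIC: **{+A Green, bolded topic+}**\n\nSome introduction.\n* point: First candidate evaluated\n",
    "This is not a point.\n"
    "- pOINT: Second candidate needs a **custom** license list\n"
    "point: A bare line point\n"
    "pointless: the prefix must be exactly point:\n"
    "- topic: a list item is not a topic heading\n",
]

if __name__ == "__main__":
    print(summarize_thread(SAMPLE_THREAD))
```

`topic_title` deliberately looks only at the first line, so a `topic:` heading further down a comment, or one written as a list item, is ignored, matching the stated rule that only the first line of the thread's first comment can open a topic.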
Quick Actions
| Action | Description |
| --- | --- |
| /discuss sub-topic TITLE | Create an issue for a sub-topic. Does not work in epics |
| /discuss link ISSUABLE-LINK | Link an issuable as a child of this discussion |
Last updated by this job
- TOPIC Overview of License Compliance tool that doesn't match our criteria #343399 (comment 831209631)
  - FossID #343399 (comment 831209631)
  - Licensed #343399 (comment 831209631)
  - FOSSA #343399 (comment 831209631)
  - DependencyTrack #343399 (comment 831209631)
  - SCANOSS #343399 (comment 831209631)
  - Licensee #343399 (comment 831209631)
- TOPIC Scancode #343399 (comment 832607220)
  - Overview #343399 (comment 832607220)
  - Code #343399 (comment 832607220)
  - License (from README) #343399 (comment 832607220)
  - Methods of fetching licenses #343399 (comment 832607220)
  - Wish list check #343399 (comment 832607220)
  - CycloneDX #343399 (comment 832607220)
  - Report #343399 (comment 832607220)
  - More than a license detection tool #343399 (comment 853919707)
  - Custom licenses #343399 (comment 853924221)
- TOPIC GitLab ORT integration #343399 (comment 840153444)
  - How it works #343399 (comment 840153444)
  - Set up #343399 (comment 840153444)
Discoto Settings
```yaml
---
summary:
  max_items: -1
  sort_by: created
  sort_direction: ascending
```
See the settings schema for details.