forked from antrea-io/antrea
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Go dependeny scan using golicense
We add a script and a corresponding CI job to analyze the Antrea binaries and extract their Go dependencies. I could not find any good tool for source-based dependency analysis (https://github.com/google/go-licenses seems to have many issues, and fails for quite a lot of depedencies, without any possibility of manual override). Analyzing binaries also mean that we can avoid some false positives for transitive dependencies that end up not actually being used by Antrea. The CI job will help us automatically detect licensing issues (e.g. non business-friendly license, such as GPL/LGPL) with new dependencies before we merge a patch. With the CI integration, we can also publish a list of the Go dependencies for the Antrea binaries with each release. TODO: for releases, upload full dependency list to Antrea S3 account. Fixes antrea-io#345
- Loading branch information
1 parent
91e2c34
commit 6941d7b
Showing
3 changed files
with
133 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| name: Golicense | ||
| on: | ||
| pull_request: | ||
| branches: | ||
| - master | ||
| - release-* | ||
| paths: | ||
| - '**go.mod' | ||
| push: | ||
| branches: | ||
| - master | ||
| - release-* | ||
| release: | ||
| types: | ||
| - created | ||
|
|
||
| jobs: | ||
| golicense: | ||
| runs-on: [ubuntu-latest] | ||
| steps: | ||
| - name: Set up Go 1.13 | ||
| uses: actions/setup-go@v1 | ||
| with: | ||
| go-version: 1.13 | ||
| - uses: actions/checkout@v2 | ||
| - run: mkdir antrea-bins | ||
| # - name: Build assets | ||
| # run: | | ||
| # export VERSION="$(head VERSION)" | ||
| # ./hack/release/prepare-assets.sh ./antrea-bins | ||
| - name: Build Linux binaries | ||
| run: BINDIR=./antrea-bins make bin | ||
| - name: Run golicense | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: ./ci/golicense/run.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| { | ||
| "allow": [ | ||
| "MIT", | ||
| "Apache-2.0", | ||
| "BSD-2-Clause", | ||
| "BSD-3-Clause", | ||
| "MPL-2.0", | ||
| "ISC", | ||
| "EPL-1.0" | ||
| ], | ||
| "deny": [ | ||
| "GPL-1.0-only", | ||
| "GPL-1.0-or-later", | ||
| "GPL-1.0", | ||
| "GPL-1.0+", | ||
| "GPL-2.0-only", | ||
| "GPL-2.0-or-later", | ||
| "GPL-2.0", | ||
| "GPL-2.0+", | ||
| "GPL-3.0-only", | ||
| "GPL-3.0-or-later", | ||
| "GPL-3.0", | ||
| "GPL-3.0+", | ||
| "LGPL-2.0-only", | ||
| "LGPL-2.0-or-later", | ||
| "LGPL-2.0", | ||
| "LGPL-2.0+", | ||
| "LGPL-2.1-only", | ||
| "LGPL-2.1-or-later", | ||
| "LGPL-2.1", | ||
| "LGPL-2.1+", | ||
| "LGPL-3.0-only", | ||
| "LGPL-3.0-or-later", | ||
| "LGPL-3.0", | ||
| "LGPL-3.0+", | ||
| "MPL-1.0", | ||
| "MPL-1.1", | ||
| "AGPL-3.0-only", | ||
| "AGPL-3.0-or-later", | ||
| "AGPL-3.0", | ||
| "AGPL-3.0+", | ||
| "FTL" | ||
| ], | ||
| "override": { | ||
| "github.com/gogo/protobuf": "BSD-3-Clause", | ||
| "sigs.k8s.io/yaml": "MIT", | ||
| "../../": "Apache-2.0", | ||
| "github.com/golang/freetype": "FTL", | ||
| "github.com/docker/spdystream": "Apache-2.0" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -eo pipefail | ||
|
|
||
| if [ "$#" -ne 2 ]; then | ||
| echo "Invalid number of parameters. Usage: $0 <PATH TO ANTREA BINARIES DIRECTORY> <OUT PATH FOR REPORTS>" | ||
| exit 1 | ||
| fi | ||
|
|
||
| if [ -z "$GITHUB_TOKEN" ]; then | ||
| echo "GITHUB_TOKEN environment variable must be set to avoid aggressive API rate limiting" | ||
| exit 1 | ||
| fi | ||
|
|
||
| THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" | ||
|
|
||
| failed_binaries="" | ||
|
|
||
| for f in "$1"/*; do | ||
| [ -e "$f" ] || continue | ||
| if [[ $f =~ antrea-agent || $f =~ antrea-controller || $f =~ antrea-cni || $f =~ antctl || $f =~ antrea-octant-plugin ]]; then | ||
| if [[ $f =~ exe ]]; then | ||
| # skip Windows binaries for now | ||
| continue | ||
| fi | ||
| base=$(basename $f) | ||
| echo "Processing $base" | ||
| echo "****************" | ||
| docker run --rm -e GITHUB_TOKEN -v $THIS_DIR:/conf -v $1:/bins antrea/golicense /conf/conf.json /bins/$base | tee "$2/$base.deps.txt" || failed_binaries="$failed_binaries $base" | ||
| echo "****************" | ||
| fi | ||
| done | ||
|
|
||
| echo "Merging all files as $2/ALL.deps.txt" | ||
| echo "****************" | ||
| # The 'grep -v' is to remove the dependency of the Antrea Octant plugin to Antrea | ||
| cat "$2"/*.deps.txt | grep -v "\.\./\.\." | uniq | tee "$2/ALL.deps.txt" | ||
| echo "****************" | ||
|
|
||
| if [ -z "$failed_binaries" ]; then | ||
| echo "#### SUCCESS ####" | ||
| else | ||
| echo "#### FAILURE ####" | ||
| echo "Scan failed for the following binaries: $failed_binaries" | ||
| echo "Check $2/ALL.deps.txt for more info" | ||
| fi |