Add multiple license scanning tools check (instead of just FOSSA)

[idvoretskyi]

CNCF does require license scanning enabled for all projects. However, FOSSA is not the only tool that the project can use, e.g., various projects use Snyk - (cncf/foundation#109 (comment)).

Let's check for the license scanning badge more broadly, not just for the "FOSSA badge".

[dims]

Also note that snyk badges are not available for golang repos ( https://support.snyk.io/hc/en-us/articles/360003997277-Badge-Support-for-Repositories - only Node.js, Ruby or Java)

[caniszczyk]

There's other ways to check, you can check say build files for a snyk action etc I don't think there is a SUPER easy way to do this but we can try some standardized checking in CNCF land.

…

On Mon, Feb 14, 2022 at 3:06 PM Davanum Srinivas ***@***.***> wrote: Also note that snyk badges are not available for golang repos ( https://support.snyk.io/hc/en-us/articles/360003997277-Badge-Support-for-Repositories - only Node.js, Ruby or Java) — Reply to this email directly, view it on GitHub <#50 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAPSII6WYZGUULIBPKUEDDU3FVDNANCNFSM5OMSJ3EQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- Cheers, Chris Aniszczyk https://aniszczyk.org

[dims]

yep, in our case, we publish to testgrid https://testgrid.k8s.io/sig-security-snyk-scan#ci-kubernetes-snyk-master

from a prow ci job - https://cs.k8s.io/?q=ci-kubernetes-snyk-master&i=nope&files=&excludeFiles=&repos=

[idvoretskyi]

@caniszczyk, can we provide this data manually for those projects that can't be checked automatically? E.g., if a project uses the Snyk account provided by CNCF, we can pull this data manually from our Snyk dashboard.

[caniszczyk]

there's so many ways to check, we can even add a metadata attribute to the landscape etc ;p For now, let's just continue improving the tool before we audit all projects :)

…

On Mon, Feb 14, 2022 at 3:21 PM Ihor Dvoretskyi ***@***.***> wrote: @caniszczyk <https://github.com/caniszczyk>, can we provide this data manually for those projects that can't be checked automatically? E.g., if a project uses the Snyk account provided by CNCF, we can pull this data manually from our Snyk dashboard. — Reply to this email directly, view it on GitHub <#50 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAPSIKNBLX3EMSHQBODETDU3FW7DANCNFSM5OMSJ3EQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Cheers, Chris Aniszczyk https://aniszczyk.org

[tegioz]

Hi 👋

We've made some improvements to this check:

• It has been renamed from FOSSA badge to License scanning
• It is now able to also detect Snyk badges in README files
• A link to the license scanning results is stored and exposed in the UI
• In addition to FOSSA and Snyk, it's now possible to provide a custom license scanning url in the .clomonitor.yml metadata file. This should help when projects use other license scanning solution that we don't support yet (or when badges are not available as @dims mentioned).

In the case of the Kubernetes project, adding a CloMonitor metadata file (.clomonitor.yml) to the repository with the following content should make this check pass:

licenseScanning:
  url: https://testgrid.k8s.io/sig-security-snyk-scan#ci-kubernetes-snyk-master