daml/NOTICES.md

# Open Source Software Compliance

## Overview

We currently use an asynchronous, daily cron job to check the compliance of our
libraries (and check for vulnerabilities at the same time). If the NOTICES file
needs changing, the cron job will generate a PR to update it.

The cron job leverages Bazel to generate the list of dependencies, and relies
on BlackDuck to flag license violations and security advisories.

## Licenses

Which licenses are or are not acceptable is maanged at the Blackduck level.

## What if the check fails?

Checks can fail for a number of reasons. Here are the common ones:

- A library is using a license we don't allow. Check with security & legal to
  see if the license can be added; if not, remove the dependency.
- A library is incorrectly classified on BlackDuck: it should have an allowed
  license, but somehow the information on BlackDuck disagrees with that.
  Contact Security to sort it out.
- A library triggers a security notice. That will depend on the specific issue;
  in general, upgrading the library may help.
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`# Open Source Software Compliance`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`## Overview`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`We currently use an asynchronous, daily cron job to check the compliance of our`
			`libraries (and check for vulnerabilities at the same time). If the NOTICES file`
			`needs changing, the cron job will generate a PR to update it.`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`The cron job leverages Bazel to generate the list of dependencies, and relies`
			`on BlackDuck to flag license violations and security advisories.`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`## Licenses`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`Which licenses are or are not acceptable is maanged at the Blackduck level.`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`## What if the check fails?`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`Checks can fail for a number of reasons. Here are the common ones:`
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> 2020-12-07 22:59:39 +03:00
cleanup oss-compliance & NOTICES.md (#8242) Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END 2020-12-10 18:45:56 +03:00			`- A library is using a license we don't allow. Check with security & legal to`
			`see if the license can be added; if not, remove the dependency.`
			`- A library is incorrectly classified on BlackDuck: it should have an allowed`
			`license, but somehow the information on BlackDuck disagrees with that.`
			`Contact Security to sort it out.`
			`- A library triggers a security notice. That will depend on the specific issue;`
			`in general, upgrading the library may help.`