daml/oss-compliance
Gary Verhaegen 1872c668a5
replace DAML Authors with DA in copyright headers (#5228)
Change requested by Manoj.

CHANGELOG_BEGIN
CHANGELOG_END
2020-03-27 01:26:10 +01:00
..
.gitignore open-sourcing daml 2019-04-04 09:33:38 +01:00
check_oss_license.sh replace DAML Authors with DA in copyright headers (#5228) 2020-03-27 01:26:10 +01:00
check-oss-licenses.py replace DAML Authors with DA in copyright headers (#5228) 2020-03-27 01:26:10 +01:00
extract-js.py replace DAML Authors with DA in copyright headers (#5228) 2020-03-27 01:26:10 +01:00
LICENSES_WHITE_LIST.csv open-sourcing daml 2019-04-04 09:33:38 +01:00
Makefile open-sourcing daml 2019-04-04 09:33:38 +01:00
PACKAGES_WHITE_LIST.csv open-sourcing daml 2019-04-04 09:33:38 +01:00
Pipfile Update urllib version to avoid security vulns warning (#864) 2019-05-02 15:39:32 -04:00
Pipfile.lock Update version in Pipfile.lock (#867) 2019-05-02 23:38:45 +00:00
README.md Move code in daml-tools outside of daml-foundations (#2033) 2019-07-08 11:40:48 +02:00

Open Source Software Compliance

Overview

The package contains tools & processes to:

  • generate our open source Bill Of Materials
  • validate the open source licenses are in line with the permitted ones
  • [todo] validate the open source libraries are part of a

The tools ingest license information generated by language specific tools (e.g. mvn & scala) to produce a consistent report covering on all the open source libraries used.

Details about language specifics tools used as inputs:

JDK

To retrieve JDK dependencies we are using the license maven plugin:

mvn license:aggregate-download-licenses

generating an xml file containing all the relevant licenses extracted from the maven poms.

Haskell

The Haskell licensing checks are now done in ../../da-docs-daml-user-guide/licenses/extract.py

OSS Compliance in Action

The logical steps are the following:

  • generate a list of dependencies for both haskell and java (and javascript in the future)
  • for each single dependency, check:
  • any dependency whose license or package is not whitelisted is then considered non compliant

Licenses

We use a white list approach: explicitly defining which licenses are allowed.

The white listed licenses are defined in LICENSES_WHITE_LIST.csv

As you can see the file is grouped by license group (e.g. EPL, Eclipse Public License).

The license group is a logical constructor and it's only used to group similar licenses in the csv file.

Especially in the maven world, there are many variants on how a an underlying open source license is defined that makes sense to group them together.

Packages

PACKAGES_WHITE_LIST.csv is a way to filter packages created internally.

What if the check fails?

Failure due to a non white-listed dependency

Please coordinate with the SPG group to ensure the offending license is reviewed with CTO / General Counselor.

It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.

TODO: provide a link to a list of approved licenses

How to invoke the compliance check

To invoke the oss compliance check, invoke:

make oss-compliance

This will then trigger the following:

check_oss_license.sh