daml/oss-compliance
2019-05-02 23:38:45 +00:00
.gitignore open-sourcing daml 2019-04-04 09:33:38 +01:00
check_oss_license.sh update all references of old repo to new repo 2019-04-04 16:20:07 +02:00
check-oss-licenses.py open-sourcing daml 2019-04-04 09:33:38 +01:00
extract-js.py open-sourcing daml 2019-04-04 09:33:38 +01:00
LICENSES_WHITE_LIST.csv open-sourcing daml 2019-04-04 09:33:38 +01:00
Makefile open-sourcing daml 2019-04-04 09:33:38 +01:00
PACKAGES_WHITE_LIST.csv open-sourcing daml 2019-04-04 09:33:38 +01:00
Pipfile Update urllib version to avoid security vulns warning (#864) 2019-05-02 15:39:32 -04:00
Pipfile.lock Update version in Pipfile.lock (#867) 2019-05-02 23:38:45 +00:00
README.md open-sourcing daml 2019-04-04 09:33:38 +01:00

Open Source Software Compliance

Overview

The package contains tools & processes to:

  • generate our open source Bill Of Materials
  • validate the open source licenses are in line with the permitted ones
  • [todo] validate the open source libraries are part of a

The tools ingest license information generated by language-specific tools (e.g. mvn & scala) to produce a consistent report covering all the open source libraries used.

Details about the language-specific tools used as inputs:

JDK

To retrieve JDK dependencies we use the Maven license plugin:

mvn license:aggregate-download-licenses

which generates an XML file containing all the relevant licenses extracted from the Maven POMs.

Haskell

The Haskell licensing checks are now done in ../../da-docs-daml-user-guide/licenses/extract.py

OSS Compliance in Action

The logical steps are the following:

  • generate a list of dependencies for both Haskell and Java (and JavaScript in the future)
  • for each single dependency, check whether its license and its package are white-listed
  • any dependency whose license or package is not white-listed is then considered non-compliant

Licenses

We use a white list approach: explicitly defining which licenses are allowed.

The white listed licenses are defined in LICENSES_WHITE_LIST.csv

As you can see the file is grouped by license group (e.g. EPL, Eclipse Public License).

The license group is a logical construct and is only used to group similar licenses in the csv file.

Especially in the Maven world, there are many variants on how an underlying open source license is named, so it makes sense to group them together.

Packages

PACKAGES_WHITE_LIST.csv is a way to filter out packages created internally from the check.
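To make the white-list logic above concrete, here is an added example (not the repository's check-oss-licenses.py or check_oss_license.sh) that walks the two inputs end to end: it parses a constructed licenses.xml of the shape written by mvn license:aggregate-download-licenses, loads a license white list grouped by license group and a package white list, and reports every dependency that is neither covered by a permitted license nor an internal package. The XML element names, the CSV column names (license_group, license_name, package) and all sample dependencies are assumptions for the example; the real white-list files in this directory may use different columns. Name normalisation and the "any one permitted license suffices" rule for dual-licensed artifacts are design choices of the example, not something the page specifies.

```python
"""Added example: minimal OSS white-list compliance check over constructed inputs."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of the aggregate-download-licenses output (assumed layout).
LICENSES_XML = """<licenseSummary>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.26</version>
      <licenses><license><name>MIT License</name></license></licenses>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>9.4.0</version>
      <licenses>
        <license><name>Eclipse Public License - v 1.0</name></license>
        <license><name>Apache Software License - Version 2.0</name></license>
      </licenses>
    </dependency>
    <dependency>
      <groupId>com.digitalasset</groupId><artifactId>internal-lib</artifactId><version>0.1</version>
      <licenses/>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>mystery-lib</artifactId><version>2.0</version>
      <licenses><license><name>Custom Proprietary License</name></license></licenses>
    </dependency>
    <dependency>
      <groupId>com.example</groupId><artifactId>no-license</artifactId><version>1.0</version>
    </dependency>
  </dependencies>
</licenseSummary>"""

# Constructed white lists; columns are an assumption of this example.
LICENSES_CSV = """license_group,license_name
MIT,MIT License
MIT,The MIT License
EPL,Eclipse Public License - v 1.0
EPL,Eclipse Public License 1.0
Apache,Apache License 2.0
"""

PACKAGES_CSV = """package
com.digitalasset:internal-lib
"""


def _norm(name):
    """Collapse whitespace and case so Maven's spelling variants still match."""
    return " ".join(name.split()).lower()


def load_license_whitelist(csv_text):
    """Map each permitted license name to its logical license group."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {_norm(row["license_name"]): row["license_group"].strip() for row in reader}


def load_package_whitelist(csv_text):
    """Set of groupId:artifactId coordinates that are internal and skip the license check."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["package"].strip() for row in reader}


def parse_maven_licenses(xml_text):
    """Extract (package, version, declared license names) from the plugin's XML."""
    root = ET.fromstring(xml_text)
    deps = []
    for dep in root.iter("dependency"):
        coords = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        names = [lic.findtext("name", default="").strip() for lic in dep.iter("license")]
        deps.append({"package": coords, "version": dep.findtext("version"),
                     "licenses": [n for n in names if n]})
    return deps


def check_compliance(deps, license_wl, package_wl):
    """Classify each dependency; a dependency passes if its package is white-listed
    or at least one declared license maps to a permitted license group."""
    compliant, non_compliant = [], []
    for dep in deps:
        if dep["package"] in package_wl:
            compliant.append((dep["package"], "package white-listed"))
            continue
        groups = [license_wl[_norm(n)] for n in dep["licenses"] if _norm(n) in license_wl]
        if groups:
            compliant.append((dep["package"], f"license group {groups[0]}"))
        elif not dep["licenses"]:
            non_compliant.append((dep["package"], "no license declared"))
        else:
            non_compliant.append((dep["package"],
                                  "license(s) not white-listed: " + "; ".join(dep["licenses"])))
    return {"compliant": compliant, "non_compliant": non_compliant}


if __name__ == "__main__":
    report = check_compliance(parse_maven_licenses(LICENSES_XML),
                              load_license_whitelist(LICENSES_CSV),
                              load_package_whitelist(PACKAGES_CSV))
    for pkg, reason in report["non_compliant"]:
        print(f"NON-COMPLIANT {pkg}: {reason}")
    raise SystemExit(1 if report["non_compliant"] else 0)
```

Run as a script it exits non-zero when anything is non-compliant, which is the behaviour a `make oss-compliance` target needs to fail a build. Note that a dependency with no license declared at all is reported, not silently passed: missing metadata is the most common way an unreviewed license slips through a check like this.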

What if the check fails?

Failure due to a non white-listed dependency

Please coordinate with the SPG group to ensure the offending license is reviewed with the CTO / General Counsel.

It may be a variation of an already approved license. If that's the case, once approved, it can be added to the white listed licenses.

TODO: provide a link to a list of approved licenses

How to invoke the compliance check

To run the OSS compliance check, invoke:

make oss-compliance

This will then trigger the following:

check_oss_license.sh