feat: adding fossa scan to workflow (#50)

Author: uoboda-splunk

.github/workflows/reusable-build-test-release.yml

@@ -30,6 +30,9 @@ on:
       OTHER_TA_REQUIRED_CONFIGS:
         description: other required configs
         required: true
+      FOSSA_API_KEY:
+        description: API token for FOSSA app
+        required: true
 
 jobs:
   meta:
@@ -95,33 +98,30 @@ jobs:
         id: sample-scanner
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GH_TOKEN }}
-  compliance-dependencies:
-    name: compliance-dependencies
-    runs-on: ubuntu-latest
 
+  fossa-scan:
+    continue-on-error: true
+    runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: ort-action
-        uses: splunk/addonfactory-ort-action@v1.6
-        id: ort-action
-        with:
-          WorkDir: .
-          UsePython3: "3.7"
-      - name: ort-action-artifacts-reports
-        uses: actions/upload-artifact@v2
-        with:
-          name: analysis-reports
-          path: |
-            .ort/reports/*
-        if: always()
-      - name: ort-action-artifacts-analyzer
+      - uses: actions/checkout@v3
+      - name: run fossa anlyze and create report
+        run: |
+          curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
+          fossa analyze --debug
+          fossa report attribution --format text > /tmp/THIRDPARTY
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+      - name: upload THIRDPARTY file
         uses: actions/upload-artifact@v2
         with:
-          name: analysis-analyzer
-          path: |
-            .ort/analyzer/*
-        if: always()
+          name: THIRDPARTY
+          path: /tmp/THIRDPARTY
+      - name: run fossa test
+        run: |
+          fossa test --debug
+        env:
+          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
+
   compliance-copyrights:
     name: compliance-copyrights
     runs-on: ubuntu-latest
@@ -183,37 +183,11 @@ jobs:
         with:
           publishToken: ${{ secrets.SEMGREP_PUBLISH_TOKEN }}
 
-#   Commentig it out as a INFRA-35392
-#   TODO use FOSSA instead of SNYK
-
-#   snyk:
-#     name: security-vuln-snyk
-#     runs-on: ubuntu-latest
-#     steps:
-#       - uses: actions/checkout@v2
-#       - name: Setup python
-#         uses: actions/setup-python@v2
-#         with:
-#           python-version: 3.7
-#       - uses: snyk/actions/setup@master
-#       - uses: actions/setup-go@v2.1.5
-#         with:
-#           go-version: "1.13"
-#       - name: Snyk monitor
-#         run: snyk test --sarif-file-output=snyk-scan_requirements.sarif --all-projects --print-deps --severity-threshold=high
-#         env:
-#           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-#       - uses: actions/upload-artifact@v2
-#         if: always()
-#         with:
-#           name: snyk-results
-#           path: snyk-scan_requirements.sarif
-      
   build:
     name: build
     runs-on: ubuntu-latest
     needs:
-      - compliance-dependencies
+      - fossa-scan
     outputs:
       buildname: ${{ steps.buildupload.outputs.name }}
     steps:
@@ -278,12 +252,11 @@ jobs:
           PrNumber: ${{ github.event.number }}
       - uses: actions/download-artifact@v2
         with:
-          name: analysis-reports
-          path: /tmp/analysis-reports
+          name: THIRDPARTY
+          path: /tmp/THIRDPARTY
       - name: Update Notices
         run: |
-          cp -f /tmp/analysis-reports/NOTICE_default THIRDPARTY || true
-          cp -f /tmp/analysis-reports/NOTICE_default package/THIRDPARTY || true
+          cp -f /tmp/THIRDPARTY package/THIRDPARTY
       - name: Build Package
         id: uccgen
         uses: splunk/addonfactory-ucc-generator-action@v1
@@ -1272,7 +1245,6 @@ jobs:
     needs:
       - meta
       - compliance-sample-scanner
-      - compliance-dependencies
       - compliance-copyrights
       - lint
       - review_secrets

README.md

@@ -104,38 +104,26 @@ compliance-sample-scanner
 <img src="images/sample_scanner/report_link.png" alt="report_link" style="width:200px;"/>
 
 
-compliance-dependencies
+fossa-scan
 =======================
 
 **Description:**
 
-- This action scans a project for third party components and reports the results. This action contains a curation file managed by Splunk Inc.
-
-**Action used:** https://github.com/splunk/addonfactory-ort-action
+- This action scans a project for third party components and reports the results. This action checks license compliance and vulnerabilities. This file uses `.fossa.yml` configuration file
 
 **Pass/fail behaviour:**
 
-- This stage fails if there are any errors or dependencies while installing requirements.txt generated from pyproject.toml
+- This stage fails if FOSSA finds any license or security issues. Detected issues can be found in FOSSA app site https://app.fossa.com/. Link to direct report is generated per job and printed in logs. License issues should be checked by legal team, vulnerabilities should be solved by TA-dev or TA-qa team with assist of prodsec team if needed (some issues with critical status for example).
 
 **Troubleshooting steps for failures if any:** 
 
-- The error log is present in the stage as well as in the artifacts scan-report.xlsx , user should be able to reproduce that in local and fix/update the requirements accordingly.
-
-i.e <img src="images/compliance-dependencies/scan-reports-error.png" alt="scan-reports-error" style="width:200px;"/>
+- The error log is present in the stage as well user should be able to reproduce that in local environment with FOSSA CLI tool https://github.com/fossas/fossa-cli
 
 
 **Artifacts:**
 
 ```
-analysis-analyzer
-    - analyzer-result.json
-
-analysis-reports
-    - scan-report.xlsx
-    - NOTICE_summary
-    - NOTICE_default
-    - bom.spdx.yml
-    - AsciiDoc_disclosure_document.pdf
+THIRDPARTY
 ```
 
 compliance-copyrights