New pipeline check that fails on deps licensing issues using ORT (#157)

sequentech · Nov 26, 2021 · b5b337b · b5b337b
1 parent ae13495
commit b5b337b
Show file tree

Hide file tree

Showing 15 changed files with 87 additions and 82 deletions.
diff --git a/.github/workflows/ort.yml b/.github/workflows/ort.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2014-2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 name: ORT licensing
 
 on:
@@ -25,14 +28,14 @@ jobs:
         id: ort-action
         uses: edulix/ort-action@develop
         with:
-          fail-on: hints
           package-curations-dir: .ort-data/curations-dir/
           rules-file: .ort-data/rules.kts
           license-classifications-file: .ort-data/license-classifications.yml
           reporters: AdocTemplate,PdfTemplate,Excel,StaticHtml,WebApp
+          ort-extra-args: -P ort.severeRuleViolationThreshold=HINT --debug
           report-extra-args: >
             --report-option
-            ADocTemplate=template.path=/project/.ort-data/disclosure_document.ftl
+            PdfTemplate=template.path=/project/.ort-data/disclosure_document.ftl
 
       - uses: actions/upload-artifact@v2
         with:

diff --git a/.ort-data/curations-dir/agora-gui-booth.yml b/.ort-data/curations-dir/agora-gui-booth.yml
@@ -1,7 +1,10 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "Yarn::agora-gui-booth"
   curations:
     comment: "This package needs to be downloaded from git"
     vcs:
       type: "git"
-      url: "https://github.com/Bernardo-Castilho/dragdroptouch.git"
-      revision: "058f0eca96e57ad695f0d5dd2d7bd492ef1c4e47"
+      url: "https://github.com/agoravoting/agora-gui-common.git"
+      revision: "4.0.1"
diff --git a/.ort-data/curations-dir/bsd_license.yml b/.ort-data/curations-dir/bsd_license.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 ---
 - id: "PyPI::babel"
   curations:

diff --git a/.ort-data/curations-dir/distlib.yml b/.ort-data/curations-dir/distlib.yml
@@ -1,6 +1,9 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "PyPI::distlib"
   curations:
     comment: "Invalid license with a space."
     declared_license_mapping:
       "BSD License": "BSD-3-Clause"
-      "Python license": "PSF-2.0"
+      "Python license": "PSF-2.0"
diff --git a/.ort-data/curations-dir/drangandroptouch.yml b/.ort-data/curations-dir/drangandroptouch.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "dragandroptouch"
   curations:
     comment: "This package needs to be downloaded from git"

diff --git a/.ort-data/curations-dir/fractionjs.yml b/.ort-data/curations-dir/fractionjs.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "NPM::fraction.js"
   curations:
     comment: "The package is detected as GPL because it's double licensed with GPL and MIT, so we use the MIT"

diff --git a/.ort-data/curations-dir/java.yml b/.ort-data/curations-dir/java.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "Maven:javax.cache:cache-api"
   curations:
     comment: "Incorrectly matched license, see https://search.maven.org/artifact/javax.cache/cache-api"
@@ -14,4 +17,4 @@
   curations:
     comment: "H2 is dual licensed and available under the MPL 2.0 (Mozilla Public License Version 2.0) or under the EPL 1.0 (Eclipse Public License). http://h2database.com/html/license.html"
     declared_license_mapping:
-      "The H2 License, Version 1.0": "EPL-1.0"
+      "The H2 License, Version 1.0": "EPL-1.0"
diff --git a/.ort-data/curations-dir/jszip.yml b/.ort-data/curations-dir/jszip.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "NPM::jszip"
   curations:
     comment: "The package is detected as GPL-3.0-only because it's double licensed with GPL-3.0-only and MIT, so we use the MIT"

diff --git a/.ort-data/curations-dir/psycopg2-binary.yml b/.ort-data/curations-dir/psycopg2-binary.yml
@@ -1,5 +1,8 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "PyPI::psycopg2-binary"
   curations:
     comment: "Incorrectly matched license."
     declared_license_mapping:
-      "LGPL with exceptions": "LGPL-2.0-only"
+      "LGPL with exceptions": "LGPL-2.0-only"
diff --git a/.ort-data/curations-dir/pycryptodomex.yml b/.ort-data/curations-dir/pycryptodomex.yml
@@ -1,6 +1,9 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "PyPI::pycryptodomex"
   curations:
     comment: "Incorrectly matched license."
     declared_license_mapping:
       "BSD, Public Domain": "BSD-3-Clause"
-      "BSD License": "BSD-3-Clause"
+      "BSD License": "BSD-3-Clause"
diff --git a/.ort-data/curations-dir/reportlab.yml b/.ort-data/curations-dir/reportlab.yml
@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "PyPI::reportlab"
   curations:
     comment: "Incorrectly matched license."

diff --git a/.ort-data/curations-dir/rng-js.yml b/.ort-data/curations-dir/rng-js.yml
@@ -1,5 +1,8 @@
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
 - id: "NPM::rng-js"
   curations:
     comment: "Declared license is misspelled with a 'c' - UK vs. US English."
     declared_license_mapping:
-      Unlicence: "Unlicense"
+      Unlicence: "Unlicense"
diff --git a/.ort-data/disclosure_document.ftl b/.ort-data/disclosure_document.ftl
@@ -1,22 +1,9 @@
 [#--
-Copyright (C) 2020 HERE Europe B.V.
-Copyright (C) 2020-2021 Bosch.IO GmbH
-Copyright (C) 2021 Agora Voting SL
+SPDX-FileCopyrightText: 2020 HERE Europe B.V.
+SPDX-FileCopyrightText: 2020-2021 Bosch.IO GmbH
+SPDX-FileCopyrightText: 2021 Agora Voting SL
 
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
-License-Filename: LICENSE
+SPDX-License-Identifier: AGPL-3.0-only
 --]
 
 [#--
@@ -50,13 +37,37 @@ If not present, the text is displayed normally.
 :revdate: ${now?date?iso_local}
 :revnumber: 1.0.0
 
+== Issue Summary
+
+[#-- List all issues and their status --]
+[#if tabularScanRecord.issueSummary.rows?size > 0]
+
+[#assign
+issueErrors = tabularScanRecord
+    .issueSummary
+    .errorCount
+]
+
+[#assign
+issueWarns = tabularScanRecord
+    .issueSummary
+    .warningCount
+]
+
+[#assign
+issueHint = tabularScanRecord
+    .issueSummary
+    .hintCount
+]
+${issueErrors} errors, ${issueWarns} warnings, ${issueHint} hints to resolve
+[#else]
+0 errors, 0 warnings, 0 hints to resolve[/#if]
 
+== Projects Licenses
 [#if projects?has_content]
 [#--Merge the licenses and copyrights of all projects into a single list. The default LicenseView.ALL is used because--]
 [#--projects cannot have a concluded license (compare with the handling of packages below). --]
 
-== Projects Licenses
-
 [#list projects as project]
 
 === ${project.id.name}
@@ -71,14 +82,10 @@ If not present, the text is displayed normally.
 [#assign copyrights = resolvedLicense.getCopyrights(true)]
 [#list copyrights as copyright]
 ** +${copyright}+
-[#else]
-** No copyright found.
 [/#list]
-
 [/#list]
 [/#list]
 [/#if]
-<<<
 
 [#-- List all rule violations and their status --]
 == Rule Violation Summary
@@ -127,31 +134,6 @@ No rule violations found.
 
 [/#if]
 
-[#-- List all issues and their status --]
-[#if tabularScanRecord.issueSummary.rows?size > 0]
-== Issue Summary
-
-[#assign
-issueErrors = tabularScanRecord
-    .issueSummary
-    .errorCount
-]
-
-[#assign
-issueWarns = tabularScanRecord
-    .issueSummary
-    .warningCount
-]
-
-[#assign
-issueHint = tabularScanRecord
-    .issueSummary
-    .hintCount
-]
-${issueErrors} errors, ${issueWarns} warnings, ${issueHint} hints to resolve
-
-[/#if]
-
 [#-- Add the licenses of all dependencies. --]
 == Dependencies
 
@@ -179,8 +161,6 @@ License File: <<${ModelExtensions.toPurl(package.id)} ${licenseFile.path}, ${lic
 [#assign copyrights = licenseFile.getCopyrights()]
 [#list copyrights as copyright]
 ** +${copyright}+
-[#else]
-** No copyright found.
 [/#list]
 
 [/#list]
@@ -216,14 +196,11 @@ The following licenses and copyrights were found in the source code of this pack
 [#assign copyrights = resolvedLicense.getCopyrights(true)]
 [#list copyrights as copyright]
 ** +${copyright}+
-[#else]
-** No copyright found.
 [/#list]
 
 [/#list]
 [/#if]
 [/#list]
-<<<
 
 [#assign
 packagesWithLicenseFiles = 
@@ -297,6 +274,4 @@ ${exceptionText}
 
 [/#if]
 [/#if]
-++++
-<<<
-[/#list]
+[/#list]
diff --git a/.ort-data/license-classifications.yml b/.ort-data/license-classifications.yml
@@ -1,4 +1,9 @@
 ---
+# SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+# SPDX-FileCopyrightText: 2020-2021 Bosch.IO GmbH
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+#
 # Example license-classifications.yml based on categorization from
 # https://github.com/nexB/scancode-toolkit/commit/ed644e4
 #

diff --git a/.ort-data/rules.kts b/.ort-data/rules.kts
@@ -1,20 +1,8 @@
 /*
- * Copyright (C) 2019 HERE Europe B.V.
+ * SPDX-FileCopyrightText: 2021 Agora Voting SL <[email protected]>
+ * SPDX-FileCopyrightText: 2019 HERE Europe B.V.
  *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * License-Filename: LICENSE
+ * SPDX-License-Identifier: AGPL-3.0-only
  */
 
 /*******************************************************
@@ -220,8 +208,9 @@ val ruleSet = ruleSet(ortResult, licenseInfoResolver) {
 
             issue(
                 Severity.ERROR,
-                "The project ${project.id.toCoordinates()} has a dependency licensed under the ScanCode " +
-                        "copyleft categorized license $license.",
+                "The project ${project.id.toCoordinates()} has the dependency " +
+                "${dependency.id.toCoordinates()} licensed under the ScanCode " +
+                "copyleft categorized license $license.",
                 howToFixDefault()
             )
         }