From 5a9c5383236c4a2b64debeb7b66d77078a62f6dc Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 11 Mar 2025 22:06:06 +0000
Subject: [PATCH 1/2] NF-1014: Incorporate FOSSology into CI for license compliance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

• Added run_license_scan.sh script for license compliance scanning
• Added license compliance scan job to CI workflow
• Added VSCode task for local license compliance scanning

Co-Authored-By: zfields@blues.com
---
 .github/workflows/ci.yml | 19 +++++++++
 .vscode/tasks.json | 15 +++++++
 scripts/run_license_scan.sh | 84 +++++++++++++++++++++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100755 scripts/run_license_scan.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 44da2839..4ae375b5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -187,6 +187,25 @@ jobs:
 run: |
 docker run --rm --volume $(pwd):/note-c/ --workdir /note-c/ --entrypoint ./scripts/run_cppcheck.sh ghcr.io/blues/note_c_ci:latest
 
+ run_license_scan:
+ runs-on: ubuntu-latest
+ if: ${{ always() }}
+ needs: [build_ci_docker_image]
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Load CI Docker image
+ # Only load the Docker image artifact if build_ci_docker_image actually
+ # ran (e.g. it wasn't skipped and was successful).
+ if: ${{ needs.build_ci_docker_image.result == 'success' }}
+ uses: ./.github/actions/load-ci-image
+
+ - name: Run license compliance scan
+ run: |
+ docker run --rm --volume $(pwd):/note-c/ --workdir /note-c/ --entrypoint ./scripts/run_license_scan.sh ghcr.io/blues/note_c_ci:latest
+
 publish_ci_image:
 runs-on: ubuntu-latest
 # Make sure unit tests unit tests passed before publishing.
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index b00c48ce..a0d20cc9 100644
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
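Review bot: The `Run license compliance scan` step runs unconditionally under `if: ${{ always() }}`, so when `build_ci_docker_image` fails or is skipped the `Load CI Docker image` step is skipped and `docker run ghcr.io/blues/note_c_ci:latest` pulls whatever the registry currently holds under the mutable `latest` tag instead of the image built for this commit. That mirrors the `run_cppcheck` job in the context lines, but for a compliance gate the result then depends on registry state rather than the reviewed Dockerfile; gating the run step with `if: ${{ needs.build_ci_docker_image.result == 'success' }}` or pinning the image by digest would make it reproducible. `--volume $(pwd):/note-c/` is also unquoted, which breaks on a checkout path containing spaces (harmless on the runner's default path); `--volume "$(pwd):/note-c/"` is the safe form. Nothing visible in the hunk consumes this job's result, so a failed scan may not block `publish_ci_image` — its `needs` list is outside the hunk.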
@@ -119,6 +119,21 @@
 "$gcc"
 ],
 "group": "test"
+ },
+ {
+ "label": "Note-C: Run License Compliance Scan",
+ "type": "shell",
+ "command": "${workspaceFolder}/scripts/run_license_scan.sh",
+ "options": {
+ "cwd": "${workspaceFolder}",
+ "env": {
+ "LC_ALL": "C"
+ }
+ },
+ "problemMatcher": [
+ "$gcc"
+ ],
+ "group": "test"
 }
 ]
 }
diff --git a/scripts/run_license_scan.sh b/scripts/run_license_scan.sh
new file mode 100755
index 00000000..bfe094bc
--- /dev/null
+++ b/scripts/run_license_scan.sh
@@ -0,0 +1,84 @@
+#!/bin/bash
+set -eo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+SRC_DIR="$SCRIPT_DIR/.."
+
+echo "Running License Compliance Analysis..."
+echo
+
+# Create a function to generate the summary
+generate_summary() {
+ {
+ # Initialize flag
+ has_critical_issues=false
+
+ echo
+
+ # Always generate and display summary regardless of exit code
+ echo "=== License Compliance Summary ==="
+ echo
+
+ # Display critical issues
+ echo "Critical License Issues:"
+ echo "------------------------"
+ grep -E "Critical:" fossology_output.txt | sort | uniq || echo "None found"
+ echo
+
+ # Display license findings
+ echo "License Findings:"
+ echo "----------------"
+ grep -E "License:" fossology_output.txt | grep -v "Critical:" | sort | uniq || echo "None found"
+ echo
+
+ # Display copyright findings
+ echo "Copyright Findings:"
+ echo "------------------"
+ grep -E "Copyright:" fossology_output.txt | sort | uniq || echo "None found"
+ echo
+
+ # Count issues by category
+ echo " Issue Count by Category: "
+ echo "-------------------------"
+ for category in "Critical" "License" "Copyright" "Keyword"; do
+ count=$(grep -c "${category}:" fossology_output.txt) || true
+ printf "%-15s %3d findings\n" "${category}:" "$count"
+
+ # Check if 'category' is 'Critical' and if 'count' is greater than 0
+ if [[ "$category" == "Critical" ]] && [ "$count" -gt 0 ]; then
+ has_critical_issues=true
+ fi
+ done
+ echo
+
+ # Display status and details
+ if $has_critical_issues; then
+ echo "Status: FAILED - Critical license issues found"
+ echo
+ echo "Review and fix critical license issues before proceeding"
+ else
+ echo "Status: PASSED - No critical license issues found"
+ echo
+ echo "Note: Review non-critical findings for potential improvements"
+ fi
+ }
+
+ # Return 1 if critical issues found, 0 otherwise
+ if $has_critical_issues; then
+ return 1
+ else
+ return 0
+ fi
+}
+
+# Run FOSSology scanner and capture output and exit code
+docker run --rm \
+ --volume "$SRC_DIR:/note-c/" \
+ --workdir /note-c/ \
+ fossology/fossology:scanner \
+ /bin/fossologyscanner nomos ojo copyright keyword repo 2>&1 | tee fossology_output.txt
+
+generate_summary
+
+# Exit with FOSSology's status code
+exit $?

From 96ef1bc18dabcaeb881b90e26a812c2123824fd9 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 11 Mar 2025 22:09:14 +0000
Subject: [PATCH 2/2] NF-1014: Fix license scan script to run without Docker-in-Docker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

• Modified run_license_scan.sh to install and use FOSSology tools directly
• Removed Docker container usage to ensure compatibility with CI environment
• Added direct file scanning with nomossa and copyright tools

Co-Authored-By: zfields@blues.com
---
 scripts/run_license_scan.sh | 70 +++++++++++++++++++++++++++++++++----
 1 file changed, 63 insertions(+), 7 deletions(-)

diff --git a/scripts/run_license_scan.sh b/scripts/run_license_scan.sh
index bfe094bc..83f1d216 100755
--- a/scripts/run_license_scan.sh
+++ b/scripts/run_license_scan.sh
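Review bot: `exit $?` on the last line of the new script can only ever exit 0: `generate_summary` is invoked as a bare command under `set -e`, so a non-zero return already terminates the script at that call, and the `exit` line is reached only when the status was 0. The exit status therefore tracks the summary by accident, not the `docker run` the comment names — the scanner's status is swallowed by `| tee`, and under `pipefail` a scanner failure aborts the script before any summary prints, contrary to the `# Always generate and display summary regardless of exit code` comment inside `generate_summary`. Making the intent explicit with `if generate_summary; then exit 0; else exit 1; fi` (or simply letting `generate_summary` be the last command) and capturing the scan pipeline's status with `|| scan_rv=$?` would let the summary run even when the scanner fails. `fossology_output.txt` is written to and read from the current directory rather than `$SRC_DIR` and is never removed; a `mktemp` path with a `trap … EXIT` cleanup would keep the report out of the scanned tree.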
@@ -7,6 +7,32 @@ SRC_DIR="$SCRIPT_DIR/.."
 echo "Running License Compliance Analysis..."
 echo
 
+# Install FOSSology scanners if not already installed
+if ! command -v nomossa &> /dev/null || ! command -v copyright &> /dev/null; then
+ echo "Installing FOSSology scanners..."
+ apt-get update -qq
+ apt-get install -y --no-install-recommends wget ca-certificates
+
+ # Create a temporary directory for FOSSology tools
+ mkdir -p /tmp/fossology
+ cd /tmp/fossology
+
+ # Download and extract FOSSology CLI tools
+ wget -q https://github.com/fossology/fossology/releases/download/4.4.0/fossology-4.4.0-1_amd64.deb
+ dpkg -x fossology-4.4.0-1_amd64.deb .
+
+ # Copy the scanner binaries to a location in PATH
+ cp -f usr/lib/fossology/agents/nomossa /usr/local/bin/
+ cp -f usr/lib/fossology/agents/ojo /usr/local/bin/
+ cp -f usr/lib/fossology/agents/copyright /usr/local/bin/
+
+ # Clean up
+ cd -
+ rm -rf /tmp/fossology
+
+ echo "FOSSology scanners installed successfully."
+fi
+
 # Create a function to generate the summary
 generate_summary() {
 {
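Review bot: The install block fetches `fossology-4.4.0-1_amd64.deb` with `wget -q` and copies binaries out of it into `/usr/local/bin/` with no integrity check, so the license gate executes whatever the release URL serves at scan time; verifying a pinned digest with `sha256sum -c` — or, better, baking the agents into the `note_c_ci` image in its Dockerfile so the scan job installs nothing — is the expected control for a compliance tool. `mkdir -p /tmp/fossology` uses a fixed, predictable path instead of `mktemp -d`, and `apt-get install` plus `cp` into system directories presuppose root, which the VSCode task from the first patch presumably will not have on a developer machine. `ojo` is copied but never invoked anywhere in the script, and the agents are lifted out of the package without its shared-library or data dependencies, so they may fail at runtime inside the CI image — worth confirming against the .deb's contents. `cd -` also prints the previous directory to stdout, interleaving with the scan report.
```shell
work_dir="$(mktemp -d)"
trap 'rm -rf -- "$work_dir"' EXIT
# … unchanged: apt-get update / install …
wget -q -O "$work_dir/fossology.deb" https://github.com/fossology/fossology/releases/download/4.4.0/fossology-4.4.0-1_amd64.deb
# <EXPECTED_SHA256> is a placeholder: record the release's published digest here
echo "<EXPECTED_SHA256>  $work_dir/fossology.deb" | sha256sum -c -
dpkg -x "$work_dir/fossology.deb" "$work_dir"
# … unchanged: cp of nomossa / copyright into /usr/local/bin …
```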
@@ -71,14 +97,44 @@ generate_summary() {
 fi
 }
 
-# Run FOSSology scanner and capture output and exit code
-docker run --rm \
- --volume "$SRC_DIR:/note-c/" \
- --workdir /note-c/ \
- fossology/fossology:scanner \
- /bin/fossologyscanner nomos ojo copyright keyword repo 2>&1 | tee fossology_output.txt
+# Create output file
+touch fossology_output.txt
+
+# Run license scanners directly
+echo "Running Nomos license scanner..."
+find "$SRC_DIR" -type f -not -path "*/\.*" -not -path "*/build/*" | while read -r file; do
+ if [ -f "$file" ]; then
+ # Run nomos scanner
+ if command -v nomossa &> /dev/null; then
+ result=$(nomossa "$file" 2>/dev/null || echo "No license found")
+ if [ "$result" != "No license found" ]; then
+ echo "License: $result in $file" >> fossology_output.txt
+
+ # Check for non-MIT licenses (example of a critical issue)
+ if [[ "$result" != *"MIT"* ]] && [[ "$result" != *"SPDX"* ]]; then
+ echo "Critical: Non-MIT license found: $result in $file" >> fossology_output.txt
+ fi
+ fi
+ fi
+
+ # Run copyright scanner
+ if command -v copyright &> /dev/null; then
+ copyright_result=$(copyright "$file" 2>/dev/null || echo "")
+ if [ -n "$copyright_result" ]; then
+ echo "Copyright: $copyright_result in $file" >> fossology_output.txt
+ fi
+ fi
+ fi
+done
+
+# Run keyword scanner (simple implementation)
+echo "Running keyword scanner..."
+grep -r --include="*.c" --include="*.h" --include="*.cpp" --include="*.hpp" -l "GPL\|GNU" "$SRC_DIR" | while read -r file; do
+ echo "Keyword: Potential GPL reference in $file" >> fossology_output.txt
+ echo "Critical: Potential GPL license reference in $file" >> fossology_output.txt
+done
 
 generate_summary
 
-# Exit with FOSSology's status code
+# Exit with summary's status code
 exit $?
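Review bot: The `find` on the new side scans nothing: `SRC_DIR` is `$SCRIPT_DIR/..` with the `..` left unresolved (set in the script header, outside this hunk), so every path `find` prints has the form `/…/scripts/../file`, which matches the dotfile exclusion `-not -path "*/\.*"` and is discarded — the nomos and copyright passes therefore contribute nothing and the `License:`/`Copyright:` sections of the summary are always empty. Normalizing the root once in the header, `SRC_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"`, makes the exclusion behave as intended. The keyword pass has the opposite failure: under `set -eo pipefail`, `grep -r … | while …; done` returns grep's status 1 when no `GPL`/`GNU` text is found — the expected clean state — and the script exits 1 before `generate_summary` ever runs, so append `|| true` to that pipeline (or test for status 1 explicitly) so only real grep errors abort. Separately, the non-MIT check treats any nomossa result not containing `MIT` or `SPDX` as critical; if nomossa reports unlicensed files with a `No_license_found` token in its stdout rather than a non-zero exit, as I believe it does, every file lacking a header lands in the `Critical:` list, which is worth confirming against the agent's output format before this gates merges. `fossology_output.txt` is also created in the current directory, which in CI is the scanned tree itself, so the report is both scanned and left behind.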