ANE 966: first party license scans [1/4] #1187
Conversation
spatten
force-pushed
the
ane-966-first-party-scans
branch
2 times, most recently
from
31cdc28
to
0db91b4
Compare
spatten
changed the title
src/App/Fossa/Analyze/Upload.hs
Outdated
| uploadFirstPartyAnalysisToS3AndCore :: | ||
| ( Has Diagnostics sig m | ||
| , Has FossaApiClient sig m | ||
| , Has StickyLogger sig m | ||
| ) => | ||
| ProjectRevision -> | ||
| ProjectMetadata -> | ||
| NE.NonEmpty FullSourceUnit -> | ||
| FullFileUploads -> | ||
| m UploadResponse | ||
| uploadFirstPartyAnalysisToS3AndCore revision metadata mergedUnits fullFileUploads = do | ||
| _ <- uploadFirstPartyAnalysisToS3 revision mergedUnits | ||
| uploadFirstPartyAnalysis revision metadata fullFileUploads | ||
|
|
||
| uploadFirstPartyAnalysisToS3 :: | ||
| ( Has Diagnostics sig m | ||
| , Has FossaApiClient sig m | ||
| , Has StickyLogger sig m | ||
| ) => | ||
| ProjectRevision -> | ||
| NE.NonEmpty FullSourceUnit -> | ||
| m () | ||
| uploadFirstPartyAnalysisToS3 revision mergedUnits = do | ||
| signedURL <- getSignedFirstPartyScanUrl $ PackageRevision{packageVersion = projectRevision revision, packageName = projectName revision} | ||
| logSticky $ "Uploading '" <> projectName revision <> "' to secure S3 bucket" | ||
| -- TODO: copy/paste/modify of uploadLicenseScanResult |
There was a problem hiding this comment.
I think these functions should be in the src/Control/Carrier/FossaApiClient/Internal directory where uploadAnalyis is located. Is there a circular dependency or something else preventing them from being in that API directory?
There was a problem hiding this comment.
I don't think these fit into the src/Control/Carrier/FossaApiClient/Internal directory. Those functions are all readers that have already had runFossaApiClient apiOpts run on them and just talk directly to the API.
These functions are calling out to the API (with getSignedFirstPartyScanUrl, uploadFirstPartyScanResult and uploadFirstPartyAnalysis) and logging things.
The uploadFirstPartyAnalysis and uploadFirstPartyScanResult functions are the equivalent of uploadAnalysis, and they live in the src/Control/Carrier/FossaApiClient/Internal directory
src/App/Fossa/FirstPartyScan.hs
Outdated
| firstPartyScanWithOrgInfo :: | ||
| ( Has Diagnostics sig m | ||
| , Has (Lift IO) sig m | ||
| , Has StickyLogger sig m | ||
| , Has Logger sig m | ||
| , Has Exec sig m | ||
| , Has ReadFS sig m | ||
| , Has FossaApiClient sig m | ||
| ) => | ||
| Path Abs Dir -> | ||
| StandardAnalyzeConfig -> | ||
| m (Maybe LicenseSourceUnit) | ||
| firstPartyScanWithOrgInfo root cfg = do | ||
| org <- getOrganization | ||
| firstPartyScanMain root cfg org |
There was a problem hiding this comment.
Does this function need to exist or could we have a new do block and grab org info right after we get Just apiOpts in the block above? This could also exist as a where function in the block above. Is this done to satisfy the FossaApiClient effect?
There was a problem hiding this comment.
I think we need this so that we can run runFossaApiClient apiOpts and satisfy the FossaApiClient effect.
There may be a way to do it in a where block, but I played around and this felt like the best solution to me
| @@ -615,6 +623,31 @@ uploadAnalysis apiOpts ProjectRevision{..} metadata sourceUnits = fossaReq $ do | |||
| resp <- req POST (uploadUrl baseUrl) (ReqBodyJson $ NE.toList sourceUnits) jsonResponse (baseOpts <> opts) | |||
| pure (responseBody resp) | |||
|
|
|||
| uploadFirstPartyAnalysis :: | |||
There was a problem hiding this comment.
| uploadFirstPartyAnalysis :: | |
| uploadFirstPartyLicenseAnalysis :: |
I would add something to clarify that this is a license scan. FirstPartyAnalysis sounds the same to me as Analysis outside of the context of this PR.
There was a problem hiding this comment.
I see what you're saying, but I think it obscures the fact that the upload contains both license and non-license analysis results.
It's a merger of results from the first-party scan and the normal analysis.
I'm going to go with uploadAnalysisWithFirstPartyLicenses. Does that work for you?
There was a problem hiding this comment.
Yea, I think thats better! As much as I don't love how long the function name is.
| Fixtures.sourceUnits | ||
| Nothing | ||
| locator `shouldBe'` expectedLocator | ||
| it' "aborts when uploading to a monorepo" |
There was a problem hiding this comment.
I think you could ignore this test if Jess's monorepo PR merges before this PR.
There was a problem hiding this comment.
I'll leave it for now so that things compile (it's mostly a whitespace change, but I also had to add another parameter to uploadSuccessfulAnalysis to make things work
I'll delete the test once I merge Jess's PR - I'm assuming that I'll get a merge conflict if I don't
…urceUnit into FullSourceUnit
… flag but the FOSSA server does not support first-party scans
…and --experimental-force-no-first-party-scans flags
…st party analysis
…ts to the right spot
…imental-block-first-party-scans"
…ith the --output flag
spatten
force-pushed
the
ane-966-first-party-scans
branch
from
2af8acc
to
5c89913
Compare
spatten
changed the title
Overview
ANE-966 - First party license scans
If requested, the CLI will license scan the full directory, merge the license scan data with the standard dependency data and upload the results to S3. Core will analyze the uploaded data so that licenses found in the project are shown as "Directly in Code" in the FOSSA UI.
The core side of this PR is https://github.com/fossas/FOSSA/pull/10219
Three more things are coming in future PRs:
I'll add the Changelog as part of the user facing documentation.
Acceptance criteria
Note: the first-party scan results should be included when you use the
--outputflag, but I missed that in this PR. It's fixed in #1198Testing plan
The first step is to check out this branch on both Core and the CLI and get core running.
Scan a project that has licenses and dependencies in it. I scanned broker, but it has ~300 dependencies so you might want to try something with fewer deps in it.
The debug logs should tell you that it is running a first-party scan:
The result of that build will have a few licenses that are labelled as "directly in code". If you look, you'll see that most of them are in the target directory.
So, let's filter that out by adding some vendored dependency excludes to broker's
.fossa.yml:Run again. You should now only see one license that is "directly in code"
Turn on the "default to first party scans" feature flag in local core:
Run an analysis without the "--experimental-force-first-party-scans" flag. It should still run a first-party scan:
Turn the feature flag off and run
fossa-dev analyzeagain. It should now skip the first-party scan.Turn the first-party scans feature flag back on, and run with and without the "Full file uploads for cli-license scans" feature flag on.
It should work both ways. With it on, you should see the full file in the UI like this:
With the feature flag off, you should only see the part of the file that was a license match:
Run a scan with
--experimental-force-first-party-scansagainst a version of Core that does not support first party scans:This should just run a normal scan.
Risks
References
https://fossa.atlassian.net/browse/ANE-966
Checklist
docs/.Changelog.md. If this PR did not mark a release, I added my changes into an# Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.json. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).