-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ANE 966: first party license scans [1/4] #1187
Conversation
31cdc28
to
0db91b4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good! I had a number of questions and small suggestions so I'm requesting changes until those are addressed.
src/App/Fossa/Analyze/Upload.hs
Outdated
uploadFirstPartyAnalysisToS3AndCore :: | ||
( Has Diagnostics sig m | ||
, Has FossaApiClient sig m | ||
, Has StickyLogger sig m | ||
) => | ||
ProjectRevision -> | ||
ProjectMetadata -> | ||
NE.NonEmpty FullSourceUnit -> | ||
FullFileUploads -> | ||
m UploadResponse | ||
uploadFirstPartyAnalysisToS3AndCore revision metadata mergedUnits fullFileUploads = do | ||
_ <- uploadFirstPartyAnalysisToS3 revision mergedUnits | ||
uploadFirstPartyAnalysis revision metadata fullFileUploads | ||
|
||
uploadFirstPartyAnalysisToS3 :: | ||
( Has Diagnostics sig m | ||
, Has FossaApiClient sig m | ||
, Has StickyLogger sig m | ||
) => | ||
ProjectRevision -> | ||
NE.NonEmpty FullSourceUnit -> | ||
m () | ||
uploadFirstPartyAnalysisToS3 revision mergedUnits = do | ||
signedURL <- getSignedFirstPartyScanUrl $ PackageRevision{packageVersion = projectRevision revision, packageName = projectName revision} | ||
logSticky $ "Uploading '" <> projectName revision <> "' to secure S3 bucket" | ||
-- TODO: copy/paste/modify of uploadLicenseScanResult |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these functions should be in the src/Control/Carrier/FossaApiClient/Internal directory where uploadAnalyis
is located. Is there a circular dependency or something else preventing them from being in that API directory?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think these fit into the src/Control/Carrier/FossaApiClient/Internal directory. Those functions are all readers that have already had runFossaApiClient apiOpts
run on them and just talk directly to the API.
These functions are calling out to the API (with getSignedFirstPartyScanUrl
, uploadFirstPartyScanResult
and uploadFirstPartyAnalysis
) and logging things.
The uploadFirstPartyAnalysis
and uploadFirstPartyScanResult
functions are the equivalent of uploadAnalysis
, and they live in the src/Control/Carrier/FossaApiClient/Internal directory
src/App/Fossa/FirstPartyScan.hs
Outdated
firstPartyScanWithOrgInfo :: | ||
( Has Diagnostics sig m | ||
, Has (Lift IO) sig m | ||
, Has StickyLogger sig m | ||
, Has Logger sig m | ||
, Has Exec sig m | ||
, Has ReadFS sig m | ||
, Has FossaApiClient sig m | ||
) => | ||
Path Abs Dir -> | ||
StandardAnalyzeConfig -> | ||
m (Maybe LicenseSourceUnit) | ||
firstPartyScanWithOrgInfo root cfg = do | ||
org <- getOrganization | ||
firstPartyScanMain root cfg org |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this function need to exist or could we have a new do
block and grab org info right after we get Just apiOpts
in the block above? This could also exist as a where
function in the block above. Is this done to satisfy the FossaApiClient
effect?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need this so that we can run runFossaApiClient apiOpts
and satisfy the FossaApiClient
effect.
There may be a way to do it in a where block, but I played around and this felt like the best solution to me
@@ -615,6 +623,31 @@ uploadAnalysis apiOpts ProjectRevision{..} metadata sourceUnits = fossaReq $ do | |||
resp <- req POST (uploadUrl baseUrl) (ReqBodyJson $ NE.toList sourceUnits) jsonResponse (baseOpts <> opts) | |||
pure (responseBody resp) | |||
|
|||
uploadFirstPartyAnalysis :: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
uploadFirstPartyAnalysis :: | |
uploadFirstPartyLicenseAnalysis :: |
I would add something to clarify that this is a license scan. FirstPartyAnalysis
sounds the same to me as Analysis
outside of the context of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see what you're saying, but I think it obscures the fact that the upload contains both license and non-license analysis results.
It's a merger of results from the first-party scan and the normal analysis.
I'm going to go with uploadAnalysisWithFirstPartyLicenses
. Does that work for you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, I think thats better! As much as I don't love how long the function name is.
Fixtures.sourceUnits | ||
Nothing | ||
locator `shouldBe'` expectedLocator | ||
it' "aborts when uploading to a monorepo" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you could ignore this test if Jess's monorepo PR merges before this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll leave it for now so that things compile (it's mostly a whitespace change, but I also had to add another parameter to uploadSuccessfulAnalysis
to make things work
I'll delete the test once I merge Jess's PR - I'm assuming that I'll get a merge conflict if I don't
…urceUnit into FullSourceUnit
… flag but the FOSSA server does not support first-party scans
…and --experimental-force-no-first-party-scans flags
…st party analysis
…ts to the right spot
…imental-block-first-party-scans"
…ith the --output flag
2af8acc
to
5c89913
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Overview
ANE-966 - First party license scans
If requested, the CLI will license scan the full directory, merge the license scan data with the standard dependency data and upload the results to S3. Core will analyze the uploaded data so that licenses found in the project are shown as "Directly in Code" in the FOSSA UI.
The core side of this PR is https://github.com/fossas/FOSSA/pull/10219
Three more things are coming in future PRs:
I'll add the Changelog as part of the user facing documentation.
Acceptance criteria
Note: the first-party scan results should be included when you use the
--output
flag, but I missed that in this PR. It's fixed in #1198Testing plan
The first step is to check out this branch on both Core and the CLI and get core running.
Scan a project that has licenses and dependencies in it. I scanned broker, but it has ~300 dependencies so you might want to try something with fewer deps in it.
The debug logs should tell you that it is running a first-party scan:
The result of that build will have a few licenses that are labelled as "directly in code". If you look, you'll see that most of them are in the target directory.
So, let's filter that out by adding some vendored dependency excludes to broker's
.fossa.yml
:Run again. You should now only see one license that is "directly in code"
Turn on the "default to first party scans" feature flag in local core:
Run an analysis without the "--experimental-force-first-party-scans" flag. It should still run a first-party scan:
Turn the feature flag off and run
fossa-dev analyze
again. It should now skip the first-party scan.Turn the first-party scans feature flag back on, and run with and without the "Full file uploads for cli-license scans" feature flag on.
It should work both ways. With it on, you should see the full file in the UI like this:
With the feature flag off, you should only see the part of the file that was a license match:
Run a scan with
--experimental-force-first-party-scans
against a version of Core that does not support first party scans:This should just run a normal scan.
Risks
References
https://fossa.atlassian.net/browse/ANE-966
Checklist
docs/
.Changelog.md
. If this PR did not mark a release, I added my changes into an# Unreleased
section at the top..fossa.yml
orfossa-deps.{json.yml}
, I updateddocs/references/files/*.schema.json
. You may also need to update these if you have added/removed new dependency type (e.g.pip
) or analysis target type (e.g.poetry
).