
Roll out FOSSA + Open Source Legal Policy #4

Closed
83 of 84 tasks
chadwhitacre opened this issue Mar 7, 2022 · 13 comments
Comments

@chadwhitacre
Member

chadwhitacre commented Mar 7, 2022

To Do

FOSSA Punchlist

@chadwhitacre
Member Author

Moving here from internal Slack ...


Sooooooooo ... my goal at this point is to roll out FOSSA to one repo ever now.

I am targeting https://github.com/getsentry/sentry-docs as self-hosted a) doesn't really have interesting deps and b) is fubar'd wrt CI 😖, whereas sentry-docs a) I have admin perms on, b) it has a meaningful amount of deps (npm) and c) it's "out of the way" in terms of traffic.

Current status is I added a workflow but it breaks for forks because forks don't have access to GH Secrets, and that's where the FOSSA_API_KEY is stored.

The suggestion FOSSA support gave me is a self-hosted runner that bakes in the api key.

I'll look into that I guess but it sure feels like a gross thing to have to do. Alternate to explore would be building out something more complicated/featureful, probably in eng-pipes.

We recommend that you only use self-hosted runners with private repositories.

Talk about an anti-pattern. 🙄 😖

This token was created with open source project maintainers in mind.

https://docs.fossa.com/docs/api-reference#push-only-api-token

I tried a push-only token at first and ended up bumping to full, I think because of the limited feedback to devs w/ push-only? Revisiting ...

@chadwhitacre
Member Author

No diff so far ...

$ FOSSA_API_KEY=[push-only] fossa analyze
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-remark-variables/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-redirects/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-plugin-openapi/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-plugin-include/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-plugin-code-tabs/
[ INFO] Analyzing yarn project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/
[ INFO]
[ INFO] Using project name: `git@github.com:getsentry/sentry-docs.git`
[ INFO] Using revision: `a48d933a3a22c16d4e3118653433091ec9f1b5c4`
[ INFO] Using branch: `cwlw/add-fossa`
[ INFO] ============================================================

      View FOSSA Report:
      https://app.fossa.com/projects/custom+29430%2fgit@github.com%3agetsentry%2fsentry-docs.git/refs/branch/cwlw%2fadd-fossa/a48d933a3a22c16d4e3118653433091ec9f1b5c4

  ============================================================
$
$ FOSSA_API_KEY=[full] fossa analyze
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-remark-variables/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-redirects/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-plugin-openapi/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-plugin-include/
[ INFO] Analyzing npm project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/src/gatsby/plugins/gatsby-plugin-code-tabs/
[ INFO] Analyzing yarn project at /Users/chadwhitacre/workbench/getsentry/sentry-docs/
[ INFO] 
[ INFO] Using project name: `git@github.com:getsentry/sentry-docs.git`
[ INFO] Using revision: `a48d933a3a22c16d4e3118653433091ec9f1b5c4`
[ INFO] Using branch: `cwlw/add-fossa`
[ INFO] ============================================================

      View FOSSA Report:
      https://app.fossa.com/projects/custom+29430%2fgit@github.com%3agetsentry%2fsentry-docs.git/refs/branch/cwlw%2fadd-fossa/a48d933a3a22c16d4e3118653433091ec9f1b5c4

  ============================================================
$

@chadwhitacre
Member Author

$ FOSSA_API_KEY=$FULL fossa test   
[ INFO] 
[ INFO] Using project name: `git@github.com:getsentry/sentry-docs.git`
[ INFO] Using revision: `c293e7a1efdbde2dd8bd313acf124d03882acd1a`
[ INFO] 
[ERROR] Test failed. Number of issues found: 13
[ERROR] ========================================================================
  Flagged by Policy
  ========================================================================
  Dependency           Revision             License             

  tslib                2.1.0                                    
  style-value-types    4.0.1                                    
  tslib                2.0.1                                    
  tslib                1.13.0                                   
  tweetnacl            0.14.5                                   
  spdx-exceptions      2.3.0                                    
  prettier             2.1.2                                    
  popmotion            9.1.0                                    
  node-sass            4.14.1                                   
  jsonify              0.0.0                                    
  framer-motion        3.3.0                                    
  spdx-exceptions      2.3.0                                    

  ========================================================================
  Unlicensed Dependency
  ========================================================================
  Dependency           Revision            

  @sentry-internal/global-search 0.1.3                                    

[ERROR] ----------
  An error occurred:

      An exception occurred: ExitFailure 1

      Traceback:
        

$

@chadwhitacre
Member Author

$ FOSSA_API_KEY=$PUSH_ONLY fossa test
[ INFO] 
[ INFO] Using project name: `git@github.com:getsentry/sentry-docs.git`
[ INFO] Using revision: `c293e7a1efdbde2dd8bd313acf124d03882acd1a`
[ INFO] 
[ERROR] Test failed. Number of issues found: 13
[ERROR] Check the webapp for more details, or use a full-access API key (currently using a push-only API key)
[ERROR] ----------
  An error occurred:

      An exception occurred: ExitFailure 1

      Traceback:
        

$

@chadwhitacre
Member Author

I tried a push-only token at first and ended up bumping to full, I think because of the limited feedback to devs w/ push-only?

Yup, that was the reason:

Check the webapp for more details, or use a full-access API key (currently using a push-only API key)

🤔

@chadwhitacre
Member Author

Result of call:

  • Some concern about using even a push-only API key associated with a highly privileged account. Fair enough, though sounds muddy to me. I can see this as defense-in-depth but I would expect push-only to be safe on its face.
  • FOSSA is manually configuring an unprivileged bot account (using means inaccessible for self-serve) to hold the push-only API token.
  • We could probably self-serve configure our own low-privilege role and attach it to a bot account (we have bot accounts via email on GitHub, e.g. @getsentry-bot @getsentry-release; precedent).
  • Could we configure a custom role with limited enough permissions that we could publicly use a full API key associated with it?
  • Baseline risk seems to be third parties using our FOSSA account to scan their own codebases, we would notice random projects showing up in our account. Does FOSSA have no way to limit based on GitHub org? Only scan if org == getsentry?

@chadwhitacre
Member Author

Plan

  1. Reattempt sentry-docs rollout using bespoke push-only API key once available.

  2. Wrap error exit to provide some minimal error messaging beyond basic CI red/green:

    Afaict this PR introduces a license violation. Did you add any libraries? Do they use one of these unapproved licenses? X, Y, Z. If you're stuck cc: @|getsentry/open-source in a comment to investigate.

  3. Vary key based on availability, if secrets.KEY use that, otherwise push-only.

  4. Store push-only key somewhere in https://github.com/getsentry/.github and fetch each time in the action so that it's easy to roll if needed.
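A CI wrapper around `fossa test` that implements steps 2 and 3 of this plan (key fallback plus a readable failure message), as an added example that is not from the issue or from FOSSA. The variable names FOSSA_FULL_KEY (the GitHub secret, empty in fork PRs), FOSSA_PUSH_ONLY_KEY (the fetched push-only key), the function names and the LICENSE_X/Y/Z placeholders are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the issue or from FOSSA: wraps `fossa test` in CI.
# Assumed names: FOSSA_FULL_KEY (GH secret, unset in fork PRs),
# FOSSA_PUSH_ONLY_KEY (push-only key fetched each run), LICENSE_X/Y/Z placeholders.

# Step 3: prefer the full-access secret when CI exposes it, else fall back
# to the push-only key. Prints "<mode>:<key>"; returns 1 if neither is set.
choose_fossa_key() {
  local full="$1" push_only="$2"
  if [ -n "$full" ]; then
    printf 'full:%s\n' "$full"
  elif [ -n "$push_only" ]; then
    printf 'push-only:%s\n' "$push_only"
  else
    return 1
  fi
}

# Step 2: turn a non-zero `fossa test` exit into guidance for the developer,
# then propagate the same status so the check still goes red.
explain_fossa_failure() {
  local status="$1" mode="$2"
  [ "$status" -eq 0 ] && return 0
  cat <<'EOF'
Afaict this PR introduces a license violation. Did you add any libraries?
Do they use one of these unapproved licenses? LICENSE_X, LICENSE_Y, LICENSE_Z
If you're stuck cc: @getsentry/open-source in a comment to investigate.
EOF
  if [ "$mode" = "push-only" ]; then
    echo "Note: push-only key in use, so per-dependency details are only in the FOSSA web app."
  fi
  return "$status"
}

# Glue for the workflow step: pick a key, run the scan, explain any failure.
run_fossa_test() {
  local selection mode key status
  selection=$(choose_fossa_key "${FOSSA_FULL_KEY:-}" "${FOSSA_PUSH_ONLY_KEY:-}") || {
    echo "No FOSSA API key available; skipping license check." >&2
    return 2
  }
  mode=${selection%%:*}
  key=${selection#*:}
  if FOSSA_API_KEY="$key" fossa test; then status=0; else status=$?; fi
  explain_fossa_failure "$status" "$mode"
}
```

Call `run_fossa_test` from the workflow step after exporting the two key variables; the message is only printed when the scan fails.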

@chadwhitacre
Member Author

chadwhitacre commented Mar 15, 2022

We had our first license violation failure reported in getsentry/sentry-docs#4838. Turned out to be a false positive. Take-aways:

  1. It was difficult to find where to approve in FOSSA: no link from the error output, couldn't find it in the UI, could only find the master branch and manually modified the URL with the branch SHA
  2. Definitely need that error messaging to help dev react to failure.
  3. Should clean up license in platformicons repo: License mismatch platformicons#53
  4. Product feedback for FOSSA - be smart about same GH org, no need to flag this as we own it
  5. Need to turn off in forks - discovered garbage in FOSSA due to action running in forks

@chadwhitacre
Member Author

It was difficult to find where to approve in FOSSA

Answer is to click on the link in the email notification. We configured email notifications for better visibility. 👍

@chadwhitacre
Member Author

Product feedback for FOSSA - be smart about same GH org, no need to flag this as we own it

Found the "ignore dependency" feature, using that. 👍

@chadwhitacre
Member Author

Here is the action of our dreams.

@chadwhitacre
Member Author

FOSSA has basically shipped but it has evolved into a challenge as we have turned it off twice due to instability on their side that has cascaded into CI/eng incidents on our side. It is currently off and we need to regroup to get this back on track.

@chadwhitacre
Member Author

We are back on track by now. 👍
