Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

NameOrganisation
Maurizio PillituFINOS
Former user (Deleted)Morgan Stanley
Tosha EllisonFINOS
Alexandra StratigosFINOS
Gabriele ColumbroJames McLeod (Unlicensed)FINOS
Tom SchadyGreenKey Technologies
Deepak MehtaFOSSAMicheal
HollanderAitana MyohlWhiteSource
Rhys ArkinsWhiteSource
David HabushaWhiteSourceFINOS
Rob Underwood (Deactivated)FINOS

Attendee Webex Screenshot

...

Time ItemWhoNotes from the Meeting
5 minsConvene & Roll CallFormer user (Deleted)
5 minsWelcome James!James McLeod (Unlicensed)James is the new FINOS Community Director
10 minsFOSSA
  1. Question on reporting format: does fossa-cli use a fossa-generated format, or is this following one of the standard BOM formats being developed by the community for greater reuse? See 
    Jira Legacy
    serverSystem JIRA
    serverIde094b874-9a54-31ee-9f8d-4884bef69f3e
    keyODP-10
     and https://gist.github.com/maoo/40a4f7a9df8315290a1b0c347dd018da
  2. Discuss mao proposal for FOSSA GitHub Action, see below
15 minsWhiteSource Webinar on Wednesday November 6Maurizio Pillitu
  • Update FINOS calendar to "merge" ODP WG call with WhiteSource webinar (Wednesday November 6) - OK from Brian.
  • Engage with members and invite them to attend
  • Great opportunity to socialize WhiteSource solution across FINOS community
  • Teaser for WhiteSource sessions at OSSF
5 minsRetrospective on current sprintGroup
10 minsPlanning next Next Sprint prioritiesGroup
10 minsBacklog scrubbingGroup
5AOB & adjourn

Group


FOSSA GitHub Action - (mao proposal)


Build a standard GitHub action that reacts on commits and Pull Requests (PRs) on a given GitHub repository, called FOSSA GitHub Action.

Every time that a commit is pushed or a PR is merged, the FOSSA GitHub Action is triggered, the action

  1. Reads a .fossa-licenses.yaml file, containing
    1. A list of SPDX IDs called "compatibleLicenses"
    2. A list of SPDX IDs called "incompatibleLicenses"
    3. A list of strings called "whitelistedLibraries"
    4. ... (more will come after the MVP)
  2. Reads the FOSSA_API_KEY (encrypted) environment variable, containing the key of FINOS account
  3. Invokes "fossa init" and "fossa report licenses --json", generating a JSON payload with all library and license definitions
  4. Parses the generated JSON (on step 5) and builds a report with
    1. List of libraries with compatible licenses (and the compatible license that applies)
    2. List of libraries with incompatible licenses
    3. List of libraries with unknown licenses 
  5. Format the report in Markdown and post on a new github issue. If the action was triggered by a PR, the check will succeed or fail based on the amount of incompatible /unknown licenses found 

Action Items