2019-09-11 ODP WG Meeting notes

Table of Contents


Wednesday, 2019-09-11, 12am ET


Maurizio PillituFINOS
Brian Ingenito (Deactivated)Morgan Stanley
James McLeod (Unlicensed)FINOS
Deepak MehtaFOSSA
Aitana MyohlFINOS
Rob Underwood (Deactivated)FINOS

Attendee Webex Screenshot

Outstanding Action Items

DescriptionDue dateAssigneeTask appears on
2019-12-18 ODP WG Meeting notes
2019-12-18 ODP WG Meeting notes
James McLeod (Unlicensed)2019-10-9 ODP WG Meeting notes
  • GitHub consolidation docs on handbook -  INT-748 - Getting issue details... STATUS
2019-08-28 ODP WG Meeting notes
2019-08-28 ODP WG Meeting notes
  • Add docs to GitHub consolidation re. security checks on GitHub
2019-08-14 ODP WG Meeting notes


Time ItemWhoNotes from the Meeting
5 minsConvene & Roll CallBrian Ingenito (Deactivated)
5 minsWelcome James!James McLeod (Unlicensed)James is the new FINOS Community Director
10 minsFOSSA
  1. Question on reporting format: does fossa-cli use a fossa-generated format, or is this following one of the standard BOM formats being developed by the community for greater reuse? See  ODP-10 - Getting issue details... STATUS  and https://gist.github.com/maoo/40a4f7a9df8315290a1b0c347dd018da
  2. Discuss mao proposal for FOSSA GitHub Action, see below
15 minsWhiteSource Webinar on Wednesday November 6Maurizio Pillitu
  • Update FINOS calendar to "merge" ODP WG call with WhiteSource webinar (Wednesday November 6) - OK from Brian.
  • Engage with members and invite them to attend
  • Great opportunity to socialize WhiteSource solution across FINOS community
  • Teaser for WhiteSource sessions at OSSF
5 minsRetrospective on current sprintGroup
10 minsNext Sprint prioritiesGroup
10 minsBacklog scrubbingGroup
5AOB & adjourn


FOSSA GitHub Action - (mao proposal)

Build a standard GitHub action that reacts on commits and Pull Requests (PRs) on a given GitHub repository, called FOSSA GitHub Action.

Every time that a commit is pushed or a PR is merged, the FOSSA GitHub Action is triggered, the action

  1. Reads a .fossa-licenses.yaml file, containing
    1. A list of SPDX IDs called "compatibleLicenses"
    2. A list of SPDX IDs called "incompatibleLicenses"
    3. A list of strings called "whitelistedLibraries"
    4. ... (more will come after the MVP)
  2. Reads the FOSSA_API_KEY (encrypted) environment variable, containing the key of FINOS account
  3. Invokes "fossa init" and "fossa report licenses --json", generating a JSON payload with all library and license definitions
  4. Parses the generated JSON (on step 5) and builds a report with
    1. List of libraries with compatible licenses (and the compatible license that applies)
    2. List of libraries with incompatible licenses
    3. List of libraries with unknown licenses 
  5. Format the report in Markdown and post on a new github issue. If the action was triggered by a PR, the check will succeed or fail based on the amount of incompatible /unknown licenses found 

Action Items

Need help? Email help@finos.org we'll get back to you.

Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.