2019-09-11 ODP WG Meeting notes


Date/Time

Wednesday, 2019-09-11, 12am ET

Attendees

Name                          Organisation
@Maurizio Pillitu             FINOS
@Former user (Deleted)        Morgan Stanley
@James McLeod (Unlicensed)    FINOS
Deepak Mehta                  FOSSA
Aitana Myohl                  FINOS
@Rob Underwood (Deactivated)  FINOS

Outstanding Action Items





Agenda

Time     Item                                          Who

5 mins   Convene & Roll Call                           @Former user (Deleted)

5 mins   Welcome James!                                @James McLeod (Unlicensed)
         Notes: James is the new FINOS Community Director

10 mins  FOSSA
         Notes:
           1. Question on reporting format: does fossa-cli use a fossa-generated format, or is it following one of the standard BOM formats being developed by the community for greater reuse? See ODP-10: [SPIKE] Parse Fossa text report (Resolved) and https://gist.github.com/maoo/40a4f7a9df8315290a1b0c347dd018da
           2. Discuss mao's proposal for the FOSSA GitHub Action, see below

15 mins  WhiteSource Webinar on Wednesday November 6   @Maurizio Pillitu
         Notes:
           • Update the FINOS calendar to "merge" the ODP WG call with the WhiteSource webinar (Wednesday November 6) - OK from Brian.
           • Engage with members and invite them to attend
           • Great opportunity to socialize the WhiteSource solution across the FINOS community
           • Teaser for the WhiteSource sessions at OSSF

5 mins   Retrospective on current sprint               Group

10 mins  Next Sprint priorities                        Group

10 mins  Backlog scrubbing                             Group

5 mins   AOB & adjourn                                 Group



FOSSA GitHub Action - (mao proposal)

Build a standard GitHub action, called FOSSA GitHub Action, that reacts to commits and Pull Requests (PRs) on a given GitHub repository.

Every time a commit is pushed or a PR is merged, the FOSSA GitHub Action is triggered and:

  1. Reads a .fossa-licenses.yaml file, containing

    1. A list of SPDX IDs called "compatibleLicenses"

    2. A list of SPDX IDs called "incompatibleLicenses"

    3. A list of strings called "whitelistedLibraries"

    4. ... (more will come after the MVP)

  2. Reads the FOSSA_API_KEY (encrypted) environment variable, containing the key of the FINOS account

  3. Invokes "fossa init" and "fossa report licenses --json", generating a JSON payload with all library and license definitions

  4. Parses the JSON generated in the previous step and builds a report with

    1. List of libraries with compatible licenses (and the compatible license that applies)

    2. List of libraries with incompatible licenses

    3. List of libraries with unknown licenses

  5. Formats the report in Markdown and posts it on a new GitHub issue. If the action was triggered by a PR, the check will succeed or fail based on the number of incompatible/unknown licenses found
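The report-and-check stage of the proposal above, as an added Python example; this is not FINOS, FOSSA or fossa-cli code. It assumes a shape for the parsed "fossa report licenses --json" output (a "libraries" list with "name" and "licenses" fields, constructed here; the real output would need to be mapped to it), represents the .fossa-licenses.yaml policy as a dict (loading the YAML file is left out), and takes "whitelistedLibraries" to mean libraries that never fail the check. Libraries with no license, or with an SPDX ID the policy does not list, are reported as unknown and block a PR, so an unreviewed license cannot pass silently.

```python
"""Report/check stage of the proposed FOSSA GitHub Action (added example).

Not FINOS, FOSSA or fossa-cli code. The report shape and the policy values
are constructed for this example; whitelistedLibraries is assumed to exempt
a library from failing the check.
"""
import json
import os
import subprocess
import sys

# Policy mirroring the proposed .fossa-licenses.yaml fields (constructed).
POLICY = {
    "compatibleLicenses": ["Apache-2.0", "MIT", "BSD-3-Clause"],
    "incompatibleLicenses": ["GPL-3.0-only", "AGPL-3.0-only"],
    "whitelistedLibraries": ["npm+legacy-widget"],
}

# Constructed sample standing in for the parsed fossa JSON (assumed shape).
SAMPLE_REPORT = {
    "libraries": [
        {"name": "npm+lodash", "licenses": ["MIT"]},
        {"name": "mvn+org.example:dual", "licenses": ["GPL-3.0-only", "Apache-2.0"]},
        {"name": "npm+legacy-widget", "licenses": ["AGPL-3.0-only"]},
        {"name": "pip+strict-tool", "licenses": ["GPL-3.0-only"]},
        {"name": "npm+mystery", "licenses": []},
        {"name": "npm+odd-license", "licenses": ["Custom-Proprietary-1.0"]},
    ]
}


def classify(policy, report):
    """Split libraries into the three lists the proposal's report needs."""
    compatible = set(policy.get("compatibleLicenses", []))
    incompatible = set(policy.get("incompatibleLicenses", []))
    buckets = {"compatible": [], "incompatible": [], "unknown": []}
    for lib in report.get("libraries", []):
        name = lib["name"]
        licenses = lib.get("licenses") or []
        # A dual-licensed library is compatible if any of its licenses is
        # allowed; that license is the "compatible license that applies".
        applies = next((lic for lic in licenses if lic in compatible), None)
        if applies is not None:
            buckets["compatible"].append((name, applies))
        elif any(lic in incompatible for lic in licenses):
            buckets["incompatible"].append((name, licenses))
        else:
            # No license at all, or an ID the policy does not mention:
            # treated as unknown so it cannot slip through silently.
            buckets["unknown"].append((name, licenses))
    return buckets


def render_markdown(buckets):
    """Format the report in Markdown for posting as a new GitHub issue."""
    def section(title, rows):
        lines = [f"### {title}"]
        for name, lics in rows:
            detail = lics if isinstance(lics, str) else (", ".join(lics) or "no license detected")
            lines.append(f"- {name} ({detail})")
        return lines + (["- none"] if not rows else []) + [""]
    return "\n".join(
        ["## FOSSA license report", ""]
        + section("Compatible licenses", buckets["compatible"])
        + section("Incompatible licenses", buckets["incompatible"])
        + section("Unknown licenses", buckets["unknown"])
    )


def check_passes(buckets, policy):
    """PR check: fail when any non-whitelisted library is incompatible or unknown."""
    whitelist = set(policy.get("whitelistedLibraries", []))
    blocking = [name for name, _ in buckets["incompatible"] + buckets["unknown"]
                if name not in whitelist]
    return len(blocking) == 0, blocking


def run_fossa():
    """Run the fossa-cli commands named in the proposal and parse the JSON.

    Only the presence of FOSSA_API_KEY is checked and its value is never
    printed; fossa-cli reads the key from the environment itself.
    """
    if not os.environ.get("FOSSA_API_KEY"):
        sys.exit("FOSSA_API_KEY is not set")
    subprocess.run(["fossa", "init"], check=True)
    out = subprocess.run(["fossa", "report", "licenses", "--json"],
                         check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    # Pass --live to run fossa-cli; otherwise the constructed sample is used.
    report = run_fossa() if "--live" in sys.argv else SAMPLE_REPORT
    buckets = classify(POLICY, report)
    print(render_markdown(buckets))
    ok, blocking = check_passes(buckets, POLICY)
    if not ok:
        print("Check failed, blocking libraries: " + ", ".join(blocking))
    sys.exit(0 if ok else 1)
```

Run with the constructed sample, the dual-licensed library lands in the compatible list with Apache-2.0 as the applicable license, the whitelisted library still appears in the incompatible list of the report but does not fail the check, and the two libraries with no recognised license fail it alongside the GPL-only one.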

Action Items

Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.