gh: check copyrights and make Apache only approved #9098
Conversation
CT Test Results 1 files 11 suites 3m 58s ⏱️ Results for commit 42b6136. ♻️ This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally. Artifacts// Erlang/OTP Github Action Bot |
kikofernandez
force-pushed
the
kiko/codescan/compliance-pr
branch
from
21e0b4d
to
37cd5de
Compare
| ~"openssl-ssleay", ~"cc-by-sa-3.0", ~"cc-by-4.0", ~"dco-1.1", ~"fsf-ap", | ||
| ~"agpl-1.0-plus", ~"agpl-1.0", ~"agpl-3.0-plus", ~"classpath-exception-2.0", | ||
| ~"ietf-trust"]. | ||
| [ <<"apache-2.0">> ]. |
There was a problem hiding this comment.
We only accept Apache
scripts/scan-code.escript
Outdated
| reviewed() -> | ||
| [ <<"mit">>, <<"boost-1.0">>, <<"llvm-exception">>, | ||
| <<"cc0-1.0">>, <<"bsd-simplified">>, <<"bsd-new">>, <<"pcre">>, | ||
| <<"fsf-free">>, <<"autoconf-exception-3.0">>, <<"public-domain">>, | ||
| <<"autoconf-simple-exception">>, <<"unicode">>, <<"tcl">>, <<"gpl-2.0 WITH classpath-exception-2.0">>, | ||
| <<"zlib">>, <<"lgpl-2.0-plus WITH wxwindows-exception-3.1">>, | ||
| <<"openssl-ssleay">>, <<"cc-by-sa-3.0">>, <<"cc-by-4.0">>, <<"dco-1.1">>, <<"fsf-ap">>, | ||
| <<"classpath-exception-2.0">>, <<"ietf-trust">> ]. |
There was a problem hiding this comment.
in cases of auto-generated code or special cases, we could review contributions under these licenses, but these must be very special cases.
The idea is that the automated check marks these for review, and we accept them on an ongoing basis.
No PR should be merged without its corresponding license approval
scripts/scan-code.escript
Outdated
| [<<"gpl">>, <<"gpl-3.0-plus">>, <<"gpl-2.0">>, <<"gpl-1.0-plus">>, <<"unlicense">>, | ||
| <<"lgpl-2.0-plus">>, <<"lgpl-2.1-plus">>, <<"agpl-1.0-plus">>, <<"agpl-1.0">>, | ||
| <<"agpl-3.0-plus">>, <<"erlangpl-1.1">>, <<"gpl-2.0-plus">>, <<"null">>, <<"agpl-3.0">>, | ||
| <<"mpl-1.1">>, 'null']. |
There was a problem hiding this comment.
we do not approve some licenses, and I mess up the list initially
kikofernandez
force-pushed
the
kiko/codescan/compliance-pr
branch
5 times, most recently
from
f45272b
to
fc3a872
Compare
|
this is a meta error. the introduction of the LICENSE rule to correctly change AND rules by ORs cannot be applied to itself, so it reports a license compliance error when it is ok. |
|
The change seems to crash when run on a push and not a pr: https://github.com/kikofernandez/otp/actions/runs/11958065364/job/33336711990 |
kikofernandez
force-pushed
the
kiko/codescan/compliance-pr
branch
from
77ea5db
to
1c12d7e
Compare
kikofernandez
force-pushed
the
kiko/codescan/compliance-pr
branch
from
1c12d7e
to
35fd4ed
Compare
There was a problem hiding this comment.
As we are reporting copyright and license information now we need to remove any duplicate files from the SARIF artifact array. For example like this:
~"artifacts" =>
[ #{
~"location" => #{
~"uri" => File
},
~"length" => -1
} || File <- lists:usort([F || {_, F, _} <- Errors])]
],The error shows up here: https://github.com/kikofernandez/otp/actions/runs/11973269459/job/33382224159
|
Thanks, I was thinking that it was ok to report the same file for copyright issues and for license issues, but that should not be the case for the sarif generation, since files should be unique. Thanks again! Change pushed |
Adds the checks on copyrights, and makes Apache the only accepted license.
Anything outside Apache should be flagged and approved in the Security panel.