Merge pull request #1 from rajuljha/chore/fossology_action

chore(fossology action): Add fossology action

Reviewed-by: [email protected], [email protected]
Tested-by: [email protected]

.github/workflows/test.yaml

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2024 Rajul Jha <[email protected]>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+name: Test Fossology Action
+on:
+  push:
+    branches:
+      - main
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run action
+        uses: ./
+        with:
+          scan_mode: "repo"
+          scanners: "nomos ojo copyright keyword"
+          report_format: "SPDX_JSON"

.gitignore

@@ -1,2 +1,6 @@
+# SPDX-FileCopyrightText: 2024 Rajul Jha <[email protected]>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
 # MacOS
 .DS_Store

README.md

@@ -0,0 +1,159 @@
+<!-- SPDX-FileCopyrightText: 2024 Rajul Jha <[email protected]>
+
+ SPDX-License-Identifier: GPL-2.0-only -->
+
+<p align="center">
+  <a href="https://fossology.github.io">
+  <img src="static/logo.png" alt="Fossology logo" width="144">
+  </a>
+  <br>
+  <strong> FOSSology Scan Action </strong><br>
+<br>
+
+<a href=https://github.com/fossology/fossology/wiki/FOSSology-scanners-in-CI><img alt="Fossology-action" src="https://img.shields.io/badge/Fossology-action-red"></a>
+<a href=https://join.slack.com/t/fossology/shared_invite/enQtNzI0OTEzMTk0MjYzLTYyZWQxNDc0N2JiZGU2YmI3YmI1NjE4NDVjOGYxMTVjNGY3Y2MzZmM1OGZmMWI5NTRjMzJlNjExZGU2N2I5NGY><img alt="Artifacts generation" src="https://img.shields.io/badge/slack-fossology-blue.svg?longCache=true&logo=slack"></a>
+<a href=https://www.youtube.com/channel/UCZGPJnQZVnEPQWxOuNamLpw><img alt="GitHub last commit (branch)" src="https://img.shields.io/badge/youtube-FOSSology-red.svg?&logo=youtube&link=https://www.youtube.com/channel/UCZGPJnQZVnEPQWxOuNamLpw"></a>
+
+</p>
+
+# Fossology Action
+
+## Overview
+
+The **Fossology Scan** GitHub Action allows you to run license and copyright scans using the Fossology scanner within your GitHub Actions workflows. This action is highly customizable and supports various scanning modes and configurations to fit your compliance needs.
+
+## Features
+
+### Types of scanners
+- Perform license and copyright scans
+  - [`Nomos`](https://github.com/fossology/fossology/tree/master/src/nomos): It is a very precise license scanner.
+  - [`Ojo`](https://github.com/fossology/fossology/tree/master/src/ojo): It is a precise license scanner that looks for `SPDX-License-Identifier text` statements.
+- Copyright and Keyword Scanning
+  - [`Copyright`](https://github.com/fossology/fossology/tree/master/src/copyright): Scans for Copyrighted text like `Copyright 2024 @ Fossology-contributors`
+  - [`Keyword`](https://github.com/fossology/fossology/tree/master/src/copyright): Scans for potentially harmful keywords like `patented`, `copied__from` etc. (Customizable)
+
+### Different Scanning Modes
+  - **Diff Scan (Default)**: This scans for only the diff content of the Pull Request on which it is triggered. This is a good option to run via a Pull Request trigger.
+  - **Repo Scan**: This scans the entire repo from which the pipeline is triggered. It is a good option to run on PR's or publishing releases.
+  - **Differential Scan**: This scans for the changes between any two tags. User can provide any tow tags to scan between. It is a good option to scan between any two tags or any two versions of the repo.
+
+You can learn more about CI Scanners in fossology [here](https://github.com/fossology/fossology/wiki/FOSSology-scanners-in-CI)
+
+## Inputs
+
+### User customizable inputs:
+```yaml
+scan_mode:
+  description: "Specifies whether to perform diff scans, repo scans, or differential scans.
+    Leave blank for diff scans."
+  required: false
+  default: ""
+scanners:
+  description: "Space-separated list of scanners to invoke."
+  required: true
+  default: "nomos ojo copyright keyword"
+report_format:
+  description: "Report format (SPDX_JSON,SPDX_RDF,SPDX_YAML,SPDX_TAG_VALUE) to print the results in."
+  required: false
+  default: ""
+keyword_conf_file_path:
+  description: "Path to custom keyword.conf file. (Use only with keyword scanner set to True)"
+  required: false
+  default: ""
+allowlist_file_path:
+  description: "Path to allowlist.json file."
+  required: false
+  default: ""
+from_tag:
+  description: "Starting tag to scan from. (Use only with differential mode)"
+  required: false
+  default: ""
+to_tag:
+  description: "Ending tag to scan to. (Use only with differential mode)"
+  required: false
+  default: ""
+```
+
+### Inputs used internally by the action:
+
+```yaml
+github_api_url:
+  description: "Base URL of the GitHub API (default: ${{ github.api_url }})"
+  required: false
+  default: ${{ github.api_url }}
+github_repository:
+  description: "Repository name (default: ${{ github.repository }})"
+  required: false
+  default: ${{ github.repository }}
+github_token:
+  description: "GitHub Token (default: ${{ github.token }})"
+  required: false
+  default: ${{ github.token }}
+github_pull_request:
+  description: "GitHub PR number (default: ${{ github.event.number }})"
+  required: false
+  default: ${{ github.event.number }}
+github_repo_url:
+  description: "GitHub Repo URL (default: ${{ github.repositoryUrl }})"
+  required: false
+  default: ${{ github.repositoryUrl }}
+github_repo_owner:
+  description: "GitHub Repo Owner (default: ${{ github.repository_owner }})"
+  required: false
+  default: ${{ github.repository_owner }}
+```
+
+## Example Workflow
+Below is an example of how to use the **Fossology Scan** GitHub Action in your workflows.
+
+### Pull request scans
+```yaml
+name: License scan on PR
+
+on: [pull_request]
+
+jobs:
+  compliance_check:
+    runs-on: ubuntu-latest
+    name: Perform license scan
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: License check
+      id: compliance
+      uses: fossology/fossology-action@v1
+      with:
+        scan_mode: ''
+        scanners: 'nomos ojo'
+        report_format: 'SPDX_JSON'
+
+```
+
+### Tag scans 
+```yaml
+name: License scan on tags
+
+on: [tags]
+
+jobs:
+  compliance_check:
+    runs-on: ubuntu-latest
+    name: Perform license scan
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: License check
+      id: compliance
+      uses: fossology/fossology-action@v1
+      with:
+        scan_mode: 'differential'
+        scanners: 'nomos ojo copyright keyword'
+        from_tag: 'v003'
+        to_tag: 'v004'
+        report_format: 'SPDX_JSON'
+```
+
+## License
+
+This project is licensed under the [GNU GENERAL PUBLIC LICENSE Version 2, June 1991](LICENSE).

action.yaml

@@ -0,0 +1,98 @@
+# SPDX-FileCopyrightText: 2024 Rajul Jha <[email protected]>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+name: "FOSSology Scan"
+description: "Run license and copyright scans"
+author: "Rajul Jha"
+branding:
+  icon: "search"
+  color: "orange"
+inputs:
+  # Customizable input variables
+  scan_mode:
+    description: "Whether to do diff scans or repo scan. Leave blank for diff."
+    required: false
+    default: ""
+  scanners:
+    description: "Which scanners to invoke"
+    required: false
+    default: "nomos ojo copyright keyword"
+  report_format:
+    description: "Report format to generate reports in: SPDX_JSON, SPDX_YAML, SPDX_RDF, SPDX_TAG_VALUE"
+    required: false
+    default: ""
+  keyword_conf_file_path:
+    description: "Path to custom keyword.conf file"
+    required: false
+    default: ""
+  allowlist_file_path:
+    description: "Path to allowlist.json file"
+    required: false
+    default: ""
+  from_tag:
+    description: "Starting tag to scan from"
+    required: false
+    default: ""
+  to_tag:
+    description: "Ending tag to scan to"
+    required: false
+    default: ""
+# Internal Variables. Not meant to be passed by the user. These are set up by the action itself.
+  github_api_url:
+    description: "Base URL of Github API"
+    required: false
+    default: ${{ github.api_url }}
+  github_repository:
+    description: "Repository name"
+    required: false
+    default: ${{ github.repository }}
+  github_token:
+    description: "Github Token"
+    required: false
+    default: ${{ github.token }}
+  github_pull_request:
+    description: "Github PR"
+    required: false
+    default: ${{ github.event.number }}
+  github_repo_url:
+    description: "Github Repo URL"
+    required: false
+    default: ${{ github.repositoryUrl }}
+  github_repo_owner:
+    description: "Github Repo Owner"
+    required: false
+    default: ${{ github.repository_owner }}
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Docker Setup QEMU
+      uses: docker/[email protected]
+
+    - name: Run Fossology scan in Docker
+      env:
+        GITHUB_API_URL: ${{ inputs.github_api_url }}
+        GITHUB_REPOSITORY: ${{ inputs.github_repository }}
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        GITHUB_PULL_REQUEST: ${{ inputs.github_pull_request }}
+        GITHUB_REPO_URL: ${{ inputs.github_repo_url }}
+        GITHUB_REPO_OWNER: ${{ inputs.github_repo_owner }}
+        GITHUB_WORKSPACE: ${{ inputs.github_workspace }}
+        SCAN_MODE: ${{ inputs.scan_mode }}
+        SCANNERS: ${{ inputs.scanners }}
+        REPORT_FORMAT: ${{ inputs.report_format }}
+        KEYWORD_CONF_FILE_PATH: ${{ inputs.keyword_conf_file_path }}
+        ALLOWLIST_FILE_PATH: ${{ inputs.allowlist_file_path }}
+        FROM_TAG: ${{ inputs.from_tag }}
+        TO_TAG: ${{ inputs.to_tag }}
+      run: $GITHUB_ACTION_PATH/script.sh
+      shell: bash
+
+    - name: Upload Scan Results Artifact
+      if: success() || failure()
+      uses: actions/upload-artifact@v3
+      with:
+        name: Fossology scan results
+        path: results/

script.sh

@@ -0,0 +1,43 @@
+#!/bin/bash -e
+
+# SPDX-FileCopyrightText: 2024 Rajul Jha <[email protected]>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Prepare docker run command with arguments
+docker_cmd="docker run --rm --name fossologyscanner -w /opt/repo -v ${PWD}:/opt/repo \
+    -e GITHUB_TOKEN=${GITHUB_TOKEN} \
+    -e GITHUB_PULL_REQUEST=${GITHUB_PULL_REQUEST} \
+    -e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} \
+    -e GITHUB_API=${GITHUB_API_URL} \
+    -e GITHUB_REPO_URL=${GITHUB_REPO_URL} \
+    -e GITHUB_REPO_OWNER=${GITHUB_REPO_OWNER} \
+    -e GITHUB_ACTIONS"
+
+if [ "${KEYWORD_CONF_FILE_PATH}" != "" ]; then
+    docker_cmd+=" -v ${GITHUB_WORKSPACE}/${KEYWORD_CONF_FILE_PATH}:/bin/${KEYWORD_CONF_FILE_PATH}"
+fi
+if [ "${ALLOWLIST_FILE_PATH}" != "" ]; then
+    docker_cmd+=" -v ${GITHUB_WORKSPACE}/${ALLOWLIST_FILE_PATH}:/bin/${ALLOWLIST_FILE_PATH}"
+fi
+docker_cmd+=" fossology/fossology:scanner /bin/fossologyscanner"
+docker_cmd+=" ${SCANNERS}"
+docker_cmd+=" ${SCAN_MODE}"
+
+# Add additional conditions
+if [ "${SCAN_MODE}" == "differential" ]; then
+    docker_cmd+=" --tags ${FROM_TAG} ${TO_TAG}"
+fi
+if [ "${KEYWORD_CONF_FILE_PATH}" != "" ]; then
+    docker_cmd+=" --keyword-conf ${KEYWORD_CONF_FILE_PATH}"
+fi
+if [ "${ALLOWLIST_FILE_PATH}" != "" ]; then
+    docker_cmd+=" --allowlist-path ${ALLOWLIST_FILE_PATH}"
+fi
+if [ "${REPORT_FORMAT}" != "" ]; then
+    docker_cmd+=" --report ${REPORT_FORMAT}"
+fi
+
+# Run the command
+echo $docker_cmd
+eval $docker_cmd