Fix FOSSA for all repositories #854

Closed
7 tasks
yurishkuro opened this issue May 31, 2018 · 14 comments · Fixed by #2347
Assignees
Labels
good first issue (Good for beginners), help wanted (Features that maintainers are willing to accept but do not have cycles to implement), meta-issue (A tracking issue that requires work in other repos)

Comments

@yurishkuro
Member

yurishkuro commented May 31, 2018

UPDATE: 2020-09-01 main repo FOSSA check was fixed in #2347, but we need to add them to client libs as well.

We used to have FOSSA checks run on many repositories, but now it only runs on 5 of them (excluding the main one), and we cannot add more.

According to Kevin Wang from FOSSA:

I’ve noticed that Jaeger is enrolled in Automated Builds, which is not the ideal integration method.

In this model, fossa has to “guess” your dependencies by running every build path — it’s convenient since you can import code through the UI, but not scalable if you want to make continuous scans. You will likely experience performance issues and false positives if you run this on a large project per commit.

I suggest we integrate Jaeger through Provided Builds, where you deploy our build client (https://github.com/fossas/fossa-cli) into your CI to report dependencies back to fossa. This model should enable extremely fast and high scale builds/scans from within your CI.

See “from a local dev machine” in this article below:

https://docs.fossa.io/docs/importing-a-project

yurishkuro added the meta-issue and help wanted labels May 31, 2018
@isaachier
Contributor

It seems like they don't/won't support C++ (see here). I don't blame them because package management in C++ is a train-wreck. If there is anything I can do for that project, please let me know. For the record, the system I use (Hunter package manager) preserves the license files in the dependency installation directory under a subdirectory named licenses. Not sure if that helps, but I thought I'd mention it.

@xizhao

xizhao commented Jun 1, 2018

Kevin here from FOSSA. Excited to help you get integrated:

  • We've upgraded your account to ensure you can import more projects -- I see 3 organizations in FOSSA (Jaeger, Jaegertracing, and CNCF); maybe you integrated with a different account?

  • To work ideally with CI/CD, we have to integrate as part of the build path. That integration method is called Provided Builds and relies on reporting dependencies from within your build environment using fossa-cli and uploading a report to FOSSA per-build. This is significantly faster and scales very well, as it takes advantage of your already-running build rather than asking FOSSA to build for you.

  • @isaachier, our build analysis is open source, and we use it to support all sorts of weird configurations -- including some cases where there is no formal dependency management system (like C/C++). Check out our example for Arbitrary Archive Support (source: https://github.com/fossas/fossa-cli/blob/master/builders/archive/archive.go). Would love to see a proposal or PR for how we can support your environment.

@isaachier
Contributor

Thanks @xizhao I will look into it.

@elldritch

Leo from FOSSA here. We've been working on CLI v0.7.0, which is a total overhaul of our Go build analysis. If you'd like to try it out, we have a preview available here with an example usage here, and I'm happy to assist (available over email and Slack). Jaeger is actually one of the canonical projects that we use for automated acceptance testing.

@idvoretskyi
Contributor

@yurishkuro I'm happy to help with setting up FOSSA properly for this repo. I've just finished integrating FOSSA for CNCF's Kudo project (kedacore/keda#937), and suggest doing the same here - with GitHub Actions and fossa-cli.
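The Provided Builds integration that Kevin (xizhao) describes above and the GitHub Actions plus fossa-cli setup that idvoretskyi proposes, as an added example script that is not part of this thread, of the Jaeger repository or of FOSSA's tooling. It assumes the fossa-cli v1 commands `fossa analyze` and `fossa test`, the `FOSSA_API_KEY` environment variable, and a release tarball named fossa-cli_<version>_linux_amd64.tar.gz containing a `fossa` binary; the version and SHA-256 digest are placeholders the maintainer pins, and `PR_HEAD_REPO` is a variable name chosen here and set from the workflow. The two checks a practitioner wants around the scanner are in the script: the scanner binary is itself a supply-chain dependency, so it is pinned and verified before anything from it is executed, and fork pull requests, which never receive repository secrets on GitHub Actions, are skipped explicitly rather than failing or being tempted into a hard-coded key.

```shell
#!/usr/bin/env sh
# ci-fossa.sh: run a FOSSA "Provided Builds" scan from CI (added example, not Jaeger's or FOSSA's code).
# Assumptions (not from the thread): fossa-cli v1 commands and release asset naming, placeholder
# version/digest values below, and PR_HEAD_REPO exported by the workflow.
set -eu

FOSSA_CLI_VERSION="${FOSSA_CLI_VERSION:-1.1.10}"   # assumption: replace with the release you pin
FOSSA_CLI_SHA256="${FOSSA_CLI_SHA256:-}"            # assumption: sha256 of that tarball, committed in-repo
FOSSA_TIMEOUT="${FOSSA_TIMEOUT:-20m}"               # coreutils timeout; guards against the hangs reported here

# Decide whether this run may upload to FOSSA. Prints one of: run, skip-fork, skip-no-key.
# Fork PRs do not get repository secrets, so FOSSA_API_KEY is empty there; never fall back to a literal key.
fossa_ci_mode() {
  api_key="$1"; event_name="$2"; head_repo="$3"; base_repo="$4"
  if [ "$event_name" = "pull_request" ] && [ -n "$head_repo" ] && [ "$head_repo" != "$base_repo" ]; then
    echo "skip-fork"; return 0
  fi
  if [ -z "$api_key" ]; then
    echo "skip-no-key"; return 0
  fi
  echo "run"
}

# Compare a file's SHA-256 with an expected digest. Returns 0 on match, 1 otherwise.
sha256_matches() {
  file="$1"; expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')
  fi
  [ "$actual" = "$expected" ]
}

# Download a pinned fossa-cli release and refuse to run it unless the digest matches.
install_fossa_cli() {
  dest="$1"
  tarball="fossa-cli_${FOSSA_CLI_VERSION}_linux_amd64.tar.gz"   # assumption: v1 asset naming
  url="https://github.com/fossas/fossa-cli/releases/download/v${FOSSA_CLI_VERSION}/${tarball}"
  curl -fsSL --retry 3 -o "/tmp/${tarball}" "$url"
  if [ -z "$FOSSA_CLI_SHA256" ] || ! sha256_matches "/tmp/${tarball}" "$FOSSA_CLI_SHA256"; then
    echo "refusing to execute an unverified fossa-cli tarball" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "/tmp/${tarball}" -C "$dest" fossa
}

main() {
  mode=$(fossa_ci_mode "${FOSSA_API_KEY:-}" "${GITHUB_EVENT_NAME:-}" \
                       "${PR_HEAD_REPO:-}" "${GITHUB_REPOSITORY:-}")
  case "$mode" in
    skip-fork)   echo "fork PR: secrets unavailable, skipping FOSSA upload"; return 0 ;;
    skip-no-key) echo "FOSSA_API_KEY not set, skipping FOSSA upload"; return 0 ;;
  esac
  install_fossa_cli "$HOME/.fossa-bin"
  PATH="$HOME/.fossa-bin:$PATH"; export PATH
  # `fossa analyze` reports the dependency graph resolved in this build to FOSSA (Provided Builds);
  # `fossa test` then fails the job if FOSSA flags a license policy violation.
  timeout "$FOSSA_TIMEOUT" fossa analyze
  timeout "$FOSSA_TIMEOUT" fossa test
}

# Workflow step that calls this script (assumed, not from the thread):
#   - run: ./ci-fossa.sh run
#     env:
#       FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
#       PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
if [ "${1:-}" = "run" ]; then
  main
fi
```

Invoke it as `./ci-fossa.sh run` from the workflow; without the argument it only defines the functions, so it can be sourced and exercised locally. `fossa test` is what turns the scan into a gate; without it the upload succeeds regardless of what the report says.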

@yurishkuro
Member Author

@idvoretskyi that would be great. Just one concern - when I tried to run fossa-cli locally, it took forever on our repo, not sure why.

@idvoretskyi
Contributor

@yurishkuro I've tried to run a build in my fork (see here - https://github.com/idvoretskyi/jaeger/runs/879002640?check_suite_focus=true), and it also got stuck forever for me.

Looking deeper into the logs on the FOSSA side, I've discovered the following (log attached):

Running with fossa-ci 0.5.2 (7ad0d786)
  on FOSSA Build Runner p1l0op5j
Using Kubernetes namespace: runners
Using Kubernetes executor with image quay.io/fossa/fossa-core-srclib:v1.0.6 and helper quay.io/fossa/fossa:2.20.1

Running on runner-p1l0op5j-build-9356613-concurrent-0rz8tn via fossa-runner-0...
section_end:1594925210:prepare_script
section_start:1594925210:get_sources
Not downloading source code
Skipping Git checkout
Skipping Git submodules setup
section_end:1594925210:get_sources
section_start:1594925210:restore_cache
section_end:1594925210:restore_cache
section_start:1594925210:download_artifacts
section_end:1594925210:download_artifacts
section_start:1594925210:build_script
$ /fossa/tsnode /fossa/ci/buildTools.ts parse --taskId=9356613 --buildId=4376332 --locator='custom+162/github.com/idvoretskyi/jaeger$a493f8f6825805269dd19537c660f9fd3e7b4f4f' --traceparent=00-bf023ba20eaf5b8d92d9ad6228f6f6b1-e117c4390bbea818-01

Parsing dependencies from build data...
Discovered (0) direct dependencies for locator <custom+162/github.com/idvoretskyi/jaeger$a493f8f6825805269dd19537c660f9fd3e7b4f4f>
Discovered (236) deep dependencies for locator <custom+162/github.com/idvoretskyi/jaeger$a493f8f6825805269dd19537c660f9fd3e7b4f4f>
error resolving locator of deep dependency <go+go.mongodb.org/mongo-driver$v1.3.0>: Unable to generate Project from locator: go+go.mongodb.org/mongo-driver$v1.3.0 (Invalid go-import tag.)
error resolving locator of deep dependency <go+go.uber.org/zap$v1.13.0>: operation timed out
Finished parse with status SUCCEEDED
section_end:1594925867:build_script
section_start:1594925867:after_script
section_end:1594925868:after_script
section_start:1594925868:archive_cache
section_end:1594925868:archive_cache
section_start:1594925868:upload_artifacts_on_success
section_end:1594925868:upload_artifacts_on_success
Job succeeded

@idvoretskyi
Contributor

@yurishkuro also, can you please assign this issue to me? Thanks.

@idvoretskyi
Contributor

@yurishkuro UPD. The test took a while, however, it's ready - https://app.fossa.com/reports/6d16fa2a-88e1-467f-9076-e177b2f3fc72.

@idvoretskyi
Contributor

Submitted a PR here - #2347

@yurishkuro
Member Author

We need to add FOSSA checks for all other repositories, especially to client libraries. I am going to add links to the main description of this ticket.

@idvoretskyi do we need to do any preliminary setup in FOSSA itself?

@yurishkuro yurishkuro reopened this Sep 1, 2020
@yurishkuro yurishkuro added the good first issue Good for beginners label Sep 1, 2020
@idvoretskyi
Contributor

@yurishkuro this was my plan, so no worries, I'll work on it (once we'll agree that the current setup is good for us).

Nothing extra from the FOSSA side.

@yurishkuro
Member Author

Per #3362, we're sunsetting Jaeger clients, which is the scope of this issue.

5 participants