github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #122250 from thockin/fix_verify-licenses

Browse Source 
Fix verify-licenses.sh
This commit is contained in:
Kubernetes Prow Robot
2023-12-14 07:27:39 +01:00
committed by GitHub
parent ac425531b1 7dfe3d866b
commit 485e57c395
1 changed files with 58 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
hack/verify-licenses.sh
View File

@@ -26,26 +26,25 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
source "${KUBE_ROOT}/hack/lib/init.sh" source "${KUBE_ROOT}/hack/lib/init.sh"
source "${KUBE_ROOT}/hack/lib/util.sh" source "${KUBE_ROOT}/hack/lib/util.sh"
# This sets up the environment, like GOCACHE, which keeps the worktree cleaner. # This sets up the environment, like GOCACHE, which keeps the worktree cleaner.
kube::golang::setup_env kube::golang::setup_env
kube::util::ensure-temp-dir kube::util::ensure-temp-dir
# Creating a new repository tree # Creating a new repository tree
# Deleting vendor directory to make go-licenses fetch license URLs from go-packages source repository # Deleting vendor directory to make go-licenses fetch license URLs from go-packages source repository
git worktree add -f "${KUBE_TEMP}"/tmp_test_licenses/kubernetes HEAD >/dev/null 2>&1 || true git worktree add -f "${KUBE_TEMP}"/tmp_test_licenses/kubernetes HEAD >/dev/null 2>&1 || true
cd "${KUBE_TEMP}"/tmp_test_licenses/kubernetes && rm -rf vendor cd "${KUBE_TEMP}"/tmp_test_licenses/kubernetes && rm -rf vendor
# Ensure that we find the binaries we build before anything else. # Ensure that we find the binaries we build before anything else.
export GOBIN="${KUBE_OUTPUT_BINPATH}" export GOBIN="${KUBE_OUTPUT_BINPATH}"
PATH="${GOBIN}:${PATH}" PATH="${GOBIN}:${PATH}"
# Explicitly opt into go modules, even though we're inside a GOPATH directory # Explicitly opt into go modules, even though we're inside a GOPATH directory
export GO111MODULE=on export GO111MODULE=on
function http_code() {
curl -I -s -o /dev/null -w "%{http_code}" "$1"
}
allowed_licenses=() allowed_licenses=()
packages_flagged=() packages_flagged=()
@@ -60,97 +59,79 @@ go install github.com/google/go-licenses@latest
# Refer: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md # Refer: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
curl -s 'https://spdx.org/licenses/licenses.json' -o "${KUBE_TEMP}"/licenses.json curl -s 'https://spdx.org/licenses/licenses.json' -o "${KUBE_TEMP}"/licenses.json
number_of_licenses=$(jq '.licenses | length' "${KUBE_TEMP}"/licenses.json)
loop_index_length=$(( number_of_licenses - 1 ))
echo '[INFO] Fetching current list of CNCF approved licenses...' echo '[INFO] Fetching current list of CNCF approved licenses...'
for index in $(seq 0 $loop_index_length); while read -r L; do
do allowed_licenses+=("${L}")
licenseID=$(jq ".licenses[$index] .licenseId" "${KUBE_TEMP}"/licenses.json) done < <(jq -r '.licenses[] | select(.isDeprecatedLicenseId==false) .licenseId' "${KUBE_TEMP}"/licenses.json)
if [[ $(jq ".licenses[$index] .isDeprecatedLicenseId" "${KUBE_TEMP}"/licenses.json) == false ]]
then
allowed_licenses+=("${licenseID}")
fi
done
# Scanning go-packages under the project & verifying against the CNCF approved list of licenses # Scanning go-packages under the project & verifying against the CNCF approved list of licenses
echo '[INFO] Starting license scan on go-packages...' echo '[INFO] Starting license scan on go-packages...'
go-licenses report ./... >> "${KUBE_TEMP}"/licenses.csv go-licenses report ./... >> "${KUBE_TEMP}"/licenses.csv
echo -e 'PACKAGE_NAME LICENSE_NAME LICENSE_URL\n' >> "${KUBE_TEMP}"/approved_licenses.dump echo -e 'PACKAGE_NAME LICENSE_NAME LICENSE_URL\n' >> "${KUBE_TEMP}"/approved_licenses.dump
while IFS=, read -r GO_PACKAGE LICENSE_URL LICENSE_NAME while IFS=, read -r GO_PACKAGE LICENSE_URL LICENSE_NAME; do
do if ! printf -- "%s\n" "${allowed_licenses[@]}" | grep -q "^${LICENSE_NAME}$"; then
FORMATTED_LICENSE_URL= echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/notapproved_licenses.dump
if [[ " ${allowed_licenses[*]} " == *"${LICENSE_NAME}"* ]]; packages_flagged+=("${GO_PACKAGE}")
then continue
if [[ "${LICENSE_URL}" == 'Unknown' ]]; fi
then
if [[ "${GO_PACKAGE}" != k8s.io/* ]]; if [[ "${LICENSE_URL}" == 'Unknown' ]]; then
then if [[ "${GO_PACKAGE}" != k8s.io/* ]]; then
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump
packages_url_missing+=("${GO_PACKAGE}") packages_url_missing+=("${GO_PACKAGE}")
else else
LICENSE_URL='https://github.com/kubernetes/kubernetes/blob/master/LICENSE' LICENSE_URL='https://github.com/kubernetes/kubernetes/blob/master/LICENSE'
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
fi fi
elif curl -Is "${LICENSE_URL}" | head -1 | grep -q 404; continue
then fi
# Check whether the License URL is incorrectly formed
# TODO: Remove this workaround check once PR https://github.com/google/go-licenses/pull/110 is merged if [[ "$(http_code "${LICENSE_URL}")" != 404 ]]; then
IFS='/' read -r -a split_license_url <<< ${LICENSE_URL} echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
for part_of_url in "${split_license_url[@]}" continue
do fi
if [[ ${part_of_url} == '' ]]
then # The URL 404'ed. Try parent-paths.
continue
elif [[ ${part_of_url} == 'https:' ]] #echo -e "DBG: err 404 ${LICENSE_URL}"
then dir="$(dirname "${LICENSE_URL}")"
FORMATTED_LICENSE_URL+='https://' file="$(basename "${LICENSE_URL}")"
else
if [[ ${part_of_url} =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] while [[ "${dir}" != "." ]]; do
then dir="$(dirname "${dir}")"
FORMATTED_LICENSE_URL+="${part_of_url}/${split_license_url[-1]}" #echo "DBG: try ${dir}/${file}"
break if [[ "$(http_code "${dir}/${file}")" != 404 ]]; then
else #echo "DBG: it worked"
FORMATTED_LICENSE_URL+="${part_of_url}/" echo "${GO_PACKAGE} ${LICENSE_NAME} ${dir}/${file}" >> "${KUBE_TEMP}"/approved_licenses.dump
fi break
fi fi
done #echo "DBG: still 404"
if curl -Is "${FORMATTED_LICENSE_URL}" | head -1 | grep -q 404; done
then if [[ "${dir}" == "." ]];then
packages_url_missing+=("${GO_PACKAGE}") #echo "DBG: failed to find a license"
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump packages_url_missing+=("${GO_PACKAGE}")
else echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump
echo "${GO_PACKAGE} ${LICENSE_NAME} ${FORMATTED_LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump fi
fi
else
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/approved_licenses.dump
fi
else
echo "${GO_PACKAGE} ${LICENSE_NAME} ${LICENSE_URL}" >> "${KUBE_TEMP}"/notapproved_licenses.dump
packages_flagged+=("${GO_PACKAGE}")
fi
done < "${KUBE_TEMP}"/licenses.csv done < "${KUBE_TEMP}"/licenses.csv
awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/approved_licenses.dump awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/approved_licenses.dump
if [[ ${#packages_url_missing[@]} -gt 0 ]]; then if [[ ${#packages_url_missing[@]} -gt 0 ]]; then
echo -e '\n[ERROR] The following go-packages in the project have unknown or unreachable license URL:' echo -e '\n[ERROR] The following go-packages in the project have unknown or unreachable license URL:'
awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/approved_licenses_with_missing_urls.dump
exit_code=1 exit_code=1
fi fi
if [[ ${#packages_flagged[@]} -gt 0 ]]; then if [[ ${#packages_flagged[@]} -gt 0 ]]; then
kube::log::error "[ERROR] The following go-packages in the project are using non-CNCF approved licenses. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md" kube::log::error "[ERROR] The following go-packages in the project are using non-CNCF approved licenses. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md"
awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/notapproved_licenses.dump awk '{ printf "%-100s : %-20s : %s\n", $1, $2, $3 }' "${KUBE_TEMP}"/notapproved_licenses.dump
exit_code=1 exit_code=1
elif [[ "${exit_code}" -eq 1 ]]; then elif [[ "${exit_code}" -eq 1 ]]; then
kube::log::status "[ERROR] Project is using go-packages with unknown or unreachable license URLs. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md" kube::log::status "[ERROR] Project is using go-packages with unknown or unreachable license URLs. Please refer to the CNCF's approved licence list for further information: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md"
else else
kube::log::status "[SUCCESS] Scan complete! All go-packages under the project are using current CNCF approved licenses!" kube::log::status "[SUCCESS] Scan complete! All go-packages under the project are using current CNCF approved licenses!"
fi fi
exit "${exit_code}" exit "${exit_code}"