10 CNCF Fossa

James Magowan edited this page 2022-05-26 00:31:54 +01:00

Table of Contents

• Setup connection between Fossa and Github Organisation
• Add a Project
• Initial Repository License Status
• image-rs
• ocicrypt-rs
• operator
• td-shim
• enclave-cc
• Attestation Agent
• Attestation Service
• kbs
• simple-kbs
• cloud-api-adaptor
• community
• .github
• documentation
• Other repos
• Addressing reported Issues
• Investigation into reported dependency issues
• afl (attestation-agent, image-rs, td-shim)
• cortex-m-semihosting (attestation-agent, image-rs, ocicrypt-rs, td-shim)
• freetype-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
• glommio (ocicrypt-rs)
• gmp-mpfr-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
• lz4-sys (td-shim)
• lzma-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
• rug (attestation-agent, image-rs, ocicrypt-rs, td-shim)
• sdl2-sys (td-shim)
• servo-freetype-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)

Work in Progress to record using CNCF Fossa to fulfil our license scanning requirement for onboarding

• Request from @jeefy in CNCF access to Fossa for Confidential Containers
• Accept invite to https://app.fossa.com/projects

Setup connection between Fossa and Github Organisation

• Integrating FOSSA with GitHub instructions
• Add Projects

• Quick Import from Github

From https://github.com/organizations/confidential-containers/settings/oauth_application_policy

• Connect with Service (Choosing Proceed without linking)

• Ensure Fossa is an approved third party application for confidential containers

Fossa View

Github View

• Finally Authorise Fossa using your Github Account (??Should we eventually setup a service account for this??)

Add a Project

• Add Projects

• Quick Import - From Github

• select Confidential Container organization from drop down and should now see list of repositories

• Check a repository and import

Initial Repository License Status

image-rs

• Scan 29th April 2022
  • images-rs_issues.csv

ocicrypt-rs

• Scan 30th April 2022
  • ocicrypt-rs_issues.csv

operator

• Scan 30th April 2022
  • No Issues found

td-shim

• Scan 30th April 2022
  • td-shim_issues.csv

enclave-cc

• Scan 4th May 2022
  • No Issues found

Attestation Agent

• Scan 4th May 2022
  • attestation-agent_issues.csv

Attestation Service

• Scan 8th May 2022
  • No Issues

kbs

• Scan 8th May 2022
  • No Issues found

simple-kbs

• Scan 8th May 2022
  • No Issues found

cloud-api-adaptor

• Scan 8th May 2022
  • No Issues found

community

• Scan 8th May 2022
  • No Issues found

.github

• Scan 8th May 2022
  • No Issues found

documentation

• Scan 8th May 2022
  • No Issues found

Other repos

• https://github.com/confidential-containers/tests-CCv0 (Working with kata community)
• https://github.com/confidential-containers/kata-containers-CCv0 (Working with kata community)
• https://github.com/confidential-containers/containerd (A CNCF project so will be OK)

Addressing reported Issues

Suggest to use servicedesk (https://cncfservicedesk.atlassian.net/servicedesk) which I believe is available to maintainers.

• "File a Service Desk ticket with the topic of "Legal" (whatever that drop down is called) and cc @Amye Scavarda Perrin)"

I have examined further and actually the problem licenses are being found in a deep scan for license strings within the source code repo of the dependency. Amye guidance is that we should use service desk tickets which will route us to Legal guidance or interaction to resolve the fossa issues.

Investigation into reported dependency issues

afl (attestation-agent, image-rs, td-shim)

• Flagged: GPL-3.0-only in afl
• https://crates.io/crates/afl/0.12.0 Apache-2.0 license
• https://github.com/rust-fuzz/afl.rs/blob/0.12.0/LICENSE Apache-2.0 license
• Problem seems to come from files in submodule AFLplusplus which links to 143c9d175e

cortex-m-semihosting (attestation-agent, image-rs, ocicrypt-rs, td-shim)

• Flagged: GPL-2.0-only in cortex-m-semihosting
• https://crates.io/crates/cortex-m-semihosting/0.3.7 MIT or Apache 2.0
• https://github.com/rust-embedded/cortex-m/tree/master/cortex-m-semihosting MIT or Apache 2.0
• Problem seems to come from :- https://github.com/rust-embedded/cortex-m/blob/master/cortex-m-semihosting/src/lib.rs

freetype-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)

• Flagged: GPL-2.0-only in freetype-sys
• https://crates.io/crates/freetype-sys/0.13.1 MIT license
• https://github.com/PistonDevelopers/freetype-sys/blob/master/LICENSE MIT License
• Problem seems to be with https://github.com/PistonDevelopers/freetype-sys/blob/master/freetype2/docs/GPLv2.TXT though https://github.com/PistonDevelopers/freetype-sys/blob/master/freetype2/docs/LICENSE.TXT suggests "This means that you must choose one of the two licenses described below," "The FreeType License" or "The GNU General Public License version 2"

glommio (ocicrypt-rs)

• Flagged: LGPL-2.1-only in glommio
• Flagged: GPL-2.0-only in glommio
• https://crates.io/crates/glommio Apache 2.0 or MIT
• https://github.com/DataDog/glommio Apache 2.0 or MIT
• https://github.com/DataDog/glommio/tree/master/glommio has a submodule liburing . This seems to pull in LPGPL code

gmp-mpfr-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)

• Flagged: LGPL-3.0-only in gmp-mpfr-sys
• Flagged: GPL-2.0-only in gmp-mpfr-sys
• Flagged: GPL-3.0-only in gmp-mpfr-sys
• https://crates.io/crates/gmp-mpfr-sys/1.4.7 LGPL-3.0-only
• Requires you to (effectively) disclose your source code if the library is statically linked to your project. Not triggered if dynamically linked or a separate process.
• https://gitlab.com/tspiteri/gmp-mpfr-sys LGPL and GPL

lz4-sys (td-shim)

• Flagged: GPL-2.0-only in lz4-sys
• https://crates.io/crates/lz4-sys/1.9.2 MIT License
• https://github.com/10XGenomics/lz4-rs/blob/master/LICENSE MIT License
• Problem seems to come from files in submodule liblz4 which links to d44371841a
  • liblz4/examples/COPYING
  • liblz4/programs/COPYING
  • liblz4/programs/README.md
  • liblz4/tests/COPYING
  • liblz4/tests/README.md

lzma-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)

• Flagged: GPL-2.0-only in lzma-sys
• Flagged: LGPL-2.1-only in lzma-sys
• Flagged: GPL-3.0-only in lzma-sys
• https://crates.io/crates/lzma-sys/0.1.17 MIT or Apache 2.0
• https://github.com/alexcrichton/xz2-rs/tree/master/lzma-sys MIT or Apache 2.0
• Problem seems to come from submodule xz2-rs which links to 2327a461e1

rug (attestation-agent, image-rs, ocicrypt-rs, td-shim)

• Flagged: GPL-3.0-only in rug
• Flagged: LGPL-3.0-only in rug
• https://crates.io/crates/rug/1.15.0 LGPL-3.0+
• https://gitlab.com/tspiteri/rug LPGL and GPL though README says "Rug is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. See the full text of the GNU LGPL and GNU GPL for details."
• Requires you to (effectively) disclose your source code if the library is statically linked to your project. Not triggered if dynamically linked or a separate process.

sdl2-sys (td-shim)

• Flagged: GPL-3.0-only in sdl2-sys
• https://crates.io/crates/sdl2-sys/0.35.2 MIT
• https://github.com/Rust-SDL2/rust-sdl2/blob/master/LICENSE MIT
• https://github.com/Rust-SDL2/rust-sdl2/tree/master/sdl2-sys has a submodule SDL which links to a1e992b110
• This submodule seems to contain a1e992b110/src/hidapi/LICENSE.txt which says "HIDAPI can be used under one of three licenses. 1. The GNU General Public License, version 3.0, in LICENSE-gpl3.txt 2. A BSD-Style License, in LICENSE-bsd.txt. 3. The more liberal original HIDAPI license. LICENSE-orig.txt"

servo-freetype-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)

• Flagged: GPL-2.0-only in servo-freetype-sys
• https://crates.io/crates/servo-freetype-sys FTL or GPL-2.0
• https://github.com/servo/libfreetype2/blob/master/freetype2/docs/LICENSE.TXT This means that you must choose one of the two licenses described below The FreeType License, or The GNU General Public License version 2