Updated CNCF Fossa (markdown)

CNCF-Fossa.md

@@ -102,5 +102,85 @@ Github View
 Suggest to use servicedesk (https://cncfservicedesk.atlassian.net/servicedesk) which I believe is available to maintainers.
 - "File a Service Desk ticket with the topic of "Legal" (whatever that drop down is called) and cc @Amye Scavarda Perrin)"
 
-I have examined further and I am not sure it is a multiple license issue but rather that the deep scan is finding matches for license strings in some files within the source code repo of the dependency. Amye has been out of office until today Wed 25th May but I have reached out for further guidance.
+I have examined further and actually the problem licenses are being found in a deep scan for license strings within the source code repo of the dependency. Amye guidance is that we should use service desk tickets which will route us to Legal guidance or interaction to resolve the fossa issues.
+
+# Investigation into reported dependency issues
+## afl (attestation-agent, image-rs, td-shim)
+- Flagged: GPL-3.0-only in afl
+- https://crates.io/crates/afl/0.12.0 Apache-2.0 license 
+- https://github.com/rust-fuzz/afl.rs/blob/0.12.0/LICENSE Apache-2.0 license 
+- Problem seems to come from files in submodule AFLplusplus which links to https://github.com/AFLplusplus/AFLplusplus/tree/143c9d175e9357ba548413ee7dcee6a8de23f733
+
+## cortex-m-semihosting (attestation-agent, image-rs, ocicrypt-rs, td-shim)
+- Flagged: GPL-2.0-only in cortex-m-semihosting
+- https://crates.io/crates/cortex-m-semihosting/0.3.7 MIT or Apache 2.0 
+- https://github.com/rust-embedded/cortex-m/tree/master/cortex-m-semihosting MIT or Apache 2.0 
+- Problem seems to come from :- https://github.com/rust-embedded/cortex-m/blob/master/cortex-m-semihosting/src/lib.rs
+
+## freetype-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
+- Flagged: GPL-2.0-only in freetype-sys
+- https://crates.io/crates/freetype-sys/0.13.1 MIT license
+- https://github.com/PistonDevelopers/freetype-sys/blob/master/LICENSE  MIT License
+- Problem seems to be with https://github.com/PistonDevelopers/freetype-sys/blob/master/freetype2/docs/GPLv2.TXT
+though
+https://github.com/PistonDevelopers/freetype-sys/blob/master/freetype2/docs/LICENSE.TXT
+suggests "This means  that *you* must choose  *one* of the  two licenses described
+below," "The FreeType License" or "The GNU General Public License version 2"
+
+## glommio (ocicrypt-rs)
+- Flagged: LGPL-2.1-only in glommio
+- Flagged: GPL-2.0-only in glommio
+- https://crates.io/crates/glommio Apache 2.0 or MIT 
+- https://github.com/DataDog/glommio Apache 2.0 or MIT 
+- https://github.com/DataDog/glommio/tree/master/glommio has a submodule liburing . This seems to pull in LPGPL code
+
+## gmp-mpfr-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
+- Flagged: LGPL-3.0-only in gmp-mpfr-sys
+- Flagged: GPL-2.0-only in gmp-mpfr-sys
+- Flagged: GPL-3.0-only in gmp-mpfr-sys
+- https://crates.io/crates/gmp-mpfr-sys/1.4.7    LGPL-3.0-only
+- Requires you to (effectively) disclose your source code if the library is statically linked to your project. Not triggered if dynamically linked or a separate process.
+- https://gitlab.com/tspiteri/gmp-mpfr-sys    LGPL and GPL
+
+## lz4-sys (td-shim)
+- Flagged: GPL-2.0-only in lz4-sys
+- https://crates.io/crates/lz4-sys/1.9.2 MIT License 
+- https://github.com/10XGenomics/lz4-rs/blob/master/LICENSE MIT License 
+- Problem seems to come from files in submodule liblz4 which links to https://github.com/lz4/lz4/tree/d44371841a2f1728a3f36839fd4b7e872d0927d3
+  - liblz4/examples/COPYING
+  - liblz4/programs/COPYING
+  - liblz4/programs/README.md
+  - liblz4/tests/COPYING
+  - liblz4/tests/README.md
+
+## lzma-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
+- Flagged: GPL-2.0-only in lzma-sys
+- Flagged: LGPL-2.1-only in lzma-sys
+- Flagged: GPL-3.0-only in lzma-sys
+- https://crates.io/crates/lzma-sys/0.1.17 MIT or Apache 2.0
+- https://github.com/alexcrichton/xz2-rs/tree/master/lzma-sys MIT or Apache 2.0
+- Problem seems to come from submodule xz2-rs which links to https://github.com/xz-mirror/xz/tree/2327a461e1afce862c22269b80d3517801103c1b
+
+## rug (attestation-agent, image-rs, ocicrypt-rs, td-shim)
+- Flagged: GPL-3.0-only in rug
+- Flagged: LGPL-3.0-only in rug
+- https://crates.io/crates/rug/1.15.0 LGPL-3.0+ 
+- https://gitlab.com/tspiteri/rug LPGL and GPL though README says "Rug is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. See the full text of the GNU LGPL and GNU GPL for details." 
+- Requires you to (effectively) disclose your source code if the library is statically linked to your project. Not triggered if dynamically linked or a separate process.
+
+## sdl2-sys (td-shim)
+- Flagged: GPL-3.0-only in sdl2-sys
+- https://crates.io/crates/sdl2-sys/0.35.2 MIT 
+- https://github.com/Rust-SDL2/rust-sdl2/blob/master/LICENSE MIT 
+- https://github.com/Rust-SDL2/rust-sdl2/tree/master/sdl2-sys has a submodule SDL which links to https://github.com/libsdl-org/SDL/tree/a1e992b110b9adf3305a5ebb5514f0e970f7911e 
+- This submodule seems to contain https://github.com/libsdl-org/SDL/blob/a1e992b110b9adf3305a5ebb5514f0e970f7911e/src/hidapi/LICENSE.txt which says "HIDAPI can be used under one of three licenses. 1. The GNU General Public License, version 3.0, in LICENSE-gpl3.txt 2. A BSD-Style License, in LICENSE-bsd.txt. 3. The more liberal original HIDAPI license. LICENSE-orig.txt" 
+
+## servo-freetype-sys (attestation-agent, image-rs, ocicrypt-rs, td-shim)
+- Flagged: GPL-2.0-only in servo-freetype-sys
+- https://crates.io/crates/servo-freetype-sys FTL or GPL-2.0 
+- https://github.com/servo/libfreetype2/blob/master/freetype2/docs/LICENSE.TXT This means that *you* must choose *one* of the two licenses described below The FreeType License, or The GNU General Public License version 2
+
+
+
+