Add FOSSA license scanning (#163)

trask · web-flow · commit 52c18c7081ff · 2025-02-10T09:31:18.000-08:00
diff --git a/.fossa.yml b/.fossa.yml
@@ -0,0 +1,11 @@
+version: 3
+
+targets:
+  only:
+    - type: gradle
+
+experimental:
+  gradle:
+    configurations-only:
+      # consumer will only be exposed to these dependencies
+      - runtimeClasspath
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -12,7 +12,8 @@
       "groupName": "github actions"
     },
     {
-      // pin opentelemetry-api dependency to: avoid churn, for conservative api version requirement, and because opentelemetry-api is a compileOnly dependency
+      // pin opentelemetry-api dependency to: avoid churn, for conservative api version requirement,
+      // and because opentelemetry-api is a compileOnly dependency
       "matchPackageNames": ["io.opentelemetry:opentelemetry-api"],
       "matchCurrentVersion": "1.33.0",
       "enabled": false
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -0,0 +1,19 @@
+name: FOSSA
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  fossa:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{secrets.FOSSA_API_KEY}}
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -136,6 +136,8 @@ testing {
   suites.withType(JvmTestSuite::class).configureEach {
     dependencies {
       implementation(project(project.path))
+      implementation(enforcedPlatform("org.junit:junit-bom:5.11.4"))
+      implementation(enforcedPlatform("org.assertj:assertj-bom:3.27.3"))
 
       implementation("org.junit.jupiter:junit-jupiter-api")
       implementation("org.junit.jupiter:junit-jupiter-params")
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
@@ -2,35 +2,19 @@ plugins {
   `java-platform`
 }
 
-data class DependencySet(val group: String, val version: String, val modules: List<String>)
-
-val dependencyVersions = hashMapOf<String, String>()
-rootProject.extra["versions"] = dependencyVersions
-
-val DEPENDENCY_BOMS = listOf(
-  "org.assertj:assertj-bom:3.27.3",
-  "org.junit:junit-bom:5.11.4",
-)
-
-val DEPENDENCIES = listOf(
-  "io.opentelemetry:opentelemetry-api:1.33.0"
-)
-
 javaPlatform {
   allowDependencies()
 }
 
 dependencies {
-  for (bom in DEPENDENCY_BOMS) {
-    api(enforcedPlatform(bom))
-    val split = bom.split(':')
-    dependencyVersions[split[0]] = split[2]
-  }
+  // boms that are only used by tests should be added in otel.java-conventions.gradle.kts
+  // under JvmTestSuite so they don't show up as runtime dependencies in license and vulnerability scans
+  // (the constraints section below doesn't have this issue, and will only show up
+  // as runtime dependencies if they are actually used as runtime dependencies)
+
   constraints {
-    for (dependency in DEPENDENCIES) {
-      api(dependency)
-      val split = dependency.split(':')
-      dependencyVersions[split[0]] = split[2]
-    }
+    // pinned to: avoid churn, for conservative api version requirement,
+    // and because opentelemetry-api is a compileOnly dependency
+    api("io.opentelemetry:opentelemetry-api:1.33.0")
   }
 }
