cleanup oss-compliance & NOTICES.md (digital-asset#8242)

Mostly outdated/redundant information across those; hopefully this is now more accurate. CHANGELOG_BEGIN CHANGELOG_END
TuranDev · Dec 10, 2020 · 2de96b7 · 2de96b7
1 parent 4478d63
commit 2de96b7
Show file tree

Hide file tree

Showing 11 changed files with 18 additions and 903 deletions.
diff --git a/NOTICES.md b/NOTICES.md
@@ -1,33 +1,26 @@
-## Generating NOTICES file
+# Open Source Software Compliance
 
-The notices file is generated after the completion of an automated Blackduck scan of the entire daml repo.
+## Overview
 
-At present this needs to be updated by running the scan manually and checking in the updated NOTICES file on a PR. In future a PR will be automatically created when a change in the NOTICES file is detected as part of the Blackduck scan within the daily compat job on master.
+We currently use an asynchronous, daily cron job to check the compliance of our
+libraries (and check for vulnerabilities at the same time). If the NOTICES file
+needs changing, the cron job will generate a PR to update it.
 
-To generate the file locally, you should run the Blackduck scan after performing a full Bazel build on the DAML repo
+The cron job leverages Bazel to generate the list of dependencies, and relies
+on BlackDuck to flag license violations and security advisories.
 
-Full details on running a Blackduck scan can be found @ https://github.com/DACH-NY/security-blackduck/blob/master/README.md
+## Licenses
 
+Which licenses are or are not acceptable is maanged at the Blackduck level.
 
-1) Run full Bazel build
-```bazel build //...```
+## What if the check fails?
 
-2) Create personal Blackduck token and add to environment variable
-Create a personal Blackduck token by authenticating to the Blackduck site with your DA Google account
-https://digitalasset.blackducksoftware.com/api/current-user/tokens
-
-Click Create New Token and give yourself read and write access, giving a memorable name (<username>-<machine> or similar)
-Copy the contents of this token and define in a local environment variable called BLACKDUCK_HUBDETECT_TOKEN
-```export BLACKDUCK_HUB_DETECT_TOKEN=<token_you_have_just_created>``` 
-
-2) Run Haskell Blackduck scan
-https://github.com/digital-asset/daml/blob/a17b340b47a711b53a1a5eb141c7835a9fb9bbbe/ci/cron/daily-compat.yml#L227-L234
-
-3) Run Scan for all remaining languages, waiting for notices file to be generated
-https://github.com/digital-asset/daml/blob/a17b340b47a711b53a1a5eb141c7835a9fb9bbbe/ci/cron/daily-compat.yml#L241-L257
-
-4) Remove windows line endings and rename file to NOTICES
-```tr -d '\015' <*_Black_Duck_Notices_Report.txt | grep -v dach-ny_daml-on-corda >NOTICES```
-
-5) Create a new PR with the changes and submit for review for merge to master
+Checks can fail for a number of reasons. Here are the common ones:
 
+- A library is using a license we don't allow. Check with security & legal to
+  see if the license can be added; if not, remove the dependency.
+- A library is incorrectly classified on BlackDuck: it should have an allowed
+  license, but somehow the information on BlackDuck disagrees with that.
+  Contact Security to sort it out.
+- A library triggers a security notice. That will depend on the specific issue;
+  in general, upgrading the library may help.
diff --git a/oss-compliance/.gitignore b/oss-compliance/.gitignore
diff --git a/oss-compliance/LICENSES_WHITE_LIST.csv b/oss-compliance/LICENSES_WHITE_LIST.csv
diff --git a/oss-compliance/Makefile b/oss-compliance/Makefile
diff --git a/oss-compliance/PACKAGES_WHITE_LIST.csv b/oss-compliance/PACKAGES_WHITE_LIST.csv
diff --git a/oss-compliance/Pipfile b/oss-compliance/Pipfile
diff --git a/oss-compliance/Pipfile.lock b/oss-compliance/Pipfile.lock
diff --git a/oss-compliance/README.md b/oss-compliance/README.md