diff --git a/.fossa.yml b/.fossa.yml new file mode 100644 index 00000000000..87c35f5bcae --- /dev/null +++ b/.fossa.yml @@ -0,0 +1,40 @@ +version: 3 + +targets: + only: + - type: gradle + exclude: + # these modules are not published and so consumers will not be exposed to them + - type: gradle + path: ./ + target: ':api:testing-internal' + - type: gradle + path: ./ + target: ':exporters:otlp:testing-internal' + - type: gradle + path: ./ + target: ':integration-tests' + - type: gradle + path: ./ + target: ':integration-tests:graal' + - type: gradle + path: ./ + target: ':integration-tests:graal-incubating' + - type: gradle + path: ./ + target: ':integration-tests:otlp' + - type: gradle + path: ./ + target: ':integration-tests:tracecontext' + - type: gradle + path: ./ + target: ':perf-harness' + - type: gradle + path: ./ + target: ':testing-internal' + +experimental: + gradle: + configurations-only: + # consumer will only be exposed to these dependencies + - runtimeClasspath diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml new file mode 100644 index 00000000000..23cabfc684d --- /dev/null +++ b/.github/workflows/fossa.yml @@ -0,0 +1,19 @@ +name: FOSSA + +on: + push: + branches: + - main + +permissions: + contents: read + +jobs: + fossa: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0 + with: + api-key: ${{secrets.FOSSA_API_KEY}} diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts index 5167a979be0..0139c392ffc 100644 --- a/custom-checks/build.gradle.kts +++ b/custom-checks/build.gradle.kts @@ -3,7 +3,7 @@ plugins { } dependencies { - implementation("com.google.errorprone:error_prone_core") + compileOnly("com.google.errorprone:error_prone_core") testImplementation("com.google.errorprone:error_prone_test_helpers") } diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts index 95d51cf04a0..d7cd7d90f89 100644 --- a/dependencyManagement/build.gradle.kts +++ b/dependencyManagement/build.gradle.kts @@ -8,10 +8,14 @@ val dependencyVersions = hashMapOf() rootProject.extra["versions"] = dependencyVersions val DEPENDENCY_BOMS = listOf( + // for some reason boms show up as runtime dependencies in license and vulnerability scans + // even if they are only used by test dependencies, so not using junit bom here + // (which is EPL licensed) or armeria bom (which is Apache licensed but is getting flagged + // by FOSSA for containing EPL-licensed) + "com.fasterxml.jackson:jackson-bom:2.18.2", "com.google.guava:guava-bom:33.4.0-jre", "com.google.protobuf:protobuf-bom:4.29.3", - "com.linecorp.armeria:armeria-bom:1.31.3", "com.squareup.okhttp3:okhttp-bom:4.12.0", "com.squareup.okio:okio-bom:3.10.2", // applies to transitive dependencies of okhttp "io.grpc:grpc-bom:1.70.0", @@ -19,7 +23,6 @@ val DEPENDENCY_BOMS = listOf( "io.zipkin.brave:brave-bom:6.0.3", "io.zipkin.reporter2:zipkin-reporter-bom:3.4.3", "org.assertj:assertj-bom:3.27.3", - "org.junit:junit-bom:5.11.4", "org.testcontainers:testcontainers-bom:1.20.4", "org.snakeyaml:snakeyaml-engine:2.9" ) @@ -33,8 +36,18 @@ val slf4jVersion = "2.0.16" val opencensusVersion = "0.31.1" val prometheusClientVersion = "0.16.0" val prometheusServerVersion = "1.3.5" +val armeriaVersion = "1.31.3" +val junitVersion = "5.11.4" val DEPENDENCIES = listOf( + "org.junit.jupiter:junit-jupiter-api:${junitVersion}", + "org.junit.jupiter:junit-jupiter-params:${junitVersion}", + "org.junit.jupiter:junit-jupiter-pioneer:${junitVersion}", + "com.linecorp.armeria:armeria:${armeriaVersion}", + "com.linecorp.armeria:armeria-grpc:${armeriaVersion}", + "com.linecorp.armeria:armeria-grpc-protocol:${armeriaVersion}", + "com.linecorp.armeria:armeria-junit5:${armeriaVersion}", + "com.google.auto.value:auto-value:${autoValueVersion}", "com.google.auto.value:auto-value-annotations:${autoValueVersion}", "com.google.errorprone:error_prone_annotations:${errorProneVersion}",