Remove Self-Built Dependencies from List of Locators

Dependency List Background

The list of FOSSA locators (aka dependencies) is used to determine whether two different runs of fossa-with-cache are operating on the same dependencies. If the two lists are identical (that is, they hash to the same SHA), the NOTICE file from the previous run can safely be reused. This is the main feature of fossa-with-cache.

Self-Built Dependencies

The maven-based projects from OSDU generally use a parent-child pom relationship, so a single build produces several different jar artifacts. These artifacts are combined to form the final product, but as a side effect some of them show up as dependencies of the others.

For example, when building osdu/platform/system/search-service, the dependency org.opengroup.osdu:search-core shows up in the list of dependencies. On a release branch the version of this dependency is X.Y.Z-SNAPSHOT. Once the release branch is stabilized, the -SNAPSHOT suffix is removed and the result is tagged. The dependency list is then technically different, which prevents reuse of the cached NOTICE file from the release branch. Since a tag has only a single SHA associated with it and can't be corrected with minor changes to the NOTICE file, this removes the cached use of FOSSA at exactly the moment it is needed most.

Proposed Solution

When generating the clean dependency list from FOSSA's raw dependency list, remove entries that refer to self-built libraries. These entries aren't essential: they would not have generated an attribution entry anyway (you generally don't attribute yourself in your own NOTICE).
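The following is an added illustration of the proposed filtering step; it is not code from fossa-with-cache or from OSDU. It assumes FOSSA locators take the form fetcher+group:artifact$version (e.g. mvn+org.opengroup.osdu:search-core$0.3.0-SNAPSHOT), that the self-built group is org.opengroup.osdu, and that the cache key is a SHA-256 over the sorted, cleaned list. The two input lists are constructed samples standing in for a release-branch run and a tagged-release run of the same project. Matching is done on dotted group boundaries so that a third-party group that merely shares a prefix is never dropped (dropping it would silently remove an attribution from the NOTICE), and locators that do not parse are kept rather than discarded.

```python
import hashlib
import re

# Constructed sample FOSSA raw dependency lists (not real FOSSA output).
# Locator format assumed: "<fetcher>+<group>:<artifact>$<version>".
RELEASE_BRANCH = """\
mvn+org.opengroup.osdu:search-core$0.3.0-SNAPSHOT
mvn+org.springframework.boot:spring-boot-starter-web$2.2.4.RELEASE
mvn+com.fasterxml.jackson.core:jackson-databind$2.10.2
mvn+org.opengroup.osdu:os-core-common$0.3.0-SNAPSHOT
"""

RELEASE_TAG = """\
mvn+org.opengroup.osdu:search-core$0.3.0
mvn+org.springframework.boot:spring-boot-starter-web$2.2.4.RELEASE
mvn+com.fasterxml.jackson.core:jackson-databind$2.10.2
mvn+org.opengroup.osdu:os-core-common$0.3.0
"""

# Assumed: the Maven groups that this repository builds itself.
SELF_BUILT_GROUPS = ("org.opengroup.osdu",)

LOCATOR_RE = re.compile(r"^(?P<fetcher>[a-z]+)\+(?P<package>[^$]+)\$(?P<version>.+)$")


def is_self_built(locator, self_groups=SELF_BUILT_GROUPS):
    """True if the locator is a Maven artifact from one of our own groups."""
    m = LOCATOR_RE.match(locator)
    if not m:
        # Unknown locator format: keep it. Failing toward attribution is the
        # safe direction; we must never silently drop a third-party entry.
        return False
    if m.group("fetcher") != "mvn":
        return False
    group = m.group("package").split(":", 1)[0]
    # Match only on dotted boundaries: "org.opengroup.osdu" and
    # "org.opengroup.osdu.core" are ours, "org.opengroup.osdux" is not.
    return any(group == g or group.startswith(g + ".") for g in self_groups)


def clean_dependency_list(raw, self_groups=SELF_BUILT_GROUPS):
    """Deduplicate, drop self-built entries, and sort for a stable hash."""
    locators = {line.strip() for line in raw.splitlines() if line.strip()}
    return sorted(l for l in locators if not is_self_built(l, self_groups))


def dependency_sha(locators):
    """Cache key: SHA-256 over the newline-joined locator list."""
    return hashlib.sha256(("\n".join(locators) + "\n").encode()).hexdigest()


if __name__ == "__main__":
    raw_branch = sorted(RELEASE_BRANCH.split())
    raw_tag = sorted(RELEASE_TAG.split())
    print("raw lists match:    ", dependency_sha(raw_branch) == dependency_sha(raw_tag))
    branch = clean_dependency_list(RELEASE_BRANCH)
    tag = clean_dependency_list(RELEASE_TAG)
    print("cleaned lists match:", dependency_sha(branch) == dependency_sha(tag))
    for loc in branch:
        print("  ", loc)
```

With the raw lists the SNAPSHOT suffix makes the two SHAs differ, so the tagged build would miss the cache; after removing the org.opengroup.osdu entries both runs hash identically and the release-branch NOTICE can be reused.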