Cache FOSSA NOTICE files
FOSSA's generated attribution files (NOTICE) are sometimes erratic, and change in ways that are not legally significant. I've seen many cases of changes like:
- Different ordering of packages
- Duplicate packages with different counts (package listed 2 times vs 3 times)
- Changing project names, usually in case (Package Name vs package-name)
- Changing project URLs, where both are valid (github.com/project vs mvnrepository.com/project)
To address this, the fossa-with-cache tool attempts to serve as an intermediary between the GitLab CI Pipelines and the FOSSA servers.
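One way to decide whether a freshly generated NOTICE differs from a cached one only in the cosmetic ways listed above, while still flagging a new package or a changed license. This is an added example, not the fossa-with-cache code; the one-line-per-entry `name | license | url` layout, the package names and the function names are assumptions made for illustration, and real FOSSA NOTICE files are laid out differently.

```python
import re

# Constructed sample data: the same two packages with different ordering,
# duplicate counts, name casing and project URLs.
CACHED = """
Example Parser | Apache-2.0 | https://example.com/example-parser
sample-http | MIT | https://example.com/sample-http
sample-http | MIT | https://example.com/sample-http
"""
FRESH_COSMETIC = """
sample-http | MIT | https://example.org/mirror/sample-http
sample-http | MIT | https://example.org/mirror/sample-http
sample-http | MIT | https://example.org/mirror/sample-http
example-parser | Apache-2.0 | https://example.com/example-parser
"""
# Constructed sample data: same package list, but one license has changed.
FRESH_RELICENSED = FRESH_COSMETIC.replace("MIT", "GPL-3.0-only")


def canonical_name(name):
    # "Package Name" and "package-name" collapse to the same key.
    return re.sub(r"[\s_\-]+", "-", name.strip()).lower()


def parse_notice(text):
    """Return the set of (canonical name, license) pairs in a NOTICE text.

    Using a set discards ordering and duplicate counts. The URL is parsed
    but left out of the key, since two valid URLs can name one project.
    """
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            # Fail closed: an unparseable file is never treated as unchanged.
            raise ValueError(f"unparseable NOTICE line: {line!r}")
        name, license_id, _url = parts
        entries.add((canonical_name(name), license_id))
    return entries


def significant_diff(cached, fresh):
    """Return (added, removed) entries; both empty means only cosmetic drift."""
    old, new = parse_notice(cached), parse_notice(fresh)
    return sorted(new - old), sorted(old - new)
```

A license change on an existing package shows up as one removed and one added entry, so it is never hidden by the normalization.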
Purpose of this Issue
This issue is tracking the evolution of the fossa-with-cache tool until it gets enough stability to be included in the scanners/fossa-*.yml files. To begin, the logic has been applied to pilot services, where it will be adjusted based on real development experience. Unfortunately, in order to really test it we must merge it to the default branch first. So, this issue will remain as a common source for feedback, rather than an issue or MR on the pilot services. Then, this will be closed out once the logic has been moved into this project for general use.
Storage Service Pilot
The first pilot service is storage. Initial logic was included in osdu/platform/system/storage!308 (merged).
Wellbore Domain Services Pilot
The second pilot service is wellbore domain services. Initial logic was included in osdu/platform/domain-data-mgmt-services/wellbore/wellbore-domain-services!336 (merged).