
Update fossa-with-cache logic

David Diederich requested to merge upgrade-fossa-with-cache into master

This MR updates the fossa-with-cache image to use the latest features from v0.9.

Notable Features

Restores use of the FOSSA Cache

We turned off the caching part of the fossa-with-cache several months back as part of the merging feature. This restores its use. The cache will cause the fossa-check-notice to compare against a cached version (rather than the generated one from FOSSA) if the local dependencies haven't changed. This will reduce the number of notice failures related to FOSSA's system giving slightly different package names, URLs, etc.

Every couple of weeks, the cache will expire and require a fresh update. This is to ensure that any improvements in FOSSA's license database are reflected in our attribution files.

Turn off local NOTICE Merging

The merging feature prevented attributions from ever being deleted. A bug in FOSSA a few months back caused large swaths of attributions to be lost, and this was our emergency reaction. That bug has since been addressed, so we can remove this.

Keep looping if no license error count is provided

Occasionally the fossa-analyze fails with an invalid comparison between NoneType and Int. I believe that this meant that the FOSSA scans weren't available yet, in part because re-running the job always fixed the issue. Now, if the license error count is None, it waits a few seconds and then tries again. I'm hopeful this will remove failure cases like this.

Remove self-built libraries from dependency list

When the self-built libraries (artifacts built by the pom files themselves) change versions, that's treated as a dependency change and the cache is ignored. However, during the tagging process, this happens when the tag is applied. In these moments, using the cache is preferred to avoid failures in the check-notice stage for the tag pipeline.

Similar problems can occur in release branches, and on the default branch, around the release process time.

NOTICE Failures after merge

Anybody using the default branch of this project will immediately get these changes, which can lead to a number of fossa-check-notice failures. I will attempt to fix all of the default branches as part of merging this MR. Branches that already existed can be fixed by merging from the default branch, or by following the normal procedure to download / commit a new NOTICE file.
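As an added illustration (not code from this MR or the fossa-with-cache image) of the cache decision described under "Restores use of the FOSSA Cache" and "Remove self-built libraries from dependency list": the third-party dependency set is fingerprinted with the project's own artifacts excluded, and the cached attributions are reused only while that fingerprint matches and the cache is younger than two weeks. The coordinates, the two-week window and the cache record shape are assumptions for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Assumed sample data: artifacts produced by the project's own pom files (constructed).
SELF_BUILT = {"com.example:core", "com.example:api"}


def external_fingerprint(deps, self_built=SELF_BUILT):
    """Hash the resolved third-party dependencies, skipping self-built artifacts.

    Self-built artifacts change version whenever a tag is applied, so including
    them would invalidate the cache exactly when the tag pipeline needs it most.
    """
    external = sorted(f"{ga}={v}" for ga, v in deps.items() if ga not in self_built)
    return hashlib.sha256("\n".join(external).encode()).hexdigest()


def should_use_cache(deps, cache, now, max_age=timedelta(weeks=2)):
    """Return (use_cache, reason). `cache` is None or {"fingerprint": str, "created": datetime}."""
    if cache is None:
        return False, "no cache: run a fresh FOSSA analysis"
    if now - cache["created"] > max_age:
        return False, "cache expired: refresh to pick up FOSSA license database improvements"
    if cache["fingerprint"] != external_fingerprint(deps):
        return False, "third-party dependencies changed: run a fresh FOSSA analysis"
    return True, "dependencies unchanged: compare NOTICE against cached attributions"


def demo():
    """Three constructed scenarios; returns the use_cache decision for each."""
    t0 = datetime(2021, 1, 1)
    deps = {"com.example:core": "1.4.0", "org.apache.commons:commons-lang3": "3.11"}
    cache = {"fingerprint": external_fingerprint(deps), "created": t0}
    results = []
    # 1. Tagging bumps only the self-built artifact: the cache stays valid.
    tagged = {**deps, "com.example:core": "1.4.1"}
    results.append(should_use_cache(tagged, cache, t0 + timedelta(days=1))[0])
    # 2. A third-party upgrade changes the fingerprint and invalidates the cache.
    upgraded = {**deps, "org.apache.commons:commons-lang3": "3.12.0"}
    results.append(should_use_cache(upgraded, cache, t0 + timedelta(days=1))[0])
    # 3. Same dependencies, but the cache is older than two weeks: force a fresh run.
    results.append(should_use_cache(deps, cache, t0 + timedelta(days=15))[0])
    return results  # [True, False, False]


if __name__ == "__main__":
    print(demo())
```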
