Initial LPVS release v1.0.0
Signed-off-by: Oleg Kopysov <[email protected]>
o-kopysov committed Jul 29, 2022
1 parent 26895b4 commit 46e14a6
Showing 24 changed files with 1,850 additions and 1 deletion.
43 changes: 43 additions & 0 deletions .github/Docker_Usage.md
@@ -0,0 +1,43 @@
# Additional information and tips for Docker usage

#### There are three ways to execute the Docker container with LPVS after the image was built by command `docker build -t lpvs .` :

1. Terminal mode: the log is shown in the terminal in real-time, but the terminal must be open for running the application in the container:

```bash
docker run -p 7896:7896 --name lpvs lpvs:latest
```

2. Background mode: the container is not going to be restarted after reboot, to see the log additional commands should be used: `docker logs -f lpvs`:

```bash
docker run -d -p 7896:7896 --name lpvs lpvs:latest
```

3. Background mode with constant usage: the container is going to be restarted after the reboot (other behavior is similar to the background mode):

```bash
docker run -d -p 7896:7896 --restart unless-stopped --name lpvs lpvs:latest
```

***It is better (for disk space economy) to stop and start the same container which is created by the command `docker run`.***

#### Useful Docker commands

To stop the running container use the following commands:

```bash
docker stop lpvs
```

To start the stopped container use the following commands:

```bash
docker start lpvs
```

To clean unused containers (if the command `docker run` was used a few times), _only stopped containers will be deleted_:

```bash
docker rm lpvs
```
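Review bot: the description of `docker rm lpvs` under "To clean unused containers" overstates what the command does: it removes only the single container named `lpvs` (and refuses if that container is still running), not unused containers in general. Either reword it as "remove the stopped `lpvs` container" or, if bulk cleanup is meant, document `docker container prune` instead. Minor: "use the following commands" introduces exactly one command in each of the three cases.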
28 changes: 28 additions & 0 deletions .gitignore
@@ -0,0 +1,28 @@
# Compiled class file
*.class

# Log file
*.log

# BlueJ files
*.ctxt

# Mobile Tools for Java (J2ME)
.mtj.tmp/

# Package Files #
*.jar
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

.idea/*
target/
Projects/
*.iml
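Review bot: nothing here excludes `src/main/resources/application.properties`, yet the README in this same commit tells users to write their `github.token` into that tracked file, so a filled-in token shows up as an ordinary modification and is one careless `git commit -a` away from being pushed. Suggest committing a template (for example `application.properties.example`) and ignoring the real file, or, better, reading the token from an environment variable so it never lives in the working tree. Style: `.idea/*` can simply be `.idea/`.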
36 changes: 36 additions & 0 deletions Dockerfile
@@ -0,0 +1,36 @@
# Basic image
FROM openjdk:11

# Install dependencies and remove tmp files
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install -y python3-pip maven && \
apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Setup env variables
ENV PRJ_DIR="LPVS"

# Create project dir
RUN mkdir $PRJ_DIR

# Set workdir
WORKDIR /$PRJ_DIR

# Copy source code into container
COPY . .

# Install SCANOSS
RUN pip3 install scanoss

# Build LPVS-open-source application
RUN mvn clean install

# Allow to listen port 7896
EXPOSE 7896

# Set workdir for running jar
WORKDIR /$PRJ_DIR/target

# Run application in container
CMD ["java", "-jar", "lpvs-1.0.0.jar"]
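Review bot: two issues in the image build. First, there is no `USER` directive, so `CMD ["java", "-jar", "lpvs-1.0.0.jar"]` runs the webhook listener as root; add an unprivileged user before the final `WORKDIR`/`CMD`. Second, `COPY . .` with no `.dockerignore` copies the whole build context, including `.git`, any local `target/` and the `application.properties` that the README says carries `github.token`, into an image layer, so the token ships with every copy of the image; add a `.dockerignore` and inject the token at runtime instead. Smaller points: `apt-get upgrade -y` in a Dockerfile makes the image non-reproducible (the base image tag is what should pin the OS packages), and the jar name hardcodes `1.0.0`, which has to be kept in sync with `<version>` in pom.xml by hand.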
19 changes: 19 additions & 0 deletions LICENSE
@@ -0,0 +1,19 @@
Copyright (c) 2022, Samsung Research. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
81 changes: 80 additions & 1 deletion README.md
@@ -1 +1,80 @@
# LPVS

![License Pre-Validation Service (LPVS)](lpvslogo.png)
[![Build](https://github.sec.samsung.net/SRK-PSL/LPVS-open-source/workflows/Build/badge.svg)](https://github.sec.samsung.net/SRK-PSL/LPVS-open-source/actions?query=workflow%3ABuild)

## Introduction
OpenSource code [refers](https://en.wikipedia.org/wiki/Open-source_software) to software available for use, study, change, and distribution by anyone and for any purpose provided that the corresponding license conditions are met. License violation may end up with litigations, damage compensation, obligation to disclose intellectual property as well as reputational losses.

In a project with many external dependencies it might be really difficult to trace license obligations. Also if many collaborators are involved, a risk of non-intentional license violation (such as via Copy-Paste) grows. There are even more tricky nuances such as double-licensed dependencies or license change (because of owner, purpose, legislation change) that may make a previously safe dependency to become an unsafe one over time.

License Pre-Validation Service (LPVS) helps to mitigate license-related risks for OpenSource code. The tool analyzes the project, identifies its components and their respective licenses at every commit. Then it returns the list of potential issue cases as GitHub comments. LPVS provides the comprehensive description of possible license violations, including risky code location and license issue overview.

## Features

- available license scanners: [SCANOSS](https://www.scanoss.com)
- LPVS supports GitHub review system

## LPVS GitHub Integration

LPVS license scan shall be enabled on a project via GitHub Hooks:

1. In `src/main/resources/application.properties` specify the account to be used for posting scan results as a review message. The following fields should be filled: `github.token`.

2. Add the user specified in `github.token` as a collaborator to your GitHub project.

3. Configure webhook in your GitHub repository settings:
- go to `Settings` -> `Hooks`
- press `Add webhook`
- fill in Payload URL with: `http://<IP where LPVS is running>:7896/webhooks`
- specify content type: `application/json`
- fill in `Secret` field with the passphrase: `LPVS`
- select `Let me select individual events` -> `Pull requests` (make sure that only `Pull requests` is selected)
- make it `Active`
- press `Add Webhook`

Create a new pull request and update it with commits.
LPVS will start scanning automatically, then provide comments about the licenses found in the project.

## LPVS Backend Configuration

1. Install SCANOSS Python package by following the [guideline](https://github.com/scanoss/scanoss.py#installation).

2. Fill in the lines of the `src/main/resources/application.properties` file:
```text
# Used license scanner
scanner=scanoss
# Used license conflicts source (take from 'licenses.json' ("json")
# or from scanner response("scanner"))
license_conflict=json
```
3. Fill in `src/main/resources/licenses.json` file with the information about permitted, restricted, and prohibited licenses as well as their compatibility specifics. An example of the `licenses.json` file can be found in the repository.
4. Build LPVS application with Maven, then run it:
```bash
mvn clean install
cd target/
java -jar lpvs-1.0.0.jar
```
Or alternatively build and run the Docker container with LPVS:
```bash
docker build -t lpvs .
docker run -p 7896:7896 --name lpvs lpvs:latest
```
For additional information about using Docker and tips, please check file [Docker_Usage](.github/Docker_Usage.md).
5. Install [ngrok](https://dashboard.ngrok.com/get-started) (step 1 and 2) and run it with the following command:
```bash
./ngrok http 7896
```
At this point LPVS is ready for work.
## License
The LPVS source code is distributed under the [MIT](https://opensource.org/licenses/MIT) open source license.
## Contributing
You are welcome to contribute to LPVS project.
Contributing is also a great way to practice social coding at Github, study new technologies and enrich your public portfolio.
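Review bot: step 3 of the GitHub integration, "fill in `Secret` field with the passphrase: `LPVS`", instructs every deployment to use the same publicly documented webhook secret, which defeats its purpose (the secret is what GitHub uses to sign each delivery so the receiver can tell real deliveries from forged ones). Tell readers to generate a random per-deployment secret, keep it in `application.properties` next to `github.token`, and have the service verify the signature against it; the controller in this commit only checks that the signature header is present, so the secret currently buys nothing either way. Related: the Payload URL example is plain `http://<IP where LPVS is running>:7896/webhooks` and step 5 exposes that port with ngrok; point readers at the `https` ngrok URL so deliveries and their signatures are not sent in clear. Also the Build badge links to `github.sec.samsung.net`, an internal host that will not resolve for readers of the public repository.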
Binary file added lpvslogo.png
61 changes: 61 additions & 0 deletions pom.xml
@@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>com.lpvs</groupId>
<artifactId>lpvs</artifactId>
<version>1.0.0</version>
<packaging>jar</packaging>

<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.6.RELEASE</version>
</parent>


<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>

<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>5.2.22.RELEASE</version>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>[2.8.9,)</version>
</dependency>
<dependency>
<groupId>org.kohsuke</groupId>
<artifactId>github-api</artifactId>
<version>1.114</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>2.1.2.RELEASE</version>
</plugin>
</plugins>
</build>

</project>
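Review bot: the explicit `spring-core` 5.2.22.RELEASE overrides a single module while `spring-boot-starter-parent` 2.2.6.RELEASE still manages `spring-web`, `spring-context` and the rest at the older version it ships, leaving a mixed set of Spring Framework jars on the classpath; raise the Boot parent so all Spring modules move together and drop the per-module override. Also `spring-boot-maven-plugin` is pinned to 2.1.2.RELEASE, older than the 2.2.6 parent that already manages it (remove the `<version>` element), and the open-ended Gson range `[2.8.9,)` makes the build non-reproducible and pulls in whatever newest release Maven Central has at build time without review; pin an exact version.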
44 changes: 44 additions & 0 deletions src/main/java/com/lpvs/LicensePreValidationSystem.java
@@ -0,0 +1,44 @@
/**
* Copyright (c) 2022, Samsung Research. All rights reserved.
*
* Use of this source code is governed by a MIT license that can be
* found in the LICENSE file.
*/

package com.lpvs;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.core.task.TaskExecutor;
import org.springframework.scheduling.annotation.EnableAsync;
import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;


@SpringBootApplication
@EnableAutoConfiguration(exclude={DataSourceAutoConfiguration.class, HibernateJpaAutoConfiguration.class})
@EnableAsync
public class LicensePreValidationSystem {

@Value("${lpvs.cores:8}")
private int corePoolSize;

public static void main(String[] args) {
SpringApplication app = new SpringApplication(LicensePreValidationSystem.class);
app.run(args);
}

@Bean("threadPoolTaskExecutor")
public TaskExecutor getAsyncExecutor(){
ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
executor.setCorePoolSize(corePoolSize);
executor.setThreadNamePrefix("LPVS-ASYNC::");
return executor;
}

}
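Review bot: `@EnableAutoConfiguration(exclude = ...)` on top of `@SpringBootApplication` repeats the annotation that `@SpringBootApplication` already meta-annotates; the idiomatic form is `@SpringBootApplication(exclude = {DataSourceAutoConfiguration.class, HibernateJpaAutoConfiguration.class})`. Excluding both also suggests `spring-boot-starter-data-jpa` in pom.xml is unused and can go. On the executor, only `setCorePoolSize` is called: `ThreadPoolTaskExecutor` defaults to an unbounded queue (`Integer.MAX_VALUE`), so the pool never grows past `lpvs.cores` threads and every additional webhook-triggered scan waits in memory without limit; set `setQueueCapacity` and `setMaxPoolSize` explicitly and choose a rejection policy, so a burst of deliveries degrades predictably instead of accumulating.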

67 changes: 67 additions & 0 deletions src/main/java/com/lpvs/controller/GitHubWebhooksController.java
@@ -0,0 +1,67 @@
/**
* Copyright (c) 2022, Samsung Research. All rights reserved.
*
* Use of this source code is governed by a MIT license that can be
* found in the LICENSE file.
*/

package com.lpvs.controller;

import com.lpvs.entity.config.WebhookConfig;
import com.lpvs.service.GitHubService;
import com.lpvs.service.QueueService;
import com.lpvs.util.WebhookUtil;
import com.lpvs.entity.ResponseWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestBody;
import java.util.Date;


@RestController
public class GitHubWebhooksController {

@Autowired
private QueueService queueService;

@Autowired
private GitHubService gitHubService;

private static Logger LOG = LoggerFactory.getLogger(GitHubWebhooksController.class);

private static final String SIGNATURE = "X-Hub-Signature";
private static final String SUCCESS = "Success";
private static final String ERROR = "Error";

@RequestMapping(value = "/webhooks", method = RequestMethod.POST)
public ResponseEntity<ResponseWrapper> gitHubWebhooks(@RequestHeader(SIGNATURE) String signature, @RequestBody String payload) throws InterruptedException {
LOG.info("New webhook request received");

// if signature is empty return 401
if (!StringUtils.hasText(signature)) {
return new ResponseEntity<>(new ResponseWrapper(ERROR), HttpStatus.FORBIDDEN);
}

// if payload is empty, don't do anything
if (!StringUtils.hasText(payload)) {
LOG.info("Response to empty payload sent");
return new ResponseEntity<>(new ResponseWrapper(SUCCESS), HttpStatus.OK);
} else if (WebhookUtil.checkPayload(payload)) {
WebhookConfig webhookConfig = WebhookUtil.getGitHubWebhookConfig(payload);
webhookConfig.setDate(new Date());
LOG.info("Repository scanning is enabled: On");
gitHubService.setPendingCheck(webhookConfig);
queueService.addFirst(webhookConfig);
}
LOG.info("Response sent");
return new ResponseEntity<>(new ResponseWrapper(SUCCESS), HttpStatus.OK);
}
}
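Review bot: the `X-Hub-Signature` header is only tested for presence (`if (!StringUtils.hasText(signature))`) and never compared with anything, so a request carrying any non-empty header value is accepted and reaches `gitHubService.setPendingCheck` and `queueService.addFirst`; combined with the README's ngrok exposure of port 7896, unauthenticated callers can enqueue scans and trigger pending checks on the configured repositories. Verify the header: compute HMAC-SHA1 over the raw request body with the configured webhook secret, compare the hex digest with the value after `sha1=` using a constant-time comparison such as `MessageDigest.isEqual`, and reject mismatches before any state changes. Also the comment says "return 401" while the code returns `HttpStatus.FORBIDDEN` (403); pick one and keep comment and code in agreement. A payload that fails `WebhookUtil.checkPayload` still gets a 200 `Success` with no log line, which hides bad deliveries; a 400 plus a log entry would help diagnosis. Minor: `LOG` should be `static final`.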