Signed-off-by: Oleg Kopysov <[email protected]>
Showing
24 changed files
with
1,850 additions
and
1 deletion.
@@ -0,0 +1,43 @@ | ||
# Additional information and tips for Docker usage | ||
|
||
#### There are three ways to execute the Docker container with LPVS after the image was built by command `docker build -t lpvs .` : | ||
|
||
1. Terminal mode: the log is shown in the terminal in real-time, but the terminal must be open for running the application in the container: | ||
|
||
```bash | ||
docker run -p 7896:7896 --name lpvs lpvs:latest | ||
``` | ||
|
||
2. Background mode: the container is not going to be restarted after reboot, to see the log additional commands should be used: `docker logs -f lpvs`: | ||
|
||
```bash | ||
docker run -d -p 7896:7896 --name lpvs lpvs:latest | ||
``` | ||
|
||
3. Background mode with constant usage: the container is going to be restarted after the reboot (other behavior is similar to the background mode): | ||
|
||
```bash | ||
docker run -d -p 7896:7896 --restart unless-stopped --name lpvs lpvs:latest | ||
``` | ||
|
||
***It is better (for disk space economy) to stop and start the same container which is created by the command `docker run`.*** | ||
|
||
#### Useful Docker commands | ||
|
||
To stop the running container use the following commands: | ||
|
||
```bash | ||
docker stop lpvs | ||
``` | ||
|
||
To start the stopped container use the following commands: | ||
|
||
```bash | ||
docker start lpvs | ||
``` | ||
|
||
To clean unused containers (if the command `docker run` was used a few times), _only stopped containers will be deleted_: | ||
|
||
```bash | ||
docker rm lpvs | ||
``` |
@@ -0,0 +1,28 @@ | ||
# Compiled class file | ||
*.class | ||
|
||
# Log file | ||
*.log | ||
|
||
# BlueJ files | ||
*.ctxt | ||
|
||
# Mobile Tools for Java (J2ME) | ||
.mtj.tmp/ | ||
|
||
# Package Files # | ||
*.jar | ||
*.war | ||
*.nar | ||
*.ear | ||
*.zip | ||
*.tar.gz | ||
*.rar | ||
|
||
# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml | ||
hs_err_pid* | ||
|
||
.idea/* | ||
target/ | ||
Projects/ | ||
*.iml |
@@ -0,0 +1,36 @@ | ||
# Basic image | ||
FROM openjdk:11 | ||
|
||
# Install dependencies and remove tmp files | ||
RUN apt-get update && \ | ||
apt-get upgrade -y && \ | ||
apt-get install -y python3-pip maven && \ | ||
apt-get clean && \ | ||
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* | ||
|
||
# Setup env variables | ||
ENV PRJ_DIR="LPVS" | ||
|
||
# Create project dir | ||
RUN mkdir $PRJ_DIR | ||
|
||
# Set workdir | ||
WORKDIR /$PRJ_DIR | ||
|
||
# Copy source code into container | ||
COPY . . | ||
|
||
# Install SCANOSS | ||
RUN pip3 install scanoss | ||
|
||
# Build LPVS-open-source application | ||
RUN mvn clean install | ||
|
||
# Allow to listen port 7896 | ||
EXPOSE 7896 | ||
|
||
# Set workdir for running jar | ||
WORKDIR /$PRJ_DIR/target | ||
|
||
# Run application in container | ||
CMD ["java", "-jar", "lpvs-1.0.0.jar"] |
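Review bot: `COPY . .` on line 147 copies the entire working tree into the image, including `src/main/resources/application.properties`, which the README in this same commit tells users to fill with `github.token`; the token then lives in an image layer readable by anyone who can pull the image. Supply it at run time instead (an environment variable or a mounted properties file) and add a `.dockerignore` that excludes the properties file and `target/`. The image has no `USER` instruction, so the jar runs as root inside the container; create an unprivileged user before the final `WORKDIR` and switch to it. Moving `RUN pip3 install scanoss` ahead of `COPY . .` would also let Docker cache that layer across source changes. The `openjdk` image on Docker Hub has been marked deprecated, so an actively maintained JDK 11 base is worth considering.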
@@ -0,0 +1,19 @@ | ||
Copyright (c) 2022, Samsung Research. All rights reserved. | ||
|
||
Permission is hereby granted, free of charge, to any person obtaining a copy | ||
of this software and associated documentation files (the "Software"), to deal | ||
in the Software without restriction, including without limitation the rights | ||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
copies of the Software, and to permit persons to whom the Software is | ||
furnished to do so, subject to the following conditions: | ||
|
||
The above copyright notice and this permission notice shall be included in | ||
all copies or substantial portions of the Software. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
SOFTWARE. |
@@ -1 +1,80 @@ | ||
# LPVS | ||
|
||
![License Pre-Validation Service (LPVS)](lpvslogo.png) | ||
[![Build](https://github.sec.samsung.net/SRK-PSL/LPVS-open-source/workflows/Build/badge.svg)](https://github.sec.samsung.net/SRK-PSL/LPVS-open-source/actions?query=workflow%3ABuild) | ||
|
||
## Introduction | ||
OpenSource code [refers](https://en.wikipedia.org/wiki/Open-source_software) to software available for use, study, change, and distribution by anyone and for any purpose provided that the corresponding license conditions are met. License violation may end up with litigations, damage compensation, obligation to disclose intellectual property as well as reputational losses. | ||
|
||
In a project with many external dependencies it might be really difficult to trace license obligations. Also if many collaborators are involved, a risk of non-intentional license violation (such as via Copy-Paste) grows. There are even more tricky nuances such as double-licensed dependencies or license change (because of owner, purpose, legislation change) that may make a previously safe dependency to become an unsafe one over time. | ||
|
||
License Pre-Validation Service (LPVS) helps to mitigate license-related risks for OpenSource code. The tool analyzes the project, identifies its components and their respective licenses at every commit. Then it returns the list of potential issue cases as GitHub comments. LPVS provides the comprehensive description of possible license violations, including risky code location and license issue overview. | ||
|
||
## Features | ||
|
||
- available license scanners: [SCANOSS](https://www.scanoss.com) | ||
- LPVS supports GitHub review system | ||
|
||
## LPVS GitHub Integration | ||
|
||
LPVS license scan shall be enabled on a project via GitHub Hooks: | ||
|
||
1. In `src/main/resources/application.properties` specify the account to be used for posting scan results as a review message. The following fields should be filled: `github.token`. | ||
|
||
2. Add the user specified in `github.token` as a collaborator to your GitHub project. | ||
|
||
3. Configure webhook in your GitHub repository settings: | ||
- go to `Settings` -> `Hooks` | ||
- press `Add webhook` | ||
- fill in Payload URL with: `http://<IP where LPVS is running>:7896/webhooks` | ||
- specify content type: `application/json` | ||
- fill in `Secret` field with the passphrase: `LPVS` | ||
- select `Let me select individual events` -> `Pull requests` (make sure that only `Pull requests` is selected) | ||
- make it `Active` | ||
- press `Add Webhook` | ||
|
||
Create a new pull request and update it with commits. | ||
LPVS will start scanning automatically, then provide comments about the licenses found in the project. | ||
|
||
## LPVS Backend Configuration | ||
|
||
1. Install SCANOSS Python package by following the [guideline](https://github.com/scanoss/scanoss.py#installation). | ||
|
||
2. Fill in the lines of the `src/main/resources/application.properties` file: | ||
```text | ||
# Used license scanner | ||
scanner=scanoss | ||
# Used license conflicts source (take from 'licenses.json' ("json") | ||
# or from scanner response("scanner")) | ||
license_conflict=json | ||
``` | ||
3. Fill in `src/main/resources/licenses.json` file with the information about permitted, restricted, and prohibited licenses as well as their compatibility specifics. An example of the `licenses.json` file can be found in the repository. | ||
4. Build LPVS application with Maven, then run it: | ||
```bash | ||
mvn clean install | ||
cd target/ | ||
java -jar lpvs-1.0.0.jar | ||
``` | ||
Or alternatively build and run the Docker container with LPVS: | ||
```bash | ||
docker build -t lpvs . | ||
docker run -p 7896:7896 --name lpvs lpvs:latest | ||
``` | ||
For additional information about using Docker and tips, please check file [Docker_Usage](.github/Docker_Usage.md). | ||
5. Install [ngrok](https://dashboard.ngrok.com/get-started) (step 1 and 2) and run it with the following command: | ||
```bash | ||
./ngrok http 7896 | ||
``` | ||
At this point LPVS is ready for work. | ||
## License | ||
The LPVS source code is distributed under the [MIT](https://opensource.org/licenses/MIT) open source license. | ||
## Contributing | ||
You are welcome to contribute to LPVS project. | ||
Contributing is also a great way to practice social coding at Github, study new technologies and enrich your public portfolio. |
@@ -0,0 +1,61 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<project xmlns="http://maven.apache.org/POM/4.0.0" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> | ||
<modelVersion>4.0.0</modelVersion> | ||
|
||
<groupId>com.lpvs</groupId> | ||
<artifactId>lpvs</artifactId> | ||
<version>1.0.0</version> | ||
<packaging>jar</packaging> | ||
|
||
<parent> | ||
<groupId>org.springframework.boot</groupId> | ||
<artifactId>spring-boot-starter-parent</artifactId> | ||
<version>2.2.6.RELEASE</version> | ||
</parent> | ||
|
||
|
||
<properties> | ||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> | ||
<maven.compiler.source>1.8</maven.compiler.source> | ||
<maven.compiler.target>1.8</maven.compiler.target> | ||
</properties> | ||
|
||
<dependencies> | ||
<dependency> | ||
<groupId>org.springframework.boot</groupId> | ||
<artifactId>spring-boot-starter-web</artifactId> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.springframework.boot</groupId> | ||
<artifactId>spring-boot-starter-data-jpa</artifactId> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.springframework</groupId> | ||
<artifactId>spring-core</artifactId> | ||
<version>5.2.22.RELEASE</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>com.google.code.gson</groupId> | ||
<artifactId>gson</artifactId> | ||
<version>[2.8.9,)</version> | ||
</dependency> | ||
<dependency> | ||
<groupId>org.kohsuke</groupId> | ||
<artifactId>github-api</artifactId> | ||
<version>1.114</version> | ||
</dependency> | ||
</dependencies> | ||
|
||
<build> | ||
<plugins> | ||
<plugin> | ||
<groupId>org.springframework.boot</groupId> | ||
<artifactId>spring-boot-maven-plugin</artifactId> | ||
<version>2.1.2.RELEASE</version> | ||
</plugin> | ||
</plugins> | ||
</build> | ||
|
||
</project> |
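Review bot: The gson dependency uses the open-ended range `[2.8.9,)` on line 343, so each build resolves whichever gson release is newest at build time; builds are not reproducible and a newly published artifact enters the product without review — pin one version, e.g. `<version>2.8.9</version>`, and bump it deliberately. The explicit `spring-boot-maven-plugin` version `2.1.2.RELEASE` on line 358 is older than the `2.2.6.RELEASE` parent; removing that `<version>` element lets the parent manage it. The direct `spring-core` override to `5.2.22.RELEASE` presumably targets a fix newer than the parent's managed version, but it bumps only `spring-core` while the other Spring modules pulled in by the starters stay at the parent's version; a comment stating the reason, or overriding the `spring-framework.version` property instead, would keep the framework modules aligned.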
@@ -0,0 +1,44 @@ | ||
/** | ||
* Copyright (c) 2022, Samsung Research. All rights reserved. | ||
* | ||
* Use of this source code is governed by a MIT license that can be | ||
* found in the LICENSE file. | ||
*/ | ||
|
||
package com.lpvs; | ||
|
||
import org.springframework.beans.factory.annotation.Value; | ||
import org.springframework.boot.SpringApplication; | ||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration; | ||
import org.springframework.boot.autoconfigure.SpringBootApplication; | ||
import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration; | ||
import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration; | ||
import org.springframework.context.annotation.Bean; | ||
import org.springframework.core.task.TaskExecutor; | ||
import org.springframework.scheduling.annotation.EnableAsync; | ||
import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor; | ||
|
||
|
||
@SpringBootApplication | ||
@EnableAutoConfiguration(exclude={DataSourceAutoConfiguration.class, HibernateJpaAutoConfiguration.class}) | ||
@EnableAsync | ||
public class LicensePreValidationSystem { | ||
|
||
@Value("${lpvs.cores:8}") | ||
private int corePoolSize; | ||
|
||
public static void main(String[] args) { | ||
SpringApplication app = new SpringApplication(LicensePreValidationSystem.class); | ||
app.run(args); | ||
} | ||
|
||
@Bean("threadPoolTaskExecutor") | ||
public TaskExecutor getAsyncExecutor(){ | ||
ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor(); | ||
executor.setCorePoolSize(corePoolSize); | ||
executor.setThreadNamePrefix("LPVS-ASYNC::"); | ||
return executor; | ||
} | ||
|
||
} | ||
|
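Review bot: `@SpringBootApplication` on line 395 already includes `@EnableAutoConfiguration`, so the separate `@EnableAutoConfiguration(exclude=...)` on line 396 duplicates it; write `@SpringBootApplication(exclude = {DataSourceAutoConfiguration.class, HibernateJpaAutoConfiguration.class})` and drop line 396 together with its import. `getAsyncExecutor` sets only the core pool size, and a `ThreadPoolTaskExecutor` left otherwise at its defaults has no practical queue bound, so an explicit `setMaxPoolSize`/`setQueueCapacity` or at least a comment recording that the bean is meant for webhook-driven scan tasks would help. A one-line Javadoc on `corePoolSize` naming the `lpvs.cores` property and its default of 8 is also missing. Minor style: `getAsyncExecutor(){` on line 412 lacks the space before the brace used elsewhere in the file.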
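--- a/src/main/java/com/lpvs/controller/GitHubWebhooksController.java
+++ b/src/main/java/com/lpvs/controller/GitHubWebhooksController.java
@@ -0,0 +1,67 @@
+/**
+* Copyright (c) 2022, Samsung Research. All rights reserved.
+*
+* Use of this source code is governed by a MIT license that can be
+* found in the LICENSE file.
+*/
+
+package com.lpvs.controller;
+
+import com.lpvs.entity.config.WebhookConfig;
+import com.lpvs.service.GitHubService;
+import com.lpvs.service.QueueService;
+import com.lpvs.util.WebhookUtil;
+import com.lpvs.entity.ResponseWrapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestHeader;
+import org.springframework.web.bind.annotation.RequestBody;
+import java.util.Date;
+
+
+@RestController
+public class GitHubWebhooksController {
+
+@Autowired
+private QueueService queueService;
+
+@Autowired
+private GitHubService gitHubService;
+
+private static Logger LOG = LoggerFactory.getLogger(GitHubWebhooksController.class);
+
+private static final String SIGNATURE = "X-Hub-Signature";
+private static final String SUCCESS = "Success";
+private static final String ERROR = "Error";
+
+@RequestMapping(value = "/webhooks", method = RequestMethod.POST)
+public ResponseEntity<ResponseWrapper> gitHubWebhooks(@RequestHeader(SIGNATURE) String signature, @RequestBody String payload) throws InterruptedException {
+LOG.info("New webhook request received");
+
+// if signature is empty return 401
+if (!StringUtils.hasText(signature)) {
+return new ResponseEntity<>(new ResponseWrapper(ERROR), HttpStatus.FORBIDDEN);
+}
+
+// if payload is empty, don't do anything
+if (!StringUtils.hasText(payload)) {
+LOG.info("Response to empty payload sent");
+return new ResponseEntity<>(new ResponseWrapper(SUCCESS), HttpStatus.OK);
+} else if (WebhookUtil.checkPayload(payload)) {
+WebhookConfig webhookConfig = WebhookUtil.getGitHubWebhookConfig(payload);
+webhookConfig.setDate(new Date());
+LOG.info("Repository scanning is enabled: On");
+gitHubService.setPendingCheck(webhookConfig);
+queueService.addFirst(webhookConfig);
+}
+LOG.info("Response sent");
+return new ResponseEntity<>(new ResponseWrapper(SUCCESS), HttpStatus.OK);
+}
+}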
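Review bot: The `X-Hub-Signature` header is only tested for non-emptiness on line 488 and is never compared with an HMAC of the body, so any client that sends a non-empty header value can post a payload to `/webhooks` and have it queued for scanning and marked pending on GitHub; verify the `sha1=<hex>` value against HMAC-SHA1 of the body under the webhook secret, compare with `MessageDigest.isEqual`, and make that secret a configured value rather than the fixed `LPVS` the README tells users to enter. The comment on line 487 says "return 401" while the code returns `HttpStatus.FORBIDDEN` (403); make the two agree. `LOG` on line 474 should be `private static final`. Spring passes `@RequestBody String` after charset decoding, so the helper below re-encodes as UTF-8, which matches what GitHub sends; hashing the raw request bytes would be stricter, and the new field needs the `@Value` import already used elsewhere in this commit.
```java
// property name is a placeholder — holds the value entered in the GitHub webhook "Secret" field
@Value("${lpvs.webhook.secret}")
private String webhookSecret;

// … unchanged: other fields and constants …

@RequestMapping(value = "/webhooks", method = RequestMethod.POST)
public ResponseEntity<ResponseWrapper> gitHubWebhooks(@RequestHeader(SIGNATURE) String signature, @RequestBody String payload) throws InterruptedException {
    LOG.info("New webhook request received");

    // GitHub sends X-Hub-Signature as "sha1=<hex HMAC-SHA1 of the body>"; reject a missing or mismatching value
    if (!StringUtils.hasText(signature) || !signatureMatches(signature, payload == null ? "" : payload)) {
        return new ResponseEntity<>(new ResponseWrapper(ERROR), HttpStatus.FORBIDDEN);
    }
    // … unchanged: payload handling …
}

// Recomputes the HMAC-SHA1 over the body and compares it with the header value in constant time.
private boolean signatureMatches(String signature, String payload) {
    try {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(webhookSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        StringBuilder expected = new StringBuilder("sha1=");
        for (byte b : mac.doFinal(payload.getBytes(StandardCharsets.UTF_8))) {
            expected.append(String.format("%02x", b));
        }
        return MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                     signature.getBytes(StandardCharsets.UTF_8));
    } catch (GeneralSecurityException e) {
        LOG.error("Webhook signature check failed", e);
        return false;
    }
}
```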