Integrate OSS Review Toolkit #116

jfinkhaeuser commented 2023年05月05日 09:13:39 +02:00

See https://github.com/oss-review-toolkit/ort

The toolkit scans sources for dependencies, then downloads dependencies and scans them for used FOSS licenses. It then creates a report that shows license violations (i.e. non-FOSS code in dependencies, or some such). It can additionally generate SBOMs.

While it's possible to integrate a docker image of ort into a pipeline (I haven't done so yet, but want to tackle that soon-ish), the downloading and scanning of dependencies takes time.

For that reason, ORT lets you set up storage backends, which can share scan results across pipeline runs and across projects.

Similarly, for vulnerability scanning, it's possible to consult multiple advisors, some of which can be locally installed.

It seems to me that running a storage backend and/or advisors, and documenting how to use them in a pipeline would be a useful minimum integration effort that reduces load and storage requirements when projects use ORT, and offers some of the advanced tooling of the larger forges that integrate such functionality in some payment tiers.

I'd be happy to provide a test bed in the form of a pipeline that uses ORT, for what it's worth.

See https://github.com/oss-review-toolkit/ort The toolkit scans sources for dependencies, then downloads dependencies and scans them for used FOSS licenses. It then creates a report that shows license violations (i.e. non-FOSS code in dependencies, or some such). It can additionally generate SBOMs. While it's possible to integrate a docker image of ort into a pipeline (I haven't done so yet, but want to tackle that soon-ish), the downloading and scanning of dependencies takes time. For that reason, ORT lets you set up [storage backends](https://github.com/oss-review-toolkit/ort#storage-backends), which can share scan results across pipeline runs *and* across projects. Similarly, for vulnerability scanning, it's possible to consult multiple advisors, some of which can be locally installed. It seems to me that running a storage backend and/or advisors, and documenting how to use them in a pipeline would be a useful minimum integration effort that reduces load and storage requirements when projects use ORT, and offers some of the advanced tooling of the larger forges that integrate such functionality in some payment tiers. I'd be happy to provide a test bed in the form of a pipeline that uses ORT, for what it's worth.

6543 commented 2023年06月30日 04:05:44 +02:00

I think this is a plugin request ?!?

I think this is a plugin request ?!?

jfinkhaeuser commented 2023年06月30日 08:27:19 +02:00

I don't know if this is a plugin request. Like I said, integrating a docker image to do the scanning is pretty straightforward.

There are two non-straightforward things:

1. Provide infrastructure in the form of the storage backend to use/share.
2. Make the results visible in the frontend.

The latter part can be arbitrarily complex, really, and crosses over into forgejo territory. The former part includes documentation of the service.

When it comes to the frontend, some of that is easily available in the form of a failed CI run. You click through to the CI, see the failure log, job done. There is no need for coding.

However, one might like better reports showing up, or have issues created for failures, etc. That then requires coding.

The overall goal is to stay competitive with the larger forges, whilst - obviously - investing only a small amount of time. I believe the infrastructure + documentation part can be done with relatively little effort, whereas better user interface integration might be worth investigating a sovereign tech fund grant for, or some such.

I don't know if this is a plugin request. Like I said, integrating a docker image to do the scanning is pretty straightforward. There are two non-straightforward things: 1. Provide infrastructure in the form of the storage backend to use/share. 1. Make the results visible in the frontend. The latter part can be arbitrarily complex, really, and crosses over into forgejo territory. The former part includes documentation of the service. When it comes to the frontend, some of that is easily available in the form of a failed CI run. You click through to the CI, see the failure log, job done. There is no need for coding. However, one might like better reports showing up, or have issues created for failures, etc. That then requires coding. The overall goal is to stay competitive with the larger forges, whilst - obviously - investing only a small amount of time. I believe the infrastructure + documentation part can be done with relatively little effort, whereas better user interface integration might be worth investigating a sovereign tech fund grant for, or some such.

captainepoch commented 2023年06月30日 11:29:07 +02:00

Wouldn't be the cost of storage a bit much for Codeberg right now? Because I'm guessing here that all the information the toolkit needs has to be stored by Codeberg in order to be used for all the members of Codeberg that have access to the CI.

Wouldn't be the cost of storage a bit much for Codeberg right now? Because I'm guessing here that all the information the toolkit needs has to be stored by Codeberg in order to be used for all the members of Codeberg that have access to the CI.

6543 commented 2023年06月30日 13:40:47 +02:00

We would decide to host the http cache and then we can add global secret, so people dont need to know the secret/endpoint but can work with it

We would decide to host the http cache and then we can add global secret, so people dont need to know the secret/endpoint but can work with it

jfinkhaeuser commented 2023年07月05日 09:40:02 +02:00

@captainepoch That's the whole point: by sharing the storage, you'd reduce the associated cost over multiple projects using it independently.

@captainepoch That's the whole point: by sharing the storage, you'd reduce the associated cost over multiple projects using it independently.

captainepoch commented 2023年07月05日 09:43:55 +02:00

@jfinkhaeuser Sorry, I didn't grasp that in the thread, my bad.

Then it'd be a good idea to have this in the long-term for those who want to use it, for sure!

@jfinkhaeuser Sorry, I didn't grasp that in the thread, my bad. Then it'd be a good idea to have this in the long-term for those who want to use it, for sure!

jfinkhaeuser commented 2023年07月05日 10:03:58 +02:00

@captainepoch I'm sure I could have put it better.

There are essentially three components to it:

1. Make a good docker image for it (I kind of want to do that anyway, so that's not really an issue here. But we'd have to e.g. sync on this hidden secret, for example.).
2. Set up this shared storage to reduce costs. This is very much codeberg territory.
3. Maybe integrate the results better into the UI. This is more forgejo territory.

I'm just filing this here because I figure we'll get all parties in on this. I know I'm talking to e.g. @Ryuno-Ki separately, because he has an interest in dealing with vulnerability scanning within forgejo. I happen to think this toolkit is one of the better umbrella projects for this (YMMV).

@captainepoch I'm sure I could have put it better. There are essentially three components to it: 1. Make a good docker image for it (I kind of want to do that anyway, so that's not really an issue here. But we'd have to e.g. sync on this hidden secret, for example.). 2. Set up this shared storage to reduce costs. This is very much codeberg territory. 3. Maybe integrate the results better into the UI. This is more forgejo territory. I'm just filing this here because I figure we'll get all parties in on this. I know I'm talking to e.g. @Ryuno-Ki separately, because he has an interest in dealing with vulnerability scanning within forgejo. I happen to think this toolkit is one of the better umbrella projects for this (YMMV).

pat-s commented 2024年06月04日 11:09:23 +02:00

@jfinkhaeuser I have read through this in more detail for the first time now.
Here are my thoughts:

• Certainly sounds like an interesting project!
• We could create a new repo for it which builds "generic" images that could also be used by the community.
• Yes, it could be made a WP plugin but I would see this as a separate step. For the start, the docker image could be run without being a WP plugin.
• Storage shouldn't be an issue (unless we're talking about TB?)
• The repo could live in Codeberg-CI and I could grant you admin access for it if you are interested in leading this? (Maybe longterm it should live in the Codeberg org but there granting permissions is not "so easy"

@jfinkhaeuser I have read through this in more detail for the first time now. Here are my thoughts: - Certainly sounds like an interesting project! - We could create a new repo for it which builds "generic" images that could also be used by the community. - Yes, it could be made a WP plugin but I would see this as a separate step. For the start, the docker image could be run without being a WP plugin. - Storage shouldn't be an issue (unless we're talking about TB?) - The repo could live in `Codeberg-CI` and I could grant you admin access for it if you are interested in leading this? (Maybe longterm it should live in the `Codeberg` org but there granting permissions is not "so easy"

jfinkhaeuser commented 2024年06月24日 16:27:21 +02:00

Hi @pat-s, apologies for the silence.

I have the Native-CI project for this kind of thing, which I update when I need it. We can do it elsewhere for sure, but that'd be the other option.

Also an action based on the image is a possibility.

Hi @pat-s, apologies for the silence. I have the [Native-CI](/native-ci) project for this kind of thing, which I update when I need it. We can do it elsewhere for sure, but that'd be the other option. Also an action based on the image is a possibility.

pat-s commented 2024年07月10日 10:36:10 +02:00

For public visibility and "broader" integration within CB, it would be helpful to host it within the Codeberg-CI org I think (if it should not be "only" a WP plugin).

Also an action based on the image is a possibility.

Sure, anything can be done here.

I've created Codeberg-CI/oss-review-toolkit and gave you admin access. Feel free to start!

For public visibility and "broader" integration within CB, it would be helpful to host it within the `Codeberg-CI` org I think (if it should not be "only" a WP plugin). > Also an action based on the image is a possibility. Sure, anything can be done here. I've created `Codeberg-CI/oss-review-toolkit` and gave you admin access. Feel free to start!

jfinkhaeuser commented 2025年05月29日 18:04:40 +02:00

And I only just discovered this - wow. But then, the last year has been crazy. Thanks, I will look into it!

And I only just discovered this - wow. But then, the last year has been crazy. Thanks, I will look into it!