Introduce automated license check reviews

marcdumais-work · marcdumais-work · commit 3908d525939a · 2022-10-13T15:34:37.000-04:00
In this PR we introduce the option to use our license check tool, "dash-licenses", in "Automatic IP Team Review Requests" mode [1]. In this mode, any dependency that's found to have an unclear or suspicious license will be automatically submitted to the Eclipse Foundation for review. Each such dependency will have a ticket opened on the Foundation's Gitlab and be automatically reviewed. If the automated review is not conclusive, a manual assessment will be performed by the Foundation's IP team. In our experience, most dependencies are approved automatically within minutes. To perform a license check with automated reviews, use the new script: $> yarn license:check:review To perform the license check without the automated review, do as before: $> yarn license:check Note: for review mode to work, a Personal Access Token from the Foundation's Gitlab is required, created from a project committer's Gitlab profile. Set it in an environment variable named "DASH_LICENSES_PAT". E.g. in bash: $> export DASH_LICENSES_PAT=<token> [1] https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests Signed-off-by: Marc Dumais <marc.dumais@ericsson.com>
diff --git a/package.json b/package.json
@@ -71,6 +71,7 @@
     "download:plugins": "theia download:plugins",
     "electron": "yarn -s --cwd examples/electron",
     "license:check": "node scripts/check_3pp_licenses.js",
+    "license:check:review": "node scripts/check_3pp_licenses.js --review",
     "lint": "lerna run lint",
     "lint:clean": "rimraf .eslintcache",
     "lint:oneshot": "node --max-old-space-size=4096 node_modules/eslint/bin/eslint.js --cache=true \"{dev-packages,packages,examples}/**/*.{ts,tsx}\"",
diff --git a/scripts/check_3pp_licenses.js b/scripts/check_3pp_licenses.js
@@ -18,13 +18,30 @@
 const cp = require('child_process');
 const fs = require('fs');
 const path = require('path');
+const { env, argv } = require('process');
 const readline = require('readline');
+// Submit any suspicious dependencies for review by the Eclipse Foundation, using dash-license "review" mode?
+const autoReviewMode = (process.argv.slice(2))[0] == "--review" ? true:false
 
 const NO_COLOR = Boolean(process.env['NO_COLOR']);
 const dashLicensesJar = path.resolve(__dirname, 'download/dash-licenses.jar');
 const dashLicensesSummary = path.resolve(__dirname, '../dependency-check-summary.txt');
 const dashLicensesBaseline = path.resolve(__dirname, '../dependency-check-baseline.json');
 const dashLicensesUrl = 'https://repo.eclipse.org/service/local/artifact/maven/redirect?r=dash-licenses&g=org.eclipse.dash&a=org.eclipse.dash.licenses&v=LATEST';
+const project = "ecd.theia";
+
+// A Eclipse Foundation Gitlab Personal Access Token, generated by an Eclipse committer,
+// is required to use dash-licenses in "review" mode. For more information see: 
+//  https://github.com/eclipse/dash-licenses#automatic-ip-team-review-requests
+// e.g. Set the token like so (bash shell): 
+// $> export DASH_LICENSES_PAT="<PAT>"
+const gitlabTokenDefined = env.DASH_LICENSES_PAT ? true : false;
+
+if (autoReviewMode && !gitlabTokenDefined) {
+    console.error("Please setup an Eclipse Foundation Gitlab Personal Access Token to run the license check in 'review' mode");
+    console.error("It should be set in an environment variable named 'DASH_LICENSES_PAT'");
+    process.exit(1);
+}
 
 main().catch(error => {
     console.error(error);
@@ -48,9 +65,19 @@ async function main() {
         fs.renameSync(dashLicensesSummary, `${dashLicensesSummary}.old`);
     }
     info('Running dash-licenses...');
+    var args = ['-jar', dashLicensesJar, 'yarn.lock', '-batch', '50', '-timeout', '240', '-summary', dashLicensesSummary]
+    if (autoReviewMode && gitlabTokenDefined) {
+        info('using "review" mode');
+        args.push('-review', '-token', '$DASH_LICENSES_PAT', '-project', project);
+    }
+
+    // note: "shell:true" is required so we can reference the 
+    // Gitlab Personal Access Token through an environment variable
+    // at invocation of "dash-license". This is necessary to avoid 
+    // leaking the token's value
     const dashError = getErrorFromStatus(spawn(
-        'java', ['-jar', dashLicensesJar, 'yarn.lock', '-batch', '50', '-timeout', '240', '-summary', dashLicensesSummary],
-        { stdio: ['ignore', 'ignore', 'inherit'] },
+        'java', args,
+        { stdio: ['ignore', 'ignore', 'inherit'], shell: true }
     ));
     if (dashError) {
         warn(dashError);
