platform_build/tools/compliance
Ibrahim Kanouche 397a9cf430 Update generateSPDXNamespace to generate a unique spdx doc namespace
Test: m compliance_sbom
Change-Id: Icc1e5aec0e1758ee32c43cfa79b5b49b3d1d9d30
2023-04-20 17:43:12 +00:00
..
cmd Update generateSPDXNamespace to generate a unique spdx doc namespace 2023-04-20 17:43:12 +00:00
projectmetadata Merge "Optimized project selection for getProjectMetadata" 2022-11-10 15:28:12 +00:00
testfs Refactor projectmetadata into separate package. 2022-10-18 16:55:47 -07:00
Android.bp Added validation to SBOM generator 2023-04-13 16:10:12 +00:00
condition.go Change condition to match go/thirdpartylicenses 2022-11-30 10:52:41 -08:00
condition_test.go Policy change: GPL+CE is permissive. 2022-09-20 21:50:08 -07:00
conditionset.go Performance and scale. 2022-01-11 10:40:50 -08:00
conditionset_test.go Change condition to match go/thirdpartylicenses 2022-11-30 10:52:41 -08:00
doc.go Add some documentation and simplify data model. 2022-10-28 12:06:08 -07:00
go.mod Fix go.mod for tools/compliance 2022-08-01 14:24:21 -07:00
go.sum Fix go.mod for tools/compliance 2022-08-01 14:24:21 -07:00
graph.go Merge "Add deps tracking for SBOMs" 2023-01-18 16:11:49 +00:00
noticeindex.go An ActionSet doesn't need to walk the graph. 2023-01-04 00:01:49 +00:00
policy_policy.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00
policy_policy_test.go Change condition to match go/thirdpartylicenses 2022-11-30 10:52:41 -08:00
policy_resolve.go Fix concurrency bug in bottom-up resolution walk. 2023-01-04 00:02:02 +00:00
policy_resolve_test.go Change condition to match go/thirdpartylicenses 2022-11-30 10:52:41 -08:00
policy_resolvenotices.go Move policy subdirectory into package directory 2022-01-27 17:14:03 -08:00
policy_resolvenotices_test.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00
policy_resolveprivacy.go Move policy subdirectory into package directory 2022-01-27 17:14:03 -08:00
policy_resolveprivacy_test.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00
policy_resolveshare.go Move policy subdirectory into package directory 2022-01-27 17:14:03 -08:00
policy_resolveshare_test.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00
policy_shareprivacyconflicts.go Policy clarified: No need to share a "distribution medium" 2022-09-22 03:23:23 +00:00
policy_shareprivacyconflicts_test.go Move policy subdirectory into package directory 2022-01-27 17:14:03 -08:00
policy_shipped.go An ActionSet doesn't need to walk the graph. 2023-01-04 00:01:49 +00:00
policy_shipped_test.go Move policy subdirectory into package directory 2022-01-27 17:14:03 -08:00
policy_walk.go An ActionSet doesn't need to walk the graph. 2023-01-04 00:01:49 +00:00
policy_walk_test.go Create regression test to catch WalkAction error. 2023-01-04 00:01:26 +00:00
readgraph.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00
readgraph_test.go Refactor projectmetadata into separate package. 2022-10-18 16:55:47 -07:00
README.md Add some documentation and simplify data model. 2022-10-28 12:06:08 -07:00
resolution.go Run gofmt on compliance 2022-01-27 17:14:02 -08:00
resolutionset.go Policy clarified: No need to share a "distribution medium" 2022-09-22 03:23:23 +00:00
resolutionset_test.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00
test_util.go Fix tests so they can fail. 2023-01-04 00:01:03 +00:00

Compliance

Package compliance provides an approved means for reading, consuming, and analyzing license metadata graphs.

Assuming the license metadata and dependencies are fully and accurately recorded in the build system, any discrepancy between the official policy for open source license compliance and this code is a bug in this code.

Naming

All of the code that directly reflects a policy decision belongs in a file with a name begninning policy_. Changes to these files need to be authored or reviewed by someone in OSPO or whichever successor group governs policy.

The files with names not beginning policy_ describe data types, and general, reusable algorithms.

The source code for binary tools and utilities appears under the cmd/ subdirectory. Other subdirectories contain reusable components that are not compliance per se.

Data Types

A few principal types to understand are LicenseGraph, LicenseCondition, and ResolutionSet.

LicenseGraph

A LicenseGraph is an immutable graph of the targets and dependencies reachable from a specific set of root targets. In general, the root targets will be the artifacts in a release or distribution. While conceptually immutable, parts of the graph may be loaded or evaluated lazily.

Conceptually, the graph itself will always be a directed acyclic graph. One representation is a set of directed edges. Another is a set of nodes with directed edges to their dependencies.

The edges have annotations, which can distinguish between build tools, runtime dependencies, and dependencies like 'contains' that make a derivative work.

LicenseCondition

A LicenseCondition is an immutable tuple pairing a condition name with an originating target. e.g. Per current policy, a static library licensed under an MIT license would pair a "notice" condition with the static library target, and a dynamic license licensed under GPL would pair a "restricted" condition with the dynamic library target.

ResolutionSet

A ResolutionSet is an immutable set of AttachesTo, ActsOn, Resolves tuples describing how license conditions apply to targets.

AttachesTo is the trigger for acting. Distribution of the target invokes the policy.

ActsOn is the target to share, give notice for, hide etc.

Resolves is the set of conditions that the action resolves.

For most condition types, ActsOn will be the target where the condition originated. For example, a notice condition policy means attribution or notice must be given for the target where the condition originates. Likewise, a proprietary condition policy means the privacy of the target where the condition originates must be respected. i.e. The thing acted on is the origin.

Restricted conditions are different. The infectious nature of restricted often means sharing code that is not the target where the restricted condition originates. Linking an MIT library to a GPL library implies a policy to share the MIT library despite the MIT license having no source sharing requirement.

In this case, one or more resolution tuples will have the MIT license module in ActsOn and the restricted condition originating at the GPL library module in Resolves. These tuples will AttachTo every target that depends on the GPL library because shipping any of those targets trigger the policy to share the code.

Processes

ReadLicenseGraph

The principal means to ingest license metadata. Given the distribution targets, ReadLicenseGraph populates the LicenseGraph for those root targets.

NoticeIndex.IndexLicenseTexts

IndexLicenseTexts reads, deduplicates and caches license texts for notice files. Also reads and caches project metadata for deriving library names.

The algorithm for deriving library names has not been dictated by OSPO policy, but reflects a pragmatic attempt to comply with Android policy regarding unreleased product names, proprietary partner names etc.

projectmetadata.Index.MetadataForProjects

MetadataForProjects reads, deduplicates and caches project METADATA files used for notice library names, and various properties appearing in SBOMs.