Run FOSSA scan

Author: trask

.fossa.yml

@@ -125,6 +125,7 @@ settings](https://github.com/open-telemetry/community/blob/main/docs/how-to-conf
 
 ### Organization secrets
 
+- `FOSSA_API_KEY`
 - `OPENTELEMETRYBOT_GITHUB_TOKEN`
 - `OTELBOT_CLIENT_ID`
 - `OTELBOT_PRIVATE_KEY`

.github/repository-settings.md

@@ -0,0 +1,19 @@
+name: FOSSA
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  fossa:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{secrets.FOSSA_API_KEY}}

.github/workflows/fossa.yml

@@ -106,3 +106,52 @@ if (gradle.startParameter.taskNames.contains("listTestsInPartition")) {
     }
   }
 }
+
+if (gradle.startParameter.taskNames.contains("writeFossaConfig")) {
+  tasks {
+    val writeFossaConfig by registering {
+      group = "Help"
+      description = "Write .fossa.yml config file"
+
+      doLast {
+        File(".fossa.yml").printWriter().use { writer ->
+          writer.println("version: 3")
+          writer.println()
+          writer.println("targets:")
+          writer.println("  only:")
+          writer.println("    # only scanning the modules which are published")
+          writer.println("    # (as opposed to internal testing modules")
+          rootProject.subprojects
+            .sortedBy { it.findProperty("archivesName") as String? }
+            .filter { !it.name.startsWith("bom") }
+            .filter { it.plugins.hasPlugin("maven-publish") }
+            .forEach {
+              writer.println("    - type: gradle")
+              writer.println("      path: ./")
+              writer.println("      target: '${it.path}'")
+            }
+          writer.println()
+          writer.println("experimental:")
+          writer.println("  gradle:")
+          writer.println("    configurations-only:")
+          writer.println("      # consumer will only be exposed to these dependencies")
+          writer.println("      - runtimeClasspath")
+        }
+      }
+
+      // disable all tasks to stop build
+      subprojects {
+        tasks.configureEach {
+          enabled = false
+        }
+      }
+    }
+  }
+
+  // disable all tasks to stop build
+  project.tasks.configureEach {
+    if (this.name != "writeFossaConfig") {
+      enabled = false
+    }
+  }
+}

build.gradle.kts

@@ -4,9 +4,6 @@ plugins {
 
 data class DependencySet(val group: String, val version: String, val modules: List<String>)
 
-val dependencyVersions = hashMapOf<String, String>()
-rootProject.extra["versions"] = dependencyVersions
-
 // this line is managed by .github/scripts/update-sdk-version.sh
 val otelSdkVersion = "1.46.0"
 val otelContribVersion = "1.43.0-alpha"
@@ -27,15 +24,16 @@ val groovyVersion = "4.0.25"
 // configurations.testRuntimeClasspath.resolutionStrategy.force "com.google.guava:guava:19.0"
 
 val DEPENDENCY_BOMS = listOf(
+  // for some reason boms show up as runtime dependencies in license and vulnerability scans
+  // even if they are only used by test dependencies, so not using junit bom since it is LGPL
+
   "com.fasterxml.jackson:jackson-bom:2.18.2",
   "com.squareup.okio:okio-bom:3.10.2", // see https://github.com/open-telemetry/opentelemetry-java/issues/5637
   "com.google.guava:guava-bom:33.4.0-jre",
   "org.apache.groovy:groovy-bom:${groovyVersion}",
   "io.opentelemetry:opentelemetry-bom:${otelSdkVersion}",
   "io.opentelemetry:opentelemetry-bom-alpha:${otelSdkAlphaVersion}",
-  "org.junit:junit-bom:5.11.4",
-  "org.testcontainers:testcontainers-bom:1.20.4",
-  "org.spockframework:spock-bom:2.4-M5-groovy-4.0"
+  "org.testcontainers:testcontainers-bom:1.20.4"
 )
 
 val autoServiceVersion = "1.1.1"
@@ -83,6 +81,10 @@ val CORE_DEPENDENCIES = listOf(
 // There are dependencies included here that appear to have no usages, but are maintained at
 // this top level to help consistently satisfy large numbers of transitive dependencies.
 val DEPENDENCIES = listOf(
+  "org.junit.jupiter:junit-jupiter-api:5.11.4",
+  "org.spockframework:spock-core:2.4-M5-groovy-4.0",
+  "org.spockframework:spock-junit4:2.4-M5-groovy-4.0",
+
   "io.r2dbc:r2dbc-proxy:1.1.5.RELEASE",
   "ch.qos.logback:logback-classic:1.3.15", // 1.4+ requires Java 11+
   "com.github.stefanbirkner:system-lambda:1.2.1",
@@ -127,19 +129,13 @@ javaPlatform {
 dependencies {
   for (bom in DEPENDENCY_BOMS) {
     api(enforcedPlatform(bom))
-    val split = bom.split(':')
-    dependencyVersions[split[0]] = split[2]
   }
   constraints {
     for (dependency in CORE_DEPENDENCIES) {
       api(dependency)
-      val split = dependency.split(':')
-      dependencyVersions[split[0]] = split[2]
     }
     for (dependency in DEPENDENCIES) {
       api(dependency)
-      val split = dependency.split(':')
-      dependencyVersions[split[0]] = split[2]
     }
   }
 }

dependencyManagement/build.gradle.kts

@@ -8,7 +8,7 @@ group = "io.opentelemetry.instrumentation"
 val springBootVersion = "2.6.15"
 
 dependencies {
-  api("org.springframework.boot:spring-boot-starter:$springBootVersion")
+  compileOnly("org.springframework.boot:spring-boot-starter:$springBootVersion")
   api(project(":instrumentation:spring:starters:spring-boot-starter"))
   api("io.opentelemetry:opentelemetry-exporter-zipkin")
 }