FOSSology

From OSSelot

Installation

The FOSSology software can be downloaded from the project's home page.

Manual addition of ScanCode

In addition to the default installation, the ScanCode Open Source scan tool should be installed, and an interface from the FOSSology instance to it should be configured. The rationale for using a variety of scanners is that each scanner has its own strengths and weaknesses, and by combining the individual scan findings the overall result can be optimized.

Customization

In the SPDX standard, licenses are denoted by a short identifier (e.g. GPL-2.0-only or LicenseRef-MIT-customized). Licenses that are not listed in the SPDX License List are prefixed by "LicenseRef-", and their full license text is given in the section "License information" of the SPDX tag:value file. Licenses with standard texts according to the SPDX License List do not carry the "LicenseRef-" prefix, and their license text is not given in the tag:value file.

For the OSSelot project, however, the SPDX tag:value file is intended to be self-consistent, i.e. for every short license identifier the corresponding full license text must be given. To achieve this while ensuring that the SPDX file can still be valid, we have patched our FOSSology installation to add the "LicenseRef-" prefix to all license identifiers. In our FOSSology installation (version 4.1.0.95), the patch directory is /usr/local/share/fossology/patches and the patch list-all-license-texts-in-spdxtv-export.patch looks as follows:

Index: fossology/spdx2/agent/template/spdx2-document.xml.twig
===================================================================
--- fossology.orig/spdx2/agent/template/spdx2-document.xml.twig
+++ fossology/spdx2/agent/template/spdx2-document.xml.twig
@@ -21,7 +21,7 @@
   <rdfs:comment>
     This document was created using license information and a generator from Fossology.
   </rdfs:comment>
-  {% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}
+  {% for licenseId,licenseData in licenseTexts %}
   <spdx:hasExtractedLicensingInfo>
 {% if licenseId starts with 'LicenseRef-' %}
     <spdx:ExtractedLicensingInfo rdf:about="{{ uri }}#{{ licenseId|replace({' ': '-'})|url_encode }}">
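
Review bot: The inner `{% if licenseId starts with 'LicenseRef-' %}` on the unchanged line right after `<spdx:hasExtractedLicensingInfo>` stays in place, so with the outer guard removed every entry in licenseTexts now opens a wrapper element while what goes inside it still depends on the prefix. Whatever the template emits for identifiers without the prefix is not visible in this hunk; please confirm that it is a complete element carrying the license text, otherwise the RDF export gains wrappers without the text this change is meant to add.
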
@@ -36,7 +36,7 @@
       ]]></spdx:extractedText>
     </spdx:ExtractedLicensingInfo>
   </spdx:hasExtractedLicensingInfo>
-{% endif %}{% endfor %}
+{% endfor %}
   {{ packageNodes|replace({'\n':'\n  '}) }}
 </spdx:SpdxDocument>
 </rdf:RDF>
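
Review bot: The `{% endfor %}` line only balances the template if the first hunk of this file, which drops the matching `{% if licenseId starts with 'LicenseRef-' %}`, was applied as well. The two hunks can apply or be rejected independently once offsets shift, so after patching a newer version check for a .rej file and render one RDF export before relying on it.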

Index: fossology/spdx2/agent/template/spdx2tv-document.twig
===================================================================
--- fossology.orig/spdx2/agent/template/spdx2tv-document.twig
+++ fossology/spdx2/agent/template/spdx2tv-document.twig
@@ -40,10 +40,10 @@ LicenseListVersion: 2.6
 ## License Information
 ##-------------------------
 
-{% for licenseId,licenseData in licenseTexts %}{% if licenseId starts with 'LicenseRef-' %}
+{% for licenseId,licenseData in licenseTexts %}
 LicenseID: {{ licenseId|replace({' ': '-'}) }}
 LicenseName: {{ licenseData['name'] }}
 ExtractedText: <text> {{ licenseData['text']|replace({'<text>':'&lt;text&gt;','</text>':'&lt;/text&gt;'})
                                             |replace({'\f':''}) }} </text>
 
-{% endif %}{% endfor %}
+{% endfor %}
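
Review bot: On the `LicenseID: {{ licenseId|replace({' ': '-'}) }}` line the identifier is still printed exactly as it comes from licenseTexts, so after dropping the `starts with 'LicenseRef-'` filter this section will also list identifiers such as GPL-2.0-only unless the prefix is added somewhere outside this patch. SPDX tag:value expects LicenseID values in this section to begin with LicenseRef-, so either prepend the prefix here when it is missing or document where the identifiers are rewritten, and run an export through an SPDX validator.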

For newer FOSSology versions, there might be a slight offset when applying the patch.
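
One way to check the self-consistency requirement described above on an exported tag:value file, as an added example that is not part of FOSSology or the OSSelot tooling: it reports identifiers used in license fields that have no non-empty ExtractedText, and identifiers lacking the "LicenseRef-" prefix. The function names and the sample document are assumptions constructed for illustration.

```python
import re

# SPDX 2.x tag:value fields whose value is a license expression.
LICENSE_FIELDS = ("PackageLicenseConcluded", "PackageLicenseDeclared",
                  "PackageLicenseInfoFromFiles", "LicenseConcluded",
                  "LicenseInfoInFile")
# Tokens in a license expression that are not license identifiers.
SKIP = {"NONE", "NOASSERTION", "AND", "OR", "WITH"}

# Constructed sample, not real FOSSology output.
SAMPLE = """\
PackageLicenseConcluded: (LicenseRef-GPL-2.0-only AND LicenseRef-MIT-customized)
LicenseConcluded: LicenseRef-GPL-2.0-only
LicenseInfoInFile: BSD-3-Clause

LicenseID: LicenseRef-GPL-2.0-only
LicenseName: GNU General Public License v2.0 only
ExtractedText: <text> (full text elided in this sample) </text>

LicenseID: LicenseRef-MIT-customized
ExtractedText: <text>  </text>
"""

def referenced_ids(doc):
    """License identifiers used in any license field of the document."""
    ids = set()
    for line in doc.splitlines():
        tag, sep, value = line.partition(":")
        if sep and tag.strip() in LICENSE_FIELDS:
            tokens = re.findall(r"[^\s()]+", value)
            # Drop operators and the exception name that follows WITH.
            ids.update(t for i, t in enumerate(tokens) if t not in SKIP
                       and not (i and tokens[i - 1] == "WITH"))
    return ids

def extracted_texts(doc):
    """Map each LicenseID to the stripped content of its <text> block."""
    entry = re.compile(r"^LicenseID:[ \t]*(\S+)[^\n]*\n"
                       r"(?:(?!LicenseID:)[^\n]*\n)*?"
                       r"ExtractedText:\s*<text>([\s\S]*?)</text>", re.M)
    return {m.group(1): m.group(2).strip() for m in entry.finditer(doc)}

def check_self_contained(doc):
    """Return (ids without a license text, ids without LicenseRef- prefix)."""
    used, texts = referenced_ids(doc), extracted_texts(doc)
    no_text = sorted(i for i in used if not texts.get(i))
    no_prefix = sorted(i for i in used | set(texts)
                       if not i.startswith("LicenseRef-"))
    return no_text, no_prefix
```

Both returned lists are empty for a file that meets the requirement; on the sample, BSD-3-Clause appears in both and LicenseRef-MIT-customized is flagged for its empty text.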

Community server

The reference community FOSSology server Fossy is available on the Internet and is used internally for primary curation and review; however, it is not publicly available. Future contributors may be granted a login to the Fossy server after they have successfully completed the OSSelot curators' training.

Basic workflow

The basic workflow for clearing a package with FOSSology is given on the FOSSology project page.