Add FOSSA license scanning (#7090)

.fossa.yml

@@ -0,0 +1,40 @@
+version: 3
+
+targets:
+  only:
+    - type: gradle
+  exclude:
+    # these modules are not published and so consumers will not be exposed to them
+    - type: gradle
+      path: ./
+      target: ':api:testing-internal'
+    - type: gradle
+      path: ./
+      target: ':exporters:otlp:testing-internal'
+    - type: gradle
+      path: ./
+      target: ':integration-tests'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:graal'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:graal-incubating'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:otlp'
+    - type: gradle
+      path: ./
+      target: ':integration-tests:tracecontext'
+    - type: gradle
+      path: ./
+      target: ':perf-harness'
+    - type: gradle
+      path: ./
+      target: ':testing-internal'
+
+experimental:
+  gradle:
+    configurations-only:
+      # consumer will only be exposed to these dependencies
+      - runtimeClasspath

.github/workflows/fossa.yml

@@ -0,0 +1,19 @@
+name: FOSSA
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  fossa:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+        with:
+          api-key: ${{secrets.FOSSA_API_KEY}}

custom-checks/build.gradle.kts

@@ -3,7 +3,7 @@ plugins {
 }
 
 dependencies {
-  implementation("com.google.errorprone:error_prone_core")
+  compileOnly("com.google.errorprone:error_prone_core")
 
   testImplementation("com.google.errorprone:error_prone_test_helpers")
 }

dependencyManagement/build.gradle.kts

@@ -8,10 +8,14 @@ val dependencyVersions = hashMapOf<String, String>()
 rootProject.extra["versions"] = dependencyVersions
 
 val DEPENDENCY_BOMS = listOf(
+  // for some reason boms show up as runtime dependencies in license and vulnerability scans
+  // even if they are only used by test dependencies, so not using junit bom here
+  // (which is EPL licensed) or armeria bom (which is Apache licensed but is getting flagged
+  // by FOSSA for containing EPL-licensed)
+
   "com.fasterxml.jackson:jackson-bom:2.18.2",
   "com.google.guava:guava-bom:33.4.0-jre",
   "com.google.protobuf:protobuf-bom:4.29.3",
-  "com.linecorp.armeria:armeria-bom:1.31.3",
   "com.squareup.okhttp3:okhttp-bom:4.12.0",
   "com.squareup.okio:okio-bom:3.10.2", // applies to transitive dependencies of okhttp
   "io.grpc:grpc-bom:1.70.0",
@@ -19,7 +23,6 @@ val DEPENDENCY_BOMS = listOf(
   "io.zipkin.brave:brave-bom:6.0.3",
   "io.zipkin.reporter2:zipkin-reporter-bom:3.4.3",
   "org.assertj:assertj-bom:3.27.3",
-  "org.junit:junit-bom:5.11.4",
   "org.testcontainers:testcontainers-bom:1.20.4",
   "org.snakeyaml:snakeyaml-engine:2.9"
 )
@@ -33,8 +36,18 @@ val slf4jVersion = "2.0.16"
 val opencensusVersion = "0.31.1"
 val prometheusClientVersion = "0.16.0"
 val prometheusServerVersion = "1.3.5"
+val armeriaVersion = "1.31.3"
+val junitVersion = "5.11.4"
 
 val DEPENDENCIES = listOf(
+  "org.junit.jupiter:junit-jupiter-api:${junitVersion}",
+  "org.junit.jupiter:junit-jupiter-params:${junitVersion}",
+  "org.junit.jupiter:junit-jupiter-pioneer:${junitVersion}",
+  "com.linecorp.armeria:armeria:${armeriaVersion}",
+  "com.linecorp.armeria:armeria-grpc:${armeriaVersion}",
+  "com.linecorp.armeria:armeria-grpc-protocol:${armeriaVersion}",
+  "com.linecorp.armeria:armeria-junit5:${armeriaVersion}",
+
   "com.google.auto.value:auto-value:${autoValueVersion}",
   "com.google.auto.value:auto-value-annotations:${autoValueVersion}",
   "com.google.errorprone:error_prone_annotations:${errorProneVersion}",