Enhance Compliance Mechanisms and CI Provider Support

Organization: AboutCode

Projects: Scancode.io and Scancode-action

Mentee: Manit Singh (NucleonGodX)

Mentors:

• Thomas Druez

• Dennis Clark

• Pranay Das

• Avishrant Sharma

Overview

ScanCode.io previously supported compliance mechanisms only based on license policies, which limited the comprehensive assessment of software projects for organizations with diverse compliance requirements.

This project enhanced ScanCode.io to support additional compliance mechanisms beyond license policies, including license clarity scores, vulnerability levels, and scorecard scores. Additionally, the project expanded scancode-action support to multiple CI providers beyond GitHub Actions, including Azure Pipelines and Jenkins CI.

---

Implementation

• Independent Compliance Mechanisms:

  • Developed an independent mechanism for compliance based on scorecard scores and license clarity scores.

  • Integrated these mechanisms into the database’s project extra_data field, API endpoints, check compliance command, and UI project view.

  • Created a unified threshold mechanism for both license clarity and scorecard compliance, reducing code duplication and improving maintainability.

• Unified Script Structure:

  • Implemented a unified Python script structure that generates bash code for use across different CI providers including GitHub Actions, Azure Pipelines, and Jenkins CI.

  • This approach significantly reduces redundancy in CI provider implementations and ensures consistent behavior across platforms.

• CI Provider Expansion:

  • Added comprehensive support for Azure Pipelines with proper configuration templates and integration workflows.

  • Added PR for using scancode-action with Jenkins.

  • Ensured all CI providers utilize the same core scanning functionality through the unified script approach.

• Policy Validation Improvements:

  • Fixed policy validation logic to properly handle different compliance mechanisms without requiring license_policies for all policy files.

  • Enhanced error handling and validation messages for better user experience.

Linked Pull Requests

Sr. no	Name	Link	Status
1	Introduce Independent License Clarity Thresholds Mechanism	scancode.io#1689	Merged
2	Integration of Clarity compliance mechanism	scancode.io#1705	Merged
3	Refactor a common threshold mechanism for both license clarity and scorecard score	scancode.io#1799	Merged
4	Add compliance support based on OpenSSF Scorecard score	scancode.io#1800	Merged
5	Fix policies validation	scancode.io#1814	Merged
6	Add Azure pipelines support	scancode-action#19	Open
7	Add support for jenkins-ci	scancode-action#21	Open
8	Add support for python script for ci providers	scancode-action#23	Open

Related Issues

Sr. no	Name	Link
1	Add license clarity score-based Compliance support	#1678
2	Add Vulnerability Severity-Based Compliance Support	#1679
3	Add support for Azure pipelines	#18
4	Add support for Jenkins	#20
5	Add scorecard based compliance support	#1794
6	Add a mechanism to eliminate redundant Bash code across CI providers	#22
7	Refactor License Clarity and Scorecard Compliance Thresholds into Unified Module	#1797
8	Policies validation incorrectly requires license_policies for all policy files	#1813

Pre GSoC Work

Here are some of the PRs I submitted before GSoC:

• Enhanced package detection and improved license detection accuracy

• Fixed vulnerability data processing issues

• Improved license classification and detection mechanisms

• Enhanced vulnerability database integration

Post GSoC

I plan to continue contributing by:

• Completing the Pull requests of integrating other CI providers in scancode-action

Links

• Project Idea

• Official GSoC project page

• GSoC Proposal

• Project Board

Acknowledgements

I would like to thank my mentors:

• Thomas Druez

• Dennis Clark

• Pranay Das

• Avishrant Sharma

Their guidance was instrumental throughout the project development. The regular feedback sessions helped me navigate complex architectural decisions, especially when designing the unified compliance mechanism.