[license] Add license scanning of third_party dependencies

.github/workflows/ci.yml

@@ -154,23 +154,40 @@ jobs:
         uses: ./.github/actions/prepare-env
       - name: Check Python licenses
         run: |
+		  # Last two entries are an exception made for dev-only tool
+		  # scancode-toolkit, which is used to scan third_party dependencies'
+		  # licenses. The scancode-toolkit is Apache-2.0-licensed but contains
+		  # GPL dependencies.
           ALLOWED=(
             'apache'
+            'apache-2.0 AND bsd-simplified-darwin AND (bsd-simplified AND public-domain AND bsd-new AND isc AND (bsd-new OR gpl-1.0-plus) AND bsd-original)'
+            'apache-2.0 AND lgpl-2.1 and unrar and brian-gladman-3-clause'
+            'apache-2.0 AND bsd-simplified'
+            'Apache-2'
             'Apache-2.0'
+            'Apache 2.0'
+            'Apache-2.0 AND BSD-3-Clause AND MIT'
             'Apache Software License'
             'BSD'
+            'BSD-2-Clause'
             'BSD-3-Clause'
+            'BSD-3-Clause and Public-Domain'
             'BSD License'
+            '3-Clause BSD License'
             'Freeware'
             'GNU Lesser General Public License v2 or later (LGPLv2+)'
             'GNU Lesser General Public License v3 (LGPLv3)'
+            'GNU Lesser General Public License v3 or later (LGPLv3+)'
             'GNU Library or Lesser General Public License (LGPL)'
+            'GPL-3.0-or-later OR MIT'
             'MIT'
             'MIT License'
             'Mozilla Public License 2.0 (MPL 2.0)'
             'Public Domain'
             'Python Software Foundation License'
             'UNKNOWN'
+            'Artistic License; GNU General Public License (GPL); GNU General Public License v2 or later (GPLv2+)'
+            'Apache-2.0 AND CC-BY-4.0 AND LicenseRef-scancode-other-permissive AND LicenseRef-scancode-other-copyleft'
           )
           ALLOWED_SEMI=${ALLOWED[0]}
           for lic in "${ALLOWED[@]}"; do
@@ -186,7 +203,12 @@ jobs:
           cargo install cargo-deny --version 0.18.4
           cargo deny --all-features --manifest-path third_party/rust/Cargo.toml check licenses
           cargo deny --all-features --manifest-path third_party/tock/Cargo.toml check licenses
-
+      - name: Scan third_party libraries for incompatible licenses
+        run: |
+            ./bazelisk.sh test \
+                --test_tag_filters=supply_chain \
+                --test_output=all \
+                //...
   verible_lint:
     name: Verible lint
     runs-on:

BUILD.bazel

@@ -25,6 +25,20 @@ filegroup(
     ],
 )
 
+filegroup(
+    name = "all_files",
+    srcs = glob(
+        ["**/*"],
+        exclude = [
+            "bazel-*/**",
+            "build-bin/**",
+            ".git/**",
+            "scratch/**",
+            ".venv/**",
+        ],
+    ),
+)
+
 alias(
     name = "gen_rust_project",
     actual = "@rules_rust//tools/rust_analyzer:gen_rust_project",

MODULE.bazel

@@ -6,7 +6,7 @@ module(name = "lowrisc_opentitan")
 
 # Dependencies:
 bazel_dep(name = "abseil-cpp", version = "20240116.1")
-bazel_dep(name = "bazel_skylib", version = "1.7.1")
+bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "platforms", version = "0.0.11")
 bazel_dep(name = "rules_cc", version = "0.1.2")

apt-requirements.txt

@@ -12,6 +12,7 @@
 autoconf
 brotli
 build-essential
+clang
 cmake
 curl
 file
@@ -22,6 +23,7 @@ libelf1
 libelf-dev
 libftdi1-2
 libftdi1-dev
+libicu-dev
 # A requirement of the prebuilt clang toolchain.
 libncursesw5
 libpcsclite-dev
@@ -36,6 +38,7 @@ openssl
 perl
 pkgconf
 python3
+python3-icu
 python3-pip
 python3-setuptools
 python3-urllib3

pyproject.toml

@@ -69,8 +69,20 @@ dependencies = [
 
   "peakrdl-systemrdl >= 1.0",
 
-  # Dependency license checker
+  # Development version of minimal ChipWhisperer toolchain with latest features
+  # and bug fixes. We fix the version for improved stability and manually update
+  # if necessary.
+  "chipwhisperer@https://github.com/newaetech/chipwhisperer-minimal/archive/2643131b71e528791446ee1bab7359120288f4ab.zip",
+
+  # Dependency license checking tools.
   "pip-licenses==5.0.0",
+  "scancode-toolkit==32.4.1",
+  "extractcode-libarchive==3.5.1.210531",
+  "typecode-libmagic==5.39.210531",
+  # scancode-toolkit 32.4.1 pulls in click==8.3.0 by default, which is broken. We
+  # manually downgrade `click` to avoid this issue.
+  # See also: https://github.com/aboutcode-org/scancode-toolkit/issues/4572
+  "click==8.2.1",
 ]
 
 [tool.setuptools]

quality/supply_chain/BUILD

@@ -0,0 +1,24 @@
+# Copyright zeroRISC Inc.
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+load("@rules_python//python/entry_points:py_console_script_binary.bzl", "py_console_script_binary")
+
+package(default_visibility = ["//visibility:public"])
+
+exports_files([
+    "policy.yaml",
+    "dev_policy.yaml",
+    "scancode_test.sh",
+    "lint.sh",
+])
+
+# ScanCode binary
+py_console_script_binary(
+    name = "scancode",
+    pkg = "@ot_python_deps//scancode_toolkit",
+    deps = [
+        "@ot_python_deps//extractcode_libarchive",
+        "@ot_python_deps//typecode_libmagic",
+    ],
+)

quality/supply_chain/dev_policy.yaml

@@ -0,0 +1,124 @@
+# Copyright zeroRISC Inc.
+# Licensed under the Apache License, Version 2.0, see LICENSE for details.
+# SPDX-License-Identifier: Apache-2.0
+
+license_policies:
+  # PERMITTED LICENSES
+
+  # SPDX: MIT
+  - license_key: mit
+    label: Approved License
+    compliance_alert: ''
+
+  # SPDX: Apache-2.0
+  - license_key: apache-2.0
+    label: Approved License
+    compliance_alert: ''
+
+  # SPDX: BSD-2-clause
+  # SPDX: BSD-3-clause
+  - license_key: bsd-new
+    label: Approved License
+    compliance_alert: ''
+
+  # Public Domain
+  - license_key: LicenseRef-scancode-public-domain
+    compliance_alert: ''
+
+  # RESTRICTED USE LICENSES
+
+  # SPDX: MPL-2.0
+  - license_key: mpl-2.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: MPL-2.0-or-later
+  - license_key: mpl-2.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: LGPL-2.0
+  - license_key: lgpl-2.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: LGPL-2.0-or-later
+  - license_key: lgpl-2.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: LGPL-3.0
+  - license_key: lgpl-3.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: LGPL-3.0-or-later
+  - license_key: lgpl-3.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: GPL-1.0
+  - license_key: gpl-1.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: GPL-1.0-or-later
+  - license_key: gpl-1.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: GPL-2.0
+  - license_key: gpl-2.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: GPL-2.0-or-later
+  - license_key: gpl-2.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: GPL-3.0
+  - license_key: gpl-3.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: GPL-3.0-or-later
+  - license_key: gpl-3.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: AGPL-1.0
+  - license_key: agpl-1.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: AGPL-1.0-or-later
+  - license_key: agpl-1.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: AGPL-2.0
+  - license_key: agpl-2.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: AGPL-2.0-or-later
+  - license_key: agpl-2.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: AGPL-3.0
+  - license_key: agpl-3.0
+    label: Restricted License
+    compliance_alert: warning
+
+  # SPDX: AGPL-3.0-or-later
+  - license_key: agpl-3.0-plus
+    label: Restricted License
+    compliance_alert: warning
+
+  # PROHIBITED LICENSES
+
+  # Unknown license
+  - license_key: LicenseRef-scancode-unknown-license-reference
+    compliance_alert: error