🌱 Add licence-scan for pull requests

[killianmuldoon]

This adds a trivy license scan to the Makefile verify target which runs on all pull requests. This should allow detection of undesired license changes in go dependencies.

Related to #9181

[killianmuldoon]

/area ci

[killianmuldoon]

/cherry-pick release-1.5

[k8s-infra-cherrypick-robot]

@killianmuldoon: once the present PR merges, I will cherry-pick it on top of release-1.5 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[killianmuldoon]

/cherry-pick release-1.4

[k8s-infra-cherrypick-robot]

@killianmuldoon: once the present PR merges, I will cherry-pick it on top of release-1.4 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[chrischdi]

Suggested change

	verify-licenses: ## Verify licenses
	verify-licenses: $(TRIVY) ## Verify licenses

Should we start running ensure-trivy.sh as a separate target to fetch the binary (including the versioned binary + symlink to the version) as we do for go install based tools?

[chrischdi]

note: I could also take this as a follow-up

[killianmuldoon]

Not sure given it's just a download - I'm fine either way though.

[sbueringer]

Would be a nice follow-up

[sbueringer]

Now that I reviewed the PR. I'm fine with the current version. I think the most important part is that we always use the right version specified in the Makefile (which we do)

Would be still nice to follow-up for consistency though

[killianmuldoon]

Current state:

• Updated this PR to match the exact guidance of the CNCF upstream.
• Added a specific exclude for hashicorp/hcl which we should probably move toward removing. Issue Review hashicorp license change impact #9181
• Using trivy as it's simpler - i.e. can be run locally with no API - than snyk or fossa which are also used in the community. k/k uses a few custom scripts, and we don't have full guidance for how to scan from upstream yet.

[sbueringer]

Nice work. Thank you very much for working on this!

[sbueringer]

Now that I reviewed the PR. I'm fine with the current version. I think the most important part is that we always use the right version specified in the Makefile (which we do)

Would be still nice to follow-up for consistency though

[sbueringer]

Last nit: #9184 (comment)

[sbueringer]

Thank you!

/approve

/assign @chrischdi

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sbueringer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chrischdi]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 1cf49f28629713a5187694d08d8b969f3cb8317b

[k8s-infra-cherrypick-robot]

@killianmuldoon: #9184 failed to apply on top of branch "release-1.5":

Applying: Add licence-scan for pull requests
.git/rebase-apply/patch:240: new blank line at EOF.
+
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	CONTRIBUTING.md
M	Makefile
Falling back to patching base and 3-way merge...
Auto-merging Makefile
CONFLICT (content): Merge conflict in Makefile
Auto-merging CONTRIBUTING.md
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add licence-scan for pull requests
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@killianmuldoon: #9184 failed to apply on top of branch "release-1.4":

Applying: Add licence-scan for pull requests
.git/rebase-apply/patch:240: new blank line at EOF.
+
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	CONTRIBUTING.md
M	Makefile
M	hack/verify-container-images.sh
Falling back to patching base and 3-way merge...
Auto-merging hack/verify-container-images.sh
CONFLICT (content): Merge conflict in hack/verify-container-images.sh
Auto-merging Makefile
CONFLICT (content): Merge conflict in Makefile
Auto-merging CONTRIBUTING.md
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add licence-scan for pull requests
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

@killianmuldoon Found in https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/pull/2299/files. We probably still want to set GO_ARCH