Conversation

jpower432 (Member)

@jpower432 jpower432 commented May 20, 2025

Types of changes

  • Hot fix (emergency fix and release)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Documentation (change which affects the documentation site)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Release (develop -> main)

Quality assurance (all should be covered).

  • My code follows the code style of this project.
  • Documentation for my change is up to date?
  • My PR meets testing requirements.
  • All new and existing tests passed.
  • All commits are signed-off.

How To Test

If using act, fill in below:

act version: 0.2.71

act command: gh act -W .github/workflows/python-test.yml -j snyk

Summary

Currently snyk scans with pyproject.toml are only supported with poetry. This solution installs dependencies into a virtual environment and generates a temporary requirements.txt for scanning.

Caveat: This solution does not differentiate between direct and transitive dependencies nor dev/optional dependencies.

Note: This requires a new repository secret to store the token.

Key links:

Before you merge

  • Ensure it is a 'squash commit' if not a release.
  • Ensure CI is currently passing
  • Check sonar. If you are working from a fork, a maintainer will reach out if required.
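The flow the summary describes, as an added shell example that is not the project's workflow or any code from this PR: a throwaway virtual environment is frozen into a temporary requirements.txt, the scanner runs against it, and cleanup runs on every exit path while the scanner's exit status is preserved so a failing scan cannot be masked. Assumed: `python3` and `snyk` on PATH; `freeze_deps` and `scan_requirements` are hypothetical helper names kept separate so either can be swapped out.

```shell
#!/usr/bin/env sh
# Added example, not the project's workflow: scan a pyproject.toml-based
# project with a requirements.txt-only scanner (Snyk) by freezing a
# throwaway virtual environment. Assumes python3 and snyk on PATH.
set -eu

# Hypothetical helper: install the project into a fresh venv under $1 and
# print `pip freeze` output. This is where the PR's caveat comes from:
# direct, transitive and any installed optional dependencies all come out
# as one flat, undifferentiated list (the project itself appears as well).
freeze_deps() {
  venv="$1/venv"
  python3 -m venv "$venv" || return 1
  "$venv/bin/pip" install --quiet "$2" || return 1
  "$venv/bin/pip" freeze
}

# Hypothetical helper: run the scanner; its exit status is the result.
scan_requirements() {
  snyk test --file="$1"
}

# The body runs in a subshell so the EXIT trap and variables stay local.
# The trap removes the venv and temp file on every path (success, install
# failure, scan failure) and re-raises the saved status instead of masking
# it, so a failing scan still fails the job. mktemp honors TMPDIR.
scan_pyproject() (
  project_dir=${1:-.}
  workdir=$(mktemp -d) || exit 1
  req="$workdir/requirements.txt"
  trap 'status=$?; rm -rf "$workdir"; exit "$status"' EXIT
  freeze_deps "$workdir" "$project_dir" > "$req" || exit 1
  [ -s "$req" ] || { echo "no dependencies frozen for $project_dir" >&2; exit 1; }
  scan_requirements "$req"
)

# Usage: ./scan.sh --run /path/to/project
if [ "${1:-}" = "--run" ]; then
  shift
  scan_pyproject "${1:-.}"
fi
```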

jpower432 added 3 commits May 20, 2025 18:43
Currently snyk scans with pyproject.toml are only supported
with poetry. This solution installs dependencies into
a virtual environment and generates a temporary requirements.txt
for scanning.

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Ensures the cleanup step is always run
without suppressing errors

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
@jpower432 jpower432 marked this pull request as ready for review June 4, 2025 15:39
@jpower432 jpower432 requested a review from a team as a code owner June 4, 2025 15:39
@degenaro (Collaborator)

Is there a readily accessible link that will show the list of (license) problems when the pipeline fails? Perhaps this PR should not be merged until current licence problems are fixed, so that future (non-snyk) PRs don't also get flagged.

@jpower432 (Member, Author)

@degenaro I was able to add the dependencies triggering the failure to this issue #1895. They don't appear to have a CNCF licensing exception, so I think the next step would be to review to see if they can be replaced.

Successfully merging this pull request may close these issues.

  • OSPS-VM-05.02: Proposal for SCA policy enforcement tooling or approach
  • OSPS-VM-05.01: Create an SCA findings policy check in release pipeline