From 878093d17de51ba467934a4373e78c3adf22d29b Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Sun, 9 Feb 2025 07:15:05 -0800
Subject: [PATCH 1/4] Add FOSSA license scanning
---
 .fossa.yml | 40 +++++++++++++++++++
 .github/workflows/fossa.yml | 19 +++++++++
 .../kotlin/otel.java-conventions.gradle.kts | 2 +
 custom-checks/build.gradle.kts | 2 +-
 dependencyManagement/build.gradle.kts | 14 ++++++-
 5 files changed, 74 insertions(+), 3 deletions(-)
 create mode 100644 .fossa.yml
 create mode 100644 .github/workflows/fossa.yml
diff --git a/.fossa.yml b/.fossa.yml
new file mode 100644
index 00000000000..87c35f5bcae
--- /dev/null
+++ b/.fossa.yml
@@ -0,0 +1,40 @@
+version: 3
+
+targets:
+ only:
+ - type: gradle
+ exclude:
+ # these modules are not published and so consumers will not be exposed to them
+ - type: gradle
+ path: ./
+ target: ':api:testing-internal'
+ - type: gradle
+ path: ./
+ target: ':exporters:otlp:testing-internal'
+ - type: gradle
+ path: ./
+ target: ':integration-tests'
+ - type: gradle
+ path: ./
+ target: ':integration-tests:graal'
+ - type: gradle
+ path: ./
+ target: ':integration-tests:graal-incubating'
+ - type: gradle
+ path: ./
+ target: ':integration-tests:otlp'
+ - type: gradle
+ path: ./
+ target: ':integration-tests:tracecontext'
+ - type: gradle
+ path: ./
+ target: ':perf-harness'
+ - type: gradle
+ path: ./
+ target: ':testing-internal'
+
+experimental:
+ gradle:
+ configurations-only:
+ # consumer will only be exposed to these dependencies
+ - runtimeClasspath
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
new file mode 100644
index 00000000000..23cabfc684d
--- /dev/null
+++ b/.github/workflows/fossa.yml
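Review bot: The `targets.exclude` list is a hand-maintained copy of which Gradle modules are unpublished, and nothing in this file ties it to the build's actual publishing configuration, so a module that later starts being published while still listed here silently drops out of the license and vulnerability scan (a new unpublished module that is not listed merely adds noise, which is the safer failure). A comment naming what to check, e.g. `# keep in sync with the set of modules that are not published (see the publishing convention plugin)`, would tell the next maintainer where to verify; I cannot see how publishing is configured in this build, so adjust the pointer. Likewise `configurations-only: runtimeClasspath` is a deliberate choice to scan only what consumers receive, but it also means test and build-time dependencies that execute in CI are outside this report, and the comment `# consumer will only be exposed to these dependencies` could state that explicitly so nobody reads the FOSSA results as covering the whole supply chain.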
@@ -0,0 +1,19 @@
+name: FOSSA
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ fossa:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - uses: fossas/fossa-action@93a52ecf7c3ac7eb40f5de77fd69b1a19524de94 # v1.5.0
+ with:
+ api-key: ${{secrets.FOSSA_API_KEY}}
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 4d2315b9bdd..7a2d7cfcece 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -232,6 +232,8 @@ testing {
 dependencies {
 implementation(project(project.path))
+ implementation(enforcedPlatform("org.junit:junit-bom:5.11.4"))
+
 implementation(project(":testing-internal"))
 compileOnly("com.google.auto.value:auto-value-annotations")
diff --git a/custom-checks/build.gradle.kts b/custom-checks/build.gradle.kts
index 5167a979be0..0139c392ffc 100644
--- a/custom-checks/build.gradle.kts
+++ b/custom-checks/build.gradle.kts
@@ -3,7 +3,7 @@ plugins {
 }
 dependencies {
- implementation("com.google.errorprone:error_prone_core")
+ compileOnly("com.google.errorprone:error_prone_core")
 testImplementation("com.google.errorprone:error_prone_test_helpers")
 }
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 95d51cf04a0..7007a18276a 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
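Review bot: With only `api-key` configured, the `fossas/fossa-action` step at the end of the hunk uploads the analysis but nothing in this job fails on a policy violation, so a newly introduced disallowed license or vulnerable dependency shows up only in the FOSSA dashboard, never as a red build; if I read the action's inputs correctly, adding `run-tests: true` under `with:` makes it run the FOSSA test phase after the upload and fail the job on violations. The `push` to `main` trigger also means findings surface post-merge; a `pull_request` trigger would catch them earlier, though the API-key secret is unavailable on fork PRs, so that is a judgment call. A `timeout-minutes` on the job would be a cheap guard too, since as far as I know the Gradle analysis invokes the project's own `gradlew`.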
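Review bot: Switching `error_prone_core` to `compileOnly` takes it off this module's `runtimeClasspath`, which is exactly the configuration the new `.fossa.yml` restricts the scan to, so if the motivation is keeping the dependency out of the license report rather than a genuinely compile-only relationship, the more honest fix is to add `:custom-checks` to the `targets.exclude` list in `.fossa.yml` and leave the declaration as it was (it looks like a build-time Error Prone plugin rather than a published artifact, but I cannot confirm that from here). Either way, please confirm the module's tests still run: `compileOnly` also removes `error_prone_core` from the test runtime classpath unless `error_prone_test_helpers` brings it in transitively, which it probably does but this hunk does not show. A one-line comment above the declaration, e.g. `// compileOnly: the Error Prone compiler plugin supplies error_prone_core at runtime`, would record the intent either way.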
@@ -8,10 +8,13 @@ val dependencyVersions = hashMapOf()
 rootProject.extra["versions"] = dependencyVersions
 val DEPENDENCY_BOMS = listOf(
+ // for some reason boms show up as runtime dependencies in license and vulnerability scans
+ // even if they are only used by test dependencies, so not using junit or armeria boms here
+ // since they are LGPL and EPL licensed respectively
+
 "com.fasterxml.jackson:jackson-bom:2.18.2",
 "com.google.guava:guava-bom:33.4.0-jre",
 "com.google.protobuf:protobuf-bom:4.29.3",
- "com.linecorp.armeria:armeria-bom:1.31.3",
 "com.squareup.okhttp3:okhttp-bom:4.12.0",
 "com.squareup.okio:okio-bom:3.10.2", // applies to transitive dependencies of okhttp
 "io.grpc:grpc-bom:1.70.0",
@@ -19,7 +22,6 @@ val DEPENDENCY_BOMS = listOf(
 "io.zipkin.brave:brave-bom:6.0.3",
 "io.zipkin.reporter2:zipkin-reporter-bom:3.4.3",
 "org.assertj:assertj-bom:3.27.3",
- "org.junit:junit-bom:5.11.4",
 "org.testcontainers:testcontainers-bom:1.20.4",
 "org.snakeyaml:snakeyaml-engine:2.9"
 )
@@ -33,8 +35,16 @@ val slf4jVersion = "2.0.16"
 val opencensusVersion = "0.31.1"
 val prometheusClientVersion = "0.16.0"
 val prometheusServerVersion = "1.3.5"
+val armeriaVersion = "1.31.3"
+
 val DEPENDENCIES = listOf(
+ "org.junit.jupiter:junit-jupiter-api:5.11.4",
+ "com.linecorp.armeria:armeria:${armeriaVersion}",
+ "com.linecorp.armeria:armeria-grpc:${armeriaVersion}",
+ "com.linecorp.armeria:armeria-grpc-protocol:${armeriaVersion}",
+ "com.linecorp.armeria:armeria-junit5:${armeriaVersion}",
+
 "com.google.auto.value:auto-value:${autoValueVersion}",
 "com.google.auto.value:auto-value-annotations:${autoValueVersion}",
 "com.google.errorprone:error_prone_annotations:${errorProneVersion}",
From 83dd241bd315017154224a72f62e5bd2e2a4a093 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Sun, 9 Feb 2025 15:59:07 -0800
Subject: [PATCH 2/4] fix up comment
---
 dependencyManagement/build.gradle.kts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
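Review bot: Dropping `junit-bom` and `armeria-bom` from `DEPENDENCY_BOMS` while pinning only `junit-jupiter-api` and four Armeria artifacts in the `DEPENDENCIES` hunk leaves every other module of those families unconstrained — `junit-jupiter-engine`, the `junit-platform-*` artifacts and whatever Armeria sub-artifacts arrive transitively — so they resolve to whatever Gradle's conflict resolution picks, and a mismatched Jupiter API/engine pair is a classic cause of silently skipped tests. Unless those are pinned elsewhere (not visible here), add at least `"org.junit.jupiter:junit-jupiter-engine:5.11.4",` and `"org.junit.platform:junit-platform-launcher:<matching version>",` next to the API pin, and a comment `// BOM dropped for the license scan; every junit/armeria artifact in use must be pinned here by hand` so the next upgrade does not miss one. The version-alignment the BOMs provided is also what keeps the vulnerability side of the scan honest, since a stray older release resolved in one module is exactly what such pins are meant to prevent.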
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 7007a18276a..a117ac9b894 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -9,7 +9,7 @@ rootProject.extra["versions"] = dependencyVersions
 val DEPENDENCY_BOMS = listOf(
 // for some reason boms show up as runtime dependencies in license and vulnerability scans
- // even if they are only used by test dependencies, so not using junit or armeria boms here
+ // even if they are only used by test dependencies, so not using junit or armeria boms
 // since they are LGPL and EPL licensed respectively
 "com.fasterxml.jackson:jackson-bom:2.18.2",
From b941184942b08d31204d5da0fa15d94e805d6eee Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Sun, 9 Feb 2025 19:49:06 -0800
Subject: [PATCH 3/4] update comment
---
 dependencyManagement/build.gradle.kts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index a117ac9b894..ef1f9e2f08c 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -9,8 +9,9 @@ rootProject.extra["versions"] = dependencyVersions
 val DEPENDENCY_BOMS = listOf(
 // for some reason boms show up as runtime dependencies in license and vulnerability scans
- // even if they are only used by test dependencies, so not using junit or armeria boms
- // since they are LGPL and EPL licensed respectively
+ // even if they are only used by test dependencies, so not using junit bom here
+ // (which is EPL licensed) or armeria bom (which is Apache licensed but is getting flagged
+ // by FOSSA for containing EPL-licensed)
 "com.fasterxml.jackson:jackson-bom:2.18.2",
 "com.google.guava:guava-bom:33.4.0-jre",
From 551a7643ba31fb6fd162ff557c27a5fabf5f3a47 Mon Sep 17 00:00:00 2001
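Review bot: The rewritten comment in the [PATCH 3/4] hunk still opens with `for some reason boms show up as runtime dependencies`, which records a symptom rather than the cause the next maintainer will need when another BOM trips the scan; if, as I would guess, this module exposes the BOMs via `api(platform(...))` so they become real dependencies on every consumer's runtime configuration, the comment should say that instead (the declaration is not visible in this hunk, so confirm before writing it). The last line `by FOSSA for containing EPL-licensed)` is also missing its noun, e.g. `by FOSSA for containing EPL-licensed artifacts)`, and as written a reader cannot tell whether the Apache-licensed Armeria BOM is genuinely disallowed or merely a scanner false positive, which is worth one more clause.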
From: Trask Stalnaker
Date: Mon, 10 Feb 2025 08:51:04 -0800
Subject: [PATCH 4/4] feedback
---
 buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts | 2 --
 dependencyManagement/build.gradle.kts | 6 ++++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
index 7a2d7cfcece..4d2315b9bdd 100644
--- a/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
+++ b/buildSrc/src/main/kotlin/otel.java-conventions.gradle.kts
@@ -232,8 +232,6 @@ testing {
 dependencies {
 implementation(project(project.path))
- implementation(enforcedPlatform("org.junit:junit-bom:5.11.4"))
-
 implementation(project(":testing-internal"))
 compileOnly("com.google.auto.value:auto-value-annotations")
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index ef1f9e2f08c..d7cd7d90f89 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
@@ -37,10 +37,12 @@ val opencensusVersion = "0.31.1"
 val prometheusClientVersion = "0.16.0"
 val prometheusServerVersion = "1.3.5"
 val armeriaVersion = "1.31.3"
-
+val junitVersion = "5.11.4"
 val DEPENDENCIES = listOf(
- "org.junit.jupiter:junit-jupiter-api:5.11.4",
+ "org.junit.jupiter:junit-jupiter-api:${junitVersion}",
+ "org.junit.jupiter:junit-jupiter-params:${junitVersion}",
+ "org.junit.jupiter:junit-jupiter-pioneer:${junitVersion}",
+
 "com.linecorp.armeria:armeria:${armeriaVersion}",
 "com.linecorp.armeria:armeria-grpc:${armeriaVersion}",
 "com.linecorp.armeria:armeria-grpc-protocol:${armeriaVersion}",
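Review bot: `"org.junit.jupiter:junit-jupiter-pioneer:${junitVersion}"` in the `DEPENDENCIES` hunk does not look like a real coordinate: JUnit Pioneer is published as `org.junit-pioneer:junit-pioneer` with its own version line, not under `org.junit.jupiter` at the Jupiter version, so as a constraint this entry would match nothing and silently pin nothing while whichever module actually uses Pioneer stays at whatever version it declares locally. Please check the module that depends on it and replace the line with the real group, artifact and version, e.g. `"org.junit-pioneer:junit-pioneer:<version in use>",`. Since a constraint on a non-existent coordinate never fails the build, this kind of typo is only caught by reading the resolved dependency report, which is a good reason to keep these hand-written pins few and commented.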