We often get the question of what the best option is to align the representations in TrustSource with the technical flow in the repository. There is not really one best way to do it, because it mainly depends on...
- ... the number of teams and people.
- ... the type of workflow you support.
- ... the degree of freedom your developers shall have.
- ... the structure of your project/application/artifact.
- ... the roles you have identified/assigned in your open source compliance process.
But we do not want to hide behind complexity. So here are a few words on how we would suggest integrating TrustSource.
Tags added in the SCAN API
During the upgrade to v1.8 we introduced a set of new features. One silent extension happened in the SCAN API, which is also used by our scanners when pushing data to TrustSource for analysis. There the text fields "branch" and "tag" were added. At the same time, the analysis got an additional search criterion, so that you may search for these tags.
How to benefit?
The general idea was to ease the handling of automated scans. Use the `branch` tag to name the feature branch and the `tag` tag for all additional comments; for example, you could provide the commit ID or the timestamp that triggered the new scan. In the UI you may then select a specific tag or branch to filter the analyses.
How to align with Git-Flow?
If you are using Git-flow, we recommend using the name of the branch in the branch tag, e.g. feature, fix or develop. Depending on your philosophy you will probably not urge every developer to push all commits through TrustSource (although we would suggest doing so!).
Furthermore, we would recommend preparing Notice files for release branches only. If you base your approvals on the release branches, you will no longer need additional scans of the master branch. A hotfix branch would be treated the same way as a release branch. However, based on your know-how, you should decide whether the Notice file will require an update when you merge a hotfix.
How to align with GitHub-Flow?
In GitHub-Flow the same naming applies. However, you will always have to update the Notice file after merging to master. Here approvals as well as Notice files should always be managed on the master branch.
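As an added example (not TrustSource's own code), the following Python helper derives the `branch` and `tag` values described above from a CI checkout and encodes the Notice-file rule for both Git-flow and GitHub-flow. The SCAN API endpoint and the rest of its payload are not covered here; only the two field names come from the page, and the branch prefixes beyond feature, fix, develop, release and hotfix are assumptions.

```python
"""Build the SCAN "branch"/"tag" fields from a git checkout and decide whether a
Notice file is due under Git-flow or GitHub-flow (added example, assumptions noted)."""
import re
import subprocess
import time
from datetime import datetime, timezone

# Git-flow rule from the post: Notice files are prepared on release/hotfix branches only.
GITFLOW_NOTICE_KINDS = ("release", "hotfix")
# GitHub-flow rule from the post: approvals and Notice files live on master ("main" assumed).
GITHUBFLOW_NOTICE_KINDS = ("master", "main")
# Branch prefixes we recognise; "bugfix" is an assumed alias for "fix".
KNOWN_PREFIXES = ("feature", "fix", "bugfix", "release", "hotfix")


def classify_branch(ref: str) -> str:
    """Map 'refs/heads/feature/login' -> 'feature', 'develop' -> 'develop', else 'other'."""
    name = ref.removeprefix("refs/heads/")
    head = name.split("/", 1)[0]
    if head in KNOWN_PREFIXES:
        return head
    if name in ("develop", "master", "main"):
        return name
    return "other"


def notice_file_required(ref: str, workflow: str) -> bool:
    """Apply the post's rule: Git-flow -> release/hotfix only; GitHub-flow -> master only."""
    kind = classify_branch(ref)
    if workflow == "gitflow":
        return kind in GITFLOW_NOTICE_KINDS
    if workflow == "githubflow":
        return kind in GITHUBFLOW_NOTICE_KINDS
    raise ValueError(f"unknown workflow: {workflow}")


def build_scan_metadata(ref: str, commit_id: str, when_epoch: float) -> dict:
    """Return the two SCAN fields: branch = flow role, tag = short commit id + UTC timestamp."""
    if not re.fullmatch(r"[0-9a-f]{7,40}", commit_id):
        raise ValueError("commit id must be a hex SHA")
    stamp = datetime.fromtimestamp(when_epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"branch": classify_branch(ref), "tag": f"{commit_id[:12]}@{stamp}"}


def metadata_from_checkout() -> dict:
    """Read ref and commit from the current working copy (requires git on PATH)."""
    ref = subprocess.check_output(["git", "symbolic-ref", "HEAD"], text=True).strip()
    sha = subprocess.check_output(["git", "rev-parse", "HEAD"], text=True).strip()
    return build_scan_metadata(ref, sha, time.time())
```

Call `metadata_from_checkout()` from the CI job that runs your scanner and pass the resulting fields along with the scan; gate the Notice-file generation step on `notice_file_required(ref, workflow)`.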