Creating CQs

Christian Kaltepoth edited this page Dec 1, 2019 · 22 revisions

We need to file CQs for all our dependencies. This wiki page gives a brief overview of how to create a CQ correctly.

You can learn more details about the process here:

Dependency type

The two most important dependency types are:

  • Prerequisite (prereq)
    • Required by Krazo to provide its core functionality
  • Works With Dependency (workswith)
    • Krazo's functionality is enhanced by this dependency, but does not depend on it
    • Or the dependency is required at build-time only

Use the following decision tree:

  • Maven test scope or only used for testing/building (Maven plugins, Arquillian). See here.
    • -> workswith
  • Maven compile and provided scope:
    • Dependency is used by an extension (Everything in the ext directory, see here)
      • -> workswith
    • Everything else:
      • -> prereq

Dependency versions

CQs always refer to a specific version of a dependency. However, patch releases don't require a new CQ: only a change of the major or minor version does. So updating a dependency from 1.2.3 to 1.2.7 is fine, but updating to 1.3.0 (or 2.0.0) would require a new CQ.
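The decision tree above and the version rule can be applied mechanically when a pom changes. The following is an added example (not part of the Krazo wiki or of any Eclipse IP tooling) that classifies dependencies as prereq or workswith and reports which version bumps or new dependencies need a CQ. All coordinates, scopes and module paths in it are constructed sample data; the "review" bucket for scopes the page does not mention (runtime, system) is an assumption of this example.

```python
"""Added example: apply the Krazo CQ rules to a constructed dependency list.

This is not Krazo project code or Eclipse IP tooling. It encodes the two rules
from the wiki page: the prereq/workswith decision tree, and "a new CQ is only
needed when the major or minor version changes".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str            # Maven scope: compile, provided, runtime, test
    module: str           # Maven module declaring it, e.g. "core" or "ext/foo"
    is_plugin: bool = False   # Maven plugins are build-time only


def classify(dep: Dependency) -> str:
    """Decision tree from the wiki page: test/build-only -> workswith,
    compile/provided in ext/ -> workswith, other compile/provided -> prereq."""
    if dep.is_plugin or dep.scope == "test":
        return "workswith"
    if dep.scope in ("compile", "provided"):
        if dep.module == "ext" or dep.module.startswith("ext/"):
            return "workswith"
        return "prereq"
    # Assumption of this example: the page does not cover other scopes,
    # so flag them for manual review instead of guessing.
    return "review"


def major_minor(version: str) -> tuple[int, int]:
    """Parse 'x.y.z[-qualifier]' into (x, y); a missing minor counts as 0."""
    core = version.split("-", 1)[0]          # drop qualifiers such as -M1
    nums = [int(p) for p in core.split(".")[:2]]
    while len(nums) < 2:
        nums.append(0)
    return nums[0], nums[1]


def needs_new_cq(old_version: str, new_version: str) -> bool:
    """Patch bumps are covered by the existing CQ; anything else is not."""
    return major_minor(old_version) != major_minor(new_version)


def review(before: list[Dependency], after: list[Dependency]) -> list[dict]:
    """Compare two dependency snapshots (e.g. two revisions of the poms) and
    return one finding per dependency that needs a CQ, with its type and
    the description text the form asks for."""
    def key(d: Dependency) -> tuple[str, str, str]:
        return (d.group, d.artifact, d.module)

    old = {key(d): d for d in before}
    findings = []
    for dep in after:
        prev = old.get(key(dep))
        if prev is None:
            reason = "new dependency"
        elif needs_new_cq(prev.version, dep.version):
            reason = f"version {prev.version} -> {dep.version} changes major/minor"
        else:
            continue                          # unchanged or patch bump only
        findings.append({
            "coordinate": f"{dep.group}:{dep.artifact}:{dep.version}",
            "type": classify(dep),
            "reason": reason,
            "cq_description": f"Maven {dep.scope}-scoped dependency on "
                              f"{dep.artifact} {dep.version}",
        })
    return findings


# Constructed sample data (made-up coordinates), not real Krazo dependencies.
BEFORE = [
    Dependency("org.example", "foobar", "1.2.3", "compile", "core"),
    Dependency("org.example", "testkit", "4.0.1", "test", "core"),
    Dependency("org.example", "ext-lib", "0.9.0", "compile", "ext/example"),
]
AFTER = [
    Dependency("org.example", "foobar", "1.2.7", "compile", "core"),      # patch bump
    Dependency("org.example", "testkit", "4.1.0", "test", "core"),        # minor bump
    Dependency("org.example", "ext-lib", "0.9.0", "compile", "ext/example"),
    Dependency("org.example", "newlib", "2.0.0", "provided", "core"),     # new
]

if __name__ == "__main__":
    for f in review(BEFORE, AFTER):
        print(f"{f['coordinate']:40} {f['type']:9} {f['reason']}")
```

Run on the sample snapshots, only `testkit` (workswith, minor bump) and `newlib` (prereq, new dependency) are reported; the `foobar` patch bump and the unchanged `ext-lib` are skipped.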

Creating the CQ

  • Open the Create a Contribution Questionnaire form.
  • Select Third-Party Code Request
  • Search for the library in the corresponding version.
    • If you find an exact match, select it. This creates a piggyback CQ and most of the following steps are skipped.
    • Otherwise enter the full name of the dependency, including the version
  • Now enter the following data into the form:
    • Due Diligence Type:
      • Type A
    • Description
      • "Maven compile-scoped dependency on Foobar x.y.z"
    • Intellectual Property Rights
      • No (in most cases)
    • Cryptography
      • No (in most cases; answer Yes if the library implements or ships cryptographic code)
    • Project Website of the Contribution
      • The official site or GitHub repo of the dependency
    • Source URL
      • Usually the GitHub link. Select the tag for the exact version in GitHub before copying the URL, so the link points to the version of the source code the CQ is actually about.
    • License
      • Check LICENSE file or project site
    • Other License
      • Usually empty
    • Distribution
      • "Binary only" (Which is actually not correct, but the PMI doesn't allow other values)
    • Modified
      • Unmodified
  • Click "Finish" and open the newly created CQ, which will take you to IPZilla
  • If the dependency is "workswith", add a manual comment like this:
    • "Please note that this is a workswith dependency"
  • After some time (up to 30 minutes), a bot will comment on the issue asking for the source code of the dependency.
    • You don't have to wait for this comment. You can also proceed with the following steps immediately.
    • The code is actually not required for "workswith" dependencies, but the bot will ask for it anyway
    • The CQ only proceeds to the next step of the process once an attachment has been added, so the source code is usually attached for "workswith" dependencies as well, although it is not required.
  • Upload the source code
    • For dependencies hosted on GitHub, select the tag representing the version of the dependency we want to use, then choose "Clone or download" and download the source as a ZIP file. For dependencies hosted elsewhere you may have to obtain the source archive differently; make sure it matches the version named in the CQ.
    • Click on "Add attachment" in the CQ:
      • File:
        • Select the source code zip
      • Description:
        • "Source code of Foobar x.y.z"
    • Now click "issue addressed, return CQ to IP-Team"
  • Now wait for feedback from the IP team.