[ci] Enable FOSSA scans again

.buildkite/pipeline.yml

@@ -85,15 +85,15 @@ steps:
         gopath-checkout#v1.0.1:
           import: github.com/m3db/m3
     <<: *common
-  # - label: "FOSSA license scan"
-  #   command: make clean install-vendor fossa
-  #   plugins:
-  #     docker-compose#v2.5.1:
-  #       run: app
-  #       workdir: /go/src/github.com/m3db/m3
-  #       env:
-  #         - FOSSA_API_KEY
-  #   <<: *common
+  - label: "FOSSA license scan"
+    command: make clean install-vendor fossa
+    plugins:
+      docker-compose#v2.5.1:
+        run: app
+        workdir: /go/src/github.com/m3db/m3
+        env:
+          - FOSSA_API_KEY
+    <<: *common
   - name: "Check for docker and docs builds :docker: :books:"
     commands:
     - ".ci/docker/check_do_docker.sh"

.fossa.yml

@@ -1,13 +1,21 @@
 # Generated by FOSSA CLI (https://github.com/fossas/fossa-cli)
-# Visit https://fossa.io to learn more
+# Visit https://fossa.com to learn more
 
-version: 1
+version: 2
 cli:
-  server: https://app.fossa.io
+  server: https://app.fossa.com
   fetcher: custom
   project: https://github.com/m3db/m3
 analyze:
   modules:
+  - name: github.com/m3db/m3/scripts/lockfile
+    type: go
+    target: github.com/m3db/m3/scripts/lockfile
+    path: scripts/lockfile
+  - name: github.com/m3db/m3/scripts/md5
+    type: go
+    target: github.com/m3db/m3/scripts/md5
+    path: scripts/md5
   - name: github.com/m3db/m3/src/cmd/services/m3aggregator/main
     type: go
     target: github.com/m3db/m3/src/cmd/services/m3aggregator/main
@@ -20,10 +28,22 @@ analyze:
     type: go
     target: github.com/m3db/m3/src/cmd/services/m3coordinator/main
     path: src/cmd/services/m3coordinator/main
+    options:
+      # FOSSA finds Go dependencies by first finding all dependencies that a project uses and then comparing them to the lockfile to obtain version numbers.
+      # It appears that one of the dependencies is choosing to manually vendor a dependency, thereby omitting the version from its lockfile.
+      # This results in cryptic FOSSA failures.
+      # The solution for this is to allow this dependency to be discovered without a corresponding version.
+      allow-unresolved: true
+  - name: github.com/m3db/m3/src/cmd/services/m3ctl/main
+    type: go
+    target: github.com/m3db/m3/src/cmd/services/m3ctl/main
+    path: src/cmd/services/m3ctl/main
   - name: github.com/m3db/m3/src/cmd/services/m3dbnode/main
     type: go
     target: github.com/m3db/m3/src/cmd/services/m3dbnode/main
     path: src/cmd/services/m3dbnode/main
+    options:
+      allow-unresolved: true
   - name: github.com/m3db/m3/src/cmd/services/m3em_agent/main
     type: go
     target: github.com/m3db/m3/src/cmd/services/m3em_agent/main
@@ -40,6 +60,12 @@ analyze:
     type: go
     target: github.com/m3db/m3/src/cmd/services/m3query/main
     path: src/cmd/services/m3query/main
+    options:
+      allow-unresolved: true
+  - name: github.com/m3db/m3/src/cmd/tools/carbon_load/main
+    type: go
+    target: github.com/m3db/m3/src/cmd/tools/carbon_load/main
+    path: src/cmd/tools/carbon_load/main
   - name: github.com/m3db/m3/src/cmd/tools/clone_fileset/main
     type: go
     target: github.com/m3db/m3/src/cmd/tools/clone_fileset/main

Makefile

@@ -457,7 +457,7 @@ test-all-gen: all-gen
 # Runs a fossa license report
 .PHONY: fossa
 fossa: install-tools
-	PATH=$(combined_bin_paths):$(PATH) fossa --option allow-nested-vendor:true --option allow-deep-vendor:true
+	PATH=$(combined_bin_paths):$(PATH) fossa analyze --verbose --no-ansi --option allow-nested-vendor:true --option allow-deep-vendor:true
 
 # Waits for the result of a fossa test and exits success if pass or fail if fails
 .PHONY: fossa-test

tools.json

@@ -22,7 +22,7 @@
     },
     {
       "Repository": "github.com/fossas/fossa-cli/cmd/fossa",
-      "Commit": "623f658a3882ec0d4e64c43fa973c8088bee54fa"
+      "Commit": "638f9f79fac6fd4b4fa2eb575d1faea4c5d04807"
     },
     {
       "Repository": "github.com/pointlander/peg",