-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add
permissive_license rule type. (#261)
This rule type checks that the license detected by GitHub is approved by either OSI or FSF. It used two data sources, one to call GitHub API to get the SPDX identifier of the license (now removed), and another one to get the updated list of licenses approved by from SPDX repository.
- Loading branch information
Showing
2 changed files
with
61 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| version: v1 | ||
| type: data-source | ||
| name: osi | ||
| name: spdx | ||
| context: {} | ||
| rest: | ||
| def: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: permissive_license | ||
| display_name: License meets the OSI or the FSF definition | ||
| short_failure_message: License does not meet OSI or FSF definition | ||
| severity: | ||
| value: info | ||
| context: | ||
| provider: github | ||
| description: | | ||
| Ensure that the project’s source code is distributed under a | ||
| recognized and legally enforceable open source software license. | ||
| guidance: | | ||
| Ensure that the project’s source code is distributed under a | ||
| recognized and legally enforceable open source software license, | ||
| providing clarity on how the code can be used and shared by others. | ||
| def: | ||
| in_entity: repository | ||
| rule_schema: {} | ||
| ingest: | ||
| type: rest | ||
| rest: | ||
| # This is the path to the data source. Given that this will evaluate | ||
| # for each repository in the organization, we use a template that | ||
| # will be evaluated for each repository. The structure to use is the | ||
| # protobuf structure for the entity that is being evaluated. | ||
| endpoint: '/repos/{{.Entity.Owner}}/{{.Entity.Name}}/license' | ||
| # This is the method to use to retrieve the data. It should already default to JSON | ||
| parse: json | ||
| fallback: | ||
| - http_code: 404 | ||
| body: | | ||
| {"http_status": 404, "message": "License details not found} | ||
| eval: | ||
| type: rego | ||
| data_sources: | ||
| - name: spdx | ||
| rego: | ||
| type: constraints | ||
| def: | | ||
| package minder | ||
| import future.keywords.every | ||
| import future.keywords.if | ||
| violations[{"msg": msg}] { | ||
| license := input.ingested.license.spdx_id | ||
| resp2 := minder.datasource.spdx.licenses({}) | ||
| licenses := resp2.body.licenses | ||
| osi := { l.licenseId | l := licenses[_]; l.isOsiApproved } | ||
| fsf := { l.licenseId | l := licenses[_]; l.isFsfLibre } | ||
| approved_licenses := osi | fsf | ||
| count(approved_licenses) != 0 | ||
| license != null | ||
| not license in approved_licenses | ||
| msg := sprintf("License %s is not OSI/FSF approved", [license]) | ||
| } |