
Add license-is-osi-or-fsf-approved rule type.
This rule type checks that the license detected by GitHub is approved
by either the OSI or the FSF. It uses two data sources: one calls the GitHub API
to get the SPDX identifier of the license, and the other fetches the
up-to-date list of approved licenses from the SPDX repository.

This rule can be used to implement `OSPS-LE-02`.
blkt committed Jan 8, 2025
1 parent cbcd86c commit 86cc91a
Showing 2 changed files with 54 additions and 1 deletion.
2 changes: 1 addition & 1 deletion data-sources/osi.yaml → data-sources/spdx.yaml
@@ -1,6 +1,6 @@
version: v1
type: data-source
name: osi
name: spdx
context: {}
rest:
def:
53 changes: 53 additions & 0 deletions rule-types/github/license_is_osi_fsf_approved.yaml
@@ -0,0 +1,53 @@
version: v1
release_phase: alpha
type: rule-type
name: license_is_osi_fsf_approved
display_name: License meets the OSI or the FSF definition
short_failure_message: License does not meet OSI or FSF definition
severity:
value: info
context:
provider: github
description: |
Ensure that the project’s source code is distributed under a
recognized and legally enforceable open source software license.
guidance: |
Ensure that the project’s source code is distributed under a
recognized and legally enforceable open source software license,
providing clarity on how the code can be used and shared by others.
def:
in_entity: repository
rule_schema: {}
ingest:
type: git
eval:
type: rego
data_sources:
- name: ghapi
- name: spdx
rego:
type: constraints
def: |
package minder
import future.keywords.every
import future.keywords.if
violations[{"msg": msg}] {
owner := input.properties["github/repo_owner"]
repo := input.properties["github/repo_name"]
resp := minder.datasource.ghapi.license({"owner": owner, "repo": repo})
license := resp.body.license.spdx_id
resp2 := minder.datasource.spdx.licenses({})
licenses := resp2.body.licenses
osi := { l.licenseId | l := licenses[_]; l.isOsiApproved }
fsf := { l.licenseId | l := licenses[_]; l.isFsfLibre }
approved_licenses := osi | fsf
count(approved_licenses) != 0
license != null
not license in approved_licenses
msg := sprintf("License %s of repo %s/%s is not OSI/FSF approved", [license, owner, repo])
}
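Review bot: The constraint fails open: when `resp.body.license.spdx_id` is undefined or null (no detectable license, or the ghapi call yielding no body), or when the spdx data source returns an empty `licenses` list, the rule body is undefined and no violation is produced, so a repository with no license at all is reported as meeting OSPS-LE-02. Add a second rule body that reports a missing license as its own violation, and turn the `count(approved_licenses) != 0` guard into a violation of its own (`violations[{"msg": "SPDX license list is empty"}] { count(approved_licenses) == 0 }`) rather than a reason to skip the check. How the ghapi data source surfaces a GitHub 404 is not visible here, so the `not is_string(...)` guard below assumes a missing license appears as an absent or null field — confirm against the data source. `import future.keywords.every` is presumably there only for the `in` it implies; `import future.keywords.in` states that directly.
```yaml
      def: |
        # … unchanged: package, imports, and the existing violations body …

        # Fail closed: a repository whose license cannot be identified is itself a violation.
        violations[{"msg": msg}] {
          owner := input.properties["github/repo_owner"]
          repo := input.properties["github/repo_name"]
          resp := minder.datasource.ghapi.license({"owner": owner, "repo": repo})
          not is_string(resp.body.license.spdx_id)
          msg := sprintf("No license detected for repo %s/%s", [owner, repo])
        }
```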
