-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add
license-is-osi-or-fsf-approved rule type.
This rule type checks that the license detected by GitHub is approved by either OSI or FSF. It uses two data sources, one to call GitHub API to get the SPDX identifier of the license, and another one to get the updated list of licenses approved by from SPDX repository. This rule can be used to implement `OSPS-LE-02`.
- Loading branch information
Showing
2 changed files
with
54 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| version: v1 | ||
| type: data-source | ||
| name: osi | ||
| name: spdx | ||
| context: {} | ||
| rest: | ||
| def: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: permissive_license | ||
| display_name: License meets the OSI or the FSF definition | ||
| short_failure_message: License does not meet OSI or FSF definition | ||
| severity: | ||
| value: info | ||
| context: | ||
| provider: github | ||
| description: | | ||
| Ensure that the project’s source code is distributed under a | ||
| recognized and legally enforceable open source software license. | ||
| guidance: | | ||
| Ensure that the project’s source code is distributed under a | ||
| recognized and legally enforceable open source software license, | ||
| providing clarity on how the code can be used and shared by others. | ||
| def: | ||
| in_entity: repository | ||
| rule_schema: {} | ||
| ingest: | ||
| type: git | ||
| eval: | ||
| type: rego | ||
| data_sources: | ||
| - name: ghapi | ||
| - name: spdx | ||
| rego: | ||
| type: constraints | ||
| def: | | ||
| package minder | ||
| import future.keywords.every | ||
| import future.keywords.if | ||
| violations[{"msg": msg}] { | ||
| owner := input.properties["github/repo_owner"] | ||
| repo := input.properties["github/repo_name"] | ||
| resp := minder.datasource.ghapi.license({"owner": owner, "repo": repo}) | ||
| license := resp.body.license.spdx_id | ||
| resp2 := minder.datasource.spdx.licenses({}) | ||
| licenses := resp2.body.licenses | ||
| osi := { l.licenseId | l := licenses[_]; l.isOsiApproved } | ||
| fsf := { l.licenseId | l := licenses[_]; l.isFsfLibre } | ||
| approved_licenses := osi | fsf | ||
| count(approved_licenses) != 0 | ||
| license != null | ||
| not license in approved_licenses | ||
| msg := sprintf("License %s of repo %s/%s is not OSI/FSF approved", [license, owner, repo]) | ||
| } |