Feature: New Check "Permissive License" #3840
Comments
Hmm, I would consider this similar enough to License check that it could be an optional probe under the License check. We're still thinking about what to do with these not-enabled-by-default probes. You can see an example of this with the Binary-Artifacts check, where there are two probes: But only one is enabled by default: Lines 144 to 146 in a762812
Maybe I did miss something in the documentation, but is there a way to enable optional probes via the CLI?

We have a The structured result/probe work is my highest priority currently. So I can take a stab at enabling that.
I see the value in this for some people / organizations, and am happy to have accessible in some form via Scorecard. Advocating for a project to declare a license is something projects/people should support regardless of their viewpoints on specific licenses. However, I don't think we should award for permissive and penalize copyleft licenses in the default Scorecard results.

#3876 was merged, so you can run custom probes currently and get results:

SCORECARD_EXPERIMENTAL=1 go run main.go --repo ossf/scorecard --probes freeOfAnyBinaryArtifacts --format probe | jq
{
"date": "2024-04-02",
"repo": {
"name": "github.com/ossf/scorecard",
"commit": "d58bfb03aab496807d8489e09da9883928465f59"
},
"scorecard": {
"version": "",
"commit": "unknown"
},
"findings": [
{
"probe": "freeOfAnyBinaryArtifacts",
"message": "Repository does not have any binary artifacts.",
"outcome": 12
}
]
}

(note: outcome 12 is currently

This doesn't have a score attached though, so if you wanted a scorecard binary with a permissive license check with a score, #3095 would be one possibility.
Is your feature request related to a problem? Please describe.
Usage of non-permissive licensed open-source software comes with some legal risk, especially when used by companies.
It would be good to have an indicator if software is permissively licensed or if further considerations have to be taken.
Describe the solution you'd like
An extended version of the license check that checks whether a known-permissive license is used for the analyzed repo.
Describe alternatives you've considered
Checking for copyleft licenses. But that way around it might fool you into a "safe" license situation because of a non-comprehensive license list in the check. Therefore it is safer to check for a known list of "safe" licenses and rather "fail" for everything else.
Additional context
Added a possible implementation here #3838
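As an added illustration of the allowlist-versus-denylist argument above (example code written for this page, not the implementation from #3838 or Scorecard's own license probe), the snippet below evaluates a flat SPDX license expression against a constructed allowlist and contrasts it with a deliberately incomplete copyleft denylist. The license lists are assumptions for the example; `EUPL-1.2` shows the failure mode: the denylist does not know it and so clears it, while the allowlist fails closed.

```go
package main

import "fmt"
import "strings"

// Constructed allowlist of SPDX identifiers (an assumption, not Scorecard's list).
var permissiveLicenses = map[string]bool{
	"MIT": true, "Apache-2.0": true, "BSD-2-Clause": true, "BSD-3-Clause": true,
	"ISC": true, "0BSD": true, "Unlicense": true,
}

// Deliberately incomplete denylist, to show the failure mode the issue describes.
var copyleftLicenses = map[string]bool{"GPL-2.0-only": true, "GPL-3.0-only": true, "AGPL-3.0-only": true}

// IsPermissive evaluates a flat SPDX expression (no parentheses) against the
// allowlist: "A OR B" needs one permissive operand, "A AND B" needs both.
// Unknown identifiers and parenthesised expressions fail closed.
func IsPermissive(expr string) bool {
	if strings.ContainsAny(expr, "()") {
		return false
	}
	for _, alt := range strings.Split(expr, " OR ") {
		allPermissive := true
		for _, term := range strings.Split(alt, " AND ") {
			allPermissive = allPermissive && permissiveLicenses[strings.TrimSpace(term)]
		}
		if allPermissive {
			return true
		}
	}
	return false
}

// FlaggedByDenylist is the rejected alternative: it only reports identifiers
// on the denylist, so any license it does not know about looks "safe".
func FlaggedByDenylist(expr string) bool {
	for _, term := range strings.Fields(expr) {
		if copyleftLicenses[term] {
			return true
		}
	}
	return false
}

func main() {
	// EUPL-1.2 is copyleft but missing from the denylist: the denylist clears it, the allowlist does not.
	for _, e := range []string{"MIT", "MIT OR GPL-3.0-only", "Apache-2.0 AND GPL-2.0-only", "EUPL-1.2"} {
		fmt.Printf("%-28s permissive=%-5v denylistFlagged=%v\n", e, IsPermissive(e), FlaggedByDenylist(e))
	}
}
```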