Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: New Check "Permissive License" #3840

Closed
fhoeborn opened this issue Feb 2, 2024 · 5 comments · Fixed by #3838
Closed

Feature: New Check "Permissive License" #3840

fhoeborn opened this issue Feb 2, 2024 · 5 comments · Fixed by #3838
Labels
kind/enhancement New feature or request

Comments

@fhoeborn
Copy link
Contributor

fhoeborn commented Feb 2, 2024

Is your feature request related to a problem? Please describe.
Usage of non-permissive licensed open-source software comes with some legal risk, especially when used by companies.
It would be good to have an indicator if software is permissively licensed or if further considerations have to be taken.

Describe the solution you'd like
An extended version of the license check, that checks whether a known-permissive license is used for the analyzed repo.

Describe alternatives you've considered
Checking for copyleft licenses. But that way around it might fool you into a "safe" license situation because of a non-comprehensive license list in the check. Therefore it is more safe to check for a known-list of "safe" licenses and rather "fail" for everything else.

Additional context
Added a possible implementation here #3838

@fhoeborn fhoeborn added the kind/enhancement New feature or request label Feb 2, 2024
@spencerschrock
Copy link
Member

An extended version of the license check, that checks whether a known-permissive license is used for the analyzed repo.

Hmm, I would consider this similar enough to License check that it could be an optional probe under the License check. We're still thinking about what to do with these not-enabled-by-default probes.

You can see an example of this with the Binary-Artifacts check, where there are two probes:

But only one is enabled by default:

scorecard/probes/entries.go

Lines 144 to 146 in a762812

BinaryArtifacts = []ProbeImpl{
freeOfUnverifiedBinaryArtifacts.Run,
}

@fhoeborn
Copy link
Contributor Author

fhoeborn commented Feb 7, 2024

Maybe I did miss something in the documentation, but is there a way to enable optional probes via the CLI?
Or do we have to change the code and rebuild the binary if we want to enable an optional probe?

@spencerschrock
Copy link
Member

spencerschrock commented Feb 7, 2024

We have a --probe flag, but it's experimental/hacky currently. That's what I was talking about with "We're still thinking about what to do with these not-enabled-by-default probes.".

The structured result/probe work is my highest priority currently. So I can take a stab at enabling that.

@spencerschrock
Copy link
Member

Sorry for the delay. I'll try to finish #3876 this Friday, but I left a review on the probe portion of #3838.

@spencerschrock
Copy link
Member

I see the value in this for some people / organizations, and am happy to have accessible in some form via Scorecard.

Advocating for a project to declare a license is something projects/people should support regardless of their viewpoints on specific licenses. However, I don't think we should award for permissive and penalize copyleft licenses in the default Scorecard results.

#3876 was merged, so you can run custom probes currently and get results

SCORECARD_EXPERIMENTAL=1 go run  main.go --repo ossf/scorecard --probes freeOfAnyBinaryArtifacts --format probe | jq

{
  "date": "2024-04-02",
  "repo": {
    "name": "github.com/ossf/scorecard",
    "commit": "d58bfb03aab496807d8489e09da9883928465f59"
  },
  "scorecard": {
    "version": "",
    "commit": "unknown"
  },
  "findings": [
    {
      "probe": "freeOfAnyBinaryArtifacts",
      "message": "Repository does not have any binary artifacts.",
      "outcome": 12
    }
  ]
}

(note: outcome 12 is currently OutcomePositive we are working on readability so people don't need to look up numbers)

This doesn't have a score attached though, so if you wanted a scorecard binary with a permissive license check with a score, #3095 would be one possibility.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement New feature or request
Projects
Status: Done
Development

Successfully merging a pull request may close this issue.

2 participants