Merge branch 'main' into feat/lastapproval

ossf · Nov 29, 2022 · f65607c · f65607c
2 parents 971fc31 + 28b116f
commit f65607c
Show file tree

Hide file tree

Showing 19 changed files with 1,490 additions and 154 deletions.
diff --git a/checker/raw_result.go b/checker/raw_result.go
@@ -22,7 +22,7 @@ import (
 
 // RawResults contains results before a policy
 // is applied.
-//nolint
+// nolint
 type RawResults struct {
 	PackagingResults            PackagingData
 	CIIBestPracticesResults     CIIBestPracticesData
@@ -68,7 +68,7 @@ type PackagingData struct {
 }
 
 // Package represents a package.
-//nolint
+// nolint
 type Package struct {
 	// TODO: not supported yet. This needs to be unique across
 	// ecosystems: purl, OSV, CPE, etc.
@@ -125,10 +125,34 @@ type MaintainedData struct {
 	ArchivedStatus       ArchivedStatus
 }
 
+type LicenseAttributionType string
+
+const (
+	// sources of license information used to assert repo's license.
+	LicenseAttributionTypeOther      LicenseAttributionType = "other"
+	LicenseAttributionTypeAPI        LicenseAttributionType = "repositoryAPI"
+	LicenseAttributionTypeHeuristics LicenseAttributionType = "builtinHeuristics"
+)
+
+// license details.
+type License struct {
+	Name        string                 // OSI standardized license name
+	SpdxID      string                 // SPDX standardized identifier
+	Attribution LicenseAttributionType // source of licensing information
+	Approved    bool                   // FSF or OSI Approved License
+}
+
+// one file contains one license.
+type LicenseFile struct {
+	LicenseInformation License
+	File               File
+}
+
 // LicenseData contains the raw results
 // for the License check.
+// Some repos may have more than one license.
 type LicenseData struct {
-	Files []File
+	LicenseFiles []LicenseFile
 }
 
 // CodeReviewData contains the raw results

diff --git a/checks/evaluation/license.go b/checks/evaluation/license.go
@@ -19,27 +19,76 @@ import (
 	sce "github.com/ossf/scorecard/v4/errors"
 )
 
+func scoreLicenseCriteria(f *checker.LicenseFile,
+	dl checker.DetailLogger,
+) int {
+	var score int
+	msg := checker.LogMessage{
+		Path:   "",
+		Type:   checker.FileTypeNone,
+		Text:   "",
+		Offset: 1,
+	}
+	msg.Path = f.File.Path
+	msg.Type = checker.FileTypeSource
+	// #1 a license file was found.
+	score += 6
+
+	// #2 the licence was found at the top-level or LICENSE/ folder.
+	switch f.LicenseInformation.Attribution {
+	case checker.LicenseAttributionTypeAPI, checker.LicenseAttributionTypeHeuristics:
+		// both repoAPI and scorecard (not using the API) follow checks.md
+		// for a file to be found it must have been in the correct location
+		// award location points.
+		score += 3
+		msg.Text = "License file found in expected location"
+		dl.Info(&msg)
+		// for repo attribution prepare warning if not an recognized license"
+		msg.Text = "Any licence detected not an FSF or OSI recognized license"
+	case checker.LicenseAttributionTypeOther:
+		// TODO ascertain location found
+		score += 0
+		msg.Text = "License file found in unexpected location"
+		dl.Warn(&msg)
+		// for non repo attribution not the license detection is not supported
+		msg.Text = "Detecting license content not supported"
+	default:
+	}
+
+	// #3 is the license either an FSF or OSI recognized/approved license
+	if f.LicenseInformation.Approved {
+		score += 1
+		msg.Text = "FSF or OSI recognized license"
+		dl.Info(&msg)
+	} else {
+		// message text for this condition set above
+		dl.Warn(&msg)
+	}
+	return score
+}
+
 // License applies the score policy for the License check.
 func License(name string, dl checker.DetailLogger,
 	r *checker.LicenseData,
 ) checker.CheckResult {
+	var score int
 	if r == nil {
 		e := sce.WithMessage(sce.ErrScorecardInternal, "empty raw data")
 		return checker.CreateRuntimeErrorResult(name, e)
 	}
 
 	// Apply the policy evaluation.
-	if r.Files == nil || len(r.Files) == 0 {
+	if r.LicenseFiles == nil || len(r.LicenseFiles) == 0 {
 		return checker.CreateMinScoreResult(name, "license file not detected")
 	}
 
-	for _, f := range r.Files {
-		dl.Info(&checker.LogMessage{
-			Path:   f.Path,
-			Type:   checker.FileTypeSource,
-			Offset: 1,
-		})
+	// TODO: although this a loop, the raw checks will only return one licence file
+	// when more than one license file can be aggregated into a composite
+	// score, that logic can be comprehended here.
+	score = 0
+	for idx := range r.LicenseFiles {
+		score = scoreLicenseCriteria(&r.LicenseFiles[idx], dl)
 	}
 
-	return checker.CreateMaxScoreResult(name, "license file detected")
+	return checker.CreateResultWithScore(name, "license file detected", score)
 }
diff --git a/checks/license.go b/checks/license.go
@@ -27,7 +27,6 @@ const CheckLicense = "License"
 //nolint:gochecknoinits
 func init() {
 	supportedRequestTypes := []checker.RequestType{
-		checker.FileBased,
 		checker.CommitBased,
 	}
 	if err := registerCheck(CheckLicense, License, supportedRequestTypes); err != nil {

diff --git a/checks/license_test.go b/checks/license_test.go
@@ -42,8 +42,9 @@ func TestLicenseFileSubdirectory(t *testing.T) {
 			inputFolder: "testdata/licensedir/withlicense",
 			expected: scut.TestReturn{
 				Error:        nil,
-				Score:        checker.MaxResultScore,
+				Score:        checker.MaxResultScore - 1,
 				NumberOfInfo: 1,
+				NumberOfWarn: 1,
 			},
 			err: nil,
 		},