🐛 checks.yml not sync'ed with checks.md (#1360)

* update docs

* update

* remove file

* remove  improper commit

* fix

checks/license.go

@@ -30,12 +30,12 @@ type checks struct {
 	p    []string
 }
 
-// LicenseCheckPolicy is the registered name for LicenseCheck.
-const LicenseCheckPolicy = "LicenseCheck"
+// CheckLicense is the registered name for License.
+const CheckLicense = "License"
 
 //nolint:gochecknoinits
 func init() {
-	registerCheck(LicenseCheckPolicy, LicenseCheck)
+	registerCheck(CheckLicense, LicenseCheck)
 }
 
 const (
@@ -114,14 +114,14 @@ func LicenseCheck(c *checker.CheckRequest) checker.CheckResult {
 		return true, nil
 	}
 
-	err := fileparser.CheckIfFileExists(LicenseCheckPolicy, c, onFile, &r)
+	err := fileparser.CheckIfFileExists(CheckLicense, c, onFile, &r)
 	if err != nil {
-		return checker.CreateRuntimeErrorResult(LicenseCheckPolicy, err)
+		return checker.CreateRuntimeErrorResult(CheckLicense, err)
 	}
 	if r {
-		return checker.CreateMaxScoreResult(LicenseCheckPolicy, "license file detected")
+		return checker.CreateMaxScoreResult(CheckLicense, "license file detected")
 	}
-	return checker.CreateMinScoreResult(LicenseCheckPolicy, "license file not detected")
+	return checker.CreateMinScoreResult(CheckLicense, "license file not detected")
 }
 
 // CheckLicense to check whether the name parameter fulfill license file criteria.

cmd/root.go

@@ -140,8 +140,8 @@ func getAllChecks() checker.CheckNameToFnMap {
 		delete(possibleChecks, checks.CheckDangerousWorkflow)
 	}
 	// TODO: Remove this to enable the LICENSE_CHECK by default in the next release.
-	if _, licenseflowCheck := os.LookupEnv("ENABLE_LICENSE_CHECK"); !licenseflowCheck {
-		delete(possibleChecks, checks.LicenseCheckPolicy)
+	if _, licenseflowCheck := os.LookupEnv("ENABLE_LICENSE"); !licenseflowCheck {
+		delete(possibleChecks, checks.CheckLicense)
 	}
 	return possibleChecks
 }

docs/checks.md

@@ -330,6 +330,31 @@ is therefore not a definitive indication that the project is at risk.
 **Remediation steps**
 - Integrate the project with OSS-Fuzz by following the instructions [here](https://google.github.io/oss-fuzz/).
 
+## License 
+
+Risk: `Low` (possible impediment to security review)
+
+This check tries to determine if the project has published a license. It
+works by checking standard locations for a file named according to common
+conventions for licenses.
+
+A license can give users information about how the source code may or may
+not be used. The lack of a license will impede any kind of security review
+or audit and creates a legal risk for potential users.
+
+This check will detect files in the top-level directory with any combination
+of the following names and extensions:`LICENSE`, `LICENCE`, `COPYING`,
+`COPYRIGHT` and .html, .txt, .md. It will also detect these files in a
+directory named `LICENSES`. (Files in a `LICENSES` directory are typically
+named as their [SPDX](https://spdx.org/licenses/) license identifier followed
+by an appropriate file extension, as described in the [REUSE](https://reuse.software/spec/) Specification.)
+ 
+
+**Remediation steps**
+- Determine [which license](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository) to apply to your project.
+- Create the license in a .txt, .html, or .md file named LICENSE or COPYING, and place it in the top-level directory.
+- Alternately, create a `LICENSE` directory and add license files with a name that matches your [SPDX license identifier](https://spdx.dev/ids/).
+
 ## Maintained 
 
 Risk: `High` (possibly unpatched vulnerabilities)

docs/checks/internal/checks.yaml

@@ -683,7 +683,7 @@ checks:
         Avoid the dangerous workflow patterns. See this [post](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
         for information on avoiding untrusted code checkouts.
 
-  LicenseCheck:
+  License:
     risk: Low
     tags: license
     repos: GitHub, local

e2e/license_test.go

@@ -25,11 +25,11 @@ import (
 	scut "github.com/ossf/scorecard/v3/utests"
 )
 
-var _ = Describe("E2E TEST:"+checks.LicenseCheckPolicy, func() {
+var _ = Describe("E2E TEST:"+checks.CheckLicense, func() {
 	Context("E2E TEST:Validating license file check", func() {
 		It("Should return license check works", func() {
 			dl := scut.TestDetailLogger{}
-			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-dangerous-workflow-e2e")
+			repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-license-e2e")
 			Expect(err).Should(BeNil())
 			repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
 			err = repoClient.InitRepo(repo)
@@ -52,7 +52,7 @@ var _ = Describe("E2E TEST:"+checks.LicenseCheckPolicy, func() {
 			Expect(result.Error).Should(BeNil())
 			Expect(result.Pass).Should(BeTrue())
 
-			Expect(scut.ValidateTestReturn(nil, "license check", &expected, &result,
+			Expect(scut.ValidateTestReturn(nil, "license found", &expected, &result,
 				&dl)).Should(BeTrue())
 		})
 	})