🐛 checks.yml not sync'ed with checks.md (#1360)
* update docs * update * remove file * remove improper commit * fix
This commit is contained in:
parent
afe55a83c1
commit
b323cded04
@ -30,12 +30,12 @@ type checks struct {
|
||||
p []string
|
||||
}
|
||||
|
||||
// LicenseCheckPolicy is the registered name for LicenseCheck.
|
||||
const LicenseCheckPolicy = "LicenseCheck"
|
||||
// CheckLicense is the registered name for License.
|
||||
const CheckLicense = "License"
|
||||
|
||||
//nolint:gochecknoinits
|
||||
func init() {
|
||||
registerCheck(LicenseCheckPolicy, LicenseCheck)
|
||||
registerCheck(CheckLicense, LicenseCheck)
|
||||
}
|
||||
|
||||
const (
|
||||
@ -114,14 +114,14 @@ func LicenseCheck(c *checker.CheckRequest) checker.CheckResult {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
err := fileparser.CheckIfFileExists(LicenseCheckPolicy, c, onFile, &r)
|
||||
err := fileparser.CheckIfFileExists(CheckLicense, c, onFile, &r)
|
||||
if err != nil {
|
||||
return checker.CreateRuntimeErrorResult(LicenseCheckPolicy, err)
|
||||
return checker.CreateRuntimeErrorResult(CheckLicense, err)
|
||||
}
|
||||
if r {
|
||||
return checker.CreateMaxScoreResult(LicenseCheckPolicy, "license file detected")
|
||||
return checker.CreateMaxScoreResult(CheckLicense, "license file detected")
|
||||
}
|
||||
return checker.CreateMinScoreResult(LicenseCheckPolicy, "license file not detected")
|
||||
return checker.CreateMinScoreResult(CheckLicense, "license file not detected")
|
||||
}
|
||||
|
||||
// CheckLicense to check whether the name parameter fulfill license file criteria.
|
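Review bot: The unchanged context comment at the end of this hunk, `// CheckLicense to check whether the name parameter fulfill license file criteria.`, now starts with the same identifier as the constant `const CheckLicense = "License"` introduced in the previous hunk of this file. If the function under that comment is exported as CheckLicense the package has a duplicate declaration; if it is an unexported helper, the doc comment no longer names it, which is what doc-comment linting flags, so it should read something like `// checkLicense reports whether name matches the license file naming criteria.` (the helper's signature is outside the hunk, so confirm its actual name). Separately, changing the registered name from LicenseCheck to License changes the key consumers see in results and use to select the check; since the check still appears to be env-gated in this commit that is probably harmless, but the description should say so.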
@ -140,8 +140,8 @@ func getAllChecks() checker.CheckNameToFnMap {
|
||||
delete(possibleChecks, checks.CheckDangerousWorkflow)
|
||||
}
|
||||
// TODO: Remove this to enable the LICENSE_CHECK by default in the next release.
|
||||
if _, licenseflowCheck := os.LookupEnv("ENABLE_LICENSE_CHECK"); !licenseflowCheck {
|
||||
delete(possibleChecks, checks.LicenseCheckPolicy)
|
||||
if _, licenseflowCheck := os.LookupEnv("ENABLE_LICENSE"); !licenseflowCheck {
|
||||
delete(possibleChecks, checks.CheckLicense)
|
||||
}
|
||||
return possibleChecks
|
||||
}
|
||||
|
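Review bot: The opt-in variable changes from ENABLE_LICENSE_CHECK to ENABLE_LICENSE with no fallback, so anyone already exporting the old name silently loses the License check instead of getting an error; honouring both names for a release, or logging when only the old one is set, would make the rename visible. The unchanged comment above the new condition, `// TODO: Remove this to enable the LICENSE_CHECK by default in the next release.`, still uses the old name and should read `// TODO: Remove this to enable the License check by default in the next release.`. The local `licenseflowCheck` reads like a copy of the dangerous-workflow branch above it; `licenseEnabled` would say what the boolean means.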
@ -330,6 +330,31 @@ is therefore not a definitive indication that the project is at risk.
|
||||
**Remediation steps**
|
||||
- Integrate the project with OSS-Fuzz by following the instructions [here](https://google.github.io/oss-fuzz/).
|
||||
|
||||
## License
|
||||
|
||||
Risk: `Low` (possible impediment to security review)
|
||||
|
||||
This check tries to determine if the project has published a license. It
|
||||
works by checking standard locations for a file named according to common
|
||||
conventions for licenses.
|
||||
|
||||
A license can give users information about how the source code may or may
|
||||
not be used. The lack of a license will impede any kind of security review
|
||||
or audit and creates a legal risk for potential users.
|
||||
|
||||
This check will detect files in the top-level directory with any combination
|
||||
of the following names and extensions:`LICENSE`, `LICENCE`, `COPYING`,
|
||||
`COPYRIGHT` and .html, .txt, .md. It will also detect these files in a
|
||||
directory named `LICENSES`. (Files in a `LICENSES` directory are typically
|
||||
named as their [SPDX](https://spdx.org/licenses/) license identifier followed
|
||||
by an appropriate file extension, as described in the [REUSE](https://reuse.software/spec/) Specification.)
|
||||
|
||||
|
||||
**Remediation steps**
|
||||
- Determine [which license](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository) to apply to your project.
|
||||
- Create the license in a .txt, .html, or .md file named LICENSE or COPYING, and place it in the top-level directory.
|
||||
- Alternately, create a `LICENSE` directory and add license files with a name that matches your [SPDX license identifier](https://spdx.dev/ids/).
|
||||
|
||||
## Maintained
|
||||
|
||||
Risk: `High` (possibly unpatched vulnerabilities)
|
||||
|
@ -683,7 +683,7 @@ checks:
|
||||
Avoid the dangerous workflow patterns. See this [post](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
|
||||
for information on avoiding untrusted code checkouts.
|
||||
|
||||
LicenseCheck:
|
||||
License:
|
||||
risk: Low
|
||||
tags: license
|
||||
repos: GitHub, local
|
||||
|
@ -25,11 +25,11 @@ import (
|
||||
scut "github.com/ossf/scorecard/v3/utests"
|
||||
)
|
||||
|
||||
var _ = Describe("E2E TEST:"+checks.LicenseCheckPolicy, func() {
|
||||
var _ = Describe("E2E TEST:"+checks.CheckLicense, func() {
|
||||
Context("E2E TEST:Validating license file check", func() {
|
||||
It("Should return license check works", func() {
|
||||
dl := scut.TestDetailLogger{}
|
||||
repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-dangerous-workflow-e2e")
|
||||
repo, err := githubrepo.MakeGithubRepo("ossf-tests/scorecard-check-license-e2e")
|
||||
Expect(err).Should(BeNil())
|
||||
repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger)
|
||||
err = repoClient.InitRepo(repo)
|
||||
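Review bot: The error from `err = repoClient.InitRepo(repo)` on the last line of this hunk is not asserted within the hunk; if the next line, outside the hunk, does not `Expect(err).Should(BeNil())`, a failed initialisation of `ossf-tests/scorecard-check-license-e2e` would surface later as a misleading check failure rather than at its cause. Correcting the copy-pasted dangerous-workflow repository name is the right fix, but it is the kind of mistake this assertion would have caught earlier.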
@ -52,7 +52,7 @@ var _ = Describe("E2E TEST:"+checks.LicenseCheckPolicy, func() {
|
||||
Expect(result.Error).Should(BeNil())
|
||||
Expect(result.Pass).Should(BeTrue())
|
||||
|
||||
Expect(scut.ValidateTestReturn(nil, "license check", &expected, &result,
|
||||
Expect(scut.ValidateTestReturn(nil, "license found", &expected, &result,
|
||||
&dl)).Should(BeTrue())
|
||||
})
|
||||
})
|