generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Co-authored-by: Michelangelo Mori <[email protected]> Signed-off-by: Adolfo García Veytia (puerco) <[email protected]>
- Loading branch information
Showing
5 changed files
with
147 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| version: v1 | ||
| type: data-source | ||
| name: ghapi | ||
| context: {} | ||
| rest: | ||
| def: | ||
| license: | ||
| endpoint: https://api.github.com/repos/{owner}/{repo}/license | ||
| parse: json | ||
| input_schema: | ||
| type: object | ||
| properties: | ||
| owner: | ||
| type: string | ||
| repo: | ||
| type: string |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| version: v1 | ||
| type: data-source | ||
| name: spdx-license-list | ||
| context: {} | ||
| rest: | ||
| def: | ||
| licenses: | ||
| endpoint: https://raw.githubusercontent.com/spdx/license-list-data/refs/heads/main/json/licenses.json | ||
| parse: json | ||
| input_schema: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: OSPS-LE-02 | ||
| display_name: The project's license is an OSI or FSF approved license | ||
| short_failure_message: License not found or is not an OSI or FSF approved license. | ||
| severity: | ||
| value: info | ||
| context: | ||
| provider: github | ||
| description: | | ||
| Ensure that the project's source code is distributed under a recognized and legally enforceable open source software license. | ||
| guidance: | | ||
| Ensure that the project's source code is distributed under a recognized and legally enforceable open source software license, providing clarity on how the code can be used and shared by others. | ||
| def: | ||
| in_entity: repository | ||
| rule_schema: {} | ||
| ingest: | ||
| type: git | ||
| eval: | ||
| type: rego | ||
| data_sources: | ||
| - name: ghapi | ||
| - name: "spdx-license-list" | ||
| rego: | ||
| type: constraints | ||
| def: | | ||
| package minder | ||
| import future.keywords.every | ||
| import future.keywords.if | ||
| violations[{"msg": msg}] { | ||
| resp := minder.datasource.ghapi.license({"owner": "mindersec", "repo": "minder"}) | ||
| license := resp.body.license.spdx_id | ||
| resp2 := minder.datasource["spdx-license-list"].licenses({}) | ||
| licenses := resp2.body.licenses | ||
| osi := { license.licenseId | license := licenses[_]; license.isOsiApproved } | ||
| fsf := { license.licenseId | license := licenses[_]; license.isFsfLibre } | ||
| approved_licenses := osi | fsf | ||
| not license in approved_licenses | ||
| msg := sprintf("License '%s' is not approved", [license]) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: OSPS-LE-03 | ||
| display_name: LICENSE or COPYING files are available available | ||
| short_failure_message: No LICENSE or COPYING file found. | ||
| severity: | ||
| value: info | ||
| context: | ||
| provider: github | ||
| description: | | ||
| Ensure that either LICENSE file, COPYING file, or LICENSE/ folder are available. | ||
| guidance: | | ||
| Source code must be accompanied by a `LICENSE` or `COPYING` file, or a `LICENSE/` folder at the root of the project source tree. | ||
| def: | ||
| in_entity: repository | ||
| rule_schema: {} | ||
| ingest: | ||
| type: git | ||
| git: {} | ||
| eval: | ||
| type: rego | ||
| rego: | ||
| type: deny-by-default | ||
| def: | | ||
| package minder | ||
| import future.keywords.every | ||
| import future.keywords.if | ||
| default allow := false | ||
| allow if { | ||
| files := file.ls_glob("./LICENSE*") | ||
| some name | ||
| content := file.read(files[name]) | ||
| "" != content | ||
| } | ||
| allow if { | ||
| files := file.ls_glob("./COPYING*") | ||
| some name | ||
| content := file.read(files[name]) | ||
| "" != content | ||
| } | ||
| allow if { | ||
| files := file.ls_glob("./LICENSE/*") | ||
| some name | ||
| content := file.read(files[name]) | ||
| "" != content | ||
| } |