Feature: New Check "Permissive License"

[fhoeborn]

Is your feature request related to a problem? Please describe.
Usage of non-permissive licensed open-source software comes with some legal risk, especially when used by companies.
It would be good to have an indicator if software is permissively licensed or if further considerations have to be taken.

Describe the solution you'd like
An extended version of the license check, that checks whether a known-permissive license is used for the analyzed repo.

Describe alternatives you've considered
Checking for copyleft licenses. But that way around it might fool you into a "safe" license situation because of a non-comprehensive license list in the check. Therefore it is more safe to check for a known-list of "safe" licenses and rather "fail" for everything else.

Additional context
Added a possible implementation here #3838

[spencerschrock]

An extended version of the license check, that checks whether a known-permissive license is used for the analyzed repo.

Hmm, I would consider this similar enough to License check that it could be an optional probe under the License check. We're still thinking about what to do with these not-enabled-by-default probes.

You can see an example of this with the Binary-Artifacts check, where there are two probes:

• freeOfUnverifiedBinaryArtifacts
• freeOfAnyBinaryArtifacts

But only one is enabled by default:

scorecard/probes/entries.go

Lines 144 to 146 in a762812

	BinaryArtifacts = []ProbeImpl{
	freeOfUnverifiedBinaryArtifacts.Run,
	}

[fhoeborn]

Maybe I did miss something in the documentation, but is there a way to enable optional probes via the CLI?
Or do we have to change the code and rebuild the binary if we want to enable an optional probe?

[spencerschrock]

We have a --probe flag, but it's experimental/hacky currently. That's what I was talking about with "We're still thinking about what to do with these not-enabled-by-default probes.".

The structured result/probe work is my highest priority currently. So I can take a stab at enabling that.

[spencerschrock]

Sorry for the delay. I'll try to finish #3876 this Friday, but I left a review on the probe portion of #3838.

[spencerschrock]

I see the value in this for some people / organizations, and am happy to have accessible in some form via Scorecard.

Advocating for a project to declare a license is something projects/people should support regardless of their viewpoints on specific licenses. However, I don't think we should award for permissive and penalize copyleft licenses in the default Scorecard results.

#3876 was merged, so you can run custom probes currently and get results

SCORECARD_EXPERIMENTAL=1 go run  main.go --repo ossf/scorecard --probes freeOfAnyBinaryArtifacts --format probe | jq

{
  "date": "2024-04-02",
  "repo": {
    "name": "github.com/ossf/scorecard",
    "commit": "d58bfb03aab496807d8489e09da9883928465f59"
  },
  "scorecard": {
    "version": "",
    "commit": "unknown"
  },
  "findings": [
    {
      "probe": "freeOfAnyBinaryArtifacts",
      "message": "Repository does not have any binary artifacts.",
      "outcome": 12
    }
  ]
}

(note: outcome 12 is currently OutcomePositive we are working on readability so people don't need to look up numbers)

This doesn't have a score attached though, so if you wanted a scorecard binary with a permissive license check with a score, #3095 would be one possibility.