Add ruletype OSPS-LE- 04 #296
Conversation
| violations[{"msg": msg}] { | ||
| not license_file | ||
| msg := "No license file found in release assets" | ||
| } |
There was a problem hiding this comment.
I think it's fine for there to be no explicit license in the assets; in that case, we'd expect the source code license to apply. (This is the common case.)
There was a problem hiding this comment.
Ok, in that case, I've added a line to exit gracefully if no such is found.
| license_file := asset { | ||
| some asset in input.ingested | ||
| is_license_file(asset.name) | ||
| } |
There was a problem hiding this comment.
Since we don't need to worry about the not license_file case, it seems like we could simplify to put this into the violations[{"msg":msg}] block.
| "Accept": "application/json", | ||
| "Content-Type": "application/octet-stream" | ||
| }, | ||
| "raw_body": license_resp |
There was a problem hiding this comment.
Doesn't this need to be the .body or some other attribute of the http response?
There was a problem hiding this comment.
For when we have "HTTP message body to include in request. The value WILL NOT be serialized. Use this for non-JSON messages.", "raw_body": https://www.openpolicyagent.org/docs/latest/policy-reference/#http
There was a problem hiding this comment.
I meant that license_resp is an object, not a string. I think you want:
| "raw_body": license_resp | |
| "raw_body": license_resp.raw_body |
There was a problem hiding this comment.
Got it! Done, thanks.
| # We have this servcice processing on the other side: | ||
| # https://github.com/CycloneDX/license-scanner |
There was a problem hiding this comment.
| # We have this servcice processing on the other side: | |
| # https://github.com/CycloneDX/license-scanner | |
| # We have a service for this detection: | |
| # https://github.com/evankanderson/spdx-detector |
| # Exit without violation if no license file found | ||
| license_file != {} |
There was a problem hiding this comment.
I don't think you need this; since license_file is some entry in input.ingested which has a name property which passes is_license_file, you know it's not an empty object (it must contain a name property).
| license_pattern := "^license(\\..*)?$" | ||
| is_license_file(name) if { | ||
| regex.match(license_pattern, lower(name)) | ||
| } | ||
|
|
||
| violations[{"msg": msg}] { | ||
| license_file := asset { | ||
| some asset in input.ingested | ||
| is_license_file(asset.name) | ||
| } |
There was a problem hiding this comment.
This seems simpler as:
| license_pattern := "^license(\\..*)?$" | |
| is_license_file(name) if { | |
| regex.match(license_pattern, lower(name)) | |
| } | |
| violations[{"msg": msg}] { | |
| license_file := asset { | |
| some asset in input.ingested | |
| is_license_file(asset.name) | |
| } | |
| violations[{"msg": msg}] { | |
| license_file := asset { | |
| some asset in input.ingested | |
| startswith(lower(name), "license") | |
| } |
|
Testing: |
| "Accept": "application/octet-stream" | ||
| }, | ||
| "enable_redirect": true, | ||
| "raise_error": true |
There was a problem hiding this comment.
This is fine, but it's also the default for http.send.
Closes https://github.com/stacklok/minder-stories/issues/199
This PR should be merged only after the external license processor is up and running. The URL in the POST used here should then be updated.
For visibility, this is the lib that will do the processing: https://github.com/CycloneDX/license-scanner