wolfi-dev / wolfictl

A CLI used to work with the Wolfi OSS project
Apache License 2.0

Lint: please add "detected-spdx-license-missmatch" linter #785

Open xnox opened 6 months ago

xnox commented 6 months ago

Description

Please add a new lint check. Use a license detector (for example https://github.com/go-enry/go-license-detector/tree/master) to detect the SPDX license of given package.

Compare it to the declared SPDX license, and raise a warning if they mismatch.

Allow humans to fix the license to match the detected one, or to override the lint check with #nolint in case of confusing / undetectable licensing.

Real-world example on a large code base

$ time license-detector /tmp/gcc-13.2.0
/tmp/gcc-13.2.0
    99% GCC-exception-3.1
    99% LGPL-2.1-only
    99% deprecated_LGPL-2.1
    99% LGPL-2.1-or-later
    99% deprecated_LGPL-2.1+
    98% deprecated_GPL-3.0-with-GCC-exception
    97% deprecated_GPL-2.0+
    97% GPL-2.0-or-later
    97% GPL-2.0-only
    97% deprecated_GPL-2.0

real    0m4.400s
user    0m5.240s
sys 0m0.171s

Declared license in the package

$ git grep license gcc.yaml
gcc.yaml:    - license: GPL-3.0-or-later

Which is incorrect.
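The check described in this issue, sketched as an added Go example (not wolfictl's own code): license-detector output is modelled as an SPDX-id-to-confidence map like the listing above, the declared license is pulled from a melange-style YAML snippet, and a "#nolint" comment on that line suppresses the warning. The 0.90 confidence cut-off, the alias folding in canonical, and the names ParseDeclared and CheckLicense are assumptions of this example.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// canonical folds license-detector aliases onto plain SPDX ids, e.g.
// "deprecated_GPL-2.0+" -> "GPL-2.0-or-later", so equivalent ids compare equal.
func canonical(id string) string {
	id = strings.TrimPrefix(id, "deprecated_")
	if strings.HasSuffix(id, "+") {
		return strings.TrimSuffix(id, "+") + "-or-later"
	}
	return id
}

// ParseDeclared returns the first "license:" value in melange YAML text and
// whether that line carries a "#nolint" override comment.
func ParseDeclared(yaml string) (license string, nolint bool) {
	for _, line := range strings.Split(yaml, "\n") {
		if t := strings.TrimLeft(line, " \t-"); strings.HasPrefix(t, "license:") {
			v, comment, _ := strings.Cut(strings.TrimPrefix(t, "license:"), "#")
			return strings.TrimSpace(v), strings.HasPrefix(comment, "nolint")
		}
	}
	return "", false
}
// CheckLicense takes detector output (SPDX id -> confidence, as license-detector prints
// it) and returns the warning the proposed linter would emit, or "" when the declared id
// is a confident candidate or nolint is set. The 0.90 cut-off is an assumed threshold.
func CheckLicense(declared string, detected map[string]float64, nolint bool) string {
	var cands []string
	for id, conf := range detected {
		if conf >= 0.90 {
			cands = append(cands, canonical(id))
		}
	}
	slices.Sort(cands)
	cands = slices.Compact(cands) // several aliases may fold onto one id
	if nolint || len(cands) == 0 || slices.Contains(cands, canonical(declared)) {
		return ""
	}
	return fmt.Sprintf("detected-spdx-license-missmatch: declared %q, detected %s",
		declared, strings.Join(cands, ", "))
}
func main() { // constructed inputs modelled on the gcc example in the issue
	lic, nolint := ParseDeclared("package:\n  copyright:\n    - license: GPL-3.0-or-later\n")
	fmt.Println(CheckLicense(lic, map[string]float64{"GPL-2.0-only": 0.97, "deprecated_GPL-2.0+": 0.97}, nolint))
}
```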

xnox commented 6 months ago

Oh, it can work on git repos too... I wonder if I can just run that tool across all of Wolfi and generate a report.