removed repo Key from LicenseInformation as unneeded, changed attribu…

…tion constants to be more meaningful, update documentation as necessary for changes Signed-off-by: Scott Hissam <[email protected]>
ossf · Nov 28, 2022 · c1b7373 · c1b7373
1 parent 1ef1703
commit c1b7373
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 18 deletions.
diff --git a/checker/raw_result.go b/checker/raw_result.go
@@ -129,14 +129,13 @@ type LicenseAttributionType string
 
 const (
 	// sources of license information used to assert repo's license.
-	LicenseAttributionTypeOther     LicenseAttributionType = "otherAttribution"
-	LicenseAttributionTypeRepo      LicenseAttributionType = "repoAttribution"
-	LicenseAttributionTypeScorecard LicenseAttributionType = "scorecardAttribution"
+	LicenseAttributionTypeOther      LicenseAttributionType = "other"
+	LicenseAttributionTypeAPI        LicenseAttributionType = "repositoryAPI"
+	LicenseAttributionTypeHeuristics LicenseAttributionType = "builtinHeuristics"
 )
 
 // license details.
 type License struct {
-	Key         string                 // repo specified key
 	Name        string                 // OSI standardized license name
 	SpdxID      string                 // SPDX standardized identifier
 	Attribution LicenseAttributionType // source of licensing information

diff --git a/checks/evaluation/license.go b/checks/evaluation/license.go
@@ -36,7 +36,7 @@ func scoreLicenseCriteria(f *checker.LicenseFile,
 
 	// #2 the licence was found at the top-level or LICENSE/ folder.
 	switch f.LicenseInformation.Attribution {
-	case checker.LicenseAttributionTypeRepo, checker.LicenseAttributionTypeScorecard:
+	case checker.LicenseAttributionTypeAPI, checker.LicenseAttributionTypeHeuristics:
 		// both repoAPI and scorecard (not using the API) follow checks.md
 		// for a file to be found it must have been in the correct location
 		// award location points.

diff --git a/checks/raw/license.go b/checks/raw/license.go
@@ -124,10 +124,9 @@ func License(c *checker.CheckRequest) (checker.LicenseData, error) {
 					},
 					LicenseInformation: checker.License{
 						Approved:    len(fsfOsiApprovedLicenseCiMap[strings.ToUpper(v.SPDXId)].Name) > 0,
-						Key:         v.Key,
 						Name:        v.Name,
 						SpdxID:      v.SPDXId,
-						Attribution: checker.LicenseAttributionTypeRepo,
+						Attribution: checker.LicenseAttributionTypeAPI,
 					},
 				})
 		}
@@ -163,18 +162,15 @@ func License(c *checker.CheckRequest) (checker.LicenseData, error) {
 		// Aside from 'UN', these settings (Name, Key) match GH repo API
 		// for when the Spdx Identifier cannot be determined.
 		path.LicenseInformation.Name = fsfOsiApprovedLicenseCiMap[strings.ToUpper(path.LicenseInformation.SpdxID)].Name
-		path.LicenseInformation.Key = strings.ToLower(path.LicenseInformation.SpdxID)
 		if strings.ToUpper(path.LicenseInformation.SpdxID) == "UN" {
 			path.LicenseInformation.SpdxID = "UNLICENSE"
-			path.LicenseInformation.Key = strings.ToLower(path.LicenseInformation.SpdxID)
 		} else if path.LicenseInformation.SpdxID == "" {
 			path.LicenseInformation.SpdxID = "NOASSERTION"
 			path.LicenseInformation.Name = "Other"
-			path.LicenseInformation.Key = strings.ToLower(path.LicenseInformation.Name)
 		}
 		path.LicenseInformation.Approved = len(
 			fsfOsiApprovedLicenseCiMap[strings.ToUpper(path.LicenseInformation.SpdxID)].Name) > 0
-		path.LicenseInformation.Attribution = checker.LicenseAttributionTypeScorecard
+		path.LicenseInformation.Attribution = checker.LicenseAttributionTypeHeuristics
 		results.LicenseFiles = append(results.LicenseFiles, path)
 	}
 
@@ -358,7 +354,6 @@ func checkLicense(lfName string) (checker.LicenseFile, bool) {
 				Type: checker.FileTypeSource,
 			},
 			LicenseInformation: checker.License{
-				Key:    "",
 				Name:   "",
 				SpdxID: "",
 			},

diff --git a/docs/checks.md b/docs/checks.md
@@ -360,8 +360,8 @@ or audit and creates a legal risk for potential users.
 
 Scorecard uses the
 [GitHub License API](https://docs.github.com/en/rest/licenses#get-the-license-for-a-repository)
-for GitHub hosted projects. Otherwise, Scorecard attempts to detect a
-published license file on its own.
+for GitHub hosted projects. Otherwise, Scorecard uses its own heuristics to
+detect a published license file.
 
 On its own, this check will detect files in the top-level directory with
 any combination of the following names and extensions:`LICENSE`, `LICENCE`,

diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
@@ -755,8 +755,8 @@ checks:
 
       Scorecard uses the
       [GitHub License API](https://docs.github.com/en/rest/licenses#get-the-license-for-a-repository)
-      for GitHub hosted projects. Otherwise, Scorecard attempts to detect a
-      published license file on its own.
+      for GitHub hosted projects. Otherwise, Scorecard uses its own heuristics to
+      detect a published license file.
 
       On its own, this check will detect files in the top-level directory with
       any combination of the following names and extensions:`LICENSE`, `LICENCE`,

diff --git a/pkg/json_raw_results.go b/pkg/json_raw_results.go
@@ -169,7 +169,6 @@ type jsonOssfBestPractices struct {
 
 type jsonLicenseInfo struct {
 	File        string `json:"path"`
-	Key         string `json:"key,omitempty"`
 	Name        string `json:"name,omitempty"`
 	SpdxID      string `json:"spdxid,omitempty"`
 	Attribution string `json:"attribution,omitempty"`
@@ -609,7 +608,6 @@ func (r *jsonScorecardRawResult) addLicenseRawResults(ld *checker.LicenseData) e
 			jsonLicense{
 				License: jsonLicenseInfo{
 					File:        ld.LicenseFiles[idx].File.Path,
-					Key:         ld.LicenseFiles[idx].LicenseInformation.Key,
 					Name:        ld.LicenseFiles[idx].LicenseInformation.Name,
 					SpdxID:      ld.LicenseFiles[idx].LicenseInformation.SpdxID,
 					Attribution: string(ld.LicenseFiles[idx].LicenseInformation.Attribution),