-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Evaluator: Add support for "repolinter" style rules #5621
Comments
One might ask why not simply use repolinter as tool instead of implemented our own version. My response would be:
|
@tsteenbe can we add as bullet point to use scenarios: checks for the project, out of scope "packages"? |
@tsteenbe a couple of questions to the use cases / API in the ticket description:
|
My assumption is that each code file in my organization would use "Coypright (C) Example, Inc." followed by on the next line "SPDX identifier: "LicenseRef-proprietary-my-org". We would then write helper functions in rules.kts
I was thinking to just do it on directory name and only in a next step code repository location. My presumption was that R&D teams can agree on the naming on libs within /external but that code repository information would not be useful. Think for example case were the R&D team simply creates a /external/curl within their own code repository. "hasCommitContains(contents regex?)" I want to use for checking Git commits messages/history for organization's secrets or naming. Say we are open-sourcing a project and the team would like to preserve the Git history as much as possible, however as a company we don't want our internal code names for projects or customer to be made public. The project was originally developed for customer "paris" and code name was "oiseau" then I would like to |
Hm, from that writing I have a hunch that you're assuming that there would be some new rule type which gets called once per file in the source tree. However, for this use case I believe one should not create one violation per file as that would lead potentially to a large amount of violations. If I'm not missing anything, that would not be possible to achieve with a rule which gets called separately per file. Whilst writing this I got the feeling that clarifying these details in a call would be more efficient. |
@tsteenbe and me further dived into the use cases and we propose to do the following in scope of this ticket:
The following rules should be added to ort-config or ORT's example rules, and the rules API shall be extended accordingly: One rule for each of the following files, checking their existance
Note: We added One rule which checks whether there is CI setup
A rule which checks whether the repository contains tests
A rule which checks for the existance of '.gitignore' in the root
A rule that checks that no dependencies commited which are used via package managers
A rule that checks that the README.md has a section for License and contains a copyright A rule which flags non-inclusive language in commit messages idea: check git history for non-inclusive language |
As flagging non-inclusive language is a bigger topic, I've filed a GitHub issue as a basis for starting discussions: #5629. |
The evaluator rules in this repository have been created based on ORT's example policy rules, meanwhile they deviated, but are quite redundant. Reduce the deviation use-case-wise by copying all rules from ORT's examples which are missing in this repository using ORT revision [1]. This is the first step towards making the 'ort-config' repository the single dedicated place to examplify policy rules. In the following ORT's example rules will be deleted, or rather minimized and turned into functional test assets, see also [2]. Note: The copied rules have been create as part of [3]. [1] 63e002ba57e7d49c96017fac2ff679de8a5b76df [2] oss-review-toolkit/ort#5701 [3] oss-review-toolkit/ort#5621 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
The evaluator rules in this repository have been created based on ORT's example policy rules, meanwhile they deviated, but are quite redundant. Reduce the deviation use-case-wise by copying all rules from ORT's examples which are missing in this repository using ORT revision [1]. This is the first step towards making the 'ort-config' repository the single dedicated place to examplify policy rules. In the following ORT's example rules will be deleted, or rather minimized and turned into functional test assets, see also [2]. Note: The copied rules have been create as part of [3]. [1] 63e002ba57e7d49c96017fac2ff679de8a5b76df [2] oss-review-toolkit/ort#5701 [3] oss-review-toolkit/ort#5621 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
The evaluator rules in this repository have been created based on ORT's example policy rules, meanwhile they deviated, but are quite redundant. Reduce the deviation use-case-wise by copying all rules from ORT's examples which are missing in this repository using ORT revision [1]. This is the first step towards making the 'ort-config' repository the single dedicated place to examplify policy rules. In the following ORT's example rules will be deleted, or rather minimized and turned into functional test assets, see also [2]. Note: The copied rules have been created as part of [3]. [1] 63e002ba57e7d49c96017fac2ff679de8a5b76df [2] oss-review-toolkit/ort#5701 [3] oss-review-toolkit/ort#5621 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
The evaluator rules in this repository have been created based on ORT's example policy rules, meanwhile they deviated, but are quite redundant. Reduce the deviation use-case-wise by copying all rules from ORT's examples which are missing in this repository using ORT revision [1]. This is the first step towards making the 'ort-config' repository the single dedicated place to examplify policy rules. In the following ORT's example rules will be deleted, or rather minimized and turned into functional test assets, see also [2]. Note: The copied rules have been created as part of [3]. [1] 63e002ba57e7d49c96017fac2ff679de8a5b76df [2] oss-review-toolkit/ort#5701 [3] oss-review-toolkit/ort#5621 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
The evaluator rules in this repository have been created based on ORT's example policy rules, meanwhile they deviated, but are quite redundant. Reduce the deviation use-case-wise by copying all rules from ORT's examples which are missing in this repository using ORT revision [1]. This is the first step towards making the 'ort-config' repository the single dedicated place to examplify policy rules. In the following ORT's example rules will be deleted, or rather minimized and turned into functional test assets, see also [2]. Note: The copied rules have been created as part of [3]. [1] 63e002ba57e7d49c96017fac2ff679de8a5b76df [2] oss-review-toolkit/ort#5701 [3] oss-review-toolkit/ort#5621 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
The evaluator rules in this repository have been created based on ORT's example policy rules, meanwhile they deviated, but are quite redundant. Reduce the deviation use-case-wise by copying all rules from ORT's examples which are missing in this repository using ORT revision [1]. This is the first step towards making the 'ort-config' repository the single dedicated place to examplify policy rules. In the following ORT's example rules will be deleted, or rather minimized and turned into functional test assets, see also [2]. Note: The copied rules have been created as part of [3]. [1] 63e002ba57e7d49c96017fac2ff679de8a5b76df [2] oss-review-toolkit/ort#5701 [3] oss-review-toolkit/ort#5621 Signed-off-by: Frank Viernau <frank_viernau@epam.com>
The initial scope (ticket description) had been changed to the use case defined in the comment above: #5621 (comment). All except one have been implemented which I extracted to a separate ticket [1], so this can be closed as completed. Note: For the implementation of the use cases see merged PRs linked above. [1] #5853 |
Goal: Have ORT better support common contribution process checks
Usage scenarios:
Came up with below API, inspired by https://github.com/todogroup/repolinter/blob/main/docs/rules.md.
hasCI()
checks for presence of known CI files within project being scanned such as .gitlab-ci.yml or .github/workflowshasMoreContributorsThan(integer)
checks the number of unique names in version control log (Git log) of the project being scanned.hasDirectory([glob/regex?])
checks for presence of directory within project being scannedhasFile([glob/regex?])
to check for the presence of LICENSE, CONTRIBUTING.md, CHANGELOG.md, SECURITY.md, SUPPORT.md, NOTICE, CODE-OF-CONDUCT and README e.g. make sure the FOSS project has minimum files present to clarify its governance. I would like to be able to write a policy rule to check if project’s license is APACHE-2.0 then a NOTICE file must be presenthasFileWithContents([filepath glob/regex?, contents regex?])
checks if the contents of a file matches a given regular expression. Useful for searching for internal names or urls.hasFileWithExtension([glob/regex?])
checks for presence of file with certain extensions within project being scanned e.g. hasFileWithExtension(‘.ttf’) to search for font files. See also https://github.com/todogroup/repolinter/blob/main/docs/rules.md#file-starts-withhasFileWithLicense([filepath glob/regex, spdx license id])
to check for presence of file with certain license within project being scannedusesGit()
checks whether the project being scanned is managed by Git.usesGitSubModules()
checks whether the project being scanned uses Git sub modules.usesSVN()
checks whether the project being scanned is managed by Subversion.usesMercurial()
checks whether the project being scanned is managed by Mercurial.hasCommitContains(contents regex?)
checks if the contents of a version control log (Git history) matches a given regular expression for a project being scanned. Useful for searching for internal names or URLs.The text was updated successfully, but these errors were encountered: