verifies that inspec.yml uses licenses in SPDX format

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>

Rakefile

@@ -6,6 +6,7 @@ require 'bundler/gem_tasks'
 require 'rake/testtask'
 require_relative 'tasks/changelog'
 require_relative 'tasks/maintainers'
+require_relative 'tasks/spdx'
 
 # The docs tasks rely on ruby-progressbar. If we can't load it, then don't
 # load the docs tasks. This is necessary to allow this Rakefile to work
@@ -195,4 +196,3 @@ namespace :www do
     exit(1)
   end
 end
-

examples/inheritance/inspec.yml

@@ -3,7 +3,7 @@ title: InSpec example inheritance
 maintainer: Chef Software, Inc.
 copyright: Chef Software, Inc.
 copyright_email: support@chef.io
-license: Apache 2 license
+license: Apache-2.0
 summary: Demonstrates the use of InSpec profile inheritance
 version: 1.0.0
 supports:

examples/meta-profile/inspec.yml

@@ -3,7 +3,7 @@ title: Meta Compliance Profile
 maintainer: InSpec Authors
 copyright: InSpec Authors
 copyright_email: support@chef.io
-license: Apache 2
+license: Apache-2.0
 summary: InSpec Profile that is only consuming dependencies
 version: 0.2.0
 depends:

examples/profile-attribute/inspec.yml

@@ -3,6 +3,6 @@ title: InSpec Profile
 maintainer: The Authors
 copyright: The Authors
 copyright_email: you@example.com
-license: All Rights Reserved
+license: Apache-2.0
 summary: An InSpec Compliance Profile
 version: 0.1.0

examples/profile/inspec.yml

@@ -3,7 +3,7 @@ title: InSpec Example Profile
 maintainer: Chef Software, Inc.
 copyright: Chef Software, Inc.
 copyright_email: support@chef.io
-license: Apache 2 license
+license: Apache-2.0
 summary: Demonstrates the use of InSpec Compliance Profile
 version: 1.0.0
 supports:

lib/bundles/inspec-init/templates/profile/inspec.yml

@@ -3,6 +3,6 @@ title: InSpec Profile
 maintainer: The Authors
 copyright: The Authors
 copyright_email: you@example.com
-license: All Rights Reserved
+license: Apache-2.0
 summary: An InSpec Compliance Profile
 version: 0.1.0

lib/inspec/metadata.rb

@@ -7,6 +7,7 @@ require 'logger'
 require 'rubygems/version'
 require 'rubygems/requirement'
 require 'semverse'
+require 'utils/spdx'
 
 module Inspec
   # Extract metadata.rb information
@@ -102,7 +103,7 @@ module Inspec
     end
 
     # return all warn and errors
-    def valid
+    def valid # rubocop:disable Metrics/AbcSize
       errors = []
       warnings = []
 
@@ -116,11 +117,16 @@ module Inspec
         errors.push('Version needs to be in SemVer format')
       end
 
-      %w{ title summary maintainer copyright }.each do |field|
+      %w{ title summary maintainer copyright license }.each do |field|
         next unless params[field.to_sym].nil?
         warnings.push("Missing profile #{field} in #{ref}")
       end
 
+      # if version is set, ensure it is in SPDX format
+      if !params[:license].nil? && !Spdx.valid_license?(params[:license])
+        errors.push("License '#{params[:license]}' needs to be in SPDX format. See https://spdx.org/licenses/.")
+      end
+
       [errors, warnings]
     end
 

lib/utils/spdx.rb

@@ -0,0 +1,13 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+class Spdx
+  def self.licenses
+    spdx_file = File.join(File.dirname(__FILE__), 'spdx.txt').freeze
+    File.read(spdx_file).split("\n")
+  end
+
+  def self.valid_license?(license)
+    licenses.include?(license)
+  end
+end

lib/utils/spdx.txt

@@ -0,0 +1,343 @@
+Glide
+Abstyles
+AFL-1.1
+AFL-1.2
+AFL-2.0
+AFL-2.1
+AFL-3.0
+AMPAS
+APL-1.0
+Adobe-Glyph
+APAFML
+Adobe-2006
+AGPL-1.0
+Afmparse
+Aladdin
+ADSL
+AMDPLPA
+ANTLR-PD
+Apache-1.0
+Apache-1.1
+Apache-2.0
+AML
+APSL-1.0
+APSL-1.1
+APSL-1.2
+APSL-2.0
+Artistic-1.0
+Artistic-1.0-Perl
+Artistic-1.0-cl8
+Artistic-2.0
+AAL
+Bahyph
+Barr
+Beerware
+BitTorrent-1.0
+BitTorrent-1.1
+BSL-1.0
+Borceux
+BSD-2-Clause
+BSD-2-Clause-FreeBSD
+BSD-2-Clause-NetBSD
+BSD-3-Clause
+BSD-3-Clause-Clear
+BSD-3-Clause-No-Nuclear-License
+BSD-3-Clause-No-Nuclear-License-2014
+BSD-3-Clause-No-Nuclear-Warranty
+BSD-4-Clause
+BSD-Protection
+BSD-Source-Code
+BSD-3-Clause-Attribution
+0BSD
+BSD-4-Clause-UC
+bzip2-1.0.5
+bzip2-1.0.6
+Caldera
+CECILL-1.0
+CECILL-1.1
+CECILL-2.0
+CECILL-2.1
+CECILL-B
+CECILL-C
+ClArtistic
+MIT-CMU
+CNRI-Jython
+CNRI-Python
+CNRI-Python-GPL-Compatible
+CPOL-1.02
+CDDL-1.0
+CDDL-1.1
+CPAL-1.0
+CPL-1.0
+CATOSL-1.1
+Condor-1.1
+CC-BY-1.0
+CC-BY-2.0
+CC-BY-2.5
+CC-BY-3.0
+CC-BY-4.0
+CC-BY-ND-1.0
+CC-BY-ND-2.0
+CC-BY-ND-2.5
+CC-BY-ND-3.0
+CC-BY-ND-4.0
+CC-BY-NC-1.0
+CC-BY-NC-2.0
+CC-BY-NC-2.5
+CC-BY-NC-3.0
+CC-BY-NC-4.0
+CC-BY-NC-ND-1.0
+CC-BY-NC-ND-2.0
+CC-BY-NC-ND-2.5
+CC-BY-NC-ND-3.0
+CC-BY-NC-ND-4.0
+CC-BY-NC-SA-1.0
+CC-BY-NC-SA-2.0
+CC-BY-NC-SA-2.5
+CC-BY-NC-SA-3.0
+CC-BY-NC-SA-4.0
+CC-BY-SA-1.0
+CC-BY-SA-2.0
+CC-BY-SA-2.5
+CC-BY-SA-3.0
+CC-BY-SA-4.0
+CC0-1.0
+Crossword
+CrystalStacker
+CUA-OPL-1.0
+Cube
+curl
+D-FSL-1.0
+diffmark
+WTFPL
+DOC
+Dotseqn
+DSDP
+dvipdfm
+EPL-1.0
+ECL-1.0
+ECL-2.0
+eGenix
+EFL-1.0
+EFL-2.0
+MIT-advertising
+MIT-enna
+Entessa
+ErlPL-1.1
+EUDatagrid
+EUPL-1.0
+EUPL-1.1
+Eurosym
+Fair
+MIT-feh
+Frameworx-1.0
+FreeImage
+FTL
+FSFAP
+FSFUL
+FSFULLR
+Giftware
+GL2PS
+Glulxe
+AGPL-3.0
+GFDL-1.1
+GFDL-1.2
+GFDL-1.3
+GPL-1.0
+GPL-2.0
+GPL-3.0
+LGPL-2.1
+LGPL-3.0
+LGPL-2.0
+gnuplot
+gSOAP-1.3b
+HaskellReport
+HPND
+IBM-pibs
+IPL-1.0
+ICU
+ImageMagick
+iMatix
+Imlib2
+IJG
+Info-ZIP
+Intel-ACPI
+Intel
+Interbase-1.0
+IPA
+ISC
+JasPer-2.0
+JSON
+LPPL-1.0
+LPPL-1.1
+LPPL-1.2
+LPPL-1.3a
+LPPL-1.3c
+Latex2e
+BSD-3-Clause-LBNL
+Leptonica
+LGPLLR
+Libpng
+libtiff
+LAL-1.2
+LAL-1.3
+LiLiQ-P-1.1
+LiLiQ-Rplus-1.1
+LiLiQ-R-1.1
+LPL-1.02
+LPL-1.0
+MakeIndex
+MTLL
+MS-PL
+MS-RL
+MirOS
+MITNFA
+MIT
+Motosoto
+MPL-1.0
+MPL-1.1
+MPL-2.0
+MPL-2.0-no-copyleft-exception
+mpich2
+Multics
+Mup
+NASA-1.3
+Naumen
+NBPL-1.0
+Net-SNMP
+NetCDF
+NGPL
+NOSL
+NPL-1.0
+NPL-1.1
+Newsletr
+NLPL
+Nokia
+NPOSL-3.0
+NLOD-1.0
+Noweb
+NRL
+NTP
+Nunit
+OCLC-2.0
+ODbL-1.0
+PDDL-1.0
+OCCT-PL
+OGTSL
+OLDAP-2.2.2
+OLDAP-1.1
+OLDAP-1.2
+OLDAP-1.3
+OLDAP-1.4
+OLDAP-2.0
+OLDAP-2.0.1
+OLDAP-2.1
+OLDAP-2.2
+OLDAP-2.2.1
+OLDAP-2.3
+OLDAP-2.4
+OLDAP-2.5
+OLDAP-2.6
+OLDAP-2.7
+OLDAP-2.8
+OML
+OPL-1.0
+OSL-1.0
+OSL-1.1
+OSL-2.0
+OSL-2.1
+OSL-3.0
+OpenSSL
+OSET-PL-2.1
+PHP-3.0
+PHP-3.01
+Plexus
+PostgreSQL
+psfrag
+psutils
+Python-2.0
+QPL-1.0
+Qhull
+Rdisc
+RPSL-1.0
+RPL-1.1
+RPL-1.5
+RHeCos-1.1
+RSCPL
+RSA-MD
+Ruby
+SAX-PD
+Saxpath
+SCEA
+SWL
+SMPPL
+Sendmail
+SGI-B-1.0
+SGI-B-1.1
+SGI-B-2.0
+OFL-1.0
+OFL-1.1
+SimPL-2.0
+Sleepycat
+SNIA
+Spencer-86
+Spencer-94
+Spencer-99
+SMLNJ
+SugarCRM-1.1.3
+SISSL
+SISSL-1.2
+SPL-1.0
+Watcom-1.0
+TCL
+TCP-wrappers
+Unlicense
+TMate
+TORQUE-1.1
+TOSL
+Unicode-DFS-2015
+Unicode-DFS-2016
+Unicode-TOU
+UPL-1.0
+NCSA
+Vim
+VOSTROM
+VSL-1.0
+W3C-20150513
+W3C-19980720
+W3C
+Wsuipa
+Xnet
+X11
+Xerox
+XFree86-1.1
+xinetd
+xpp
+XSkat
+YPL-1.0
+YPL-1.1
+Zed
+Zend-2.0
+Zimbra-1.3
+Zimbra-1.4
+Zlib
+zlib-acknowledgement
+ZPL-1.1
+ZPL-2.0
+ZPL-2.1
+eCos-2.0
+GPL-1.0+
+GPL-2.0+
+GPL-2.0-with-autoconf-exception
+GPL-2.0-with-bison-exception
+GPL-2.0-with-classpath-exception
+GPL-2.0-with-font-exception
+GPL-2.0-with-GCC-exception
+GPL-3.0+
+GPL-3.0-with-autoconf-exception
+GPL-3.0-with-GCC-exception
+LGPL-2.1+
+LGPL-3.0+
+LGPL-2.0+
+StandardML-NJ
+WXwindows

tasks/spdx.rb

@@ -0,0 +1,33 @@
+# encoding: utf-8
+# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+PROJECT_DIR = File.join(File.expand_path(File.dirname(__FILE__)), '..').freeze
+UTILS_DIR     = File.join(PROJECT_DIR, 'lib/utils').freeze
+
+desc 'Updates the list of the spdx valid licenses'
+task :spdx do
+  # Kudos to Foodcritic for providing that idea
+  # @see https://github.com/Foodcritic/foodcritic/pull/530/files
+  # list of valid SPDX.org license strings. To build an array run this:
+  require 'json'
+  require 'net/http'
+  json_data = JSON.parse(Net::HTTP.get(URI('https://raw.githubusercontent.com/spdx/license-list-data/master/json/licenses.json')))
+  licenses = json_data['licenses'].map { |l| l['licenseId'] }
+  # "All Rights Reserved" is non-standard extra value to cover proriatary license
+  licenses.push('All Rights Reserved')
+  File.write(File.join(UTILS_DIR, 'spdx.txt'), licenses.join("\n"))
+end