License Declaration

ID: openssf_scorecard/license_declared
Severity: low
Category:
Levels:
Optional: false
Tags: license
Description
Does the project declare a license?
This check tries to determine if the project has published a license.
Reference: OpenSSF Scorecard - License.
Rationale
A license can give users information about how the source code may or may not be used. The lack of a license will impede any kind of security review or audit, and creates a legal risk for potential users.
Verification
The check looks for a file named according to common conventions for licenses, under standard locations.
This check will detect files in the top-level directory with any combination of the following names and extensions: LICENSE, LICENCE, COPYING, COPYRIGHT and .html, .txt, .md. It will also detect these files in a directory named LICENSES. (Files in a LICENSES directory are typically named as their SPDX license identifier followed by an appropriate file extension, as described in the REUSE Specification.)
Note: this check does not verify whether the project's use of third-party dependencies violates their licenses. That is a common feature of Software Composition Analysis (SCA) tools.
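As an added example (not Scorecard's own code), the Go program below applies the naming rules described above to a repository file listing and reports which paths would satisfy the check. Case-insensitive matching and counting any `<SPDX-ID>.<ext>` file directly under a top-level `LICENSES` directory are assumptions of this example, not rules the page states.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Name patterns from the Verification section: a top-level LICENSE, LICENCE,
// COPYING or COPYRIGHT with no extension or with .txt/.md/.html, and, directly
// under a top-level LICENSES directory, either one of those names or an
// SPDX-style "<identifier>.<ext>" (REUSE layout). Case-insensitive matching
// and the SPDX-style rule are assumptions of this example.
var (
	conventional = `(LICENSE|LICENCE|COPYING|COPYRIGHT)(\.(txt|md|html))?`
	topLevelRe   = regexp.MustCompile(`(?i)^` + conventional + `$`)
	reuseDirRe   = regexp.MustCompile(`(?i)^LICENSES/(` + conventional + `|[^/]+\.(txt|md|html))$`)
)

// IsLicensePath reports whether one repository-relative path would be counted
// by the check. Nested copies such as docs/LICENSE do not count, because the
// check only looks at the top-level directory and at LICENSES/.
func IsLicensePath(p string) bool {
	p = strings.TrimPrefix(p, "./")
	return topLevelRe.MatchString(p) || reuseDirRe.MatchString(p)
}

// LicenseFiles returns every path in a repository listing that satisfies the check.
func LicenseFiles(paths []string) []string {
	var found []string
	for _, p := range paths {
		if IsLicensePath(p) {
			found = append(found, p)
		}
	}
	return found
}

// LicenseDeclared is the pass/fail outcome of the check for one listing.
func LicenseDeclared(paths []string) bool { return len(LicenseFiles(paths)) > 0 }

func main() {
	// Constructed sample listing: only LICENSE.md and LICENSES/MIT.txt count;
	// docs/LICENSE is nested and license-check.sh is not a license file name.
	repo := []string{"README.md", "LICENSE.md", "LICENSES/MIT.txt", "docs/LICENSE", "license-check.sh"}
	fmt.Println(LicenseFiles(repo), LicenseDeclared(repo))
}
```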
Remediation
- Determine which license to apply to your project.
- Create the license in a .txt, .html, or .md file named LICENSE or COPYING, and place it in the top-level directory.
- Alternately, create a LICENSES directory and add license files with names that match your SPDX license identifiers.