<!--
SPDX-FileCopyrightText: 2023 DB Systel GmbH
SPDX-License-Identifier: Apache-2.0
-->
# Open Source Red Flag Checker
[![Test suites](https://github.com/dbsystel/oss-red-flag-checker/actions/workflows/test.yaml/badge.svg)](https://github.com/dbsystel/oss-red-flag-checker/actions/workflows/test.yaml)
[![REUSE status](https://api.reuse.software/badge/github.com/dbsystel/oss-red-flag-checker)](https://api.reuse.software/info/github.com/dbsystel/oss-red-flag-checker)
[![The latest version of oss-red-flag-checker can be found on PyPI.](https://img.shields.io/pypi/v/oss-red-flag-checker.svg)](https://pypi.org/project/oss-red-flag-checker/)
[![Information on what versions of Python oss-red-flag-checker supports can be found on PyPI.](https://img.shields.io/pypi/pyversions/oss-red-flag-checker.svg)](https://pypi.org/project/oss-red-flag-checker/)
This project evaluates remote repositories by looking for typical red flags such as CLAs (Contributor License Agreements), but also for indicators of governance, activity and licensing conditions that we consider good.
## Table of contents
* [Features](#features)
* [Installation](#installation)
* [Usage](#usage)
* [Caveats](#caveats)
* [Similar approaches](#similar-approaches)
* [License and copyright](#license-and-copyright)
## Features
[![asciicast](https://asciinema.org/a/TTgMvR8kyzusNCUL7VKlCzIaT.svg)](https://asciinema.org/a/TTgMvR8kyzusNCUL7VKlCzIaT)
### Searched data
The checker looks for the following data in remote repositories:
* CLA (Contributor License Agreement) mentioned in files and pull requests
* DCO (Developer Certificate of Origin) mentioned in files and pull requests
* inbound=outbound mentioned in files
* Existence of LICENSE/COPYING file
* Human and bot contributors to the project (based on GitHub stats)
* Last commits made by humans and bots
### Analysis based on data
Red flags:
* CLA mentioned in `README` or `CONTRIBUTING` files
* CLA as part of pull request actions/statuses
* No `LICENSE`/`COPYING` file in the repository
* The project only contains contributions by one person
* The last commit is more than 1 year old
Yellow flags:
* The project's main developer has made more than 75% more contributions than the next 10 most active contributors
* The last human commit is more than 1 year old, but there have been newer commits made by bots (like dependabot or renovate)
* The last human commit is more than 90 days old
Green flags:
* DCO mentioned in `README` or `CONTRIBUTING` files
* DCO as part of pull request actions/statuses
* inbound = outbound mentioned in `README` or `CONTRIBUTING` files
* The project has an acceptable contribution distribution by multiple active developers
* The last human commit is less than 90 days old
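To make the activity and contribution rules above concrete, here is an added example that applies them to a small commit history. It is illustration code, not code from oss-red-flag-checker: the thresholds (90 days, 1 year, 75%) are the ones listed above, while the commit record format, the bot-detection heuristic (`[bot]` login suffix or a well-known bot name) and the dominance formula are assumptions; the real tool derives its numbers from GitHub's contributor statistics.

```python
"""Illustration of the red/yellow/green activity and contribution rules.

Added example, not code from oss-red-flag-checker. The thresholds are the
README's; the input format, bot heuristic and dominance formula are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: bots are recognised by GitHub's "[bot]" login suffix or by a
# well-known bot name. The real tool relies on GitHub's contributor statistics.
BOT_MARKERS = ("[bot]", "dependabot", "renovate")


@dataclass(frozen=True)
class Commit:
    author: str
    when: date


def is_bot(author: str) -> bool:
    name = author.lower()
    return any(marker in name for marker in BOT_MARKERS)


def days_since_last(commits, today, bots):
    """Days since the newest commit by bots (bots=True) or humans (bots=False)."""
    dates = [c.when for c in commits if is_bot(c.author) == bots]
    return (today - max(dates)).days if dates else None


def maintainer_dominance(commits):
    """Assumed metric: by what fraction the most active human exceeds the next
    ten humans combined (0.75 means 75% more). None with fewer than two humans."""
    counts = Counter(c.author for c in commits if not is_bot(c.author))
    ranked = [n for _, n in counts.most_common(11)]
    if len(ranked) < 2:
        return None
    top, rest = ranked[0], sum(ranked[1:])
    return (top - rest) / rest


def rate(commits, today):
    """Return (red, yellow, green) flag lists following the rules above."""
    red, yellow, green = [], [], []

    humans = {c.author for c in commits if not is_bot(c.author)}
    if len(humans) <= 1:
        red.append("single-contributor")
    else:
        if maintainer_dominance(commits) > 0.75:
            yellow.append("maintainer-dominance")
        else:
            green.append("distributed-contributions")

    human_age = days_since_last(commits, today, bots=False)
    bot_age = days_since_last(commits, today, bots=True)
    ages = [a for a in (human_age, bot_age) if a is not None]
    if not ages or min(ages) > 365:
        red.append("abandoned")             # nothing at all within a year
    elif human_age is None or human_age > 365:
        yellow.append("bot-only-activity")  # humans silent, bots still merging
    elif human_age > 90:
        yellow.append("low-human-activity")
    else:
        green.append("actively-developed")
    return red, yellow, green


TODAY = date(2024, 5, 7)  # constructed reference date

# Constructed sample histories, not real project data.
ACTIVE = [
    Commit("alice", TODAY - timedelta(days=1)),
    Commit("bob", TODAY - timedelta(days=20)),
    Commit("carol", TODAY - timedelta(days=45)),
    Commit("alice", TODAY - timedelta(days=60)),
    Commit("dependabot[bot]", TODAY - timedelta(days=141)),
]
STALE = [
    Commit("dave", TODAY - timedelta(days=400)),
    Commit("renovate[bot]", TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, history in (("active", ACTIVE), ("stale", STALE)):
        print(name, rate(history, TODAY))
```

The `STALE` history shows why bot commits are tracked separately: a repository that renovate keeps touching looks alive by its last-commit date alone, but with no human commit in over a year it only earns a yellow flag, and with a single human author it is red regardless of activity.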
## Installation
You must have the following dependencies installed:
* `git` >= 1.7.0
* `python` >= 3.8
* `pip3`
You can install the latest release using pip: `pip3 install oss-red-flag-checker`.
The command to run the program afterwards will be `ossrfc`.
### Install/develop using poetry
You can also run this tool via `poetry`, which installs the correct dependencies in a clean environment and makes development easy. We recommend poetry 1.1.0 or newer. Inside the repository, run `poetry install` once and you are ready to go. If you update the repository, run this command again to fetch new versions and dependencies.
The command to run the program will be `poetry run ossrfc`.
## Usage
You can find all supported flags by running `ossrfc --help`.
> [!NOTE]
> Provide a GitHub Personal Access Token to avoid the low rate limit for unauthenticated API requests, either via the `--token` argument or the `GITHUB_TOKEN` environment variable.
> The checker only reads repository data, so a token without write scopes is enough. Prefer the environment variable over `--token` so that the secret does not end up in your shell history or in process listings.
Basic examples:
```sh
# Check a remote repository
ossrfc -r https://github.com/hashicorp/terraform
# Cache the cloned repository so subsequent checks are faster
ossrfc -r https://github.com/hashicorp/terraform --cache
# Return the results as JSON
ossrfc -r https://github.com/hashicorp/terraform --json
# Do not check for CLAs and DCOs in pull requests
ossrfc -r https://github.com/hashicorp/terraform -d cla-dco-pulls
# Ignore findings about contribution distribution
ossrfc -r https://github.com/hashicorp/terraform -i contributions
# Provide a list of repositories to be checked
ossrfc -f repos.txt
```
Here's a possible output in both the Markdown view as well as in JSON:
```md
# Report for hashicorp/terraform (https://github.com/hashicorp/terraform)
* 🚩 Licensing: A mention of Contributor License Agreements in the following file(s): .github/CONTRIBUTING.md
* 🚩 Licensing: A check for Contributor License Agreements in at least one status in pull request(s): 33656
* ✔ Contributions: The project has multiple contributors with an acceptable contribution distribution
* ✔ Contributions: The last commit made by a human is less than 90 days old (1 days)
```
```json
{
  "json_version": "1.0",
  "disabled_checks": [],
  "ignored_flags": [],
  "debug_mode": false,
  "repositories": [
    {
      "url": "https://github.com/hashicorp/terraform",
      "shortname": "hashicorp/terraform",
      "red_flags": [
        "cla",
        "cla"
      ],
      "yellow_flags": [],
      "green_flags": [
        "distributed-contributions",
        "actively-developed"
      ],
      "cla_files": [
        {
          "file": ".github/CONTRIBUTING.md",
          "indicators": [
            "- Contributor License Agreement (CLA): If this is your first contribution to Terraform you will be asked to sign the CLA."
          ]
        }
      ],
      "cla_pulls": [
        {
          "pull_request": 33656,
          "type": "status",
          "url": "https://api.github.com/repos/hashicorp/terraform/statuses/b53d89a08df10c85f6d4c546d2e54d4fab886d67",
          "indicators": [
            "Contributor License Agreement is signed.",
            "license/cla"
          ]
        }
      ],
      "dco_files": [],
      "dco_pulls": [],
      "inoutbound_files": [],
      "licensefiles": [
        "LICENSE"
      ],
      "maintainer_dominance": -2.83,
      "days_since_last_human_commit": 1,
      "days_since_last_bot_commit": 141,
      "analysis": [
        {
          "category": "Licensing",
          "ignored": false,
          "severity": "red",
          "indicator": "A mention of Contributor License Agreements in the following file(s): .github/CONTRIBUTING.md"
        },
        {
          "category": "Licensing",
          "ignored": false,
          "severity": "red",
          "indicator": "A check for Contributor License Agreements in at least one status in pull request(s): 33656"
        },
        {
          "category": "Contributions",
          "ignored": false,
          "severity": "green",
          "indicator": "The project has multiple contributors with an acceptable contribution distribution"
        },
        {
          "category": "Contributions",
          "ignored": false,
          "severity": "green",
          "indicator": "The last commit made by a human is less than 90 days old (1 days)"
        }
      ]
    }
  ]
}
```
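The JSON output is what you would feed into automation, for instance a CI job that vets a new dependency before it is allowed into the build. The following added example (not part of oss-red-flag-checker) turns a report into a pass/warn/fail verdict per repository. It reads only the `json_version`, `repositories[].shortname` and `repositories[].analysis` fields shown above and skips findings with `"ignored": true` (the entries produced by `--ignore`), so the verdict honours the flags the run was made with. The gating policy (fail on any non-ignored red flag, warn on yellow) and the second, trimmed repository entry in the embedded sample are constructed for the example.

```python
"""Gate on an `ossrfc --json` report.

Added example, not part of oss-red-flag-checker. Policy: any non-ignored red
finding fails, any non-ignored yellow finding warns, otherwise pass.
"""
import json
import sys

# Constructed sample modelled on the report above, trimmed to the fields this
# script reads. The second repository is invented to show an ignored finding.
SAMPLE_REPORT = json.dumps({
    "json_version": "1.0",
    "repositories": [
        {
            "shortname": "hashicorp/terraform",
            "analysis": [
                {"category": "Licensing", "ignored": False, "severity": "red",
                 "indicator": "A mention of Contributor License Agreements in the following file(s): .github/CONTRIBUTING.md"},
                {"category": "Licensing", "ignored": False, "severity": "red",
                 "indicator": "A check for Contributor License Agreements in at least one status in pull request(s): 33656"},
                {"category": "Contributions", "ignored": False, "severity": "green",
                 "indicator": "The project has multiple contributors with an acceptable contribution distribution"},
            ],
        },
        {
            "shortname": "example/ignored-cla",
            "analysis": [
                {"category": "Licensing", "ignored": True, "severity": "red",
                 "indicator": "A mention of Contributor License Agreements in the following file(s): CONTRIBUTING.md"},
                {"category": "Contributions", "ignored": False, "severity": "yellow",
                 "indicator": "The last commit made by a human is more than 90 days old"},
            ],
        },
    ],
})


def load_report(text: str) -> dict:
    """Parse a report and refuse versions this script was not written for."""
    report = json.loads(text)
    if report.get("json_version") != "1.0":
        raise ValueError(f"unsupported json_version {report.get('json_version')!r}")
    return report


def evaluate(report: dict, fail_on=("red",)) -> dict:
    """Map each repository shortname to 'fail', 'warn' or 'pass'.

    Only the `analysis` entries count; entries marked "ignored": true (the
    result of running ossrfc with --ignore) are skipped.
    """
    verdicts = {}
    for repo in report["repositories"]:
        active = [f for f in repo.get("analysis", []) if not f.get("ignored")]
        severities = {f["severity"] for f in active}
        if severities & set(fail_on):
            verdicts[repo["shortname"]] = "fail"
        elif "yellow" in severities:
            verdicts[repo["shortname"]] = "warn"
        else:
            verdicts[repo["shortname"]] = "pass"
    return verdicts


def findings(report: dict, shortname: str, severity: str) -> list:
    """Indicator texts of the non-ignored findings with the given severity."""
    for repo in report["repositories"]:
        if repo["shortname"] == shortname:
            return [f["indicator"] for f in repo.get("analysis", [])
                    if f["severity"] == severity and not f.get("ignored")]
    return []


def main(argv):
    # Usage: python gate.py report.json   (falls back to the embedded sample)
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    report = load_report(text)
    verdicts = evaluate(report)
    for name, verdict in verdicts.items():
        print(f"{verdict.upper():5} {name}")
        for indicator in findings(report, name, "red"):
            print(f"      red: {indicator}")
    return 1 if "fail" in verdicts.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For a real run, write the report to a file first, e.g. `ossrfc -f repos.txt --json > report.json`, then call the script with that file; its non-zero exit status on any failing repository is what a CI step would key on. Deciding on the `analysis` entries rather than the `red_flags` list keeps the verdict consistent with whatever `--ignore` and `--disable` options the report was generated with.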
## Caveats
### Opinionated analysis
The analysis, and the decisions about which indicators count as red, yellow or green flags, are highly opinionated and represent a snapshot of our (DB Systel GmbH's) current thinking.
You are free to use this tool. If certain criteria are not relevant for you, consider using the `--ignore` or `--disable` flags.
In the long run, it may be feasible to make the ratings configurable. Contributions are welcome if you are interested in this.
## Similar approaches
There are different initiatives that intend to evaluate the health or risks of Open Source projects. All of them have their particular focuses, strengths and weaknesses.
* [OpenSSF](https://openssf.org/) with a focus on security and their [scorecards](https://github.com/ossf/scorecard)
* [CHAOSS](https://chaoss.community/) with a focus on metrics about community health and metrics models
## License and copyright
The content of this repository is licensed under the [Apache 2.0 license](https://www.apache.org/licenses/LICENSE-2.0).
This repository is [REUSE](https://reuse.software) compliant. You can find licensing and copyright information for each file in the file header or in accompanying files.
The project has been started by DB Systel GmbH. [We welcome contributions from everyone](CONTRIBUTING.md).