Before the name gets too set in stone I'd like to propose renaming to repolint for consistency with jslint, eslint, etc.

Source files which specify their license in this form:

SPDX-License-Identifier: MIT

(in a suitable comment style for the language used in the file) should pass the license information check.

The awesome new license axiom support appears to use the licensee license names rather than SPDX identifiers. Let's settle on using SPDX identifiers as much as possible.

After much work, I was able to get linguist and licensee to gem install on RailsInstaller in Windows 10, but the commandline executables are not made for cmd or PowerShell.

Issue Report

We should validate a SECURITY_CONTACTS file See https://github.com/kubernetes/kubernetes/blob/master/SECURITY_CONTACTS.

Expected Behavior

We check to see if a repo has a SECURITY_CONTACTS file.

Actual Behavior

We currently do not have this check.

Steps to Reproduce the Issue

N/A

Rather than assuming a report goes to STDOUT, a report could go to a file and STDOUT would get a summary. This would allow for deeper linting.

Currently the filenames displayed are absolute, they should instead be relative to the target directory to make the results easier to read.

The file-starts-with rule currently matches files by matched pattern. We should make it configurable by language, like file-existence.

Ability to detect a code of conduct file and/or a code of conduct reference in the README

The todogroup.org/repolinter site is pretty barebones right now. Let's enhance it with details on how to use repolinter, why it is important, and when to use it!

For example, it might be useful to verify certain file types are not present in ANY branch/version of the repository. Similar with file contents, etc...

I expect this would be optional behavior as it could be very expensive for some repositories.

We should make repolinter runnable without node.js installed. pkg could be a good option for this.

Proposed code. Would be much simpler with a solution for #59. Alternatively, could have a system similar to the linguist plugins where the core code identifies the license, and then rules are run per license.

// Copyright 2018 TODO Group. All rights reserved.
// Licensed under the Apache License, Version 2.0.

const isWindows = require('is-windows')
const spawnSync = require('child_process').spawnSync
const Result = require('../lib/result')

// TODO: In an ideal world this rule would depend on, and obtain the reuslts of, the licensee rule; and it would then simply be an invocation of the file-exists rule
module.exports = function (fileSystem, rule) {
  const expected = /License: ([^\n]+)/

  const licenseeOutput = spawnSync(isWindows() ? 'licensee.bat' : 'licensee', [fileSystem.targetDir]).stdout

  let result = new Result(rule, '', null, false)
  if (licenseeOutput == null) {
    result.message = 'Licensee is not installed'
    return [result]
  }

  const license = licenseeOutput.toString().match(expected)

  if (license != null && license[1] == 'Apache License 2.0') {

    const options = rule.options
    const fs = options.fs || fileSystem
    noticeFiles = ['NOTICE', 'NOTICE.md', 'NOTICE.txt']
    const file = fs.findFirst(noticeFiles)

    result.passed = !!file
    if(!!file) {
      result.message = `found (${file})`
    } else {
      result.message = `not found: (${noticeFiles.join(', ')})`
    }

  } else {
    result.message = 'Licensee did not identify this project as Apache 2.0 licensed'
  }

  return [result]
}

The readme-references-license rule currently looks at only README.md because the file-contents rule doesn't support multiple files which is inconsistent with the readme-file-exists rule which looks for README*.

Using repolinter on a large amount of repos does not scale as git clone is required for each repo.

Would be great to use the APIs of GitHub and GitLab for those individual checks:

• https://developer.github.com/v3/repos/contents
• https://gitlab.com/help/api/repository_files.md

Currently the Axioms take a directory. They should take the richer fileSystem API.

The code of conduct should have an email address in it for reporting violations.

Issue and Pull Request Templates are a great way to help improve the quality of contributions, and reduce the overhead of triaging issues. see: https://github.com/blog/2111-issue-and-pull-request-templates

README.md would look something like:

github-templates-exist

Fails if there isn't a directory matching .github or ISSUE_TEMPLATE.md PULL_REQUEST_TEMPLATE.md in the directory tree of the target directory.

• 1. The ruleset that checks whether tests directory exists or not is case sensitive.
  If one has "Tests" folder instead or "tests". the ruleset fails.
• 2. There was a condition where the said tests folder was in one of the subdirectories and not in the parent directory. In such a situation the ruleset again failed

Today the only way to customize the rules is to copy the default ruleset and edit it... You should be able to create a ruleset that extends a ruleset and add new rules or change configuration on existing rules.

It would be nice to describe a rule in rule format rather than writing JavaScript every time.

Rather than the ruleset having:

"license=Apache-2.0": {
  "notice-file-exists:file-existence": [
    "error",
    {
      "files": ["NOTICE*"],
      "fail-message": "The NOTICE file is described in section 4.4 of the Apache License version 2.0. Its presence is not mandated by the license itself, but by ASF policy."
    }
}

Instead it would have:

"license=Apache-2.0": {
  "notice-file-exists"
}

and notice-file-exists would be defined as the above larger block of rule code.

https://www.npmjs.com/package/repolinter/v/0.6.0

The last release for the NPM package was 4 months ago. Could you ship the latest version?

Thanks!

The inverse of the current file-contents.js rule.

GitHub supports various magic files (CONTRIBUTING, SUPPORT, CODE_OF_CONDUCT, Templates etc). Some of them can also be in .github and docs. I suggest we support the alternatives.

It is tempting to implement it as a new github-magic rule rather than overloading things on the if-file-exists side of things. That way it could also throw an error if the file appears duplicate times, and deal with other specialness that shows up over time.

We should have a github site to highlight the tool.

It'd be useful for programmatic parsing for an output format other than text.

@cdelahousse has been doing great work, I think he should be a full time committer :)

I am going to go on fiverr and get a logo commissioned.

When using repolinter in a CI/CD system or in Docker, the exit code is not set correctly to reflect failing rules. For example, this:

repolinter || echo 'error'

never writes 'error'.

The initial use case is:

If license is Apache 2.0, then check if NOTICE file is there.

It's similar to Linguist/language support in principle. If , then .

I think it means running a series of Axioms, and then having rules that are dependent on the Axiom's output. So 'If language=Java' is the axiom, and "Java rule set" is the output.

Thanks so much for this awesome tool! One thing that would make it even more amazing would be to add group or org-level scanning to check multiple repos in the same org.

Issue Report

The term "PATENTS" can trigger bad things for some users.

Expected Behavior

Add a rule to detect the usage of the word "PATENTS" in the project.

Actual Behavior

It does not do this right now.

Steps to Reproduce the Issue

N/A

Right now it assumes a filesystem. It would be great to allow the checks to run against a repo on GitHub using the API.

Issue Report

If there are lots of lines in the report and most of them are passing, they can crowd out the errors.

Expected Behavior

A command line option to exclude passing lines.

Actual Behavior

No such option presently exists

Steps to Reproduce the Issue

N/A

Currently the output includes absolute filenames. This looks odd when reports are published. For example:

Target directory: /Users/hyandell/oss/repolinter
Ruleset: /Users/hyandell/oss/repolinter/rulesets/default.json
Languages: ruby, batchfile, javascript

✔ readme-references-license: File /Users/hyandell/oss/repolinter/README.md contains license

Would be better for this to be independent of where I ran it. ie It should say:

Target directory: .
Ruleset: rulesets/default.json
Languages: ruby, batchfile, javascript

✔ readme-references-license: File ./README.md contains license

It would be nice to have a site where we can input a URL and get an HTML report, using repolinter as the backend.

Licensee is a little touchy and sensitive to small changes in licenses, I'd like to be able to use repolinter to verify expected licenses on a project. I have a couple changes in this direction (e.g. specifying a threshold for matching) I need to clean up to submit.

When I run repolinter on https://github.com/voyages-sncf-technologies/vboard this is part of the output I get:

× binaries-not-present: Excluded file type exists (vboard-front/node_modules/gifsicle/vendor/gifsicle.exe)
× binaries-not-present: Excluded file type exists (vboard-front/node_modules/jpegtran-bin/vendor/jpegtran.exe)
× binaries-not-present: Excluded file type exists (vboard-front/node_modules/optipng-bin/vendor/optipng.exe)
× binaries-not-present: Excluded file type exists (vboard-front/node_modules/phantomjs/lib/phantom/phantomjs.exe)
× binaries-not-present: Excluded file type exists (vboard-front/node_modules/jpegtran-bin/vendor/libjpeg-62.dll)
× license-detectable-by-licensee: Licensee is not installed
√ test-directory-exists: found (repolinter/tests)
√ integrates-with-ci: found (.travis.yml)
‼ source-license-headers-exist: EMFILE: too many open files

I have a feature request : could only the versionned files be parsed by repolinter when used in a git repository, to avoid those false positives and this final application crash ?

right now there are a bunch of blocking sync calls.

Issue Report

Add a rule to check for a NOTICE file.
See https://github.com/Comcast/petasos/blob/master/NOTICE for an example.

Expected Behavior

There is a rule to check for the NOTICE file.

Actual Behavior

There is no rule for this right now.

Steps to Reproduce the Issue

N/A

Issue Report

I want a concise summary of errors and passing conditions at the bottom of the run, if optionally asked for.

Expected Behavior

A command line option allows for a summary to appear at the bottom of the report.

Actual Behavior

No option presently exists.

Steps to Reproduce the Issue

N/A

Hello,

Instead of creating one issue for each, I thought it would be simpler to gather those ideas and ask for feedback in one issue:

• check for the existence of the following files:

  • CONTRIBUTING.md
  • CHANGELOG.md

• check that issues are enabled in the repo, or else that there is a Contact section in the README

• suggest to add Github tags if none exists

• if the repo contains mainly python files, suggest to add a setup.py.
  Same for NodeJS and a package.json

• finally, I would love a check for a "Screenshots" or "Demo" section in the README it the repo contains HTML (template) files. The rationale is that it serves the project visibility a LOT to include pictures. Of course it makes a lot less sense for pure code libraries. And checking for images links in the README is not a good solution as it could be a logo.

• Look for a standard filename up the current directory tree (e.g. repolint.json)
• Allow path to a rule configuration to be passed to the executable

This line of the ruleset leads to errors:

  "license-detectable-by-licensee": ["error"],

Ideally that should be within an axiom, perhaps matching to '*'. Same wildcard feature could exist for linguist.

Can we get a new version published to npm?

Thanks!

Rather than embedding patterns into the rules, it'd be good to have a file search report that points to a file that lists patterns of interest.

• license parseable as a SPDX expression
• description provided
• keywords provided
• homepage provided
• author provided
• main provided
• repository provided
• test script provided (and isn't the default error script)

It's a good practice to tag releases, if a repo doesn't have any tags, this should be a warning.

So, the way I see it, we have three levels of functionality that we can define:

1. Rulesets: sets of rules
2. Rules: applications of modules to create some type of test. Eg. file-existence applied to the 'readme.md' pattern creates the "Does this repo have a readme" rule (ie. "readme-file-exists:file-existence": ["error", {"files": ["README*"], "nocase": true}],)
3. Modules: query operations on the repo (eg. file-existence)

Currently, we've structured out code as

1. Rulesets: a series of rules
2. Rules and Modules: we use them interchangebly. We call the objects from the 'rules' folder in the result object "modules".

I suggest we do the following:

• Rename the rules directory to modules
• Try to make this clearer in code

This will make the distinction between rules and 'modules' more clear.

https://blog.github.com/2017-07-20-support-file-support/