[rl-reuse_tool-4] Violation against OSS Rules of Play #113

Closed
sap-ospo-bot opened this issue Jul 30, 2021 · 3 comments

@sap-ospo-bot

A violation against the OSS Rules of Play has been detected.

Rule ID: rl-reuse_tool-4
Explanation: Is it compliant with REUSE rules? No

Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html

@matz3

matz3 commented Aug 2, 2021

@SebastianWolf-SAP could you please check why the REUSE rules are not compliant? We are using a GitHub Actions workflow to run REUSE (https://github.com/SAP/openui5-sample-app/blob/master/.github/workflows/reuse-compliance.yml), and I can't see any issues there.
I just re-triggered the last run and it succeeded: https://github.com/SAP/openui5-sample-app/runs/3217993847

# SUMMARY

* Bad licenses:
* Deprecated licenses:
* Licenses without file extension:
* Missing licenses:
* Unused licenses:
* Used licenses: Apache-2.0
* Read errors: 0
* Files with copyright information: 39 / 39
* Files with license information: 39 / 39

Congratulations! Your project is compliant with version 3.0 of the REUSE Specification :-)

I've also executed https://github.com/SAP/fosstars-rating-core locally and it gave me the following output.
The only action I plan to take here is to enable CodeQL, as we already use it for all our other OSS projects.

[+] Rating:     4,62 out of 10,0 -> MODERATE
[+] Confidence: High (9,65 out of 10,0)
[+] 
[+] Here is how the rating may be improved:
[+] 1. You can ask the project maintainers to enable LGTM
[+]    checks for pull requests in the project.
[+]    More info:
[+]    1. How to enable LGTM checks for pull requests:
[+]       https://lgtm.com/help/lgtm/about-automated-code-review
[+] 2. You can open a pull request to enable CodeQL scans
[+]    in the project. Make sure that the scans are run
[+]    on pull requests.
[+]    More info:
[+]    1. How to enable CodeQL checks for pull requests:
[+]       https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions
[+] 3. You can open a pull request to enable CodeQL scans
[+]    in the project.
[+]    More info:
[+]    1. How to enable CodeQL checks:
[+]       https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions
[+] 4. You can open a pull request to enable FindSecBugs
[+]    for the project.
[+]    More info:
[+]    1. FindSecBugs home page:
[+]       https://find-sec-bugs.github.io/
[+] 5. You can enable artifact signing in the project's
[+]    build pipeline.
[+]    More info:
[+]    1. Apache Maven Jarsigner Plugin:
[+]       https://maven.apache.org/plugins/maven-jarsigner-plugin/
[+] 6. You can enable NoHttp tool in the project's build
[+]    pipeline.
[+]    More info:
[+]    1. NoHttp tool home page:
[+]       https://github.com/spring-io/nohttp
[+] 
[+] Bye!
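
The REUSE summary above counts files that carry both SPDX tags and compares the license ids they reference against the texts shipped in LICENSES/. The following is an added example, not the reuse tool or SAP's workflow: a minimal Python reimplementation of that check over a constructed sample repository. It assumes in-file SPDX comments only and ignores the .license companion files and DEP5 entries the real tool also accepts.

```python
import re
from dataclasses import dataclass, field

# The two SPDX tags the REUSE specification requires in every covered file.
# Only in-file comments are handled here; .license companion files and DEP5 are not.
LICENSE_TAG = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+\-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+\-]+)*)")
COPYRIGHT_TAG = re.compile(r"SPDX-FileCopyrightText:\s*\S")

@dataclass
class Summary:
    files_total: int = 0
    files_with_copyright: int = 0
    files_with_license: int = 0
    used_licenses: set = field(default_factory=set)
    missing_licenses: set = field(default_factory=set)  # referenced, but no LICENSES/<id>.txt
    unused_licenses: set = field(default_factory=set)   # LICENSES/<id>.txt, never referenced

    def compliant(self) -> bool:
        return (self.files_with_copyright == self.files_total
                and self.files_with_license == self.files_total
                and not self.missing_licenses and not self.unused_licenses)

def lint(files: dict, license_dir: set) -> Summary:
    """files maps path -> content; license_dir holds the ids present as LICENSES/<id>.txt."""
    s = Summary(files_total=len(files))
    for content in files.values():
        if COPYRIGHT_TAG.search(content):
            s.files_with_copyright += 1
        m = LICENSE_TAG.search(content)
        if m:
            s.files_with_license += 1
            # Split compound expressions such as "MIT AND Apache-2.0" into single ids.
            s.used_licenses.update(re.split(r"\s+(?:AND|OR|WITH)\s+", m.group(1)))
    s.missing_licenses = s.used_licenses - license_dir
    s.unused_licenses = license_dir - s.used_licenses
    return s

# Constructed sample repository: one file lacks both tags, LICENSES/ has an unused MIT text.
SAMPLE_FILES = {
    "webapp/Component.js": "// SPDX-FileCopyrightText: 2021 Example Corp\n"
                           "// SPDX-License-Identifier: Apache-2.0\nsap.ui.define([]);\n",
    "webapp/index.html": "<!-- SPDX-FileCopyrightText: 2021 Example Corp -->\n"
                         "<!-- SPDX-License-Identifier: Apache-2.0 -->\n<html></html>\n",
    "README.md": "# Sample\nNo SPDX tags here.\n",
}
SAMPLE_LICENSES = {"Apache-2.0", "MIT"}

if __name__ == "__main__":
    print(lint(SAMPLE_FILES, SAMPLE_LICENSES))  # dataclass repr shows all counters
```

With the constructed input the result is 2 / 3 files with copyright and license information and MIT listed as unused, so the check reports non-compliance; a run in which every file is tagged and LICENSES/ matches the referenced ids reports compliance like the summary above.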

@matz3 matz3 self-assigned this Aug 2, 2021
@SebastianWolf-SAP

To me it seems that the last check didn't run correctly. There is no output message listed on the overview and I got the same success message locally. As a re-run is only triggered after a new commit, you could try to push a pseudo-commit. If that doesn't work or you can't push a new commit, please explain the problem in an issue or via their mailing list so it can be addressed.

Concerning the security rating of FOSSTARS (be aware of the different ratings, we are executing the OSS rules of play rating here): Right now, there is no policy regarding compliance with the security scan yet. We have it on our agenda to review and introduce it probably later this year, but right now there is no obligation to do so. Until there is another statement: Whatever improves the project setup with respect to security is appreciated. :)

@matz3

matz3 commented Aug 2, 2021

Thanks for the quick clarification. A CodeQL action will be added via #114
