update the SPDX license list

[spencerschrock]

As noticed in #3838 (comment) (which I'm noticing know is wrong because Beerware shouldn't be on out list in the sense of FSF or OSI approved), the SPDX list seems to have fallen out of date and could be refreshed. The list was added ~2 years ago (via #2442) and we're probably missing a few entries.

scorecard/checks/raw/license.go

Lines 399 to 418 in 0b9dfb6

	// (there's no magic here)
	// created from the table at https://spdx.org/licenses
	// 1) convert table to CSV and convert to json
	// (inspired from inspired from https://stackoverflow.com/questions/17912307/u-ufeff-in-python-string)
	//
	// cat SPDX-license-IDs-202211131030CST.csv | \
	// python -c \
	// 'import csv, json, sys; print(json.dumps([dict(r) for r in csv.DictReader(sys.stdin)]))' | \
	// sed 's/\\ufeff//g' > SPDX-license-IDs-202211131030CST.json
	//
	// 2) convert json to go lang compatible map
	//
	// cat SPDX-license-IDs-202211131030CST.json | \
	// jq -c '.[] | select((."FSF Free/Libre?"=="Y") or (."OSI Approved?"=="Y")) | \
	// [."Identifier",."Full Name"]' | \
	// sed 's/","/": \{ Name: "/;s/\["/"/;s/"\]/" },/' | \
	// sed 's/[- ]only//g;s/[- ]or[- ]later//g' | \
	// sort | \
	// uniq
	var fsfOsiApprovedLicenseMap = map[string]fsfOsiLicenseType{

[lelia]

I can work on this

[spencerschrock]

@lelia are you still interested in this?

[lelia]

@lelia are you still interested in this?

Yeah, sorry got sidetracked with some other priorities, but I did generate a new map of updated licenses a while back. I was holding off on making a contribution so we could have a more sustainable solution going forward, but I could always split the contribution into two parts.

[spencerschrock]

I was holding off on making a contribution so we could have a more sustainable solution going forward, but I could always split the contribution into two parts.

At the time, I had thought stale data was part of the cause for #4144, but that wasn't the case. So there isn't a time critical part of this

[bagder]

Our project which is 100% REUSE compliant (every single file clearly shows copyright and license) does not score full on License by the scorecard because of this problem.

[spencerschrock]

Our project which is 100% REUSE compliant (every single file clearly shows copyright and license) does not score full on License by the scorecard because of this problem.

While the issue is closed, it wasn't the root cause for the scoring.

1. We rely on GitHub for license type detection. https://api.github.com/repos/curl/curl/license doesn't identify the curl license, but rather NOASSERTION
2. The check (as written) awards the last point for "FSF Free/Libre" or "OSI Approved" licenses. An issue or discussion around changing this behavior in favor of REUSE or some other metric (originally just having a LICENSE file was a full score) is a valid discussion, it's just unrelated to this issue.

[bagder]

Okay. I'm a little disappointed that the aspirations aren't higher but I'll live.