
BUG: Apache 2.0 license not recognized #3333

Closed
anotherbridge opened this issue Jul 31, 2023 · 4 comments · Fixed by #3413
Labels: check/License, gitlab (Issue related to Scorecard's GitLab client), kind/bug (Something isn't working)

Comments

@anotherbridge

Describe the bug
When the Apache 2.0 license is placed at the root of a GitLab repo, it is not recognized as an "FSF or OSI recognized license".

Reproduction steps
Steps to reproduce the behavior:

  1. Place the Apache 2.0 license (cf. https://www.apache.org/licenses/LICENSE-2.0.html) at the root of the repo
  2. Run export SCORECARD_EXPERIMENTAL=1
  3. Run export GITLAB_AUTH_TOKEN=<token>
  4. Run scorecard --repo https://gitlab.com/<namespace>/<repo> --commit <commit id> --checks=License,Code-Review,Maintained,Security-Policy,Binary-Artifacts,Vulnerabilities,Pinned-Dependencies --show-details
  5. Observe the license output, which reports a score of 9/10 and says:
Info: License file found in expected location: LICENSE:1
Warn: Any licence detected not an FSF or OSI recognized license: LICENSE:1

Expected behavior
Getting a 10/10 rating with no complaints.

Additional context
Scorecard version: v4.11.0
Reproduced on: Debian 11.x x86 architecture, macOS Ventura ARM architecture

@anotherbridge anotherbridge added the kind/bug Something isn't working label Jul 31, 2023
@spencerschrock spencerschrock added gitlab Issue related to Scorecard's GitLab client check/License labels Aug 3, 2023
@spencerschrock
Member

spencerschrock commented Aug 3, 2023

@raghavkaul this seems to be from a gap in the GitLab client. It seems like there's a way of getting the license as part of the project endpoint (in the REST API at least); not sure how easily extendible this is, or whether the license type is returned in any sort of standardized way:

https://stackoverflow.com/a/74685995

curl https://gitlab.com/api/v4/projects/278964?license=yes | jq
  "license": {
    "key": "mit",
    "name": "MIT License",
    "nickname": null,
    "html_url": "https://opensource.org/licenses/MIT",
    "source_url": null
  },
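The project-endpoint route sketched in the comment above, written out as an added example: this is not Scorecard's or GitLab's own code, only a stdlib-only Go client that calls GET /api/v4/projects/:id?license=yes against a constructed fake server, reads the license.key, and shows why a raw key such as "mit" fails an exact SPDX-identifier lookup while a case-insensitive mapping passes. The helper names (fetchProjectLicense, spdxFromGitLabKey, isApproved, fakeGitLab), the small approved-id set, the Apache-2.0 response body and the assumption that GitLab's key is simply the SPDX id lowercased are all mine; the MIT block is the one quoted in the comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// gitlabLicense mirrors the "license" object in the project response
// (field names taken from the JSON quoted in the issue).
type gitlabLicense struct {
	Key      string  `json:"key"`
	Name     string  `json:"name"`
	Nickname *string `json:"nickname"`
	HTMLURL  string  `json:"html_url"`
}

type gitlabProject struct {
	ID      int            `json:"id"`
	License *gitlabLicense `json:"license"`
}

// fetchProjectLicense calls GET /api/v4/projects/:id?license=yes and returns
// the license block, or nil when GitLab did not detect one. Hypothetical helper.
func fetchProjectLicense(baseURL, token string, projectID int) (*gitlabLicense, error) {
	u := fmt.Sprintf("%s/api/v4/projects/%d?license=yes", baseURL, projectID)
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("PRIVATE-TOKEN", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("gitlab: unexpected status %d for project %d", resp.StatusCode, projectID)
	}
	var p gitlabProject
	if err := json.NewDecoder(resp.Body).Decode(&p); err != nil {
		return nil, err
	}
	return p.License, nil
}

// approvedSPDX is a constructed subset of FSF/OSI-approved SPDX identifiers,
// spelled exactly as SPDX writes them. Scorecard's real list is much larger.
var approvedSPDX = map[string]bool{
	"Apache-2.0": true,
	"MIT":        true,
	"GPL-3.0":    true,
}

// spdxFromGitLabKey maps GitLab's lowercase key ("mit", "apache-2.0") onto the
// SPDX spelling. Assumption: the key is the SPDX id lowercased, so a
// case-insensitive comparison is enough; unknown keys pass through with ok=false.
func spdxFromGitLabKey(key string) (string, bool) {
	for id := range approvedSPDX {
		if strings.EqualFold(id, key) {
			return id, true
		}
	}
	return key, false
}

// isApproved is the exact-match lookup the check ends up doing. A raw key
// such as "mit" fails it, which is why passing the key straight through as
// the SPDX id does not work under the assumption above.
func isApproved(spdxID string) bool { return approvedSPDX[spdxID] }

// fakeGitLab serves constructed responses so the example runs offline:
// project 278964 returns the MIT block quoted in the issue, project 1 an
// Apache-2.0 block shaped the same way, anything else a 404.
func fakeGitLab() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("license") != "yes" {
			fmt.Fprint(w, `{"id":1}`) // without license=yes the block is omitted
			return
		}
		switch strings.TrimPrefix(r.URL.Path, "/api/v4/projects/") {
		case "278964":
			fmt.Fprint(w, `{"id":278964,"license":{"key":"mit","name":"MIT License","nickname":null,"html_url":"https://opensource.org/licenses/MIT","source_url":null}}`)
		case "1":
			fmt.Fprint(w, `{"id":1,"license":{"key":"apache-2.0","name":"Apache License 2.0","nickname":null,"html_url":"https://www.apache.org/licenses/LICENSE-2.0","source_url":null}}`)
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	srv := fakeGitLab()
	defer srv.Close()
	for _, id := range []int{278964, 1, 99} {
		lic, err := fetchProjectLicense(srv.URL, "dummy-token", id)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		spdx, _ := spdxFromGitLabKey(lic.Key)
		fmt.Printf("project %d: key=%q spdx=%q approved(raw)=%v approved(mapped)=%v\n",
			id, lic.Key, spdx, isApproved(lic.Key), isApproved(spdx))
	}
}
```

Against a real instance, replace srv.URL with https://gitlab.com and the dummy token with a GITLAB_AUTH_TOKEN; the query parameter and the PRIVATE-TOKEN header are the documented GitLab REST conventions, but whether every key GitLab emits lines up with an SPDX id by case alone is the assumption to verify before relying on it.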

@spencerschrock
Member

Note: We don't have any good way of getting the SPDX info for local repos either, but that sounds harder since it's something we'd need to detect ourselves

@raghavkaul
Contributor

Yes, we'd need the license's SPDXId. For GitHub, we use the API:

SPDXId: bodyJSON.GetLicense().GetSPDXID(),

We don't have an equivalent for GitLab, but for some reason it doesn't work to simply add SPDXId: l.Key, to

I can take a look further, assigning to self. Wrt. SPDX Id for local repos, can we do some kind of fuzzy matching on License name?
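One shape the fuzzy matching asked about above could take, as an added example that is not Scorecard's detector: normalize the head of a local LICENSE file (lowercase, strip punctuation, collapse whitespace) and look for the distinctive title phrase of each well-known license as a whole-word sequence. The marker table, the helper names (normalize, detectSPDXFromText) and the sample license headers are constructed by me; the caveat it also shows is that a license text without a recognizable title (many BSD variants) yields nothing, so this can only supplement, not replace, an API-supplied SPDX id.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// licenseTitleMarkers is a constructed table: a phrase that appears in the
// title block of the canonical text, mapped to the SPDX id. Order matters
// only in that the first match wins.
var licenseTitleMarkers = []struct{ phrase, spdx string }{
	{"apache license version 2.0", "Apache-2.0"},
	{"mit license", "MIT"},
	{"gnu general public license version 3", "GPL-3.0"},
	{"mozilla public license version 2.0", "MPL-2.0"},
}

// nonAlnum matches everything we throw away; "." is kept so "2.0" survives.
var nonAlnum = regexp.MustCompile(`[^a-z0-9.]+`)

// normalize lowercases, replaces punctuation and whitespace runs with a single
// space and trims, so "Apache License\n   Version 2.0, January 2004" and
// "APACHE LICENSE, VERSION 2.0" compare the same way.
func normalize(s string) string {
	return strings.TrimSpace(nonAlnum.ReplaceAllString(strings.ToLower(s), " "))
}

// detectSPDXFromText inspects only the first 400 normalized characters, where
// a title lives, and matches each marker as a whole-word sequence (padded with
// spaces) so that e.g. "permit license" cannot match "mit license".
// Returns "" when no marker is found.
func detectSPDXFromText(text string) string {
	head := normalize(text)
	if len(head) > 400 {
		head = head[:400]
	}
	padded := " " + head + " "
	for _, m := range licenseTitleMarkers {
		if strings.Contains(padded, " "+m.phrase+" ") {
			return m.spdx
		}
	}
	return ""
}

// Constructed sample inputs: the opening lines of the two license texts
// discussed in the issue, plus a prose file with no recognizable title.
const apacheHeader = "                                 Apache License\n" +
	"                           Version 2.0, January 2004\n" +
	"                        http://www.apache.org/licenses/\n"

const mitHeader = "MIT License\n\nCopyright (c) 2023 Example Project\n\nPermission is hereby granted, free of charge..."

const untitledText = "This software is provided as-is.\nPermit license holders to copy it freely."

func main() {
	for name, text := range map[string]string{"apache": apacheHeader, "mit": mitHeader, "untitled": untitledText} {
		fmt.Printf("%-8s -> %q\n", name, detectSPDXFromText(text))
	}
}
```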

@raghavkaul raghavkaul self-assigned this Aug 16, 2023
@spencerschrock
Member

> We don't have an equivalent for GitLab, but for some reason it doesn't work to simply add SPDXId: l.Key, to

Does the license GetProjectOptions here not work? I believe this is the library version of the stack overflow I posted above:

func (handler *projectHandler) setup() error {
	handler.once.Do(func() {
		proj, _, err := handler.glClient.Projects.GetProject(handler.repourl.projectID, &gitlab.GetProjectOptions{})
		if err != nil {
