
RFC: Specify a license for vulnerablecode Data

Open DennisClark opened this issue 3 years ago • 8 comments

We need to specify a license for vulnerablecode Data. Workable candidates include:

cdla-permissive-1.0 https://cdla.io/permissive-1-0/ https://spdx.org/licenses/CDLA-Permissive-1.0.html

and

cc-by-4.0 http://creativecommons.org/licenses/by/4.0/legalcode https://spdx.org/licenses/CC-BY-4.0.html

Both licenses are also in the scancode list.

DennisClark avatar Nov 18 '20 19:11 DennisClark

@pombredanne Regarding the overly complex aspect of the cdla-permissive-1.0 license text that you were concerned about, I did a quick comparison between the texts of it and cc-by-4.0, and discovered that the amount of text in cdla-permissive-1.0 is roughly 60% of the amount of text in cc-by-4.0. So maybe one is still easier to read and understand than the other, but cc-by-4.0 is definitely way more verbose.

As before, I see it as a coin toss, and if you still prefer cc-by-4.0, that's ok with me.

DennisClark avatar Nov 19 '20 19:11 DennisClark

@pombredanne I did find, I think, a substantive difference between the two licenses. cc-by-4.0 contains the following statement:

1 Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:

whereas the other license has

3.2. You may provide additional or different license terms and conditions for use, reproduction, or distribution of that Enhanced Data, or for any combination of Data and Enhanced Data as a whole, provided that Your Use and Publication of that combined Data otherwise complies with the conditions stated in this License.

This tells me that if we want to prevent any sublicensing (and I'm not at all sure if we do, and have no opinion on that) then we might want to use cc-by-4.0; otherwise, the cdla-permissive-1.0 is less restricted and more "free", with the main emphasis being on attribution.

DennisClark avatar Nov 19 '20 19:11 DennisClark

@DennisClark Thank you ++

Some extra considerations as we are integrating other data:

  • from the NVD, and the terms of these are summarized nicely here: https://github.com/google/vulncode-db#third-party-data
  • you can see the details here: https://github.com/nexB/vulnerablecode/blob/1959a22bda489483e8c3a049484a1f8fa3330318/vulnerabilities/importer_yielder.py#L25 . We still have several gaps in the actual licenses for each of these.

So our license would be IMHO for:

  • the overall collection
  • the additions and updates we are doing

pombredanne avatar Nov 20 '20 10:11 pombredanne

Here is what I think makes the most sense:

  1. overall data (including any future curations) is licensed CC-BY-4.0 ... this is AFAIK compatible with the licenses of all supported datasources (and several use this license)
  2. we track each data source's license

pombredanne avatar Jun 04 '21 07:06 pombredanne

Old notice is:

# Copyright (c) nexB Inc. and others. All rights reserved.
# http://nexb.com and https://github.com/nexB/vulnerablecode/
# The VulnerableCode software is licensed under the Apache License version 2.0.
# Data generated with VulnerableCode require an acknowledgment.
#
# You may not use this software except in compliance with the License.
# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
#
# When you publish or redistribute any data created with VulnerableCode or any VulnerableCode
# derivative work, you must accompany this data with the following acknowledgment:
#
#  Generated with VulnerableCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
#  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
#  VulnerableCode should be considered or used as legal advice. Consult an Attorney
#  for any legal advice.
#  VulnerableCode is a free software code scanning tool from nexB Inc. and others.
#  Visit https://github.com/nexB/vulnerablecode/ for support and download.

Here is the proposed new notice with the CC-BY-4.0 license:

Copyright (c) nexB Inc. and others. All rights reserved.
VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-4.0

VulnerableCode software is licensed under the Apache License version 2.0.
VulnerableCode data is licensed collectively under CC-BY-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the Apache-2.0 license text.
See https://creativecommons.org/licenses/by/4.0/legalcode for the CC-BY-4.0 license text.

See https://github.com/nexB/vulnerablecode for support or download.
See https://aboutcode.org for more information about nexB OSS projects.

pombredanne avatar Jan 29 '22 22:01 pombredanne

@sbs2001 @Hritik14 @tardyp @haikoschol @kartiksibal @rolfschr @tushar912 ping! Any feedback?

pombredanne avatar Jan 29 '22 22:01 pombredanne

Actually, since we have data that is CC-BY-SA, the minimal shared common denominator for the data is going to be CC-BY-SA and not CC-BY.

pombredanne avatar Jun 12 '22 13:06 pombredanne

For background, Alpine, gentoo, victims, Alma and vulncode among others are using the CC-BY-SA license for their data.

So I am going to apply this to the code:

#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/nexB/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

And have this in the top level notice:

#
# Copyright (c) nexB Inc. and others. All rights reserved.
# VulnerableCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0
# VulnerableCode software is licensed under the Apache License version 2.0.
# VulnerableCode data is licensed collectively under CC-BY-SA-4.0.
# See https://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.
#
# See https://github.com/nexB/vulnerablecode for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

And this in the UI:

VulnerableCode is free software by nexB Inc. and others.
The source code is licensed under Apache 2.0. The data is licensed under CC-BY-SA-4.0.

pombredanne avatar Jun 17 '22 21:06 pombredanne

This has been merged.

pombredanne avatar Sep 08 '22 22:09 pombredanne