License issue?

Open priv-kweihmann opened this issue 3 years ago • 9 comments

Looking at https://github.com/returntocorp/semgrep-rules/blob/5e37d4c37c39816895f9d1cdbb42226a7c4ae3d2/ruby/lang/security/ssl-mode-no-verify.rb#L1

I'm a bit confused - this repo claims to be LGPL-2.1 & Commons-Clause-1.0 but the site that most of the code is copied from isn't LGPL licensed at all (more or less the original repo is licensed under some proprietary license, which basically forbids usage in any commercial environment without a commercial license of the original tool).

With this in mind (IANAL, but) I think this should be reflected in the repo's license.

BTW: If I pulled this rule from https://semgrep.dev/p/ruby I wouldn't even know that I'm committing 2 license infringements when using it in a commercial (or even remotely commercial) environment. First I would violate the Commons-Clause-1.0 here, and secondly the one from here: https://github.com/presidentbeef/brakeman/blob/main/LICENSE.md

priv-kweihmann avatar Apr 18 '21 11:04 priv-kweihmann

Thank you @priv-kweihmann, I am investigating.

daghan avatar Apr 20 '21 17:04 daghan

Relatedly: https://github.com/returntocorp/semgrep/issues/4281

We are working on this with the lawyers, but it will be a while till we have an update.

ievans avatar Dec 01 '21 21:12 ievans

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Mar 29 '22 01:03 stale[bot]

We do have a plan here; see messaging in the community Slack. We haven't executed the change on the repo yet.

ievans avatar Mar 30 '22 20:03 ievans

see messaging in community slack

It would be ideal if you could copy+paste this announcement here for those of us who don't want to join the Slack server just to read one message.

djmattyg007 avatar May 08 '22 01:05 djmattyg007

Hi — any updates on this, particularly since https://github.com/returntocorp/semgrep/issues/4281 is now resolved?

tapdiego-amzn avatar Jun 03 '22 21:06 tapdiego-amzn

see messaging in community slack

This seems to refer to this message:

Pablo Estrada (r2c):

Hi all,

We’re announcing upcoming changes to Semgrep & rules licensing: Semgrep will be GPL-licensed and most rules will be MIT licensed.

Most users are not affected by the changes.

The changes serve two purposes:

  • Respect the open-source community by putting all community-contributed and many r2c-written rules under a true free and open-source (FOSS) license (MIT)
  • Prevent Semgrep and some r2c-written rules from being commercialized by non-contributing companies so that we can build a sustainable business around Semgrep, while allowing other FOSS software to leverage Semgrep and its rules.

Semgrep is now licensed under GPL v3 rather than LGPL. “Any modifications to or software including GPL-licensed code must also be made available under the GPL” - tldr on GPL

  • This better reflects Semgrep CLI’s transition to a full application rather than a library [1].
  • Impact: If you publicly redistribute Semgrep (not just distributing inside your company), your wrapper package should be GPL-compatible. If this is an issue for your use of Semgrep, please tell us before we make the change!

Most Semgrep rules are now MIT licensed. “Basically, you can do whatever you want as long as you include the original license notice in any copy of the rules” - tldr on MIT license.

  • All community-contributed rules are now MIT-licensed.
  • Some rules written by r2c are now under a new Semgrep Registry license that allows commercial use exclusively through semgrep.dev. [2]
    • Impact: You are unaffected unless you are offering a commercial service (competitive with semgrep.dev) that scans code with these rules.

Thanks to the many contributors who have added code to the engine and rules and given us permission to make this change (via our contributor license agreement). We are delighted to be part of the open-source community.

Footnotes:

  • MIT license
  • GNU General Public License (GPL)
  • [1] Semgrep’s previous license, LGPL, explicitly allows this transition to GPL.
  • [2] Previously, all the rules were licensed with LGPL under the Commons Clause. This caused confusion for users as LGPL, an Open Source Initiative (OSI)-approved license, can be argued to not be compatible with the non-free Commons Clause. We worked with the lawyer who created the original Commons Clause to draft the new license.

Sjord avatar Aug 18 '22 13:08 Sjord

Getting back to the original example, the code still does a license infringement: if the comment is correct, the code is licensed under https://github.com/presidentbeef/brakeman/blob/df2ac8c98a649a5f7b47a42bc17d2ce4ab0e26ec/LICENSE.md, which prohibits commercial use or "Using the Software as a component of a value-added service/product", which this rule (and therefore the code) does when added to local semgrep (which is then supposedly MIT) or via SaaS (r2c's special license).

To me this still is fishy and unclear, especially as the LICENSE in semgrep-rules still says everything is LGPL + Commons-Clause-1.0.

Even as I welcome the statement, I simply don't see it reflected in the actual code yet.

priv-kweihmann avatar Aug 18 '22 16:08 priv-kweihmann

The document in brakeman we link to is actually under the MIT license (https://github.com/presidentbeef/brakeman/blob/v3.6.2/MIT-LICENSE, https://github.com/presidentbeef/brakeman/blob/v3.6.2/docs/warning_types/ssl_verification_bypass/index.markdown), so for this specific case there is likely no issue. We'll update the pointer.

In general, the example code we show is not included when rules get sent from the registry and is not included when you run a rule.

The changes in the statement above are in progress :D

brendongo avatar Aug 18 '22 23:08 brendongo

I am going to close this ticket, as it's causing confusion to people who visit it; this thread has inaccurate information.

Our accurate license information can be viewed here https://semgrep.dev/docs/licensing/#semgrep-registry-license

If you need further help regarding license information, please reach out to support [at] r2c.dev

LewisArdern avatar Jun 14 '23 00:06 LewisArdern