Comments (6)
We have requested this review, they say about 1 more week until they can generate the report.
Thanks for your patience.
Any update on this, @hythloda?
Just closing up some open issues. We finally got the IP review on July 26 and I passed it to @mlieberman85, forgetting that it was also in this GitHub thread. Here it is in case anyone else needs it:
LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: GUAC
- This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX [https://security.lfx.linuxfoundation.org/], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.
CODE SCANNED: https://github.com/guacsec/guac [pulled 11-July-2023]
PROJECT LICENSE: Apache-2.0
SPDX LICENSE IDENTIFIERS: SPDX license identifiers were not found in any source file headers.
- Copyright and License statements were found in source file headers.
- We recommend that SPDX license identifiers be added to ALL source file headers. [see https://spdx.dev/ids for examples]
PERMISSIVE LICENSES: Apache-2.0, CC0-1.0, BSD-3-Clause, Zlib, MIT, CC-BY-4.0
COPYLEFT LICENSES: GPL-2.0 [external dependency / test data]
- NOTE: Copyleft licenses in external dependencies may or may not cause a license conflict, depending on how the dependent code is used, integrated, and distributed by the end user. Since this appears to be test data only, it is likely not a problem, but should still be checked to be sure.
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-small-spdx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-spdx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/distroless-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/quarkus-deps-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/big-mongo-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/oci-spdx.json
PROPRIETARY LICENSES: None found
LICENSE CONFLICTS: None found, however see above NOTE in copyleft licenses.
BINARY / PACKAGE FILES: None found
THIRD PARTY CODE / DEPENDENCIES: None found, however see above NOTE in copyleft licenses.
THIRD PARTY NOTICE FILE: None found
SUMMARY FINDINGS: The code is licensed under the Apache-2.0 license, which is the project license. SPDX license identifiers were not found and should be added to all source file headers. No license conflicts found. References to GPL-2.0 were found in test data files; these are most likely not an issue, but it should be confirmed that there is no actual GPL-licensed code in your repository.
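The two follow-ups the scan above asks for (add SPDX identifiers to every source header, and confirm that the GPL-2.0 references live only in SBOM test data rather than in shipped code) are both easy to automate. The script below is an added example, not part of the review, the thread, or the GUAC project: it walks a tree of `.go` files and reports those whose first ten lines carry no `SPDX-License-Identifier:` tag, and it parses a CycloneDX JSON document (handling both `license.id`/`license.name` entries and SPDX `expression` strings) to list which components reference a copyleft license. The file names, SBOM components, and the copyleft prefix list are constructed for the demo; the real test-data SBOMs linked above would be read from disk with `json.load` in the same way.

```python
import itertools
import json
import re
import tempfile
from pathlib import Path

# Constructed sample sources (hypothetical, not files from the GUAC repo):
# one file has an SPDX tag, one has only a copyright/license sentence,
# and one has no header at all.
SAMPLE_SOURCES = {
    "pkg/good.go": "// Copyright 2023 The GUAC Authors.\n// SPDX-License-Identifier: Apache-2.0\npackage pkg\n",
    "pkg/nospdx.go": "// Copyright 2023 The GUAC Authors.\n// Licensed under the Apache License, Version 2.0\npackage pkg\n",
    "cmd/main.go": "package main\n\nfunc main() {}\n",
}

# Constructed CycloneDX 1.4 fragment (hypothetical components, not real test data).
SAMPLE_CYCLONEDX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "alpine-baselayout", "version": "3.4.0",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"name": "musl", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "zlib", "version": "1.2.13",
         "licenses": [{"license": {"name": "Zlib"}}]},
        {"name": "busybox", "version": "1.36.0",
         "licenses": [{"expression": "GPL-2.0-only OR MIT"}]},
    ],
}

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*(\S.*)")
# Assumed copyleft families to flag; extend to match your own policy.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-", "MPL-", "EPL-", "CDDL-")
HEADER_LINES = 10  # only the top of the file is considered a header


def scan_spdx_headers(root, suffixes=(".go",)):
    """Return the files under root (relative POSIX paths, sorted) whose
    first HEADER_LINES lines contain no SPDX-License-Identifier tag."""
    missing = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        with path.open(encoding="utf-8", errors="replace") as f:
            head = "".join(itertools.islice(f, HEADER_LINES))
        if not SPDX_TAG.search(head):
            missing.append(path.relative_to(root).as_posix())
    return missing


def component_licenses(component):
    """Flatten a CycloneDX component's licenses into a list of identifiers.
    SPDX expressions are split on whitespace/parentheses; AND/OR/WITH are dropped."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.extend(tok for tok in re.split(r"[\s()]+", entry["expression"])
                       if tok and tok not in ("AND", "OR", "WITH"))
        elif "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name", "UNKNOWN"))
    return ids


def find_copyleft(sbom):
    """Map 'name@version' -> [copyleft identifiers] for components that
    reference any license in COPYLEFT_PREFIXES."""
    hits = {}
    for comp in sbom.get("components", []):
        flagged = [lic for lic in component_licenses(comp)
                   if lic.upper().startswith(COPYLEFT_PREFIXES)]
        if flagged:
            hits[f"{comp.get('name')}@{comp.get('version', '')}"] = flagged
    return hits


def run_demo():
    """Materialise the sample sources in a temp dir, run both checks, return results."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_SOURCES.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text, encoding="utf-8")
        missing = scan_spdx_headers(tmp)
    return missing, find_copyleft(SAMPLE_CYCLONEDX)


if __name__ == "__main__":
    missing, copyleft = run_demo()
    print("Files without SPDX-License-Identifier:", missing)
    print("Components referencing copyleft licenses:")
    print(json.dumps(copyleft, indent=2))
```

Pointing `scan_spdx_headers` at the repository root answers the "ALL source file headers" recommendation mechanically, and running `find_copyleft` over each linked SBOM shows that the GPL-2.0 strings belong to components described by the SBOM, not to the repository's own source; pairing the two checks in CI keeps the finding closed.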
And a note: the COPYLEFT licenses found were from test data SBOMs. No GPL code is in GUAC itself, just references in SBOMs GUAC uses for tests.
Do we view this as now completed or is there anything else we have to do?
I think your comments cleared up any concerns I had about the copyleft licensing. Since no one else commented with concerns, we can close this as complete and passed.