
[License scan] CVE-BIN License Scanning

Open kj-powell opened this issue 3 months ago • 7 comments

CVE-BIN is being onboarded to OpenSSF. Could we please have their license scanned as part of their application?

Repo: https://github.com/intel/cve-bin-tool
License: GPLv3

cc @jeffcshapiro

kj-powell, Oct 13 '25 20:10

@kj-powell I can do an intake scan.

First question I have is: this repo is under GPLv3, which is likely incompatible with the typical licenses that LF and OpenSSF projects use (e.g. Apache-2.0). Has this project/license been approved by the OpenSSF governing board?

jeffcshapiro, Oct 14 '25 11:10

The OpenSSF Charter section 4(a) requires OpenSSF Governing Board approval for the use of licenses other than:

The OpenSSF (and Linux Foundation) can use other licenses, as noted, but it requires Governing Board approval. That request can be handled electronically. Typically the WG lead would ask OpenSSF staff or TAC to bring that to the governing board for approval. I wouldn't call it incompatible, I would say "requires GB approval".

david-a-wheeler, Oct 14 '25 12:10

@jeffcshapiro @david-a-wheeler The Governance Committee asked for us to do the license scan first before bringing it to the GB in this case.

kj-powell, Oct 14 '25 12:10

@kj-powell - thanks for the clarification, that makes sense!

david-a-wheeler, Oct 14 '25 12:10

Some info from CVE-BIN: They wanted to mention that the condensed-download directory does not contain actual binaries. The files contain string information for corresponding binaries.

kj-powell, Oct 14 '25 18:10

I've done the scan and I'm working on the report. There are a lot of different licenses in the codebase, including of course GPLv3 and LGPL, and several permissive licenses. There is also a reference to AGPL which is a problem.

Another concern is that there are a lot of binaries present such as tar files, which makes it hard to tell how the code interacts.

Also there are a lot of copyrights which indicates many contributors, this is likely a problem if the code is intended to be re-licensed. Will update when the report is ready.

jeffcshapiro, Oct 15 '25 20:10

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: cve-bin-tool

DISTRIBUTION: [email protected], [email protected]

  • This License Intake Scan is a static analysis of the source code in your repository. A dependency scan was not performed. If a full baseline scan is done, a dependency analysis plus SBOM will be provided. Once a project is added to LFX [https://security.lfx.linuxfoundation.org], you can also use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED: [pulled 15-Oct-2025] (1 repo scanned)

  • https://github.com/intel/cve-bin-tool

PROJECT LICENSES: GPL-3.0

  • Top level project license file found.

SPDX LICENSE IDENTIFIERS: SPDX license identifiers were found in source file headers.

PERMISSIVE OPEN SOURCE LICENSES: Apache-2.0, MIT, BSD-3-Clause, BSD-2-Clause, BSD-Style, Zlib

  • See https://spdx.org/licenses/ for more info on licenses.

STRONG COPYLEFT OPEN SOURCE LICENSES: GPL-3.0 (project license), GPL-2.0, AGPL-3.0

  • AGPL-3.0 was found in this file:
  • /cve-bin-tool-main/test/condensed-downloads/ceph-base_10.2.11-2_amd64.deb.tar.gz/ceph-base_10.2.11-2_amd64.deb.tar/ceph-base_10.2.11-2_amd64.deb/data.tar.xz/usr/lib/python2.7/dist-packages/ceph_detect_init/exc.py

WEAK COPYLEFT OPEN SOURCE LICENSES: LGPL-2.1, LGPL-2.0

OTHER OPEN SOURCE LICENSES: None found

SOURCE AVAILABLE LICENSES: None found

PROPRIETARY LICENSES: None found

OTHER LICENSES: None found

LICENSE CONFLICTS: Since the project license is GPL-3.0, all permissive licenses are effectively released under the copyleft terms of the GPL. The file under AGPL presents a potential license conflict, and I strongly recommend that this file be removed from your repo.

BINARY / PACKAGE FILES: Numerous binary files were found, including .so, tar, and zip files - these contain many files with embedded licenses. Licenses were analyzed where they were detected during the scan, but it's likely that not all embedded licenses were found.

THIRD PARTY CODE / DEPENDENCIES: Build files were found with references to 3rd party external dependencies, e.g. requirements.txt

  • NOTE: These files/folders contain external references to 3rd party dependencies. Unless the code is copied into your project’s repos, source code for these dependencies was not scanned, and any potential license conflicts will not be reported here.

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: The project is under the GPL-3.0 License - This license must be approved by your governing board. The code under AGPL-3.0 should be removed from your codebase.

jeffcshapiro, Nov 07 '25 10:11
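The report above attributes the AGPL-3.0 header to a file several archive layers deep (.tar.gz > .tar > .deb > data.tar.xz > exc.py) and warns that licenses embedded in tarballs and packages are easy to miss. The block below is an added example, not part of this thread and not the scanner used for the intake report, showing how such a recursive SPDX scan works: each leaf file is grep-scanned for `SPDX-License-Identifier:` headers, tar archives and the ar(1) container that .deb uses are opened in memory and descended into, and the identifiers found are bucketed along the report's own headings (permissive, weak copyleft, strong copyleft) with AGPL-3.0 flagged. The category table, the `AGPL-3.0` flag and all function names are assumptions for illustration; the nested sample archive is constructed inside the block and is not taken from the cve-bin-tool repository.

```python
"""Recursive SPDX-License-Identifier scan that descends into nested archives (tar, and the ar(1)
container used by .deb). Added illustration, not the intake scanner; category buckets are an assumption."""
import io
import re
import tarfile

SPDX_RE = re.compile(  # parenthesised SPDX expressions are not handled
    rb"SPDX-License-Identifier:[ \t]*([A-Za-z0-9.+\-]+"
    rb"(?:[ \t]+(?:OR|AND|WITH)[ \t]+[A-Za-z0-9.+\-]+)*)")
TAR_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".txz")
CATEGORIES = {  # assumption: mirrors the report's permissive / weak / strong headings
    "permissive": {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "Zlib", "ISC"},
    "weak-copyleft": {"LGPL-2.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0"},
    "strong-copyleft": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
}

def categorize(ident):
    """Bucket one identifier; GPL-3.0-only / GPL-3.0-or-later fold onto GPL-3.0."""
    base = re.sub(r"-(only|or-later)$", "", ident)
    return next((cat for cat, ids in CATEGORIES.items() if base in ids), "other")

def _iter_ar(data):
    """Yield (name, bytes) for each member of an ar(1) archive (the .deb outer layer)."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    off = 8
    while off + 60 <= len(data):
        hdr = data[off:off + 60]  # fixed 60-byte member header
        name = hdr[:16].decode("ascii", "replace").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, data[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)  # members are 2-byte aligned

def _children(name, data):
    """Yield (child_path, child_bytes) if `data` is an archive we can open, else nothing."""
    try:
        if name.lower().endswith(TAR_SUFFIXES):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    if m.isfile():
                        yield f"{name}/{m.name}", tf.extractfile(m).read()
        elif name.lower().endswith(".deb"):
            for child, blob in _iter_ar(data):
                yield f"{name}/{child}", blob
    except (tarfile.TarError, ValueError):
        return  # extension lied or archive is corrupt: treat as opaque bytes

def scan_blob(name, data, max_depth=4, found=None):
    """Return {spdx_id: [paths]} for `data`, recursing into nested archives."""
    found = {} if found is None else found
    descended = False
    if max_depth > 0:
        for child_name, child in _children(name, data):
            descended = True
            scan_blob(child_name, child, max_depth - 1, found)
    if not descended:  # leaf file: grep its bytes for SPDX headers
        for m in SPDX_RE.finditer(data):
            for ident in re.split(r"\s+(?:OR|AND|WITH)\s+", m.group(1).decode("ascii", "replace")):
                found.setdefault(ident, []).append(name)
    return found

def report(found, flag=("AGPL-3.0",)):
    """Bucket identifiers by category and list the files carrying a flagged license."""
    by_cat, flagged = {}, []
    for ident, paths in found.items():
        by_cat.setdefault(categorize(ident), set()).add(ident)
        if ident.startswith(flag):
            flagged.extend(paths)
    return by_cat, sorted(set(flagged))

def _tar_bytes(members, mode):  # fixture helper: in-memory tarball from {path: bytes}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        for path, data in members.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def _ar_bytes(members):  # fixture helper: minimal ar(1) archive from {name: bytes}
    out = bytearray(b"!<arch>\n")
    for name, data in members.items():
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def build_sample_fixture():
    """Constructed sample (not from the cve-bin-tool repo): .tar.gz > .deb > data.tar.xz > exc.py."""
    exc_py = b"# SPDX-License-Identifier: AGPL-3.0-or-later\nclass InitError(Exception):\n    pass\n"
    data_tar_xz = _tar_bytes({"usr/lib/python2.7/dist-packages/pkg/exc.py": exc_py}, "w:xz")
    deb = _ar_bytes({"debian-binary": b"2.0\n", "data.tar.xz": data_tar_xz})
    cli_py = b"# SPDX-License-Identifier: MIT OR Apache-2.0\nprint('hi')\n"
    return _tar_bytes({"cli.py": cli_py, "sample-pkg_1.0_amd64.deb": deb}, "w:gz")

if __name__ == "__main__":
    by_cat, flagged = report(scan_blob("fixture.tar.gz", build_sample_fixture()))
    for cat, ids in sorted(by_cat.items()):
        print(f"{cat}: {', '.join(sorted(ids))}")
    print("flagged:", *flagged, sep="\n  ")
```

On a real checkout you would walk the tree and call `scan_blob` with each file's relative path and bytes, then hand the merged dictionary to `report`. The `max_depth` argument bounds how many archive layers are opened, which matters for test fixtures that nest packages inside packages; an archive that the scanner cannot open (wrong extension, truncated, not really an ar file) is grepped as opaque bytes rather than skipped, so an SPDX header in a misnamed text file is still reported. The scan looks only at SPDX headers, so a license granted in a LICENSE file or a free-text comment is not attributed to individual files here, which is the same limitation the report notes for embedded licenses.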