[License scan] CVE-BIN License Scanning

[kj-powell]

CVE-BIN is being onboarded to OpenSSF. Could we please have their license scanned as part of their application?

Repo: https://github.com/intel/cve-bin-tool
License: GPLv3

cc @jeffcshapiro

[jeffcshapiro]

@kj-powell I can do an intake scan.

1st question I have is, this repo is under GPLv3 which is likely incompatible with the typical licenses that LF and OpenSSF projects use (e.g. Apache-2.0). Has this project/license been approved by the OpenSSF governing board?

[david-a-wheeler]

The OpenSSF Charter section 4(a) requires OpenSSF Governing Board approval for the use of licenses other than:

• Software source code: Apache 2.0, MIT
• Data: a Community Data License Agreement
• Specifications: Community Specification License, Version 1.0
• All other Documentation: [Creative Commons Attribution 4.0 International License](https://creative
  commons.org/licenses/by/4.0/)

The OpenSSF (and Linux Foundation) can use other licenses, as noted, but it requires Governing Board approval. That request can be handled electronically. Typically the WG lead would ask OpenSSF staff or TAC to bring that to the governing board for approval. I wouldn't call it incompatible, I would say "requires GB approval".

[kj-powell]

@jeffcshapiro @david-a-wheeler The Governance Committee asked for us to do the license scan first before bringing it to the GB in this case.

[david-a-wheeler]

@kj-powell - thanks for the clarification, that makes sense!

[kj-powell]

Some info from CVE-BIN: They wanted to mention that the condensed-download directory does not contain actual binaries. The files contain string information for corresponding binaries.

[jeffcshapiro]

I've done the scan and I'm working on the report. There are a lot of different licenses in the codebase, including of course GPLv3 and LGPL, and several permissive licenses. There is also a reference to AGPL which is a problem.

Another concern is that there are a lot of binaries present such as tar files, which makes it hard to tell how the code interacts.

Also there are a lot of copyrights which indicates many contributors, this is likely a problem if the code is intended to be re-licensed. Will update when the report is ready.