Commercial use for Current version trivy's license. #1798

Closed
bluefriday opened this issue Mar 6, 2022 · 4 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. triage/support Indicates an issue that is a support question.

Comments


bluefriday commented Mar 6, 2022

In a previous version (v0.17.0), there were some data sources in trivy that were non-commercial.


After two releases, the current version does not appear to have any non-commercial data sources.


However, in the case of a specific data source (Ruby Advisory Datasource), the data source remains the same; only the status has been changed to Commercial Use.
(I mean, 'Ruby Advisory Database' still remains in the 'trivy' data source list.)

Ruby Advisory Database
https://github.com/rubysec/ruby-advisory-db/blob/master/LICENSE.txt

> However, not all of the ruby-advisory-db can be considered public domain.
> The ruby-advisory-db may contain some information copyrighted by the Open
> Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db
> data to build a product or a service, it is your responsibility to familiarize
> yourself with the terms of their license: http://www.osvdb.org/osvdb_license
> (you may need to use a web archive service to view the license).

I wonder if there will be any problem even if all current trivy data sources, including OSVDB, are used commercially.

@bluefriday bluefriday added the triage/support Indicates an issue that is a support question. label Mar 6, 2022
@bluefriday bluefriday changed the title from "Commercial License for Current version trivy." to "Commercial use for Current version trivy's license." Mar 6, 2022
@knqyf263
Collaborator

knqyf263 commented Mar 6, 2022

We tried to remove OSV advisories.
rubysec/ruby-advisory-db#456

But some of the OSV advisories still remain.
rubysec/ruby-advisory-db#487

We skipped them in the below PR.
aquasecurity/trivy-db#148

@bluefriday
Author

> We tried to remove OSV advisories. rubysec/ruby-advisory-db#456
>
> But some of the OSV advisories still remain. rubysec/ruby-advisory-db#487
>
> We skipped them in the below PR. aquasecurity/trivy-db#148

Thanks for your reply.
I understand now that the current Trivy DB is available for commercial use :D
But I don't know why the 'Ruby Advisory Database' still exists in the Trivy data source list (https://github.com/aquasecurity/trivy/blob/main/docs/vulnerability/detection/data-source.md).

@knqyf263
Collaborator

knqyf263 commented Mar 9, 2022

As you can see in the above PR, we didn't drop Ruby Advisory Database completely. We dropped only the advisories from OSVDB.

@github-actions

github-actions bot commented May 9, 2022

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 9, 2022