[Project contribution] IP policy and license review for GUAC #179

Closed
mlieberman85 opened this issue Jun 20, 2023 · 6 comments

@mlieberman85
Contributor

GUAC maintainers (Kusari, Google, etc.) would like to contribute GUAC to the OpenSSF as a sandbox project. Based on TAC approval, we have gotten interest from the Supply Chain Integrity WG and would want them to sponsor the contribution, assuming we get through TAC approval.

As part of the submission we need "a one-time IP policy and license review with The Linux Foundation"[1], which this issue is created to track.

@hythloda
Member

We have requested this review, they say about 1 more week until they can generate the report.
Thanks for your patience.

@bobcallaway
Contributor

Any update on this @hythloda ?

@hythloda
Member

hythloda commented Aug 11, 2023

Just closing up some open issues. We finally got the IP review on July 26 and I passed it to @mlieberman85, forgetting that it was also in this GitHub thread. Here it is in case anyone else needs it:

LICENSE INTAKE SCAN & ANALYSIS:  OpenSSF:  GUAC

- This intake scan is a static analysis of the source code in your repository.  A dependency scan was not performed.  Once a project is added to LFX [https://security.lfx.linuxfoundation.org/], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.

CODE SCANNED:  https://github.com/guacsec/guac  [pulled 11–July-2023]

PROJECT LICENSE:  Apache-2.0

SPDX LICENSE IDENTIFIERS:  SPDX license identifiers were not found in any source file headers.
- Copyright and License statements were found in source file headers.
- We recommend that SPDX license identifiers be added to ALL source file headers.  [see https://spdx.dev/ids for examples]

PERMISSIVE LICENSES:  Apache-2.0, CC0-1.0, BSD-3-Clause, Zlib, MIT, CC-BY-4.0

COPYLEFT LICENSES:  GPL-2.0 [external dependency / test data]
- NOTE:  Copyleft licenses in external dependencies may or may not cause a license conflict, depending on how the dependent code is used, integrated, and distributed by the end user.  Since this appears to be test data only it is likely not a problem, but should still be checked to be sure.
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-small-spdx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/alpine-spdx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/distroless-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/quarkus-deps-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/big-mongo-cyclonedx.json
-- https://github.com/guacsec/guac/blob/main/internal/testing/testdata/exampledata/oci-spdx.json
 
PROPRIETARY LICENSES:  None found

LICENSE CONFLICTS:  None found, however see above NOTE in copyleft licenses.

BINARY / PACKAGE FILES:  None found

THIRD PARTY CODE / DEPENDENCIES:  None found, however see above NOTE in copyleft licenses.

THIRD PARTY NOTICE FILE:  None found

SUMMARY FINDINGS:  The code is licensed under the Apache-2.0 license, which is the project license.  SPDX license identifiers were not found and should be added to all source file headers.  No license conflicts found.  References to GPL-2.0 were found in test data files; these are most likely not an issue, but it should be confirmed that there is no actual GPL-licensed code in your repository.

@mlieberman85
Contributor Author

And a note about the COPYLEFT licenses: those found were from test data SBOMs. No GPL code is in GUAC itself, just references in SBOMs GUAC uses for tests.

@mlieberman85
Contributor Author

Do we view this as now completed or is there anything else we have to do?

@hythloda
Member

I think your comments cleared up any concerns I had about the copyleft licensing. Since no others commented with concerns, we can close as complete and passed.
