Commit
Signed-off-by: Tushar Goel <[email protected]>
Showing 1 changed file with 27 additions and 2 deletions.
@@ -17,8 +17,33 @@ | |
class XenImporter(Importer): | ||
|
||
url = "https://xenbits.xen.org/xsa/xsa.json" | ||
spdx_license_expression = "GPL-2" | ||
license_url = "https://wiki.xenproject.org/wiki/Xen_FAQ_General" | ||
spdx_license_expression = "LicenseRef-scancode-other-permissive" | ||
notice = """ | ||
From: George Dunlap <[email protected]> | ||
Date: Wed, Jan 25, 2023 at 4:57 PM | ||
Subject: Re: Usage of Xen Security Data in VulnerableCode | ||
To: Tushar Goel <[email protected]> | ||
Cc: Andrew Cooper <[email protected]>, [email protected] <[email protected]>, Xen Security <[email protected]>, Philippe Ombredanne <[email protected]>, <[email protected]> | ||
On Thu, Jan 19, 2023 at 1:10 PM Tushar Goel <[email protected]> wrote: | ||
> | ||
> Hi Andrew, | ||
> | ||
> > Maybe we want to make it CC-BY-4 to require people to reference back to | ||
> > the canonical upstream ? | ||
> Thanks for your response, can we have a more declarative statement on | ||
> the license from your end | ||
> and also can you please provide your acknowledgement over the usage of | ||
> Xen security data in vulnerablecode. | ||
Hey Tushar, | ||
Informally, the Xen Project Security Team is happy for you to include the data from xsa.json in your open-source vulnerability database. As a courtesy we'd request that it be documented where the information came from. (I think if the data includes links to then advisories on our website, that will suffice.) | ||
Formally, we're not copyright lawyers; but we don't think there's anything copyright-able in the xsa.json: There is no editorial or creative control in the generation of that file; it's just a collection of facts which you could re-generate by scanning all the advisories. (In fact that's exactly how the file is created; i.e., the collection of advisory texts is our "source of truth".) | ||
We do have "Officially license all advisory text as CC-BY-4" on our to-do list; if you'd be more comfortable with an official license for xsa.json as well, we can add that to the list. | ||
-George | ||
""" | ||
|
||
def advisory_data(self): | ||
data = fetch_response(self.url).json() | ||
|