What is the license ?

[ziadhany]

I am trying to import the Mandiant in vulnerablecode as part of my GSoC project. it will be great if we get the license
@pombredanne

[pombredanne]

FWIW this is tracked on our side in aboutcode-org/vulnerablecode#487 and aboutcode-org/vulnerablecode#795

[pombredanne]

@williballenthin @jhsmith @RonnieSalomonsen and team: gentle ping... if there is no license the data cannot be reused at all.

[williballenthin]

@aaronc100 do you have a preference or insights here?

[aaronc100]

I'd suggest referring to our general council. Aaron

…

On Tue, Oct 11, 2022 at 1:25 PM Willi Ballenthin ***@***.***> wrote: @aaronc100 <https://github.com/aaronc100> do you have a preference or insights here? — Reply to this email directly, view it on GitHub <#5 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA4EJKHYZY5IE6KITXUPJ33WCWWILANCNFSM53IEO24Q> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[williballenthin]

@aaronc100 given that you maintain this repo, can I ask that you take lead on this?

[aaronc100]

Absolutely. Please assign the ticket to me.

…

On Tue, Oct 11, 2022 at 2:21 PM Willi Ballenthin ***@***.***> wrote: @aaronc100 <https://github.com/aaronc100> given that you maintain this repo, can I ask that you take lead on this? — Reply to this email directly, view it on GitHub <#5 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA4EJKBAVOV2Q62LY5OUMCLWCW43VANCNFSM53IEO24Q> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[pombredanne]

@aaronc100 Thank you in advance: anything you will select as a license will work and be a good choice.
And FWIW, the more common licenses of vulnerability data we see these days are either CC-BY-4.0 or CC-BY-SA-4.0.

[pombredanne]

Some examples:

• CC-BY-SA-4.0.

  • https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/importers/alpine_linux.py#L41

• CC-BY-4.0.

  • https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/importers/redhat.py#L64

• MIT

  • https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/importers/gitlab.py#L79

• NVD has its own permissive license License not found for NVD importer aboutcode-org/vulnerablecode#665

[aaronc100]

I have updated our readme and source files (*.cpp). CVE information is CC BY-SA 4.0 and source files are MIT. Please let me know if this resolves this issue to satisfaction. Thanks! --Aaron

[pombredanne]

@aaronc100 and team: this is awesome and you rock. Thanks!

[aaronc100]

Licensing updated on repo.

[pombredanne]

Just for the record, since code and data are mixed in the files with the exception of these few PoC files in https://github.com/mandiant/Vulnerability-Disclosures/search?l=C%2B%2B&q=include , I will treat the effective resulting license of the collection as CC-BY-SA-4.0 AND MIT