Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/appsec/sca-blackduck/references/license_risk_guide.md
+++ b/skills/appsec/sca-blackduck/references/license_risk_guide.md
@@ -0,0 +1,472 @@
+# License Compliance Risk Assessment Guide
+
+## Table of Contents
+- [License Risk Categories](#license-risk-categories)
+- [Common Open Source Licenses](#common-open-source-licenses)
+- [License Compatibility](#license-compatibility)
+- [Compliance Workflows](#compliance-workflows)
+- [Legal Considerations](#legal-considerations)
+
+## License Risk Categories
+
+### High Risk - Copyleft (Strong)
+
+**Licenses**: GPL-2.0, GPL-3.0, AGPL-3.0
+
+**Characteristics**:
+- Requires derivative works to be open-sourced under same license
+- Source code distribution mandatory
+- AGPL extends to network use (SaaS applications)
+
+**Business Impact**: HIGH
+- May require releasing proprietary code as open source
+- Incompatible with most commercial software
+- Legal review required for any usage
+
+**Use Cases Where Allowed**:
+- Internal tools (not distributed)
+- Separate services with network boundaries
+- Dual-licensed components (use commercial license)
+
+**Example Compliance Violation**:
+```
+Product: Commercial SaaS Application
+Dependency: GPL-licensed library linked into application
+Issue: AGPL requires source code release for network-accessible software
+Risk: Legal liability, forced open-sourcing
+```
+
+### Medium Risk - Weak Copyleft
+
+**Licenses**: LGPL-2.1, LGPL-3.0, MPL-2.0, EPL-2.0
+
+**Characteristics**:
+- Copyleft applies only to modified library files
+- Allows proprietary applications if library used as separate component
+- Source modifications must be released
+
+**Business Impact**: MEDIUM
+- Safe if used as unmodified library (dynamic linking)
+- Modifications require open-sourcing
+- License compatibility considerations
+
+**Compliance Requirements**:
+- Keep library as separate, unmodified component
+- If modified, release modifications under same license
+- Attribute properly in documentation
+
+**Example Safe Usage**:
+```
+Product: Commercial Application
+Dependency: LGPL library via dynamic linking
+Status: COMPLIANT
+Reason: No modifications, used as separate component
+```
+
+### Low Risk - Permissive
+
+**Licenses**: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause
+
+**Characteristics**:
+- Minimal restrictions on use and distribution
+- No copyleft requirements
+- Attribution required
+- Apache-2.0 includes patent grant
+
+**Business Impact**: LOW
+- Generally safe for commercial use
+- Simple compliance requirements
+- Industry standard for most projects
+
+**Compliance Requirements**:
+- Include license text in distribution
+- Preserve copyright notices
+- Apache-2.0: Include NOTICE file if present
+
+### Minimal Risk - Public Domain / Unlicense
+
+**Licenses**: CC0-1.0, Unlicense, Public Domain
+
+**Characteristics**:
+- No restrictions
+- No attribution required (though recommended)
+
+**Business Impact**: MINIMAL
+- Safest for commercial use
+- No compliance obligations
+
+## Common Open Source Licenses
+
+### Permissive Licenses
+
+#### MIT License
+
+**SPDX**: MIT
+**OSI Approved**: Yes
+**Risk Level**: LOW
+
+**Permissions**: Commercial use, modification, distribution, private use
+**Conditions**: Include license and copyright notice
+**Limitations**: No liability, no warranty
+
+**Common in**: JavaScript (React, Angular), Ruby (Rails)
+
+**Compliance Checklist**:
+- [ ] Include LICENSE file in distribution
+- [ ] Preserve copyright notices in source files
+- [ ] Credit in ABOUT/CREDITS file
+
+#### Apache License 2.0
+
+**SPDX**: Apache-2.0
+**OSI Approved**: Yes
+**Risk Level**: LOW
+
+**Permissions**: Same as MIT, plus explicit patent grant
+**Conditions**: Include license, preserve NOTICE file, state changes
+**Limitations**: No trademark use, no liability
+
+**Common in**: Java (Spring), Big Data (Hadoop, Kafka)
+
+**Key Difference from MIT**: Patent protection clause
+
+**Compliance Checklist**:
+- [ ] Include LICENSE file
+- [ ] Include NOTICE file if present
+- [ ] Document modifications
+- [ ] Don't use project trademarks
+
+#### BSD Licenses (2-Clause and 3-Clause)
+
+**SPDX**: BSD-2-Clause, BSD-3-Clause
+**OSI Approved**: Yes
+**Risk Level**: LOW
+
+**3-Clause Addition**: No endorsement using project name
+
+**Common in**: Unix utilities, networking libraries
+
+**Compliance Checklist**:
+- [ ] Include license text
+- [ ] Preserve copyright notices
+- [ ] BSD-3: No unauthorized endorsements
+
+### Weak Copyleft Licenses
+
+#### GNU LGPL 2.1 / 3.0
+
+**SPDX**: LGPL-2.1, LGPL-3.0
+**OSI Approved**: Yes
+**Risk Level**: MEDIUM
+
+**Safe Usage Patterns**:
+1. **Dynamic Linking**: Link as shared library without modification
+2. **Unmodified Use**: Use library as-is without code changes
+3. **Separate Component**: Keep as distinct, replaceable module
+
+**Unsafe Usage Patterns**:
+1. **Static Linking**: Compiling LGPL code into proprietary binary
+2. **Modifications**: Changing LGPL library code
+3. **Intimate Integration**: Tightly coupling with proprietary code
+
+**Common in**: GTK, glibc, Qt (dual-licensed)
+
+**Compliance for Unmodified Use**:
+- [ ] Provide library source code or offer to provide
+- [ ] Allow users to replace library
+- [ ] Include license text
+
+**Compliance for Modifications**:
+- [ ] Release modifications under LGPL
+- [ ] Provide modified source code
+- [ ] Document changes
+
+#### Mozilla Public License 2.0
+
+**SPDX**: MPL-2.0
+**OSI Approved**: Yes
+**Risk Level**: MEDIUM
+
+**File-Level Copyleft**: Only modified files must remain MPL
+
+**Common in**: Firefox, Rust standard library
+
+**Compliance**:
+- [ ] Keep MPL files in separate files
+- [ ] Release modifications to MPL files
+- [ ] May combine with proprietary code at module level
+
+### Strong Copyleft Licenses
+
+#### GNU GPL 2.0 / 3.0
+
+**SPDX**: GPL-2.0, GPL-3.0
+**OSI Approved**: Yes
+**Risk Level**: HIGH
+
+**Copyleft Scope**: Entire program must be GPL
+
+**Key Differences**:
+- **GPL-3.0**: Added anti-tivoization, patent provisions
+- **GPL-2.0**: More permissive for hardware restrictions
+
+**Common in**: Linux kernel (GPL-2.0), many GNU tools
+
+**When GPL is Acceptable**:
+1. **Internal Use**: Not distributed outside organization
+2. **Network Boundary**: Separate GPL service (API-based)
+3. **Dual-Licensed**: Use commercial license option
+
+**Compliance if Using**:
+- [ ] Entire program must be GPL-compatible
+- [ ] Provide source code to recipients
+- [ ] Include license and build instructions
+
+#### GNU AGPL 3.0
+
+**SPDX**: AGPL-3.0
+**OSI Approved**: Yes
+**Risk Level**: CRITICAL for SaaS
+
+**Network Copyleft**: Source code required even for network use
+
+**Common in**: Some database tools, server software
+
+**Critical for**: SaaS, web applications, APIs
+
+**Avoid Unless**: Prepared to open-source entire application
+
+### Proprietary / Commercial Licenses
+
+**Risk Level**: VARIES (requires legal review)
+
+**Common Scenarios**:
+- Evaluation/trial licenses (non-production)
+- Dual-licensed (commercial option available)
+- Runtime licenses (e.g., database drivers)
+
+**Compliance**: Follow vendor-specific terms
+
+## License Compatibility
+
+### Compatibility Matrix
+
+| Your Project | MIT | Apache-2.0 | LGPL | GPL | AGPL |
+|--------------|-----|-----------|------|-----|------|
+| Proprietary  | ✅  | ✅        | ⚠️   | ❌  | ❌   |
+| MIT          | ✅  | ✅        | ⚠️   | ❌  | ❌   |
+| Apache-2.0   | ✅  | ✅        | ⚠️   | ⚠️  | ❌   |
+| LGPL         | ✅  | ✅        | ✅   | ⚠️  | ❌   |
+| GPL          | ✅  | ⚠️        | ✅   | ✅  | ⚠️   |
+| AGPL         | ✅  | ⚠️        | ✅   | ✅  | ✅   |
+
+**Legend**:
+- ✅ Compatible
+- ⚠️ Compatible with conditions
+- ❌ Incompatible
+
+### Common Incompatibilities
+
+**Apache-2.0 with GPL-2.0**:
+- Issue: GPL-2.0 doesn't have explicit patent grant
+- Solution: Use GPL-3.0 instead (compatible with Apache-2.0)
+
+**GPL with Proprietary**:
+- Issue: GPL requires derivative works be GPL
+- Solution: Keep as separate program, use network boundary
+
+**AGPL with SaaS**:
+- Issue: AGPL triggers on network use
+- Solution: Avoid AGPL or use commercial license
+
+## Compliance Workflows
+
+### Initial License Assessment
+
+1. **Scan Dependencies**
+   ```bash
+   scripts/blackduck_scan.py --project MyApp --version 1.0.0 --report-type license
+   ```
+
+2. **Categorize Licenses by Risk**
+   - Review all HIGH risk licenses immediately
+   - Assess MEDIUM risk licenses for compliance requirements
+   - Document LOW risk licenses for attribution
+
+3. **Legal Review**
+   - Escalate HIGH risk licenses to legal team
+   - Get approval for MEDIUM risk usage patterns
+   - Document decisions
+
+### Continuous License Monitoring
+
+**In CI/CD Pipeline**:
+```yaml
+# GitHub Actions example
+- name: License Compliance Check
+  run: |
+    scripts/blackduck_scan.py \
+      --project ${{ github.repository }} \
+      --version ${{ github.sha }} \
+      --report-type license \
+      --fail-on-blocklisted-licenses
+```
+
+**Policy Enforcement**:
+- Block builds with GPL/AGPL dependencies
+- Require approval for new LGPL dependencies
+- Auto-approve MIT/Apache-2.0
+
+### License Remediation
+
+**For High-Risk Licenses**:
+
+1. **Replace Component**
+   - Find MIT/Apache alternative
+   - Example: MySQL (GPL) → PostgreSQL (PostgreSQL License - permissive)
+
+2. **Commercial License**
+   - Purchase commercial license if available
+   - Example: Qt (LGPL or Commercial)
+
+3. **Separate Service**
+   - Run GPL component as separate service
+   - Communicate via API/network
+
+4. **Remove Dependency**
+   - Implement functionality directly
+   - Use different approach
+
+### Attribution and Notices
+
+**Required Artifacts**:
+
+**LICENSES.txt** - All license texts:
+```
+This software includes the following third-party components:
+
+1. Component Name v1.0.0
+   License: MIT
+   Copyright (c) 2024 Author
+   [Full license text]
+
+2. Another Component v2.0.0
+   License: Apache-2.0
+   [Full license text]
+```
+
+**NOTICE.txt** - Attribution notices (if Apache-2.0 dependencies):
+```
+This product includes software developed by
+The Apache Software Foundation (http://www.apache.org/).
+
+[Additional NOTICE content from Apache-licensed dependencies]
+```
+
+**UI/About Screen**:
+- List major third-party components
+- Link to full license information
+- Provide "Open Source Licenses" section
+
+## Legal Considerations
+
+### When to Consult Legal Counsel
+
+**Always Consult for**:
+- GPL/AGPL in commercial products
+- Dual-licensing decisions
+- Patent-related concerns
+- Proprietary license negotiations
+- M&A due diligence
+- License violations/disputes
+
+### Common Legal Questions
+
+**Q: Can I use GPL code in a SaaS application?**
+A: GPL-2.0/3.0 yes (no distribution), AGPL-3.0 no (network use triggers copyleft)
+
+**Q: What if I modify an MIT-licensed library?**
+A: You can keep modifications proprietary, just preserve MIT license
+
+**Q: Can I remove license headers from code?**
+A: No, preserve all copyright and license notices
+
+**Q: What's the difference between "linking" and "use"?**
+A: Legal concept varies by jurisdiction; consult attorney for specific cases
+
+### Audit and Compliance Documentation
+
+**Maintain Records**:
+- Complete SBOM with license information
+- License review approvals
+- Component selection rationale
+- Exception approvals with expiration dates
+
+**Quarterly Review**:
+- Update license inventory
+- Review new dependencies
+- Renew/revoke exceptions
+- Update attribution files
+
+## Tools and Resources
+
+**Black Duck Features**:
+- Automated license detection
+- License risk categorization
+- Policy enforcement
+- Bill of Materials with licenses
+
+**Additional Tools**:
+- FOSSA - License compliance automation
+- WhiteSource - License management
+- Snyk - License scanning
+
+**Resources**:
+- [SPDX License List](https://spdx.org/licenses/)
+- [Choose A License](https://choosealicense.com/)
+- [TL;DR Legal](https://tldrlegal.com/)
+- [OSI Approved Licenses](https://opensource.org/licenses)
+
+## License Risk Scorecard Template
+
+```markdown
+# License Risk Assessment: [Component Name]
+
+**Component**: component-name@version
+**License**: [SPDX ID]
+**Risk Level**: [HIGH/MEDIUM/LOW]
+
+## Usage Context
+- [ ] Used in distributed product
+- [ ] Used in SaaS/cloud service
+- [ ] Internal tool only
+- [ ] Modifications made: [Yes/No]
+
+## Risk Assessment
+- **Copyleft Trigger**: [Yes/No/Conditional]
+- **Patent Concerns**: [Yes/No]
+- **Commercial Use Allowed**: [Yes/No]
+
+## Compliance Requirements
+- [ ] Include license text
+- [ ] Provide source code
+- [ ] Include NOTICE file
+- [ ] Preserve copyright notices
+- [ ] Other: _______
+
+## Decision
+- [X] Approved for use
+- [ ] Requires commercial license
+- [ ] Find alternative
+- [ ] Legal review pending
+
+**Approved By**: [Name, Date]
+**Review Date**: [Date]
+```
+
+## References
+
+- [Open Source Initiative](https://opensource.org/)
+- [Free Software Foundation](https://www.fsf.org/licensing/)
+- [Linux Foundation - Open Compliance Program](https://www.linuxfoundation.org/projects/open-compliance)
+- [Google Open Source License Guide](https://opensource.google/documentation/reference/thirdparty/licenses)