DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Enable OSS Index by default #636

Closed stevespringett closed 3 years ago

ghost commented 4 years ago

Hi, just wondering if that is a good idea - since I am not even sure that we can use the Sonatype OSS Index at our company just like this... Looking at their ToS, one could understand that the use in DependencyTrack is not permitted:

https://ossindex.sonatype.org/tos

i.e.:

  1. Right to Use the Materials Subject to your compliance with the terms and conditions of this Agreement, you may access and use the Materials solely for your personal, internal use.

--> otherwise I need to first contact them via email and hope for their agreement.

Also:

  1. Rules of Conduct In accessing or using the Website, you may not: ... Systematically download and store any or all of the Website’s content. ...

So, this sounds to me like this:

I am not a lawyer, but just reading this makes me doubt that it should be enabled by default.

IMO it should be clearly stated in DT before enabling the OSS Index that you need to accept their ToS and that you might need to ask their permission via email first.

However, I will write them an email to ask about our intended use, because their ToS do not really suggest that this use is allowed out of the box.

stevespringett commented 4 years ago

I've been chatting with Brian Fox as well as Justin Young and Najla Damand (dedicated OSS Index product manager) about enabling OSS Index by default in DT.

We have agreed upon what is required on both ends to do so and are moving forward. Feel free to reach out to Sonatype regarding the TOS. I think that's a good catch as it likely needs to be updated.

ghost commented 4 years ago

Alright, will do! If they are open to the usage in DT, esp. by default, the ToS should not create doubt in that.

Thank you for your quick reply and really great work on this and related projects. It's a tremendous help for us.

stevespringett commented 4 years ago

335e5acb3de80adf763e52dc61b2824d1b99c7c0

sephiroth-j commented 3 years ago

Can we also activate OSS Index now in version 3.8 without having an account?

stevespringett commented 3 years ago

No. 3.8 and lower still requires an account.

stevespringett commented 3 years ago

Closing. Anonymous OSS Index enabled by default in v4.0 - to be released soon.

github-actions[bot] commented 3 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.