It seems that `consul/sdk`, `logutils`, and `memberlist` were transitive dependencies of other packages.
This was the dep graph for them in the event-generator (before I fixed it):
```
❯ go mod graph | grep consul/sdk
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/consul/sdk@v0.13.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-cleanhttp@v0.5.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-hclog@v0.12.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-uuid@v1.0.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-version@v1.2.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pkg/errors@v0.8.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/stretchr/testify@v1.4.0
github.com/hashicorp/consul/sdk@v0.13.1 golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad
github.com/hashicorp/consul/sdk@v0.13.1 github.com/davecgh/go-spew@v1.1.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/fatih/color@v1.9.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/kr/pretty@v0.2.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/mattn/go-colorable@v0.1.4
github.com/hashicorp/consul/sdk@v0.13.1 github.com/mattn/go-isatty@v0.0.12
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pmezard/go-difflib@v1.0.0
github.com/hashicorp/consul/sdk@v0.13.1 gopkg.in/check.v1@v1.0.0-20190902080502-41f04d3bba15
github.com/hashicorp/consul/sdk@v0.13.1 gopkg.in/yaml.v2@v2.2.8
❯ go mod graph | grep github.com/hashicorp/logutils
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/logutils@v1.0.0
❯ go mod graph | grep github.com/hashicorp/memberlist
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/memberlist@v0.5.0 github.com/armon/go-metrics@v0.0.0-20180917152333-f0300d1749da
github.com/hashicorp/memberlist@v0.5.0 github.com/davecgh/go-spew@v1.1.1
github.com/hashicorp/memberlist@v0.5.0 github.com/google/btree@v0.0.0-20180813153112-4030bb1f1f0c
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-immutable-radix@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-msgpack@v0.5.3
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-multierror@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-sockaddr@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/miekg/dns@v1.1.26
github.com/hashicorp/memberlist@v0.5.0 github.com/pascaldekloe/goe@v0.0.0-20180627143212-57f6aae5913c
github.com/hashicorp/memberlist@v0.5.0 github.com/pmezard/go-difflib@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/sean-/seed@v0.0.0-20170313163322-e2103e2c3529
github.com/hashicorp/memberlist@v0.5.0 github.com/stretchr/testify@v1.2.2
github.com/hashicorp/memberlist@v0.5.0 golang.org/x/sys@v0.0.0-20220728004956-3c1f35247d10
```
I had to reset the `go.mod` and switch to Go 1.21 to remove them from the event generator. Likely, the latest versions of required packages do not carry any unwanted Hashicorp packages anymore. See https://github.com/falcosecurity/event-generator/pull/85
I am doing the same (i.e. switching to the new Go and running `go get -u` and `go mod tidy`) on:
Consul is no more greppable in them.
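The `grep` over `go mod graph` above shows the edges but not why a module is present at all. The program below is an added example (not code from the issue or from any Falco repository): it parses `go mod graph` output, collapses versions so each module path is one node, and answers two questions an audit needs: which modules under a prefix (here `github.com/hashicorp/`) are reachable from the main module, and what the shortest dependency chain to a given one is, so the direct dependency to replace or upgrade is obvious. The root module name `example.com/event-generator` and the `spf13/cobra` edge are assumptions; the consul/api, serf, memberlist and logutils edges mirror the ones quoted in the thread.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output. The root module name is an
// assumption; the hashicorp edges follow the thread's grep output.
const sampleGraph = `example.com/event-generator github.com/hashicorp/consul/api@v1.20.0
example.com/event-generator github.com/spf13/cobra@v1.7.0
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/consul/sdk@v0.13.1
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/serf@v0.10.1
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/logutils@v1.0.0
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pkg/errors@v0.8.1
`

// modPath drops the "@version" suffix so several versions of one module
// become a single node in the graph.
func modPath(s string) string {
	if i := strings.Index(s, "@"); i >= 0 {
		return s[:i]
	}
	return s
}

// ParseGraph turns "parent child" lines into an adjacency list keyed by
// parent module path. Malformed lines are skipped.
func ParseGraph(text string) map[string][]string {
	adj := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		p, c := modPath(f[0]), modPath(f[1])
		adj[p] = append(adj[p], c)
	}
	return adj
}

// Chain returns the shortest dependency path from root to target
// (breadth-first search), or nil when target is not reachable.
func Chain(adj map[string][]string, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range adj[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Reachable lists every module with the given path prefix that the root
// module pulls in, directly or transitively, sorted for stable output.
func Reachable(adj map[string][]string, root, prefix string) []string {
	seen := map[string]bool{root: true}
	queue := []string{root}
	var out []string
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if strings.HasPrefix(cur, prefix) {
			out = append(out, cur)
		}
		for _, next := range adj[cur] {
			if !seen[next] {
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	root := "example.com/event-generator"
	adj := ParseGraph(sampleGraph)
	for _, m := range Reachable(adj, root, "github.com/hashicorp/") {
		fmt.Printf("%s\n  via: %s\n", m, strings.Join(Chain(adj, root, m), " -> "))
	}
}
```

On a real repository, feed it `go mod graph` from stdin instead of the constant and pass the module path from `go.mod` as root; the chain tells you which direct dependency to upgrade or drop, and `go mod why -m <module>` confirms whether any package of that module is actually built into the binary.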
With https://github.com/falcosecurity/evolution/issues/347, all tasks are done now! /close
@leogr: Closing this issue.
We've conducted an initial scan following the CNCF input request after the Hashicorp MPL -> BUSL license change.
The lists below were generated after examining the `go.sum` packages across the entire Falcosecurity organization. From this initial audit, we've determined that we are NOT using any BUSL-licensed packages :partying_face: Thus, we are unaffected by the MPL -> BUSL license transition, which is positive.
Additionally, we identified some Hashicorp packages under MPL 2.0 that we are using without a CNCF Governing Board exception.
For context, according to the CNCF IP Policy, all 3rd-party dependencies must either be Apache 2.0 licensed OR listed in the Approved Licenses for Allowlist OR have an exception approved by the Governing Board (see already approved license exceptions).
MPL2'd packages being used without an exception
[ACTION NEEDED]! @falcosecurity/core-maintainers
cc @falcosecurity/driverkit-maintainers @falcosecurity/event-generator-maintainers @falcosecurity/falcoctl-maintainers @falcosecurity/falcosidekick-maintainers @falcosecurity/kilt-maintainers @falcosecurity/plugins-maintainers
Please carefully evaluate the possibility of removal for these Go dependencies listed in the table below. If that's not feasible, we must submit a ticket to the CNCF for review and request a license exception (I can take care of that once we have completed the evaluation of them one by one).
It's worth noting that some of these packages might not be in active use. A straightforward cleanup might suffice to remove them:
[Table of MPL 2.0 Hashicorp packages per repository (falcosidekick, plugins, event-generator, falcoctl); only the repository column is recoverable here.]
Already allowed Hashicorp packages.
The packages listed below are already permitted, either due to inclusion in the allowlist or because they have a GB-approved exception. Therefore, no additional action is required. We can continue to use them without concerns.
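The audit above was done by scanning `go.sum` files for Hashicorp modules and then splitting them into "already allowed" and "needs removal or an exception". The program below is an added example of that two-step scan (not the tooling the issue author used and not code from any Falco repository): it parses `go.sum` lines, folds the `v1.2.3` and `v1.2.3/go.mod` entries of one version together, keeps modules under a prefix, and partitions them against an allow set. The `go.sum` excerpt, its `h1:PLACEHOLDER=` hashes, and the `allowed` map are constructed; the real allow set must come from the CNCF allowlist and approved exceptions, not from this code.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed go.sum excerpt; the hashes are placeholders, not real checksums.
const sampleGoSum = `github.com/hashicorp/consul/api v1.20.0 h1:PLACEHOLDER=
github.com/hashicorp/consul/api v1.20.0/go.mod h1:PLACEHOLDER=
github.com/hashicorp/consul/sdk v0.13.1 h1:PLACEHOLDER=
github.com/hashicorp/consul/sdk v0.13.1/go.mod h1:PLACEHOLDER=
github.com/hashicorp/go-cleanhttp v0.5.1 h1:PLACEHOLDER=
github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:PLACEHOLDER=
github.com/hashicorp/memberlist v0.5.0/go.mod h1:PLACEHOLDER=
github.com/spf13/cobra v1.7.0 h1:PLACEHOLDER=
`

// allowed is a constructed stand-in for the allowlist / GB-approved
// exceptions. Which Hashicorp modules are really allowed is decided by the
// CNCF IP policy, not by this example.
var allowed = map[string]bool{
	"github.com/hashicorp/go-cleanhttp": true,
}

// ModulesWithPrefix parses go.sum text and returns module path -> sorted
// versions for every module whose path starts with prefix. A go.sum line is
// "<module> <version>[/go.mod] h1:<hash>"; the /go.mod suffix is stripped so
// both entries of one version count once.
func ModulesWithPrefix(goSum, prefix string) map[string][]string {
	seen := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || !strings.HasPrefix(f[0], prefix) {
			continue
		}
		ver := strings.TrimSuffix(f[1], "/go.mod")
		if seen[f[0]] == nil {
			seen[f[0]] = map[string]bool{}
		}
		seen[f[0]][ver] = true
	}
	out := map[string][]string{}
	for m, vs := range seen {
		for v := range vs {
			out[m] = append(out[m], v)
		}
		sort.Strings(out[m])
	}
	return out
}

// Partition splits the module paths into those already allowed and those
// that need either removal or a license-exception ticket.
func Partition(mods map[string][]string, allow map[string]bool) (ok, needsAction []string) {
	for m := range mods {
		if allow[m] {
			ok = append(ok, m)
		} else {
			needsAction = append(needsAction, m)
		}
	}
	sort.Strings(ok)
	sort.Strings(needsAction)
	return ok, needsAction
}

func main() {
	mods := ModulesWithPrefix(sampleGoSum, "github.com/hashicorp/")
	ok, needsAction := Partition(mods, allowed)
	fmt.Println("already allowed:", ok)
	for _, m := range needsAction {
		fmt.Printf("ACTION NEEDED: %s %v\n", m, mods[m])
	}
}
```

A `go.sum` entry only proves that the module was needed for checksum verification at some point, which is exactly why the issue notes that some listed packages may not be in active use: after `go mod tidy`, run `go mod why -m <module>` on each "ACTION NEEDED" hit to confirm whether it is still built in before opening an exception request.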