falcosecurity / evolution

Evolution process of The Falco Project
Apache License 2.0

Audit needed for the Hashicorp MPL -> BUSL license change #305

Closed leogr closed 6 months ago

leogr commented 10 months ago

We've conducted an initial scan following the CNCF input request after the Hashicorp MPL -> BUSL license change.

The lists below were generated after examining the go.sum packages across the entire Falcosecurity organization.

From this initial audit, we've determined that we are NOT using any BUSL-licensed packages :partying_face: Thus, we are unaffected by the MPL -> BUSL license transition, which is positive.

Additionally, we identified some Hashicorp packages under MPL 2.0 that we are using without a CNCF Governing Board exception.

For context, according to the CNCF IP Policy, all 3rd-party dependencies must either be Apache 2.0 licensed OR listed in the Approved Licenses for Allowlist OR have an exception approved by the Governing Board (see already approved license exceptions).

MPL2'd packages being used without an exception

[ACTION NEEDED]! @falcosecurity/core-maintainers

cc @falcosecurity/driverkit-maintainers @falcosecurity/event-generator-maintainers @falcosecurity/falcoctl-maintainers @falcosecurity/falcosidekick-maintainers @falcosecurity/kilt-maintainers @falcosecurity/plugins-maintainers

Please carefully evaluate the possibility of removal for these Go dependencies listed in the table below. If that's not feasible, we must submit a ticket to the CNCF for review and request a license exception (I can take care of that once we have completed the evaluation of them one by one).

It's worth noting that some of these packages might not be in active use. A straightforward cleanup might suffice to remove them:

```
go get -u
go mod tidy
```
| License | Package | Used by | Note |
|---|---|---|---|
| MPL-2.0 | github.com/hashicorp/consul/sdk | falcosidekick, plugins | An exception request for github.com/hashicorp/consul/api exists already |
| MPL-2.0 | github.com/hashicorp/logutils | event-generator, falcoctl, falcosidekick, plugins | This is likely an indirect dependency. Need investigation. |
| MPL-2.0 | github.com/hashicorp/memberlist | event-generator, falcoctl, falcosidekick, plugins | See https://github.com/cncf/foundation/issues/624 |
| MPL-2.0 | github.com/hashicorp/terraform-plugin-framework | kilt | See https://github.com/cncf/foundation/issues/187 and https://github.com/cncf/foundation/issues/619. Evaluate replacing: https://github.com/ko-build/terraform-provider-ko |
| MPL-2.0 | github.com/hashicorp/terraform-plugin-go | kilt | same as above |

### Cleanups in progress
- [ ] https://github.com/falcosecurity/driverkit/pull/286
- [ ] https://github.com/falcosecurity/falcoctl/pull/315
- [ ] https://github.com/falcosecurity/event-generator/pull/85
- [ ] https://github.com/falcosecurity/plugins/pull/324
- [ ] https://github.com/falcosecurity/falcosidekick/pull/619

Already allowed Hashicorp packages.

The packages listed below are already permitted, either due to inclusion in the allowlist or because they have a GB-approved exception. Therefore, no additional action is required. We can continue to use them without concerns.

| Allowlist / Exception | License | Package |
|---|---|---|
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/consul/api |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/errwrap |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/go-cleanhttp |
| Allowlist | MIT | github.com/hashicorp/go-hclog |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-immutable-radix |
| Allowlist | MIT | github.com/hashicorp/go-msgpack |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/go-multierror |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-plugin |
| 2021-07-19 | MPL-2.0 | github.com/hashicorp/go-retryablehttp |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-rootcerts |
| 2023-06-27 | MPL | github.com/hashicorp/go-secure-stdlib/parseutil |
| 2023-06-27 | MPL | github.com/hashicorp/go-secure-stdlib/strutil |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-sockaddr |
| Allowlist | MIT | github.com/hashicorp/go-syslog |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/go-uuid |
| Allowlist | BSD-3-Clause | github.com/hashicorp/go.net |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/golang-lru |
| 2019-03-11 | MPL-2.0 | github.com/hashicorp/hcl |
| Allowlist | MIT | github.com/hashicorp/mdns |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/raft |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/serf |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/vault/api |
| 2023-06-27 | MPL-2.0 | github.com/hashicorp/yamux |

N.B. The 2023-06-27 license exceptions file inaccurately indicates that github.com/hashicorp/vault is licensed under MPL-2.0 and has GB exception approval as of 2023-06-27. In reality, github.com/hashicorp/vault is BUSL-1.1, while only its sub-package github.com/hashicorp/vault/api is MPL-2.0.

leogr commented 10 months ago

It seems that consul/sdk, logutils, and memberlist were transitive dependencies of other packages.

This was the dep graph for them in the event-generator (before I fixed it):

```
❯ go mod graph | grep consul/sdk
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/consul/sdk@v0.13.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-cleanhttp@v0.5.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-hclog@v0.12.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-uuid@v1.0.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-version@v1.2.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pkg/errors@v0.8.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/stretchr/testify@v1.4.0
github.com/hashicorp/consul/sdk@v0.13.1 golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad
github.com/hashicorp/consul/sdk@v0.13.1 github.com/davecgh/go-spew@v1.1.1
github.com/hashicorp/consul/sdk@v0.13.1 github.com/fatih/color@v1.9.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/kr/pretty@v0.2.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/mattn/go-colorable@v0.1.4
github.com/hashicorp/consul/sdk@v0.13.1 github.com/mattn/go-isatty@v0.0.12
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pmezard/go-difflib@v1.0.0
github.com/hashicorp/consul/sdk@v0.13.1 gopkg.in/check.v1@v1.0.0-20190902080502-41f04d3bba15
github.com/hashicorp/consul/sdk@v0.13.1 gopkg.in/yaml.v2@v2.2.8

❯ go mod graph | grep github.com/hashicorp/logutils
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/logutils@v1.0.0

❯ go mod graph | grep github.com/hashicorp/memberlist
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/memberlist@v0.5.0 github.com/armon/go-metrics@v0.0.0-20180917152333-f0300d1749da
github.com/hashicorp/memberlist@v0.5.0 github.com/davecgh/go-spew@v1.1.1
github.com/hashicorp/memberlist@v0.5.0 github.com/google/btree@v0.0.0-20180813153112-4030bb1f1f0c
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-immutable-radix@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-msgpack@v0.5.3
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-multierror@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-sockaddr@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/miekg/dns@v1.1.26
github.com/hashicorp/memberlist@v0.5.0 github.com/pascaldekloe/goe@v0.0.0-20180627143212-57f6aae5913c
github.com/hashicorp/memberlist@v0.5.0 github.com/pmezard/go-difflib@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/sean-/seed@v0.0.0-20170313163322-e2103e2c3529
github.com/hashicorp/memberlist@v0.5.0 github.com/stretchr/testify@v1.2.2
github.com/hashicorp/memberlist@v0.5.0 golang.org/x/sys@v0.0.0-20220728004956-3c1f35247d10
```

I had to reset the go.mod and switch to Go 1.21 to remove them from the event generator. Likely, the latest versions of required packages do not carry any unwanted Hashicorp packages anymore. See https://github.com/falcosecurity/event-generator/pull/85
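The `grep` over `go mod graph` above shows who depends on each unwanted module, but not which of the project's *direct* dependencies is ultimately responsible for pulling it in, which is what you need to know before deciding whether an upgrade, a replace or a removal is the right cleanup. The following Go program is an added example, not code from the Falco project or from this thread: it parses `go mod graph` output (the constructed `sampleGraph` below, with the placeholder main module `github.com/example/event-generator`, is an assumption; a real audit would feed the command's actual output to `parseGraph`), strips versions, and reports the shortest chain from the main module to each module on a flagged list, so the direct dependency at the head of that chain is the one to act on.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a CONSTRUCTED excerpt in `go mod graph` format ("parent child"
// per line, versions after '@'). The main module is listed first and carries no
// version. It is not the real dependency graph of any Falco component.
const sampleGraph = `github.com/example/event-generator github.com/hashicorp/consul/api@v1.20.0
github.com/example/event-generator github.com/spf13/cobra@v1.7.0
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/consul/sdk@v0.13.1
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/serf@v0.10.1
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/logutils@v1.0.0
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/memberlist@v0.5.0
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-uuid@v1.0.1
`

// flagged lists module paths (no version) that carry a license without an
// allowlist entry or GB exception; taken from the first table in this issue.
var flagged = []string{
	"github.com/hashicorp/consul/sdk",
	"github.com/hashicorp/logutils",
	"github.com/hashicorp/memberlist",
}

// graph holds version-stripped edges; several versions of one module are merged
// because for "who pulls this in" the module identity is what matters.
type graph struct {
	root  string
	edges map[string][]string
}

// modulePath drops the "@version" suffix that go mod graph appends.
func modulePath(s string) string {
	if i := strings.Index(s, "@"); i >= 0 {
		return s[:i]
	}
	return s
}

// parseGraph reads "parent child" lines; the first parent is the main module.
func parseGraph(text string) graph {
	g := graph{edges: map[string][]string{}}
	seen := map[[2]string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		parent, child := modulePath(fields[0]), modulePath(fields[1])
		if g.root == "" {
			g.root = parent
		}
		key := [2]string{parent, child}
		if !seen[key] { // merging versions can produce duplicate edges
			seen[key] = true
			g.edges[parent] = append(g.edges[parent], child)
		}
	}
	return g
}

// chain returns the shortest root -> ... -> target path (BFS), or nil when the
// target is not in the module graph at all.
func chain(g graph, target string) []string {
	prev := map[string]string{g.root: ""}
	queue := []string{g.root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g.edges[cur] {
			if _, visited := prev[next]; !visited {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// auditFlagged maps every reachable flagged module to the chain that pulls it in.
func auditFlagged(g graph, flagged []string) map[string][]string {
	out := map[string][]string{}
	for _, m := range flagged {
		if p := chain(g, m); p != nil {
			out[m] = p
		}
	}
	return out
}

func main() {
	g := parseGraph(sampleGraph)
	found := auditFlagged(g, flagged)
	mods := make([]string, 0, len(found))
	for m := range found {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	for _, m := range mods {
		p := found[m]
		if len(p) > 1 {
			fmt.Printf("%s is pulled in by direct dependency %s:\n  %s\n", m, p[1], strings.Join(p, " -> "))
		}
	}
	for _, m := range flagged {
		if _, ok := found[m]; !ok {
			fmt.Printf("%s: not present in the module graph\n", m)
		}
	}
}
```

To run it against a real module, replace `sampleGraph` with the text of `go mod graph` run in the module directory. For a single module, `go mod why -m <module>` gives an equivalent answer from the toolchain itself; the value of parsing the whole graph is that one pass covers the entire flagged list across a repository, which is the shape of the audit done in this issue.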

FedeDP commented 10 months ago

I am doing the same (i.e., switching to new go and running go get -u and go mod tidy) on:

Consul is no more greppable in them.

leogr commented 6 months ago

With https://github.com/falcosecurity/evolution/issues/347, all tasks are done now! /close

poiana commented 6 months ago

@leogr: Closing this issue.

In response to [this](https://github.com/falcosecurity/evolution/issues/305#issuecomment-1886938976):

> With https://github.com/falcosecurity/evolution/issues/347, all tasks are done now!
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.