Closed IceManGreen closed 10 months ago
ATT&CK's lead here. Apologies, completely missed this when it came in. We've only interpreted those terms to impact redistribution of ATT&CK content itself, not the use of it from our repository (despite being called a "Terms of Use" as someone pointed out in the PR). As far as I'm aware, this is the first time it's come up related to use of ATT&CK, or with ATT&CK as a dependency, rather than redistribution of it.
I completely agree with @adampennin here in that having read through https://github.com/falcosecurity/rules/pull/181 and the actual changes in it, there isn't an actual code dependency on this repo (https://github.com/mitre-attack/attack-stix-data) at all.
My only addition is that in your code you are calling it the `Mitre_checker`, and it may help in the long term if you were to differentiate MITRE (the company) from ATT&CK (the framework) more cleanly, e.g. `Mitre_attack_checker` or some such. Certainly not a requirement as you get to own your own code over there - just a suggestion.
I'm going to close this issue as it looks like the latest comment in the PR indicates that you won't have any issues and things are in hands of legal counsel on the CNCF side of things. But feel free to bring it up again if any issues do arise.
Oh, and to your question about "have you experienced the same kind of problems for other contributions to CNCF projects?" to my knowledge we have not explicitly worked with CNCF in the past nor heard anything from the community about issues with using ATT&CK there. Hope that helps!
Hello @adampennin and @jondricek,
Thanks a lot for your answers!
I will change the references in the contribution from `mitre_checker` to `mitre_attack_checker`, like you mentioned. I think that you are completely right about it. It will be more explicit and legit in the long term.
So according to your words, I guess that this license exception is a first for the CNCF. I hope it will help someone in the future and encourage more contributions!
Hello,
I am opening this issue to discuss the Mitre ATT&CK data usage regarding the terms of use.
Context: I submitted a contribution to the CNCF project named FalcoSecurity Rules to provide a Mitre ATT&CK knowledge base to the project, using attack-stix-data for the data.
It is important to mention that I am not copying the data.
Since this repository has a custom License, it does not appear in the list of licenses compliant with the CNCF. The terms of use in the attack-stix-data license are not problematic for the data usage made in the contribution code, but the issue is only related to the CNCF policies.
As a consequence, the pull request is pending for FalcoSecurity Rules until the maintainers can file a license exception to the CNCF.
As maintainers, have you experienced the same kind of problems for other contributions to CNCF projects? Or has a contributor to your repositories already faced a similar issue?
Thanks in advance!