spdx / license-list-XML

This is the repository for the master files that comprise the SPDX License List

New license request: cve-tou [SPDX-Online-Tools] #2427

Closed pombredanne closed 5 months ago

pombredanne commented 7 months ago

1. License Name: Common Vulnerability Enumeration ToU License
2. Short identifier: cve-tou
3. License Author or steward: Mitre
4. Comments: This is the license for the CVE data and it is used in the kernel among other places: https://git.kernel.org/pub/scm/linux/security/vulns.git/commit/?id=2625152aa0e28fded9919ed31f8e0a08a002f56a Any user of the CVE data also uses this license.

   Note that the short identifier is already used in the Linux kernel and in ScanCode and all tools reusing ScanCode: https://scancode-licensedb.aboutcode.org/cve-tou.html
5. License Request Url: http://tools.spdx.org/app/license_requests/359
6. URL(s): https://www.cve.org/Legal/TermsOfUse
7. OSI Status: Unknown
8. Example Projects:

xsuchy commented 7 months ago

Text of the license:

CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable copyright license to reproduce, prepare
derivative works of, publicly display, publicly perform, sublicense, and
distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for
such purposes is authorized provided that you reproduce MITRE's copyright
designation and this license in any such copy.

DISCLAIMERS

ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN PROVIDED BY MITRE ARE
PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF
TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

pombredanne commented 7 months ago

@xsuchy Thanks ... it did not make it through from the app.

swinslow commented 6 months ago

+1 to add.

Although this is drafted as a license for a single licensor ("Other Factor" 2 from the License Inclusion Principles), it is structured as a broad freely-available copyright license grant. And given the usage in the Linux kernel, I think that easily meets the "actual, substantial use" factor.

I'm good with the name and ID proposed above.

swinslow commented 6 months ago

I guess to be more precise, this is being used in the "security/vulns" separate tree of the Linux kernel development community, rather than the canonical "Linus's tree." :) Still, I think this pretty easily hits the "actual, substantial use" factor given its usage here and for the CVE data more generally.

karsten-klein commented 6 months ago

{metæffekt} Universe
canonical name: Common Vulnerability Enumeration License
short name: CVE-ToU
category: CVE
ScanCode reference id: cve-tou
OSI status: none

ScanCode matched id: cve-tou

Comment +1 for adding as a new license.

jlovejoy commented 6 months ago

Agreed as well for adding, and thanks for submitting @pombredanne.

One question: the text on this page https://www.cve.org/Legal/TermsOfUse includes another paragraph about Submissions, yet it looks like when used "in the wild" (i.e., in actual source files, like https://github.com/nexB/vulnerablecode/blob/4a6734b1bbaa8df6fd816f3eb4fd843a88c1ecec/vulnerabilities/importers/nvd.py#L30 ) that is omitted.

Is that a fair assumption?

DennisClark commented 6 months ago

Hi @jlovejoy Since @pombredanne is traveling a bit at the moment, I'll chime in. I think your assumption is correct. The "Submissions" bit is really a CLA, and does not seem to have anything to do with actual usage, so the text that @xsuchy provided is correct, imho. Thanks for taking care of this.

swinslow commented 5 months ago

No objections and several +1's here, so I'm going to go ahead and mark this as approved.

License Inclusion Decision

Decision:

Name

Common Vulnerability Enumeration ToU License

License ID

cve-tou

XML markup

None

Notes:

N/A

Next steps

@swinslow will create the PR for this one

github-actions[bot] commented 5 months ago

This new license/exception request has been accepted and the information for the license/exception has been merged to the repository. Thank you to everyone who has participated! The license/exception will be published at https://spdx.org/licenses/ as part of the next SPDX License List release, which is expected to be in three months' time or sooner. In the interim, the new license will appear on the license list preview site at https://spdx.github.io/license-list-data/. This is an automated message.