
What is the license of the wolfi and chainguard secdb?

Open pombredanne opened this issue 1 year ago • 3 comments

I could not find any license information for the secdb data for wolfi and chainguard. Can you clarify what would be the license? These are the data published at:

  • https://packages.wolfi.dev/os/security.json
  • https://packages.cgr.dev/chainguard/security.json

I need a license to integrate this in https://github.com/nexb/vulnerablecode

For reference, the Alpine secdb has a license at https://secdb.alpinelinux.org/license.txt. Something similar would be awesome! Thanks!

PS: I am not sure if this issue should be filed only here, or at https://github.com/chainguard-dev/vulnerability-scanner-support/ or should be split in two? Please advise!

pombredanne, Mar 07 '24 08:03

@luhring gentle ping. Without a proper license, there is no way this data can be reused. Alpine's secdb CC-BY-SA is a fine license and would likely apply if any of these advisories is derived from Alpine's db.

  • If https://packages.wolfi.dev/os/security.json is all computed from https://github.com/wolfi-dev/advisories/ then https://github.com/wolfi-dev/advisories/blob/main/LICENSE (Apache) would likely be the license? ... but this is a rather odd license for data, as it was designed for code.
  • Short of an explicit license for https://packages.cgr.dev/chainguard/security.json, the most likely license would be https://www.chainguard.dev/legal/terms-of-use, which makes it essentially not reusable anywhere.

pombredanne, Aug 21 '24 09:08

Thanks for the poke, @pombredanne! I'll get you an answer shortly. 🙇

luhring, Aug 21 '24 12:08

We've updated our documentation for the feeds to clarify the license for them: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0).

Does this help?

luhring, Aug 21 '24 20:08