Skip to content

PR-13 (DRAFT — needs OWASP sign-off): License split (Apache-2.0 code / CC BY-SA 4.0 content)#44

Draft
emmanuelgjr wants to merge 1 commit into
mainfrom
improve/pr-13-license-split
Draft

PR-13 (DRAFT — needs OWASP sign-off): License split (Apache-2.0 code / CC BY-SA 4.0 content)#44
emmanuelgjr wants to merge 1 commit into
mainfrom
improve/pr-13-license-split

Conversation

@emmanuelgjr

Copy link
Copy Markdown
Contributor

⚠️ DRAFT — DO NOT MERGE without OWASP GenAI Data Security Initiative leadership sign-off.

Phase 4. This dual-licensing split touches the initiative's licensing posture, so per the improvement plan it is prepared but held for an explicit call from leadership.

What's proposed

  • Original executable code → Apache-2.0 (cli/, build/, tests/, scripts/, integrations/*.sh|*.yml|*.toml, schemas/, templates/, dist/, scanner workflows). Permissive so it can be adopted/embedded; avoids ShareAlike tripping corporate OSS review.
  • Derived OWASP framework text → CC BY-SA 4.0 (control descriptions, README framework content, report boilerplate, changelog prose). Inherits the framework's license + attribution.
  • LICENSES/Apache-2.0.txt + LICENSES/CC-BY-SA-4.0.txt (canonical texts); LICENSE-NOTES.md (full path→license map + reasoning); SPDX headers on 16 code files.

The decision that needs leadership (⚠️)

rules/dsgai-rules.yaml is a genuine gray zone: its control mappings/keywords derive from CC BY-SA framework text, while its PCRE implementations are original code. LICENSE-NOTES.md names this explicitly and offers two defensible options:

  1. Whole file Apache-2.0 (treated as code).
  2. Fallback: YAML rules file CC BY-SA 4.0; generated JSON + all other code Apache-2.0.

Verification

  • SPDX headers changed no behavior: compile / shellcheck / actionlint clean; all generators (build_rules_json, export_semgrep, generate_prompt_variant) still in sync; pytest → 21 passed.

Blocking checkpoint: @emmanuelgjr — confirm the split, and specifically the rules/dsgai-rules.yaml decision, with OWASP leadership before this is un-drafted and merged.

… (PR-13, DRAFT)

DRAFT — awaiting OWASP GenAI Data Security Initiative leadership sign-off.
DO NOT MERGE without explicit sign-off (this touches the initiative's licensing
posture).

- LICENSES/Apache-2.0.txt + LICENSES/CC-BY-SA-4.0.txt (canonical texts).
- LICENSE-NOTES.md: path -> license map + reasoning. Names the
  rules/dsgai-rules.yaml gray zone explicitly (its control mappings derive from
  CC BY-SA framework text; PCRE implementations are original code) and offers
  leadership two defensible options.
- SPDX-License-Identifier: Apache-2.0 headers on 16 code files (cli/, build/,
  tests/, scripts/, integrations/*.sh|*.yml|*.toml, rules/atlas-map.yaml, the
  scanner workflows). JSON/generated files covered by LICENSE-NOTES.md.
- Attribution (OWASP + Guilherme/Ramachandran) unchanged.

Verified: compile/shellcheck/actionlint clean; all generators in sync; pytest
21 passed — SPDX headers changed no behavior.
emmanuelgjr added a commit that referenced this pull request Jul 18, 2026
…pos (#56)

Scanned 8 permissively-licensed public GenAI repos (LangChain/LlamaIndex example
apps + production agents + Semantic Kernel) at pinned SHAs with the deterministic
CLI only, CVE stage enabled. Untrusted content — the CLI only greps.

- benchmark/METHODOLOGY.md: corpus (repos + SHAs + licenses + counts), scanner
  0.3.0 / ruleset 0.3.0, exact commands, and the labeling rubric (TP/FP per rule
  class incl. absence-based low-confidence handling). Flags high-volume rules to
  spot-check (P04.7 ~1253x on npm lockfile integrity hashes; P03.1 ~2613x on
  crewAI doc/test endpoints) and recommends stratified sampling for large repos.
- benchmark/labeling-sheets/<repo>.csv: one row per public finding
  (rule_id, path, line, status, confidence, empty human_verdict + notes).
- benchmark/missed-candidates.md: suspected false negatives with evidence —
  TypeScript/C#/notebook coverage gaps (patterns are Python-shaped).
- Responsible disclosure: 8 value-bearing FAIL findings (potential secrets,
  values redacted) are held in benchmark/SENSITIVE-holdback.md, which is
  GITIGNORED and NOT committed — for maintainer review before any disclosure.

No precision numbers computed; no rules modified; draft PR #44 untouched.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant