Investigate licensing of gemnasium-db for use in Trivy
Context
Section 5f of the gemnasium-db vulnerability database explicitly prohibits its use by third-party scanners:
(f) Attempt to access or search the Security Alert Database or Content or download Content from the Security Alert Database through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers, data mining tools or the like) other than the software and/or search agents provided by GitLab or other generally available third-party web browsers;
Trivy has a feature request to use gemnasium-db and one of the maintainers has inquired about the possibility of using it.
Questions
- Who is the DRI capable of deciding whether to grant a license to use gemnasium-db in Trivy?
- Should we do it?
/cc @sam.white @samk @gonzoyumo @NicoleSchwartz @david @whaber
Edited by Thiago Figueiró