Audit needed for the Hashicorp MPL -> BUSL license change

[leogr]

We've conducted an initial scan following the CNCF input request after the Hashicorp MPL -> BUSL license change.

The lists below were generated after examining the go.sum packages across the entire Falcosecurity organization.

From this initial audit, we've determined that we are NOT using any BUSL-licensed packages 🥳 Thus, we are unaffected by the MPL -> BUSL license transition, which is positive.

Additionally, we identified some Hashicorp packages under MPL 2.0 that we are using without a CNCF Governing Board exception.

For context, according to the CNCF IP Policy, all 3rd-party dependencies must either be Apache 2.0 licensed OR listed in the Approved Licenses for Allowlist OR have an exception approved by the Governing Board (see already approved license exceptions).

MPL2'd packages being used without an exception

[ACTION NEEDED]! @falcosecurity/core-maintainers

cc @falcosecurity/driverkit-maintainers @falcosecurity/event-generator-maintainers @falcosecurity/falcoctl-maintainers @falcosecurity/falcosidekick-maintainers @falcosecurity/kilt-maintainers @falcosecurity/plugins-maintainers

Please carefully evaluate the possibility of removal for these Go dependencies listed in the table below. If that's not feasible, we must submit a ticket to the CNCF for review and request a license exception (I can take care of that once we have completed the evaluation of them one by one).

It's worth noting that some of these packages might not be in active use. A straightforward cleanup might suffice to remove them:

go get -u
go mod tidy

License	Package	Used by	Note
MPL-2.0	github.com/hashicorp/consul/sdk	falcosidekick plugins	An exception request for github.com/hashicorp/consul/api exists already
MPL-2.0	github.com/hashicorp/logutils	event-generator falcoctl falcosidekick plugins	This is likely an indirect dependency. Need investigation.
MPL-2.0	github.com/hashicorp/memberlist	event-generator falcoctl falcosidekick plugins	See cncf/foundation#624
MPL-2.0	github.com/hashicorp/terraform-plugin-framework	kilt	See cncf/foundation#187 and cncf/foundation#619. Evaluate replacing: https://github.com/ko-build/terraform-provider-ko
MPL-2.0	github.com/hashicorp/terraform-plugin-go	kilt	same as above

Cleanups in progress

Beta Give feedback

1. chore: updated project deps. driverkit#286
   approved area/build dco-signoff: yes kind/cleanup lgtm size/XXL +6
   
2. chore: bumped deps through go get -u falcoctl#315
   approved dco-signoff: yes kind/cleanup lgtm size/XXL +5
   
3. build: switch to Go 1.21 and tidy deps event-generator#85
   approved dco-signoff: yes kind/cleanup lgtm size/XXL +5
   
4. chore(build/registry): updated go deps. plugins#324
   approved area/registry dco-signoff: yes kind/cleanup lgtm size/XXL +6
   
5. update dependencies falcosidekick#619
   approved area/build area/outputs dco-signoff: yes kind/cleanup lgtm size/XXL +7
   

Already allowed Hashicorp packages.

The packages listed below are already permitted, either due to inclusion in the allowlist or because they have a GB-approved exception. Therefore, no additional action is required. We can continue to use them without concerns.

Allowlist / Exception	License	Package
2023-06-27	MPL-2.0	github.com/hashicorp/consul/api
2019-03-11	MPL-2.0	github.com/hashicorp/errwrap
2019-03-11	MPL-2.0	github.com/hashicorp/go-cleanhttp
Allowlist	MIT	github.com/hashicorp/go-hclog
2023-06-27	MPL-2.0	github.com/hashicorp/go-immutable-radix
Allowlist	MIT	github.com/hashicorp/go-msgpack
2019-03-11	MPL-2.0	github.com/hashicorp/go-multierror
2023-06-27	MPL-2.0	github.com/hashicorp/go-plugin
2021-07-19	MPL-2.0	github.com/hashicorp/go-retryablehttp
2023-06-27	MPL-2.0	github.com/hashicorp/go-rootcerts
2023-06-27	MPL	github.com/hashicorp/go-secure-stdlib/parseutil
2023-06-27	MPL	github.com/hashicorp/go-secure-stdlib/strutil
2023-06-27	MPL-2.0	github.com/hashicorp/go-sockaddr
Allowlist	MIT	github.com/hashicorp/go-syslog
2023-06-27	MPL-2.0	github.com/hashicorp/go-uuid
Allowlist	BSD-3-Clause	github.com/hashicorp/go.net
2019-03-11	MPL-2.0	github.com/hashicorp/golang-lru
2019-03-11	MPL-2.0	github.com/hashicorp/hcl
Allowlist	MIT	github.com/hashicorp/mdns
2023-06-27	MPL-2.0	github.com/hashicorp/raft
2023-06-27	MPL-2.0	github.com/hashicorp/serf
2023-06-27	MPL-2.0	github.com/hashicorp/vault/api
2023-06-27	MPL-2.0	github.com/hashicorp/yamux

N.B. The 2023-06-27 license execptions file inaccurately indicates that that github.com/hashicorp/vault is licensed under MPL-2.0 and has GB exception approval as of 2023-06-27. In reality, github.com/hashicorp/vault is BUSL-1.1, while only its sub-package github.com/hashicorp/vault/api is MPL-2.0.

[leogr]

It seems that consul/sdk, logutils, and memberlist were transitive dependencies of other packages.

This was the dep graph for them in the event-generator (before I fixed it):

❯ go mod graph | grep consul/sdk                                                                                                                                                                          
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/consul/sdk@v0.13.1                                                                                                                           
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-cleanhttp@v0.5.1                                                                                                                          
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-hclog@v0.12.0                                                                                                                             
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-uuid@v1.0.1                                                                                                                               
github.com/hashicorp/consul/sdk@v0.13.1 github.com/hashicorp/go-version@v1.2.1                                                                                                                            
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pkg/errors@v0.8.1                                                                                                                                      
github.com/hashicorp/consul/sdk@v0.13.1 github.com/stretchr/testify@v1.4.0                                                                                                                                
github.com/hashicorp/consul/sdk@v0.13.1 golang.org/x/sys@v0.0.0-20220412211240-33da011f77ad                                                                                                               
github.com/hashicorp/consul/sdk@v0.13.1 github.com/davecgh/go-spew@v1.1.1                                                                                                                                 
github.com/hashicorp/consul/sdk@v0.13.1 github.com/fatih/color@v1.9.0                                                                                                                                     
github.com/hashicorp/consul/sdk@v0.13.1 github.com/kr/pretty@v0.2.0                                                                                                                                       
github.com/hashicorp/consul/sdk@v0.13.1 github.com/mattn/go-colorable@v0.1.4                                                                                                                              
github.com/hashicorp/consul/sdk@v0.13.1 github.com/mattn/go-isatty@v0.0.12                                                                                                                                
github.com/hashicorp/consul/sdk@v0.13.1 github.com/pmezard/go-difflib@v1.0.0                                                                                                                              
github.com/hashicorp/consul/sdk@v0.13.1 gopkg.in/check.v1@v1.0.0-20190902080502-41f04d3bba15                                                                                                              
github.com/hashicorp/consul/sdk@v0.13.1 gopkg.in/yaml.v2@v2.2.8
                                                                                                                                           
❯ go mod graph | grep github.com/hashicorp/logutils                                                                                                                                                       
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/logutils@v1.0.0                                                                                                                                    

❯ go mod graph | grep github.com/hashicorp/memberlist                                                                                                                                                     
github.com/hashicorp/consul/api@v1.20.0 github.com/hashicorp/memberlist@v0.5.0                                                                                                                            
github.com/hashicorp/serf@v0.10.1 github.com/hashicorp/memberlist@v0.5.0                                                                                                                                  
github.com/hashicorp/memberlist@v0.5.0 github.com/armon/go-metrics@v0.0.0-20180917152333-f0300d1749da                                                                                                     
github.com/hashicorp/memberlist@v0.5.0 github.com/davecgh/go-spew@v1.1.1                                                                                                                                  
github.com/hashicorp/memberlist@v0.5.0 github.com/google/btree@v0.0.0-20180813153112-4030bb1f1f0c                                                                                                         
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-immutable-radix@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-msgpack@v0.5.3
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-multierror@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/hashicorp/go-sockaddr@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/miekg/dns@v1.1.26
github.com/hashicorp/memberlist@v0.5.0 github.com/pascaldekloe/goe@v0.0.0-20180627143212-57f6aae5913c 
github.com/hashicorp/memberlist@v0.5.0 github.com/pmezard/go-difflib@v1.0.0
github.com/hashicorp/memberlist@v0.5.0 github.com/sean-/seed@v0.0.0-20170313163322-e2103e2c3529
github.com/hashicorp/memberlist@v0.5.0 github.com/stretchr/testify@v1.2.2
github.com/hashicorp/memberlist@v0.5.0 golang.org/x/sys@v0.0.0-20220728004956-3c1f35247d10

I had to reset the go.mod and switch to Go 1.21 to remove them from the event generator. Likely, the latest versions of required packages do not carry any unwanted Hashicorp packages anymore. See falcosecurity/event-generator#85

[FedeDP]

I am doing the same (ie: switching to new go and running go get -u and go mod tidy) on:

• falcoctl: chore: bumped deps through go get -u falcoctl#315
• plugins build/registry tool: chore(build/registry): updated go deps. plugins#324
• driverkit: chore: updated project deps. driverkit#286

Consul is no more greppable in them.

[leogr]

With #347, all tasks are done now!
/close

[poiana]

@leogr: Closing this issue.

In response to this:

With #347, all tasks are done now!
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.