joshcgrossman.com
Friendly AppSec Ghost 👻 https://appsecg.host
105 posts 1,163 followers 431 following
Regular Contributor
Active Commenter
comment in response to post
5. Applied Cryptography – Real-world applications, vulnerabilities, and protections 6. Bug Bounty Stories, Fun Hacks & Creative Exploits – Unique perspectives, social engineering, and more 📅 CFP Deadline: March 15, 2025 🔗 Submit now: www.papercall.io/owa... 5/6
comment in response to post
I can't remember if I publicised it or not 🤦‍♂️ So just in case, here it is again: www.bouncesecurity.c...
comment in response to post
But... then they would be maintaining their own fork AND crucially they would trigger the LGPL requirement to open source the modified fork. Which is basically what they did. This would probably have been a more compelling and positive angle for @opengrep to have pitched. 3/3
comment in response to post
So licence-wise it was completely legit for an ASPM to integrate the product into their platform as long as they didn't modify it. When @Semgrep removed functionality from CE, it would also be completely legit for the ASPM to modify the functionality back into the software. 2/3
comment in response to post
0-days since last time it was DNS
comment in response to post
and here it is 😅: joshcgrossman.com/2025/01/28/w...
comment in response to post
Full post here: joshcgrossman.com/20...
comment in response to post
In the meantime, you can take a look at the new site, it ain't the most beautiful but it is about a million times more maintainable and it's free! joshcgrossman.com
comment in response to post
Some related links: Original Semgrep announcement: semgrep.dev/blog/2024/im... Common Clause: commonsclause.com CEO subsequent message on slack: semgrep.slack.com/archives/CK8... Opengrep announcement: www.opengrep.dev Opengrep rules fork: github.com/opengrep/ope...
comment in response to post
Personally I really hope that @opengrep and @Semgrep can work together on a community maintained engine with strong support from multiple vendors, whilst also respecting @Semgrep's commercial rights. 10/10
comment in response to post
However, since @opengrep has forked the rules repo as well, I think it is ethically critical for the vendors involved to come to an agreement with @Semgrep on the use of the rules in @opengrep. The alternative is for @opengrep to create a new "clean room" set of rules. 9/10
comment in response to post
I think that safeguarding the engine in an open source foundation with support from multiple vendors is a great thing for the project and significantly strengthens the static analysis industry. It is pretty much a unique tool for code security. 8/10
comment in response to post
However, the CEO's subsequent statement on December community slack channel states that this rule use was not allowed according to the license (see screenshot below). 7/10
comment in response to post
I think Semgrep's messaging on this change is a little inconsistent, their original blog post sounds like up until the licence change they could be used commercially and now they can't: semgrep.dev/blog/202... 6/10
comment in response to post
2) The intent of the rules license didn't change. Semgrep's rules seem to have always had a "don't use me to sell a competing product or service" licence, the "Commons Clause" License. They have now changed to a clearer, but similar licence, the Semgrep Rules License. 5/10
comment in response to post
For me, the removal of features made me particularly nervous (I have some nice join mode rules). I can therefore see how people could be nervous about a future engine license change. 4/10
comment in response to post
IMHO people (including myself) saw them requiring login for certain features and mistook this for a licence change. As I understand it, since the licence isn't changing, @opengrep can take any code from future @Semgrep versions and copy it into @opengrep, and vice versa. 3/10
comment in response to post
a) The engine license didn't change. It is still LGPL and IANAL but from what I understand it means you can package the @Semgrep binary in closed source but if you make source changes, you have to redistribute them as open source. 2/10
comment in response to post
...and before anyone comes chiming in about Linux, I avoid doing updates on Linux VMs because I am so scared it will break something. I'd rather just "Nuke and Pave"... As for the concept of a Mac VM..... 🤣🤣🤣 2/2
comment in response to post
Check out the full blog for detailed analysis, technical examples, and tips on securing your Spring Boot Actuator deployments 🪄: www.wiz.io/blog/spring-...
comment in response to post
This from @davidwhitney.co.uk youtube.com/watch?v=9YQg...
comment in response to post
are you implying that someone could take a bad photo of Sam Stepanyan? 🙃
comment in response to post
@sydseter.com www.flickr.com/photos/20114...