This article mentions licenses 7 times but it's important to note Semgrep did not actually change the project's license. The semgrep-rules repo's license was updated but added no new restrictions; resale was forbidden both before and after.
I added a paragraph to clarify that I'm mostly referring to the metadata requiring a login as a change concerning how I interpret the spirit of LGPLv2. I also had read the old rules license itself as allowing redistribution, but see in the FAQ that it was explicitly not allowed, so I understand why there was confusion about the intent behind it.
Thank you, appreciate the clarification! On the remaining point saying "The loss of metadata is what now makes using Semgrep internally, for free, virtually impossible - as ignoring findings is the most critical part of running a SAST at scale." I would also like to point out:
1. Features for ignoring findings remain open source and available without login, both #nosemgrep and .semgrepignore are unaffected: https://semgrep.dev/docs/ignoring-files-folders-code#reference-summary
2. If you meant missing fingerprinting, that feature only requires login, so it's available with a free account without any limitations. I do understand the article probably meant to say "makes using Semgrep internally, without phoning home, virtually impossible" because it's definitely still available for free.
Yes, I meant the latter and will update to clarify. I meant if you were crazy enough to attempt to roll your own centralized management (which I also acknowledge most people aren't doing). It's more about the possibility existing.