
Generali Letter of Intention

phbreitbach edited this page Jan 16, 2022 · 2 revisions

Generali Germany Usage of log4j-detector

Generali Germany acknowledges and appreciates the log4j-detector upstream project by Mergebase. We put it to good use as a complementary log4j scanning tool alongside various other tools. It is of real advantage to Generali Germany to have an additional open source tool that is a white box to us, so we can understand how the scan works and form an educated opinion on how adequate the scan was. Furthermore, the tool has proven to deliver correct results that other tools had not delivered before, so using it increases the completeness of our scans. We use the tool mainly in a Windows context, and because many systems are being scanned, we went through a hardening process and decided to actively make changes to the tool ourselves, as we need them and at our own pace, without waiting for the upstream. However, we would like to give the resulting changes from this hardening back to the community.

We chose the log4j-detector tool for roughly the following reasons:

  • A very small and simple tool with no dependencies, and therefore very transparent and secure, as we can easily confirm that the tool is not malware itself.
  • Easy for us to change.
  • Scan runtimes are good enough.
  • The tool appears to have good support for nested JARs, ZIPs etc., and also for exploded classes and shaded/obfuscated names.
  • It delivered results we had not known before.

Letter of Intent on Generali Germany's Contribution to the community

We want (and feel obliged) to contribute our changes to the community under GPL v3 (as licensed to us by the upstream project). Two contribution strategies are possible:

  1. Preferred way: We contribute our changes back to the upstream as pull request(s). We are ready to grant the upstream sufficient copyright on our changes, as we have no interest in using them in any commercial way. To a certain extent we will be ready to refactor our changes to reflect the coding style wished for by the upstream. In this strategy we would aim to make minimal changes in our fork to anything to do with ownership, copyright, licenses, etc. As this is our preferred scenario, we will start in this spirit. However, we cannot be sure that enough of our pull requests will be accepted for our own changes to remain manageable, so we need a second strategy:
  2. Alternative way: We contribute our changes to the community in this fork under GPL v3 (as we are obliged to by receiving the upstream under GPL v3). This is solely to give the results of our hardening back to the community, and explicitly not to actively maintain this as a "living" product beyond our own usage period. Everyone will be free to use, change and propagate it in accordance with GPL v3. But we will process issues quite selectively, as it is not our goal to launch a real product here. In this strategy, we would need to make some more changes to copyright, ownership and license topics to reflect our responsibilities under GPL v3. We would do so as soon as we see that Strategy 1 is not going to work, for whatever reason.

We hope, and are convinced, that this will be of value to the community, as it includes hardening especially for Windows across a quite broad usage base. We also hope that our contribution will be welcomed by Mergebase to further advance their splendid product.
