
Code-Scanning Tool's License at Heart of Security Breakup

A group of nine application security service providers announced they would "fork" the popular code-scanning project Semgrep, creating a new codebase, after a series of moves by the eponymous startup made it more difficult for the firms to use the open source software in their own products.

The companies — Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb, and Orca Security — embarked on the initiative after Semgrep announced it had moved some capabilities of its open source engine into the startup's paid version. Dubbed Opengrep, the new project remains under the same license as the Semgrep Community Edition — the GNU Lesser General Public License (LGPL) — but will restore advanced features and the ability to export data in JSON and SARIF formats, as well as create an open source database of rules.

The Opengrep initiative is intended to create a neutral open source project that is not owned by a single company and can be improved to suit the needs of enterprise users and the group of companies behind the project, says Varun Badhwar, CEO and co-founder of software supply chain security firm Endor Labs, one of the companies sponsoring Opengrep.

"We are all collectively funding this right now, but once we stabilize the project, our goal is to turn it over to the right community ... we don't want to — as vendors — own this long term," he says. "This is an interim step for us — to create something that is owned by multiple parties and not a single vendor [that] can overnight decide to make a change."

The triggering event for the open source split came on Dec. 13, when Semgrep outlined changes it had made to seemingly small — but nevertheless important — features. The company sought to further delineate its Pro version from the open source project by renaming the latter to the "Community Edition," clarifying that the license allowed only internal use of its ruleset and removing the ability of the Community Edition to export certain fields in common output formats, such as JSON and the Static Analysis Results Interchange Format (SARIF).

Essentially, the firm has pursued an open core model, where the core engine is made public using an open source license, but more advanced features are made proprietary.

"I feel that we've clarified what belongs in a Unix-style, open source tool for security practitioners versus what makes sense in a commercial platform," says Luke O'Malley, chief product officer and founder at Semgrep. "Features like platform-focused fingerprinting go beyond CE's core mission. As maintainers, we ask ourselves: Would the majority of the community see this as fair? That principle broadly guides what stays in CE and what is in our commercial offering."

Freeloading and a Growing Gap

The creation of the Opengrep project has created a kerfuffle among some application security specialists, with some criticizing the companies for forking, rather than financing, Semgrep's open source core. In many ways, it's part of a playbook where venture-backed companies use an open source project to launch their own products, argued application security specialist Mark Curphey, in a Jan. 29 column.

"[W]hy on earth would anyone fork a successful open-source security project with a vibrant community?" he said. "There are a lot of free-loaders in the world of software, companies who build on other people's hard work, and that don't fairly contribute back to the projects that they are making money off. It's perfectly legal as long as they stay within the license terms, and sadly a fact of life."

He pointed to another application security project — the open source Zed Attack Proxy (ZAP) used for dynamic application security testing (DAST) — which suffered similar commercial issues during its development, struggling to fund the maintainers of the project, even though "over a dozen commercial DAST services" used the open source codebase as the basis of their products. Application security firm Checkmarx ended up hiring all three ZAP maintainers and committed to funding the project, which formed the foundation of its own DAST solution.

In Curphey's mind, Semgrep's efforts have been taken advantage of.

"I think open source funding is incredibly complex, but this doesn't feel right, and it feels hypocritical to me for these companies to be doing this," he told Dark Reading in an interview.

More Features for Opengrep?

Endor Labs' Badhwar, however, argues that Opengrep will be a more feature-rich version of the code-scanning engine because Semgrep had slowly created a gap between its professional AppSec Platform and its open source engine — a common practice among companies that create open core technologies.

The creation of the Community Edition and the removal of some "experimental" features that the Opengrep companies considered valuable caused alarm among the commercial vendors who used the Semgrep engine as part of their service offerings, says Badhwar.

"There are several examples where the community tried to contribute things that would close the gaps in the open source version of Semgrep ... that the maintainers of the engine were choosing not to necessarily accept and include," he says. "I think it was becoming very clear ... that Semgrep's biggest competitor was their own open source engine, and so they were trying to create a bigger gap."

Opengrep has already financed two software engineers to work on the project and will discuss a road map during a Feb. 20 meeting.

This tension has played out with other open source projects as well. The open source search engine Elasticsearch, for example, had been developed as an open core project, but Elastic shifted the license in January 2021 to restrict managed service providers from using the software as the basis of their services. The same month, a group of Amazon Web Services engineers created a fork, OpenSearch, to give the community the ability to use an open version.

In Semgrep's case, founder O'Malley argues that the company has an incentive to keep the Community Edition well-maintained and strong, while the Opengrep team has not demonstrated that its product will be an improvement. Two parallel projects are never ideal, he says.

"Multiple forks can create confusion, making it harder for individuals to know where to contribute and what's actively maintained," O'Malley says. "That's always a risk with fragmentation in open source. Our priority is keeping Semgrep CE strong, well-maintained, and growing. Developers and security engineers relying on it should feel confident that we're committed to its long-term success and a thriving ecosystem."
