
Snyk.io – Find and fix known vulnerabilities in Node.js dependencies - proyb2
https://snyk.io
======
nacs
From their policies page:

> by uploading or posting content to the Platform and providing access to your
> system’s source code repository, you hereby grant to Snyk, limited to the
> extent it is necessary in order to enable your use of the Platform, a
> perpetual, worldwide, non-exclusive, royalty free and transferable licence
> (with right to sub-license) to, including without limitation, use, display
> and transmit the content and source code

.. No thanks.

~~~
guypod
You've omitted the previous paragraph: We claim no intellectual property
rights over the material you provide to the Service. Your profile and
materials uploaded remain yours. However, to enable your use of the Platform,
we do need to inspect portions of your code, communicate parts of it (e.g. the
dependencies being used) to the Snyk servers, etc. For that purpose, by
uploading or posting content to...

~~~
0x4a6f6579
The omission is inconsequential. One does not require intellectual property
rights to abuse "a perpetual, worldwide, non-exclusive, royalty free and
transferable licence (with right to sub-license) to, including without
limitation, use, display and transmit the content and source code."

A service allowing consumers to "find and fix known vulnerabilities in Node.js
dependencies" certainly does not require a transferable license (especially
one with the right to sub-license). A transferable license allows the licensee
to freely assign the license to any other party without the licensor's
consent. The wording includes the right to sub-license, allowing the same
license to be granted to another third party -- again, without the need to
obtain the licensor's consent due to its inclusion as part of the transferable
license statement.

~~~
guypod
Fair point, language is probably too broad (was just in the lawyers'
template...). Note it is "limited to the extent needed to provide the
service", but can be reduced further, as we (Snyk) never had any intent to do
anything more than what's needed for the service. We'll remedy that in the
next couple of weeks.

------
exratione
You might also look at
[https://github.com/nodesecurity/nsp](https://github.com/nodesecurity/nsp)

The Node.js ecosystem is still fairly immature with regard to formalized
security, certainly in comparison to, say, the Java ecosystem. There just
aren't as many people filing CVEs on packages as a part of vetting their
stacks, and certainly far fewer people focused on that part of the security
process.

To a certain degree tools are only going to be as good as the security
environment. If people aren't filing CVEs at an appropriate pace given the
level of vulnerability out there, and it takes a village, etc, etc, then no
one group is going to be able to deliver a good security service on their own,
since these services are individually (a) a megaphone and filter for a CVE RSS
feed, and (b) a minor source of CVEs.
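
An added illustration of the "filter for a CVE feed" role described above (example code written for this page, not code from Snyk, nsp or the commenter): a minimal checker that reads a resolved dependency map and matches it against an advisory feed using a small subset of semver range syntax. The package names, versions, advisory ids and ranges below are constructed sample data, not real packages or real CVEs.

```javascript
// Added example, not part of the original thread. Models the core of a
// dependency-vulnerability checker: an advisory feed filtered against the
// versions actually resolved in a project.

// Constructed lockfile-style view of resolved dependencies: name -> version.
const resolvedDeps = {
  "example-template-lib": "1.4.2",
  "example-http-parser": "3.0.1",
  "example-qs": "6.2.0",
};

// Constructed advisory feed. `vulnerable` uses a tiny subset of semver range
// syntax: comparators separated by spaces are ANDed, "||" separates OR-ed
// alternatives. Ids and titles are placeholders, not real advisories.
const advisoryFeed = [
  { id: "EXAMPLE-0001", module: "example-template-lib",
    vulnerable: "<1.5.0", patched: ">=1.5.0", title: "Template injection" },
  { id: "EXAMPLE-0002", module: "example-http-parser",
    vulnerable: ">=3.0.0 <3.0.1 || <2.9.9", patched: ">=3.0.1", title: "Header smuggling" },
  { id: "EXAMPLE-0003", module: "example-qs",
    vulnerable: "<6.0.4 || >=6.1.0 <6.3.0", patched: ">=6.3.0", title: "Prototype pollution" },
  { id: "EXAMPLE-0004", module: "example-unused",
    vulnerable: "<0.1.0", patched: ">=0.1.0", title: "Package not in manifest" },
];

// Parse "major.minor.patch" (optional leading "v"); prerelease tags are
// deliberately ignored to keep the example short.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison, so "1.10.0" sorts after "1.9.9".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as "<1.5.0" or ">=3.0.0"; a bare version means equality.
function satisfiesComparator(version, comparator) {
  const m = /^(<=|>=|<|>|=)?\s*(.+)$/.exec(comparator.trim());
  const op = m[1] || "=";
  const c = compareVersions(version, m[2]);
  switch (op) {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

// A range matches if any "||" alternative has all of its comparators satisfied.
function satisfiesRange(version, range) {
  return range.split("||").some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp)));
}

// The filter itself: advisories for packages that are not installed, or whose
// installed version is outside the vulnerable range, are dropped.
function findVulnerableDeps(deps, feed) {
  const findings = [];
  for (const adv of feed) {
    const installed = deps[adv.module];
    if (installed === undefined) continue;
    if (satisfiesRange(installed, adv.vulnerable)) {
      findings.push({ id: adv.id, module: adv.module, installed,
                      patched: adv.patched, title: adv.title });
    }
  }
  return findings;
}

for (const f of findVulnerableDeps(resolvedDeps, advisoryFeed)) {
  console.log(`${f.id} ${f.module}@${f.installed}: ${f.title} (fixed in ${f.patched})`);
}
```

The checker is only as good as its feed: a package with no published advisory produces no finding, which is the point the comment makes about coverage depending on how many people actually file CVEs.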

------
mfkp
I remember seeing something similar posted here for Ruby (RubyGems) - does
anybody remember what that service was called?

~~~
oddmunds
[https://gemnasium.com/](https://gemnasium.com/)

