Update license links (#3534)

* Remove hardcoded license in rules

* Update README and LICENSE

* Update references

* references required only for security rules

LICENSE

@@ -1,11 +1 @@
-“Commons Clause” License Condition v1.0
-
-The Software is provided to you by the Licensor under the License, as defined below, subject to the following condition.
-
-Without limiting other conditions in the License, the grant of rights under the License will not include, and the License does not grant to you, the right to Sell the Software.
-
-For purposes of the foregoing, “Sell” means practicing any or all of the rights granted to you under the License to provide to third parties, for a fee or other consideration (including without limitation fees for hosting or consulting/ support services related to the Software), a product or service whose value derives, entirely or substantially, from the functionality of the Software. Any license notice or attribution required by the License must also include this Commons Clause License Condition notice.
-
-Software: semgrep-rules (https://github.com/semgrep/semgrep-rules)
-License: LGPL 2.1 (GNU Lesser General Public License, Version 2.1)
-Licensor: Semgrep, Inc. (https://semgrep.dev)
+Semgrep Rules License v1.0. For more details, visit [semgrep.dev/rules-license](semgrep.dev/legal/rules-license)

README.md

@@ -28,11 +28,12 @@ You can also learn how to write rules using the [interactive, example-based Semg
 
 ## Contributing
 
-We welcome Semgrep rule contributions directly to this repository! When submitting your contribution to this repository, we’ll ask you to make Semgrep, Inc. a joint owner of your contributions. While you still own copyright rights to your rule, joint ownership allows Semgrep, Inc. to license these contributions to other [Semgrep Registry](https://semgrep.dev/r) users pursuant to the LGPL 2.1 under the [Commons Clause](https://commonsclause.com/). See full [license details](https://github.com/returntocorp/semgrep-rules/blob/develop/LICENSE).
+We welcome Semgrep rule contributions directly to this repository! When submitting your contribution, you grant Semgrep, Inc. a license to use, modify, and distribute your contribution under the {Semgrep Rules License v. 1.0](semgrep.dev/legal/rules-license). This ensures your rule can be shared with other Semgrep Registry users.
 
-Note: To contribute, review the **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** documentation.
+To contribute, please review our  **[Contributing to Semgrep rules](https://semgrep.dev/docs/contributing/contributing-to-semgrep-rules-repository/)** guidelines.
+
+You can also reach out to us at [email protected], and we will help import your rules for others to use!
 
-You can also contact us at [email protected] to make Semgrep rule contributions. We will import your rules for everyone to use!
 
 ## Additional information
 

dockerfile/best-practice/remove-package-cache.yaml

@@ -16,4 +16,3 @@ rules:
       category: best-practice
       technology:
         - dockerfile
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

generic/secrets/security/detected-artifactory-password.yaml

@@ -44,4 +44,3 @@ rules:
         - audit
       likelihood: LOW
       impact: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

generic/secrets/security/detected-aws-account-id.yaml

@@ -55,4 +55,3 @@ rules:
         - audit
       likelihood: LOW
       impact: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

generic/secrets/security/detected-google-api-key.yaml

@@ -15,7 +15,6 @@ rules:
     technology:
     - secrets
     - google
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     confidence: LOW
     owasp:
     - A07:2021 - Identification and Authentication Failures

generic/secrets/security/detected-telegram-bot-api-key.yaml

@@ -16,7 +16,6 @@ rules:
     technology:
     - secrets
     - telegram
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     confidence: LOW
     owasp:
     - A07:2021 - Identification and Authentication Failures

generic/secrets/security/detected-username-and-password-in-uri.yaml

@@ -26,7 +26,6 @@ rules:
     technology:
     - secrets
     confidence: MEDIUM
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

go/gorilla/security/audit/handler-assignment-from-multiple-sources.yaml

@@ -7,7 +7,6 @@ rules:
     technology:
     - gorilla
     confidence: MEDIUM
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://cwe.mitre.org/data/definitions/289.html
     subcategory:

go/lang/security/audit/sqli/pg-orm-sqli.yaml

@@ -84,5 +84,4 @@ rules:
         - vuln
       likelihood: LOW
       impact: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     severity: ERROR

go/lang/security/audit/xss/no-direct-write-to-responsewriter.yaml

@@ -11,7 +11,6 @@ rules:
     category: security
     cwe:
     - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A07:2017 - Cross-Site Scripting (XSS)
     - A03:2021 - Injection

go/lang/security/injection/raw-html-format.yaml

@@ -21,7 +21,6 @@ rules:
     - go
     references:
     - https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     confidence: MEDIUM
     cwe2022-top25: true
     cwe2021-top25: true

go/lang/security/injection/tainted-url-host.yaml

@@ -21,7 +21,6 @@ rules:
       category: security
       technology:
         - go
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       confidence: HIGH
       cwe2022-top25: true
       cwe2021-top25: true

java/android/best-practice/manifest-security-features.yaml

@@ -9,7 +9,6 @@ rules:
       Config is present.
     metadata:
       category: best-practice
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       technology:
         - android
       references:
@@ -33,7 +32,6 @@ rules:
       if a Network Security Config is present.
     metadata:
       category: best-practice
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       technology:
         - android
       references:

java/android/best-practice/network-security-config.yml

@@ -10,7 +10,6 @@ rules:
     `<network-security-config>`)
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -40,7 +39,6 @@ rules:
     pin as a backup.
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -78,7 +76,6 @@ rules:
     default to trusting system CAs and disregard the pin.
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -108,7 +105,6 @@ rules:
     `<network-security-config>`)
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:
@@ -141,7 +137,6 @@ rules:
     `<network-security-config>`)
   metadata:
     category: best-practice
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     technology:
     - android
     references:

java/lang/security/audit/xss/no-direct-response-writer.yaml

@@ -29,7 +29,6 @@ rules:
       - java
       - servlets
     interfile: true
-    license: proprietary license - copyright © Semgrep, Inc.
   languages:
     - java
   mode: taint

java/spring/security/injection/tainted-sql-string.yaml

@@ -21,7 +21,6 @@ rules:
       category: security
       technology:
         - spring
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       cwe2022-top25: true
       cwe2021-top25: true
       subcategory:

javascript/browser/security/open-redirect-from-function.yaml

@@ -22,7 +22,6 @@ rules:
     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
     technology:
     - browser
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     subcategory:
     - vuln
     likelihood: LOW

javascript/browser/security/open-redirect.yaml

@@ -25,7 +25,6 @@ rules:
     - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
     technology:
     - browser
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     subcategory:
     - vuln
     likelihood: HIGH

javascript/browser/security/raw-html-concat.yaml

@@ -12,7 +12,6 @@ rules:
     category: security
     technology:
     - browser
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

javascript/express/security/audit/express-open-redirect.yaml

@@ -20,7 +20,6 @@ rules:
       likelihood: HIGH
       impact: MEDIUM
       confidence: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     languages:
       - javascript
       - typescript

javascript/express/security/audit/xss/direct-response-write.yaml

@@ -26,7 +26,6 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     vulnerability_class:
     - Cross-Site-Scripting (XSS)
   languages:

javascript/express/security/injection/tainted-sql-string.yaml

@@ -19,7 +19,6 @@ rules:
     category: security
     technology:
     - express
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

javascript/lang/security/audit/detect-non-literal-fs-filename.yaml

@@ -16,7 +16,6 @@ rules:
     category: security
     technology:
     - typescript
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

javascript/lang/security/audit/sqli/node-knex-sqli.yaml

@@ -23,7 +23,6 @@ rules:
     - express
     - nodejs
     - knex
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

javascript/lang/security/audit/sqli/node-mssql-sqli.yaml

@@ -17,7 +17,6 @@ rules:
     category: security
     technology:
     - mssql
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://www.npmjs.com/package/mssql
     cwe2022-top25: true

javascript/lang/security/audit/sqli/node-mysql-sqli.yaml

@@ -22,7 +22,6 @@ rules:
     - mysql2
     - javascript
     - nodejs
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

javascript/lang/security/detect-child-process.yaml

@@ -16,7 +16,6 @@ rules:
     category: security
     technology:
     - javascript
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

javascript/sequelize/security/audit/sequelize-injection-express.yaml

@@ -27,7 +27,6 @@ rules:
       likelihood: HIGH
       impact: HIGH
       confidence: HIGH
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     languages:
       - javascript
       - typescript

json/aws/security/public-s3-bucket.yaml

@@ -12,7 +12,6 @@ rules:
     category: security
     cwe:
     - 'CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls'
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A01:2021 - Broken Access Control
     references:

json/npm/security/package-dependencies-check.yml

@@ -45,7 +45,6 @@ rules:
     - https://cwe.mitre.org/data/definitions/427.html
     technology:
     - npm
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     subcategory:
     - audit
     likelihood: LOW

kotlin/lang/security/defaulthttpclient-is-deprecated.yaml

@@ -15,7 +15,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

kotlin/lang/security/ecb-cipher.yaml

@@ -10,7 +10,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

kotlin/lang/security/gcm-detection.yaml

@@ -8,7 +8,6 @@ rules:
     - https://cwe.mitre.org/data/definitions/323.html
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A02:2021 - Cryptographic Failures
     subcategory:

kotlin/lang/security/no-null-cipher.yaml

@@ -16,7 +16,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

kotlin/lang/security/unencrypted-socket.yaml

@@ -15,7 +15,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

kotlin/lang/security/use-of-md5.yaml

@@ -15,7 +15,6 @@ rules:
     category: security
     technology:
     - kotlin
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     references:
     - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
     subcategory:

metadata-schema.yaml.schm

@@ -3,7 +3,6 @@ schema:
   allOf:
   - type: object
     required:
-    - references
     - category
     - technology
     properties:
@@ -90,4 +89,5 @@ schema:
       - likelihood
       - impact
       - subcategory
+      - references
 

php/doctrine/security/audit/doctrine-dbal-dangerous-query.yaml

@@ -9,7 +9,6 @@ rules:
     category: security
     cwe:
     - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A01:2017 - Injection
     - A03:2021 - Injection

php/doctrine/security/audit/doctrine-orm-dangerous-query.yaml

@@ -11,7 +11,6 @@ rules:
     category: security
     cwe:
     - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp:
     - A01:2017 - Injection
     - A03:2021 - Injection

php/lang/security/injection/tainted-url-host.yaml

@@ -23,7 +23,6 @@ rules:
     category: security
     technology:
     - php
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

php/lang/security/php-ssrf.yaml

@@ -31,7 +31,6 @@ rules:
     metadata:
       references: 
         - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
-      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
       cwe:
         - "CWE-918: Server-Side Request Forgery (SSRF)"
       category: security

python/aws-lambda/security/dangerous-asyncio-create-exec.yaml

@@ -46,7 +46,6 @@ rules:
     category: security
     technology:
     - python
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory:

python/aws-lambda/security/dangerous-asyncio-exec.yaml

@@ -41,7 +41,6 @@ rules:
     technology:
     - python
     - aws-lambda
-    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     cwe2022-top25: true
     cwe2021-top25: true
     subcategory: