Add license for xen importer

TG1999 · TG1999 · commit 94c2c8cd71f7 · 2023-01-27T01:31:05.000+05:30
Signed-off-by: Tushar Goel &lt;tushar.goel.dav@gmail.com&gt;
diff --git a/vulnerabilities/importers/xen.py b/vulnerabilities/importers/xen.py
@@ -17,8 +17,33 @@
 class XenImporter(Importer):
 
     url = "https://xenbits.xen.org/xsa/xsa.json"
-    spdx_license_expression = "GPL-2"
-    license_url = "https://wiki.xenproject.org/wiki/Xen_FAQ_General"
+    spdx_license_expression = "LicenseRef-scancode-other-permissive"
+    notice = """
+    From: George Dunlap <george.dunlap@cloud.com>
+    Date: Wed, Jan 25, 2023 at 4:57 PM
+    Subject: Re: Usage of Xen Security Data in VulnerableCode
+    To: Tushar Goel <tushar.goel.dav@gmail.com>
+    Cc: Andrew Cooper <Andrew.Cooper3@citrix.com>, xen-devel@lists.xenproject.org <xen-devel@lists.xenproject.org>, Xen Security <security@xen.org>, Philippe Ombredanne <pombredanne@nexb.com>, <jmhoran@nexb.com>
+
+    On Thu, Jan 19, 2023 at 1:10 PM Tushar Goel <tushar.goel.dav@gmail.com> wrote:
+    >
+    > Hi Andrew,
+    >
+    > > Maybe we want to make it CC-BY-4 to require people to reference back to
+    > > the canonical upstream ?
+    > Thanks for your response, can we have a more declarative statement on
+    > the license from your end
+    > and also can you please provide your acknowledgement over the usage of
+    > Xen security data in vulnerablecode.
+
+
+    Hey Tushar,
+    Informally, the Xen Project Security Team is happy for you to include the data from xsa.json in your open-source vulnerability database. As a courtesy we'd request that it be documented where the information came from. (I think if the data includes links to then advisories on our website, that will suffice.)
+    Formally, we're not copyright lawyers; but we don't think there's anything copyright-able in the xsa.json: There is no editorial or creative control in the generation of that file; it's just a collection of facts which you could re-generate by scanning all the advisories. (In fact that's exactly how the file is created; i.e., the collection of advisory texts is our "source of truth".)
+    We do have "Officially license all advisory text as CC-BY-4" on our to-do list; if you'd be more comfortable with an official license for xsa.json as well, we can add that to the list.
+
+     -George
+    """
 
     def advisory_data(self):
         data = fetch_response(self.url).json()
