
Semgrep “rug pull” triggers fork storm: Time to get a grep?

"If you told me a couple of months ago that I’d be teaming up with my AppSec competitors, I wouldn’t believe you."

Software testing firm Semgrep is in the midst of a fork storm, after a pre-Christmas change in its license policy prompted a group of partners and contributors to launch their own open-source alternative, "Opengrep".

But some of the fork backers have themselves been accused of not being particularly upstanding open-source citizens.

Semgrep Inc, based in the Bay Area, has been producing its scanning engine and the associated rules component for static application security testing since 2017. Both had operated under the LGPL license.

However, in December it announced what it called

“A few updates to the Semgrep OSS engine and rules—now collectively named Semgrep Community Edition—to better distinguish their free community-focused nature from our commercial offerings, and to clarify that other vendors may not use Semgrep Community Edition rules as part of a competing Software as a Service offering.”

This included moving the rules component under the “Semgrep Rules License v.1.0, so that they’re available only for internal, non-competing, and non-SaaS contexts.” The engine itself remains under LGPL 2.1.

It may, or may not, be significant that Semgrep clinched $53m in funding in 2023. More recently, it has started to describe its technology as AI-powered, talking of “Your New AI AppSec Engineer.”

Either way, its move echoes the playbooks of other companies that have thought twice about what exactly being open source means, such as Redis, HashiCorp and Elastic, particularly when it comes to other companies building services on their code.


A similarly resounding echo came from the wider Semgrep ecosystem, which this week announced Opengrep following what it described as Semgrep’s “open source clampdown.”

In a statement, the backers described Opengrep as “a collaborative fork of Semgrep's code analysis engine.”

They include at least 10 security firms in the US, Europe and Israel, including Aikido Security, Amplify Security, Endor Labs, and Mobb. They railed against “Open-source license changes by private vendors [which] can disrupt contributors and communities that help build these projects.”

They claimed, in their announcement, that the December changes “mean community-contributed rules are now locked behind a commercial license, and essential features like tracking ignores, fingerprinting, and meta-variables—developed with community support—are no longer open-source.”

"This harms the broader open-source ecosystem," the Opengrep sponsors note. "The development community must now think twice before investing in open-source."

Orca field CTO Neil Carpenter, for example, welcomed his company's backing of the fork, saying: "I think this gives us all [the chance] to have a common language and a shared grammar for talking about static code scanning and to build on. SAST is a capability that is coming up more frequently in my conversations and it makes a lot of sense to me, as we more frequently scan source code repos for any number of reasons, to scan them for common patterns that lead to security issues."

Endor Labs' CEO Varun Badhwar added: "If you told me a couple of months ago that I’d be teaming up with my AppSec competitors, I wouldn’t believe you..."

But the Opengrep announcement, and its backers, were not universally welcomed.

On LinkedIn, Martin Torp, co-founder of Danish open-source vulnerability scanner Coana, accused many of the backers of historically doing “little to nothing to support the open source community”.

Torp added, “most of the sponsoring companies haven’t even contributed a single line of code.” This in turn sparked a stream of replies ranging from even-handed to acrimonious, including from some of the backers of Opengrep. We asked Semgrep for their take on matters. We’ll let you know if and when they get back.
