German Court: Linking a GPL-2.0 licensed Library triggers Copyleft

By Dr. Till Jaeger

The Berlin District Court II prohibited the distribution of a security scanner in preliminary injunction proceedings, ruling that it violated GPL-2.0, AGPL-3.0, and ODbL-1.0.

In a legal dispute between two competitors offering security scanners, one provider offered another provider’s open-source software in the Microsoft Azure Marketplace. In addition to the usual license violations, such as missing license texts and a failure to provide a reference to the source code, the copyleft of GPL-2.0 was violated.

Known vulnerabilities are detected using “vulnerability tests” licensed under GPL-2.0. These programs are collected in a large database of over 100,000 vulnerability tests known as the “OpenVAS Community Feed” (formerly the “Greenbone Community Feed”) and are updated regularly. The infringer added its own vulnerability tests to the “Greenbone Community Feed,” which was licensed under ODbL-1.0. These tests were linked to GPL-2.0-licensed libraries from the open-source provider via an #include command. The court considered this to be a “derivative work” and prohibited distributing such vulnerability tests unless they were licensed under GPL-2.0.

In accordance with the customary practice in preliminary injunction proceedings before German courts, the reasoning given for the decision is brief and does not contain any details as to why a derivative work is to be assumed in this case. This is due to the fact that more detailed reasoning can only be expected after an objection to a preliminary injunction has been lodged, which was not the case in this instance. The infringer consented to the preliminary injunction, thereby acknowledging its binding nature.

The decision is noteworthy for two additional reasons. First, it pertains to a dispute between competitors, and the infringement claim was based not only on copyright but also on unfair competition. However, the court did not determine whether the decision was based on one or both legal grounds. Second, a violation of ODbL-1.0 was also assumed with regard to the sui generis database right of the provider of the Greenbone Community Feed. It is important to note that this license does not extend to the intellectual property rights associated with the individual vulnerability tests, which are governed by the GPL-2.0 license. Instead, it pertains to the database maker’s rights concerning the collection of the individual programs, a process that necessitates a substantial investment in the selection, testing, or procurement of the software programs. The copyleft of the license was also affected because the infringer had added its own programs to the database without subjecting this modified database to ODbL-1.0.

A statement from the infringed provider in German: https://www.greenbone.net/en/blog/peacocks-and-crows-in-it-security/