├── BUILDING.md ├── images ├── zap-issue-1.png ├── zap-issue-2.png └── zap-issue-3.png ├── .github └── workflows │ ├── check-run.yml │ └── check-dist.yml ├── package.json ├── .gitignore ├── action.yml ├── index.js ├── CHANGELOG.md ├── README.md └── LICENSE /BUILDING.md: -------------------------------------------------------------------------------- 1 | ## Build instructions 2 | 3 | Build using `npm run package` -------------------------------------------------------------------------------- /images/zap-issue-1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zaproxy/action-baseline/HEAD/images/zap-issue-1.png -------------------------------------------------------------------------------- /images/zap-issue-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zaproxy/action-baseline/HEAD/images/zap-issue-2.png -------------------------------------------------------------------------------- /images/zap-issue-3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zaproxy/action-baseline/HEAD/images/zap-issue-3.png -------------------------------------------------------------------------------- /.github/workflows/check-run.yml: -------------------------------------------------------------------------------- 1 | name: Check run 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | paths-ignore: 8 | - '**.md' 9 | pull_request: 10 | paths-ignore: 11 | - '**.md' 12 | workflow_dispatch: 13 | 14 | jobs: 15 | check-run: 16 | runs-on: ubuntu-latest 17 | 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@v4 21 | 22 | - run: sudo apt-get update && sudo apt-get install -y nginx && sudo systemctl start nginx 23 | 24 | - name: ZAP Scan 25 | uses: ./ 26 | id: action-baseline 27 | with: 28 | target: 'http://localhost' 29 | allow_issue_writing: false -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "action-baseline-scan", 3 | "version": "1.0.0", 4 | "description": "ZAP baseline scan action", 5 | "main": "index.js", 6 | "scripts": { 7 | "package": "ncc build index.js -o dist" 8 | }, 9 | "repository": { 10 | "type": "git", 11 | "url": "git+https://github.com/zaproxy/action-baseline.git" 12 | }, 13 | "keywords": [ 14 | "GitHub", 15 | "Actions", 16 | "JavaScript", 17 | "ZAP" 18 | ], 19 | "author": "ZAP Team", 20 | "bugs": { 21 | "url": "https://github.com/zaproxy/action-baseline/issues" 22 | }, 23 | "dependencies": { 24 | "@actions/core": "^1.11.1", 25 | "@actions/exec": "^1.1.1", 26 | "@zaproxy/actions-common-scans": "^1.4.0", 27 | "lodash": "^4.17.21" 28 | }, 29 | "devDependencies": { 30 | "@vercel/ncc": "^0.36.1" 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Eclipse 2 | *.project 3 | *.settings 4 | 5 | node_modules/ 6 | *.DS_Store 7 | 8 | # Editors 9 | .vscode 10 | 11 | # Logs 12 | logs 13 | *.log 14 | npm-debug.log* 15 | yarn-debug.log* 16 | yarn-error.log* 17 | 18 | # Runtime data 19 | pids 20 | *.pid 21 | *.seed 22 | *.pid.lock 23 | 24 | # Directory for instrumented libs generated by jscoverage/JSCover 25 | lib-cov 26 | 27 | # Coverage directory used by tools like istanbul 28 | coverage 29 | 30 | # nyc test coverage 31 | .nyc_output 32 | 33 | # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) 34 | .grunt 35 | 36 | # Bower dependency directory (https://bower.io/) 37 | bower_components 38 | 39 | # node-waf configuration 40 | .lock-wscript 41 | 42 | # Compiled binary addons (https://nodejs.org/api/addons.html) 43 | build/Release 44 | 45 | # Other Dependency directories 46 | jspm_packages/ 47 | 48 | # TypeScript v1 declaration files 49 | typings/ 50 | 51 | # Optional npm cache directory 52 | .npm 53 | 54 | # Optional eslint cache 55 | .eslintcache 56 | 57 | # Optional REPL history 58 | .node_repl_history 59 | 60 | # Output of 'npm pack' 61 | *.tgz 62 | 63 | # Yarn Integrity file 64 | .yarn-integrity 65 | 66 | # dotenv environment variables file 67 | .env 68 | 69 | # next.js build output 70 | .next 71 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'ZAP Baseline Scan' 2 | description: 'Scans the web application with the ZAP Baseline Scan' 3 | branding: 4 | icon: 'zap' 5 | color: 'blue' 6 | inputs: 7 | token: 8 | description: 'GitHub Token to create issues in the repository' 9 | required: false 10 | default: ${{ github.token }} 11 | target: 12 | description: 'Target URL' 13 | required: true 14 | rules_file_name: 15 | description: 'Relative path of the ZAP configuration file' 16 | required: false 17 | docker_name: 18 | description: 'The Docker file to be executed' 19 | required: true 20 | default: 'ghcr.io/zaproxy/zaproxy:stable' 21 | cmd_options: 22 | description: 'Additional command line options' 23 | required: false 24 | issue_title: 25 | description: 'The title for the GitHub issue to be created' 26 | required: false 27 | default: 'ZAP Scan Baseline Report' 28 | fail_action: 29 | description: 'The action status will be set to fail if ZAP identifies any alerts during the baseline scan' 30 | required: false 31 | default: false 32 | allow_issue_writing: 33 | description: 'The action will file the report to the GitHub issue using the issue_title input' 34 | required: false 35 | default: true 36 | artifact_name: 37 | description: 'The name of the artifact that contains the ZAP reports' 38 | required: false 39 | default: 'zap_scan' 40 | runs: 41 | using: 'node24' 42 | main: 'dist/index.js' 43 | -------------------------------------------------------------------------------- /.github/workflows/check-dist.yml: -------------------------------------------------------------------------------- 1 | # `dist/index.js` is a special file in Actions. 2 | # When you reference an action with `uses:` in a workflow, 3 | # `index.js` is the code that will run. 4 | # For our project, we generate this file through a build process from other source files. 5 | # We need to make sure the checked-in `index.js` actually matches what we expect it to be. 6 | name: Check dist/ 7 | 8 | on: 9 | push: 10 | branches: 11 | - master 12 | paths-ignore: 13 | - '**.md' 14 | pull_request: 15 | paths-ignore: 16 | - '**.md' 17 | workflow_dispatch: 18 | 19 | jobs: 20 | check-dist: 21 | runs-on: ubuntu-latest 22 | 23 | steps: 24 | - uses: actions/checkout@v4 25 | 26 | - name: Set Node.js 27 | uses: actions/setup-node@v4 28 | with: 29 | node-version: 20.x 30 | 31 | - name: Install dependencies 32 | run: npm ci 33 | 34 | - name: Rebuild the dist/ directory 35 | run: npm run package 36 | 37 | - name: Compare the expected and actual dist/ directories 38 | run: | 39 | if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then 40 | echo "Detected uncommitted changes after build. See status below:" 41 | git diff 42 | exit 1 43 | fi 44 | id: diff 45 | 46 | # If index.js was different than expected, upload the expected version as an artifact 47 | - uses: actions/upload-artifact@v4 48 | if: ${{ failure() && steps.diff.conclusion == 'failure' }} 49 | with: 50 | name: dist 51 | path: dist/ 52 | -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | const core = require('@actions/core'); 2 | const exec = require('@actions/exec'); 3 | const common = require('@zaproxy/actions-common-scans'); 4 | const _ = require('lodash'); 5 | 6 | // Default file names 7 | let jsonReportName = 'report_json.json'; 8 | let mdReportName = 'report_md.md'; 9 | let htmlReportName = 'report_html.html'; 10 | 11 | async function run() { 12 | 13 | try { 14 | let workspace = process.env.GITHUB_WORKSPACE; 15 | let currentRunnerID = process.env.GITHUB_RUN_ID; 16 | let repoName = process.env.GITHUB_REPOSITORY; 17 | let token = core.getInput('token'); 18 | let docker_name = core.getInput('docker_name'); 19 | let target = core.getInput('target'); 20 | let rulesFileLocation = core.getInput('rules_file_name'); 21 | let cmdOptions = core.getInput('cmd_options'); 22 | let issueTitle = core.getInput('issue_title'); 23 | let failAction = core.getInput('fail_action'); 24 | let allowIssueWriting = core.getInput('allow_issue_writing'); 25 | let artifactName = core.getInput('artifact_name'); 26 | let createIssue = true; 27 | 28 | if (!(String(failAction).toLowerCase() === 'true' || String(failAction).toLowerCase() === 'false')) { 29 | console.log('[WARNING]: \'fail_action\' action input should be either \'true\' or \'false\''); 30 | } 31 | 32 | if (String(allowIssueWriting).toLowerCase() === 'false') { 33 | createIssue = false; 34 | } 35 | 36 | if (!artifactName) { 37 | console.log('[WARNING]: \'artifact_name\' action input should not be empty. Setting it back to the default name.'); 38 | artifactName = 'zap_scan'; 39 | } 40 | 41 | console.log('starting the program'); 42 | console.log('github run id :' + currentRunnerID); 43 | 44 | let plugins = []; 45 | if (rulesFileLocation) { 46 | plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`); 47 | } 48 | 49 | // Allow writing files from the Docker container. 50 | await exec.exec(`chmod a+w ${workspace}`); 51 | 52 | await exec.exec(`docker pull ${docker_name} -q`); 53 | let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE ` + 54 | `-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName} -r ${htmlReportName} ${cmdOptions}`); 55 | 56 | if (plugins.length !== 0) { 57 | command = command + ` -c ${rulesFileLocation}` 58 | } 59 | 60 | try { 61 | await exec.exec(command); 62 | } catch (err) { 63 | if (err.toString().includes('exit code 3')) { 64 | core.setFailed('failed to scan the target: ' + err.toString()); 65 | return 66 | } 67 | 68 | if ((err.toString().includes('exit code 2') || err.toString().includes('exit code 1')) 69 | && String(failAction).toLowerCase() === 'true') { 70 | console.log(`[info] By default ZAP Docker container will fail if it identifies any alerts during the scan!`); 71 | core.setFailed('Scan action failed as ZAP has identified alerts, starting to analyze the results. ' + err.toString()); 72 | }else { 73 | console.log('Scanning process completed, starting to analyze the results!') 74 | } 75 | } 76 | await common.main.processReport(token, workspace, plugins, currentRunnerID, issueTitle, repoName, createIssue, artifactName); 77 | } catch (error) { 78 | core.setFailed(error.message); 79 | } 80 | } 81 | 82 | run(); 83 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this GitHub action will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). 5 | 6 | ## [Unreleased] 7 | 8 | ## [0.15.0] - 2025-10-22 9 | ### Changed 10 | - Update dependencies. 11 | - Run with node24. 12 | 13 | ## [0.14.0] - 2024-11-20 14 | ### Changed 15 | - Update dependencies to stop using deprecated `upload-artifact` version. 16 | 17 | ## [0.13.0] - 2024-09-25 18 | ### Changed 19 | - Update dependencies, which adds rate-limiting when accessing the GitHub API. 20 | 21 | ### Fixed 22 | - Allow to write any file from the Docker container. [#118](https://github.com/zaproxy/action-baseline/issues/118) 23 | 24 | ## [0.12.0] - 2024-04-02 25 | ### Changed 26 | - Update dependencies. 27 | 28 | ## [0.11.0] - 2024-01-25 29 | ### Changed 30 | - Run with node20. [#114](https://github.com/zaproxy/action-baseline/issues/114) 31 | 32 | ## [0.10.0] - 2023-10-31 33 | ### Added 34 | - Support for authentication environment variables. 35 | 36 | ### Fixed 37 | - Update Crowdin link. 38 | 39 | ## [0.9.0] - 2023-08-02 40 | ### Changed 41 | - The default Docker image was changed to `ghcr.io/zaproxy/zaproxy:stable`. 42 | 43 | ## [0.8.2] - 2023-07-04 44 | ### Fixed 45 | - Fix an issue introduced in the previous release that prevented the use of the default GitHub authentication token to raise issues. 46 | 47 | ## [0.8.1] - 2023-07-03 48 | ### Fixed 49 | - Check issues with authenticated user. [#17](https://github.com/zaproxy/action-baseline/issues/17) 50 | 51 | ## [0.8.0] - 2023-06-30 52 | ### Added 53 | - An input (`artifact_name`) used to name the artifact that contains the ZAP reports. [#45](https://github.com/zaproxy/action-baseline/issues/45) 54 | 55 | ### Changed 56 | - Run action with Node 16. 57 | - Update dependencies. 58 | 59 | ## [0.7.0] - 2022-05-23 60 | ### Changed 61 | - Update dependencies. 62 | 63 | ### Fixed 64 | - Use default zap user rather than root to allow the Ajax Spider to run. 65 | 66 | ## [0.6.1] - 2021-10-08 67 | ### Changed 68 | - Revert previous change (not into effect), no longer needed. 69 | 70 | ## [0.6.0] - 2021-10-08 71 | ### Changed 72 | - Disabled the automation framework while we investigate a problem with it. 73 | 74 | ## [0.5.0] - 2021-09-14 75 | ### Added 76 | - An input (`allow_issue_writing`) to choose if a GitHub issue should be raised or not. [#56](https://github.com/zaproxy/action-baseline/issues/56) 77 | 78 | ### Changed 79 | - Update dependencies. 80 | 81 | ## [0.4.0] - 2020-10-08 82 | ### Added 83 | - Option to fail the status of the GitHub action if any alerts are found during the scan process. [#31](https://github.com/zaproxy/action-baseline/issues/31) 84 | 85 | ### Changed 86 | - Modified the action status to pass by default (previously fail by default) [#31](https://github.com/zaproxy/action-baseline/issues/31) 87 | - Reduced docker logs [#20](https://github.com/zaproxy/action-baseline/issues/20) 88 | 89 | ## [0.3.0] - 2020-04-28 90 | ### Added 91 | - Allow to configure the title of the issue raised, using the parameter `issue_title`. [#10](https://github.com/zaproxy/action-baseline/issues/10) 92 | 93 | ### Changed 94 | - Moved the common code to [actions-common-scans repository](https://github.com/zaproxy/actions-common) 95 | 96 | ## [0.2.0] - 2020-04-09 97 | ### Added 98 | - Allow to pass command line arguments to the baseline script, using the parameter `cmd_options`. [#4](https://github.com/zaproxy/action-baseline/issues/4) 99 | 100 | ### Changed 101 | - Improve the content of the issue raised and generate the HTML report. [#3](https://github.com/zaproxy/action-baseline/issues/3) 102 | 103 | ## [0.1.0] - 2020-04-07 104 | 105 | First release to Marketplace. 106 | 107 | [Unreleased]: https://github.com/zaproxy/action-baseline/compare/v0.15.0...HEAD 108 | [0.15.0]: https://github.com/zaproxy/action-baseline/compare/v0.14.0...v0.15.0 109 | [0.14.0]: https://github.com/zaproxy/action-baseline/compare/v0.13.0...v0.14.0 110 | [0.13.0]: https://github.com/zaproxy/action-baseline/compare/v0.12.0...v0.13.0 111 | [0.12.0]: https://github.com/zaproxy/action-baseline/compare/v0.11.0...v0.12.0 112 | [0.11.0]: https://github.com/zaproxy/action-baseline/compare/v0.10.0...v0.11.0 113 | [0.10.0]: https://github.com/zaproxy/action-baseline/compare/v0.9.0...v0.10.0 114 | [0.9.0]: https://github.com/zaproxy/action-baseline/compare/v0.8.2...v0.9.0 115 | [0.8.2]: https://github.com/zaproxy/action-baseline/compare/v0.8.1...v0.8.2 116 | [0.8.1]: https://github.com/zaproxy/action-baseline/compare/v0.8.0...v0.8.1 117 | [0.8.0]: https://github.com/zaproxy/action-baseline/compare/v0.7.0...v0.8.0 118 | [0.7.0]: https://github.com/zaproxy/action-baseline/compare/v0.6.1...v0.7.0 119 | [0.6.1]: https://github.com/zaproxy/action-baseline/compare/v0.6.0...v0.6.1 120 | [0.6.0]: https://github.com/zaproxy/action-baseline/compare/v0.5.0...v0.6.0 121 | [0.5.0]: https://github.com/zaproxy/action-baseline/compare/v0.4.0...v0.5.0 122 | [0.4.0]: https://github.com/zaproxy/action-baseline/compare/v0.3.0...v0.4.0 123 | [0.3.0]: https://github.com/zaproxy/action-baseline/compare/v0.2.0...v0.3.0 124 | [0.2.0]: https://github.com/zaproxy/action-baseline/compare/v0.1.0...v0.2.0 125 | [0.1.0]: https://github.com/zaproxy/action-baseline/compare/64ea8c12229f3351fcc50f5834b2c8db25042817...v0.1.0 126 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Action Baseline 2 | 3 | A GitHub Action for running the ZAP [Baseline scan](https://www.zaproxy.org/docs/docker/baseline-scan/) to find vulnerabilities in your web application. 4 | 5 | The ZAP baseline action scans a target URL for vulnerabilities and maintains an issue in GitHub repository for the 6 | identified alerts. Read the following [blog post](https://www.zaproxy.org/blog/2020-04-09-automate-security-testing-with-zap-and-github-actions) 7 | for additional information. 8 | 9 | ## Inputs 10 | 11 | ### `target` 12 | 13 | **Required** The URL of the web application to be scanned. This can be either a publicly available web application or a locally 14 | accessible URL. 15 | 16 | ### `docker_name` 17 | 18 | **Optional** The name of the docker file to be executed. By default the action runs the stable version of ZAP. But you can 19 | configure the parameter to use the weekly builds. 20 | 21 | ### `rules_file_name` 22 | 23 | **Optional** You can also specify a relative path to the rules file to ignore any alerts from the ZAP scan. Make sure to create 24 | the rules file inside the relevant repository. The following shows a sample rules file configuration. 25 | Make sure to checkout the repository (actions/checkout@v2) to provide the ZAP rules to the scan action. 26 | 27 | ```tsv 28 | 10011 IGNORE (Cookie Without Secure Flag) 29 | 10015 IGNORE (Incomplete or No Cache-control and Pragma HTTP Header Set) 30 | ``` 31 | 32 | ### `cmd_options` 33 | 34 | **Optional** Additional command lines options for the baseline script 35 | 36 | ### `allow_issue_writing` 37 | 38 | **Optional** By default the baseline action will file the report to the GitHub issue using the `issue_title` input. 39 | Set this to false if you don't want the issue to be created or updated. 40 | 41 | ### `issue_title` 42 | 43 | **Optional** The title for the GitHub issue to be created 44 | 45 | ### `token` 46 | 47 | **Optional** ZAP action uses the default action token provided by GitHub to create and update the issue for the baseline scan. 48 | You do not have to create a dedicated token. Make sure to use the GitHub's default action token when running the action(`secrets.GITHUB_TOKEN`). 49 | 50 | ### `fail_action` 51 | 52 | **Optional** By default ZAP Docker container will fail with an [exit code](https://github.com/zaproxy/zaproxy/blob/efb404d38280dc9ecf8f88c9b0c658385861bdcf/docker/zap-baseline.py#L31), 53 | if it identifies any alerts. Set this option to `true` if you want to fail the status of the GitHub Scan if ZAP identifies any alerts during the scan. 54 | 55 | ### `artifact_name` 56 | 57 | **Optional** By default the baseline action will attach the report to the build with the name `zap_scan`. Set this to a different string to name it something else. Consult [GitHub's documentation](https://github.com/actions/toolkit/blob/main/packages/artifact/docs/additional-information.md#non-supported-characters) for which artifact names are allowed. 58 | 59 | ## Environment variables 60 | 61 | If set, the following [ZAP authentication environment variables](https://www.zaproxy.org/docs/authentication/handling-auth-yourself/#authentication-env-vars) 62 | will be copied into the docker container: 63 | 64 | - `ZAP_AUTH_HEADER_VALUE` 65 | - `ZAP_AUTH_HEADER` 66 | - `ZAP_AUTH_HEADER_SITE` 67 | 68 | ## Example usage 69 | 70 | ** Basic ** 71 | ``` 72 | steps: 73 | - name: ZAP Scan 74 | uses: zaproxy/action-baseline@v0.15.0 75 | with: 76 | target: 'https://www.zaproxy.org' 77 | ``` 78 | 79 | ** Advanced ** 80 | 81 | ``` 82 | on: [push] 83 | 84 | jobs: 85 | zap_scan: 86 | runs-on: ubuntu-latest 87 | name: Scan the webapplication 88 | steps: 89 | - name: Checkout 90 | uses: actions/checkout@v5 91 | with: 92 | ref: master 93 | - name: ZAP Scan 94 | uses: zaproxy/action-baseline@v0.15.0 95 | with: 96 | token: ${{ secrets.GITHUB_TOKEN }} 97 | docker_name: 'ghcr.io/zaproxy/zaproxy:stable' 98 | target: 'https://www.zaproxy.org' 99 | rules_file_name: '.zap/rules.tsv' 100 | cmd_options: '-a' 101 | ``` 102 | 103 | ## Issue Description 104 | 105 | The following [issue](https://github.com/zaproxy/zaproxy-website/issues/93) shows how the GitHub Baseline Action scans the 106 | [https://www.zaproxy.org/](https://www.zaproxy.org/) website and notifies the users via opening an issue in the ZAP website repository. 107 | The issue will be created by the GitHub Actions bot and will list the alerts as issue comments. 108 | 109 | [![issue open](./images/zap-issue-1.png)](https://github.com/zaproxy/zaproxy-website/issues/93#issue-597219582) 110 | 111 | To demonstrate the workflow of the action; we are ignoring the alerts as they are not relevant, but this has the same effect as fixing them. 112 | Therefore during the second scan we are ignoring few alerts via ZAP rules and the action bot updates the issue with the newly ignored/resolved alerts. 113 | [![comment with issues resolved](./images/zap-issue-2.png)](https://github.com/zaproxy/zaproxy-website/issues/93#issuecomment-611490632) 114 | 115 | 116 | During the last scan we are ignoring all the alerts, thus resulting in finding zero alerts. Based on the scan results 117 | the actions bot will close the ongoing open issue. 118 | [![issue closed](./images/zap-issue-3.png)](https://github.com/zaproxy/zaproxy-website/issues/93#issuecomment-611496321) 119 | 120 | ## Localised Alert Details 121 | 122 | ZAP is internationalised and alert information is available in many languages. 123 | 124 | You can change the language used by this action by changing the locale via the `cmd_options` e.g.: `-z "-config view.locale=fr_FR"` 125 | 126 | See [https://github.com/zaproxy/zaproxy/tree/main/zap/src/main/dist/lang](https://github.com/zaproxy/zaproxy/tree/main/zap/src/main/dist/lang) for the full set of locales currently supported. 127 | 128 | You can help improve ZAP translations via [https://crowdin.com/project/zaproxy](https://crowdin.com/project/zaproxy). 129 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------