A New Sonar License for SonarQube Analyzers

Hello Sonar Community –

Today, we announced the Sonar Source Available License Version 1.0 (SSALv1) for Sonar analyzers, bundled in SonarQube Community Build and IDE. This copyleft license created by Sonar places certain limitations on the rights to use, copy, distribute, make available, and prepare derivative works of Sonar software.

If you are scanning your code using SonarQube Community Build or SonarQube for IDE, don’t worry—nothing will change!

Under the new license, users must adhere to the following:

• Derivative works must be licensed under SSAL and released publicly
• Users may not use the software to provide others with a product or service that includes or offers the same or substantially similar functionality as SonarQube
• The use of AI technology to engage with the software outside of what is already included in the software is strictly prohibited
• Users may not remove or obscure any licensing, copyright, or other notices

Until now, the analyzers packaged with SonarQube for IDE and SonarQube Community Build (formerly SonarLint and SonarQube Community Edition, respectively) have been distributed under the GNU Lesser GPL License, Version 3 (LGPLv3). Starting in December 2024, the binaries for SonarQube Community Build and SonarQube for IDE will continue to be released under the LGPLv3 license, but the bundled analyzers will be subject to the SSALv1.

Here’s an overview:

Note for OSS plugin developers: These license changes do not impact you or your licensing requirements. A custom plugin relying on any of our APIs (released under LGPLv3 or SSALv1) does not require a license change for the plugin.

Fabrice

Hi Fabrice,

We have developed our own language plugin.

We currently distribute this plugin internally and externally (to subcontractors) through our own Docker image based on https://hub.docker.com/layers/library/sonarqube/community/images/sha256-ceee7008d2aeae082866c4261ea48692ef3b83d28fd382f1add5f71a04cc4921?context=explore

Would it still be possible to distribute our plugin this way because the SonarQube Docker image contains binaries of analyzers under this new licence?

We also plan to distribute our plugin with the SonarQube Developer Edition. Are we allowed to distribute a Docker image based on https://hub.docker.com/layers/library/sonarqube/developer/images/sha256-f15e7859cf41d05f733dd9f4cc2a9c5dc97855516332fc062b31ede148e058eb?context=explore with our plugin?

Thank you

Regards

Nicolas

Hi Nicolas,

You can continue to distribute your plugin through the SonarQube Community Build Docker image as long as your plugin does not provide a product or service that includes or offers the same or substantially similar functionality as SonarQube. You cannot do it with the Docker images of our commercial editions, though.

If I may ask: why do you want/need to distribute your plugin through the Docker image and not through our plugin Marketplace? The Marketplace is designed for this, and it would give your plugin more visibility.

Hi Fabrice,

Thank you for your reply. It’s clearer now.

Our plugin is not open-source and we make our subcontractors pay for its usage.
I guess that you do not want to host “commercial” plugins on your marketplace, right?

Regards

Nicolas

Got it. And that’s right, the marketplace is for OSS plugins only for the time being.

Hi Fabrice – Hello! I’m a big fan of SonarQube and have a clarifying question about copyright and licensing.

The context is that I have been working on a project which allows for Sonar’s open source analyzers to be run as a CLI, licensed this under the LGPL.

I was surprised to see the recent announcement about re-licensing the analyzers from the LGPL license to a license written by Sonar.

My understanding is that the analyzers have been a LGPL work with many copyright owners beyond Sonar the company. (For example, the SonarJava analyzer alone has 136 unique authors dating back to 2012.)

I was not aware of any Contributor License Agreement requirement having been in place which would assign copyright for these contributions to Sonar the company.

Does SonarSource SA own the entire copyright for the the public analyzers? Or, is the copyright ownership of these analyzers a combination of code owned by SonarSource SA from it’s employees as well as community contributions?

If the latter, can you please help folks understand where those copyright assignments from community contributors to SonarSource SA took place?

I have been under the understanding that these codebases are LGPL licensed works which are a combination of SonarSource-owned contributions and community-owned contributions, and therefore that they would remain LGPL due to the copyleft nature.

Any clarifications would be appreciated!

Thank you,

-Bryan

(I had originally posted this as a separate thread and then found this thread which is a better spot, please feel free to delete the old thread)

Hi Bryan,

Yes, SonarSource is the sole owner of the copyright in its analyzers.

Hi Fabrice – Thank you for your reply.

Can you please explain how that can be the case, given that the analyzers have accepted contributions from the open-source community on GitHub?

Below I’ve included a list of some of the analyzer contributors. While many of these people obviously worked for SonarSource, others do not.

Do you have copyright assignments from these non-SonarSource employees?

(Without copyright assignments, it would seem like SonarSource could be at risk of violating the LGPL because it taking LGPL code, mixing it with other code, and then distributing it without the copyleft license.)

I appreciate your help clarifying this.

Best,

-Bryan

–

Adam Gabryś
Adam Lehenbauer
Akram Ben Aissi
Alban Auzeill
Alexander Kamushkin
Alexandre Gigleux
Alix Lourme
Amélie Renard
Andrea Guarino
Andreas Keefer
Andrei Epure
Andrey Tyukin
Angelo
Angelo Buono
Antoine de Troostembergh
Anton Haubner
Anton Rybochkin
Antonio Muñiz
Anurag870
Arnaud Brunet
Arseniy Zaostrovnykh
B1nj0y
Balázs Sándor
Ben Salem
Benjamin
Carlo Bottiglieri
Charles Andre Outin
Chris Gavin
Chrislain Razafimahefa
Christoph Dreis
Christophe Zurn
Christophe Zürn
Coffeeboy7
Damien PIQUET
Daniel White
David Cho-Lerat
David Gageot
David Owens
David Pursehouse
David RACODON
David Racodon
David Rautureau
Dependabot[bot]
Didier Besset
Dinesh Bolkensteyn
Dominik Adamiak
Dorian Burihabwa
Duarte Meneses
Elena
Elena Vilchik
Enrique S. Filiage
Eric
Eric Hartmann
Eric Hirlemann
Eric MORAND
Eric Morand
Eriks Nukis
Eugene
Evgeny Mandrikov
Fabrice Bellingard
Fernando Garcia
Freddy Mallet
Frédéric Leroy
G. Ann Campbell
GAUDIN
GabinL21
Gabriel Fleischer
Gabriele Santini
Gennadiy Litvinyuk
GitHub Actions Bot
Grégoire Aubert
Guillaume Dequenne
Guillaume Toison
Gwelican-laptop
Harold Shinsato
Hedi Nasr
Hendrik Buchwald
Hirle
Ilia Kebets
Irina Batinic
JMeterTea
Jamie Anderson
Janos Gyerik
Jean-Baptiste Giraudeau
Jean-Baptiste Lievremont
Jean-Baptiste Lièvremont
Jeanne
Jens Bannmann
Johann Beleites
Johnnei
Jonas Wielage
JoseLion
Julien Boucher
Julien Carsique
Julien HENRY
Julien Henry
Julien Herr
Julien Lancelot
Karim El Ouerghemmi
Karol Majewski
Kevin Ji
Korbinian Würl
Krzysztof Kocel
Krzysztof Suszyński
Larry Diamond
Laszlo Hathazy
Leonardo Pilastri
Linda
Linda Martin
Lindoox
Lior Samuni
Luc Bonade
Malena Ebert
Malte Skoruppa
Marcin Stachniuk
Marco Kaufmann
Margarita Nedzelska
Marichez Pierre
Markus Heberling
Massimo Paladin
Mathias Åhsberg
Matthew Caya
Matti Pöllä
Michael Clarke
Michael Gumowski
Michael Keppler
Michal Zgliczynski
Michel Pawlak
Miguel Angel Jimenez
Mike Birnstiehl
MikeBirnstiehl
MishaDemianenko
Nat Luengnaruemitchai
Nathan Osborn
Nebotov
Nicolas PERU
Nicolas Peru
Niko Huber
Nils Werner
Nito Moreno
Odilon Alves Oliveira
Olcbean
Olivier Gaudin
Orimarko
Patrick M.J. Roth
Paul O’Reilly
Paul Willworth
Pavel Mikula
Peter Trifanov
Phil Nash
Pierre-Loup TRISTANT
Pierre-Yves Nicolas
Quentin Jaquier
RE-team-bot
Renaud
Renaud T
René Wolfert
Rguihard
Robert Hencke
Roberto Orlandi
Rodrigo Carvalho Silva
Rudy Regazzoni
Samir M
Samuel Mercier
Sebastian Hungerecker
Sebastian Marek
Sebastien Vermeille
Simon Brandhof
Simon Legner
Simon Schrottner
Slawomir Jaranowski
Snyk Bot
Sonartech
Stanislav
Stas Vilchik
Steven Sheehy
Stylianos Agapiou
Sylvain Kuchen
Sylvain Laurent
Sébastien Lesaint
Thomas Levy
Thomas Turrell-Croft
Thomas Vérin
Tibor Blenessy
Tobias Gruetzmacher
Tom
Tomasz Tylenda
Truc Nguyen
Valentin Aebi
ValentinAebi-sonar
Victor
Victor Diez
Will May
Wouter Admiraal
Xu Huisheng
Yassin Kammoun
Yuki Nagai
Yves Dubois-Pelerin
Yves Dubois-Pèlerin
alexander-kamushkin-sonarsource
andrey-tyukin-sonarsource
benzonico
carlo
colin-sonarsource
comdeng
dependabot[bot]
eller86
eric-therond-sonarsource
erwan-serandour
erwan-serandour-sonarsource
francoismora
github-actions[bot]
ivandalbosco
jayadeep kinavoor madam
juboucher
karim-ouerghemmi-sonarsource
leonardo-pilastri-sonarsource
lindamartin
marco-bearzi-sonarsource
margarita-nedzelska-sonarsource
nicolas-harraudeau-sonarsource
nils-werner-sonarsource
pynicolas
quentin-jaquier-sonarsource
renovate[bot]
roberto-orlandi-sonarsource
rudy-regazzoni-sonarsource
tomasz-tylenda-sonarsource
tomverin
vilchik-elena
vilchik.elena
vincenzolaudizio
yassin-kammoun-sonarsource
zglicz

I’m also very interested with Bryan’s question.

I have a related one:

for Sonar analyzers, bundled in SonarQube Community Build and IDE

What do you mean by “bundled in SonarQube”? Do you mean plugins that are at the time of writing bundled in SonarQube? Or does it mean any plugin that may be bundled at some point in SonarQube?

Let’s say that I’m working on a plugin, under a very permissive licence, and that you love it and decide to bundle it in SonarQube, like the very permissive licence allows you to do. Does it automatically become bound to your licence?

If so, how can we protect our work from you?
If not, then we need the exact list of the plugins that are bound to the licence, because “bundled in SonarQube” doesn’t quite cover the reality.