stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

fix tests. new product advisories enhancements

Browse Source
This commit is contained in:
master
2026-01-25 19:11:36 +02:00
parent c70e83719e
commit 6e687b523a
504 changed files with 40610 additions and 3785 deletions
Download Patch File Download Diff File Expand all files Collapse all files

291
docs/legal/PLUGIN_DEVELOPER_FAQ.md Normal file
View File

@@ -0,0 +1,291 @@
# Plugin Developer FAQ
**Document Version:** 1.0.0
**Last Updated:** 2026-01-25
This FAQ addresses common questions from plugin developers working with the Stella Ops
Community Plugin Grant. For the full legal terms, see `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md`
in the repository root.
---
## General Questions
### Q1: What constitutes a "Plugin" under the Community Plugin Grant?
**A:** A Plugin is a separately packaged extension that interfaces with Stella Ops using
documented public plugin APIs or integration points. This includes:
**Examples of Plugins:**
- Custom vulnerability connectors (e.g., integrating a proprietary vulnerability database)
- CI/CD integrations (e.g., Jenkins, GitLab CI, Azure DevOps plugins)
- Output formatters (e.g., custom report templates, dashboard integrations)
- Notification connectors (e.g., Slack, Teams, PagerDuty integrations)
- Scanner analyzers (e.g., language-specific dependency parsers)
- Policy gates (e.g., custom compliance rules)
**NOT Plugins (derivative works requiring BUSL-1.1 compliance):**
- Modifications to Stella Ops core source code
- Forks that include modified Stella Ops components
- Extensions that copy substantial portions of Stella Ops internals
### Q2: Can I sell my plugin commercially?
**A:** Yes. You may develop and sell plugins commercially under license terms of your
choosing (including proprietary terms), provided:
1. Your plugin does not include, copy, or modify Stella Ops source code; AND
2. You comply with the attribution requirements (see Q4).
Your commercial plugin license is entirely separate from the BUSL-1.1 license covering
Stella Ops itself.
### Q3: Do I need to open-source my plugin?
**A:** No. Plugins that interface with Stella Ops through public APIs do not need to be
open-sourced. You may use any license you choose, including proprietary licenses.
**Exception:** If your plugin includes, copies, or modifies any portion of Stella Ops
source code, it becomes a derivative work subject to BUSL-1.1.
### Q4: What attribution is required when distributing a plugin?
**A:** When distributing a plugin, you should:
1. **Acknowledge compatibility:** State that your plugin is designed for use with
Stella Ops (e.g., "Compatible with Stella Ops Suite")
2. **Include license reference:** If your plugin distribution includes any Stella Ops
components (even configuration samples), include the LICENSE and NOTICE files
3. **Link to source:** Provide a link to the Stella Ops source repository
(https://git.stella-ops.org)
**Minimum attribution example:**
```
This plugin is designed for use with Stella Ops Suite.
Stella Ops is licensed under BUSL-1.1. See https://git.stella-ops.org
```
---
## Usage Limits
### Q5: What counts as an "Environment"?
**A:** An Environment is a logically separated workspace within a Stella Ops installation.
The free tier allows up to 3 Environments per installation.
**Each of these counts as one Environment:**
- A "Development" environment for testing scans
- A "Staging" environment for pre-production validation
- A "Production" environment for live deployments
- A tenant/workspace in a multi-tenant setup
- A project or team workspace with isolated configuration
**These do NOT count as separate Environments:**
- High-availability replicas of the same environment
- Read replicas or cache nodes
- Backup/disaster recovery instances (if not actively used)
**Example scenarios:**
| Scenario | Environment Count |
|----------|------------------|
| Single dev laptop installation | 1 |
| Dev + Staging + Prod for one team | 3 |
| Two separate teams, each with Dev + Prod | 4 (requires commercial license) |
| MSP hosting 5 isolated customer instances | 5 (requires commercial license) |
### Q6: What counts as a "Scan"?
**A:** A Scan is one completed execution of Stella Ops' vulnerability or artifact analysis
pipeline that produces a new result. The free tier allows up to 999 Scans per calendar day.
**Counts as a Scan:**
- First-time scan of a container image (new hash)
- Re-scan of a modified image (hash changed)
- SBOM generation for a new artifact
- VEX statement generation for new findings
**Does NOT count as a Scan:**
- Cache hits (retrieving previously scanned results)
- Viewing existing scan reports
- Policy evaluation on cached data
- API queries for existing results
**Deduplication:** Stella Ops uses hash-based deduplication. Scanning the same artifact
multiple times only counts as one Scan if the hash hasn't changed.
### Q7: What happens if my users exceed the free limits?
**A:** If users of your plugin exceed the free tier limits (3 Environments or 999 Scans/day):
1. **They need a commercial license** - The user (not the plugin developer) is responsible
for licensing compliance
2. **Your plugin continues to work** - There's no technical enforcement in the plugin itself
3. **Quota enforcement is server-side** - Stella Ops may introduce delays after limits
are exceeded (see `docs/legal/30_QUOTA_ENFORCEMENT_FLOW1.md`)
As a plugin developer, you should:
- Document the free tier limits in your plugin documentation
- Recommend users contact stella-ops.org for commercial licensing if they exceed limits
- Not build quota circumvention into your plugin
---
## Bundling & Distribution
### Q8: Can I bundle Stella Ops core with my plugin?
**A:** This depends on how you bundle:
**Allowed (aggregation):**
- Shipping your plugin alongside Stella Ops as separate components
- Docker Compose files that reference Stella Ops images
- Helm charts that deploy Stella Ops as a dependency
- Installation scripts that download Stella Ops separately
**Requires BUSL-1.1 compliance (derivative work):**
- Embedding Stella Ops source code into your plugin
- Modifying Stella Ops binaries and redistributing
- Creating a single binary that includes Stella Ops components
**Requires commercial license:**
- Bundling into a competing managed service offering
- White-labeling Stella Ops functionality
### Q9: Can I create a plugin that modifies Stella Ops behavior at runtime?
**A:** Yes, if the modification uses documented extension points:
**Allowed:**
- Plugins that register custom handlers via plugin APIs
- Extensions that add new endpoints or processing steps
- Integrations that intercept and transform data via documented hooks
**Not allowed without BUSL-1.1 derivative work compliance:**
- Runtime patching of Stella Ops binaries
- Monkey-patching internal classes or methods
- Replacing core components at runtime
The key distinction is whether you're using **documented public APIs** (allowed) vs.
**undocumented internal behavior** (derivative work).
---
## Commercial Considerations
### Q10: Can my plugin be used with Stella Ops commercial/SaaS offerings?
**A:** Yes. Plugins designed for the Community Plugin Grant are compatible with commercial
Stella Ops deployments. Commercial customers may use community plugins subject to their
commercial license terms.
### Q11: Do I need Licensor approval to publish a plugin?
**A:** No. You do not need approval from stella-ops.org to:
- Develop plugins
- Publish plugins (open source or commercial)
- List plugins in third-party marketplaces
However, stella-ops.org may maintain an official plugin registry with quality/security
standards for listed plugins.
### Q12: Can MSPs provide plugins to their managed customers?
**A:** Yes, with these considerations:
1. **Plugin distribution:** MSPs can freely distribute plugins to customers
2. **Stella Ops licensing:** Each customer deployment must comply with BUSL-1.1:
- Within free tier limits; OR
- Covered by MSP's commercial license; OR
- Customer has their own commercial license
See `docs/legal/SAAS_MSP_GUIDANCE.md` for detailed MSP scenarios.
---
## Edge Cases
### Q13: Does the Community Plugin Grant apply to unofficial API integrations?
**A:** The grant specifically covers plugins using "documented public plugin APIs or
integration points." For unofficial or undocumented APIs:
- Using undocumented APIs is at your own risk (they may change without notice)
- The Community Plugin Grant still applies if you're not modifying source code
- Relying on internal implementation details may create a derivative work
**Recommendation:** Use documented APIs for stable, supported integration.
### Q14: Can I fork Stella Ops and call it something else?
**A:** Forking is allowed under BUSL-1.1, but:
1. **BUSL-1.1 applies to the fork** - Production use requires compliance with the
Additional Use Grant or a commercial license
2. **Attribution required** - You must preserve LICENSE, NOTICE, and copyright notices
3. **No trademark use** - You may not use Stella Ops trademarks for your fork
4. **Change Date applies** - After the Change Date (2030-01-20), the fork converts to
Apache-2.0
### Q15: What if my plugin becomes popular and used beyond free tier limits?
**A:** Success is good! If your plugin enables usage beyond free tier limits:
1. **Users are responsible for licensing** - Not you as the plugin developer
2. **Consider partnership** - Contact stella-ops.org about potential partnership or
revenue sharing arrangements
3. **Document clearly** - Ensure your plugin documentation explains licensing requirements
### Q16: Can I host a free scanning service for the community using my plugin?
**A:** The BUSL-1.1 restriction specifically targets "public multi-tenant **paid** hosting."
Non-commercial, free-of-charge hosting for community benefit may be eligible for the
Community Program.
**Potentially eligible:**
- Free scanning for open source projects
- Academic/educational free access
- Non-profit services for other non-profits
**Not eligible (requires commercial license):**
- "Free tier" that upsells to paid services
- Free scanning bundled with paid consulting
- Any scenario where the free service drives commercial revenue
**Process:** Apply to the Community Program at community@stella-ops.org. Approval is
not automatic and is evaluated based on genuine community benefit.
See `docs/legal/SAAS_MSP_GUIDANCE.md` Section 4.3 for detailed guidance.
---
## Getting Help
**Technical questions about plugin development:**
- Documentation: `docs/plugins/`
- Community forum: https://community.stella-ops.org
**Licensing questions:**
- Email: legal@stella-ops.org
- FAQ: This document and `docs/legal/LEGAL_FAQ_QUOTA.md`
**Commercial licensing:**
- Email: sales@stella-ops.org
- Website: https://stella-ops.org/pricing
---
## See Also
- `LICENSE-ADDENDUM-COMMUNITY-PLUGIN-GRANT.md` - Full legal terms
- `docs/legal/LEGAL_FAQ_QUOTA.md` - Quota and free tier FAQ
- `docs/legal/SAAS_MSP_GUIDANCE.md` - MSP and SaaS guidance
- `docs/legal/LICENSE-COMPATIBILITY.md` - License compatibility for dependencies
---
*Document maintained by: Legal + Developer Relations*
*Last review: 2026-01-25*