Re: Clarity On GPL License Risk Issue

0 views

Skip to first unread message

Michael Ernst

unread,

Sep 2, 2022, 6:14:07 PM9/2/22

to Tapkir, Ankita, jth...@cs.washington.edu, db...@cs.washington.edu, jonatha...@gmail.com, smi...@cs.washington.edu, mcar...@cs.washington.edu, Sharnagate, Rakesh B, Bhattbhatt, Harish, Miller, Jennifer A, Bhalekar, Yogesh P, Checker Framework Developers

The list of licenses for version 2.0.0 is a typo. The list should only be the MIT license, and that is the case for more recent versions of the checker-qual artifact.

The licensing is explained in the Checker Framework Manual.

To eliminate the Black Duck warning, I suggest that you upgrade to a newer version of the checker-qual artifact. Version 2.0.0 is over 6 years old, and there have been over 80 releases since then. You can see the latest version and the release history at https://mvnrepository.com/artifact/org.checkerframework/checker-qual .

If you are obtaining it transitively, through another dependency, then I suggest that you update that one, or encourage its maintainer to update their dependencies.

-Mike

On Wed, Aug 31, 2022 at 11:57 PM Tapkir, Ankita <Ankita...@eaton.com> wrote:

Hi All,

We are using Checker Qual 2.0.0 in one of our code base. We have a security scanning tool named Black Duck which identifies vulnerabilities with the 3^rd party libraries. The tool reported a license risk issue that we are using a GPL-2.0-with-classpath-exception. I checked on the maven repository and found the license used is same :

So we have a question that if the Checker Qual is using a GPL license then why is it available publicly on maven repository.

Thanks,

Ankita T.

Tapkir, Ankita

unread,

Sep 5, 2022, 10:55:55 AM9/5/22

to Michael Ernst, jth...@cs.washington.edu, db...@cs.washington.edu, jonatha...@gmail.com, smi...@cs.washington.edu, mcar...@cs.washington.edu, Sharnagate, Rakesh B, Bhattbhatt, Harish, Miller, Jennifer A, Bhalekar, Yogesh P, Checker Framework Developers