diff --git a/README.adoc b/README.adoc index c6236df..17b2589 100644 --- a/README.adoc +++ b/README.adoc @@ -29,7 +29,7 @@ toc::[] image::Overview.png[] 1. Create a *Software Bill of Materials* (SBOM) for your source code. -2. Call the *Jenkins Plugin* in your build job to create a component manifest and download the license files. +2. Call the *Jenkins Plugin* in your build job to create a component manifest, to patch the SBOM and download the license files. You can *configure* several JSON data sources to improve data quality. 3. Add the component manifest and the license files to your delivery package (e.g. ZIP, WAR, MSI). @@ -80,6 +80,11 @@ Entries have the following attributes: | If groupMatch is not set | Regular expression for the component's name +|purlMatch +| Package URL +| Optional, if groupMatch and nameMatch is not set and patching is in use +| Regular expression for the component's purl + | mappedName | String | Optional @@ -148,6 +153,18 @@ Here are some examples to illustrate what you can do with it: } ---- +- Patching SBOM licenses > override licenses + +[source,json] +---- +{ + "purl": "pkg:maven\/com\.github\.kenglxn\.qrgen\/.*@2\.6\.0\?type=jar", + "licenses": [ + "Apache-2.0" + ] +} +---- + ==== License information Use this setting to define licenses and URLs with the license texts. The URL needs to point to a JSON file containing an array of entries with the following attributes: |=== 
@@ -170,7 +187,9 @@ Use this setting to define licenses and URLs with the license texts. The URL nee |=== ==== License mapping -Different components often use different names for the same license. You can use this setting to define aliases for licenses. The URL needs to point to a JSON file containing an array of entries with the following attributes: +Different components often use different names for the same license. You can use this setting to define aliases for +licenses. The URL needs to point to a JSON file containing an array of entries with the following attributes: + |=== |Name | Type | Required?| Meaning @@ -185,6 +204,19 @@ Different components often use different names for the same license. You can use |The name of the license in the license information |=== +==== License patching rules URL +The URL where to download the rules for patching BOM licenses. This is a required field when you want to use license +patching. + +tbd + +==== SPDX licenses URL +The URL where to download the list of supported SPDX licenses. If not set, then a local copy of the +https://github.com/spdx/license-list-data/tree/main/json[SPDX GitHub project] will be used. + +==== Resolve license expressions +tbd + === Create manifest This build step creates a component manifest file based on an input SBOM and the global configuration. 
@@ -251,6 +283,25 @@ pipeline { } ---- +=== Patch SBOM +This build step patch a SBOM, based on your component manifest configuration and the global configuration. +Goal is, to fix incomplete or incorrect license informations in your SBOM. + +[source,groovy,title=Declarative pipeline example] +---- +pipeline { + agent any + + stages { + stage('Patch BOM') { + steps { + patchBOM inputFile: 'input.bom', outputFile: 'output.bom' + } + } + } +} +---- + == CLI tool You can also run the tool as a standalone CLI tool. This is especially useful when you want to test out changes to component or license metadata since you do not have to switch back and forth between Jenkins @@ -285,6 +336,15 @@ Examples: ---- java -jar license-compliance-tool-cli.jar download-licenses --in=path/to/bom --out=manifest.html ---- +* Patch licenses +[source] +---- + java -jar license-compliance-tool-cli.jar + patch-sbom + --in=file-path/in.bom + --out=file-path/out.bom + --componentMetadata=https://your.server.url/componentMetadata.json +---- * Get usage help [source] ---- diff --git a/cli/pom.xml b/cli/pom.xml index f92dafa..2cc9947 100644 --- a/cli/pom.xml +++ b/cli/pom.xml @@ -1,7 +1,5 @@ - + 4.0.0 4.7.6 @@ -37,6 +35,13 @@ org.slf4j slf4j-simple + + + + org.junit.jupiter + junit-jupiter-params + test + diff --git a/cli/src/main/java/de/medavis/lct/cli/ConfigurationOptions.java b/cli/src/main/java/de/medavis/lct/cli/ConfigurationOptions.java index 6b8f2ab..6843d95 100644 --- a/cli/src/main/java/de/medavis/lct/cli/ConfigurationOptions.java +++ b/cli/src/main/java/de/medavis/lct/cli/ConfigurationOptions.java 
@@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -21,11 +21,14 @@ import java.net.URL; import java.util.Optional; + import picocli.CommandLine.Command; import picocli.CommandLine.Option; import de.medavis.lct.core.Configuration; +import org.jetbrains.annotations.NotNull; + import static de.medavis.lct.cli.StringToUrlConverter.convert; @Command @@ -38,16 +41,28 @@ class ConfigurationOptions implements Configuration { @Option(names = {"--licenseMapping", "-lm"}) private String licenseMappingsUrl; + @Option(names = {"--spdxLicenseListUrl", "-sllu"}, description = "URL where to download official supported SPDX licenses. If not set, then local copy will be used") + private String spdxLicenseListUri; + + @Override public Optional getComponentMetadataUrl() { return convert(componentMetadataUrl); } + @Override public Optional getLicensesUrl() { return convert(licensesUrl); } + @Override public Optional getLicenseMappingsUrl() { return convert(licenseMappingsUrl); } + @Override + @NotNull + public Optional getSpdxLicensesUrl() { + return convert(spdxLicenseListUri); + } + } diff --git a/cli/src/main/java/de/medavis/lct/cli/Main.java b/cli/src/main/java/de/medavis/lct/cli/Main.java index 2ba1206..7dd6595 100644 --- a/cli/src/main/java/de/medavis/lct/cli/Main.java +++ b/cli/src/main/java/de/medavis/lct/cli/Main.java @@ -26,7 +26,7 @@ @Command class Main { - public Main(String[] args) { + int run(String[] args) { System.setProperty("org.jboss.logging.provider", "slf4j"); final CommandLine commandLine = new CommandLine(this); 
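Review bot: The new `--spdxLicenseListUrl` option accepts an arbitrary string and hands it to `convert` with no visible restriction on scheme or host, and per the README the file it fetches is the list of supported SPDX licenses. `StringToUrlConverter` is outside this diff, so it may already validate. If it does not, I would reject plain `http` or at least state the trust requirement in the option text, e.g. `description = "HTTPS URL of the SPDX license list (trusted source only); the bundled copy is used when unset"`. The field is also named `spdxLicenseListUri` while the option and getter say URL, so `spdxLicenseListUrl` would match the three existing fields.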
@@ -34,12 +34,13 @@ public Main(String[] args) { commandLine.addSubcommand(new CreateManifest()); commandLine.addSubcommand(new DownloadLicenses()); commandLine.addSubcommand(new AnalyzeComponents()); - System.exit(commandLine.execute(args)); + commandLine.addSubcommand(new PatchSBOM()); + return commandLine.execute(args); } public static void main(String[] args) { - new Main(args); - + Main main = new Main(); + System.exit(main.run(args)); } } diff --git a/cli/src/main/java/de/medavis/lct/cli/PatchSBOM.java b/cli/src/main/java/de/medavis/lct/cli/PatchSBOM.java new file mode 100644 index 0000000..d0e5440 --- /dev/null +++ b/cli/src/main/java/de/medavis/lct/cli/PatchSBOM.java 
@@ -0,0 +1,59 @@
+/*-
+ * #%L
+ * License Compliance Tool - Command Line Interface
+ * %%
+ * Copyright (C) 2022 - 2024 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package de.medavis.lct.cli;
+
+import picocli.CommandLine.Command;
+import picocli.CommandLine.Mixin;
+import picocli.CommandLine.Option;
+
+import de.medavis.lct.core.asset.AssetLoader;
+import de.medavis.lct.core.license.LicenseLoader;
+import de.medavis.lct.core.license.LicenseMappingLoader;
+import de.medavis.lct.core.metadata.ComponentMetaDataLoader;
+import de.medavis.lct.core.patcher.BomPatcher;
+
+import java.nio.file.Path;
+import java.util.concurrent.Callable;
+
+@Command(name = "patch-sbom", description = "Patch SBOM with licenses mapping rules")
+public class PatchSBOM implements Callable {
+
+ @Option(names = {"--in", "-i"}, required = true)
+ private Path inputFile;
+ @Option(names = {"--out", "-o"}, required = true)
+ private Path outputFile;
+ @Mixin
+ private ConfigurationOptions configurationOptions;
+
+ @Override
+ public Void call() throws Exception {
+ BomPatcher patcher = new BomPatcher(
+ new AssetLoader(),
+ new ComponentMetaDataLoader(),
+ new LicenseLoader(),
+ new LicenseMappingLoader(),
+ configurationOptions);
+
+ patcher.patch(inputFile, outputFile);
+
+ return null;
+ }
+
+}
diff --git a/cli/src/test/java/de/medavis/lct/cli/JsonPath.java b/cli/src/test/java/de/medavis/lct/cli/JsonPath.java
new file mode 100644
index 0000000..ecc7729
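Review bot: `call()` builds the `BomPatcher` without checking that any patching rules were configured, although `getComponentMetadataUrl()` returns an `Optional` and the README part of this commit calls the rules URL required for patching. The CLI example and the test suggest the rules come from `--componentMetadata`. What `BomPatcher.patch` does with an empty value is not visible here; if it simply finds no rules, the command exits 0 and writes an SBOM that looks patched but still carries the original license data. I would fail early with `if (!configurationOptions.getComponentMetadataUrl().isPresent()) { throw new IllegalArgumentException("--componentMetadata is required for patch-sbom"); }`. A class Javadoc should also state that `--out` is overwritten and that license values in the output come from the configured rules, not from the component's own metadata.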
--- /dev/null
+++ b/cli/src/test/java/de/medavis/lct/cli/JsonPath.java
@@ -0,0 +1,64 @@
+/*-
+ * #%L
+ * License Compliance Tool - Command Line Interface
+ * %%
+ * Copyright (C) 2022 - 2024 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package de.medavis.lct.cli;
+
+import com.fasterxml.jackson.databind.JsonNode;
+
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class JsonPath {
+
+ private static final String REGEX = "(?\\D[a-zA-Z0-9]*)(\\[(?\\d*)\\])?";
+ private static final Pattern PATTERN = Pattern.compile(REGEX);
+
+ private JsonPath() {}
+
+ @Nullable
+ public static JsonNode path(@NotNull JsonNode firstNode, @NotNull String path) {
+
+ List items = List.of(path.split("\\."));
+
+ JsonNode node = firstNode;
+
+ for (String item : items) {
+ Matcher matcher = PATTERN.matcher(item);
+ while(matcher.find()) {
+ String name = matcher.group("name");
+ node = node.path(name);
+
+ String sIndex = matcher.group("index");
+ if (sIndex != null) {
+ int index = Integer.parseInt(matcher.group("index"));
+ node = node.path(index);
+ if (node == null) {
+ return null;
+ }
+ }
+ }
+ }
+
+ return node;
+ }
+}
diff --git a/cli/src/test/java/de/medavis/lct/cli/MainPatchSBOMTest.java b/cli/src/test/java/de/medavis/lct/cli/MainPatchSBOMTest.java
new file mode 100644
index 0000000..1a0a5c5
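Review bot: The `if (node == null) return null;` branch in `path` cannot trigger, because Jackson's `JsonNode.path(...)` returns a missing node rather than `null`; the `@Nullable` contract therefore misleads callers, and a wrong path only surfaces as an empty `asText()` value. I would test `node.isMissingNode()` instead, or drop the helper and use Jackson's own `rootNode.at("/components/0/licenses/0/license/id")`. The index group is `\\d*`, so a segment written `name[]` reaches `Integer.parseInt("")` and throws `NumberFormatException`; `\\d+` avoids that. As rendered here the pattern shows no group names, so I am assuming `name` and `index` are named groups in the actual file.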
--- /dev/null
+++ b/cli/src/test/java/de/medavis/lct/cli/MainPatchSBOMTest.java
@@ -0,0 +1,64 @@ +/*- + * #%L + * License Compliance Tool - Command Line Interface + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.cli; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; + +import de.medavis.lct.core.Json5MapperFactory; + +import org.junit.jupiter.api.Test; + +import java.io.IOException; +import java.net.URI; +import java.nio.file.Files; +import java.nio.file.Path; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertTrue; + +class MainPatchSBOMTest { + + @Test + void testPatchBOM() throws IOException { + + URI uri = Path.of("src/test/resources/test-component-metadata.json5").toUri(); + + Path testFile = Path.of("target/test-results/test-patched-01.json"); + Files.deleteIfExists(testFile); + + int exitCode = new Main().run(new String[] { + "patch-sbom", + "--in=src/test/resources/test-bom-01.json", + "--out=" + testFile, + "--componentMetadata=" + uri, + }); + + assertEquals(0, exitCode); + assertTrue(Files.exists(testFile)); + + ObjectMapper mapper = Json5MapperFactory.create(); + JsonNode rootNode = mapper.readTree(testFile.toFile()); + + assertEquals("Apache-2.0", JsonPath.path(rootNode, "components[0].licenses[0].license.id").asText()); + assertEquals("BSD-2-Clause", JsonPath.path(rootNode, 
"components[2].licenses[0].license.id").asText()); + assertEquals("BSD-2-Clause", JsonPath.path(rootNode, "components[2].licenses[0].license.id").asText()); + } +} diff --git a/cli/src/test/resources/test-bom-01.json b/cli/src/test/resources/test-bom-01.json new file mode 100644 index 0000000..22ca83b --- /dev/null +++ b/cli/src/test/resources/test-bom-01.json 
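Review bot: The last two assertions are the same line, both reading `components[2].licenses[0].license.id`, so one of them adds no coverage. The fixture's `components[1]` (a license `expression`) and `components[3]` (ten license entries) are never checked, which is where a patching regression would most likely hide. If the duplicate was meant for another component, point it there, e.g. `JsonPath.path(rootNode, "components[3].licenses[0].license.id")` with the value the rules should produce. The test also writes to `target/test-results/` without creating it; unless `BomPatcher.patch` creates parent directories (not visible here), add `Files.createDirectories(testFile.getParent());` or use a JUnit `@TempDir`.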
@@ -0,0 +1,138 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "serialNumber": "urn:uuid:c62cd474-7b90-41c0-9168-757b6d5614d1", + "version": 1, + "metadata": { + "component": { + "type": "application", + "name": "dependency-track", + "version": "4.11.1", + "description": "Dependency-Track is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain.", + "licenses": [ + { + "license": { + "id": "Apache-2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl": "pkg:maven/org.dependencytrack/dependency-track@4.11.1?type=war" + } + }, + "components": [ + { + "type": "library", + "bom-ref": "pkg:maven/us.springett/alpine-common@2.2.5?type=jar", + "group": "us.springett", + "name": "alpine-common", + "version": "2.2.5", + "description": "An opinionated scaffolding library that jumpstarts Java projects with an API-first design, secure defaults, and minimal dependencies.", + "scope": "required", + "licenses": [ + { + "license": { + "id": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl": "pkg:maven/us.springett/alpine-common@2.2.5?type=jar" + }, + { + "type": "library", + "bom-ref": "pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar", + "publisher": "GlassFish Community", + "group": "javax.transaction", + "name": "javax.transaction-api", + "version": "1.3", + "description": "Project GlassFish Java Transaction API", + "scope": "required", + "licenses": [ + { + "expression": "(CDDL-1.0 OR GPL-2.0-with-classpath-exception)" + } + ], + "purl": "pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar" + }, + { + "type": "library", + "bom-ref": "pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar", + "publisher": "GlassFish Community", + "group": "javax.transaction", + "name": "javax.transaction-api", + "version": "1.3", + "description": "Project GlassFish Java Transaction API", + "scope": "required", + 
"purl": "pkg:maven/com.pixelmed/any-lib@1.2.3.4?type=jar" + }, + { + "type": "library", + "bom-ref": "pkg:maven/org.glassfish.jersey.ext/jersey-bean-validation@2.41?type=jar", + "publisher": "Eclipse Foundation", + "group": "org.glassfish.jersey.ext", + "name": "jersey-bean-validation", + "version": "2.41", + "description": "Jersey extension module providing support for Bean Validation (JSR-349) API.", + "scope": "required", + "licenses": [ + { + "license": { + "id": "EPL-2.0" + } + }, + { + "license": { + "id": "GPL-2.0-with-classpath-exception" + } + }, + { + "license": { + "id": "BSD-3-Clause" + } + }, + { + "license": { + "id": "BSD-2-Clause" + } + }, + { + "license": { + "name": "Apache License, 2.0", + "url": "http://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + { + "license": { + "name": "Public Domain", + "url": "https://creativecommons.org/publicdomain/zero/1.0/" + } + }, + { + "license": { + "name": "Modified BSD", + "url": "https://asm.ow2.io/license.html" + } + }, + { + "license": { + "name": "jQuery license", + "url": "jquery.org/license" + } + }, + { + "license": { + "url": "https://www.bouncycastle.org/licence.html" + } + }, + { + "license": { + "name": "W3C license", + "url": "https://www.w3.org/Consortium/Legal/copyright-documents-19990405" + } + } + ], + "purl": "pkg:maven/org.glassfish.jersey.ext/jersey-bean-validation@2.41?type=jar" + } + ] +} \ No newline at end of file diff --git a/cli/src/test/resources/test-component-metadata.json5 b/cli/src/test/resources/test-component-metadata.json5 new file mode 100644 index 0000000..57c2f64 --- /dev/null +++ b/cli/src/test/resources/test-component-metadata.json5 
@@ -0,0 +1,1294 @@ +[ + { + "groupMatch": "de\\.medavis.*", + "ignore": true + }, + { + "groupMatch": "com\\.fg.*", + "nameMatch": "xmleditor-medavis", + "ignore": true + }, + { + "groupMatch": "io\\.agroal\\.*", + "mappedName": "Agoral", + "ignore": true + }, + { + "groupMatch": "gnu\\.getopt\\.*", + "mappedName": "Java-Getopt", + "url": "https://www.gnu.org/software/gnuprologjava/api/allclasses-noframe.html", + "ignore": true + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.xml\\.bind", + "nameMatch": "jboss-jaxb-api_.*_spec", + "mappedName": "JBoss JAXB API", + "url": "https://github.com/jboss/jboss-jaxb-api_spec", + "licenses": [ + "CDDL-1.1", + "GPL-2.0" + ] + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.annotation", + "nameMatch": "jboss-annotations-api_.*_spec", + "mappedName": "Java Common Annotations", + "url": "https://github.com/javaee/javax.annotation", + "licenses": [ + "CDDL-1.1", + "GPL-2.0" + ] + }, + { + "groupMatch": "javax\\.annotation", + "purlMatch": "pkg:maven\\/javax\\.annotation\\/jakarta\\.annotation-api@.*type=jar", + "mappedName": "Java Common Annotations", + "url": "https://github.com/javaee/javax.annotation", + "licenses": [ + "CDDL-1.1", + "GPL-2.0" + ] + }, + { + "groupMatch": "org\\.apache\\.camel", + "mappedName": "Apache Camel", + "url": "https://github.com/apache/camel/tree/main", + "attributionNotices": [ + "
Apache Camel\nCopyright 2007-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n \n=========================================================================\n==  NOTICE file corresponding to the section 4 d of                    ==\n==  the Apache License, Version 2.0,                                   ==\n==  in this case for the Apache Camel distribution.                    ==\n=========================================================================\n\nApache Camel\nCopyright 2007-2019 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\n=========================================================================\n==  Spring Notice                                                      ==\n=========================================================================\n\nThis product includes software developed by\nthe Apache Software Foundation (http://www.apache.org).\n\nThis product also includes software developed by\nClinton Begin (http://www.ibatis.com).\n\nThe end-user documentation included with a redistribution, if any,\nmust include the following acknowledgement:\n\n \"This product includes software developed by the Spring Framework\n  Project (http://www.springframework.org).\"\n\nAlternately, this acknowledgement may appear in the software itself,\nif and wherever such third-party acknowledgements normally appear.\n\nThe names \"Spring\" and \"Spring Framework\" must not be used to\nendorse or promote products derived from this software without\nprior written permission. 
For written permission, please contact\nrod.johnson@interface21.com or juergen.hoeller@interface21.com.\n\n=========================================================================\n==  OpenShift Notice                                                   ==\n=========================================================================\n\nThis product includes software developed by\nthe OpenShift Project (https://github.com/openshift/openshift-java-client/).\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.derby.*", + "mappedName": "Apache Derby", + "attributionNotices": [ + "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,\n==  Version 2.0, in this case for the Apache Derby distribution.\n==\n==  DO NOT EDIT THIS FILE DIRECTLY. IT IS GENERATED\n==  BY THE buildnotice TARGET IN THE TOP LEVEL build.xml FILE.\n==\n=========================================================================\n\nApache Derby\nCopyright 2004-2018 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\n=========================================================================\n\nPortions of Derby were originally developed by\nInternational Business Machines Corporation and are\nlicensed to the Apache Software Foundation under the\n\"Software Grant and Corporate Contribution License Agreement\",\ninformally known as the \"Derby CLA\".\nThe following copyright notice(s) were affixed to portions of the code\nwith which this file is now or was at one time distributed\nand are placed here unaltered.\n(C) Copyright 1997,2004 International Business Machines Corporation.  All rights reserved.\n(C) Copyright IBM Corp. 2003.\n\n=========================================================================\nThe portion of the functionTests under 'nist' was originally \ndeveloped by the National Institute of Standards and Technology (NIST), \nan agency of the United States Department of Commerce, and adapted by\nInternational Business Machines Corporation in accordance with the NIST\nSoftware Acknowledgment and Redistribution document at\nhttp://www.itl.nist.gov/div897/ctg/sql_form.htm\n\n=========================================================================\n\nThe Derby build relies on source files supplied by the Apache Felix\nproject. The following notice covers the Felix files:\n\n  Apache Felix Main\n  Copyright 2008 The Apache Software Foundation\n\n  I. 
Included Software\n\n  This product includes software developed at\n  The Apache Software Foundation (http://www.apache.org/).\n  Licensed under the Apache License 2.0.\n\n  This product includes software developed at\n  The OSGi Alliance (http://www.osgi.org/).\n  Copyright (c) OSGi Alliance (2000, 2007).\n  Licensed under the Apache License 2.0.\n\n  This product includes software from http://kxml.sourceforge.net.\n  Copyright (c) 2002,2003, Stefan Haustein, Oberhausen, Rhld., Germany.\n  Licensed under BSD License.\n\n  II. Used Software\n\n  This product uses software developed at\n  The OSGi Alliance (http://www.osgi.org/).\n  Copyright (c) OSGi Alliance (2000, 2007).\n  Licensed under the Apache License 2.0.\n\n\n  III. License Summary\n  - Apache License 2.0\n  - BSD License\n\n=========================================================================\n\nThe Derby build relies on jar files supplied by the Apache Lucene\nproject. The following notice covers the Lucene files:\n\nApache Lucene\nCopyright 2013 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nIncludes software from other Apache Software Foundation projects,\nincluding, but not limited to:\n - Apache Ant\n - Apache Jakarta Regexp\n - Apache Commons\n - Apache Xerces\n\nICU4J, (under analysis/icu) is licensed under an MIT styles license\nand Copyright (c) 1995-2008 International Business Machines Corporation and others\n\nSome data files (under analysis/icu/src/data) are derived from Unicode data such\nas the Unicode Character Database. See http://unicode.org/copyright.html for more\ndetails.\n\nBrics Automaton (under core/src/java/org/apache/lucene/util/automaton) is \nBSD-licensed, created by Anders Møller. 
See http://www.brics.dk/automaton/\n\nThe levenshtein automata tables (under core/src/java/org/apache/lucene/util/automaton) were\nautomatically generated with the moman/finenight FSA library, created by\nJean-Philippe Barrette-LaPierre. This library is available under an MIT license,\nsee http://sites.google.com/site/rrettesite/moman and \nhttp://bitbucket.org/jpbarrette/moman/overview/\n\nThe class org.apache.lucene.util.WeakIdentityMap was derived from\nthe Apache CXF project and is Apache License 2.0.\n\nThe Google Code Prettify is Apache License 2.0.\nSee http://code.google.com/p/google-code-prettify/\n\nJUnit (junit-4.10) is licensed under the Common Public License v. 1.0\nSee http://junit.sourceforge.net/cpl-v10.html\n\nThis product includes code (JaspellTernarySearchTrie) from Java Spelling Checkin\ng Package (jaspell): http://jaspell.sourceforge.net/\nLicense: The BSD License (http://www.opensource.org/licenses/bsd-license.php)\n\nThe snowball stemmers in\n  analysis/common/src/java/net/sf/snowball\nwere developed by Martin Porter and Richard Boulton.\nThe snowball stopword lists in\n  analysis/common/src/resources/org/apache/lucene/analysis/snowball\nwere developed by Martin Porter and Richard Boulton.\nThe full snowball package is available from\n  http://snowball.tartarus.org/\n\nThe KStem stemmer in\n  analysis/common/src/org/apache/lucene/analysis/en\nwas developed by Bob Krovetz and Sergio Guzman-Lara (CIIR-UMass Amherst)\nunder the BSD-license.\n\nThe Arabic,Persian,Romanian,Bulgarian, and Hindi analyzers (common) come with a default\nstopword list that is BSD-licensed created by Jacques Savoy.  
These files reside in:\nanalysis/common/src/resources/org/apache/lucene/analysis/ar/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/fa/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/ro/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/bg/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/hi/stopwords.txt\nSee http://members.unine.ch/jacques.savoy/clef/index.html.\n\nThe German,Spanish,Finnish,French,Hungarian,Italian,Portuguese,Russian and Swedish light stemmers\n(common) are based on BSD-licensed reference implementations created by Jacques Savoy and\nLjiljana Dolamic. These files reside in:\nanalysis/common/src/java/org/apache/lucene/analysis/de/GermanLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/de/GermanMinimalStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/es/SpanishLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fi/FinnishLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fr/FrenchLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fr/FrenchMinimalStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/hu/HungarianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/it/ItalianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/pt/PortugueseLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/ru/RussianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/sv/SwedishLightStemmer.java\n\nThe Stempel analyzer (stempel) includes BSD-licensed software developed \nby the Egothor project http://egothor.sf.net/, created by Leo Galambos, Martin Kvapil,\nand Edmond Nolan.\n\nThe Polish analyzer (stempel) comes with a default\nstopword list that is BSD-licensed created by the Carrot2 project. 
The file resides\nin stempel/src/resources/org/apache/lucene/analysis/pl/stopwords.txt.\nSee http://project.carrot2.org/license.html.\n\nThe SmartChineseAnalyzer source code (smartcn) was\nprovided by Xiaoping Gao and copyright 2009 by www.imdict.net.\n\nWordBreakTestUnicode_*.java (under modules/analysis/common/src/test/) \nis derived from Unicode data such as the Unicode Character Database. \nSee http://unicode.org/copyright.html for more details.\n\nThe Morfologik analyzer (morfologik) includes BSD-licensed software\ndeveloped by Dawid Weiss and Marcin Miłkowski (http://morfologik.blogspot.com/).\n\nMorfologik uses data from Polish ispell/myspell dictionary\n(http://www.sjp.pl/slownik/en/) licenced on the terms of (inter alia)\nLGPL and Creative Commons ShareAlike.\n\nMorfologic includes data from BSD-licensed dictionary of Polish (SGJP)\n(http://sgjp.pl/morfeusz/)\n\nServlet-api.jar and javax.servlet-*.jar are under the CDDL license, the original\nsource code for this can be found at http://www.eclipse.org/jetty/downloads.php\n\n===========================================================================\nKuromoji Japanese Morphological Analyzer - Apache Lucene Integration\n===========================================================================\n\nThis software includes a binary and/or source version of data from\n\n  mecab-ipadic-2.7.0-20070801\n\nwhich can be obtained from\n\n  http://atilika.com/releases/mecab-ipadic/mecab-ipadic-2.7.0-20070801.tar.gz\n\nor\n\n  http://jaist.dl.sourceforge.net/project/mecab/mecab-ipadic/2.7.0-20070801/mecab-ipadic-2.7.0-20070801.tar.gz\n\n===========================================================================\nmecab-ipadic-2.7.0-20070801 Notice\n===========================================================================\n\nNara Institute of Science and Technology (NAIST),\nthe copyright holders, disclaims all warranties with regard to this\nsoftware, including all implied warranties of merchantability and\nfitness, in 
no event shall NAIST be liable for\nany special, indirect or consequential damages or any damages\nwhatsoever resulting from loss of use, data or profits, whether in an\naction of contract, negligence or other tortuous action, arising out\nof or in connection with the use or performance of this software.\n\nA large portion of the dictionary entries\noriginate from ICOT Free Software.  The following conditions for ICOT\nFree Software applies to the current dictionary as well.\n\nEach User may also freely distribute the Program, whether in its\noriginal form or modified, to any third party or parties, PROVIDED\nthat the provisions of Section 3 (\"NO WARRANTY\") will ALWAYS appear\non, or be attached to, the Program, which is distributed substantially\nin the same form as set out herein and that such intended\ndistribution, if actually made, will neither violate or otherwise\ncontravene any of the laws and regulations of the countries having\njurisdiction over the User or the intended distribution itself.\n\nNO WARRANTY\n\nThe program was produced on an experimental basis in the course of the\nresearch and development conducted during the project and is provided\nto users as so produced on an experimental basis.  Accordingly, the\nprogram is provided without any warranty whatsoever, whether express,\nimplied, statutory or otherwise.  
The term \"warranty\" used herein\nincludes, but is not limited to, any warranty of the quality,\nperformance, merchantability and fitness for a particular purpose of\nthe program and the nonexistence of any infringement or violation of\nany right of any third party.\n\nEach user of the program will agree and understand, and be deemed to\nhave agreed and understood, that there is no warranty whatsoever for\nthe program and, accordingly, the entire risk arising from or\notherwise connected with the program is assumed by the user.\n\nTherefore, neither ICOT, the copyright holder, or any other\norganization that participated in or was otherwise related to the\ndevelopment of the program and their respective officials, directors,\nofficers and other employees shall be held liable for any and all\ndamages, including, without limitation, general, special, incidental\nand consequential damages, arising out of or otherwise in connection\nwith the use or inability to use the program or any product, material\nor result produced or otherwise obtained by using the program,\nregardless of whether they have been advised of, or otherwise had\nknowledge of, the possibility of such damages at any time during the\nproject or thereafter.  Each user will be deemed to have agreed to the\nforegoing by his or her commencement of use of the program.  
The term\n\"use\" as used herein includes, but is not limited to, the use,\nmodification, copying and distribution of the program and the\nproduction of secondary products from the program.\n\nIn the case where the program, whether in its original form or\nmodified, was distributed or delivered to or received by a user from\nany person, organization or entity other than ICOT, unless it makes or\ngrants independently of ICOT any specific warranty to the user in\nwriting, such person, organization or entity, will also be exempted\nfrom and not be held liable to the user for any such damages as noted\nabove as far as the program is concerned.\n\n=========================================================================\n\nThe Derby build relies on a jar file supplied by the JSON Simple\nproject, hosted at https://code.google.com/p/json-simple/.\nThe JSON simple jar file is licensed under the Apache 2.0 License.\nNo other notice covers that jar file.\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.mina.*", + "mappedName": "Apache MINA", + "attributionNotices": [ + "
Apache POI\nCopyright 2003-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\nThis product contains parts that were originally based on software from BEA.\nCopyright (c) 2000-2003, BEA Systems, <http://www.bea.com/> (dead link),\nwhich was acquired by Oracle Corporation in 2008.\n<http://www.oracle.com/us/corporate/Acquisitions/bea/index.html>\n<https://en.wikipedia.org/wiki/BEA_Systems>\nNote: The ASF Secretary has on hand a Software Grant Agreement (SGA) from\nBEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.\n\nThis product contains W3C XML Schema documents. Copyright 2001-2003 (c)\nWorld Wide Web Consortium (Massachusetts Institute of Technology, European\nResearch Consortium for Informatics and Mathematics, Keio University)\n\nThis product contains the chunks_parse_cmds.tbl file from the vsdump program.\nCopyright (C) 2006-2007 Valek Filippov (frob@df.ru)\n\nThis product contains parts of the eID Applet project\n<http://eid-applet.googlecode.com> and <https://github.com/e-Contract/eid-applet>.\nCopyright (c) 2009-2018\nFedICT (federal ICT department of Belgium), e-Contract.be BVBA (https://www.e-contract.be),\nBart Hanssens from FedICT\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.poi.*", + "mappedName": "Apache POI", + "url": "https://svn.apache.org/repos/asf/poi/", + "attributionNotices": [ + "Apache POI
\nCopyright 2003-2022 The Apache Software Foundation
\n

\nThis product includes software developed at
\nThe Apache Software Foundation (https://www.apache.org/).
\n

\nThis product contains parts that were originally based on software from BEA.
\nCopyright (c) 2000-2003, BEA Systems, (dead link),
\nwhich was acquired by Oracle Corporation in 2008.
\n
\n
\nNote: The ASF Secretary has on hand a Software Grant Agreement (SGA) from
\nBEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.
\n

\nThis product contains W3C XML Schema documents. Copyright 2001-2003 (c)
\nWorld Wide Web Consortium (Massachusetts Institute of Technology, European
\nResearch Consortium for Informatics and Mathematics, Keio University)
\n

\nThis product contains the chunks_parse_cmds.tbl file from the vsdump program.
\nCopyright (C) 2006-2007 Valek Filippov (frob@df.ru)
\n

\nThis product contains parts of the eID Applet project\n and .
\nCopyright (c) 2009-2018
\nFedICT (federal ICT department of Belgium), e-Contract.be BVBA (https://www.e-contract.be),
\nBart Hanssens from FedICT
" + ] + }, + { + "nameMatch": "xmlbeans", + "mappedName": "Apache XMLBeans", + "attributionNotices": [ + "
   =========================================================================\n   ==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n   ==  Version 2.0, in this case for the Apache XmlBeans distribution.    ==\n   =========================================================================\n\n   This product includes software developed at\n   The Apache Software Foundation (http://www.apache.org/).\n\n   Portions of this software were originally based on the following:\n     - software copyright (c) 2000-2003, BEA Systems, <http://www.bea.com/>.\n   Note: The ASF Secretary has on hand a Software Grant Agreement (SGA) from\n   BEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.\n\n   Aside from contributions to the Apache XMLBeans project, this\n   software also includes:\n\n    - one or more source files from the Apache Xerces-J and Apache Axis\n      products, Copyright (c) 1999-2003 Apache Software Foundation\n\n    - W3C XML Schema documents Copyright 2001-2003 (c) World Wide Web\n      Consortium (Massachusetts Institute of Technology, European Research\n      Consortium for Informatics and Mathematics, Keio University)\n\n    - resolver.jar from Apache Xml Commons project,\n      Copyright (c) 2001-2003 Apache Software Foundation\n  
" + ] + }, + { + "nameMatch": "xmlsec", + "mappedName": "Apache XMLSec", + "url": "https://github.com/apache/santuario-xml-security-java/tree/main", + "licenses": [ + "Apache-2.0" + ], + "attributionNotices": [ + "
Apache Santuario - XML Security for Java\nCopyright 1999-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nIt was originally based on software copyright (c) 2001, Institute for\nData Communications Systems, <http://www.nue.et-inf.uni-siegen.de/>.\n\nThe development of this software was partly funded by the European\nCommission in the <WebSig> project in the ISIS Programme.\n\nThis product contains software that is\ncopyright (c) 2021, Oracle and/or its affiliates.\n
" + ] + }, + { + "groupMatch": "org\\.aspectj", + "mappedName": "AspectJ", + "url": "https://github.com/eclipse/org.aspectj/tree/V1_6_X" + }, + { + "nameMatch": "validation-api", + "mappedName": "Bean Validation API", + "attributionNotices": [ + "
# Notices for Eclipse Jakarta Bean Validation\n\nThis content is produced and maintained by the Eclipse Jakarta Bean Validation\nproject.\n\n* Project home: https://projects.eclipse.org/projects/ee4j.bean-validation\n\n## Trademarks\n\n Jakarta Bean Validation is a trademark of the Eclipse Foundation.\n\n## Copyright\n\nAll content is the property of the respective authors or their employers. For\nmore information regarding authorship of content, please consult the listed\nsource code repository logs.\n\n## Declared Project Licenses\n\nThis program and the accompanying materials are made available under the terms\nof the Apache License, Version 2.0 which is available at\nhttps://www.apache.org/licenses/LICENSE-2.0.\n\nSPDX-License-Identifier: Apache-2.0\n\n## Source Code\n\nThe project maintains the following source code repositories:\n\n * [The specification repository](https://github.com/eclipse-ee4j/beanvalidation-spec)\n * [The API repository](https://github.com/eclipse-ee4j/beanvalidation-api)\n * [The TCK repository](https://github.com/eclipse-ee4j/beanvalidation-tck)\n\n## Third-party Content\n\nThis project leverages the following third party content.\n\nTest dependencies:\n\n * [TestNG](https://github.com/cbeust/testng) - Apache License 2.0\n * [JCommander](https://github.com/cbeust/jcommander) - Apache License 2.0\n * [SnakeYAML](https://bitbucket.org/asomov/snakeyaml/src) - Apache License 2.0\n\n
" + ] + }, + { + "groupMatch": "org\\.bouncycastle.*", + "mappedName": "Bouncy Castle Crypto Package" + }, + { + "nameMatch": "byte-buddy", + "mappedName": "Byte Buddy", + "url": "https://github.com/raphw/byte-buddy", + "attributionNotices": [ + "
Copyright ${project.inceptionYear} - Present ${copyright.holder}\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n
" + ] + }, + { + "groupMatch": "com\\.github\\.ben-manes\\.caffeine.*", + "mappedName": "Caffeine", + "url": "https://github.com/ben-manes/caffeine" + }, + { + "groupMatch": "com\\.fasterxml", + "nameMatch": "classmate", + "mappedName": "Classmate", + "url": "https://github.com/FasterXML/java-classmate" + }, + { + "nameMatch": "commons-collections4", + "mappedName": "Commons Collections", + "attributionNotices": [ + "
Apache Commons Collections\nCopyright 2001-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-compress", + "mappedName": "Commons Compress", + "attributionNotices": [ + "
Apache Commons Compress\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\n---\n\nThe files in the package org.apache.commons.compress.archivers.sevenz\nwere derived from the LZMA SDK, version 9.20 (C/ and CPP/7zip/),\nwhich has been placed in the public domain:\n\n\"LZMA SDK is placed in the public domain.\" (http://www.7-zip.org/sdk.html)\n\n---\n\nThe test file lbzip2_32767.bz2 has been copied from libbzip2's source\nrepository:\n\nThis program, \"bzip2\", the associated library \"libbzip2\", and all\ndocumentation, are copyright (C) 1996-2019 Julian R Seward.  All\nrights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer.\n\n2. The origin of this software must not be misrepresented; you must\n   not claim that you wrote the original software.  If you use this\n   software in a product, an acknowledgment in the product\n   documentation would be appreciated but is not required.\n\n3. Altered source versions must be plainly marked as such, and must\n   not be misrepresented as being the original software.\n\n4. The name of the author may not be used to endorse or promote\n   products derived from this software without specific prior written\n   permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\nOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\nARE DISCLAIMED.  
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\nDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE\nGOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\nINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\nJulian Seward, jseward@acm.org\n
" + ] + }, + { + "nameMatch": "commons-fileupload", + "mappedName": "Commons File Upload", + "attributionNotices": [ + "
Apache Commons FileUpload\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-io", + "mappedName": "Commons IO", + "attributionNotices": [ + "
Apache Commons IO\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-lang", + "mappedName": "Commons Lang", + "url": "https://github.com/apache/commons-lang" + }, + { + "nameMatch": "commons-math3", + "mappedName": "Commons Math", + "attributionNotices": [ + "Copyright 2001-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software developed for Orekit by\nCS Systèmes d'Information (http://www.c-s.fr/)\nCopyright 2010-2012 CS Systèmes d'Information" + ] + }, + { + "groupMatch": "com\\.github\\.virtuald", + "nameMatch": "curvesapi", + "mappedName": "Curve API", + "url": "https://github.com/virtuald/curvesapi", + "attributionNotices": [ + "
The original project used a BSD license, and remains so.\n\ncom.graphbuilder.org.apache.harmony.awt.gl.Crossing is from the Apache Harmony project and is released under the Apache 2.0 license.\n
\n" + ] + }, + { + "nameMatch": "ezmorph", + "mappedName": "EZMorph" + }, + { + "groupMatch": "org\\.flywaydb.*", + "mappedName": "Flyway", + "url": "https://github.com/flyway/flyway/tree/main", + "attributionNotices": [ + "
License\nCopyright © Red Gate Software Ltd 2010-2022\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\nTrademark\nFlyway is a registered trademark of Boxfuse GmbH, owned by Red Gate Software Ltd.\n
\n" + ] + }, + { + "groupMatch": "com\\.google\\.code\\.gson", + "mappedName": "Gson", + "url": "https://github.com/google/gson/tree/master", + "attributionNotices": [ + "
License\nGson is released under the Apache 2.0 license.\n\nCopyright 2008 Google Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\nDisclaimer\nThis is not an officially supported Google product.\n
" + ] + }, + { + "groupMatch": "com\\.googlecode\\.concurrentlinkedhashmap\\.*", + "url": "https://github.com/ben-manes/concurrentlinkedhashmap", + "licenses": [ + "Apache-2.0" + ] + }, + { + "groupMatch": "com\\.h2database", + "mappedName": "H2 Database", + "licenses": [ + "MPL-2.0", + "EPL-1.0" + ] + }, + { + "groupMatch": "ca\\.uhn\\.hapi.*", + "mappedName": "HAPI", + "url": "https://github.com/hapifhir/hapi-hl7v2/tree/v2.3", + "licenses": [ + "GPL-3.0", + "MPL-1.1" + ] + }, + { + "groupMatch": "org\\.hibernate", + "mappedName": "Hibernate", + "url": "https://github.com/hibernate/hibernate-orm", + "licenses" : [ + "LGPL-2.1" + ] + }, + { + "nameMatch": "hsqldb", + "mappedName": "HSQL DB", + "attributionNotices": [ + "
The highly configurable java source code formatter Jindent is used to format the HSQLDB source code.\nThis Software is developed and published by the HSQL Development Group\n\nFred Toussi (fredt (at) users.sourceforge.net)\nBlaine Simpson (blaine dot simpson (at) admc dot com)\n\nhttp://hsqldb.org\n
\n" + ], + "licenses": [ + "HyperSQL License" + ] + }, + { + "nameMatch": "(infinispan-commons)|(infinispan-core)", + "mappedName": "Infinispan" + }, + { + "groupMatch": "com\\.sun\\.istack", + "mappedName": "iStack Common", + "url": "https://javaee.github.io/jaxb-istack-commons/" + }, + { + "nameMatch": "protostream", + "mappedName": "Infinispan protostream" + }, + { + "groupMatch": "com\\.fasterxml\\.jackson.*", + "mappedName": "Jackson" + }, + { + "groupMatch": "javax\\.activation", + "mappedName": "JavaBeans Activation Framework", + "url": "https://github.com/javaee/activation", + "attributionNotices": [ + "
# Notices for Jakarta Activation\n\nThis content is produced and maintained by the Jakarta Activation project.\n\n* Project home: https://projects.eclipse.org/projects/ee4j.jaf\n\n## Trademarks\n\nJakarta Activation is a trademark of the Eclipse Foundation.\n\n## Copyright00\n\nAll content is the property of the respective authors or their employers. For\nmore information regarding authorship of content, please consult the listed\nsource code repository logs.\n\n## Declared Project Licenses\n\nThis program and the accompanying materials are made available under the terms\nof the Eclipse Public License v. 2.0 which is available at\nhttps://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License v1.0\nwhich is available at https://www.eclipse.org/org/documents/edl-v10.php. This\nSource Code may also be made available under the following Secondary Licenses\nwhen the conditions for such availability set forth in the Eclipse Public\nLicense v. 2.0 are satisfied: (secondary) GPL-2.0 with Classpath-exception-2.0\nwhich is available at https://openjdk.java.net/legal/gplv2+ce.html.\n\nSPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with\nClasspath-exception-2.0\n\n## Cryptography\n\nContent may contain encryption software. The country in which you are currently\nmay have restrictions on the import, possession, and use, and/or re-export to\nanother country, of encryption software. BEFORE using any encryption software,\nplease check the country's laws, regulations and policies concerning the import,\npossession, or use, and re-export of encryption software, to see if this is\npermitted.
" + ] + }, + { + "groupMatch": "com\\.github\\.fge", + "mappedName": "Java Json Tools", + "url": "https://github.com/java-json-tools" + }, + { + "groupMatch": "com\\.github\\.stephenc\\.jcip", + "mappedName": "JCIP annotations", + "url": "https://github.com/stephenc/jcip-annotations" + }, + { + "groupMatch": "org\\.javassist", + "mappedName": "Javassist", + "url": "https://www.javassist.org/" + }, + { + "groupMatch": "javax\\.persistence", + "mappedName": "Java Persistence API", + "url": "https://github.com/javaee/jpa-spec" + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.transaction", + "nameMatch": "jboss\\-transaction\\-api_.*_spec", + "mappedName": "Java Transaction API", + "url": "https://github.com/javaee/javax.transaction" + }, + { + "groupMatch": "org\\.glassfish\\.grizzly.*", + "mappedName": "Grizzly", + "url": "https://javaee.github.io/grizzly/", + "licenses": [ + "CDDL-1.1", + "GPL-2" + ] + }, + { + "groupMatch": "(com\\.sun\\.xml\\.bind)|(org\\.glassfish\\.jaxb)|(javax\\.xml\\.bind)", + "mappedName": "JAXB", + "url": "https://javaee.github.io/jaxb-v2/", + "attributionNotices": [ + "
Licensing and Governance\nJAXB is licensed under a dual license - CDDL 1.1 and GPL 2.0 with Class-path Exception. That means you can choose which one of the two suits your needs better and use it under those terms.\n\nWe use GlassFish Governance Policy, which means we can only accept contributions under the terms of OCA.\n
\n" + ] + }, + { + "nameMatch": "jaxb2-basics-runtime", + "mappedName": "JAXB2 Basics Runtime", + "licenses": [ + "BSD-2-Clause" + ] + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.ws\\.rs", + "nameMatch": "jboss\\-jaxrs\\-api_.*_spec", + "mappedName": "JAX-RS", + "url": "https://github.com/javaee/jax-rs-api" + }, + { + "nameMatch": "jbcrypt", + "mappedName": "jBCrypt", + "attributionNotices": [ + "
Copyright (c) 2006 Damien Miller \n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n
\n" + ], + "licenses": [ + "ISC" + ] + }, + { + "nameMatch": "jboss-threads", + "mappedName": "JBoss Threads", + "attributionNotices": [ + "
Copyright (c) 2006 Damien Miller \n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n
\n" + ] + }, + { + "nameMatch": "joda-time", + "mappedName": "Joda Time", + "attributionNotices": [ + "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes software developed by\nJoda.org (https://www.joda.org/).\n
" + ] + }, + { + "nameMatch": "json-lib", + "mappedName": "JSON-lib", + "url": "https://github.com/kordamp/json-lib", + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "jgroups", + "mappedName": "JGroups" + }, + { + "nameMatch": "jsoup", + "mappedName": "JSoup" + }, + { + "nameMatch": "jtds", + "mappedName": "jTDS JDBC Driver", + "licenses": [ + "LGPL-2.1" + ] + }, + { + "groupMatch": "org\\.keycloak.*", + "mappedName": "Keycloak", + "url": "https://github.com/keycloak/keycloak", + "licenses": [ + "Apache-2.0" + ] + }, + { + "groupMatch": "com\\.googlecode\\.libphonenumber", + "mappedName": "Libphonenumber" + }, + { + "groupMatch": "org\\.apache\\.logging\\.log4j", + "mappedName": "Log4J", + "attributionNotices": [ + "
Apache Log4j\nCopyright 1999-2021 Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nResolverUtil.java\nCopyright 2005-2006 Tim Fennell\n\nDumbster SMTP test server\nCopyright 2004 Jason Paul Kitchen\n\nTypeUtil.java\nCopyright 2002-2012 Ramnivas Laddad, Juergen Hoeller, Chris Beams\n\npicocli (http://picocli.info)\nCopyright 2017 Remko Popma\n\nTimeoutBlockingWaitStrategy.java and parts of Util.java\nCopyright 2011 LMAX Ltd.\n
" + ] + }, + { + "nameMatch": "mapstruct", + "mappedName": "Mapstruct", + "attributionNotices": [ + "
\n Copyright MapStruct Authors.\n\n MapStruct is licensed under the Apache License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0\n\n------------------------------------------------------------------------\n\n MAPSTRUCT SUBCOMPONENTS WITH DIFFERENT COPYRIGHT OWNERS\n\n The MapStruct distribution (ZIP, TAR.GZ) as well as the MapStruct\n library (JAR) include FreeMarker, a software developed by Attila\n Szegedi, Daniel Dekany and Jonathan Revusky. FreeMarker is licensed\n under the same license as MapStruct itself - Apache License, Version\n 2.0 - but the copyright owners are the aforementioned individuals.\n\n The MapStruct distribution (ZIP, TAR.GZ) as well as the MapStruct\n library (JAR) include a number of files that are licensed by the\n Apache Software Foundation under the same license as MapStruct itself -\n Apache License, Version 2.0 - but the copyright owner is the Apache\n Software Foundation. These files are:\n\n     freemarker/ext/jsp/web-app_2_2.dtd\n     freemarker/ext/jsp/web-app_2_3.dtd\n     freemarker/ext/jsp/web-app_2_4.xsd\n     freemarker/ext/jsp/web-app_2_5.xsd\n     freemarker/ext/jsp/web-jsptaglibrary_1_1.dtd\n     freemarker/ext/jsp/web-jsptaglibrary_1_2.dtd\n     freemarker/ext/jsp/web-jsptaglibrary_2_0.xsd\n     freemarker/ext/jsp/web-jsptaglibrary_2_1.xsd\n
" + ] + }, + { + "nameMatch": "mariadb-java-client", + "mappedName": "Maria DB Java Client" + }, + { + "nameMatch": "microprofile-config-api", + "mappedName": "MicroProfile Config API", + "attributionNotices": [ + "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n==  Version 2.0, in this case for Microprofile Config                  ==\n=========================================================================\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nPortions of this software were originally based on the following:\n* Apache DeltaSpike Config\n  https://deltaspike.apache.org\n  under Apache License, v2.0\n\nSPDXVersion: SPDX-2.1\nPackageName: Eclipse Microprofile\nPackageHomePage: http://www.eclipse.org/microprofile\nPackageLicenseDeclared: Apache-2.0\n\nPackageCopyrightText: <text>\nMark Struberg struberg@apache.org,\nGerhard Petracek gpetracek@apache.org,\nRomain Manni-Bucau rmannibucau@apache.org,\nRon Smeral rsmeral@apache.org,\nEmily Jiang emijiang@uk.ibm.com,\nOndrej Mihalyi ondrej.mihalyi@gmail.com,\nGunnar Morling gunnar@hibernate.org\n</text>\n
" + ] + }, + { + "nameMatch": "microprofile-metrics-api", + "mappedName": "MicroProfile Metrics API", + "attributionNotices": [ + "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n==  Version 2.0, in this case for Microprofile Metrics                 ==\n=========================================================================\n\nPortions of this software were originally based on the following:\n* Dropwizard Metrics\n  http://metrics.dropwizard.io/3.2.3/\n  under Apache License, v2.0\n\n* CDI Extension for Metrics by Antonin Stefanutti\n  https://github.com/astefanutti/metrics-cdi\n  under Apache License, v2.0\n\nSPDXVersion: SPDX-2.1\nPackageName: Eclipse Microprofile\nPackageHomePage: http://www.eclipse.org/microprofile\nPackageLicenseDeclared: Apache-2.0\n\nPackageCopyrightText: <text>\nHeiko Rupp hrupp@redhat.com,\nRaymond Lam lamr@ca.ibm.com,\nBrennan Nichyporuk brennan.nichyporuk@gmail.com,\nDavid Chan chdavid@ca.ibm.com,\nDon Bourne dbourne@ca.ibm.com,\nAntonin Stefanutti antonin@stefanutti.fr,\nArjun Sharma arjun.a.sharma@ibm.com,\nFahham Khan fahhamk@ca.ibm.com,\nFelix Wong fmhwong@ca.ibm.com,\nMike Croft mike.croft@payara.fish,\nWerner Keil werner@catmedia.us,\nJan Martiska jmartisk@redhat.com\n</text>\n
" + ] + }, + { + "nameMatch": "org\\.osgi\\.org\\.osgi.*", + "mappedName": "OSGI" + }, + { + "nameMatch": "annotation\\.versioning", + "mappedName": "OSGI Versioning", + "url": "https://docs.osgi.org/javadoc/r6/annotation/" + }, + { + "nameMatch": "passay", + "mappedName": "Passay", + "url": "https://github.com/vt-middleware/passay", + "attributionNotices": [ + "
Passay Java Library\nCopyright (C) 2003-2022 Virginia Tech.\nAll rights reserved.\n\nThis product includes software developed at\nVirginia Tech (http://www.vt.edu).\n
" + ], + "licenses": [ + "Apache-2.0", + "LGPL-3.0" + ] + }, + { + "nameMatch": "ph-commons", + "mappedName": "ph-commons", + "attributionNotices": [ + "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes Open Source Software developed by\nPhilip Helger - https://www.helger.com/\n\nThis product includes Open Source Software developed by phloc systems (http://www.phloc.com/)\n\nThis product includes/uses software(s) developed by 'Apache Software Foundation' (http://www.apache.org/)\n  - Abdera I18N (http://abdera.apache.org/)\n  - commons-primitives (http://commons.apache.org/proper/commons-primitives/)\n  - commons-codec (http://commons.apache.org/proper/commons-codec/)\n\nThis product includes/uses software(s) developed by 'Robert Harder' (http://iharder.net/)\n  - Base64 (http://iharder.net/base64)\n\nThis product includes/uses software(s) developed by 'Bytecode Pty Ltd.'\n  - OpenCSV (http://sourceforge.net/projects/opencsv/)\n
" + ] + }, + { + "nameMatch": "ph-css", + "mappedName": "ph-css", + "attributionNotices": [ + "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes Open Source Software developed by\nPhilip Helger - https://www.helger.com/\n\nThis product includes Open Source Software developed by phloc systems (http://www.phloc.com/)\n
" + ] + }, + { + "nameMatch": "reactive-streams", + "mappedName": "Reactive Streams", + "url": "https://github.com/reactive-streams/reactive-streams-jvm/tree/master", + "attributionNotices": [ + "
Legal\n  This project is a collaboration between engineers from Kaazing, Lightbend, Netflix, Pivotal, Red Hat, Twitter and many others. This project is licensed under MIT No Attribution (SPDX: MIT-0).\n
\n\n" + ], + "licenses": [ + "MIT-0" + ] + }, + { + "nameMatch": "reflections", + "mappedName": "Reflections", + "attributionNotices": [ + "
            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE\n                    Version 2, December 2004\n\n Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>\n\n Everyone is permitted to copy and distribute verbatim or modified\n copies of this license document, and changing it is allowed as long\n as the name is changed.\n\n            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE\n   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n  0. You just DO WHAT THE FUCK YOU WANT TO.\n\n
" + ] + }, + { + "nameMatch": "resteasy-cache-core", + "mappedName": "RESTEasy Cache Core" + }, + { + "nameMatch": "rxjava", + "mappedName": "RxJava", + "url": "https://github.com/ReactiveX/RxJava", + "attributionNotices": [ + "
Copyright (c) 2016-present, RxJava Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n
" + ] + }, + { + "nameMatch": "SparseBitSet", + "mappedName": "SparseBitSet" + }, + { + "nameMatch": "sqlite-jdbc", + "mappedName": "SQLITE JDBC", + "url": "https://github.com/xerial/sqlite-jdbc/tree/master", + "attributionNotices": [ + "
This product includes the following softwares developed by David Crawshaw.\nSee LICENSE.zentus file.\n\nAnd also, NestedVM (Apache License Version 2.0) is used inside sqlite-
" + ] + }, + { + "nameMatch": "swagger-annotations", + "mappedName": "Swagger", + "attributionNotices": [ + "
This product includes the following softwares developed by David Crawshaw.\nSee LICENSE.zentus file.\n\nAnd also, NestedVM (Apache License Version 2.0) is used inside sqlite-
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.vaadin.*",
+ "mappedName": "Vaadin",
+ "url": "https://github.com/vaadin",
+ "licenses": [
+ "Apache-2.0",
+ "CVAL-3.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.vaadin\\.flow.*",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "groupMatch": "com\\.vaadin.*",
+ "nameMatch": "vaadin-lumo-theme|vaadin-lumo-theme|vaadin-cdi",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "groupMatch": "com\\.vaadin\\.external.*",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "nameMatch": "enhanced-date-time-picker",
+ "mappedName": "Vaadin Componentfactory Enhanced Date Time Picker",
+ "url": "https://github.com/vaadin-component-factory/enhanced-date-time-picker",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "mobile-drag-drop",
+ "mappedName": "Webjars NPM Mobile drag and drop"
+ },
+ {
+ "nameMatch": "vaadin__vaadin-mobile-drag-drop",
+ "mappedName": "Webjars NPM Vaadin Mobile drag and drop"
+ },
+ {
+ "nameMatch": "polymer",
+ "mappedName": "Webjars Polymer"
+ },
+ {
+ "nameMatch": "iron-a11y-announcer",
+ "mappedName": "Webjars Polymerelement iron-a11y-announcer"
+ },
+ {
+ "nameMatch": "iron-scroll-target-behavior",
+ "mappedName": "Webjars Polymerelement iron-scroll-target-behavior"
+ },
+ {
+ "nameMatch": "iron-resizable-behavior",
+ "mappedName": "Webjars Polymerelement iron-resizable-behavior"
+ },
+ {
+ "nameMatch": "iron-meta",
+ "mappedName": "Webjars Polymerelement iron-meta"
+ },
+ {
+ "nameMatch": "iron-a11y-keys-behavior",
+ "mappedName": "Webjars Polymerelement iron-a11y-keys-behavior"
+ },
+ {
+ "nameMatch": "iron-fit-behavior",
+ "mappedName": "Webjars Polymerelement iron-fit-behavior"
+ },
+ {
+ "nameMatch": "iron-iconset-svg",
+ "mappedName": "Webjars Polymerelements iron-iconset-svg"
+ },
+ {
+ "nameMatch": "iron-icon",
+ "mappedName": "Webjars Polymerelements iron-icon"
+ },
+ {
+ "nameMatch": "iron-media-query",
+ "mappedName": "Webjars Polymerelement iron-media-query"
+ },
+ {
+ "nameMatch": "iron-flex-layout",
+ "mappedName": "Webjars Polymerelement iron-flex-layout"
+ },
+ {
+ "nameMatch": "iron-list",
+ "mappedName": "Webjars Polymerelement iron-list"
+ },
+ {
+ "nameMatch": "iron-overlay-behavior",
+ "mappedName": "Webjars Polymerelement iron-overlay-behavior"
+ },
+ {
+ "nameMatch": "polymer",
+ "mappedName": "Webjars Vaadin Button",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-combo-box",
+ "mappedName": "Webjars Vaadin Combo Box",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-control-state-mixin",
+ "mappedName": "Webjars Vaadin Control State Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-element-mixin",
+ "mappedName": "Webjars Vaadin Element Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-custom-field",
+ "mappedName": "Webjars Vaadin Custom Field",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-date-picker",
+ "mappedName": "Webjars Vaadin Date Picker",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "(vaadin-time-picker)|(vaadin-button)",
+ "mappedName": "Webjars Vaadin Time Picker, Button",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-date-time-picker",
+ "mappedName": "Webjars Vaadin Date Time Picker",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-development-mode-detector",
+ "mappedName": "Webjars Vaadin Development Mode Detector",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-item",
+ "mappedName": "Webjars Vaadin Item",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-lumo-styles",
+ "mappedName": "Webjars Vaadin Lumo Styles",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-material-styles",
+ "mappedName": "Webjars Vaadin Material Styles",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-overlay",
+ "mappedName": "Webjars Vaadin Overlay",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-text-field",
+ "mappedName": "Webjars Vaadin Text Field",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-themable-mixin",
+ "mappedName": "Webjars Vaadin Themable Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-themable-mixin",
+ "mappedName": "Webjars Vaadin Themable Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-usage-statistics",
+ "mappedName": "Webjars Vaadin Statistics Usage",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "shadycss",
+ "mappedName": "Webjars Webcomponents Shady CSS"
+ },
+ {
+ "nameMatch": "webcomponentsjs",
+ "mappedName": "Webjars Webcomponents JS"
+ },
+ {
+ "nameMatch": "wildfly-common",
+ "mappedName": "Wildfly Common",
+ "attributionNotices": [
+ "
License\nThis software is in the public domain\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "xml-apis",
+ "mappedName": "XML APIs",
+ "url": "http://svn.apache.org/repos/asf/xerces/xml-commons/",
+ "attributionNotices": [
+ "
   =========================================================================\n   ==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n   ==  Version 2.0, in this case for the Apache xml-commons xml-apis      ==\n   ==  distribution.                                                      ==\n   =========================================================================\n\n   Apache XML Commons\n   Copyright 2001-2003,2006 The Apache Software Foundation.\n\n   This product includes software developed at\n   The Apache Software Foundation (http://www.apache.org/).\n\n   Portions of this software were originally based on the following:\n     - software copyright (c) 1999, IBM Corporation., http://www.ibm.com.\n     - software copyright (c) 1999, Sun Microsystems., http://www.sun.com.\n     - software copyright (c) 2000 World Wide Web Consortium, http://www.w3.org\n
"
+ ],
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "aopalliance",
+ "mappedName": "AOP Alliance (Java/J2EE AOP standards)",
+ "url": "http://aopalliance.cvs.sourceforge.net:/cvsroot/aopalliance"
+ },
+ {
+ "nameMatch": "ch-commons-charset",
+ "mappedName": "ch-commons-charset",
+ "url": "https://github.com/jjlauer/cloudhopper-commons-charset",
+ "attributionNotices": [
+ "
\nch-commons-charset is Copyright (C) 2011 Twitter, Inc.\n\nLicensed under the Apache License, Version 2.0 (the "License"); you may not\nuse this work except in compliance with the License. You may obtain a copy of\nthe License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an "AS IS" BASIS, WITHOUT\nWARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the\nLicense for the specific language governing permissions and limitations under\nthe License.
\n"
+ ]
+ },
+ {
+ "groupMatch": "xerces",
+ "mappedName": "Apache Xerces - Impl",
+ "url": "https://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_8_0/"
+ },
+ {
+ "groupMatch": "apache-xerces",
+ "mappedName": "Apache Xerces",
+ "url": "https://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_9_1/",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.kenglxn\\.qrgen",
+ "mappedName": "QRGen",
+ "url": "https://github.com/kenglxn/QRGen"
+ },
+ {
+ "groupMatch": "com\\.beust",
+ "nameMatch": "jcommander",
+ "mappedName": "JCommander",
+ "url": "https://github.com/cbeust/jcommander"
+ },
+ {
+ "groupMatch": "com\\.github\\.librepdf",
+ "nameMatch": "openpdf",
+ "mappedName": "OpenPDF",
+ "url": "https://github.com/LibrePDF/OpenPDF",
+ "attributionNotices": [
+ "
\n# Licenses\n\n## Licenses of OpenPDF\n\n### Mozilla Public License Version 2.0\n\nPlease see https://www.mozilla.org/en-US/MPL/2.0/ or the attached file\n[MPL-2.0.txt](src/main/resources/META-INF/MPL-2.0.txt).\n\n### GNU Lesser General Public License 2.1\n\nPlease see https://www.gnu.org/licenses/old-licenses/lgpl-2.1 or the attached file\n[LGPL-2.1.md](src/main/resources/META-INF/LGPL-2.1.md).\n
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.albfernandez",
+ "nameMatch": "juniversalchardet",
+ "mappedName": "juniversalchardet",
+ "url": "https://github.com/albfernandez/juniversalchardet"
+ },
+ {
+ "groupMatch": "com\\.google\\.zxing",
+ "mappedName": "ZXing",
+ "url": "https://github.com/zxing/zxing",
+ "attributionNotices": [
+ "
Copyright (c) 2005 Sun Microsystems, Inc.\nCopyright © 2010-2014 University of Manchester\nCopyright © 2010-2015 Stian Soiland-Reyes\nCopyright © 2015 Peter Hull\nAll Rights Reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n- Redistribution of source code must retain the above copyright\n  notice, this list of conditions and the following disclaimer.\n\n- Redistribution in binary form must reproduce the above copyright\n  notice, this list of conditions and the following disclaimer in\n  the documentation and/or other materials provided with the\n  distribution.\n\nNeither the name of Sun Microsystems, Inc. or the names of\ncontributors may be used to endorse or promote products derived\nfrom this software without specific prior written permission.\n\nThis software is provided "AS IS," without a warranty of any\nkind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND\nWARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY\nEXCLUDED. SUN MIDROSYSTEMS, INC. ("SUN") AND ITS LICENSORS SHALL\nNOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF\nUSING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS\nDERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR\nANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,\nCONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND\nREGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR\nINABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\nYou acknowledge that this software is not designed or intended for\nuse in the design, construction, operation or maintenance of any\nnuclear facility.
\n"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.activemq\\.protobuf",
+ "mappedName": "Apache ActiveMQ - Protobuf"
+ },
+ {
+ "groupMatch": "org\\.apache\\.activemq",
+ "mappedName": "Apache ActiveMQ",
+ "url": "https://github.com/apache/activemq"
+ },
+ {
+ "groupMatch": "net\\.java\\.dev\\.jna",
+ "mappedName": "Java Native Access (JNA)",
+ "url": "https://github.com/java-native-access/jna",
+ "attributionNotices": [
+ "
\nSPDX-License-Identifier: Apache-2.0 OR LGPL-2.1\n\nJava Native Access (JNA) is licensed under the LGPL, version 2.1\nor later, or (from version 4.0 onward) the Apache License,\nversion 2.0.\n\nYou can freely decide which license you want to apply to the project.\n\nYou may obtain a copy of the LGPL License at:\n\nhttp://www.gnu.org/licenses/licenses.html\n\nA copy is also included in the downloadable source code package\ncontaining JNA, in file "LGPL2.1", under the same directory\nas this file.\n\nYou may obtain a copy of the Apache License at:\n\nhttp://www.apache.org/licenses/\n\nA copy is also included in the downloadable source code package\ncontaining JNA, in file "AL2.0", under the same directory\nas this file.\n\nCommercial support may be available, please e-mail\ntwall[at]users[dot]sf[dot]net.\n
"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.pdfbox",
+ "mappedName": "PDFBox",
+ "url": "https://svn.apache.org/repos/asf/pdfbox/",
+ "attributionNotices": [
+ "
\nEXTERNAL COMPONENTS\n\nApache PDFBox includes a number of components with separate copyright notices\nand license terms. Your use of these components is subject to the terms and\nconditions of the following licenses.\n\nContributions made to the original PDFBox and FontBox projects:\n\n   Copyright (c) 2002-2007, www.pdfbox.org\n   All rights reserved.\n\n   Redistribution and use in source and binary forms, with or without\n   modification, are permitted provided that the following conditions are met:\n\n   1. Redistributions of source code must retain the above copyright notice,\n      this list of conditions and the following disclaimer.\n\n   2. Redistributions in binary form must reproduce the above copyright\n      notice, this list of conditions and the following disclaimer in the\n      documentation and/or other materials provided with the distribution.\n\n   3. Neither the name of pdfbox; nor the names of its contributors may be\n      used to endorse or promote products derived from this software without\n      specific prior written permission.\n\n   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\n   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n   ARE DISCLAIMED.  
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE\n   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\n   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\n   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n   SUCH DAMAGE.\n\nAdobe Font Metrics (AFM) for PDF Core 14 Fonts\n\n   This file and the 14 PostScript(R) AFM files it accompanies may be used,\n   copied, and distributed for any purpose and without charge, with or without\n   modification, provided that all copyright notices are retained; that the\n   AFM files are not distributed without this file; that all modifications\n   to this file or any of the AFM files are prominently noted in the modified\n   file(s); and that this paragraph is not modified. Adobe Systems has no\n   responsibility or obligation to support the use of the AFM files. \n\nCMaps for PDF Fonts (http://opensource.adobe.com/wiki/display/cmap/Downloads)\n\n   Copyright 1990-2009 Adobe Systems Incorporated.\n   All rights reserved.\n\n   Redistribution and use in source and binary forms, with or without\n   modification, are permitted provided that the following conditions\n   are met:\n\n   Redistributions of source code must retain the above copyright notice,\n   this list of conditions and the following disclaimer.\n\n   Redistributions in binary form must reproduce the above copyright notice,\n   this list of conditions and the following disclaimer in the documentation\n   and/or other materials provided with the distribution. \n\n   Neither the name of Adobe Systems Incorporated nor the names of its\n   contributors may be used to endorse or promote products derived from this\n   software without specific prior written permission. 
\n\n   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\n   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n   ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE\n   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\n   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\n   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\n   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN\n   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\n   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF\n   THE POSSIBILITY OF SUCH DAMAGE.\n\nPaDaF PDF/A preflight (http://sourceforge.net/projects/padaf)\n\n  Copyright 2010 Atos Worldline SAS\n \n  Licensed by Atos Worldline SAS under one or more\n  contributor license agreements.  See the NOTICE file distributed with\n  this work for additional information regarding copyright ownership.\n  Atos Worldline SAS licenses this file to You under the Apache License, Version 2.0\n  (the "License"); you may not use this file except in compliance with\n  the License.  You may obtain a copy of the License at\n \n       http://www.apache.org/licenses/LICENSE-2.0\n \n  Unless required by applicable law or agreed to in writing, software\n  distributed under the License is distributed on an "AS IS" BASIS,\n  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n  See the License for the specific language governing permissions and\n  limitations under the License.\n\nOSXAdapter\n\n  Version: 2.0\n  \n  Disclaimer: IMPORTANT:  This Apple software is supplied to you by \n  Apple Inc. 
("Apple") in consideration of your agreement to the\n  following terms, and your use, installation, modification or\n  redistribution of this Apple software constitutes acceptance of these\n  terms.  If you do not agree with these terms, please do not use,\n  install, modify or redistribute this Apple software.\n  \n  In consideration of your agreement to abide by the following terms, and\n  subject to these terms, Apple grants you a personal, non-exclusive\n  license, under Apple's copyrights in this original Apple software (the\n  "Apple Software"), to use, reproduce, modify and redistribute the Apple\n  Software, with or without modifications, in source and/or binary forms;\n  provided that if you redistribute the Apple Software in its entirety and\n  without modifications, you must retain this notice and the following\n  text and disclaimers in all such redistributions of the Apple Software. \n  Neither the name, trademarks, service marks or logos of Apple Inc. \n  may be used to endorse or promote products derived from the Apple\n  Software without specific prior written permission from Apple.  Except\n  as expressly stated in this notice, no other rights or licenses, express\n  or implied, are granted by Apple herein, including but not limited to\n  any patent rights that may be infringed by your derivative works or by\n  other works in which the Apple Software may be incorporated.\n  \n  The Apple Software is provided by Apple on an "AS IS" basis.  
APPLE\n  MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION\n  THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS\n  FOR A PARTICULAR PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND\n  OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS.\n  \n  IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL\n  OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\n  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\n  INTERRUPTION) ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION,\n  MODIFICATION AND/OR DISTRIBUTION OF THE APPLE SOFTWARE, HOWEVER CAUSED\n  AND WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE),\n  STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE\n  POSSIBILITY OF SUCH DAMAGE.\n  \n  Copyright (C) 2003-2007 Apple, Inc., All Rights Reserved\n
"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.xmlgraphics",
+ "nameMatch": "batik.*",
+ "mappedName": "Apache XML Graphics Project - Batik",
+ "url": "https://svn.apache.org/repos/asf/xmlgraphics/batik/tags/batik-1_10/"
+ },
+ {
+ "groupMatch": "org\\.apache\\.xmlgraphics",
+ "nameMatch": "xmlgraphics-commons",
+ "mappedName": "Apache XML Graphics Project - xmlgraphics-commons",
+ "url": "https://svn.apache.org/viewvc/xmlgraphics/commons/tags/commons-2_2/"
+ },
+ {
+ "groupMatch": "xml-apis",
+ "nameMatch": "xml-apis-ext",
+ "mappedName": "Apache XML APIs Extensions",
+ "url": "https://xerces.apache.org/xml-commons/components/external/"
+ },
+ {
+ "groupMatch": "xom",
+ "nameMatch": "xom",
+ "mappedName": "XOM: XML object model",
+ "url": "https://github.com/elharo/xom/",
+ "attributionNotices": [
+ "
\nXOM is a dual streaming/tree-based API for processing XML with Java.\nCopyright 2004, 2005, 2009, 2010, 2020 Elliotte Rusty Harold\n   \n   This library is free software; you can redistribute it and/or modify\n   it under the terms of version 2.1 of the GNU Lesser General Public \n   License as published by the Free Software Foundation.\n   \n   This library is distributed in the hope that it will be useful,\n   but WITHOUT ANY WARRANTY; without even the implied warranty of\n   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the \n   GNU Lesser General Public License for more details.\n   \n   You should have received a copy of the GNU Lesser General Public\n   License along with this library. If not, see \n   \n   \nYou can contact Elliotte Rusty Harold by sending e-mail to\nelharo@ibiblio.org. Please include the word "XOM" in the\nsubject line. For more information see https://xom.nu/ \nor ask a question on the xom-interest mailing list.\n
"
+ ]
+ },
+ {
+ "groupMatch": "relaxngDatatype",
+ "nameMatch": "relaxngDatatype",
+ "mappedName": "relaxngDatatype",
+ "url": "https://sourceforge.net/projects/relaxng/files/"
+ },
+ {
+ "groupMatch": "pull-parser",
+ "nameMatch": "pull-parser",
+ "mappedName": "pull-parser",
+ "url": "https://extreme.indiana.edu/"
+ },
+ {
+ "groupMatch": "org\\.springframework",
+ "mappedName": "Spring Framework",
+ "url": "https://github.com/SpringSource/spring-framework"
+ },
+ {
+ "groupMatch": "org\\.slf4j",
+ "nameMatch": "slf4j.*",
+ "mappedName": "Simple Logging Facade for Java (SLF4J)",
+ "url": "https://github.com/qos-ch/slf4j"
+ },
+ {
+ "groupMatch": "org\\.dcm4che.*",
+ "mappedName": "dcm4che DICOM Toolkit & Library",
+ "url": "https://github.com/dcm4che/dcm4che"
+ },
+ {
+ "groupMatch": "commons-validator",
+ "nameMatch": "commons-validator",
+ "mappedName": "Apache Commons Validator",
+ "url": "https://github.com/apache/commons-validator/tree/VALIDATOR_1_6"
+ },
+ {
+ "groupMatch": "commons-pool",
+ "nameMatch": "commons-pool",
+ "mappedName": "Apache Commons Pool",
+ "url": "https://github.com/apache/commons-pool/tree/POOL_1_6"
+ },
+ {
+ "groupMatch": "commons-net",
+ "nameMatch": "commons-net",
+ "mappedName": "Apache Commons Net",
+ "url": "https://github.com/apache/commons-net/tree/NET_3_3"
+ },
+ {
+ "groupMatch": "commons-digester",
+ "nameMatch": "commons-digester",
+ "mappedName": "Apache Commons Digester",
+ "url": "https://github.com/apache/commons-digester/tree/DIGESTER_1_8_1"
+ },
+ {
+ "groupMatch": "commons-cli",
+ "nameMatch": "commons-cli",
+ "mappedName": "Apache Commons CLI",
+ "url": "https://github.com/apache/commons-cli/tree/cli-1.4"
+ },
+ {
+ "groupMatch": "commons-httpclient",
+ "nameMatch": "commons-httpclient",
+ "mappedName": "Apache Commons HTTP-Client",
+ "url": "https://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/"
+ },
+ {
+ "groupMatch": "io\\.github\\.openfeign",
+ "mappedName": "Openfeign"
+ },
+ {
+ "groupMatch": "org\\.jodd",
+ "mappedName": "Jodd",
+ "url": "https://github.com/oblac/jodd/tree/v3.6.7"
+ },
+ {
+ "groupMatch": "org\\.drools",
+ "mappedName": "Drools",
+ "url": "https://github.com/kiegroup/drools/tree/5.5.0.Final"
+ },
+ {
+ "groupMatch": "org\\.checkerframework",
+ "nameMatch": "Checker framework",
+ "mappedName": "",
+ "attributionNotices": [
+ "
\nThe Checker Framework\nCopyright 2004-present by the Checker Framework developers\n\n\nMost of the Checker Framework is licensed under the GNU General Public\nLicense, version 2 (GPL2), with the classpath exception.  The text of this\nlicense appears below.  This is the same license used for OpenJDK.\n\nA few parts of the Checker Framework have more permissive licenses, notably\nthe parts that you might want to include with your own program.\n\n * The annotations and utility files are licensed under the MIT License.\n   (The text of this license also appears below.)  This applies to\n   checker-qual*.jar and checker-util.jar and all the files that appear in\n   them, which is all files in checker-qual and checker-util directories.\n   It also applies to the cleanroom implementations of\n   third-party annotations (in checker/src/testannotations/,\n   framework/src/main/java/org/jmlspecs/, and\n   framework/src/main/java/com/google/).\n\nThe Checker Framework includes annotations for some libraries.  Those in\n.astub files use the MIT License.  Those in https://github.com/typetools/jdk\n(which appears in the annotated-jdk directory of file checker.jar) use the\nGPL2 license.\n\nSome external libraries that are included with the Checker Framework\ndistribution have different licenses.  Here are some examples.\n\n * JavaParser is dual licensed under the LGPL or the Apache license -- you\n   may use it under whichever one you want.  (The JavaParser source code\n   contains a file with the text of the GPL, but it is not clear why, since\n   JavaParser does not use the GPL.)  See\n   https://github.com/typetools/stubparser .\n\n * Annotation Tools (https://github.com/typetools/annotation-tools) uses\n   the MIT license.\n\n * Libraries in plume-lib (https://github.com/plume-lib/) are licensed\n   under the MIT License.\n\n===========================================================================\n
"
+ ],
+ "licenses": [
+ "MIT",
+ "GPL-2"
+ ]
+ },
+ {
+ "groupMatch": "com\\.google\\.j2objc",
+ "nameMatch": "j2objc-annotations",
+ "mappedName": "J2ODBC-Annotations",
+ "url": "https://github.com/google/j2objc",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "org.vaadin.haijian",
+ "nameMatch": "exporter",
+ "mappedName": "Exporter",
+ "url": "https://github.com/haiwan/Exporter",
+ "attributionNotices": [
+ "
\nAll parts, except the contents of the documentation module, are licenced\nunder Apache License v2.0. See the license text below.\n\nThe documentation is licensed under Creative Commons CC-BY-ND 2.0\n(http://creativecommons.org/licenses/by-nd/2.0/legalcode).\n
"
+ ]
+ },
+ {
+ "groupMatch": "c3p0",
+ "nameMatch": "c3p0",
+ "mappedName": "C3p0",
+ "url": "https://sourceforge.net/projects/c3p0/files/"
+ },
+ {
+ "groupMatch": "com\\.github\\.jai-imageio",
+ "nameMatch": "jai-imageio-core",
+ "licenses": [
+ "BSD-3-Clause No Nuclear License"
+ ]
+ },
+ {
+ "groupMatch": "com\\.mchange",
+ "nameMatch": "c3p0",
+ "mappedName": "Mchange - C3p0",
+ "url": "https://github.com/swaldman/c3p0",
+ "attributionNotices": [
+ "
\n\nThis library is free software; you can redistribute it and/or modify\nit under the terms of EITHER:\n\n    1) The GNU Lesser General Public License (LGPL), version 2.1, as \n       published by the Free Software Foundation\n\nOR\n\n    2) The Eclipse Public License (EPL), version 1.0\n\nYou may choose which license to accept if you wish to redistribute\nor modify this work. You may offer derivatives of this work\nunder the license you have chosen, or you may provide the same\nchoice of license which you have been offered here.\n\nThis software is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\nYou should have received copies of both LGPL v2.1 and EPL v1.0\nalong with this software; see the files LICENSE-EPL and LICENSE-LGPL.\nIf not, the text of these licenses are currently available at\n\nLGPL v2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html\n EPL v1.0: http://www.eclipse.org/org/documents/epl-v10.php \n\n 
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.mchange",
+ "nameMatch": "mchange-commons-java",
+ "mappedName": "Mchange - mchange-commons-java",
+ "url": "https://github.com/swaldman/mchange-commons-java",
+ "attributionNotices": [
+ "
\n\nThis library is free software; you can redistribute it and/or modify\nit under the terms of EITHER:\n\n    1) The GNU Lesser General Public License (LGPL), version 2.1, as \n       published by the Free Software Foundation\n\nOR\n\n    2) The Eclipse Public License (EPL), version 1.0\n\nYou may choose which license to accept if you wish to redistribute\nor modify this work. You may offer derivatives of this work\nunder the license you have chosen, or you may provide the same\nchoice of license which you have been offered here.\n\nThis software is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\nYou should have received copies of both LGPL v2.1 and EPL v1.0\nalong with this software; see the files LICENSE-EPL and LICENSE-LGPL.\nIf not, the text of these licenses are currently available at\n\nLGPL v2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html\n EPL v1.0: http://www.eclipse.org/org/documents/epl-v10.php \n\n 
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.twelvemonkeys.*",
+ "mappedName": "TwelveMonkeys"
+ },
+ {
+ "groupMatch": "commons-codec",
+ "nameMatch": "commons-codec",
+ "mappedName": "Apache commons-codec",
+ "url": "https://github.com/apache/commons-codec"
+ },
+ {
+ "groupMatch": "commons-logging",
+ "nameMatch": "commons-logging",
+ "mappedName": "Apache commons-logging",
+ "url": "https://github.com/apache/commons-logging"
+ },
+ {
+ "groupMatch": "dom4j",
+ "nameMatch": "dom4j",
+ "mappedName": "Dom4j",
+ "url": "https://github.com/dom4j/dom4j",
+ "licenses": [
+ "DOM4j-License"
+ ]
+ },
+ {
+ "groupMatch": "javax\\.jmdns",
+ "nameMatch": "jmdns",
+ "mappedName": "JMDNS",
+ "url": "https://sourceforge.net/projects/jmdns/files/"
+ },
+ {
+ "groupMatch": "javax\\.json",
+ "nameMatch": "javax\\.json-api",
+ "mappedName": "Javax Json-API",
+ "url": "https://github.com/javaee/json-processing-spec",
+ "licenses": [
+ "CDDL-1.1"
+ ]
+ },
+ {
+ "groupMatch": "javax\\.servlet",
+ "nameMatch": "javax\\.servlet-api",
+ "mappedName": "Javax Servlet-API",
+ "url": "https://github.com/javaee/servlet-spec",
+ "licenses": [
+ "CDDL-1.1"
+ ]
+ },
+ {
+ "groupMatch": "net\\.jpountz\\.lz4",
+ "nameMatch": "lz4",
+ "mappedName": "Lz4",
+ "url": "https://github.com/lz4/lz4-java"
+ },
+ {
+ "groupMatch": "org\\.apache\\.cxf",
+ "nameMatch": "cxf-api",
+ "mappedName": "Apache CFX API",
+ "url": "https://github.com/apache/cxf.git"
+ },
+ {
+ "groupMatch": "org\\.apache\\.cxf",
+ "nameMatch": "cxf-rt-core",
+ "mappedName": "Apache CFX RT Core",
+ "url": "https://github.com/apache/cxf.git"
+ },
+ {
+ "groupMatch": "org\\.apache\\.cxf",
+ "mappedName": "Apache CFX Others",
+ "url": "https://github.com/apache/cxf.git"
+ },
+ {
+ "groupMatch": "org\\.apache\\.deltaspike.*",
+ "mappedName": "Apache Deltaspike",
+ "url": "https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;a=tree;hb=cb0d4d07a2ae8604f84eb4acaab89f4bd0504e72"
+ },
+ {
+ "groupMatch": "org\\.apache\\.james",
+ "nameMatch": "apache-mime4j",
+ "mappedName": "Apache mime4j",
+ "url": "https://github.com/apache/james-mime4j"
+ },
+ {
+ "groupMatch": "org\\.apache\\.geronimo\\.specs",
+ "nameMatch": "geronimo-javamail_1.4_spec",
+ "mappedName": "Apache Geronimo JavaMail 1.4",
+ "attributionNotices": [
+ "
\n#########################################################################\n## ADDITIONAL LICENSES                                                 ##\n#########################################################################\n\nThe XMLSchema.dtd included in this project was developed by the\nW3C Consortium (http://www.w3c.org/).\nUse of the source code, thus licensed, and the resultant binary are\nsubject to the terms and conditions of the following license.\n\nW3C¨ SOFTWARE NOTICE AND LICENSE\nCopyright © 1994-2002 World Wide Web Consortium, (Massachusetts Institute of\nTechnology, Institut National de Recherche en Informatique et en Automatique,\nKeio University). All Rights Reserved. http://www.w3.org/Consortium/Legal/\n\nThis W3C work (including software, documents, or other related items) is\nbeing provided by the copyright holders under the following license. By\nobtaining, using and/or copying this work, you (the licensee) agree that you\nhave read, understood, and will comply with the following terms and\nconditions:\n\nPermission to use, copy, modify, and distribute this software and its\ndocumentation, with or without modification,  for any purpose and without\nfee or royalty is hereby granted, provided that you include the following on\nALL copies of the software and documentation or portions thereof, including\nmodifications, that you make:\n\n   1. The full text of this NOTICE in a location viewable to users of the\n         redistributed or derivative work.\n   2. Any pre-existing intellectual property disclaimers, notices, or terms\n         and conditions. 
If none exist, a short notice of the following form\n         (hypertext is preferred, text is permitted) should be used within\n         the body of any redistributed or derivative code: "Copyright ©\n         [$date-of-software] World Wide Web Consortium, (Massachusetts Institute\n         of Technology, Institut National de Recherche en Informatique et en\n         Automatique, Keio University). All Rights Reserved.\n         http://www.w3.org/Consortium/Legal/"\n   3. Notice of any changes or modifications to the W3C files, including the\n         date changes were made. (We recommend you provide URIs to the location\n         from which the code is derived.)\n\nTHIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE\nNO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED\nTO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT\nTHE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS,\nCOPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.\n\nCOPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR\nCONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.\n\nThe name and trademarks of copyright holders may NOT be used in advertising or\npublicity pertaining to the software without specific, written prior permission.\nTitle to copyright in this software and any associated documentation will at all\ntimes remain with copyright holders.\n 
" + ] + }, + { + "groupMatch": "org\\.apache\\.httpcomponents", + "nameMatch": "httpcore", + "mappedName": "Apache HttpComponents HttpCore", + "licenses": [ + "Apache-2.0", + "MPL-2.0" + ] + }, + { + "groupMatch": "org\\.apache\\.httpcomponents", + "nameMatch": "httpclient", + "mappedName": "Apache HttpComponents HttpClient", + "licenses": [ + "Apache-2.0", + "CC-BY-2.5" + ] + }, + { + "groupMatch": "org\\.apache\\.tomcat", + "nameMatch": "tomcat-servlet-api", + "mappedName": "Tomcat Servlet API", + "licenses": [ + "Apache-2.0", + "CDDL-1.0" + ] + }, + { + "groupMatch": "org\\.eclipse\\.jetty", + "mappedName": "Eclipse Jetty" + }, + { + "groupMatch": "org\\.eclipse\\.jetty\\.http2", + "mappedName": "Eclipse Jetty HTTP/2" + }, + { + "groupMatch": "org\\.eclipse\\.jetty\\.websocket", + "mappedName": "Eclipse Jetty Websocket" + }, + { + "groupMatch": "xml-resolver", + "nameMatch": "xml-resolver", + "mappedName": "Xerces XML-Resolver", + "url": "https://xerces.apache.org/xml-commons/components/resolver/" + }, + { + "nameMatch": "relaxngDatatype", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "groupMatch": "jaxen", + "nameMatch": "jaxen", + "mappedName": "Jaxen", + "url": "https://github.com/jaxen-xpath/jaxen", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.interceptor", + "nameMatch": "jboss-interceptors-api_1.1_spec", + "mappedName": "JavaX Interceptor API", + "url": "https://github.com/jboss/jboss-interceptors-api_spec", + "licenses":[ + "GPL-2.0-with-classpath-exception", + "CDDL-1.0" + ] + }, + { + "nameMatch": "corretto8", + "mappedName": "Amazon Coretto 8", + "url": "https://github.com/corretto/corretto-8", + "licenses":[ + "GPL-2.0-with-classpath-exception" + ] + }, + { + "groupMatch": "org\\.wildfly\\.security\\.*", + "mappedName": "Wildfly Security", + "url": "https://github.com/wildfly-security/wildfly-elytron" + }, + { + "nameMatch": "wildfly-dist", + "mappedName": "Wildfly", + "url": 
"https://github.com/wildfly/wildfly", + "licenses":[ + "GPL-2.1" + ] + }, + { + "nameMatch": "wildfly-galleon-pack", + "mappedName": "Wildfly", + "url": "https://github.com/wildfly/wildfly" + }, + { + "groupMatch": "io\\.netty\\.*", + "mappedName": "Netty" + }, + { + "groupMatch": "org\\.infinispan.*", + "mappedName": "Infinispan" + }, + { + "nameMatch": "okhttp", + "mappedName": "OkHttp", + "url": "https://github.com/square/okhttp/" + }, + { + "nameMatch": "okio", + "mappedName": "OkIo", + "url": "https://github.com/square/okio/" + }, + { + "nameMatch": "JConnect", + "mappedName": "JConnect", + "url" : "https://help.sap.com/docs/SAP_ASE_SDK/e12c539de04b44a0bb17a545a148361c/b03e2db6bbf910148fc6bbe092513290.html?locale=en-US&version=16.0.4.3" + }, + { + "groupMatch": "org\\.rocksdb\\.*", + "mappedName": "Rocks DB" + }, + { + "nameMatch": "jboss-logging", + "mappedName": "JBoss Logging" + }, + { + "nameMatch": "jboss-marshalling-osgi", + "mappedName": "JBoss Marshalling OSGI" + }, + { + "nameMatch": "resteasy-jboss-modules", + "mappedName": "Resteasy JBoss Modules", + "url": "https://github.com/resteasy/resteasy", + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "httpd", + "mappedName": "Apache httpd", + "url": "https://github.com/apache/httpd", + "attributionNotices": [ + "
Apache HTTP Server\nCopyright 2021 The Apache Software Foundation.\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\nPortions of this software were developed at the National Center\nfor Supercomputing Applications (NCSA) at the University of\nIllinois at Urbana-Champaign.\n\nThis software contains code derived from the RSA Data Security\nInc. MD5 Message-Digest Algorithm, including various\nmodifications by Spyglass Inc., Carnegie Mellon University, and\nBell Communications Research, Inc (Bellcore).\n\nThis software contains code derived from the PCRE library pcreposix.c\nsource code, written by Philip Hazel, Copyright 1997-2004\nby the University of Cambridge, England.\n
" + ], + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "vcredist", + "mappedName": "vcredist", + "url": "https://learn.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-160", + "licenses": [ + "Microsoft VC++ Redistributable" + ] + }, + { + "nameMatch": "postgresql", + "mappedName": "PostgreSQL", + "url": "https://github.com/postgres/postgres", + "licenses": [ + "PostgreSQL" + ] + }, + { + "nameMatch": "medavis-yajsw", + "mappedName": "Yet Another Java Service Wrapper", + "url": "https://yajsw.sourceforge.io", + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "xstream", + "mappedName": "XStream", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "nameMatch": "ical4j", + "mappedName": "iCal4j", + "url":"https://github.com/ical4j/ical4j", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "groupMatch": "org\\.ow2\\.asm", + "mappedName": "OW2 ASM" + }, + { + "groupMatch": "org\\.jdom", + "nameMatch": "jdom2", + "licenses": [ + "Apache-1.0-JDOM" + ] + }, + { + "purlMatch": "pkg:maven\\/us\\.springett\\/alpine-common@2\\.2\\.5\\?type=jar", + "licenses": [ + "Apache-2.0" + ] + }, + { + "purlMatch": "pkg:maven\\/com\\.pixelmed\\/any-lib@1\\.2\\.3\\.4\\?type=jar", + "licenses": [ + "BSD-2-Clause" + ] + } +] \ No newline at end of file diff --git a/core/pom.xml b/core/pom.xml index fb2da65..8a1c0e3 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -1,7 +1,5 @@ - + 4.0.0 @@ -39,6 +37,11 @@ guava + + org.jetbrains + annotations + + org.junit.jupiter @@ -66,6 +69,39 @@ test + + org.slf4j + slf4j-nop + test + + + + + + com.googlecode.maven-download-plugin + download-maven-plugin + + + + download-latest-spdx + generate-resources + + wget + + + false + true + https://github.com/spdx/license-list-data/raw/main/json/licenses.json + false + ${project.basedir}/target/classes/de/medavis/lct/core/patcher + SpdxLicenseList.json5 + + + + + + + \ No newline at end of file 
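Review bot: The added `download-latest-spdx` execution fetches `https://github.com/spdx/license-list-data/raw/main/json/licenses.json` from the moving `main` branch during `generate-resources` and writes it under `target/classes`, so the packaged `SpdxLicenseList.json5` is whatever that branch serves at build time, and no integrity check is visible in this hunk. Pinning the URL to a release tag or commit and setting the plugin's `sha256` parameter to the expected digest (`<sha256>EXPECTED_DIGEST_PLACEHOLDER</sha256>`) would make the build reproducible and fail closed if the file changes. The XML element names are not visible on this page, so which parameters the `false`/`true` values belong to should be checked against the real pom. A vetted copy committed to the repository would also keep offline or proxied builds working.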
diff --git a/core/src/main/java/de/medavis/lct/core/Configuration.java b/core/src/main/java/de/medavis/lct/core/Configuration.java index d1c7c47..e3c4916 100644 --- a/core/src/main/java/de/medavis/lct/core/Configuration.java +++ b/core/src/main/java/de/medavis/lct/core/Configuration.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -19,15 +19,33 @@ */ package de.medavis.lct.core; +import org.jetbrains.annotations.NotNull; + import java.net.URL; import java.util.Optional; public interface Configuration { - Optional getComponentMetadataUrl(); + default Optional getComponentMetadataUrl() { + return Optional.empty(); + } + + default Optional getLicensesUrl() { + return Optional.empty(); + } - Optional getLicensesUrl(); + default Optional getLicenseMappingsUrl() { + return Optional.empty(); + } - Optional getLicenseMappingsUrl(); + /** + * Used by license patcher feature. + * + * @return Optional URL + */ + @NotNull + default Optional getSpdxLicensesUrl() { + return Optional.empty(); + } } diff --git a/core/src/main/java/de/medavis/lct/core/Json5MapperFactory.java b/core/src/main/java/de/medavis/lct/core/Json5MapperFactory.java new file mode 100644 index 0000000..b8a64b4 --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/Json5MapperFactory.java 
@@ -0,0 +1,59 @@
+/*-
+ * #%L
+ * License Compliance Tool - Implementation Core
+ * %%
+ * Copyright (C) 2022 - 2024 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package de.medavis.lct.core;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.json.JsonReadFeature;
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import org.jetbrains.annotations.NotNull;
+
+/**
+ * Factory for creating JSON5 Mappers
+ */
+public class Json5MapperFactory {
+
+ private Json5MapperFactory() {}
+
+ /**
+ * Create a new JSON5 Mapper.
+ * + * @return Returns a new JSON5 Mapper + */ + @NotNull + public static ObjectMapper create() { + ObjectMapper objectMapper = new ObjectMapper(); + // Do not cancel import on unknown/unsupported properties + objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + + // Enable pseudo JSON5 Support + objectMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true); + objectMapper.configure(JsonReadFeature.ALLOW_TRAILING_COMMA.mappedFeature(), true); + objectMapper.configure(JsonParser.Feature.ALLOW_SINGLE_QUOTES, true); + objectMapper.configure(JsonReadFeature.ALLOW_BACKSLASH_ESCAPING_ANY_CHARACTER.mappedFeature(), true); + objectMapper.configure(JsonReadFeature.ALLOW_NON_NUMERIC_NUMBERS.mappedFeature(), true); + objectMapper.configure(JsonReadFeature.ALLOW_JAVA_COMMENTS.mappedFeature(), true); + objectMapper.configure(JsonReadFeature.ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS.mappedFeature(), true); + + return objectMapper; + } + +} diff --git a/core/src/main/java/de/medavis/lct/core/asset/AssetLoader.java b/core/src/main/java/de/medavis/lct/core/asset/AssetLoader.java index dc9c29f..fd3b2ae 100644 --- a/core/src/main/java/de/medavis/lct/core/asset/AssetLoader.java +++ b/core/src/main/java/de/medavis/lct/core/asset/AssetLoader.java @@ -83,11 +83,12 @@ private Component bomComponentToEntity(org.cyclonedx.model.Component component) String name = component.getName(); String version = component.getVersion(); String url = getWebsite(component.getExternalReferences()); + String purl = component.getPurl(); Set licenses = getLicenseStream(component) .map(this::extractLicense) .filter(Objects::nonNull) .collect(Collectors.toSet()); - return new Component(group, name, version, url, licenses); + return new Component(group, name, version, url, purl, licenses); } private License extractLicense(org.cyclonedx.model.License license) { 
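Review bot: `create()` disables `FAIL_ON_UNKNOWN_PROPERTIES` for every file read through this mapper, so a misspelled key in the component metadata or license mapping JSON is dropped silently instead of failing the import. This matters for matcher keys: the README example added in this commit uses `"purl"` while `ComponentMetadata` binds `purlMatch`, and an entry that loses its matcher may apply its `licenses` override more broadly than intended; the README example may describe a different file format, which should be confirmed. Consider leaving the feature enabled and putting `@JsonIgnoreProperties(ignoreUnknown = true)` only on the types that need leniency. As a style point, the method mixes the deprecated `JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES` and `ALLOW_SINGLE_QUOTES` with `JsonReadFeature`; the `JsonReadFeature` constants of the same names keep it consistent.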
@@ -120,8 +121,8 @@ private Optional getUrl(List externalReferences, Type } private Stream getLicenseStream(org.cyclonedx.model.Component component) { - return component.getLicenseChoice() != null && component.getLicenseChoice().getLicenses() != null - ? component.getLicenseChoice().getLicenses().stream() + return component.getLicenses() != null && component.getLicenses().getLicenses() != null + ? component.getLicenses().getLicenses().stream() : Stream.empty(); } diff --git a/core/src/main/java/de/medavis/lct/core/asset/Component.java b/core/src/main/java/de/medavis/lct/core/asset/Component.java index 5e2f1f7..5a12562 100644 --- a/core/src/main/java/de/medavis/lct/core/asset/Component.java +++ b/core/src/main/java/de/medavis/lct/core/asset/Component.java @@ -30,13 +30,15 @@ public final class Component { private final String name; private final String version; private final String url; + private final String purl; private final Set licenses; - public Component(String group, String name, String version, String url, Set licenses) { + public Component(String group, String name, String version, String url, String purl, Set licenses) { this.group = group; this.name = name; this.version = version; this.url = url; + this.purl = purl; this.licenses = licenses; } @@ -56,6 +58,10 @@ public String url() { return url; } + public String purl() { + return purl; + } + public Set licenses() { return licenses; } @@ -71,12 +77,13 @@ public boolean equals(Object obj) { Objects.equals(this.name, that.name) && Objects.equals(this.version, that.version) && Objects.equals(this.url, that.url) && + Objects.equals(this.purl, that.purl) && Objects.equals(this.licenses, that.licenses); } @Override public int hashCode() { - return Objects.hash(group, name, version, url, licenses); + return Objects.hash(group, name, version, url, purl, licenses); } @Override 
@@ -86,6 +93,7 @@ public String toString() { "name=" + name + ", " + "version=" + version + ", " + "url=" + url + ", " + + "purl=" + purl + ", " + "licenses=" + licenses + ']'; } diff --git a/core/src/main/java/de/medavis/lct/core/downloader/LicenseFileDownloader.java b/core/src/main/java/de/medavis/lct/core/downloader/LicenseFileDownloader.java index 39ac9fa..99d7fce 100644 --- a/core/src/main/java/de/medavis/lct/core/downloader/LicenseFileDownloader.java +++ b/core/src/main/java/de/medavis/lct/core/downloader/LicenseFileDownloader.java 
@@ -19,62 +19,72 @@ */ package de.medavis.lct.core.downloader; -import com.google.common.io.ByteStreams; +import de.medavis.lct.core.patcher.AbstractRestClient; + import java.io.IOException; -import java.io.InputStream; +import java.net.URI; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; import java.nio.charset.UnsupportedCharsetException; -import org.apache.http.Header; + +import org.apache.http.HttpHeaders; import org.apache.http.ParseException; -import org.apache.http.client.HttpClient; -import org.apache.http.client.methods.HttpGet; import org.apache.http.entity.ContentType; -import org.apache.http.impl.client.HttpClients; +import org.jetbrains.annotations.NotNull; +import org.jetbrains.annotations.Nullable; import static org.apache.http.entity.ContentType.TEXT_HTML; import static org.apache.http.entity.ContentType.TEXT_PLAIN; -public class LicenseFileDownloader { - - private final transient HttpClient httpclient = HttpClients.createDefault(); - +public class LicenseFileDownloader extends AbstractRestClient { + /** + * Request the license text from external source. 
+ * + * @return Returns result status of download + */ + @NotNull Result downloadToFile(String url, String license, LicenseFileHandler licenseFileHandler) throws IOException { - if (!licenseFileHandler.isCached(license)) { - httpclient.execute(new HttpGet(url), response -> { - final int statusCode = response.getStatusLine().getStatusCode(); + try { + if (!licenseFileHandler.isCached(license)) { + HttpRequest request = createDefaultGET(URI.create(url)); + HttpResponse response = executeRequestWithResponse(request, HttpResponse.BodyHandlers.ofByteArray()); + int statusCode = response.statusCode(); if (statusCode < 200 || statusCode >= 300) { throw new IOException("Download not successful: Status " + statusCode); } - String extension = determineExtension(response.getEntity().getContentType()); - try (final InputStream input = response.getEntity().getContent()) { - licenseFileHandler.save(license, extension, ByteStreams.toByteArray(input)); - } - return null; - }); - return Result.DOWNLOADED; - } else { - licenseFileHandler.copyFromCache(license); - return Result.FROM_CACHE; + String contentType = determineExtension(response.headers().firstValue(HttpHeaders.CONTENT_TYPE).orElse("")); + licenseFileHandler.save(license, contentType, response.body()); + + return Result.DOWNLOADED; + } else { + licenseFileHandler.copyFromCache(license); + return Result.FROM_CACHE; + } + } catch (InterruptedException ex) { + throw new IOException(ex); } } - private String determineExtension(Header contentTypeHeader) { + @NotNull + private String determineExtension(@NotNull String contentTypeHeader) { String result = ""; - if (contentTypeHeader != null) { - String contentType = parseContentType(contentTypeHeader); - if (TEXT_HTML.getMimeType().equals(contentType)) { - result = ".html"; - } else if (TEXT_PLAIN.getMimeType().equals(contentType)) { - result = ".txt"; - } + String contentType = parseContentType(contentTypeHeader); + + if (TEXT_HTML.getMimeType().equals(contentType)) { + result = 
".html"; + } else if (TEXT_PLAIN.getMimeType().equals(contentType)) { + result = ".txt"; } + return result; } - private String parseContentType(Header contentTypeHeader) { + @Nullable + private String parseContentType(String contentTypeHeader) { try { - return ContentType.parse(contentTypeHeader.getValue()).getMimeType(); + return ContentType.parse(contentTypeHeader).getMimeType(); } catch (ParseException | UnsupportedCharsetException e) { // Ignore error and assume unknown content type return null; diff --git a/core/src/main/java/de/medavis/lct/core/license/License.java b/core/src/main/java/de/medavis/lct/core/license/License.java index 789aa81..d756e88 100644 --- a/core/src/main/java/de/medavis/lct/core/license/License.java +++ b/core/src/main/java/de/medavis/lct/core/license/License.java @@ -51,6 +51,11 @@ private License(String name, String url, String downloadUrl, boolean configured) this.configured = configured; } + /** + * Can contain the name or ID of license. + * + * @return Returns Name or ID of the license + */ public String getName() { return name; } diff --git a/core/src/main/java/de/medavis/lct/core/license/LicenseMappingLoader.java b/core/src/main/java/de/medavis/lct/core/license/LicenseMappingLoader.java index 998235a..dac1ba5 100644 --- a/core/src/main/java/de/medavis/lct/core/license/LicenseMappingLoader.java +++ b/core/src/main/java/de/medavis/lct/core/license/LicenseMappingLoader.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
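Review bot: `downloadToFile` catches `InterruptedException` and rethrows it as `IOException` without restoring the interrupt flag, so a cancelled build step may not stop promptly; add `Thread.currentThread().interrupt();` before `throw new IOException(ex);`. Separately, `URI.create(url)` accepts any scheme and throws an unchecked `IllegalArgumentException` on a malformed value, which callers expecting `IOException` will not catch. The shared client in `AbstractRestClient` (later in this diff) is built with `HttpClient.Redirect.ALWAYS`, which also follows HTTPS-to-HTTP redirects. Since the URL presumably comes from configurable license data, consider rejecting schemes other than `https` here and using `HttpClient.Redirect.NORMAL`. The local named `contentType` actually holds the file extension returned by `determineExtension` and would read better as `extension`.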
@@ -20,20 +20,25 @@ package de.medavis.lct.core.license; import com.fasterxml.jackson.databind.ObjectMapper; + +import de.medavis.lct.core.Json5MapperFactory; + +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import java.io.IOException; import java.net.URL; import java.util.List; import java.util.Map; import java.util.stream.Collectors; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; public class LicenseMappingLoader { - private static final Logger logger = LoggerFactory.getLogger(LicenseMappingLoader.class); + private static final Logger LOGGER = LoggerFactory.getLogger(LicenseMappingLoader.class); - public Map load(URL licenseMappingUrl) { - ObjectMapper objectMapper = new ObjectMapper(); + public Map load(@NotNull URL licenseMappingUrl) { + ObjectMapper objectMapper = Json5MapperFactory.create(); try { Map result = objectMapper.>readValue(licenseMappingUrl, @@ -41,7 +46,7 @@ public Map load(URL licenseMappingUrl) { .stream() .collect(Collectors.toMap(LicenseMapping::alias, LicenseMapping::canonicalName)); - logger.info("Imported {} component metadata entries from {}.", result.size(), licenseMappingUrl); + LOGGER.info("Imported {} license mapping entries from {}.", result.size(), licenseMappingUrl); return result; } catch (IOException e) { throw new IllegalStateException("Failure while processing metadata from " + licenseMappingUrl, e); diff --git a/core/src/main/java/de/medavis/lct/core/list/ComponentData.java b/core/src/main/java/de/medavis/lct/core/list/ComponentData.java index bb8f490..64a8d1a 100644 --- a/core/src/main/java/de/medavis/lct/core/list/ComponentData.java +++ b/core/src/main/java/de/medavis/lct/core/list/ComponentData.java @@ -30,6 +30,7 @@ public final class ComponentData { private final String name; private final String version; private final String url; + private final String purl; private final Set licenses; private final Set attributionNotices; 
@@ -37,11 +38,13 @@ public ComponentData( String name, String version, String url, + String purl, Set licenses, Set attributionNotices) { this.name = name; this.version = version; this.url = url; + this.purl = purl; this.licenses = licenses; this.attributionNotices = attributionNotices; } @@ -58,6 +61,10 @@ public String getUrl() { return url; } + public String getPurl() { + return purl; + } + public Set getLicenses() { return licenses; } @@ -78,13 +85,14 @@ public boolean equals(Object o) { return Objects.equals(name, that.name) && Objects.equals(version, that.version) && Objects.equals(url, that.url) + && Objects.equals(purl, that.purl) && Objects.equals(licenses, that.licenses) && Objects.equals(attributionNotices, that.attributionNotices); } @Override public int hashCode() { - return Objects.hash(name, version, url, licenses, attributionNotices); + return Objects.hash(name, version, url, purl, licenses, attributionNotices); } @Override @@ -93,6 +101,7 @@ public String toString() { .add("name='" + name + "'") .add("version='" + version + "'") .add("url='" + url + "'") + .add("purl='" + purl + "'") .add("licenses=" + licenses) .add("attributionNotices=" + attributionNotices) .toString(); diff --git a/core/src/main/java/de/medavis/lct/core/list/ComponentLister.java b/core/src/main/java/de/medavis/lct/core/list/ComponentLister.java index 3384ed8..e799439 100644 --- a/core/src/main/java/de/medavis/lct/core/list/ComponentLister.java +++ b/core/src/main/java/de/medavis/lct/core/list/ComponentLister.java @@ -73,6 +73,7 @@ public List listComponents(InputStream bomStream) { .map(componentByName -> { // ComponentMetadata has to ensure that component with same name has same url and version String url = componentByName.getValue().get(0).getUrl(); + String purl = componentByName.getValue().get(0).getPurl(); String version = componentByName.getValue().get(0).getVersion(); Set allLicenses = componentByName.getValue().stream() .flatMap(cd -> cd.getLicenses().stream()) 
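Review bot: `listComponents` now takes `getPurl()` from `get(0)` of each name group, but a group merged under one `mappedName` (for example a `groupMatch` covering many artifacts) can hold components with different purls, so the manifest entry carries the identifier of one arbitrary artifact and version. The existing comment only promises that url and version agree within a group. Consider emitting a purl only when all members share it, i.e. collect the distinct purls and pass `null` unless exactly one remains. The `// TODO What to set in purl?` in the `enrichWithMetadata` hunk at `-111,14` is the same open question. The lambda continues past the end of this hunk.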
@@ -80,7 +81,7 @@ public List listComponents(InputStream bomStream) { Set attributionNotices = componentByName.getValue().stream() .flatMap(cd -> cd.getAttributionNotices().stream()) .collect(Collectors.toCollection(LinkedHashSet::new)); - return new ComponentData(componentByName.getKey(), url, version, allLicenses, attributionNotices); + return new ComponentData(componentByName.getKey(), version, url, purl, allLicenses, attributionNotices); }) .sorted(Comparator.comparing(ComponentData::getName, String.CASE_INSENSITIVE_ORDER)) .collect(Collectors.toList()); @@ -88,7 +89,7 @@ public List listComponents(InputStream bomStream) { private boolean isIgnored(Component component, Collection componentMetadata) { return componentMetadata.stream() - .filter(cmd -> cmd.matches(component.group(), component.name())) + .filter(cmd -> cmd.matches(component.group(), component.name(), component.purl())) .map(ComponentMetadata::ignore) .findFirst() .orElse(false); @@ -97,7 +98,7 @@ private boolean isIgnored(Component component, Collection com private ComponentData enrichWithMetadata(Component component, Collection componentMetadata, Map licenses, Map licenseMappings) { Stream actualLicenses = componentMetadata.stream() - .filter(cmd -> cmd.matches(component.group(), component.name())) + .filter(cmd -> cmd.matches(component.group(), component.name(), component.purl())) .filter(cmd -> !cmd.licenses().isEmpty()) .findFirst() .map(cmd -> cmd.licenses().stream().map(licenseName -> License.dynamic(licenseName, null, null))) 
@@ -111,14 +112,15 @@ private ComponentData enrichWithMetadata(Component component, Collection cmd.matches(component.group(), component.name())) + .filter(cmd -> cmd.matches(component.group(), component.name(), component.purl())) .findFirst() .map(cmd -> { String exportName = !Strings.isNullOrEmpty(cmd.mappedName()) ? cmd.mappedName() : combineGroupAndName(component); - String url = !Strings.isNullOrEmpty(cmd.url()) ? cmd.url() : component.url(); - return new ComponentData(exportName, url, component.version(), convertedLicenses, cmd.attributionNotices()); + String url = Strings.isNullOrEmpty(cmd.url()) ? component.url() : cmd.url(); + // TODO What to set in purl? + return new ComponentData(exportName, component.version(), url, component.purl(), convertedLicenses, cmd.attributionNotices()); }) - .orElse(new ComponentData(combineGroupAndName(component), component.url(), component.version(), convertedLicenses, Collections.emptySet())); + .orElse(new ComponentData(combineGroupAndName(component), component.version(), component.url(), component.purl(), convertedLicenses, Collections.emptySet())); } private String combineGroupAndName(Component component) { diff --git a/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetaDataLoader.java b/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetaDataLoader.java index d14b049..24613a2 100644 --- a/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetaDataLoader.java +++ b/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetaDataLoader.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -19,25 +19,31 @@ */ package de.medavis.lct.core.metadata; +import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; + +import de.medavis.lct.core.Json5MapperFactory; + +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import java.io.IOException; import java.net.URL; import java.util.Collection; import java.util.List; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; public class ComponentMetaDataLoader { - private static final Logger logger = LoggerFactory.getLogger(ComponentMetaDataLoader.class); + private static final Logger LOGGER = LoggerFactory.getLogger(ComponentMetaDataLoader.class); - public Collection load(URL metadataUrl) { - ObjectMapper objectMapper = new ObjectMapper(); + public Collection load(@NotNull URL metadataUrl) { + ObjectMapper objectMapper = Json5MapperFactory.create(); try { - List result = objectMapper.readValue(metadataUrl, - objectMapper.getTypeFactory().constructCollectionType(List.class, ComponentMetadata.class)); - logger.info("Imported {} component metadata entries from {}.", result.size(), metadataUrl); + List result = List.of(objectMapper.readValue(metadataUrl, ComponentMetadata[].class)); + + LOGGER.info("Imported {} component metadata entries from {}.", result.size(), metadataUrl); return result; } catch (IOException e) { throw new IllegalStateException("Failure while processing metadata from " + metadataUrl, e); diff --git a/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetadata.java b/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetadata.java index a25cff4..ebfe24d 100644 --- a/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetadata.java +++ b/core/src/main/java/de/medavis/lct/core/metadata/ComponentMetadata.java 
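Review bot: `List.of(...)` rejects nulls, so a metadata file whose content is the literal `null`, or whose array contains a `null` element, raises a `NullPointerException` that bypasses the `IllegalStateException` wrapping in the `catch (IOException e)` branch. A short null check with a message naming `metadataUrl` would give the operator a usable error. The added `import com.fasterxml.jackson.databind.JsonNode;` is not used in the visible part of the file and can be dropped.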
@@ -25,6 +25,10 @@ import com.fasterxml.jackson.annotation.Nulls; import com.fasterxml.jackson.databind.annotation.JsonDeserialize; import com.google.common.base.Strings; + +import org.jetbrains.annotations.NotNull; +import org.jetbrains.annotations.Nullable; + import java.util.LinkedHashSet; import java.util.Objects; import java.util.Set; @@ -35,6 +39,7 @@ public final class ComponentMetadata { private final String groupMatch; private final String nameMatch; + private final String purlMatch; private final boolean ignore; private final String mappedName; private final String url; @@ -46,6 +51,7 @@ public final class ComponentMetadata { public ComponentMetadata( @JsonProperty("groupMatch") String groupMatch, @JsonProperty("nameMatch") String nameMatch, + @JsonProperty("purlMatch") String purlMatch, @JsonProperty("ignore") boolean ignore, @JsonProperty("mappedName") String mappedName, @JsonProperty("url") String url, @@ -56,6 +62,8 @@ public ComponentMetadata( Set attributionNotices) { this.groupMatch = groupMatch; this.nameMatch = nameMatch; + this.purlMatch = purlMatch; + this.ignore = ignore; this.mappedName = mappedName; this.url = url; 
@@ -64,20 +72,35 @@ public ComponentMetadata( this.attributionNotices = attributionNotices; } - public boolean matches(String group, String name) { - boolean matchesGroup = Strings.isNullOrEmpty(groupMatch) || Pattern.matches(groupMatch, Strings.nullToEmpty(group)); - boolean matchesName = Strings.isNullOrEmpty(nameMatch) || Pattern.matches(nameMatch, name); - return matchesGroup && matchesName; + /** + * @param group Group to match or null. If null then it will be ignored in the match. According to CycloneDX Spec this is not a mandatory field + * @param name Name to match. According to CycloneDX Spec this is a mandatory field + * @param purl Package URL or null. If null then it will be ignored in the match. According to CycloneDX Spec this is not a mandatory field + * + * @return Returns true if we have a match + */ + public boolean matches(@Nullable String group, @NotNull String name, @Nullable String purl) { + boolean matchesGroup = (Strings.isNullOrEmpty(groupMatch) || Pattern.matches(groupMatch, Strings.nullToEmpty(group))) && Strings.isNullOrEmpty(purlMatch); + boolean matchesName = (Strings.isNullOrEmpty(nameMatch) || Pattern.matches(nameMatch, name)) && Strings.isNullOrEmpty(purlMatch); + boolean matchesPurl = !Strings.isNullOrEmpty(purlMatch) && !Strings.isNullOrEmpty(purl) && Pattern.matches(purlMatch, purl); + return matchesPurl || matchesGroup && matchesName; } + @Nullable public String groupMatch() { return groupMatch; } + @Nullable public String nameMatch() { return nameMatch; } + @Nullable + public String purlMatch() { + return purlMatch; + } + public boolean ignore() { return ignore; } 
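Review bot: In `matches`, an entry with none of `groupMatch`, `nameMatch` and `purlMatch` set evaluates `matchesGroup && matchesName` to true and so matches every component, which applies its `licenses` or `ignore` value to the whole SBOM. Unless a catch-all entry is intended, reject that case up front with `if (Strings.isNullOrEmpty(groupMatch) && Strings.isNullOrEmpty(nameMatch) && Strings.isNullOrEmpty(purlMatch)) { return false; }`. The Javadoc says a null `group` is ignored, but the code matches the pattern against the empty string via `Strings.nullToEmpty(group)`. In addition, `groupMatch` and `nameMatch` are silently disregarded whenever `purlMatch` is set, and the comment should state both. `Pattern.matches` recompiles each expression on every call, so compiling the patterns once in the constructor would also surface an invalid regex at load time.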
@@ -118,18 +141,19 @@ public boolean equals(Object o) { } ComponentMetadata that = (ComponentMetadata) o; return ignore == that.ignore - && Objects.equals(groupMatch, that.groupMatch) - && Objects.equals(nameMatch, that.nameMatch) - && Objects.equals(mappedName, that.mappedName) - && Objects.equals(url, that.url) - && Objects.equals(comment, that.comment) - && Objects.equals(licenses, that.licenses) - && Objects.equals(attributionNotices, that.attributionNotices); + && Objects.equals(groupMatch, that.groupMatch) + && Objects.equals(nameMatch, that.nameMatch) + && Objects.equals(purlMatch, that.purlMatch) + && Objects.equals(mappedName, that.mappedName) + && Objects.equals(url, that.url) + && Objects.equals(comment, that.comment) + && Objects.equals(licenses, that.licenses) + && Objects.equals(attributionNotices, that.attributionNotices); } @Override public int hashCode() { - return Objects.hash(groupMatch, nameMatch, ignore, mappedName, url, comment, licenses, attributionNotices); + return Objects.hash(groupMatch, nameMatch, purlMatch, ignore, mappedName, url, comment, licenses, attributionNotices); } @Override @@ -137,6 +161,7 @@ public String toString() { return new StringJoiner(", ", ComponentMetadata.class.getSimpleName() + "[", "]") .add("groupMatch='" + groupMatch + "'") .add("nameMatch='" + nameMatch + "'") + .add("purlMatch='" + purlMatch + "'") .add("ignore=" + ignore) .add("mappedName='" + mappedName + "'") .add("url='" + url + "'") @@ -146,5 +171,4 @@ public String toString() { .toString(); } - } diff --git a/core/src/main/java/de/medavis/lct/core/patcher/AbstractRestClient.java b/core/src/main/java/de/medavis/lct/core/patcher/AbstractRestClient.java new file mode 100644 index 0000000..fc7b930 --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/AbstractRestClient.java 
@@ -0,0 +1,128 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import de.medavis.lct.core.Json5MapperFactory; + +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.nio.charset.StandardCharsets; +import java.time.Duration; +import java.util.List; + +public abstract class AbstractRestClient { + + private static final Logger LOGGER = LoggerFactory.getLogger(AbstractRestClient.class); + private final HttpClient httpClient = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.ALWAYS).build(); + + /** + * Create a default HTTP GET request. + * + * @param uri URI of the servers endpoint + * @param headers Additional headers + * @return Returns the created HTTP GET request + */ + @NotNull + protected HttpRequest createDefaultGET(@NotNull URI uri, @NotNull String... 
headers) { + HttpRequest.Builder builder = HttpRequest + .newBuilder(uri) + .timeout(Duration.ofSeconds(60)); + + if (headers.length != 0) { + builder = builder.headers(headers); + } + + return builder + .GET() + .build(); + } + + /** + * Execute an HTTP request and return the HTTP response body as string. + * + * @param request The HTTP request + * @return Returns the HTTP response body as string + * @throws IOException Thrown if an I/ O error occurs when sending or receiving + * @throws InterruptedException Thrown if the operation is interrupted + */ + @NotNull + protected String executeRequest(@NotNull HttpRequest request) throws IOException, InterruptedException { + HttpResponse response = executeRequestWithResponse(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8)); + if (!List.of(200, 302).contains(response.statusCode())) { + throw new LicensePatcherException("Unexpected HTTP status code " + response.statusCode() + ": Body=" + response.body()); + } + + return response.body(); + } + + /** + * Execute an HTTP request and return the {@link HttpResponse} of the request. + * + * @param request The HTTP request + * @return Returns the HTTP response body as string + * @throws IOException Thrown if an I/ O error occurs when sending or receiving + * @throws InterruptedException Thrown if the operation is interrupted + */ + @NotNull + protected HttpResponse executeRequestWithResponse(@NotNull HttpRequest request, HttpResponse.BodyHandler responseBodyHandler) throws IOException, InterruptedException { + try { + LOGGER.debug("Executing HTTP {} to {}", request.method(), request.uri()); + return httpClient.send(request, responseBodyHandler); + } catch (Exception ex) { + LOGGER.error("Error on url request '{}' occurred.", request.uri()); + throw ex; + } + } + + /** + * Execute an HTTP request and return the JSON result as a Java object. 
+ * + * @param request The HTTP request + * @param classType Class type to return + * @return JSON mapped Java object + * @param Java object type to be returned + * @throws IOException Thrown if an I/ O error occurs when sending or receiving + * @throws InterruptedException Thrown if the operation is interrupted + */ + @NotNull + protected T executeRequest(@NotNull HttpRequest request, Class classType) throws IOException, InterruptedException { + try { + String content = executeRequest(request); + + LOGGER.trace("HTTP response body={}", content); + + ObjectMapper objectMapper = Json5MapperFactory.create(); + return objectMapper.readValue(content, classType); + } catch (Exception ex) { + LOGGER.error("Error on url request '{}' occurred.", request.uri()); + throw ex; + } + } + +} diff --git a/core/src/main/java/de/medavis/lct/core/patcher/BomPatcher.java b/core/src/main/java/de/medavis/lct/core/patcher/BomPatcher.java new file mode 100644 index 0000000..ad6aeb2 --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/BomPatcher.java 
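Review bot: `followRedirects(HttpClient.Redirect.ALWAYS)` lets a redirect move the request from HTTPS to plain HTTP, so a license list configured with an https URL can end up being fetched without transport protection; `HttpClient.Redirect.NORMAL` follows redirects except for that downgrade. In `executeRequest`, accepting 302 in `List.of(200, 302)` means a redirect response that was not followed is parsed as if it were the payload; `if (response.statusCode() != 200)` looks sufficient once the client follows redirects itself. The exception message also embeds the whole response body, which can put large or sensitive server output into build logs; the status code and request URI are usually enough.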
@@ -0,0 +1,195 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import com.google.common.io.ByteStreams; + +import de.medavis.lct.core.Configuration; +import de.medavis.lct.core.asset.AssetLoader; +import de.medavis.lct.core.license.LicenseLoader; +import de.medavis.lct.core.license.LicenseMappingLoader; +import de.medavis.lct.core.list.ComponentData; +import de.medavis.lct.core.list.ComponentLister; +import de.medavis.lct.core.metadata.ComponentMetaDataLoader; + +import org.cyclonedx.Version; +import org.cyclonedx.exception.GeneratorException; +import org.cyclonedx.exception.ParseException; +import org.cyclonedx.generators.BomGeneratorFactory; +import org.cyclonedx.model.Bom; +import org.cyclonedx.model.Component; +import org.cyclonedx.model.License; +import org.cyclonedx.model.LicenseChoice; +import org.cyclonedx.parsers.BomParserFactory; +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.net.URI; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.StandardOpenOption; +import java.util.Arrays; +import java.util.List; +import 
java.util.Map; +import java.util.stream.Collectors; + +public class BomPatcher { + + private static final Logger LOGGER = LoggerFactory.getLogger(BomPatcher.class); + + private final ComponentLister componentLister; + private final Configuration configuration; + + private final SpdxLicenseManager spdxLicenseManager; + private final ComponentMetaDataManager componentMetaDataManager; + + public BomPatcher( + @NotNull AssetLoader assetLoader, + @NotNull ComponentMetaDataLoader componentMetaDataLoader, + @NotNull LicenseLoader licenseLoader, + @NotNull LicenseMappingLoader licenseMappingLoader, + @NotNull Configuration configuration) { + this.configuration = configuration; + + componentLister = new ComponentLister( + assetLoader, + componentMetaDataLoader, + licenseLoader, + licenseMappingLoader, + configuration + ); + + spdxLicenseManager = SpdxLicenseManager.create(); + componentMetaDataManager = ComponentMetaDataManager.create(); + } + + private void init() { + configuration + .getSpdxLicensesUrl() + .ifPresentOrElse( + url -> spdxLicenseManager.load(URI.create(url.toString())), + spdxLicenseManager::loadDefaults + ); + + configuration + .getComponentMetadataUrl() + .map(url -> URI.create(url.toString())) + .ifPresent(componentMetaDataManager::load); + + componentMetaDataManager.logInvalidLicenseIds(spdxLicenseManager.getSupportedLicenseIds()); + } + + /** + * Patches a BOM file. + * + * @param sourceFile Source BOM file + * @param targetFile Target BOM file. The directory will be created if not exist + * @return Returns true if patching was successful. False, when BOM leaved untouched. 
+ */ + public boolean patch(@NotNull Path sourceFile, @NotNull Path targetFile) { + try { + Files.createDirectories(targetFile.getParent()); + } catch (IOException ex) { + throw new LicensePatcherException(ex.getMessage(), ex); + } + + try (InputStream in = Files.newInputStream(sourceFile); + OutputStream out = Files.newOutputStream(targetFile, StandardOpenOption.CREATE)) { + LOGGER.info("Writing patched file '{}'", targetFile); + return patch(in, out); + } catch (IOException ex) { + throw new LicensePatcherException(ex.getMessage(), ex); + } + } + + /** + * Patches a BOM stream. + * + * @param in Source BOM as input stream + * @param out Target BOM as output stream + * @return Returns true if patching was successful. False, when BOM leaved untouched. + */ + public boolean patch(@NotNull InputStream in, @NotNull OutputStream out) { + init(); + + try { + final byte[] bomBytes = ByteStreams.toByteArray(in); + Bom bom = BomParserFactory.createParser(bomBytes).parse(bomBytes); + Version version = Arrays + .stream(Version.values()) + .filter(v -> v.getVersionString().equals(bom.getSpecVersion())) + .findFirst() + .orElseThrow(() -> new LicensePatcherException("Unsupported version: " + bom.getSpecVersion())); + + if (!"CycloneDX".equals(bom.getBomFormat())) { + throw new LicensePatcherException("Unsupported BOM format: " + bom.getBomFormat()); + } + + String originalBom = BomGeneratorFactory.createJson(version, bom).toJsonString(); + + List list = componentLister.listComponents(new ByteArrayInputStream(bomBytes)); + + // Map licenses back to original BOM + Map purlMap = list.stream().collect(Collectors.toMap(ComponentData::getPurl, cd -> cd)); + bom.getComponents() + .stream() + .filter(c -> purlMap.containsKey(c.getPurl())) + .forEach(c -> patchLicense(c, purlMap.get(c.getPurl()))); + + String patchedBom = BomGeneratorFactory.createJson(version, bom).toJsonString(); + out.write(patchedBom.getBytes(StandardCharsets.UTF_8)); + + if (originalBom.equals(patchedBom)) { + 
LOGGER.warn("No rules matched. Nothing has been patched in the SBOM."); + return false; + } + + return true; + } catch (IOException | ParseException | GeneratorException ex) { + throw new LicensePatcherException(ex.getMessage(), ex); + } + } + + private void patchLicense(@NotNull Component c, @NotNull ComponentData cd) { + c.setLicenses(new LicenseChoice()); + cd.getLicenses() + .stream() + // Map only valid licenses + .filter(l -> spdxLicenseManager.getSupportedLicenseIds().contains(l.getName())) + .map(this::mapLicense) + .forEach(l -> c.getLicenses().addLicense(l)); + } + + @NotNull + private License mapLicense(@NotNull de.medavis.lct.core.license.License l) { + License license = new License(); + // Do not wonder. License object from the asset loader may contain license id or license name. + license.setId(l.getName()); + license.setUrl(l.getUrl()); + return license; + } + +} diff --git a/core/src/main/java/de/medavis/lct/core/patcher/ComponentMetaDataManager.java b/core/src/main/java/de/medavis/lct/core/patcher/ComponentMetaDataManager.java new file mode 100644 index 0000000..5494204 --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/ComponentMetaDataManager.java 
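Review bot: `patchLicense` replaces a component's licenses with an empty `LicenseChoice` and re-adds only entries whose name is a supported SPDX id, so every other license disappears from the patched SBOM without a log line. This runs for every listed component whose purl is in `purlMap`, which as far as this hunk shows is not limited to components a rule matched. One conservative option, sketched below, is to leave the component unchanged and warn when not every license can be mapped. Separately, `Files.newOutputStream(targetFile, StandardOpenOption.CREATE)` does not truncate an existing longer file; dropping the option (the default is create, truncate, write) avoids stale trailing bytes after the JSON. `Collectors.toMap(ComponentData::getPurl, cd -> cd)` throws on duplicate keys, which two components without a purl would produce; filtering out null purls and passing a merge function would avoid that.

```java
private void patchLicense(@NotNull Component c, @NotNull ComponentData cd) {
    var supportedIds = spdxLicenseManager.getSupportedLicenseIds();
    List<License> mapped = cd.getLicenses()
            .stream()
            .filter(l -> supportedIds.contains(l.getName()))
            .map(this::mapLicense)
            .collect(Collectors.toList());

    if (mapped.size() != cd.getLicenses().size()) {
        // Keep the declared licenses rather than writing a partial or empty set.
        LOGGER.warn("Component '{}' has a license without a supported SPDX id; licenses left unchanged.", c.getPurl());
        return;
    }

    LicenseChoice choice = new LicenseChoice();
    mapped.forEach(choice::addLicense);
    c.setLicenses(choice);
}
// … unchanged: mapLicense …
```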
@@ -0,0 +1,92 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import de.medavis.lct.core.metadata.ComponentMetaDataLoader; +import de.medavis.lct.core.metadata.ComponentMetadata; + +import org.apache.commons.lang3.StringUtils; +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.Collection; +import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; + +public class ComponentMetaDataManager { + + private final Logger LOGGER = LoggerFactory.getLogger(ComponentMetaDataManager.class); + private Collection componentMetaDataList = List.of(); + + private ComponentMetaDataManager() { } + + public static ComponentMetaDataManager create() { + return new ComponentMetaDataManager(); + } + + private void setComponentMetaDataList(@NotNull Collection list) { + this.componentMetaDataList = List.copyOf(list); + } + + public void load(@NotNull URI uri) { + LOGGER.info("Loading custom rules from '{}'.", uri); + + try { + ComponentMetaDataLoader loader = new ComponentMetaDataLoader(); + setComponentMetaDataList(loader.load(uri.toURL())); + } catch (IOException ex) { + throw new 
LicensePatcherException(ex.getMessage(), ex); + } + } + + public void load(@NotNull Path file) { + if (Files.exists(file)) { + load(file.toUri()); + } else { + LOGGER.info("No custom rules file '{}' found.", file); + } + } + + /** + * Validate to be mapped license names against an (official SPDX) set of license names. + *

+ * If an unsupported SPDX license was found, a log warning will be written into the log. + * + * @param supportedLicenseIds Set od (SPDX) supported license IDs + */ + public void logInvalidLicenseIds(@NotNull Set supportedLicenseIds) { + List findings = componentMetaDataList + .stream() + .flatMap(cm -> cm.licenses().stream()) + .filter(l -> StringUtils.isNotBlank(l) && !supportedLicenseIds.contains(l)) + .collect(Collectors.toList()); + + if (!findings.isEmpty()) { + LOGGER.warn("Your component meta data configuration contains an unsupported to be mapped SPDX name '{}'.", findings); + } + } + +} diff --git a/core/src/main/java/de/medavis/lct/core/patcher/LicensePatcherException.java b/core/src/main/java/de/medavis/lct/core/patcher/LicensePatcherException.java new file mode 100644 index 0000000..b6cc939 --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/LicensePatcherException.java @@ -0,0 +1,35 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +/** + * Common exception for license patcher. + */ +public class LicensePatcherException extends RuntimeException { + + public LicensePatcherException(String message, Throwable cause) { + super(message, cause); + } + + public LicensePatcherException(String message) { + super(message); + } + +} 
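Review bot: `LOGGER` is declared as an instance field (`private final Logger LOGGER`) while the other new classes in this commit use `private static final`; `private static final Logger LOGGER = LoggerFactory.getLogger(ComponentMetaDataManager.class);` keeps the constant-style name accurate. `logInvalidLicenseIds` only warns, and the warning lists the ids without the rule they came from, so a typo in a rule file is hard to trace; including the offending entry's `groupMatch`/`nameMatch`/`purlMatch` would help. The public `load` methods have no Javadoc; a one-line comment stating that `load(Path)` keeps the previously loaded rules when the file is missing would document the visible behaviour.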
diff --git a/core/src/main/java/de/medavis/lct/core/patcher/SpdxLicenseManager.java b/core/src/main/java/de/medavis/lct/core/patcher/SpdxLicenseManager.java new file mode 100644 index 0000000..9c8112d --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/SpdxLicenseManager.java 
@@ -0,0 +1,143 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import com.fasterxml.jackson.databind.ObjectMapper; + +import de.medavis.lct.core.Json5MapperFactory; +import de.medavis.lct.core.patcher.model.SpdxLicense; +import de.medavis.lct.core.patcher.model.SpdxLicenses; + +import org.apache.commons.io.IOUtils; +import org.jetbrains.annotations.NotNull; +import org.jetbrains.annotations.Nullable; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.nio.charset.StandardCharsets; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import java.util.Set; +import java.util.function.Function; +import java.util.stream.Collectors; + +public class SpdxLicenseManager { + + private static final Logger LOGGER = LoggerFactory.getLogger(SpdxLicenseManager.class); + private final ObjectMapper objectMapper = Json5MapperFactory.create(); + private final Map idMap = new HashMap<>(); + private final Map nameMap = new HashMap<>(); + + public static SpdxLicenseManager create() { + return new SpdxLicenseManager(); + } + + private void clear() { + idMap.clear(); + nameMap.clear(); + } + + private void load(@NotNull SpdxLicenses licenses) { + LOGGER.info("Using SPDX license version {}", 
licenses.getLicenseListVersion()); + + idMap.putAll(licenses + .getLicenses() + .stream() + .collect(Collectors.toMap(SpdxLicense::getLicenseId, l -> l))); + nameMap.putAll(licenses + .getLicenses() + .stream() + .collect(Collectors.toMap(SpdxLicense::getName, Function.identity(), (existing, replacement) -> existing))); + } + + @NotNull + public SpdxLicenseManager loadDefaults() { + try { + LOGGER.info("Loading local copy of SPDX licenses"); + String resource = IOUtils.resourceToString( + "de/medavis/lct/core/patcher/SpdxLicenseList.json5", + StandardCharsets.UTF_8, + ClassLoader.getSystemClassLoader() + ); + + SpdxLicenses licenses = Json5MapperFactory + .create() + .readValue(resource, SpdxLicenses.class); + + load(licenses); + } catch (IOException ex) { + // TODO Uncomment before commit: throw new LicensePatcherException(ex.getMessage(), ex); + } + + return this; + } + + /** + * Tries to load a list of licenses in specified SPDX format. + * See https://github.com/spdx/license-list-data for more information. + * + * @param uri URI of the SPDX list + * @return Returns this instance + */ + @NotNull + public SpdxLicenseManager load(@NotNull URI uri) { + LOGGER.info("Loading SPDX licenses from {}", uri); + clear(); + + SpdxLicenses licenses; + + if ("file".equals(uri.getScheme())) { + try { + licenses = objectMapper.readValue(uri.toURL(), SpdxLicenses.class); + } catch (IOException ex) { + throw new LicensePatcherException(ex.getMessage(), ex); + } + } else { + SpdxRestClient client = new SpdxRestClient(uri); + licenses = client.fetchLicenses(); + } + + load(licenses); + + return this; + } + + /** + * Try to match a {@link SpdxLicense} ny license name or license ID. 
+ * + * @param licenseId License ID + * @param licenseName License name + * @return Returns an {@link Optional} with the matched {@link SpdxLicense} or an empty Optional + */ + @NotNull + public Optional match(@Nullable String licenseId, @Nullable String licenseName) { + return Optional.ofNullable(idMap.get(licenseId)) + .or(() -> Optional.ofNullable(nameMap.get(licenseName))); + } + + @NotNull + public Set getSupportedLicenseIds() { + return Set.copyOf(idMap.keySet()); + } + +} diff --git a/core/src/main/java/de/medavis/lct/core/patcher/SpdxRestClient.java b/core/src/main/java/de/medavis/lct/core/patcher/SpdxRestClient.java new file mode 100644 index 0000000..6d1fd9f --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/SpdxRestClient.java 
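Review bot: The `catch (IOException ex)` in `loadDefaults` contains only a TODO comment, so a failure to read the bundled SPDX list is swallowed and the manager carries on with whatever `idMap` already holds. `BomPatcher.patchLicense` filters on `getSupportedLicenseIds()`, so an empty id set would strip every license from the patched SBOM; the catch should rethrow as the TODO says, `throw new LicensePatcherException(ex.getMessage(), ex);`. `loadDefaults` also does not call `clear()` the way `load(URI)` does, and `ClassLoader.getSystemClassLoader()` may not see the resource when the code runs under a plugin class loader (an assumption, not shown here); `SpdxLicenseManager.class.getClassLoader()` is the safer lookup.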
@@ -0,0 +1,68 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import de.medavis.lct.core.patcher.model.SpdxLicenses; + +import org.jetbrains.annotations.NotNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.IOException; +import java.net.URI; +import java.net.http.HttpRequest; + +/** + * SPDX REST client. + */ +public class SpdxRestClient extends AbstractRestClient { + + private static final Logger LOGGER = LoggerFactory.getLogger(SpdxRestClient.class); + private final URI uri; + + public static final URI DEFAULT_URI = URI.create("https://github.com/spdx/license-list-data/raw/main/json/licenses.json"); + + /** + * Creates a new SPDX REST client. + * + * @param uri URI of the servers endpoint + */ + public SpdxRestClient(@NotNull URI uri) { + this.uri = uri; + } + + /** + * Request the SPDX licenses from the server. + * + * @return Returns the SPDX licenses but never null + */ + @NotNull + public SpdxLicenses fetchLicenses() { + try { + LOGGER.info("Fetching licenses"); + HttpRequest request = createDefaultGET(uri); + + return executeRequest(request, SpdxLicenses.class); + } catch (IOException | InterruptedException ex) { + throw new LicensePatcherException(ex.getMessage(), ex); + } + } + +} 
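Review bot: `fetchLicenses` catches `InterruptedException` together with `IOException` and wraps it without restoring the thread's interrupt status, so an aborted build step is no longer visible to code further up the stack. Handle it in its own clause: `catch (InterruptedException ex) { Thread.currentThread().interrupt(); throw new LicensePatcherException(ex.getMessage(), ex); }`. `DEFAULT_URI` points at the `main` branch of the license list, so the fetched content changes over time; if callers outside this hunk use the constant, a tagged release URL would make patched SBOMs reproducible.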
diff --git a/core/src/main/java/de/medavis/lct/core/patcher/model/SpdxLicense.java b/core/src/main/java/de/medavis/lct/core/patcher/model/SpdxLicense.java new file mode 100644 index 0000000..f5f31ec --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/model/SpdxLicense.java 
@@ -0,0 +1,91 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher.model; + +import java.util.HashSet; +import java.util.Set; + +public class SpdxLicense { + + private String reference; + private boolean isDeprecatedLicenseId; + private String detailsUrl; + private String referenceNumber; + private String name; + private String licenseId; + private Set seeAlso = new HashSet<>(); + + public String getReference() { + return reference; + } + + public void setReference(String reference) { + this.reference = reference; + } + + public boolean isDeprecatedLicenseId() { + return isDeprecatedLicenseId; + } + + public void setDeprecatedLicenseId(boolean deprecatedLicenseId) { + isDeprecatedLicenseId = deprecatedLicenseId; + } + + public String getDetailsUrl() { + return detailsUrl; + } + + public void setDetailsUrl(String detailsUrl) { + this.detailsUrl = detailsUrl; + } + + public String getReferenceNumber() { + return referenceNumber; + } + + public void setReferenceNumber(String referenceNumber) { + this.referenceNumber = referenceNumber; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public String getLicenseId() { + return licenseId; + } + + public void setLicenseId(String licenseId) { + this.licenseId = licenseId; + } + + public 
Set getSeeAlso() { + return seeAlso; + } + + public void setSeeAlso(Set seeAlso) { + this.seeAlso = seeAlso; + } + +} diff --git a/core/src/main/java/de/medavis/lct/core/patcher/model/SpdxLicenses.java b/core/src/main/java/de/medavis/lct/core/patcher/model/SpdxLicenses.java new file mode 100644 index 0000000..1521b19 --- /dev/null +++ b/core/src/main/java/de/medavis/lct/core/patcher/model/SpdxLicenses.java @@ -0,0 +1,46 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher.model; + +import java.util.ArrayList; +import java.util.List; + +public class SpdxLicenses { + + private String licenseListVersion; + private List licenses = new ArrayList<>(); + + public String getLicenseListVersion() { + return licenseListVersion; + } + + public void setLicenseListVersion(String licenseListVersion) { + this.licenseListVersion = licenseListVersion; + } + + public List getLicenses() { + return licenses; + } + + public void setLicenses(List licenses) { + this.licenses = licenses; + } + +} diff --git a/core/src/test/java/de/medavis/lct/core/JsonPath.java b/core/src/test/java/de/medavis/lct/core/JsonPath.java new file mode 100644 index 0000000..9883abd --- /dev/null +++ b/core/src/test/java/de/medavis/lct/core/JsonPath.java 
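Review bot: The field `isDeprecatedLicenseId` is exposed through `isDeprecatedLicenseId()` and `setDeprecatedLicenseId(...)`, which Jackson's default bean naming maps to a property called `deprecatedLicenseId`, while the SPDX list uses the key `isDeprecatedLicenseId`. If the mapper from `Json5MapperFactory` ignores unknown properties (not visible here), the flag would always stay false and deprecated ids would be indistinguishable from current ones; `@JsonProperty("isDeprecatedLicenseId")` on the field or setter makes the binding explicit. The class has no Javadoc; a one-line class comment saying it mirrors one entry of the SPDX `licenses.json` would help.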
@@ -0,0 +1,64 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core; + +import com.fasterxml.jackson.databind.JsonNode; + +import org.jetbrains.annotations.NotNull; +import org.jetbrains.annotations.Nullable; + +import java.util.List; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +public class JsonPath { + + private static final String REGEX = "(?\\D[a-zA-Z0-9]*)(\\[(?\\d*)\\])?"; + private static final Pattern PATTERN = Pattern.compile(REGEX); + + private JsonPath() {} + + @Nullable + public static JsonNode path(@NotNull JsonNode firstNode, @NotNull String path) { + + List items = List.of(path.split("\\.")); + + JsonNode node = firstNode; + + for (String item : items) { + Matcher matcher = PATTERN.matcher(item); + while(matcher.find()) { + String name = matcher.group("name"); + node = node.path(name); + + String sIndex = matcher.group("index"); + if (sIndex != null) { + int index = Integer.parseInt(matcher.group("index")); + node = node.path(index); + if (node == null) { + return null; + } + } + } + } + + return node; + } +} diff --git a/core/src/test/java/de/medavis/lct/core/asset/AssetLoaderTest.java b/core/src/test/java/de/medavis/lct/core/asset/AssetLoaderTest.java index 1b229ca..2313e0d 100644 --- a/core/src/test/java/de/medavis/lct/core/asset/AssetLoaderTest.java 
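Review bot: In `path`, the index group is matched with `\\d*`, so an item such as `items[]` yields an empty string rather than null and `Integer.parseInt` throws `NumberFormatException`; `\\d+` would reject it at the regex level. `JsonNode.path(...)` returns a missing node instead of null, so the `if (node == null)` branch is unreachable and the `@Nullable` return annotation overstates what callers must handle; `node.isMissingNode()` is the check that matches the intent. `sIndex` is already read, so `Integer.parseInt(sIndex)` avoids the second `matcher.group("index")` call.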
+++ b/core/src/test/java/de/medavis/lct/core/asset/AssetLoaderTest.java @@ -21,9 +21,8 @@ import com.google.common.collect.ImmutableSet; import java.io.InputStream; -import org.junit.jupiter.api.Test; + import org.junit.jupiter.params.ParameterizedTest; -import org.junit.jupiter.params.provider.ArgumentsSource; import org.junit.jupiter.params.provider.ValueSource; import static org.assertj.core.api.Assertions.assertThat; @@ -46,13 +45,13 @@ void shouldLoadAssetFromBOM(String bomSuffix) { assertThat(actual.name()).isEqualTo("de.medavis.license-compliance-tool-core"); assertThat(actual.version()).isEqualTo("1.4.0"); assertThat(actual.components()).contains( - new Component("org.cyclonedx", "cyclonedx-core-java", "9.0.0", "https://github.com/CycloneDX/cyclonedx-core-java.git", ImmutableSet.of( + new Component("org.cyclonedx", "cyclonedx-core-java", "9.0.0", "https://github.com/CycloneDX/cyclonedx-core-java.git", "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", ImmutableSet.of( License.dynamic("Apache-2.0", "https://www.apache.org/licenses/LICENSE-2.0") )), - new Component("org.codehaus.woodstox", "stax2-api", "4.2.2", "http://github.com/FasterXML/stax2-api", ImmutableSet.of( + new Component("org.codehaus.woodstox", "stax2-api", "4.2.2", "http://github.com/FasterXML/stax2-api", "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", ImmutableSet.of( License.dynamic("BSD-2-Clause", null) )), - new Component(null, "slf4j-api", "2.0.13", "https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api", ImmutableSet.of( + new Component(null, "slf4j-api", "2.0.13", "https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api", "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT"), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html"))) ); 
diff --git a/core/src/test/java/de/medavis/lct/core/downloader/LicensesDownloaderTest.java b/core/src/test/java/de/medavis/lct/core/downloader/LicensesDownloaderTest.java index e14eac5..b43bbf2 100644 --- a/core/src/test/java/de/medavis/lct/core/downloader/LicensesDownloaderTest.java +++ b/core/src/test/java/de/medavis/lct/core/downloader/LicensesDownloaderTest.java @@ -126,6 +126,7 @@ private ComponentData component(License... licenses) { RandomStringUtils.randomAlphabetic(6), RandomStringUtils.randomAlphabetic(6), RandomStringUtils.randomAlphabetic(6), + RandomStringUtils.randomAlphabetic(6), ImmutableSet.copyOf(licenses), Collections.emptySet()); } diff --git a/core/src/test/java/de/medavis/lct/core/list/ComponentListerTest.java b/core/src/test/java/de/medavis/lct/core/list/ComponentListerTest.java index ed21cca..4f8cae1 100644 --- a/core/src/test/java/de/medavis/lct/core/list/ComponentListerTest.java +++ b/core/src/test/java/de/medavis/lct/core/list/ComponentListerTest.java 
@@ -47,15 +47,15 @@ class ComponentListerTest { void useWithoutModifications() { assertThat(executeTest("metadata-empty", "license-empty", "licensemapping-empty", "test-bom")) .containsExactly( - new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
@@ -65,10 +65,10 @@ void useWithoutModifications() { void ignoreEmptyGroup() { assertThat(executeTest("metadata-empty", "license-empty", "licensemapping-empty", "test-bom-depWithoutGroup")) .containsExactly( - new ComponentData("dep-emptygroup", "2.0.0", null, Set.of( + new ComponentData("dep-emptygroup", "2.0.0", null, null, Set.of( License.dynamic("EPL-1.0", null) ), Collections.emptySet()), - new ComponentData("dep-nogroup", "1.0.0", null, Set.of( + new ComponentData("dep-nogroup", "1.0.0", null, null, Set.of( License.dynamic("EPL-1.0", null) ), Collections.emptySet()) ); @@ -78,11 +78,11 @@ void ignoreEmptyGroup() { void canMergeComponentsWithSameMappedName() { assertThat(executeTest("metadata-mergeLogback", "license-empty", "licensemapping-empty", "test-bom")) .containsExactly( - new ComponentData("Logback", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("Logback", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
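Review bot: In `canMergeComponentsWithSameMappedName` (the second hunk here) the merged `Logback` entry is expected to carry `pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar`, so the test pins that the purl of logback-classic is dropped when both artifacts are merged under one mapped name. A purl names a single artifact, so the merged manifest entry no longer identifies everything it stands for, and which purl survives presumably depends on merge order, which the hunk does not show. If that is intended, record it at the expectation, e.g. `// merged entry keeps one purl only (logback-core); logback-classic's is dropped`. `canMergeLicensesWhenMergingComponents` in the next hunk repeats the expectation; both method bodies close outside their hunks.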
@@ -92,13 +92,13 @@ void canMergeComponentsWithSameMappedName() { void canMergeLicensesWhenMergingComponents() { assertThat(executeTest("metadata-mergeLogback", "license-empty", "licensemapping-empty", "test-bom-modifiedLicense")) .containsExactly( - new ComponentData("Logback", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("Logback", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("EPL-1.0-Modified", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html"), License.dynamic("GNU Greater General Public License", "https://greater.gnu.com") ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); @@ -108,7 +108,7 @@ void canMergeLicensesWhenMergingComponents() { void canIgnoreComponents() { assertThat(executeTest("metadata-ignoreLogback", "license-empty", "licensemapping-empty", "test-bom")) .containsExactly( - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
@@ -118,15 +118,15 @@ void canIgnoreComponents() { void canRenameLicenseAndReplaceUrl() { assertThat(executeTest("metadata-empty", "license-lgpl", "licensemapping-lgpl", "test-bom")) .containsExactly( - new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.fromConfig("LGPL", "https://my.lgpl.link", "https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt") ), Collections.emptySet()), - new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.fromConfig("LGPL", "https://my.lgpl.link", "https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt") ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
@@ -136,15 +136,15 @@ void canRenameLicenseAndReplaceUrl() { void canRenameLicenseWithOriginalUrl() { assertThat(executeTest("metadata-empty", "license-empty", "licensemapping-lgpl", "test-bom")) .containsExactly( - new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("LGPL", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("LGPL", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
@@ -154,15 +154,15 @@ void canRenameLicenseWithOriginalUrl() { void canOverwriteUrl() { assertThat(executeTest("metadata-overwriteSlf4jUrl", "license-empty", "licensemapping-empty", "test-bom")) .containsExactly( - new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://my.slf4j.com/", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://my.slf4j.com/", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
@@ -172,14 +172,14 @@ void canOverwriteUrl() { void canOverwriteLicensesForSpecificComponents() { assertThat(executeTest("metadata-overwriteMyLicense", "license-empty", "licensemapping-empty", "test-bom")) .containsExactly( - new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), Collections.emptySet()), - new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("MYLICENSE", null) ), Collections.emptySet()), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); 
@@ -189,15 +189,15 @@ void canOverwriteLicensesForSpecificComponents() { void canAddAttributionNotices() { assertThat(executeTest("metadata-logbackAttributionNotice", "license-empty", "licensemapping-empty", "test-bom")) .containsExactly( - new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-classic", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), ImmutableSet.of("Copyright (c) 2015", "Guaranteed Log4Shell-free")), - new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", ImmutableSet.of( + new ComponentData("ch.qos.logback.logback-core", "1.2.11", "https://github.com/ceki/logback", "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", ImmutableSet.of( License.dynamic("EPL-1.0", null), License.dynamic("GNU Lesser General Public License", "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html") ), ImmutableSet.of("Copyright (c) 2015", "Guaranteed Log4Shell-free")), - new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", ImmutableSet.of( + new ComponentData("org.slf4j.slf4j-api", "1.7.32", "https://github.com/qos-ch/slf4j", "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", ImmutableSet.of( License.dynamic("MIT", "https://opensource.org/licenses/MIT") ), Collections.emptySet()) ); diff --git a/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetaDataLoaderTest.java b/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetaDataLoaderTest.java index 4f6d323..d539186 100644 --- a/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetaDataLoaderTest.java +++ b/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetaDataLoaderTest.java 
@@ -37,9 +37,9 @@ void shouldLoadCompleteRecords() { final Collection actual = underTest.load(metadataUrl); Assertions.assertThat(actual).containsExactly( - new ComponentMetadata("my\\.group", "keep", false, "KEEP!", "https://keep.com", "Keep component", + new ComponentMetadata("my\\.group", "keep", null, false, "KEEP!", "https://keep.com", "Keep component", ImmutableSet.of("LIC-1.0"), ImmutableSet.of("Copyright (c) 2020")), - new ComponentMetadata("my\\.group", "ignore", true, "IGNORE!", "https://ignore.com", "Ignore component", + new ComponentMetadata("my\\.group", "ignore", null, true, "IGNORE!", "https://ignore.com", "Ignore component", ImmutableSet.of("LIC1-1.0", "LIC2-1.0"), ImmutableSet.of("Copyright (c) 2022", "Contains software by ACME Foundation")) ); } @@ -51,8 +51,8 @@ void shouldLoadMinimalRecords() { final Collection actual = underTest.load(metadataUrl); Assertions.assertThat(actual).containsExactly( - new ComponentMetadata("my\\.group", null, false, null, null, null, Collections.emptySet(), Collections.emptySet()), - new ComponentMetadata(null, "my\\.name", false, null, null, null, Collections.emptySet(), Collections.emptySet()) + new ComponentMetadata("my\\.group", null, null, false, null, null, null, Collections.emptySet(), Collections.emptySet()), + new ComponentMetadata(null, "my\\.name", null, false, null, null, null, Collections.emptySet(), Collections.emptySet()) ); } } diff --git a/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetadataTest.java b/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetadataTest.java new file mode 100644 index 0000000..fbdffb2 --- /dev/null +++ b/core/src/test/java/de/medavis/lct/core/metadata/ComponentMetadataTest.java 
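Review bot: `shouldLoadCompleteRecords` passes `null` for the new third constructor argument in both expected records, so no loader test proves that a purl pattern in the metadata JSON is actually deserialised into `ComponentMetadata`. Rules that select components by purl depend on that field, and a silently ignored key would leave them inactive without failing any test. Add a record with the pattern set to the complete-records fixture and expect it here, e.g. `new ComponentMetadata(null, null, "pkg:maven/my\\.group/.*", false, null, null, null, Collections.emptySet(), Collections.emptySet())` (constructed sample value). `shouldLoadMinimalRecords` in the following hunk has the same gap, and both methods begin above their hunks.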
@@ -0,0 +1,57 @@
+/*-
+ * #%L
+ * License Compliance Tool - Implementation Core
+ * %%
+ * Copyright (C) 2022 - 2024 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package de.medavis.lct.core.metadata;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class ComponentMetadataTest {
+
+ @Test
+ void testMatches() {
+ assertFalse(createComponentMetadata("de.medavis", "b", null).matches("de.medavis", "a", null));
+ assertFalse(createComponentMetadata("de.medavis", "a", "abc").matches("de.medavis", "a", "xyz"));
+ assertTrue(createComponentMetadata("xz.medavis", "b", "abc").matches("de.medavis", "a", "abc"));
+ assertTrue(createComponentMetadata("de.medavis", "a", "abc").matches("de.medavis", "a", "abc"));
+
+ assertTrue(createComponentMetadata(null, null, "abc").matches("de.medavis", "a", "abc"));
+ assertFalse(createComponentMetadata(null, null, "abc").matches("de.medavis", "a", "xyz"));
+
+ assertTrue(createComponentMetadata("de.medavis", "a", null).matches("de.medavis", "a", null));
+ assertTrue(createComponentMetadata(null, "a", null).matches("de.medavis", "a", null));
+ assertTrue(createComponentMetadata("de.medavis", null, null).matches("de.medavis", "a", null));
+
+ }
+
+ private ComponentMetadata createComponentMetadata(String group, String name, String purl) {
+ return new ComponentMetadata(
+ group,
+ name,
+ purl,
+ false,
+ null,
+ null,
+ null,
+ null,
+ null);
+ }
+
+}
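Review bot: `testMatches` never calls `matches` with a purl pattern set and a `null` component purl, although other tests in this commit build components whose purl is `null`. The implementation is not part of this hunk, so that path may throw or fall back to group and name; pin whichever result is intended for `createComponentMetadata("de.medavis", "a", "abc").matches("de.medavis", "a", null)`. The purl cases also use only the literal `abc`, which cannot tell a full match from a substring search; assuming full-match semantics are wanted, `assertFalse(createComponentMetadata(null, null, "abc").matches("de.medavis", "a", "xabcx"));` would fix the anchoring. The third assertion shows a purl match overriding a group and name mismatch, which deserves a one-line comment such as `// a matching purl wins even when group and name differ`, because it decides which components a license override reaches.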
diff --git a/core/src/test/java/de/medavis/lct/core/outputter/FreemarkerOutputterTest.java b/core/src/test/java/de/medavis/lct/core/outputter/FreemarkerOutputterTest.java index 49dcd77..928aa47 100644 --- a/core/src/test/java/de/medavis/lct/core/outputter/FreemarkerOutputterTest.java +++ b/core/src/test/java/de/medavis/lct/core/outputter/FreemarkerOutputterTest.java @@ -72,9 +72,9 @@ class ComponentTable { @Test void fullAttributes(@TempDir Path outputPath) throws IOException { - final ComponentData componentA = createComponent("ComponentA", "1.0.0", "https://component-a.com", + final ComponentData componentA = createComponent("ComponentA","1.0.0", "https://component-a.com", null, createLicenses("LIC-A", "https://license-a.com"), Collections.singleton("Copyright (c) 2020")); - final ComponentData componentB = createComponent("ComponentB", "2.0.0", "https://component-b.com", + final ComponentData componentB = createComponent("ComponentB", "2.0.0", "https://component-b.com", null, createLicenses("LIC-B", "https://license-b.com"), ImmutableSet.of("Copyright (c) 2015", "Resistance is futile")); createAndVerifyOutput(outputPath, componentA, componentB); @@ -82,7 +82,7 @@ void fullAttributes(@TempDir Path outputPath) throws IOException { @Test void missingComponentUrl(@TempDir Path outputPath) throws IOException { - final ComponentData component = createComponent("ComponentA", "1.0.0", null, + final ComponentData component = createComponent("ComponentA", "1.0.0", null, null, createLicenses("LIC-A", "https://license-a.com"), Collections.singleton("Copyright (c) 2020")); createAndVerifyOutput(outputPath, component); 
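Review bot: In `fullAttributes` the edited call lost the space after its first comma, `createComponent("ComponentA","1.0.0", ...`; restore it as `createComponent("ComponentA", "1.0.0", "https://component-a.com", null,` to match the other calls. Every `createComponent` call touched in this file passes `null` for the new purl argument, so the output is never rendered with a purl present; if the template reads that field, one case with a value would cover it. The nested class `ComponentTable` starts above the hunk.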
@@ -90,7 +90,7 @@ void missingComponentUrl(@TempDir Path outputPath) throws IOException { @Test void missingVersionUrl(@TempDir Path outputPath) throws IOException { - final ComponentData component = createComponent("ComponentA", null, "https://component-a.com", + final ComponentData component = createComponent("ComponentA", null, "https://component-a.com", null, createLicenses("LIC-A", "https://license-a.com"), Collections.singleton("Copyright (c) 2020")); createAndVerifyOutput(outputPath, component); @@ -98,7 +98,7 @@ void missingVersionUrl(@TempDir Path outputPath) throws IOException { @Test void missingLicenseUrl(@TempDir Path outputPath) throws IOException { - final ComponentData component = createComponent("ComponentA", "1.0.0", null, + final ComponentData component = createComponent("ComponentA", "1.0.0", null, null, createLicenses("LIC-A", null), Collections.singleton("Copyright (c) 2020")); createAndVerifyOutput(outputPath, component); @@ -106,7 +106,7 @@ void missingLicenseUrl(@TempDir Path outputPath) throws IOException { @Test void noLicenses(@TempDir Path outputPath) throws IOException { - final ComponentData component = createComponent("ComponentA", "1.0.0", "https://component-a.com", Collections.emptySet(), + final ComponentData component = createComponent("ComponentA", "1.0.0", "https://component-a.com", null, Collections.emptySet(), Collections.singleton("Copyright (c) 2020")); createAndVerifyOutput(outputPath, component); 
@@ -114,14 +114,14 @@ void noLicenses(@TempDir Path outputPath) throws IOException { @Test void noAttributionNotices(@TempDir Path outputPath) throws IOException { - final ComponentData component = createComponent("ComponentA", "1.0.0", "https://component-a.com", createLicenses("LIC-A", "https://license-a.com"), + final ComponentData component = createComponent("ComponentA", "1.0.0", "https://component-a.com", null, createLicenses("LIC-A", "https://license-a.com"), Collections.emptySet()); createAndVerifyOutput(outputPath, component); } - private ComponentData createComponent(String name, String version, String url, Set licenses, Set attributionNotices) { - return new ComponentData(name, version, url, licenses, attributionNotices); + private ComponentData createComponent(String name, String version, String url, String purl, Set licenses, Set attributionNotices) { + return new ComponentData(name, version, url, purl, licenses, attributionNotices); } private Set createLicenses(String name, String url) { diff --git a/core/src/test/java/de/medavis/lct/core/patcher/BomPatcherTest.java b/core/src/test/java/de/medavis/lct/core/patcher/BomPatcherTest.java new file mode 100644 index 0000000..b212030 --- /dev/null +++ b/core/src/test/java/de/medavis/lct/core/patcher/BomPatcherTest.java 
@@ -0,0 +1,109 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; + +import de.medavis.lct.core.Configuration; +import de.medavis.lct.core.Json5MapperFactory; +import de.medavis.lct.core.JsonPath; +import de.medavis.lct.core.asset.AssetLoader; +import de.medavis.lct.core.license.LicenseLoader; +import de.medavis.lct.core.license.LicenseMappingLoader; +import de.medavis.lct.core.metadata.ComponentMetaDataLoader; + +import org.apache.commons.io.output.NullOutputStream; +import org.junit.jupiter.api.Test; + +import java.io.File; +import java.io.IOException; +import java.net.MalformedURLException; +import java.net.URL; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.Optional; + +import static org.junit.jupiter.api.Assertions.*; + +class BomPatcherTest { + + private BomPatcher createBomPatcher() { + return new BomPatcher( + new AssetLoader(), + new ComponentMetaDataLoader(), + new LicenseLoader(), + new LicenseMappingLoader(), + new Configuration() { + @Override + public Optional getComponentMetadataUrl() { + try { + return Optional.of(Path.of("src/test/resources/de/medavis/lct/core/patcher/test-component-metadata.json").toUri().toURL()); + } catch 
(MalformedURLException ex) { + throw new LicensePatcherException(ex.getMessage(), ex); + } + } + } + ); + } + + @Test + void testCycloneDXSchema() { + BomPatcher patcher = createBomPatcher(); + assertThrows(LicensePatcherException.class, () -> patcher.patch(getClass().getResourceAsStream("/asset/test-bom-unsupported-version.json"), NullOutputStream.nullOutputStream())); + assertThrows(LicensePatcherException.class, () -> patcher.patch(getClass().getResourceAsStream("/asset/test-bom-unsupported-format.json"), NullOutputStream.nullOutputStream())); + } + + @Test + void testPatchBOM() throws IOException { + BomPatcher patcher = createBomPatcher(); + + Path patchedFile = Path.of("target/test-results/test-patched-01.json"); + Files.deleteIfExists(patchedFile); + + Path sourceFile = Path.of("src/test/resources/de/medavis/lct/core/patcher/test-bom-01.json"); + + boolean result = patcher.patch( + sourceFile, + patchedFile + ); + + assertTrue(result); + assertTrue(Files.exists(patchedFile)); + + ObjectMapper mapper = Json5MapperFactory.create(); + JsonNode rootNode = mapper.readTree(sourceFile.toFile()); + + // Validate unpatched file, so that we can be sure that we have patched the BOM + assertEquals("Apache 2.0", JsonPath.path(rootNode, "components[0].licenses[0].license.id").asText()); + assertFalse(JsonPath.path(rootNode, "components[2].licenses[0].license").has("id")); + assertTrue(JsonPath.path(rootNode, "components[1].licenses[0]").has("expression")); + assertFalse(JsonPath.path(rootNode, "components[3].licenses[8].license").has("id")); + + rootNode = mapper.readTree(patchedFile.toFile()); + + // Now, validate patched file (pkg:maven/us.springett/alpine-common@2.2.5?type=jar) + assertEquals("Apache-2.0", JsonPath.path(rootNode, "components[0].licenses[0].license.id").asText()); + // Test, creating of missing licenses node + assertEquals("BSD-2-Clause", JsonPath.path(rootNode, "components[2].licenses[0].license.id").asText()); + // assertTrue(JsonPath.path(rootNode, 
"components[1].licenses[0]").has("expression")); + } + +} diff --git a/core/src/test/java/de/medavis/lct/core/patcher/ComponentMetaDataManagerTest.java b/core/src/test/java/de/medavis/lct/core/patcher/ComponentMetaDataManagerTest.java new file mode 100644 index 0000000..4fccff0 --- /dev/null +++ b/core/src/test/java/de/medavis/lct/core/patcher/ComponentMetaDataManagerTest.java 
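Review bot: `testPatchBOM` leaves the license-expression case unverified: the assertion on `components[1].licenses[0]` is commented out for the patched file, and `components[3].licenses[8]` is inspected only before patching. Since the patcher rewrites license data in an SBOM, the test should state what happens to those entries; either re-enable `assertTrue(JsonPath.path(rootNode, "components[1].licenses[0]").has("expression"));` or replace it with a comment saying why it cannot hold yet. The output path `target/test-results/test-patched-01.json` is relative to the working directory and its parent directory is not created here; a `@TempDir Path` parameter, as `FreemarkerOutputterTest` uses, avoids both. In `testCycloneDXSchema`, `getResourceAsStream` returns `null` for a missing resource, so assert the streams are non-null first, or `assertThrows` may pass for the wrong reason.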
@@ -0,0 +1,59 @@
+/*-
+ * #%L
+ * License Compliance Tool - Implementation Core
+ * %%
+ * Copyright (C) 2022 - 2024 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+package de.medavis.lct.core.patcher;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.net.URISyntaxException;
+import java.util.List;
+
+@ExtendWith(MockitoExtension.class)
+class ComponentMetaDataManagerTest {
+
+ @Mock()
+ private Logger mockedLogger;
+
+ @Test
+ void testValidateLicenseMappedNames() throws URISyntaxException {
+
+ try (MockedStatic context = Mockito.mockStatic(LoggerFactory.class)) {
+ context
+ .when(() -> LoggerFactory.getLogger(Mockito.any(Class.class)))
+ .thenReturn(mockedLogger);
+
+ ComponentMetaDataManager mapper = ComponentMetaDataManager.create();
+ mapper.load(getClass().getClassLoader().getResource("de/medavis/lct/core/patcher/test-component-metadata2.json").toURI());
+
+ mapper.logInvalidLicenseIds(SpdxLicenseManager.create().loadDefaults().getSupportedLicenseIds());
+
+ Mockito.verify(mockedLogger)
+ .warn("Your component meta data configuration contains an unsupported to be mapped SPDX name '{}'.", List.of("Apache-1.0-JDOM"));
+ }
+
+ }
+
+}
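Review bot: `testValidateLicenseMappedNames` checks the outcome only through a statically mocked `LoggerFactory`, which works only if `ComponentMetaDataManager` obtains its logger while the `MockedStatic` scope is open. If the class keeps its logger in a static field (not visible in this hunk) and was loaded by an earlier test, the real logger is used and the `verify` fails depending on test order. It would be sturdier for `logInvalidLicenseIds` to return the unsupported ids so the test can compare them with `List.of("Apache-1.0-JDOM")` directly; that would also let a build fail on an unsupported SPDX id instead of only logging it. `getResource(...)` can return `null`, so wrap it in `Objects.requireNonNull(...)` before calling `.toURI()`.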
diff --git a/core/src/test/java/de/medavis/lct/core/patcher/SpdxLicenseManagerTest.java b/core/src/test/java/de/medavis/lct/core/patcher/SpdxLicenseManagerTest.java new file mode 100644 index 0000000..8724afc --- /dev/null +++ b/core/src/test/java/de/medavis/lct/core/patcher/SpdxLicenseManagerTest.java 
@@ -0,0 +1,70 @@ +/*- + * #%L + * License Compliance Tool - Implementation Core + * %% + * Copyright (C) 2022 - 2024 medavis GmbH + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * #L% + */ +package de.medavis.lct.core.patcher; + +import com.github.tomakehurst.wiremock.junit5.WireMockRuntimeInfo; +import com.github.tomakehurst.wiremock.junit5.WireMockTest; + +import org.apache.commons.io.IOUtils; +import org.apache.http.HttpHeaders; +import org.apache.http.entity.ContentType; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import java.io.IOException; +import java.net.URI; +import java.nio.charset.StandardCharsets; + +import static com.github.tomakehurst.wiremock.client.WireMock.get; +import static com.github.tomakehurst.wiremock.client.WireMock.ok; +import static com.github.tomakehurst.wiremock.client.WireMock.stubFor; +import static org.junit.jupiter.api.Assertions.*; + +@WireMockTest +class SpdxLicenseManagerTest { + + private static final String SPDX_LICENSE_PATH = "/spdx/licenses.json"; + + private String baseUrl; + + @BeforeEach + void beforeEach(WireMockRuntimeInfo wiremock) { + baseUrl = wiremock.getHttpBaseUrl(); + } + + @Test + void testCreateWithExternal() throws IOException { + String licenses = IOUtils.resourceToString("de/medavis/lct/core/patcher/SpdxLicenseList.json5", StandardCharsets.UTF_8, SpdxLicenseManagerTest.class.getClassLoader()); + + stubFor(get(SPDX_LICENSE_PATH). 
+ willReturn(ok(licenses) + .withHeader(HttpHeaders.CONTENT_LENGTH, String.valueOf(licenses.length())) + .withHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_JSON.getMimeType()))); + + SpdxLicenseManager manager = SpdxLicenseManager + .create() + .load(URI.create(baseUrl + SPDX_LICENSE_PATH)); + + assertTrue(manager.match("Apache-2.0", null).isPresent()); + assertFalse(manager.match("Commercial-42", null).isPresent()); + assertTrue(manager.match(null, "Apache License 1.1").isPresent()); + } + +} diff --git a/core/src/test/resources/asset/test-bom-unsupported-format.json b/core/src/test/resources/asset/test-bom-unsupported-format.json new file mode 100644 index 0000000..5467d41 --- /dev/null +++ b/core/src/test/resources/asset/test-bom-unsupported-format.json 
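Review bot: The stub in `testCreateWithExternal` sets `Content-Length` from `licenses.length()`, which counts UTF-16 code units rather than bytes, so the header is too small whenever the license list contains a non-ASCII character and the client may then read a truncated body. Drop the explicit header and let the mock server set it, or use `String.valueOf(licenses.getBytes(StandardCharsets.UTF_8).length)`. The test also covers only a successful download; a case where the URL answers with an error status or malformed JSON would pin how `load` fails, which matters because this list is what license ids are validated against.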
@@ -0,0 +1,2325 @@ +{ + "bomFormat" : "BraBra", + "specVersion" : "1.5", + "serialNumber" : "urn:uuid:a66af8e4-6341-367b-8061-cfe766fd36d7", + "version" : 1, + "metadata" : { + "timestamp" : "2024-05-16T12:11:08Z", + "lifecycles" : [ + { + "phase" : "build" + } + ], + "tools" : [ + { + "vendor" : "OWASP Foundation", + "name" : "CycloneDX Maven plugin", + "version" : "2.8.0", + "hashes" : [ + { + "alg" : "MD5", + "content" : "76ffec6a7ddd46b2b24517411874eb99" + }, + { + "alg" : "SHA-1", + "content" : "5b0d5b41975b53be4799b9621b4af0cfc41d44b6" + }, + { + "alg" : "SHA-256", + "content" : "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81" + }, + { + "alg" : "SHA-512", + "content" : "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d" + }, + { + "alg" : "SHA-384", + "content" : "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d" + }, + { + "alg" : "SHA3-384", + "content" : "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8" + }, + { + "alg" : "SHA3-256", + "content" : "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487" + }, + { + "alg" : "SHA3-512", + "content" : "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a" + } + ] + } + ], + "component" : { + "publisher" : "medavis GmbH", + "group" : "de.medavis", + "name" : "license-compliance-tool-core", + "version" : "1.4.0", + "description" : "Generate component manifest and license files for compliance with licenses of third-party software", + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/de.medavis/license-compliance-tool-core@1.4.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/medavis-gmbh/LicenseComplianceTool/license-compliance-tool-core" + }, + { + 
"type" : "vcs", + "url" : "https://github.com/medavis-gmbh/LicenseComplianceTool/license-compliance-tool-core" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/de.medavis/license-compliance-tool-core@1.4.0?type=jar" + }, + "properties" : [ + { + "name" : "maven.goal", + "value" : "makeBom" + }, + { + "name" : "maven.scopes", + "value" : "compile,provided,runtime,system" + } + ] + }, + "components" : [ + { + "publisher" : "OWASP Foundation", + "group" : "org.cyclonedx", + "name" : "cyclonedx-core-java", + "version" : "9.0.0", + "description" : "The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "2837ddac6fee046943d57512258f96f8" + }, + { + "alg" : "SHA-1", + "content" : "1874c9d985996aba2423acd60f0c3ca7791fec51" + }, + { + "alg" : "SHA-256", + "content" : "3c1db2f3f0ac2e509a2002a2ecc26252a9ddeec79fa0dc06c5246a239754668d" + }, + { + "alg" : "SHA-512", + "content" : "32fee8810da29e6cb21bf763754a45b213910efd4a3ca89d679cf140032e7b2a54f85af9189c9328f9cad7dda1e1cbea13017283800d36e93ceb867bc033182e" + }, + { + "alg" : "SHA-384", + "content" : "61569e8c67c6a3ab43e2a3753f1248e44cbb45898e9d246b179cc07988555114135e354f9a34f04571f23106dfaad851" + }, + { + "alg" : "SHA3-384", + "content" : "587ba744e0701fb7ec9c24566d27385541e3a40f2c9faf19a3d1c455367410cc8092d102ebd9bb21c86c8e1132305787" + }, + { + "alg" : "SHA3-256", + "content" : "258882568c14579249e5b456431112c6bf5cbe2c46752425f321cefd2adb8a12" + }, + { + "alg" : "SHA3-512", + "content" : "76fda5ab0706289f02d0e2e8e1d604f40618ec18cb28ee20a3bb4619a617c6607822b88673ab391e61fc1dfbe14913ce67878c7aa44c013bb78f0aa9a06b9838" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", + "externalReferences" : [ + { 
+ "type" : "website", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java" + }, + { + "type" : "build-system", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "commons-codec", + "name" : "commons-codec", + "version" : "1.17.0", + "description" : "The Apache Commons Codec component contains encoder and decoders for various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "ca1f080782f7e77cb3aec451e7a7f02d" + }, + { + "alg" : "SHA-1", + "content" : "0dbe8eef6e14460e73da07f7b11bf994d6626355" + }, + { + "alg" : "SHA-256", + "content" : "f700de80ac270d0344fdea7468201d8b9c805e5c648331c3619f2ee067ccfc59" + }, + { + "alg" : "SHA-512", + "content" : "cb9c3b2055d0b31d106293f0bc3696f90a11a30953e5b05a1a3c453e98a563475c93d7c6d1707e75f59d0806fba5fd8e4486b8bd72e58bb6ae995bdbbeeb7e17" + }, + { + "alg" : "SHA-384", + "content" : "a0fd174b2f8a21b43828371a7ee03c915b79e69d7b0e16cfe6367f794e2f8e6bbebc261e8a4ba35a79779b2338a774a4" + }, + { + "alg" : "SHA3-384", + "content" : "803fb227bd6770cc21c701b9529606f95ba05c30ea3d807b18b3681fde0c7cabd0e2f40ab36567832f63e0c42b77d0f2" + }, + { + "alg" : "SHA3-256", + "content" : "41b9b86fd0b19ff44d19d108302d7b0111ed86d07a65a90efe1023537fad8748" + }, + { + "alg" : "SHA3-512", + "content" : 
"eaacc9eafccf4bda0c72c5151dbd7e99954842782c91b501af8c7ca462a04b6c59d7ab8e1ef43b3ebc1b12ca62f4574544bc31df10f33f4a15cd3c3399bd808b" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-codec/" + }, + { + "type" : "build-system", + "url" : "https://github.com/apache/commons-parent/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/CODEC" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://github.com/apache/commons-codec" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "commons-io", + "name" : "commons-io", + "version" : "2.16.0", + "description" : "The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4e115587dca5dd3c178e7c8f17a371b3" + }, + { + "alg" : "SHA-1", + "content" : "27875a7935f1ddcc13267eb6fae1f719e0409572" + }, + { + "alg" : "SHA-256", + "content" : "d1e417901235fae3aa0cb9736baeaf5b74de7349817d1c72390d82e3d83d3a97" + }, + { + "alg" : "SHA-512", + "content" : "afba6cc8fdef9d347aaccb3bff327ba8e2c17135989cf01179fdb2e3ca8d0afdce37defb08659eb1e99b8730e2baaaec95c7d3599f7ebf526c97c8edc477b852" + }, + { + "alg" : "SHA-384", + "content" : "0413eda39746809f3c7ce44336f6d88d8d72e2781db4b74c98a206f34b94639a39024697fde25f310edda8cf628fd376" + }, + { + "alg" 
: "SHA3-384", + "content" : "386bee9245d0ef901c3010be3603d4cd083c2745737fdf852f3c7024b295aa74d006f0d1a3e7cbc2b09b6023b42d41b5" + }, + { + "alg" : "SHA3-256", + "content" : "22054f3faf8d31b9bdb010e1341cf74dfcb40860e50eaf238991c784a9a8b4ae" + }, + { + "alg" : "SHA3-512", + "content" : "c7e76ce4a2177ea7898931e180cca6463bf5eab34199c6a9a0146474262f16c30d99a05eb02a86f37870ba83b1b413e78949582add25aa87c5f39462444be6ea" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/commons-io/commons-io@2.16.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-io/" + }, + { + "type" : "build-system", + "url" : "https://github.com/apache/commons-parent/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/IO" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://gitbox.apache.org/repos/asf?p=commons-io.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/commons-io/commons-io@2.16.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "org.apache.commons", + "name" : "commons-lang3", + "version" : "3.14.0", + "description" : "Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4e5c3f5e6b0b965ef241d7d72ac8971f" + }, + { + "alg" : "SHA-1", + "content" : "1ed471194b02f2c6cb734a0cd6f6f107c673afae" + }, + { + "alg" : "SHA-256", + "content" : "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c" + }, + { + "alg" : 
"SHA-512", + "content" : "0338b50767166e5746ada6d6aa2e071e7221d699323bfb629f7f204b294c1dc4cad140610a129ed751798443b43e74e0818989c7df7d33c5915aa29742be9ba8" + }, + { + "alg" : "SHA-384", + "content" : "908d0a22dc17aaa04caa5104cff7cad5b88b77eecb78dd5b3b3fefa22ff71ac50a4fb9e31c897ac243f9d841e4b3453d" + }, + { + "alg" : "SHA3-384", + "content" : "8a7f2e061b998780870eddd571620fbf3d3c70bcb54e24539d0db504f59d65bc6bda58136284498babe29fcc5eabb7a6" + }, + { + "alg" : "SHA3-256", + "content" : "022bf1f8039fcea717e9e34dd96eb80cfff05b43c9cbb76e9739b2421e2d027c" + }, + { + "alg" : "SHA3-512", + "content" : "0bcbc4edce974ea970c46e2da12ec98d9fd962c2cf64f757ac97136dec5623ca52af0c225895303c17ffabb57090e6772d7bd326d5e7438cef5454f8bbaeecfa" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-lang/" + }, + { + "type" : "build-system", + "url" : "https://github.com/apache/commons-parent/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/LANG" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://gitbox.apache.org/repos/asf?p=commons-lang.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "org.apache.commons", + "name" : "commons-collections4", + "version" : "4.4", + "description" : "The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.", + "scope" : "required", + "hashes" : [ + { + "alg" 
: "MD5", + "content" : "4a37023740719b391f10030362c86be6" + }, + { + "alg" : "SHA-1", + "content" : "62ebe7544cb7164d87e0637a2a6a2bdc981395e8" + }, + { + "alg" : "SHA-256", + "content" : "1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1" + }, + { + "alg" : "SHA-512", + "content" : "5939c9931eb9557caee3b45fe1dd9ce54cabdc4e6182ed7faac77e1a866dd0cb602bfa4ece2f3316d769913366106bd2b61bf3bb5faad1fa7d808124c06dec0f" + }, + { + "alg" : "SHA-384", + "content" : "74059fd8f61c366ed448e102256fdbd1db0d690501c2c296c80f3657a2c0d8ade3dd9533b1431cc29786bbb624195f46" + }, + { + "alg" : "SHA3-384", + "content" : "15034fb39842620bf3b152cd90bce252644ebc6a29fafd6dcf5e1f3925f09ccea2ae4e195817450f996b25a7081a9a3f" + }, + { + "alg" : "SHA3-256", + "content" : "1716630a207a8f4a83bf9ef19245f46c87d62bfebbcfa1227101e6dd51da8fa5" + }, + { + "alg" : "SHA3-512", + "content" : "c290c98c7b5825d024644ec1162804a1f9ad4da3bb5324d147ddffee6cc79e3c0ecc3825d6116502f2ca292ec80c4e7f8d49a03542dda8f4d58b0dc8228923c5" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-collections/" + }, + { + "type" : "build-system", + "url" : "https://builds.apache.org/" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/COLLECTIONS" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://git-wip-us.apache.org/repos/asf?p=commons-collections.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar" + }, + { + "group" : "com.github.package-url", + "name" : "packageurl-java", + "version" : "1.5.0", + 
"description" : "The official Java implementation of the PackageURL specification. PackageURL (purl) is a minimal specification for describing a package via a \"mostly universal\" URL.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "90856d8bb5b17e08fdf03b6a2f93b81c" + }, + { + "alg" : "SHA-1", + "content" : "e6bf530f52feab911f4032604ca0b8216f7ff337" + }, + { + "alg" : "SHA-256", + "content" : "e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247" + }, + { + "alg" : "SHA-512", + "content" : "8064df400154caa110b8845bd17e6cea2683307e575ce88e40d7c0c8965ea0af6c150a376d8b9ba7354676c41b52c94535f30c6e830447613299ccf5fc7aa959" + }, + { + "alg" : "SHA-384", + "content" : "0597100022f72e020c9d929bf57ecef91af7574610fb03b4019feba4b25f491a076f03577be2009e66d9001c4c0f8ab0" + }, + { + "alg" : "SHA3-384", + "content" : "bbdd55a31a4755ef589bcb176283fe03e3c9089d315eab577fef3a9c2d02e632c6ac3fdebbc90a2f0f8ed7974b9f397c" + }, + { + "alg" : "SHA3-256", + "content" : "c9881b69bde35ea6ff4006877b9fbf91462f911b5b142aa699a45a00867d413a" + }, + { + "alg" : "SHA3-512", + "content" : "2b9caf58deef687a9bf01abd61a7af4abdb61247a8a966683a18157ee948f1ea424602598dc8f665bf24f7e1e516866298ef0507e9d697cb20dcf60eff2095ca" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "https://opensource.org/licenses/MIT" + } + } + ], + "purl" : "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/package-url/packageurl-java" + }, + { + "type" : "build-system", + "url" : "https://travis-ci.com/package-url/packageurl-java" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/package-url/packageurl-java/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/package-url/packageurl-java.git" + } + ], + "type" : "library", + 
"bom-ref" : "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.dataformat", + "name" : "jackson-dataformat-xml", + "version" : "2.17.0", + "description" : "Data format extension for Jackson to offer alternative support for serializing POJOs as XML and deserializing XML as pojos.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "2b8f4884b06f29806a5317399cd991bb" + }, + { + "alg" : "SHA-1", + "content" : "fbe3c274a39cef5538ca8688ac7e2ad0053a6ffa" + }, + { + "alg" : "SHA-256", + "content" : "375e0e1c5cf530ac06858d4c9e674b03498644c2e7ee59f16160702ee02aabce" + }, + { + "alg" : "SHA-512", + "content" : "0d576e403958a69553bbf186db8b850daa47d99312c68932658a1d116a97c52ec3dee9ff30b9f65f614da6bee473d4faf08e577f7e435ba33384a460d343fe49" + }, + { + "alg" : "SHA-384", + "content" : "11737a9db7bfe6c2c66b5bf00a7c5c6da96d1613d1fca650be7fcb985166bcecf4de57b23892d21770001afeb40f2e25" + }, + { + "alg" : "SHA3-384", + "content" : "c4c5c06bd4af0a95e4b63f41dff4ceccf285662e90f95b0e9a0fd59700ba676ab7f080991222715fa257c33520bd892c" + }, + { + "alg" : "SHA3-256", + "content" : "e5c618225b6da5099236e37200fa492eda10d4024203764d95e01ed29a839aaa" + }, + { + "alg" : "SHA3-512", + "content" : "ff474b904215f7a328ca5b4bfb3091e6975034894f362fbf664c6ee665e621960bbea1ae46db2860932fcff7b71e6e1a9035adfaa83735cf577ca265494d39f3" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson-dataformat-xml" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-dataformat-xml/issues" + }, + { + "type" : "vcs", + "url" : 
"http://github.com/FasterXML/jackson-dataformat-xml" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar" + }, + { + "publisher" : "fasterxml.com", + "group" : "org.codehaus.woodstox", + "name" : "stax2-api", + "version" : "4.2.2", + "description" : "Stax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "6949cace015c0f408f0b846e3735d301" + }, + { + "alg" : "SHA-1", + "content" : "b0d746cadea928e5264f2ea294ea9a1bf815bbde" + }, + { + "alg" : "SHA-256", + "content" : "a61c48d553efad78bc01fffc4ac528bebbae64cbaec170b2a5e39cf61eb51abe" + }, + { + "alg" : "SHA-512", + "content" : "1c0587ecb4c5a659ce2ae1fe36ffc12636a8ecba549a29f2cf91cb4d1d36a335c05f35776f480488d40d894230389f76aeeb363887026c6ef5c565995c17b7c6" + }, + { + "alg" : "SHA-384", + "content" : "3b617db8307a081df858a4110f5b8fec51c06355762506cbc4be5557fb06959f0499f7e672103d46f71c66bae472a7bd" + }, + { + "alg" : "SHA3-384", + "content" : "22a3150713f7072962e26c286a1ef97d849b10d7f1251c56ae34252f247127b56dd189daa758c64776b4196ee0060517" + }, + { + "alg" : "SHA3-256", + "content" : "174868c81672068b42ccde35310d4dad60f457b795101e99588c28b0eebdefc2" + }, + { + "alg" : "SHA3-512", + "content" : "c88de5a2137e3b63b632ef24799a677c998b76e736407f1e8c6af85d1b6a94c76bc20d26e6cac847d8383ab6760f1b5c2ae7574fba21e1e6a96de7cdd38f0e39" + } + ], + "licenses" : [ + { + "license" : { + "id" : "BSD-2-Clause" + } + } + ], + "purl" : "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://github.com/FasterXML/stax2-api" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : 
"https://github.com/FasterXML/stax2-api/issues" + }, + { + "type" : "vcs", + "url" : "http://github.com/FasterXML/stax2-api" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.woodstox", + "name" : "woodstox-core", + "version" : "6.6.1", + "description" : "Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "003d77e2442b9f58e5eb9e34c2d018c6" + }, + { + "alg" : "SHA-1", + "content" : "586727abc793dc4cde0148c3c3b264e4f7deb5b3" + }, + { + "alg" : "SHA-256", + "content" : "5655c56e820b0140c1814ed4bddb3352efef88e33c382f3a0b51aad7ef89956c" + }, + { + "alg" : "SHA-512", + "content" : "4f6cd44c47d11d2bf1d02236f70dad8267bd9a93b9702aae31023725b48e63784025165f0cf4b290442b4a5b14dffb101db3dd8d7bca701a11c6506eb5e0788d" + }, + { + "alg" : "SHA-384", + "content" : "3708b825228da92f3b491d72f3104677241926091c3fffc6a66ba763907ff97c9dfa793aefab0a1820918f5dc5355f04" + }, + { + "alg" : "SHA3-384", + "content" : "cfb13014a414f92f84b14defe072eba4e13046839b22705e78bcad63412282cb732b4b6f22bea360df26d04aa6a8576e" + }, + { + "alg" : "SHA3-256", + "content" : "6a12bc8142518e2c74adde9d7367267a783a9b69b46536ed9cb7506a01dcbb5a" + }, + { + "alg" : "SHA3-512", + "content" : "5f6f257d5ee5995c2a7966d38ec50e1adf73b3474d2b6f6a78ab4561dbf5e629fe0eb74d9f7a5bb2f85df381ecb0d8fe816184af647b61f87f3c99eec4ae4554" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/woodstox" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/woodstox/issues" 
+ }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/woodstox" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar" + }, + { + "group" : "com.networknt", + "name" : "json-schema-validator", + "version" : "1.4.0", + "description" : "A json schema validator that supports draft v4, v6, v7, v2019-09 and v2020-12", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4d9c589b2813f03a252bcd50cf8a1507" + }, + { + "alg" : "SHA-1", + "content" : "8e7c5b0b0ed6b3eac2adfa9352ff4ca8187d9160" + }, + { + "alg" : "SHA-256", + "content" : "5d7b6ce4c7b2a3ed189511cbaa913808c7cd2b570d70b923426352785bffbdd0" + }, + { + "alg" : "SHA-512", + "content" : "e156aeb4b603023dd55c599315f22cbcbfdb00a2037c01b346324dceba583922dad29b20570a244863373545f5b77a311c0f740d3598dc4978bec6298cc613ba" + }, + { + "alg" : "SHA-384", + "content" : "5313166403f1c62732d41283f946418dec1971cdd6530a8e4495b84f67d60b96f7c50a2b8b6a63905767bea1ab0780b5" + }, + { + "alg" : "SHA3-384", + "content" : "a7cc84c4ecff22d04fa3da5d56dda9ca6253b87ab71479932c2e3da1edcfebfe176250b82abb66a9325907ab79309f96" + }, + { + "alg" : "SHA3-256", + "content" : "a45ff1fdc732d5e7c626072e84e8ba24eb0102d26380d918b8ef8707ea307c3a" + }, + { + "alg" : "SHA3-512", + "content" : "7164adfc8d496253af3d4841150fff7335f72d29523696cbcb15fb7dec2c18a74e731ad55db6c3392aee895f2b4f055a2f83414bc9ab292a49b47e17401aac55" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/networknt/json-schema-validator" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/networknt/json-schema-validator/issues" + }, + { + "type" : "vcs", + "url" : 
"https://github.com:networknt/json-schema-validator.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar" + }, + { + "group" : "com.ethlo.time", + "name" : "itu", + "version" : "1.8.0", + "description" : "Extremely fast date-time parser and formatter - RFC 3339 (ISO 8601 profile) and W3C format", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "c6680dc6496b4edc74bd3d534b8b0bfb" + }, + { + "alg" : "SHA-1", + "content" : "b31c9f9a06386b63772968424faeaf0e364ef93b" + }, + { + "alg" : "SHA-256", + "content" : "a9a567da9bf8bdcd4710fb5c4c7bc155658bb964a91637664ed7bd6e77b050c5" + }, + { + "alg" : "SHA-512", + "content" : "7df8d7b78c76e3d4c11be0b45e18561177245b0494d67dfd95be13a10b0f026cfae870fdbae7bae34bb278be73d8f28d02c175ba43863a712a73306d89b1e710" + }, + { + "alg" : "SHA-384", + "content" : "3433a20e764a82fb9ff48a4a6337b492f329015b9416465508650782db090ab275c44166a6f9a407adb3d39c0fdb7554" + }, + { + "alg" : "SHA3-384", + "content" : "863a2245e786b5906d3d9d2c59af6366a1b5a53b1770c5f2c4ac07cb9cb65e213a0695c81329ebf19cceaec289bc3fa2" + }, + { + "alg" : "SHA3-256", + "content" : "de376611b8d84c8f0b9017604d3b00bc0750f6a4b3e887bc4ea379ffbca61b56" + }, + { + "alg" : "SHA3-512", + "content" : "de8d24c29486eb900c313109662800c41f029c6b7e0246b59a0da30150d8641f121445f52df64066e51dbf083e23fe3d2f10a8b44e5a48fe7c25b52216938425" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/ethlo/itu" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com:ethlo/itu" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : 
"com.fasterxml.jackson.dataformat", + "name" : "jackson-dataformat-yaml", + "version" : "2.15.3", + "description" : "Support for reading and writing YAML-encoded data via Jackson abstractions.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "8c09fdc03a6cc2108e3e8ce14a12da24" + }, + { + "alg" : "SHA-1", + "content" : "2c928259effc818986c7e46c58de5dbfee6ae4ac" + }, + { + "alg" : "SHA-256", + "content" : "2dd70a080e8542dc5ee727387abed963fc24122cd784ab38355f87d0e08d9772" + }, + { + "alg" : "SHA-512", + "content" : "1e00f24d41a85ea0bb21ca08b1964acaf66ede60347df9bfd5de9c90e7d08dc59530cb7d6c0c138f44bbd75406ae3c0c1e7f031716a7c3d30e6cc5db14071345" + }, + { + "alg" : "SHA-384", + "content" : "8a3be2087d79b469470138b2d17fae342a57e3e7dde0aeaec9ae385b473ac2cfd871f81fd12879c41372002ccea52a3e" + }, + { + "alg" : "SHA3-384", + "content" : "701069df05a5567cb23ec1748433d76044de4ff63c5bcb07e9b145651500325910cc15b94a1a3c9aa9bd96cbed5fe168" + }, + { + "alg" : "SHA3-256", + "content" : "c73d7bbb271d9eeac7677064f1abf1879455f665df96a25acec456568c4d59e7" + }, + { + "alg" : "SHA3-512", + "content" : "3d82cb5931a382cbc87ba69fc0118af92720396cbfa6414021964b1a4799f855760243b684ee7bfd7a48f56313acc02d8051c617afc99464da75c5c2d46f1454" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson-dataformats-text" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-dataformats-text/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-dataformats-text/jackson-dataformat-yaml" + } + ], + "type" : "library", + "bom-ref" : 
"pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar" + }, + { + "group" : "org.yaml", + "name" : "snakeyaml", + "version" : "2.1", + "description" : "YAML 1.1 parser and emitter for Java", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "33cc7f2b24873e9d8af5d78a0b09bdc1" + }, + { + "alg" : "SHA-1", + "content" : "c79f47315517560b5bd6a62376ee385e48105437" + }, + { + "alg" : "SHA-256", + "content" : "69a4537045ddbcaed4c68eef074462eb12d324d7953f62c5ecd35df645e8aec9" + }, + { + "alg" : "SHA-512", + "content" : "5148ca86d6a28bd85f7ee4922d405d58fd3e61204f70b1ac3a755fa34455227ffe29f04e710596e43c48d1bce3e9c9379ca2c6fedabbc65dab7e00b4ae995823" + }, + { + "alg" : "SHA-384", + "content" : "083794a57d718dd04eda74b7994ed7608ee14b8c84034e775def46aa7242e332b45007975fecb19922b8a3a2e7a00493" + }, + { + "alg" : "SHA3-384", + "content" : "239cf654b22d97ad28224912400f635a06fe5ec7e3562f19bb38c3f3006e7b19ff3036221867c4c721184e84b880cb9c" + }, + { + "alg" : "SHA3-256", + "content" : "89cb985a9228aea9e192246c7033de3414692cfe5ae131be1e9768a8bd28f152" + }, + { + "alg" : "SHA3-512", + "content" : "68c3b32dbd60054abfa8fc73b32d14a921b76652d739585a18ec1f7209bf9190c17cee9936219b2d49c49556b3295b571f406d6d071225fcbc0012b116b7ec89" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.yaml/snakeyaml@2.1?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://bitbucket.org/snakeyaml/snakeyaml" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://bitbucket.org/snakeyaml/snakeyaml/issues" + }, + { + "type" : "vcs", + "url" : "https://bitbucket.org/snakeyaml/snakeyaml/src" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.yaml/snakeyaml@2.1?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : 
"org.apache.httpcomponents", + "name" : "httpclient", + "version" : "4.5.14", + "description" : "Apache HttpComponents Client", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "2cb357c4b763f47e58af6cad47df6ba3" + }, + { + "alg" : "SHA-1", + "content" : "1194890e6f56ec29177673f2f12d0b8e627dec98" + }, + { + "alg" : "SHA-256", + "content" : "c8bc7e1c51a6d4ce72f40d2ebbabf1c4b68bfe76e732104b04381b493478e9d6" + }, + { + "alg" : "SHA-512", + "content" : "a084ef30fb0a2a25397d8fab439fe68f67e294bf53153e2e1355b8df92886d40fe6abe35dc84f014245f7158e92641bcbd98019b4fbbd9e5a0db495b160b4ced" + }, + { + "alg" : "SHA-384", + "content" : "c8ccaa1fa8ba7c421413e3c30375bd9c31284e837c476fd831e18043ad4187e92166f49554123108891241bed674b95d" + }, + { + "alg" : "SHA3-384", + "content" : "9a17dfcf12b2af3a9b006ec369f9bc78ba322348bf1a01146e0d4f3fec2bed6cbe8b2193fac5b4d5a0c3036c06477510" + }, + { + "alg" : "SHA3-256", + "content" : "48f0a61b691e22dec9d6db8e0b58be4ca17a42a2846c82f0875de21f72bb0faa" + }, + { + "alg" : "SHA3-512", + "content" : "4ad2c9adc761b7e813330f0dcad3f9978702896c7d0cbf81f60a472d550e320b1527be425ba597c8c9352d587e32e1d46ceb4c73e99c70a6190df4c699a7c2a9" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://hc.apache.org/httpcomponents-client-ga" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/HTTPCLIENT" + }, + { + "type" : "mailing-list", + "url" : "http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/" + }, + { + "type" : "vcs", + "url" : "https://github.com/apache/httpcomponents-client/tree/4.5.14/httpclient" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar" 
+ }, + { + "publisher" : "The Apache Software Foundation", + "group" : "org.apache.httpcomponents", + "name" : "httpcore", + "version" : "4.4.16", + "description" : "Apache HttpComponents Core (blocking I/O)", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "28d2cd9bf8789fd2ec774fb88436ebd1" + }, + { + "alg" : "SHA-1", + "content" : "51cf043c87253c9f58b539c9f7e44c8894223850" + }, + { + "alg" : "SHA-256", + "content" : "6c9b3dd142a09dc468e23ad39aad6f75a0f2b85125104469f026e52a474e464f" + }, + { + "alg" : "SHA-512", + "content" : "168026436a6bcf5e96c0c59606638abbdc30de4b405ae55afde70fdf2895e267a3d48bba6bdadc5a89f38e31da3d9a9dc91e1cab7ea76f5e04322cf1ec63b838" + }, + { + "alg" : "SHA-384", + "content" : "ba9ceaee1a37ca3201d6a1315ecb0327b495489efd0baa155c219c475df8d3eb69fe77ab0026563db406497626da6562" + }, + { + "alg" : "SHA3-384", + "content" : "b9dc44dcc7cc86d5036f26d54c4003a2d72808ae7b07a0808bb53505c6d4281b5ad213eb1f3d0fef1113dec57cb0dfe1" + }, + { + "alg" : "SHA3-256", + "content" : "fd8ab51846476c6c18822151c9ec07b39a9633010b5d20ea937fc6910407bc64" + }, + { + "alg" : "SHA3-512", + "content" : "b42fa528242981a9d70e4f68ab75a24292df5112c44c21b6f18cb9201ce747885ba1d4dc69bc3d14d0da46a6c2638f937c11bc45749abeb55dc89ddada90cdda" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://hc.apache.org/httpcomponents-core-ga" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/HTTPCORE" + }, + { + "type" : "mailing-list", + "url" : "http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/" + }, + { + "type" : "vcs", + "url" : "https://github.com/apache/httpcomponents-core/tree/4.4.16/httpcore" + } + ], + "type" : "library", + 
"bom-ref" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "commons-logging", + "name" : "commons-logging", + "version" : "1.2", + "description" : "Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "040b4b4d8eac886f6b4a2a3bd2f31b00" + }, + { + "alg" : "SHA-1", + "content" : "4bfc12adfe4842bf07b657f0369c4cb522955686" + }, + { + "alg" : "SHA-256", + "content" : "daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636" + }, + { + "alg" : "SHA-512", + "content" : "ed00dbfabd9ae00efa26dd400983601d076fe36408b7d6520084b447e5d1fa527ce65bd6afdcb58506c3a808323d28e88f26cb99c6f5db9ff64f6525ecdfa557" + }, + { + "alg" : "SHA-384", + "content" : "ac20720d7156131478205f1b454395abf84cfc8da2f163301af32f63bd3c4764bd26cb54ed53800f33193ae591f3ce9c" + }, + { + "alg" : "SHA3-384", + "content" : "628eb4407e95dca84da1a06b08a6d9b832a49de8472b1b217e8607f08efeeed18b996232d64dd07f03e78e0e3bb4b078" + }, + { + "alg" : "SHA3-256", + "content" : "9aab62deccf156ee6e324c925dfc30ecb53e8465802863a551901a461424e807" + }, + { + "alg" : "SHA3-512", + "content" : "3fd76857f6d20c03799537cc961c1c4ddf1c375c6c192fb982363e3b9397ba138b77f24ef38b4202f44e37586789c0320e4de18fdadd2772304fd14a9b26d552" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/commons-logging/commons-logging@1.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://commons.apache.org/proper/commons-logging/" + }, + { + "type" : "build-system", + "url" : "https://continuum-ci.apache.org/" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/LOGGING" + }, + { + "type" : "mailing-list", 
+ "url" : "http://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "http://svn.apache.org/repos/asf/commons/proper/logging/trunk" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/commons-logging/commons-logging@1.2?type=jar" + }, + { + "publisher" : "Apache Software Foundation", + "group" : "org.freemarker", + "name" : "freemarker", + "version" : "2.3.32", + "description" : "FreeMarker is a \"template engine\"; a generic tool to generate text output based on templates.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "22624adfe32b76fe3be07a84de4e1c03" + }, + { + "alg" : "SHA-1", + "content" : "8607259125d4fbe982754227ea4f75dd513c6d19" + }, + { + "alg" : "SHA-256", + "content" : "04d65ec1bde6cea20e3495d5e78ef96ab774d9936434861d3254bd88e7e94f92" + }, + { + "alg" : "SHA-512", + "content" : "934c6c2bf47c1b88b1f81c25294cd83f5105f90f565e1fce75a09a54e51424fb8335542a6d5c3eb9df19dbc0007e869e9b6aebaf37880eac09759529dc0c5ca7" + }, + { + "alg" : "SHA-384", + "content" : "6fefe48f8aa5b570695ba5bdbed36a35b59b24673c0977890edf1eda68792a7001946e422cf56b0f5138edb247fac0dc" + }, + { + "alg" : "SHA3-384", + "content" : "3d21e14024108b2c89f2acd0de306a8f31cea67f55d7c5fa5ceb84a6bca0d52672179b1042a4f313aabacaf020e130b2" + }, + { + "alg" : "SHA3-256", + "content" : "91fb6edbf9930b9e21c290784b08e5b5a67ff94a4b8e34c47c0bc6f6d81619c7" + }, + { + "alg" : "SHA3-512", + "content" : "8df650d10a408d90ae0b20dc8c88bfa46309ab7287f0d16c5c9f60f113760a789aadd739080285343db9b3405084ef9049ad6e80b88f74fe8a8924ec741817cb" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://freemarker.apache.org/" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : 
"https://issues.apache.org/jira/browse/FREEMARKER/" + }, + { + "type" : "mailing-list", + "url" : "http://mail-archives.apache.org/mod_mbox/freemarker-dev/" + }, + { + "type" : "vcs", + "url" : "https://git-wip-us.apache.org/repos/asf?p=freemarker.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar" + }, + { + "group" : "com.google.guava", + "name" : "guava", + "version" : "33.2.0-jre", + "description" : "Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "8cc9e39ba1958ebca928d158806e0802" + }, + { + "alg" : "SHA-1", + "content" : "e264781dadc4967e5292f3c4d05f1d153631f7b4" + }, + { + "alg" : "SHA-256", + "content" : "99f491e86262ce38d13b3581d40f77acdb4696a9505447c3154474c3192908dd" + }, + { + "alg" : "SHA-512", + "content" : "21e981521598e95253df40e5390daab48fc5e2475d55306828b523d5a09f637c846aed1f826f85c3c2e2d9e0dd3d9c291afb4eb5349c3b54f4e9e5810340f022" + }, + { + "alg" : "SHA-384", + "content" : "82e3969b23c331d56b303fed8211606b7dc3ee4a5b55d105aef7979d98f36e46b498daf01a82c1c0263732e2101b0dde" + }, + { + "alg" : "SHA3-384", + "content" : "76b17f8047e46fa454657fafe61dd146b2072a2f16da501d950c808e83d7b1b08a306b5ab8e4a3f7e8efd5c3005d6f76" + }, + { + "alg" : "SHA3-256", + "content" : "aba97665a95287c30c69932dd5351060bcf1b819d92450b470997e6311df3f25" + }, + { + "alg" : "SHA3-512", + "content" : "a41d7c6b58809bc913278416530572c5affc43f1559f58271d055cdfb233af94c1661be8cb0c0ca4ddf3fb5f3a5e86c4e9b1c455e7ec6b9955f809925d1b1c00" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/guava" + }, + { + "type" : "build-system", + "url" : "https://github.com/google/guava/actions" + }, + { + "type" : 
"distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/google/guava/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/guava/guava" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar" + }, + { + "group" : "com.google.guava", + "name" : "failureaccess", + "version" : "1.0.2", + "description" : "Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "3f75955b49b6758fd6d1e1bd9bf777b3" + }, + { + "alg" : "SHA-1", + "content" : "c4a06a64e650562f30b7bf9aaec1bfed43aca12b" + }, + { + "alg" : "SHA-256", + "content" : "8a8f81cf9b359e3f6dfa691a1e776985c061ef2f223c9b2c80753e1b458e8064" + }, + { + "alg" : "SHA-512", + "content" : "ff4ee76aa661708989d53d45576cff3beea9ebbd86481dbbf2ee8c81bb22f882097b430588312b711025f0e890f22c6799d722ccd422a6a7278de08660fe2f51" + }, + { + "alg" : "SHA-384", + "content" : "85a7bd379da27ad57a4e5c02099fef206083caa52244597ac858a921b48e2912cfa7ef0e7d0c7a10ab2dd8d0f7d6ada0" + }, + { + "alg" : "SHA3-384", + "content" : "652b22d09b297320e62ac254801e7d3a0fd2a8038461c5cbf7a53a27d681f62b768b964aa62c864453c4e7af217c8c4a" + }, + { + "alg" : "SHA3-256", + "content" : "a650b2f7982affc2dbb7e2807fbb0fbf58b74fd8dc111cc6dc5e95a00179b7e3" + }, + { + "alg" : "SHA3-512", + "content" : "2c5ee7629a8fb1c952f437b80fcd1cff86c54ff81de02eda1eb73c0bbfe38d3f072946f8c6396c7f1e46e16a6d44ad393dfe6fd2dd96f75ebb854263d36bb193" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + 
], + "purl" : "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/guava/failureaccess" + }, + { + "type" : "build-system", + "url" : "https://travis-ci.org/google/guava" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/google/guava/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/guava/failureaccess" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar" + }, + { + "group" : "com.google.guava", + "name" : "listenablefuture", + "version" : "9999.0-empty-to-avoid-conflict-with-guava", + "description" : "An empty artifact that Guava depends on to signal that it is providing ListenableFuture -- but is also available in a second \"version\" that contains com.google.common.util.concurrent.ListenableFuture class, without any other Guava classes. The idea is: - If users want only ListenableFuture, they depend on listenablefuture-1.0. - If users want all of Guava, they depend on guava, which, as of Guava 27.0, depends on listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-... version number is enough for some build systems (notably, Gradle) to select that empty artifact over the \"real\" listenablefuture-1.0 -- avoiding a conflict with the copy of ListenableFuture in guava itself. If users are using an older version of Guava or a build system other than Gradle, they may see class conflicts. 
If so, they can solve them by manually excluding the listenablefuture artifact or manually forcing their build systems to use 9999.0-....", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "d094c22570d65e132c19cea5d352e381" + }, + { + "alg" : "SHA-1", + "content" : "b421526c5f297295adef1c886e5246c39d4ac629" + }, + { + "alg" : "SHA-256", + "content" : "b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99" + }, + { + "alg" : "SHA-512", + "content" : "c5987a979174cbacae2e78b319f080420cc71bcdbcf7893745731eeb93c23ed13bff8d4599441f373f3a246023d33df03e882de3015ee932a74a774afdd0782f" + }, + { + "alg" : "SHA-384", + "content" : "caff9b74079f95832ca7f6029346b34b606051cc8c5a4389fac263511d277ada0c55f28b0d43011055b268c6eb7184d5" + }, + { + "alg" : "SHA3-384", + "content" : "e939f08df0545847ea0d3e4b04a114b08499ad069ba8ec9461d1779f87a56e0c37273630a0f4c14e78c348d3ac7eb97f" + }, + { + "alg" : "SHA3-256", + "content" : "1f0a8b1177773b3a8ace839df5eed63cbf56b24a38714898a6e4ed065c42559f" + }, + { + "alg" : "SHA3-512", + "content" : "6b495ecc2a18b17365cb08d124a0da47f04bcdde81927b5245edf3edd8e498c3c3fb92ce6a4127f660bac851bb1d3e4510e5c20d03be47ce99dc296d360db285" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/guava/listenablefuture" + }, + { + "type" : "build-system", + "url" : "https://travis-ci.org/google/guava" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/google/guava/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/guava/listenablefuture" + } + ], + "type" : "library", + "bom-ref" : 
"pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar" + }, + { + "group" : "com.google.code.findbugs", + "name" : "jsr305", + "version" : "3.0.2", + "description" : "JSR305 Annotations for Findbugs", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "dd83accb899363c32b07d7a1b2e4ce40" + }, + { + "alg" : "SHA-1", + "content" : "25ea2e8b0c338a877313bd4672d3fe056ea78f0d" + }, + { + "alg" : "SHA-256", + "content" : "766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7" + }, + { + "alg" : "SHA-512", + "content" : "bb09db62919a50fa5b55906013be6ca4fc7acb2e87455fac5eaf9ede2e41ce8bbafc0e5a385a561264ea4cd71bbbd3ef5a45e02d63277a201d06a0ae1636f804" + }, + { + "alg" : "SHA-384", + "content" : "ca0b169d3eb2d0922dc031133a021f861a043bb3e405a88728215fd6ff00fa52fdc7347842dcc2031472e3726164bdc4" + }, + { + "alg" : "SHA3-384", + "content" : "9903fd7505218999f8262efedb3d935d64bcef84aae781064ab5e1b24755466b269517cada562fa140cd1d417ede57a1" + }, + { + "alg" : "SHA3-256", + "content" : "223fda9a89a461afaae73b177a2dc20ed4a90f2f8757f5c65f3241b0510f00ff" + }, + { + "alg" : "SHA3-512", + "content" : "3996b5af57a5d5c6a0cd62b11773360fb051dd86a2ba968476806a2a5d32049b82d69a24a3c694e8fe4d735be6a28e41000cc500cc2a9fb577e058045855d2d6" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://findbugs.sourceforge.net/" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://code.google.com/p/jsr-305/" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar" + }, + { + "group" : "org.checkerframework", + "name" : "checker-qual", + "version" : "3.42.0", + "description" : "checker-qual contains annotations (type 
qualifiers) that a programmer writes to specify Java code for type-checking by the Checker Framework.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4c55448dcbfe9c3702f7758fc8fe0086" + }, + { + "alg" : "SHA-1", + "content" : "638ec33f363a94d41a4f03c3e7d3dcfba64e402d" + }, + { + "alg" : "SHA-256", + "content" : "ccaedd33af0b7894d9f2f3b644f4d19e43928e32902e61ac4d10777830f5aac7" + }, + { + "alg" : "SHA-512", + "content" : "85f66a42a079b4578256b5b6daa4b1ba5aa684614982cab2c9cd83324f2c3fcdde420de6ad51b2f439c4c809be10b376f80f5a45110a1ee6caa59e6298c0ec95" + }, + { + "alg" : "SHA-384", + "content" : "1ee2061f8da04e77b577030edc21904b0700aceb241fcb5a549767d44c9b71267217850dc89aca41e65d188e148f8d58" + }, + { + "alg" : "SHA3-384", + "content" : "5d89ffdcafb432d84503340827bc6fae5f6fc290fde59c1eb491996c15fd92ad00dfd1e781d8c9d6ef4ca9c4f3e5b264" + }, + { + "alg" : "SHA3-256", + "content" : "25c061a632fc0263f974761afad7f4209dd6582a461f3049e39d260640308393" + }, + { + "alg" : "SHA3-512", + "content" : "75a743fb2577bb3252de16a86cf10922626689e75918136c83caa3a26db669f7c770779cfb9b9003ba5b181ffc9f7d871ab250cccfc4ff19e587a0384b448929" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT" + } + } + ], + "purl" : "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://checkerframework.org/" + }, + { + "type" : "vcs", + "url" : "https://github.com/typetools/checker-framework.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar" + }, + { + "publisher" : "Google LLC", + "group" : "com.google.errorprone", + "name" : "error_prone_annotations", + "version" : "2.26.1", + "description" : "Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "64c623e550068e3b2708e5d901865c56" + }, + { + "alg" : "SHA-1", 
+ "content" : "c1fde57694bdc14e8618899aaa6e857d9465d7de" + }, + { + "alg" : "SHA-256", + "content" : "de25f2d9a2156529bd765f51d8efdfc0dfa7301e04efb9cc75b7f10cf5d0e0fb" + }, + { + "alg" : "SHA-512", + "content" : "b29d69c3f61084f26f23bc7da138519161f3b33584d97b38e7448c303a1c0b42299fa0371552ad7e1f0be65ca1c69f3b6958cc28ff208a4f49c6456a442ab6ee" + }, + { + "alg" : "SHA-384", + "content" : "98c9da460debd77b7f60ad9ec4179913f93137f7116a597bd18bcd5bb7df4473176052e794228145cff2a6fc6c14e6e8" + }, + { + "alg" : "SHA3-384", + "content" : "d1a4c251bc77c1b6dbf164f6776c562453e287a76b5395ed69d514edc585b1f5f3d3924b234731f89e00eab68445f147" + }, + { + "alg" : "SHA3-256", + "content" : "641d97c7aa2cb5e8b3f9bf2cc1f5a88e506eec116bf952563d013b04d4f0789a" + }, + { + "alg" : "SHA3-512", + "content" : "9775c1b1c7303187f5b15bcf129c6d5e047436b9b664713f1fb6deb4abd97e0ea6d1186714d863adc4b3b73f7fb4dbf450459397f6f124957839a25e9cb69092" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://errorprone.info/error_prone_annotations" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/error-prone/error_prone_annotations" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar" + }, + { + "group" : "com.google.j2objc", + "name" : "j2objc-annotations", + "version" : "3.0.0", + "description" : "A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "f59529b29202a5baf37f491ea5ec8627" + }, + { + "alg" : "SHA-1", + "content" : "7399e65dd7e9ff3404f4535b2f017093bdb134c7" + }, + { + "alg" : "SHA-256", + "content" : "88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64" + }, + { + "alg" : "SHA-512", + 
"content" : "1406b1aa53b19f8269129d96ce8b64bf36f215eacf7d8f1e0adadee31614e53bb3f7acf4ff97418c5bfc75677a6f3cd637c3d9889d1e85117b6fa12467c91e9f" + }, + { + "alg" : "SHA-384", + "content" : "24373643a4e2f8e1cf919d495e1e79b24dd9dbbbeecb06477be8764313f0b3b465fde74ea2cf5542fc8cba090132052f" + }, + { + "alg" : "SHA3-384", + "content" : "afa264c8d8d946e43438ae728f0ae7a2c12797b56f9ad885d5b3e9a7396eb8481ca6840c2a990a7c5da45968794b36d8" + }, + { + "alg" : "SHA3-256", + "content" : "4df89618b479d5fbede9363c6f914218a44007f48f29c6b6d58243558ced6152" + }, + { + "alg" : "SHA3-512", + "content" : "b25b2ad8dddeed8757ffe22a96cfa7511617d86baa0ed4a25b1850162b54e1132d40dbc2dfca0a6ff0a350b16628a0d2b523418eeb8f986e0f505833da4f7181" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/j2objc/" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "http://github.com/google/j2objc" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.core", + "name" : "jackson-core", + "version" : "2.15.2", + "description" : "Core Jackson processing abstractions (aka Streaming API), implementation for JSON", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "e51fdee85b48e6637ad9e85ee76b58df" + }, + { + "alg" : "SHA-1", + "content" : "a6fe1836469a69b3ff66037c324d75fc66ef137c" + }, + { + "alg" : "SHA-256", + "content" : "303c99e82b1faa91a0bae5d8fbeb56f7e2adf9b526a900dd723bf140d62bd4b4" + }, + { + "alg" : "SHA-512", + "content" : "a8a3ddf5c8a732fc3810f9c113d88fd59bf613d15dbf9d3e24dd196b2b8c2195f4088375e3d03906f2629e62983fef3267b5478abd5ab1df733ec58cd00efae6" + }, + { + 
"alg" : "SHA-384", + "content" : "22f4b71de5860b9c54dd85091d5b1312f7f5097a376f68f5a35b32a342858bf2e24ed394d76be0648545a6137d78b82e" + }, + { + "alg" : "SHA3-384", + "content" : "bf7f6d6d6898978d2ca11e924f0268a90adbb6f6f88b1402e7c96b6fba76ff4e7d83ba163d10b1c551443c3b3cdef9d2" + }, + { + "alg" : "SHA3-256", + "content" : "fa5ecb4b5ab9884403d5001dd368be876e10daf90e91fccfdf6fb21f14563c15" + }, + { + "alg" : "SHA3-512", + "content" : "1e8648a4c8aac64f0f71787ec6dd4693a30fe0e3c1fb78ce12b2a1865d17d7f9788c085ed1ac1216e45c05f582a0764d8fee44cf18cc90403846d255fe778c7b" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson-core" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-core/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-core" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.core", + "name" : "jackson-annotations", + "version" : "2.15.2", + "description" : "Core annotations used for value types, used by Jackson data binding package.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "71dabcaac955a8bd17b5bba6580aac5b" + }, + { + "alg" : "SHA-1", + "content" : "4724a65ac8e8d156a24898d50fd5dbd3642870b8" + }, + { + "alg" : "SHA-256", + "content" : "04e21f94dcfee4b078fa5a5f53047b785aaba69d19de392f616e7a7fe5d3882f" + }, + { + "alg" : "SHA-512", + "content" : "c9ffb4cf3e409921bca1fa6126ca8746c611042ac3fcf0e4f991d23d12b20ef0946ef1421d991ae8ed86012059df4e08fb776d96db6d13147c2ec85e22254537" + }, + { + "alg" : "SHA-384", + "content" 
: "78885119a700d5dd717fc83e58bf063e1fd07bc823846b6797af6a04a99e92e8fbcf28c3a1316079e6695c138c110deb" + }, + { + "alg" : "SHA3-384", + "content" : "f5b8fcedd6d34427bbe32b1c6082b49d9ded5a00b69549cd6722ffad7d87f3e90b48ddc74a8bd0dec1987ebac73df3a7" + }, + { + "alg" : "SHA3-256", + "content" : "b4e4df4be6fe975483027aef5d4df099d8bf6dd5974118d118a47775d5f75a88" + }, + { + "alg" : "SHA3-512", + "content" : "d10fdee33fe005f9941851117e7021fae066ca3ddf2ccbbd048dae103f3cb540e11116ba53fe48b34bbab6fcfe09a6cbc6c50d1bc74893509e8b93a6c6f2c517" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-annotations/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-annotations" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.core", + "name" : "jackson-databind", + "version" : "2.15.2", + "description" : "General data-binding functionality for Jackson: works on core streaming API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "20ac0d0526a456274409fa852eb74087" + }, + { + "alg" : "SHA-1", + "content" : "9353b021f10c307c00328f52090de2bdb4b6ff9c" + }, + { + "alg" : "SHA-256", + "content" : "0eb2fdad6e40ab8832a78c9b22f58196dd970594e8d3d5a26ead87847c4f3a96" + }, + { + "alg" : "SHA-512", + "content" : "edf622f3d2bb2cdf308875e467f28eafdd581c6ad47992a2b49a2c803b597c7fe4330c8f887687599c8a6a529d8b11054f8b354b7ddddd2bf904ef347d4f1cd2" + }, + { + "alg" : "SHA-384", + "content" : 
"cced300ea06748cc30cdabf1a0a8e45749d3d2a52740975acd858bd13b83458d535a52fc4cc0eb8991ebd3638b9688ec" + }, + { + "alg" : "SHA3-384", + "content" : "c4a29f5075cc31b52aabfc8f656ee761b075954fe89469e76aef7a563d93ee71653310967b68f89ce25ed26241c0bda9" + }, + { + "alg" : "SHA3-256", + "content" : "400677b87f766708abe38aea66c8564cb422cd271208e926a0c2eac99b64cd92" + }, + { + "alg" : "SHA3-512", + "content" : "0a02353d0afa97f7cb85f1f81ee221cf4425fbde1e2d1b6b7bd8fe0d5d2fcb5dbba8b6fe9c79b500c71fdac8accb77eccebe0853fd8c37bd34aa578796b8a81a" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-databind/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-databind" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar" + }, + { + "publisher" : "QOS.ch", + "group" : "org.slf4j", + "name" : "slf4j-api", + "version" : "2.0.13", + "description" : "The slf4j API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "7f4028aa04f75427327f3f30cd62ba4e" + }, + { + "alg" : "SHA-1", + "content" : "80229737f704b121a318bba5d5deacbcf395bc77" + }, + { + "alg" : "SHA-256", + "content" : "e7c2a48e8515ba1f49fa637d57b4e2f590b3f5bd97407ac699c3aa5efb1204a9" + }, + { + "alg" : "SHA-512", + "content" : "b4eeb5757118e264ec7f107d879270784357380d6f53471b7874dd7e0166fdf5686a95eb66bab867abbe9536da032ab052e207165211391c293cbf6178431fb6" + }, + { + "alg" : "SHA-384", + "content" : "b67cbb4ef32141423000dd4e067bf32e0c1dd2c4689c611522b9fedfc1744513175a22f4b1276f2cec4721c9467cf882" + }, + { + 
"alg" : "SHA3-384", + "content" : "817fc9641f4fc52bfd76006886c6eba975f6f09b2a7cc59334729a8cc033807c8e89be9ec4309acfc16ed65ff6eee018" + }, + { + "alg" : "SHA3-256", + "content" : "f26080cceb5a2e605f3844d6dc8dd3f14c543cb14510765d841d71a64fa454dc" + }, + { + "alg" : "SHA3-512", + "content" : "00646c78d65ec854e157638f40735f1888aa585ede59915d58386c599c2fe54ec8c1da73284aeff00ce3142165e33c4c995ad39d08843c31e9e4d7e32c746836" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "https://opensource.org/licenses/MIT" + } + } + ], + "purl" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.slf4j.org" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar" + }, + { + "publisher" : "QOS.ch", + "group" : "org.slf4j", + "name" : "slf4j-api", + "version" : "2.0.13", + "description" : "The slf4j API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "7f4028aa04f75427327f3f30cd62ba4e" + }, + { + "alg" : "SHA-1", + "content" : "80229737f704b121a318bba5d5deacbcf395bc77" + }, + { + "alg" : "SHA-256", + "content" : "e7c2a48e8515ba1f49fa637d57b4e2f590b3f5bd97407ac699c3aa5efb1204a9" + }, + { + "alg" : "SHA-512", + "content" : "b4eeb5757118e264ec7f107d879270784357380d6f53471b7874dd7e0166fdf5686a95eb66bab867abbe9536da032ab052e207165211391c293cbf6178431fb6" + }, + { + "alg" : "SHA-384", + "content" : "b67cbb4ef32141423000dd4e067bf32e0c1dd2c4689c611522b9fedfc1744513175a22f4b1276f2cec4721c9467cf882" + }, + { + "alg" : "SHA3-384", + "content" : "817fc9641f4fc52bfd76006886c6eba975f6f09b2a7cc59334729a8cc033807c8e89be9ec4309acfc16ed65ff6eee018" + }, + { + "alg" : "SHA3-256", + "content" : 
"f26080cceb5a2e605f3844d6dc8dd3f14c543cb14510765d841d71a64fa454dc" + }, + { + "alg" : "SHA3-512", + "content" : "00646c78d65ec854e157638f40735f1888aa585ede59915d58386c599c2fe54ec8c1da73284aeff00ce3142165e33c4c995ad39d08843c31e9e4d7e32c746836" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "https://opensource.org/licenses/MIT" + } + }, + { + "license" : { + "id" : "GNU Lesser General Public License", + "url" : "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html" + } + } + ], + "purl" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.slf4j.org" + }, + { + "type" : "distribution", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar" + } + ], + "dependencies" : [ + { + "ref" : "pkg:maven/de.medavis/license-compliance-tool-core@1.4.0?type=jar", + "dependsOn" : [ + "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", + "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar", + "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", + "dependsOn" : [ + "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar", + "pkg:maven/commons-io/commons-io@2.16.0?type=jar", + "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar", + "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar", + "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar", + "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar", + "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar" + ] + }, + { + "ref" : "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar", + "dependsOn" : [ ] + }, 
+ { + "ref" : "pkg:maven/commons-io/commons-io@2.16.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar", + "dependsOn" : [ + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", + "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "dependsOn" : [ + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar", + "dependsOn" : [ + "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar", + "dependsOn" : [ + "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar", + "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar" + ] + }, + 
{ + "ref" : "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar", + "dependsOn" : [ + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "pkg:maven/org.yaml/snakeyaml@2.1?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.yaml/snakeyaml@2.1?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "dependsOn" : [ + "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "pkg:maven/commons-logging/commons-logging@1.2?type=jar", + "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/commons-logging/commons-logging@1.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar", + "dependsOn" : [ + "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar", + "pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar", + "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar", + "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar", + "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar", + "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar", + 
"dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar", + "dependsOn" : [ ] + } + ] +} \ No newline at end of file diff --git a/core/src/test/resources/asset/test-bom-unsupported-version.json b/core/src/test/resources/asset/test-bom-unsupported-version.json new file mode 100644 index 0000000..a956b6b --- /dev/null +++ b/core/src/test/resources/asset/test-bom-unsupported-version.json 
@@ -0,0 +1,2325 @@ +{ + "bomFormat" : "CycloneDX", + "specVersion" : "999", + "serialNumber" : "urn:uuid:a66af8e4-6341-367b-8061-cfe766fd36d7", + "version" : 1, + "metadata" : { + "timestamp" : "2024-05-16T12:11:08Z", + "lifecycles" : [ + { + "phase" : "build" + } + ], + "tools" : [ + { + "vendor" : "OWASP Foundation", + "name" : "CycloneDX Maven plugin", + "version" : "2.8.0", + "hashes" : [ + { + "alg" : "MD5", + "content" : "76ffec6a7ddd46b2b24517411874eb99" + }, + { + "alg" : "SHA-1", + "content" : "5b0d5b41975b53be4799b9621b4af0cfc41d44b6" + }, + { + "alg" : "SHA-256", + "content" : "6852aa0f4e42a2db745bab80e384951a6a65b9215d041081d675780999027e81" + }, + { + "alg" : "SHA-512", + "content" : "417de20fcdcb11c9713bacbd57290d8e68037fdb4553fd31b8cb08bd760ad52dc65ea88ad4be15844ad3fd5a4d3e440d2f70326f2fe1e63ec78e059c9a883f8d" + }, + { + "alg" : "SHA-384", + "content" : "5eb755c6492e7a7385fa9a1e1f4517875bcb834b2df437808a37a2d6f5285df428741762305980315a63fcef1406597d" + }, + { + "alg" : "SHA3-384", + "content" : "0fe16a47cf7aab0b22251dafcc39939b68e8f1778093309d8d2060b51a08df445a8b8ed5a9561669faf2e55f907c76d8" + }, + { + "alg" : "SHA3-256", + "content" : "3e5a1eb5ab7d0797498862794709ff8eaaa071fe4cc9ec77f52db7e2f97ef487" + }, + { + "alg" : "SHA3-512", + "content" : "59281a3e29e76270d7f44b40b5b9f05e55f1ae3ec716d80add806f360940809e3813998ac7c5758043b8e248aed73b86e37dc506cdb4cde03c16bb617d8e5a3a" + } + ] + } + ], + "component" : { + "publisher" : "medavis GmbH", + "group" : "de.medavis", + "name" : "license-compliance-tool-core", + "version" : "1.4.0", + "description" : "Generate component manifest and license files for compliance with licenses of third-party software", + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/de.medavis/license-compliance-tool-core@1.4.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/medavis-gmbh/LicenseComplianceTool/license-compliance-tool-core" + }, + { 
+ "type" : "vcs", + "url" : "https://github.com/medavis-gmbh/LicenseComplianceTool/license-compliance-tool-core" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/de.medavis/license-compliance-tool-core@1.4.0?type=jar" + }, + "properties" : [ + { + "name" : "maven.goal", + "value" : "makeBom" + }, + { + "name" : "maven.scopes", + "value" : "compile,provided,runtime,system" + } + ] + }, + "components" : [ + { + "publisher" : "OWASP Foundation", + "group" : "org.cyclonedx", + "name" : "cyclonedx-core-java", + "version" : "9.0.0", + "description" : "The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "2837ddac6fee046943d57512258f96f8" + }, + { + "alg" : "SHA-1", + "content" : "1874c9d985996aba2423acd60f0c3ca7791fec51" + }, + { + "alg" : "SHA-256", + "content" : "3c1db2f3f0ac2e509a2002a2ecc26252a9ddeec79fa0dc06c5246a239754668d" + }, + { + "alg" : "SHA-512", + "content" : "32fee8810da29e6cb21bf763754a45b213910efd4a3ca89d679cf140032e7b2a54f85af9189c9328f9cad7dda1e1cbea13017283800d36e93ceb867bc033182e" + }, + { + "alg" : "SHA-384", + "content" : "61569e8c67c6a3ab43e2a3753f1248e44cbb45898e9d246b179cc07988555114135e354f9a34f04571f23106dfaad851" + }, + { + "alg" : "SHA3-384", + "content" : "587ba744e0701fb7ec9c24566d27385541e3a40f2c9faf19a3d1c455367410cc8092d102ebd9bb21c86c8e1132305787" + }, + { + "alg" : "SHA3-256", + "content" : "258882568c14579249e5b456431112c6bf5cbe2c46752425f321cefd2adb8a12" + }, + { + "alg" : "SHA3-512", + "content" : "76fda5ab0706289f02d0e2e8e1d604f40618ec18cb28ee20a3bb4619a617c6607822b88673ab391e61fc1dfbe14913ce67878c7aa44c013bb78f0aa9a06b9838" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", + "externalReferences" : [ + 
{ + "type" : "website", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java" + }, + { + "type" : "build-system", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/CycloneDX/cyclonedx-core-java.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "commons-codec", + "name" : "commons-codec", + "version" : "1.17.0", + "description" : "The Apache Commons Codec component contains encoder and decoders for various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "ca1f080782f7e77cb3aec451e7a7f02d" + }, + { + "alg" : "SHA-1", + "content" : "0dbe8eef6e14460e73da07f7b11bf994d6626355" + }, + { + "alg" : "SHA-256", + "content" : "f700de80ac270d0344fdea7468201d8b9c805e5c648331c3619f2ee067ccfc59" + }, + { + "alg" : "SHA-512", + "content" : "cb9c3b2055d0b31d106293f0bc3696f90a11a30953e5b05a1a3c453e98a563475c93d7c6d1707e75f59d0806fba5fd8e4486b8bd72e58bb6ae995bdbbeeb7e17" + }, + { + "alg" : "SHA-384", + "content" : "a0fd174b2f8a21b43828371a7ee03c915b79e69d7b0e16cfe6367f794e2f8e6bbebc261e8a4ba35a79779b2338a774a4" + }, + { + "alg" : "SHA3-384", + "content" : "803fb227bd6770cc21c701b9529606f95ba05c30ea3d807b18b3681fde0c7cabd0e2f40ab36567832f63e0c42b77d0f2" + }, + { + "alg" : "SHA3-256", + "content" : "41b9b86fd0b19ff44d19d108302d7b0111ed86d07a65a90efe1023537fad8748" + }, + { + "alg" : "SHA3-512", + "content" : 
"eaacc9eafccf4bda0c72c5151dbd7e99954842782c91b501af8c7ca462a04b6c59d7ab8e1ef43b3ebc1b12ca62f4574544bc31df10f33f4a15cd3c3399bd808b" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-codec/" + }, + { + "type" : "build-system", + "url" : "https://github.com/apache/commons-parent/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/CODEC" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://github.com/apache/commons-codec" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "commons-io", + "name" : "commons-io", + "version" : "2.16.0", + "description" : "The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4e115587dca5dd3c178e7c8f17a371b3" + }, + { + "alg" : "SHA-1", + "content" : "27875a7935f1ddcc13267eb6fae1f719e0409572" + }, + { + "alg" : "SHA-256", + "content" : "d1e417901235fae3aa0cb9736baeaf5b74de7349817d1c72390d82e3d83d3a97" + }, + { + "alg" : "SHA-512", + "content" : "afba6cc8fdef9d347aaccb3bff327ba8e2c17135989cf01179fdb2e3ca8d0afdce37defb08659eb1e99b8730e2baaaec95c7d3599f7ebf526c97c8edc477b852" + }, + { + "alg" : "SHA-384", + "content" : "0413eda39746809f3c7ce44336f6d88d8d72e2781db4b74c98a206f34b94639a39024697fde25f310edda8cf628fd376" + }, + { + "alg" 
: "SHA3-384", + "content" : "386bee9245d0ef901c3010be3603d4cd083c2745737fdf852f3c7024b295aa74d006f0d1a3e7cbc2b09b6023b42d41b5" + }, + { + "alg" : "SHA3-256", + "content" : "22054f3faf8d31b9bdb010e1341cf74dfcb40860e50eaf238991c784a9a8b4ae" + }, + { + "alg" : "SHA3-512", + "content" : "c7e76ce4a2177ea7898931e180cca6463bf5eab34199c6a9a0146474262f16c30d99a05eb02a86f37870ba83b1b413e78949582add25aa87c5f39462444be6ea" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/commons-io/commons-io@2.16.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-io/" + }, + { + "type" : "build-system", + "url" : "https://github.com/apache/commons-parent/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/IO" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://gitbox.apache.org/repos/asf?p=commons-io.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/commons-io/commons-io@2.16.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "org.apache.commons", + "name" : "commons-lang3", + "version" : "3.14.0", + "description" : "Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4e5c3f5e6b0b965ef241d7d72ac8971f" + }, + { + "alg" : "SHA-1", + "content" : "1ed471194b02f2c6cb734a0cd6f6f107c673afae" + }, + { + "alg" : "SHA-256", + "content" : "7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c" + }, + { + "alg" : 
"SHA-512", + "content" : "0338b50767166e5746ada6d6aa2e071e7221d699323bfb629f7f204b294c1dc4cad140610a129ed751798443b43e74e0818989c7df7d33c5915aa29742be9ba8" + }, + { + "alg" : "SHA-384", + "content" : "908d0a22dc17aaa04caa5104cff7cad5b88b77eecb78dd5b3b3fefa22ff71ac50a4fb9e31c897ac243f9d841e4b3453d" + }, + { + "alg" : "SHA3-384", + "content" : "8a7f2e061b998780870eddd571620fbf3d3c70bcb54e24539d0db504f59d65bc6bda58136284498babe29fcc5eabb7a6" + }, + { + "alg" : "SHA3-256", + "content" : "022bf1f8039fcea717e9e34dd96eb80cfff05b43c9cbb76e9739b2421e2d027c" + }, + { + "alg" : "SHA3-512", + "content" : "0bcbc4edce974ea970c46e2da12ec98d9fd962c2cf64f757ac97136dec5623ca52af0c225895303c17ffabb57090e6772d7bd326d5e7438cef5454f8bbaeecfa" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0", + "url" : "https://www.apache.org/licenses/LICENSE-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-lang/" + }, + { + "type" : "build-system", + "url" : "https://github.com/apache/commons-parent/actions" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/LANG" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://gitbox.apache.org/repos/asf?p=commons-lang.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "org.apache.commons", + "name" : "commons-collections4", + "version" : "4.4", + "description" : "The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.", + "scope" : "required", + "hashes" : [ + { + "alg" 
: "MD5", + "content" : "4a37023740719b391f10030362c86be6" + }, + { + "alg" : "SHA-1", + "content" : "62ebe7544cb7164d87e0637a2a6a2bdc981395e8" + }, + { + "alg" : "SHA-256", + "content" : "1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1" + }, + { + "alg" : "SHA-512", + "content" : "5939c9931eb9557caee3b45fe1dd9ce54cabdc4e6182ed7faac77e1a866dd0cb602bfa4ece2f3316d769913366106bd2b61bf3bb5faad1fa7d808124c06dec0f" + }, + { + "alg" : "SHA-384", + "content" : "74059fd8f61c366ed448e102256fdbd1db0d690501c2c296c80f3657a2c0d8ade3dd9533b1431cc29786bbb624195f46" + }, + { + "alg" : "SHA3-384", + "content" : "15034fb39842620bf3b152cd90bce252644ebc6a29fafd6dcf5e1f3925f09ccea2ae4e195817450f996b25a7081a9a3f" + }, + { + "alg" : "SHA3-256", + "content" : "1716630a207a8f4a83bf9ef19245f46c87d62bfebbcfa1227101e6dd51da8fa5" + }, + { + "alg" : "SHA3-512", + "content" : "c290c98c7b5825d024644ec1162804a1f9ad4da3bb5324d147ddffee6cc79e3c0ecc3825d6116502f2ca292ec80c4e7f8d49a03542dda8f4d58b0dc8228923c5" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://commons.apache.org/proper/commons-collections/" + }, + { + "type" : "build-system", + "url" : "https://builds.apache.org/" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/COLLECTIONS" + }, + { + "type" : "mailing-list", + "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "https://git-wip-us.apache.org/repos/asf?p=commons-collections.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar" + }, + { + "group" : "com.github.package-url", + "name" : "packageurl-java", + "version" : "1.5.0", + 
"description" : "The official Java implementation of the PackageURL specification. PackageURL (purl) is a minimal specification for describing a package via a \"mostly universal\" URL.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "90856d8bb5b17e08fdf03b6a2f93b81c" + }, + { + "alg" : "SHA-1", + "content" : "e6bf530f52feab911f4032604ca0b8216f7ff337" + }, + { + "alg" : "SHA-256", + "content" : "e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247" + }, + { + "alg" : "SHA-512", + "content" : "8064df400154caa110b8845bd17e6cea2683307e575ce88e40d7c0c8965ea0af6c150a376d8b9ba7354676c41b52c94535f30c6e830447613299ccf5fc7aa959" + }, + { + "alg" : "SHA-384", + "content" : "0597100022f72e020c9d929bf57ecef91af7574610fb03b4019feba4b25f491a076f03577be2009e66d9001c4c0f8ab0" + }, + { + "alg" : "SHA3-384", + "content" : "bbdd55a31a4755ef589bcb176283fe03e3c9089d315eab577fef3a9c2d02e632c6ac3fdebbc90a2f0f8ed7974b9f397c" + }, + { + "alg" : "SHA3-256", + "content" : "c9881b69bde35ea6ff4006877b9fbf91462f911b5b142aa699a45a00867d413a" + }, + { + "alg" : "SHA3-512", + "content" : "2b9caf58deef687a9bf01abd61a7af4abdb61247a8a966683a18157ee948f1ea424602598dc8f665bf24f7e1e516866298ef0507e9d697cb20dcf60eff2095ca" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "https://opensource.org/licenses/MIT" + } + } + ], + "purl" : "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/package-url/packageurl-java" + }, + { + "type" : "build-system", + "url" : "https://travis-ci.com/package-url/packageurl-java" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/package-url/packageurl-java/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/package-url/packageurl-java.git" + } + ], + "type" : "library", + 
"bom-ref" : "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.dataformat", + "name" : "jackson-dataformat-xml", + "version" : "2.17.0", + "description" : "Data format extension for Jackson to offer alternative support for serializing POJOs as XML and deserializing XML as pojos.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "2b8f4884b06f29806a5317399cd991bb" + }, + { + "alg" : "SHA-1", + "content" : "fbe3c274a39cef5538ca8688ac7e2ad0053a6ffa" + }, + { + "alg" : "SHA-256", + "content" : "375e0e1c5cf530ac06858d4c9e674b03498644c2e7ee59f16160702ee02aabce" + }, + { + "alg" : "SHA-512", + "content" : "0d576e403958a69553bbf186db8b850daa47d99312c68932658a1d116a97c52ec3dee9ff30b9f65f614da6bee473d4faf08e577f7e435ba33384a460d343fe49" + }, + { + "alg" : "SHA-384", + "content" : "11737a9db7bfe6c2c66b5bf00a7c5c6da96d1613d1fca650be7fcb985166bcecf4de57b23892d21770001afeb40f2e25" + }, + { + "alg" : "SHA3-384", + "content" : "c4c5c06bd4af0a95e4b63f41dff4ceccf285662e90f95b0e9a0fd59700ba676ab7f080991222715fa257c33520bd892c" + }, + { + "alg" : "SHA3-256", + "content" : "e5c618225b6da5099236e37200fa492eda10d4024203764d95e01ed29a839aaa" + }, + { + "alg" : "SHA3-512", + "content" : "ff474b904215f7a328ca5b4bfb3091e6975034894f362fbf664c6ee665e621960bbea1ae46db2860932fcff7b71e6e1a9035adfaa83735cf577ca265494d39f3" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson-dataformat-xml" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-dataformat-xml/issues" + }, + { + "type" : "vcs", + "url" : 
"http://github.com/FasterXML/jackson-dataformat-xml" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar" + }, + { + "publisher" : "fasterxml.com", + "group" : "org.codehaus.woodstox", + "name" : "stax2-api", + "version" : "4.2.2", + "description" : "Stax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "6949cace015c0f408f0b846e3735d301" + }, + { + "alg" : "SHA-1", + "content" : "b0d746cadea928e5264f2ea294ea9a1bf815bbde" + }, + { + "alg" : "SHA-256", + "content" : "a61c48d553efad78bc01fffc4ac528bebbae64cbaec170b2a5e39cf61eb51abe" + }, + { + "alg" : "SHA-512", + "content" : "1c0587ecb4c5a659ce2ae1fe36ffc12636a8ecba549a29f2cf91cb4d1d36a335c05f35776f480488d40d894230389f76aeeb363887026c6ef5c565995c17b7c6" + }, + { + "alg" : "SHA-384", + "content" : "3b617db8307a081df858a4110f5b8fec51c06355762506cbc4be5557fb06959f0499f7e672103d46f71c66bae472a7bd" + }, + { + "alg" : "SHA3-384", + "content" : "22a3150713f7072962e26c286a1ef97d849b10d7f1251c56ae34252f247127b56dd189daa758c64776b4196ee0060517" + }, + { + "alg" : "SHA3-256", + "content" : "174868c81672068b42ccde35310d4dad60f457b795101e99588c28b0eebdefc2" + }, + { + "alg" : "SHA3-512", + "content" : "c88de5a2137e3b63b632ef24799a677c998b76e736407f1e8c6af85d1b6a94c76bc20d26e6cac847d8383ab6760f1b5c2ae7574fba21e1e6a96de7cdd38f0e39" + } + ], + "licenses" : [ + { + "license" : { + "id" : "BSD-2-Clause" + } + } + ], + "purl" : "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://github.com/FasterXML/stax2-api" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : 
"https://github.com/FasterXML/stax2-api/issues" + }, + { + "type" : "vcs", + "url" : "http://github.com/FasterXML/stax2-api" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.woodstox", + "name" : "woodstox-core", + "version" : "6.6.1", + "description" : "Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "003d77e2442b9f58e5eb9e34c2d018c6" + }, + { + "alg" : "SHA-1", + "content" : "586727abc793dc4cde0148c3c3b264e4f7deb5b3" + }, + { + "alg" : "SHA-256", + "content" : "5655c56e820b0140c1814ed4bddb3352efef88e33c382f3a0b51aad7ef89956c" + }, + { + "alg" : "SHA-512", + "content" : "4f6cd44c47d11d2bf1d02236f70dad8267bd9a93b9702aae31023725b48e63784025165f0cf4b290442b4a5b14dffb101db3dd8d7bca701a11c6506eb5e0788d" + }, + { + "alg" : "SHA-384", + "content" : "3708b825228da92f3b491d72f3104677241926091c3fffc6a66ba763907ff97c9dfa793aefab0a1820918f5dc5355f04" + }, + { + "alg" : "SHA3-384", + "content" : "cfb13014a414f92f84b14defe072eba4e13046839b22705e78bcad63412282cb732b4b6f22bea360df26d04aa6a8576e" + }, + { + "alg" : "SHA3-256", + "content" : "6a12bc8142518e2c74adde9d7367267a783a9b69b46536ed9cb7506a01dcbb5a" + }, + { + "alg" : "SHA3-512", + "content" : "5f6f257d5ee5995c2a7966d38ec50e1adf73b3474d2b6f6a78ab4561dbf5e629fe0eb74d9f7a5bb2f85df381ecb0d8fe816184af647b61f87f3c99eec4ae4554" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/woodstox" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/woodstox/issues" 
+ }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/woodstox" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar" + }, + { + "group" : "com.networknt", + "name" : "json-schema-validator", + "version" : "1.4.0", + "description" : "A json schema validator that supports draft v4, v6, v7, v2019-09 and v2020-12", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4d9c589b2813f03a252bcd50cf8a1507" + }, + { + "alg" : "SHA-1", + "content" : "8e7c5b0b0ed6b3eac2adfa9352ff4ca8187d9160" + }, + { + "alg" : "SHA-256", + "content" : "5d7b6ce4c7b2a3ed189511cbaa913808c7cd2b570d70b923426352785bffbdd0" + }, + { + "alg" : "SHA-512", + "content" : "e156aeb4b603023dd55c599315f22cbcbfdb00a2037c01b346324dceba583922dad29b20570a244863373545f5b77a311c0f740d3598dc4978bec6298cc613ba" + }, + { + "alg" : "SHA-384", + "content" : "5313166403f1c62732d41283f946418dec1971cdd6530a8e4495b84f67d60b96f7c50a2b8b6a63905767bea1ab0780b5" + }, + { + "alg" : "SHA3-384", + "content" : "a7cc84c4ecff22d04fa3da5d56dda9ca6253b87ab71479932c2e3da1edcfebfe176250b82abb66a9325907ab79309f96" + }, + { + "alg" : "SHA3-256", + "content" : "a45ff1fdc732d5e7c626072e84e8ba24eb0102d26380d918b8ef8707ea307c3a" + }, + { + "alg" : "SHA3-512", + "content" : "7164adfc8d496253af3d4841150fff7335f72d29523696cbcb15fb7dec2c18a74e731ad55db6c3392aee895f2b4f055a2f83414bc9ab292a49b47e17401aac55" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/networknt/json-schema-validator" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/networknt/json-schema-validator/issues" + }, + { + "type" : "vcs", + "url" : 
"https://github.com:networknt/json-schema-validator.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar" + }, + { + "group" : "com.ethlo.time", + "name" : "itu", + "version" : "1.8.0", + "description" : "Extremely fast date-time parser and formatter - RFC 3339 (ISO 8601 profile) and W3C format", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "c6680dc6496b4edc74bd3d534b8b0bfb" + }, + { + "alg" : "SHA-1", + "content" : "b31c9f9a06386b63772968424faeaf0e364ef93b" + }, + { + "alg" : "SHA-256", + "content" : "a9a567da9bf8bdcd4710fb5c4c7bc155658bb964a91637664ed7bd6e77b050c5" + }, + { + "alg" : "SHA-512", + "content" : "7df8d7b78c76e3d4c11be0b45e18561177245b0494d67dfd95be13a10b0f026cfae870fdbae7bae34bb278be73d8f28d02c175ba43863a712a73306d89b1e710" + }, + { + "alg" : "SHA-384", + "content" : "3433a20e764a82fb9ff48a4a6337b492f329015b9416465508650782db090ab275c44166a6f9a407adb3d39c0fdb7554" + }, + { + "alg" : "SHA3-384", + "content" : "863a2245e786b5906d3d9d2c59af6366a1b5a53b1770c5f2c4ac07cb9cb65e213a0695c81329ebf19cceaec289bc3fa2" + }, + { + "alg" : "SHA3-256", + "content" : "de376611b8d84c8f0b9017604d3b00bc0750f6a4b3e887bc4ea379ffbca61b56" + }, + { + "alg" : "SHA3-512", + "content" : "de8d24c29486eb900c313109662800c41f029c6b7e0246b59a0da30150d8641f121445f52df64066e51dbf083e23fe3d2f10a8b44e5a48fe7c25b52216938425" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/ethlo/itu" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com:ethlo/itu" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : 
"com.fasterxml.jackson.dataformat", + "name" : "jackson-dataformat-yaml", + "version" : "2.15.3", + "description" : "Support for reading and writing YAML-encoded data via Jackson abstractions.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "8c09fdc03a6cc2108e3e8ce14a12da24" + }, + { + "alg" : "SHA-1", + "content" : "2c928259effc818986c7e46c58de5dbfee6ae4ac" + }, + { + "alg" : "SHA-256", + "content" : "2dd70a080e8542dc5ee727387abed963fc24122cd784ab38355f87d0e08d9772" + }, + { + "alg" : "SHA-512", + "content" : "1e00f24d41a85ea0bb21ca08b1964acaf66ede60347df9bfd5de9c90e7d08dc59530cb7d6c0c138f44bbd75406ae3c0c1e7f031716a7c3d30e6cc5db14071345" + }, + { + "alg" : "SHA-384", + "content" : "8a3be2087d79b469470138b2d17fae342a57e3e7dde0aeaec9ae385b473ac2cfd871f81fd12879c41372002ccea52a3e" + }, + { + "alg" : "SHA3-384", + "content" : "701069df05a5567cb23ec1748433d76044de4ff63c5bcb07e9b145651500325910cc15b94a1a3c9aa9bd96cbed5fe168" + }, + { + "alg" : "SHA3-256", + "content" : "c73d7bbb271d9eeac7677064f1abf1879455f665df96a25acec456568c4d59e7" + }, + { + "alg" : "SHA3-512", + "content" : "3d82cb5931a382cbc87ba69fc0118af92720396cbfa6414021964b1a4799f855760243b684ee7bfd7a48f56313acc02d8051c617afc99464da75c5c2d46f1454" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson-dataformats-text" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-dataformats-text/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-dataformats-text/jackson-dataformat-yaml" + } + ], + "type" : "library", + "bom-ref" : 
"pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar" + }, + { + "group" : "org.yaml", + "name" : "snakeyaml", + "version" : "2.1", + "description" : "YAML 1.1 parser and emitter for Java", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "33cc7f2b24873e9d8af5d78a0b09bdc1" + }, + { + "alg" : "SHA-1", + "content" : "c79f47315517560b5bd6a62376ee385e48105437" + }, + { + "alg" : "SHA-256", + "content" : "69a4537045ddbcaed4c68eef074462eb12d324d7953f62c5ecd35df645e8aec9" + }, + { + "alg" : "SHA-512", + "content" : "5148ca86d6a28bd85f7ee4922d405d58fd3e61204f70b1ac3a755fa34455227ffe29f04e710596e43c48d1bce3e9c9379ca2c6fedabbc65dab7e00b4ae995823" + }, + { + "alg" : "SHA-384", + "content" : "083794a57d718dd04eda74b7994ed7608ee14b8c84034e775def46aa7242e332b45007975fecb19922b8a3a2e7a00493" + }, + { + "alg" : "SHA3-384", + "content" : "239cf654b22d97ad28224912400f635a06fe5ec7e3562f19bb38c3f3006e7b19ff3036221867c4c721184e84b880cb9c" + }, + { + "alg" : "SHA3-256", + "content" : "89cb985a9228aea9e192246c7033de3414692cfe5ae131be1e9768a8bd28f152" + }, + { + "alg" : "SHA3-512", + "content" : "68c3b32dbd60054abfa8fc73b32d14a921b76652d739585a18ec1f7209bf9190c17cee9936219b2d49c49556b3295b571f406d6d071225fcbc0012b116b7ec89" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.yaml/snakeyaml@2.1?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://bitbucket.org/snakeyaml/snakeyaml" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://bitbucket.org/snakeyaml/snakeyaml/issues" + }, + { + "type" : "vcs", + "url" : "https://bitbucket.org/snakeyaml/snakeyaml/src" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.yaml/snakeyaml@2.1?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : 
"org.apache.httpcomponents", + "name" : "httpclient", + "version" : "4.5.14", + "description" : "Apache HttpComponents Client", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "2cb357c4b763f47e58af6cad47df6ba3" + }, + { + "alg" : "SHA-1", + "content" : "1194890e6f56ec29177673f2f12d0b8e627dec98" + }, + { + "alg" : "SHA-256", + "content" : "c8bc7e1c51a6d4ce72f40d2ebbabf1c4b68bfe76e732104b04381b493478e9d6" + }, + { + "alg" : "SHA-512", + "content" : "a084ef30fb0a2a25397d8fab439fe68f67e294bf53153e2e1355b8df92886d40fe6abe35dc84f014245f7158e92641bcbd98019b4fbbd9e5a0db495b160b4ced" + }, + { + "alg" : "SHA-384", + "content" : "c8ccaa1fa8ba7c421413e3c30375bd9c31284e837c476fd831e18043ad4187e92166f49554123108891241bed674b95d" + }, + { + "alg" : "SHA3-384", + "content" : "9a17dfcf12b2af3a9b006ec369f9bc78ba322348bf1a01146e0d4f3fec2bed6cbe8b2193fac5b4d5a0c3036c06477510" + }, + { + "alg" : "SHA3-256", + "content" : "48f0a61b691e22dec9d6db8e0b58be4ca17a42a2846c82f0875de21f72bb0faa" + }, + { + "alg" : "SHA3-512", + "content" : "4ad2c9adc761b7e813330f0dcad3f9978702896c7d0cbf81f60a472d550e320b1527be425ba597c8c9352d587e32e1d46ceb4c73e99c70a6190df4c699a7c2a9" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://hc.apache.org/httpcomponents-client-ga" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/HTTPCLIENT" + }, + { + "type" : "mailing-list", + "url" : "http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/" + }, + { + "type" : "vcs", + "url" : "https://github.com/apache/httpcomponents-client/tree/4.5.14/httpclient" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar" 
+ }, + { + "publisher" : "The Apache Software Foundation", + "group" : "org.apache.httpcomponents", + "name" : "httpcore", + "version" : "4.4.16", + "description" : "Apache HttpComponents Core (blocking I/O)", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "28d2cd9bf8789fd2ec774fb88436ebd1" + }, + { + "alg" : "SHA-1", + "content" : "51cf043c87253c9f58b539c9f7e44c8894223850" + }, + { + "alg" : "SHA-256", + "content" : "6c9b3dd142a09dc468e23ad39aad6f75a0f2b85125104469f026e52a474e464f" + }, + { + "alg" : "SHA-512", + "content" : "168026436a6bcf5e96c0c59606638abbdc30de4b405ae55afde70fdf2895e267a3d48bba6bdadc5a89f38e31da3d9a9dc91e1cab7ea76f5e04322cf1ec63b838" + }, + { + "alg" : "SHA-384", + "content" : "ba9ceaee1a37ca3201d6a1315ecb0327b495489efd0baa155c219c475df8d3eb69fe77ab0026563db406497626da6562" + }, + { + "alg" : "SHA3-384", + "content" : "b9dc44dcc7cc86d5036f26d54c4003a2d72808ae7b07a0808bb53505c6d4281b5ad213eb1f3d0fef1113dec57cb0dfe1" + }, + { + "alg" : "SHA3-256", + "content" : "fd8ab51846476c6c18822151c9ec07b39a9633010b5d20ea937fc6910407bc64" + }, + { + "alg" : "SHA3-512", + "content" : "b42fa528242981a9d70e4f68ab75a24292df5112c44c21b6f18cb9201ce747885ba1d4dc69bc3d14d0da46a6c2638f937c11bc45749abeb55dc89ddada90cdda" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://hc.apache.org/httpcomponents-core-ga" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/HTTPCORE" + }, + { + "type" : "mailing-list", + "url" : "http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/" + }, + { + "type" : "vcs", + "url" : "https://github.com/apache/httpcomponents-core/tree/4.4.16/httpcore" + } + ], + "type" : "library", + 
"bom-ref" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar" + }, + { + "publisher" : "The Apache Software Foundation", + "group" : "commons-logging", + "name" : "commons-logging", + "version" : "1.2", + "description" : "Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "040b4b4d8eac886f6b4a2a3bd2f31b00" + }, + { + "alg" : "SHA-1", + "content" : "4bfc12adfe4842bf07b657f0369c4cb522955686" + }, + { + "alg" : "SHA-256", + "content" : "daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636" + }, + { + "alg" : "SHA-512", + "content" : "ed00dbfabd9ae00efa26dd400983601d076fe36408b7d6520084b447e5d1fa527ce65bd6afdcb58506c3a808323d28e88f26cb99c6f5db9ff64f6525ecdfa557" + }, + { + "alg" : "SHA-384", + "content" : "ac20720d7156131478205f1b454395abf84cfc8da2f163301af32f63bd3c4764bd26cb54ed53800f33193ae591f3ce9c" + }, + { + "alg" : "SHA3-384", + "content" : "628eb4407e95dca84da1a06b08a6d9b832a49de8472b1b217e8607f08efeeed18b996232d64dd07f03e78e0e3bb4b078" + }, + { + "alg" : "SHA3-256", + "content" : "9aab62deccf156ee6e324c925dfc30ecb53e8465802863a551901a461424e807" + }, + { + "alg" : "SHA3-512", + "content" : "3fd76857f6d20c03799537cc961c1c4ddf1c375c6c192fb982363e3b9397ba138b77f24ef38b4202f44e37586789c0320e4de18fdadd2772304fd14a9b26d552" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/commons-logging/commons-logging@1.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://commons.apache.org/proper/commons-logging/" + }, + { + "type" : "build-system", + "url" : "https://continuum-ci.apache.org/" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "http://issues.apache.org/jira/browse/LOGGING" + }, + { + "type" : "mailing-list", 
+ "url" : "http://mail-archives.apache.org/mod_mbox/commons-user/" + }, + { + "type" : "vcs", + "url" : "http://svn.apache.org/repos/asf/commons/proper/logging/trunk" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/commons-logging/commons-logging@1.2?type=jar" + }, + { + "publisher" : "Apache Software Foundation", + "group" : "org.freemarker", + "name" : "freemarker", + "version" : "2.3.32", + "description" : "FreeMarker is a \"template engine\"; a generic tool to generate text output based on templates.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "22624adfe32b76fe3be07a84de4e1c03" + }, + { + "alg" : "SHA-1", + "content" : "8607259125d4fbe982754227ea4f75dd513c6d19" + }, + { + "alg" : "SHA-256", + "content" : "04d65ec1bde6cea20e3495d5e78ef96ab774d9936434861d3254bd88e7e94f92" + }, + { + "alg" : "SHA-512", + "content" : "934c6c2bf47c1b88b1f81c25294cd83f5105f90f565e1fce75a09a54e51424fb8335542a6d5c3eb9df19dbc0007e869e9b6aebaf37880eac09759529dc0c5ca7" + }, + { + "alg" : "SHA-384", + "content" : "6fefe48f8aa5b570695ba5bdbed36a35b59b24673c0977890edf1eda68792a7001946e422cf56b0f5138edb247fac0dc" + }, + { + "alg" : "SHA3-384", + "content" : "3d21e14024108b2c89f2acd0de306a8f31cea67f55d7c5fa5ceb84a6bca0d52672179b1042a4f313aabacaf020e130b2" + }, + { + "alg" : "SHA3-256", + "content" : "91fb6edbf9930b9e21c290784b08e5b5a67ff94a4b8e34c47c0bc6f6d81619c7" + }, + { + "alg" : "SHA3-512", + "content" : "8df650d10a408d90ae0b20dc8c88bfa46309ab7287f0d16c5c9f60f113760a789aadd739080285343db9b3405084ef9049ad6e80b88f74fe8a8924ec741817cb" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://freemarker.apache.org/" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : 
"https://issues.apache.org/jira/browse/FREEMARKER/" + }, + { + "type" : "mailing-list", + "url" : "http://mail-archives.apache.org/mod_mbox/freemarker-dev/" + }, + { + "type" : "vcs", + "url" : "https://git-wip-us.apache.org/repos/asf?p=freemarker.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar" + }, + { + "group" : "com.google.guava", + "name" : "guava", + "version" : "33.2.0-jre", + "description" : "Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "8cc9e39ba1958ebca928d158806e0802" + }, + { + "alg" : "SHA-1", + "content" : "e264781dadc4967e5292f3c4d05f1d153631f7b4" + }, + { + "alg" : "SHA-256", + "content" : "99f491e86262ce38d13b3581d40f77acdb4696a9505447c3154474c3192908dd" + }, + { + "alg" : "SHA-512", + "content" : "21e981521598e95253df40e5390daab48fc5e2475d55306828b523d5a09f637c846aed1f826f85c3c2e2d9e0dd3d9c291afb4eb5349c3b54f4e9e5810340f022" + }, + { + "alg" : "SHA-384", + "content" : "82e3969b23c331d56b303fed8211606b7dc3ee4a5b55d105aef7979d98f36e46b498daf01a82c1c0263732e2101b0dde" + }, + { + "alg" : "SHA3-384", + "content" : "76b17f8047e46fa454657fafe61dd146b2072a2f16da501d950c808e83d7b1b08a306b5ab8e4a3f7e8efd5c3005d6f76" + }, + { + "alg" : "SHA3-256", + "content" : "aba97665a95287c30c69932dd5351060bcf1b819d92450b470997e6311df3f25" + }, + { + "alg" : "SHA3-512", + "content" : "a41d7c6b58809bc913278416530572c5affc43f1559f58271d055cdfb233af94c1661be8cb0c0ca4ddf3fb5f3a5e86c4e9b1c455e7ec6b9955f809925d1b1c00" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/guava" + }, + { + "type" : "build-system", + "url" : "https://github.com/google/guava/actions" + }, + { + "type" : 
"distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/google/guava/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/guava/guava" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar" + }, + { + "group" : "com.google.guava", + "name" : "failureaccess", + "version" : "1.0.2", + "description" : "Contains com.google.common.util.concurrent.internal.InternalFutureFailureAccess and InternalFutures. Most users will never need to use this artifact. Its classes are conceptually a part of Guava, but they're in this separate artifact so that Android libraries can use them without pulling in all of Guava (just as they can use ListenableFuture by depending on the listenablefuture artifact).", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "3f75955b49b6758fd6d1e1bd9bf777b3" + }, + { + "alg" : "SHA-1", + "content" : "c4a06a64e650562f30b7bf9aaec1bfed43aca12b" + }, + { + "alg" : "SHA-256", + "content" : "8a8f81cf9b359e3f6dfa691a1e776985c061ef2f223c9b2c80753e1b458e8064" + }, + { + "alg" : "SHA-512", + "content" : "ff4ee76aa661708989d53d45576cff3beea9ebbd86481dbbf2ee8c81bb22f882097b430588312b711025f0e890f22c6799d722ccd422a6a7278de08660fe2f51" + }, + { + "alg" : "SHA-384", + "content" : "85a7bd379da27ad57a4e5c02099fef206083caa52244597ac858a921b48e2912cfa7ef0e7d0c7a10ab2dd8d0f7d6ada0" + }, + { + "alg" : "SHA3-384", + "content" : "652b22d09b297320e62ac254801e7d3a0fd2a8038461c5cbf7a53a27d681f62b768b964aa62c864453c4e7af217c8c4a" + }, + { + "alg" : "SHA3-256", + "content" : "a650b2f7982affc2dbb7e2807fbb0fbf58b74fd8dc111cc6dc5e95a00179b7e3" + }, + { + "alg" : "SHA3-512", + "content" : "2c5ee7629a8fb1c952f437b80fcd1cff86c54ff81de02eda1eb73c0bbfe38d3f072946f8c6396c7f1e46e16a6d44ad393dfe6fd2dd96f75ebb854263d36bb193" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + 
], + "purl" : "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/guava/failureaccess" + }, + { + "type" : "build-system", + "url" : "https://travis-ci.org/google/guava" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/google/guava/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/guava/failureaccess" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar" + }, + { + "group" : "com.google.guava", + "name" : "listenablefuture", + "version" : "9999.0-empty-to-avoid-conflict-with-guava", + "description" : "An empty artifact that Guava depends on to signal that it is providing ListenableFuture -- but is also available in a second \"version\" that contains com.google.common.util.concurrent.ListenableFuture class, without any other Guava classes. The idea is: - If users want only ListenableFuture, they depend on listenablefuture-1.0. - If users want all of Guava, they depend on guava, which, as of Guava 27.0, depends on listenablefuture-9999.0-empty-to-avoid-conflict-with-guava. The 9999.0-... version number is enough for some build systems (notably, Gradle) to select that empty artifact over the \"real\" listenablefuture-1.0 -- avoiding a conflict with the copy of ListenableFuture in guava itself. If users are using an older version of Guava or a build system other than Gradle, they may see class conflicts. 
If so, they can solve them by manually excluding the listenablefuture artifact or manually forcing their build systems to use 9999.0-....", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "d094c22570d65e132c19cea5d352e381" + }, + { + "alg" : "SHA-1", + "content" : "b421526c5f297295adef1c886e5246c39d4ac629" + }, + { + "alg" : "SHA-256", + "content" : "b372a037d4230aa57fbeffdef30fd6123f9c0c2db85d0aced00c91b974f33f99" + }, + { + "alg" : "SHA-512", + "content" : "c5987a979174cbacae2e78b319f080420cc71bcdbcf7893745731eeb93c23ed13bff8d4599441f373f3a246023d33df03e882de3015ee932a74a774afdd0782f" + }, + { + "alg" : "SHA-384", + "content" : "caff9b74079f95832ca7f6029346b34b606051cc8c5a4389fac263511d277ada0c55f28b0d43011055b268c6eb7184d5" + }, + { + "alg" : "SHA3-384", + "content" : "e939f08df0545847ea0d3e4b04a114b08499ad069ba8ec9461d1779f87a56e0c37273630a0f4c14e78c348d3ac7eb97f" + }, + { + "alg" : "SHA3-256", + "content" : "1f0a8b1177773b3a8ace839df5eed63cbf56b24a38714898a6e4ed065c42559f" + }, + { + "alg" : "SHA3-512", + "content" : "6b495ecc2a18b17365cb08d124a0da47f04bcdde81927b5245edf3edd8e498c3c3fb92ce6a4127f660bac851bb1d3e4510e5c20d03be47ce99dc296d360db285" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/guava/listenablefuture" + }, + { + "type" : "build-system", + "url" : "https://travis-ci.org/google/guava" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/google/guava/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/guava/listenablefuture" + } + ], + "type" : "library", + "bom-ref" : 
"pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar" + }, + { + "group" : "com.google.code.findbugs", + "name" : "jsr305", + "version" : "3.0.2", + "description" : "JSR305 Annotations for Findbugs", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "dd83accb899363c32b07d7a1b2e4ce40" + }, + { + "alg" : "SHA-1", + "content" : "25ea2e8b0c338a877313bd4672d3fe056ea78f0d" + }, + { + "alg" : "SHA-256", + "content" : "766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7" + }, + { + "alg" : "SHA-512", + "content" : "bb09db62919a50fa5b55906013be6ca4fc7acb2e87455fac5eaf9ede2e41ce8bbafc0e5a385a561264ea4cd71bbbd3ef5a45e02d63277a201d06a0ae1636f804" + }, + { + "alg" : "SHA-384", + "content" : "ca0b169d3eb2d0922dc031133a021f861a043bb3e405a88728215fd6ff00fa52fdc7347842dcc2031472e3726164bdc4" + }, + { + "alg" : "SHA3-384", + "content" : "9903fd7505218999f8262efedb3d935d64bcef84aae781064ab5e1b24755466b269517cada562fa140cd1d417ede57a1" + }, + { + "alg" : "SHA3-256", + "content" : "223fda9a89a461afaae73b177a2dc20ed4a90f2f8757f5c65f3241b0510f00ff" + }, + { + "alg" : "SHA3-512", + "content" : "3996b5af57a5d5c6a0cd62b11773360fb051dd86a2ba968476806a2a5d32049b82d69a24a3c694e8fe4d735be6a28e41000cc500cc2a9fb577e058045855d2d6" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://findbugs.sourceforge.net/" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://code.google.com/p/jsr-305/" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar" + }, + { + "group" : "org.checkerframework", + "name" : "checker-qual", + "version" : "3.42.0", + "description" : "checker-qual contains annotations (type 
qualifiers) that a programmer writes to specify Java code for type-checking by the Checker Framework.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "4c55448dcbfe9c3702f7758fc8fe0086" + }, + { + "alg" : "SHA-1", + "content" : "638ec33f363a94d41a4f03c3e7d3dcfba64e402d" + }, + { + "alg" : "SHA-256", + "content" : "ccaedd33af0b7894d9f2f3b644f4d19e43928e32902e61ac4d10777830f5aac7" + }, + { + "alg" : "SHA-512", + "content" : "85f66a42a079b4578256b5b6daa4b1ba5aa684614982cab2c9cd83324f2c3fcdde420de6ad51b2f439c4c809be10b376f80f5a45110a1ee6caa59e6298c0ec95" + }, + { + "alg" : "SHA-384", + "content" : "1ee2061f8da04e77b577030edc21904b0700aceb241fcb5a549767d44c9b71267217850dc89aca41e65d188e148f8d58" + }, + { + "alg" : "SHA3-384", + "content" : "5d89ffdcafb432d84503340827bc6fae5f6fc290fde59c1eb491996c15fd92ad00dfd1e781d8c9d6ef4ca9c4f3e5b264" + }, + { + "alg" : "SHA3-256", + "content" : "25c061a632fc0263f974761afad7f4209dd6582a461f3049e39d260640308393" + }, + { + "alg" : "SHA3-512", + "content" : "75a743fb2577bb3252de16a86cf10922626689e75918136c83caa3a26db669f7c770779cfb9b9003ba5b181ffc9f7d871ab250cccfc4ff19e587a0384b448929" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT" + } + } + ], + "purl" : "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://checkerframework.org/" + }, + { + "type" : "vcs", + "url" : "https://github.com/typetools/checker-framework.git" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar" + }, + { + "publisher" : "Google LLC", + "group" : "com.google.errorprone", + "name" : "error_prone_annotations", + "version" : "2.26.1", + "description" : "Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "64c623e550068e3b2708e5d901865c56" + }, + { + "alg" : "SHA-1", 
+ "content" : "c1fde57694bdc14e8618899aaa6e857d9465d7de" + }, + { + "alg" : "SHA-256", + "content" : "de25f2d9a2156529bd765f51d8efdfc0dfa7301e04efb9cc75b7f10cf5d0e0fb" + }, + { + "alg" : "SHA-512", + "content" : "b29d69c3f61084f26f23bc7da138519161f3b33584d97b38e7448c303a1c0b42299fa0371552ad7e1f0be65ca1c69f3b6958cc28ff208a4f49c6456a442ab6ee" + }, + { + "alg" : "SHA-384", + "content" : "98c9da460debd77b7f60ad9ec4179913f93137f7116a597bd18bcd5bb7df4473176052e794228145cff2a6fc6c14e6e8" + }, + { + "alg" : "SHA3-384", + "content" : "d1a4c251bc77c1b6dbf164f6776c562453e287a76b5395ed69d514edc585b1f5f3d3924b234731f89e00eab68445f147" + }, + { + "alg" : "SHA3-256", + "content" : "641d97c7aa2cb5e8b3f9bf2cc1f5a88e506eec116bf952563d013b04d4f0789a" + }, + { + "alg" : "SHA3-512", + "content" : "9775c1b1c7303187f5b15bcf129c6d5e047436b9b664713f1fb6deb4abd97e0ea6d1186714d863adc4b3b73f7fb4dbf450459397f6f124957839a25e9cb69092" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://errorprone.info/error_prone_annotations" + }, + { + "type" : "vcs", + "url" : "https://github.com/google/error-prone/error_prone_annotations" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar" + }, + { + "group" : "com.google.j2objc", + "name" : "j2objc-annotations", + "version" : "3.0.0", + "description" : "A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "f59529b29202a5baf37f491ea5ec8627" + }, + { + "alg" : "SHA-1", + "content" : "7399e65dd7e9ff3404f4535b2f017093bdb134c7" + }, + { + "alg" : "SHA-256", + "content" : "88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64" + }, + { + "alg" : "SHA-512", + 
"content" : "1406b1aa53b19f8269129d96ce8b64bf36f215eacf7d8f1e0adadee31614e53bb3f7acf4ff97418c5bfc75677a6f3cd637c3d9889d1e85117b6fa12467c91e9f" + }, + { + "alg" : "SHA-384", + "content" : "24373643a4e2f8e1cf919d495e1e79b24dd9dbbbeecb06477be8764313f0b3b465fde74ea2cf5542fc8cba090132052f" + }, + { + "alg" : "SHA3-384", + "content" : "afa264c8d8d946e43438ae728f0ae7a2c12797b56f9ad885d5b3e9a7396eb8481ca6840c2a990a7c5da45968794b36d8" + }, + { + "alg" : "SHA3-256", + "content" : "4df89618b479d5fbede9363c6f914218a44007f48f29c6b6d58243558ced6152" + }, + { + "alg" : "SHA3-512", + "content" : "b25b2ad8dddeed8757ffe22a96cfa7511617d86baa0ed4a25b1850162b54e1132d40dbc2dfca0a6ff0a350b16628a0d2b523418eeb8f986e0f505833da4f7181" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/google/j2objc/" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "http://github.com/google/j2objc" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.core", + "name" : "jackson-core", + "version" : "2.15.2", + "description" : "Core Jackson processing abstractions (aka Streaming API), implementation for JSON", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "e51fdee85b48e6637ad9e85ee76b58df" + }, + { + "alg" : "SHA-1", + "content" : "a6fe1836469a69b3ff66037c324d75fc66ef137c" + }, + { + "alg" : "SHA-256", + "content" : "303c99e82b1faa91a0bae5d8fbeb56f7e2adf9b526a900dd723bf140d62bd4b4" + }, + { + "alg" : "SHA-512", + "content" : "a8a3ddf5c8a732fc3810f9c113d88fd59bf613d15dbf9d3e24dd196b2b8c2195f4088375e3d03906f2629e62983fef3267b5478abd5ab1df733ec58cd00efae6" + }, + { + 
"alg" : "SHA-384", + "content" : "22f4b71de5860b9c54dd85091d5b1312f7f5097a376f68f5a35b32a342858bf2e24ed394d76be0648545a6137d78b82e" + }, + { + "alg" : "SHA3-384", + "content" : "bf7f6d6d6898978d2ca11e924f0268a90adbb6f6f88b1402e7c96b6fba76ff4e7d83ba163d10b1c551443c3b3cdef9d2" + }, + { + "alg" : "SHA3-256", + "content" : "fa5ecb4b5ab9884403d5001dd368be876e10daf90e91fccfdf6fb21f14563c15" + }, + { + "alg" : "SHA3-512", + "content" : "1e8648a4c8aac64f0f71787ec6dd4693a30fe0e3c1fb78ce12b2a1865d17d7f9788c085ed1ac1216e45c05f582a0764d8fee44cf18cc90403846d255fe778c7b" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson-core" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-core/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-core" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.core", + "name" : "jackson-annotations", + "version" : "2.15.2", + "description" : "Core annotations used for value types, used by Jackson data binding package.", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "71dabcaac955a8bd17b5bba6580aac5b" + }, + { + "alg" : "SHA-1", + "content" : "4724a65ac8e8d156a24898d50fd5dbd3642870b8" + }, + { + "alg" : "SHA-256", + "content" : "04e21f94dcfee4b078fa5a5f53047b785aaba69d19de392f616e7a7fe5d3882f" + }, + { + "alg" : "SHA-512", + "content" : "c9ffb4cf3e409921bca1fa6126ca8746c611042ac3fcf0e4f991d23d12b20ef0946ef1421d991ae8ed86012059df4e08fb776d96db6d13147c2ec85e22254537" + }, + { + "alg" : "SHA-384", + "content" 
: "78885119a700d5dd717fc83e58bf063e1fd07bc823846b6797af6a04a99e92e8fbcf28c3a1316079e6695c138c110deb" + }, + { + "alg" : "SHA3-384", + "content" : "f5b8fcedd6d34427bbe32b1c6082b49d9ded5a00b69549cd6722ffad7d87f3e90b48ddc74a8bd0dec1987ebac73df3a7" + }, + { + "alg" : "SHA3-256", + "content" : "b4e4df4be6fe975483027aef5d4df099d8bf6dd5974118d118a47775d5f75a88" + }, + { + "alg" : "SHA3-512", + "content" : "d10fdee33fe005f9941851117e7021fae066ca3ddf2ccbbd048dae103f3cb540e11116ba53fe48b34bbab6fcfe09a6cbc6c50d1bc74893509e8b93a6c6f2c517" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-annotations/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-annotations" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar" + }, + { + "publisher" : "FasterXML", + "group" : "com.fasterxml.jackson.core", + "name" : "jackson-databind", + "version" : "2.15.2", + "description" : "General data-binding functionality for Jackson: works on core streaming API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "20ac0d0526a456274409fa852eb74087" + }, + { + "alg" : "SHA-1", + "content" : "9353b021f10c307c00328f52090de2bdb4b6ff9c" + }, + { + "alg" : "SHA-256", + "content" : "0eb2fdad6e40ab8832a78c9b22f58196dd970594e8d3d5a26ead87847c4f3a96" + }, + { + "alg" : "SHA-512", + "content" : "edf622f3d2bb2cdf308875e467f28eafdd581c6ad47992a2b49a2c803b597c7fe4330c8f887687599c8a6a529d8b11054f8b354b7ddddd2bf904ef347d4f1cd2" + }, + { + "alg" : "SHA-384", + "content" : 
"cced300ea06748cc30cdabf1a0a8e45749d3d2a52740975acd858bd13b83458d535a52fc4cc0eb8991ebd3638b9688ec" + }, + { + "alg" : "SHA3-384", + "content" : "c4a29f5075cc31b52aabfc8f656ee761b075954fe89469e76aef7a563d93ee71653310967b68f89ce25ed26241c0bda9" + }, + { + "alg" : "SHA3-256", + "content" : "400677b87f766708abe38aea66c8564cb422cd271208e926a0c2eac99b64cd92" + }, + { + "alg" : "SHA3-512", + "content" : "0a02353d0afa97f7cb85f1f81ee221cf4425fbde1e2d1b6b7bd8fe0d5d2fcb5dbba8b6fe9c79b500c71fdac8accb77eccebe0853fd8c37bd34aa578796b8a81a" + } + ], + "licenses" : [ + { + "license" : { + "id" : "Apache-2.0" + } + } + ], + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://github.com/FasterXML/jackson" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "issue-tracker", + "url" : "https://github.com/FasterXML/jackson-databind/issues" + }, + { + "type" : "vcs", + "url" : "https://github.com/FasterXML/jackson-databind" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar" + }, + { + "publisher" : "QOS.ch", + "group" : "org.slf4j", + "name" : "slf4j-api", + "version" : "2.0.13", + "description" : "The slf4j API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "7f4028aa04f75427327f3f30cd62ba4e" + }, + { + "alg" : "SHA-1", + "content" : "80229737f704b121a318bba5d5deacbcf395bc77" + }, + { + "alg" : "SHA-256", + "content" : "e7c2a48e8515ba1f49fa637d57b4e2f590b3f5bd97407ac699c3aa5efb1204a9" + }, + { + "alg" : "SHA-512", + "content" : "b4eeb5757118e264ec7f107d879270784357380d6f53471b7874dd7e0166fdf5686a95eb66bab867abbe9536da032ab052e207165211391c293cbf6178431fb6" + }, + { + "alg" : "SHA-384", + "content" : "b67cbb4ef32141423000dd4e067bf32e0c1dd2c4689c611522b9fedfc1744513175a22f4b1276f2cec4721c9467cf882" + }, + { + 
"alg" : "SHA3-384", + "content" : "817fc9641f4fc52bfd76006886c6eba975f6f09b2a7cc59334729a8cc033807c8e89be9ec4309acfc16ed65ff6eee018" + }, + { + "alg" : "SHA3-256", + "content" : "f26080cceb5a2e605f3844d6dc8dd3f14c543cb14510765d841d71a64fa454dc" + }, + { + "alg" : "SHA3-512", + "content" : "00646c78d65ec854e157638f40735f1888aa585ede59915d58386c599c2fe54ec8c1da73284aeff00ce3142165e33c4c995ad39d08843c31e9e4d7e32c746836" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "https://opensource.org/licenses/MIT" + } + } + ], + "purl" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.slf4j.org" + }, + { + "type" : "distribution-intake", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar" + }, + { + "publisher" : "QOS.ch", + "group" : "org.slf4j", + "name" : "slf4j-api", + "version" : "2.0.13", + "description" : "The slf4j API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "7f4028aa04f75427327f3f30cd62ba4e" + }, + { + "alg" : "SHA-1", + "content" : "80229737f704b121a318bba5d5deacbcf395bc77" + }, + { + "alg" : "SHA-256", + "content" : "e7c2a48e8515ba1f49fa637d57b4e2f590b3f5bd97407ac699c3aa5efb1204a9" + }, + { + "alg" : "SHA-512", + "content" : "b4eeb5757118e264ec7f107d879270784357380d6f53471b7874dd7e0166fdf5686a95eb66bab867abbe9536da032ab052e207165211391c293cbf6178431fb6" + }, + { + "alg" : "SHA-384", + "content" : "b67cbb4ef32141423000dd4e067bf32e0c1dd2c4689c611522b9fedfc1744513175a22f4b1276f2cec4721c9467cf882" + }, + { + "alg" : "SHA3-384", + "content" : "817fc9641f4fc52bfd76006886c6eba975f6f09b2a7cc59334729a8cc033807c8e89be9ec4309acfc16ed65ff6eee018" + }, + { + "alg" : "SHA3-256", + "content" : 
"f26080cceb5a2e605f3844d6dc8dd3f14c543cb14510765d841d71a64fa454dc" + }, + { + "alg" : "SHA3-512", + "content" : "00646c78d65ec854e157638f40735f1888aa585ede59915d58386c599c2fe54ec8c1da73284aeff00ce3142165e33c4c995ad39d08843c31e9e4d7e32c746836" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "https://opensource.org/licenses/MIT" + } + }, + { + "license" : { + "id" : "GNU Lesser General Public License", + "url" : "http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html" + } + } + ], + "purl" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.slf4j.org" + }, + { + "type" : "distribution", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com/qos-ch/slf4j/slf4j-parent/slf4j-api" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar" + } + ], + "dependencies" : [ + { + "ref" : "pkg:maven/de.medavis/license-compliance-tool-core@1.4.0?type=jar", + "dependsOn" : [ + "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", + "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar", + "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.cyclonedx/cyclonedx-core-java@9.0.0?type=jar", + "dependsOn" : [ + "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar", + "pkg:maven/commons-io/commons-io@2.16.0?type=jar", + "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar", + "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar", + "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar", + "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar", + "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar" + ] + }, + { + "ref" : "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar", + "dependsOn" : [ ] + }, 
+ { + "ref" : "pkg:maven/commons-io/commons-io@2.16.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.apache.commons/commons-lang3@3.14.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.apache.commons/commons-collections4@4.4?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.github.package-url/packageurl-java@1.5.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.17.0?type=jar", + "dependsOn" : [ + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", + "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "dependsOn" : [ + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.woodstox/woodstox-core@6.6.1?type=jar", + "dependsOn" : [ + "pkg:maven/org.codehaus.woodstox/stax2-api@4.2.2?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.networknt/json-schema-validator@1.4.0?type=jar", + "dependsOn" : [ + "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar", + "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar" + ] + }, + 
{ + "ref" : "pkg:maven/com.ethlo.time/itu@1.8.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml@2.15.3?type=jar", + "dependsOn" : [ + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar", + "pkg:maven/org.yaml/snakeyaml@2.1?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.2?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.yaml/snakeyaml@2.1?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.slf4j/slf4j-api@2.0.13?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.apache.httpcomponents/httpclient@4.5.14?type=jar", + "dependsOn" : [ + "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "pkg:maven/commons-logging/commons-logging@1.2?type=jar", + "pkg:maven/commons-codec/commons-codec@1.17.0?type=jar" + ] + }, + { + "ref" : "pkg:maven/org.apache.httpcomponents/httpcore@4.4.16?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/commons-logging/commons-logging@1.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.freemarker/freemarker@2.3.32?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.guava/guava@33.2.0-jre?type=jar", + "dependsOn" : [ + "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar", + "pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar", + "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar", + "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar", + "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar", + "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar" + ] + }, + { + "ref" : "pkg:maven/com.google.guava/failureaccess@1.0.2?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar", + 
"dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.checkerframework/checker-qual@3.42.0?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.26.1?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/com.google.j2objc/j2objc-annotations@3.0.0?type=jar", + "dependsOn" : [ ] + } + ] +} \ No newline at end of file diff --git a/core/src/test/resources/de/medavis/lct/core/patcher/test-bom-01.json b/core/src/test/resources/de/medavis/lct/core/patcher/test-bom-01.json new file mode 100644 index 0000000..99d3e14 --- /dev/null +++ b/core/src/test/resources/de/medavis/lct/core/patcher/test-bom-01.json 
@@ -0,0 +1,133 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "serialNumber": "urn:uuid:c62cd474-7b90-41c0-9168-757b6d5614d1",
+ "version": 1,
+ "metadata": {
+ "component": {
+ "type": "application",
+ "name": "dependency-track",
+ "version": "4.11.1",
+ "description": "Dependency-Track is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain.",
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0",
+ "url": "https://www.apache.org/licenses/LICENSE-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:maven/org.dependencytrack/dependency-track@4.11.1?type=war"
+ }
+ },
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "pkg:maven/us.springett/alpine-common@2.2.5?type=jar",
+ "group": "us.springett",
+ "name": "alpine-common",
+ "version": "2.2.5",
+ "description": "An opinionated scaffolding library that jumpstarts Java projects with an API-first design, secure defaults, and minimal dependencies.",
+ "scope": "required",
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache 2.0",
+ "url": "https://www.apache.org/licenses/LICENSE-2.0"
+ }
+ }
+ ],
+ "purl": "pkg:maven/us.springett/alpine-common@2.2.5?type=jar"
+ },
+ {
+ "type": "library",
+ "bom-ref": "pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar",
+ "publisher": "GlassFish Community",
+ "group": "javax.transaction",
+ "name": "javax.transaction-api",
+ "version": "1.3",
+ "description": "Project GlassFish Java Transaction API",
+ "scope": "required",
+ "licenses": [
+ {
+ "expression": "(CDDL-1.0 OR GPL-2.0-with-classpath-exception)"
+ }
+ ],
+ "purl": "pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar"
+ },
+ {
+ "type": "library",
+ "bom-ref": "pkg:maven/com.pixelmed/any-lib@1.2.3.4?type=jar",
+ "publisher": "Pixelmed",
+ "group": "com.pixelmed",
+ "name": "any-lib",
+ "version": "1.3",
+ "description": "Project GlassFish Java Transaction API",
+ "scope": "required",
+ "purl": "pkg:maven/com.pixelmed/any-lib@1.2.3.4?type=jar"
+ },
+ {
+ "type": "library",
+ "bom-ref": "pkg:maven/org.glassfish.jersey.ext/jersey-bean-validation@2.41?type=jar",
+ "publisher": "Eclipse Foundation",
+ "group": "org.glassfish.jersey.ext",
+ "name": "jersey-bean-validation",
+ "version": "2.41",
+ "description": "Jersey extension module providing support for Bean Validation (JSR-349) API.",
+ "scope": "required",
+ "licenses": [
+ {
+ "license": {
+ "id": "EPL-2.0"
+ }
+ },
+ {
+ "license": {
+ "id": "GPL-2.0-with-classpath-exception"
+ }
+ },
+ {
+ "license": {
+ "id": "BSD-3-Clause"
+ }
+ },
+ {
+ "license": {
+ "id": "BSD-2-Clause"
+ }
+ },
+ {
+ "license": {
+ "name": "Apache License, 2.0",
+ "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
+ }
+ },
+ {
+ "license": {
+ "name": "Public Domain",
+ "url": "https://creativecommons.org/publicdomain/zero/1.0/"
+ }
+ },
+ {
+ "license": {
+ "name": "Modified BSD",
+ "url": "https://asm.ow2.io/license.html"
+ }
+ },
+ {
+ "license": {
+ "name": "jQuery license",
+ "url": "jquery.org/license"
+ }
+ },
+ {
+ "license": {
+ "name": "W3C license",
+ "url": "https://www.w3.org/Consortium/Legal/copyright-documents-19990405"
+ }
+ }
+ ],
+ "purl": "pkg:maven/org.glassfish.jersey.ext/jersey-bean-validation@2.41?type=jar"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/core/src/test/resources/de/medavis/lct/core/patcher/test-component-metadata.json b/core/src/test/resources/de/medavis/lct/core/patcher/test-component-metadata.json
new file mode 100644
index 0000000..57c2f64
--- /dev/null
+++ b/core/src/test/resources/de/medavis/lct/core/patcher/test-component-metadata.json
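Review bot: The `any-lib` component in this fixture disagrees with itself: its `bom-ref` and `purl` carry version `1.2.3.4` while the `version` field says `1.3`, and its `description` repeats the javax.transaction-api text under publisher `Pixelmed`. If the patcher tests select this entry by purl, a matcher keyed on group/name/version would be looking at a different component, so a passing test would not show that both lookups agree on which component gets its license patched. Unless the mismatch is deliberate, align the fields with `"version": "1.2.3.4"` and give the entry a description of its own. If it is deliberate, JSON has no place for a comment, so state the intent in the test that loads this fixture.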
@@ -0,0 +1,1294 @@
+[
+ {
+ "groupMatch": "de\\.medavis.*",
+ "ignore": true
+ },
+ {
+ "groupMatch": "com\\.fg.*",
+ "nameMatch": "xmleditor-medavis",
+ "ignore": true
+ },
+ {
+ "groupMatch": "io\\.agroal\\.*",
+ "mappedName": "Agoral",
+ "ignore": true
+ },
+ {
+ "groupMatch": "gnu\\.getopt\\.*",
+ "mappedName": "Java-Getopt",
+ "url": "https://www.gnu.org/software/gnuprologjava/api/allclasses-noframe.html",
+ "ignore": true
+ },
+ {
+ "groupMatch": "org\\.jboss\\.spec\\.javax\\.xml\\.bind",
+ "nameMatch": "jboss-jaxb-api_.*_spec",
+ "mappedName": "JBoss JAXB API",
+ "url": "https://github.com/jboss/jboss-jaxb-api_spec",
+ "licenses": [
+ "CDDL-1.1",
+ "GPL-2.0"
+ ]
+ },
+ {
+ "groupMatch": "org\\.jboss\\.spec\\.javax\\.annotation",
+ "nameMatch": "jboss-annotations-api_.*_spec",
+ "mappedName": "Java Common Annotations",
+ "url": "https://github.com/javaee/javax.annotation",
+ "licenses": [
+ "CDDL-1.1",
+ "GPL-2.0"
+ ]
+ },
+ {
+ "groupMatch": "javax\\.annotation",
+ "purlMatch": "pkg:maven\\/javax\\.annotation\\/jakarta\\.annotation-api@.*type=jar",
+ "mappedName": "Java Common Annotations",
+ "url": "https://github.com/javaee/javax.annotation",
+ "licenses": [
+ "CDDL-1.1",
+ "GPL-2.0"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.camel",
+ "mappedName": "Apache Camel",
+ "url": "https://github.com/apache/camel/tree/main",
+ "attributionNotices": [
+ "

Apache Camel\nCopyright 2007-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n \n=========================================================================\n==  NOTICE file corresponding to the section 4 d of                    ==\n==  the Apache License, Version 2.0,                                   ==\n==  in this case for the Apache Camel distribution.                    ==\n=========================================================================\n\nApache Camel\nCopyright 2007-2019 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\n=========================================================================\n==  Spring Notice                                                      ==\n=========================================================================\n\nThis product includes software developed by\nthe Apache Software Foundation (http://www.apache.org).\n\nThis product also includes software developed by\nClinton Begin (http://www.ibatis.com).\n\nThe end-user documentation included with a redistribution, if any,\nmust include the following acknowledgement:\n\n \"This product includes software developed by the Spring Framework\n  Project (http://www.springframework.org).\"\n\nAlternately, this acknowledgement may appear in the software itself,\nif and wherever such third-party acknowledgements normally appear.\n\nThe names \"Spring\" and \"Spring Framework\" must not be used to\nendorse or promote products derived from this software without\nprior written permission. 
For written permission, please contact\nrod.johnson@interface21.com or juergen.hoeller@interface21.com.\n\n=========================================================================\n==  OpenShift Notice                                                   ==\n=========================================================================\n\nThis product includes software developed by\nthe OpenShift Project (https://github.com/openshift/openshift-java-client/).\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.derby.*", + "mappedName": "Apache Derby", + "attributionNotices": [ + "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,\n==  Version 2.0, in this case for the Apache Derby distribution.\n==\n==  DO NOT EDIT THIS FILE DIRECTLY. IT IS GENERATED\n==  BY THE buildnotice TARGET IN THE TOP LEVEL build.xml FILE.\n==\n=========================================================================\n\nApache Derby\nCopyright 2004-2018 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\n=========================================================================\n\nPortions of Derby were originally developed by\nInternational Business Machines Corporation and are\nlicensed to the Apache Software Foundation under the\n\"Software Grant and Corporate Contribution License Agreement\",\ninformally known as the \"Derby CLA\".\nThe following copyright notice(s) were affixed to portions of the code\nwith which this file is now or was at one time distributed\nand are placed here unaltered.\n(C) Copyright 1997,2004 International Business Machines Corporation.  All rights reserved.\n(C) Copyright IBM Corp. 2003.\n\n=========================================================================\nThe portion of the functionTests under 'nist' was originally \ndeveloped by the National Institute of Standards and Technology (NIST), \nan agency of the United States Department of Commerce, and adapted by\nInternational Business Machines Corporation in accordance with the NIST\nSoftware Acknowledgment and Redistribution document at\nhttp://www.itl.nist.gov/div897/ctg/sql_form.htm\n\n=========================================================================\n\nThe Derby build relies on source files supplied by the Apache Felix\nproject. The following notice covers the Felix files:\n\n  Apache Felix Main\n  Copyright 2008 The Apache Software Foundation\n\n  I. 
Included Software\n\n  This product includes software developed at\n  The Apache Software Foundation (http://www.apache.org/).\n  Licensed under the Apache License 2.0.\n\n  This product includes software developed at\n  The OSGi Alliance (http://www.osgi.org/).\n  Copyright (c) OSGi Alliance (2000, 2007).\n  Licensed under the Apache License 2.0.\n\n  This product includes software from http://kxml.sourceforge.net.\n  Copyright (c) 2002,2003, Stefan Haustein, Oberhausen, Rhld., Germany.\n  Licensed under BSD License.\n\n  II. Used Software\n\n  This product uses software developed at\n  The OSGi Alliance (http://www.osgi.org/).\n  Copyright (c) OSGi Alliance (2000, 2007).\n  Licensed under the Apache License 2.0.\n\n\n  III. License Summary\n  - Apache License 2.0\n  - BSD License\n\n=========================================================================\n\nThe Derby build relies on jar files supplied by the Apache Lucene\nproject. The following notice covers the Lucene files:\n\nApache Lucene\nCopyright 2013 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nIncludes software from other Apache Software Foundation projects,\nincluding, but not limited to:\n - Apache Ant\n - Apache Jakarta Regexp\n - Apache Commons\n - Apache Xerces\n\nICU4J, (under analysis/icu) is licensed under an MIT styles license\nand Copyright (c) 1995-2008 International Business Machines Corporation and others\n\nSome data files (under analysis/icu/src/data) are derived from Unicode data such\nas the Unicode Character Database. See http://unicode.org/copyright.html for more\ndetails.\n\nBrics Automaton (under core/src/java/org/apache/lucene/util/automaton) is \nBSD-licensed, created by Anders Møller. 
See http://www.brics.dk/automaton/\n\nThe levenshtein automata tables (under core/src/java/org/apache/lucene/util/automaton) were\nautomatically generated with the moman/finenight FSA library, created by\nJean-Philippe Barrette-LaPierre. This library is available under an MIT license,\nsee http://sites.google.com/site/rrettesite/moman and \nhttp://bitbucket.org/jpbarrette/moman/overview/\n\nThe class org.apache.lucene.util.WeakIdentityMap was derived from\nthe Apache CXF project and is Apache License 2.0.\n\nThe Google Code Prettify is Apache License 2.0.\nSee http://code.google.com/p/google-code-prettify/\n\nJUnit (junit-4.10) is licensed under the Common Public License v. 1.0\nSee http://junit.sourceforge.net/cpl-v10.html\n\nThis product includes code (JaspellTernarySearchTrie) from Java Spelling Checkin\ng Package (jaspell): http://jaspell.sourceforge.net/\nLicense: The BSD License (http://www.opensource.org/licenses/bsd-license.php)\n\nThe snowball stemmers in\n  analysis/common/src/java/net/sf/snowball\nwere developed by Martin Porter and Richard Boulton.\nThe snowball stopword lists in\n  analysis/common/src/resources/org/apache/lucene/analysis/snowball\nwere developed by Martin Porter and Richard Boulton.\nThe full snowball package is available from\n  http://snowball.tartarus.org/\n\nThe KStem stemmer in\n  analysis/common/src/org/apache/lucene/analysis/en\nwas developed by Bob Krovetz and Sergio Guzman-Lara (CIIR-UMass Amherst)\nunder the BSD-license.\n\nThe Arabic,Persian,Romanian,Bulgarian, and Hindi analyzers (common) come with a default\nstopword list that is BSD-licensed created by Jacques Savoy.  
These files reside in:\nanalysis/common/src/resources/org/apache/lucene/analysis/ar/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/fa/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/ro/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/bg/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/hi/stopwords.txt\nSee http://members.unine.ch/jacques.savoy/clef/index.html.\n\nThe German,Spanish,Finnish,French,Hungarian,Italian,Portuguese,Russian and Swedish light stemmers\n(common) are based on BSD-licensed reference implementations created by Jacques Savoy and\nLjiljana Dolamic. These files reside in:\nanalysis/common/src/java/org/apache/lucene/analysis/de/GermanLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/de/GermanMinimalStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/es/SpanishLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fi/FinnishLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fr/FrenchLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fr/FrenchMinimalStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/hu/HungarianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/it/ItalianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/pt/PortugueseLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/ru/RussianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/sv/SwedishLightStemmer.java\n\nThe Stempel analyzer (stempel) includes BSD-licensed software developed \nby the Egothor project http://egothor.sf.net/, created by Leo Galambos, Martin Kvapil,\nand Edmond Nolan.\n\nThe Polish analyzer (stempel) comes with a default\nstopword list that is BSD-licensed created by the Carrot2 project. 
The file resides\nin stempel/src/resources/org/apache/lucene/analysis/pl/stopwords.txt.\nSee http://project.carrot2.org/license.html.\n\nThe SmartChineseAnalyzer source code (smartcn) was\nprovided by Xiaoping Gao and copyright 2009 by www.imdict.net.\n\nWordBreakTestUnicode_*.java (under modules/analysis/common/src/test/) \nis derived from Unicode data such as the Unicode Character Database. \nSee http://unicode.org/copyright.html for more details.\n\nThe Morfologik analyzer (morfologik) includes BSD-licensed software\ndeveloped by Dawid Weiss and Marcin Miłkowski (http://morfologik.blogspot.com/).\n\nMorfologik uses data from Polish ispell/myspell dictionary\n(http://www.sjp.pl/slownik/en/) licenced on the terms of (inter alia)\nLGPL and Creative Commons ShareAlike.\n\nMorfologic includes data from BSD-licensed dictionary of Polish (SGJP)\n(http://sgjp.pl/morfeusz/)\n\nServlet-api.jar and javax.servlet-*.jar are under the CDDL license, the original\nsource code for this can be found at http://www.eclipse.org/jetty/downloads.php\n\n===========================================================================\nKuromoji Japanese Morphological Analyzer - Apache Lucene Integration\n===========================================================================\n\nThis software includes a binary and/or source version of data from\n\n  mecab-ipadic-2.7.0-20070801\n\nwhich can be obtained from\n\n  http://atilika.com/releases/mecab-ipadic/mecab-ipadic-2.7.0-20070801.tar.gz\n\nor\n\n  http://jaist.dl.sourceforge.net/project/mecab/mecab-ipadic/2.7.0-20070801/mecab-ipadic-2.7.0-20070801.tar.gz\n\n===========================================================================\nmecab-ipadic-2.7.0-20070801 Notice\n===========================================================================\n\nNara Institute of Science and Technology (NAIST),\nthe copyright holders, disclaims all warranties with regard to this\nsoftware, including all implied warranties of merchantability and\nfitness, in 
no event shall NAIST be liable for\nany special, indirect or consequential damages or any damages\nwhatsoever resulting from loss of use, data or profits, whether in an\naction of contract, negligence or other tortuous action, arising out\nof or in connection with the use or performance of this software.\n\nA large portion of the dictionary entries\noriginate from ICOT Free Software.  The following conditions for ICOT\nFree Software applies to the current dictionary as well.\n\nEach User may also freely distribute the Program, whether in its\noriginal form or modified, to any third party or parties, PROVIDED\nthat the provisions of Section 3 (\"NO WARRANTY\") will ALWAYS appear\non, or be attached to, the Program, which is distributed substantially\nin the same form as set out herein and that such intended\ndistribution, if actually made, will neither violate or otherwise\ncontravene any of the laws and regulations of the countries having\njurisdiction over the User or the intended distribution itself.\n\nNO WARRANTY\n\nThe program was produced on an experimental basis in the course of the\nresearch and development conducted during the project and is provided\nto users as so produced on an experimental basis.  Accordingly, the\nprogram is provided without any warranty whatsoever, whether express,\nimplied, statutory or otherwise.  
The term \"warranty\" used herein\nincludes, but is not limited to, any warranty of the quality,\nperformance, merchantability and fitness for a particular purpose of\nthe program and the nonexistence of any infringement or violation of\nany right of any third party.\n\nEach user of the program will agree and understand, and be deemed to\nhave agreed and understood, that there is no warranty whatsoever for\nthe program and, accordingly, the entire risk arising from or\notherwise connected with the program is assumed by the user.\n\nTherefore, neither ICOT, the copyright holder, or any other\norganization that participated in or was otherwise related to the\ndevelopment of the program and their respective officials, directors,\nofficers and other employees shall be held liable for any and all\ndamages, including, without limitation, general, special, incidental\nand consequential damages, arising out of or otherwise in connection\nwith the use or inability to use the program or any product, material\nor result produced or otherwise obtained by using the program,\nregardless of whether they have been advised of, or otherwise had\nknowledge of, the possibility of such damages at any time during the\nproject or thereafter.  Each user will be deemed to have agreed to the\nforegoing by his or her commencement of use of the program.  
The term\n\"use\" as used herein includes, but is not limited to, the use,\nmodification, copying and distribution of the program and the\nproduction of secondary products from the program.\n\nIn the case where the program, whether in its original form or\nmodified, was distributed or delivered to or received by a user from\nany person, organization or entity other than ICOT, unless it makes or\ngrants independently of ICOT any specific warranty to the user in\nwriting, such person, organization or entity, will also be exempted\nfrom and not be held liable to the user for any such damages as noted\nabove as far as the program is concerned.\n\n=========================================================================\n\nThe Derby build relies on a jar file supplied by the JSON Simple\nproject, hosted at https://code.google.com/p/json-simple/.\nThe JSON simple jar file is licensed under the Apache 2.0 License.\nNo other notice covers that jar file.\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.mina.*", + "mappedName": "Apache MINA", + "attributionNotices": [ + "
Apache POI\nCopyright 2003-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\nThis product contains parts that were originally based on software from BEA.\nCopyright (c) 2000-2003, BEA Systems, <http://www.bea.com/> (dead link),\nwhich was acquired by Oracle Corporation in 2008.\n<http://www.oracle.com/us/corporate/Acquisitions/bea/index.html>\n<https://en.wikipedia.org/wiki/BEA_Systems>\nNote: The ASF Secretary has on hand a Software Grant Agreement (SGA) from\nBEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.\n\nThis product contains W3C XML Schema documents. Copyright 2001-2003 (c)\nWorld Wide Web Consortium (Massachusetts Institute of Technology, European\nResearch Consortium for Informatics and Mathematics, Keio University)\n\nThis product contains the chunks_parse_cmds.tbl file from the vsdump program.\nCopyright (C) 2006-2007 Valek Filippov (frob@df.ru)\n\nThis product contains parts of the eID Applet project\n<http://eid-applet.googlecode.com> and <https://github.com/e-Contract/eid-applet>.\nCopyright (c) 2009-2018\nFedICT (federal ICT department of Belgium), e-Contract.be BVBA (https://www.e-contract.be),\nBart Hanssens from FedICT\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.poi.*", + "mappedName": "Apache POI", + "url": "https://svn.apache.org/repos/asf/poi/", + "attributionNotices": [ + "Apache POI
\nCopyright 2003-2022 The Apache Software Foundation
\n

\nThis product includes software developed at
\nThe Apache Software Foundation (https://www.apache.org/).
\n

\nThis product contains parts that were originally based on software from BEA.
\nCopyright (c) 2000-2003, BEA Systems, (dead link),
\nwhich was acquired by Oracle Corporation in 2008.
\n
\n
\nNote: The ASF Secretary has on hand a Software Grant Agreement (SGA) from
\nBEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.
\n

\nThis product contains W3C XML Schema documents. Copyright 2001-2003 (c)
\nWorld Wide Web Consortium (Massachusetts Institute of Technology, European
\nResearch Consortium for Informatics and Mathematics, Keio University)
\n

\nThis product contains the chunks_parse_cmds.tbl file from the vsdump program.
\nCopyright (C) 2006-2007 Valek Filippov (frob@df.ru)
\n

\nThis product contains parts of the eID Applet project\n and .
\nCopyright (c) 2009-2018
\nFedICT (federal ICT department of Belgium), e-Contract.be BVBA (https://www.e-contract.be),
\nBart Hanssens from FedICT
" + ] + }, + { + "nameMatch": "xmlbeans", + "mappedName": "Apache XMLBeans", + "attributionNotices": [ + "
   =========================================================================\n   ==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n   ==  Version 2.0, in this case for the Apache XmlBeans distribution.    ==\n   =========================================================================\n\n   This product includes software developed at\n   The Apache Software Foundation (http://www.apache.org/).\n\n   Portions of this software were originally based on the following:\n     - software copyright (c) 2000-2003, BEA Systems, <http://www.bea.com/>.\n   Note: The ASF Secretary has on hand a Software Grant Agreement (SGA) from\n   BEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.\n\n   Aside from contributions to the Apache XMLBeans project, this\n   software also includes:\n\n    - one or more source files from the Apache Xerces-J and Apache Axis\n      products, Copyright (c) 1999-2003 Apache Software Foundation\n\n    - W3C XML Schema documents Copyright 2001-2003 (c) World Wide Web\n      Consortium (Massachusetts Institute of Technology, European Research\n      Consortium for Informatics and Mathematics, Keio University)\n\n    - resolver.jar from Apache Xml Commons project,\n      Copyright (c) 2001-2003 Apache Software Foundation\n  
" + ] + }, + { + "nameMatch": "xmlsec", + "mappedName": "Apache XMLSec", + "url": "https://github.com/apache/santuario-xml-security-java/tree/main", + "licenses": [ + "Apache-2.0" + ], + "attributionNotices": [ + "
Apache Santuario - XML Security for Java\nCopyright 1999-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nIt was originally based on software copyright (c) 2001, Institute for\nData Communications Systems, <http://www.nue.et-inf.uni-siegen.de/>.\n\nThe development of this software was partly funded by the European\nCommission in the <WebSig> project in the ISIS Programme.\n\nThis product contains software that is\ncopyright (c) 2021, Oracle and/or its affiliates.\n
" + ] + }, + { + "groupMatch": "org\\.aspectj", + "mappedName": "AspectJ", + "url": "https://github.com/eclipse/org.aspectj/tree/V1_6_X" + }, + { + "nameMatch": "validation-api", + "mappedName": "Bean Validation API", + "attributionNotices": [ + "
# Notices for Eclipse Jakarta Bean Validation\n\nThis content is produced and maintained by the Eclipse Jakarta Bean Validation\nproject.\n\n* Project home: https://projects.eclipse.org/projects/ee4j.bean-validation\n\n## Trademarks\n\n Jakarta Bean Validation is a trademark of the Eclipse Foundation.\n\n## Copyright\n\nAll content is the property of the respective authors or their employers. For\nmore information regarding authorship of content, please consult the listed\nsource code repository logs.\n\n## Declared Project Licenses\n\nThis program and the accompanying materials are made available under the terms\nof the Apache License, Version 2.0 which is available at\nhttps://www.apache.org/licenses/LICENSE-2.0.\n\nSPDX-License-Identifier: Apache-2.0\n\n## Source Code\n\nThe project maintains the following source code repositories:\n\n * [The specification repository](https://github.com/eclipse-ee4j/beanvalidation-spec)\n * [The API repository](https://github.com/eclipse-ee4j/beanvalidation-api)\n * [The TCK repository](https://github.com/eclipse-ee4j/beanvalidation-tck)\n\n## Third-party Content\n\nThis project leverages the following third party content.\n\nTest dependencies:\n\n * [TestNG](https://github.com/cbeust/testng) - Apache License 2.0\n * [JCommander](https://github.com/cbeust/jcommander) - Apache License 2.0\n * [SnakeYAML](https://bitbucket.org/asomov/snakeyaml/src) - Apache License 2.0\n\n
" + ] + }, + { + "groupMatch": "org\\.bouncycastle.*", + "mappedName": "Bouncy Castle Crypto Package" + }, + { + "nameMatch": "byte-buddy", + "mappedName": "Byte Buddy", + "url": "https://github.com/raphw/byte-buddy", + "attributionNotices": [ + "
Copyright ${project.inceptionYear} - Present ${copyright.holder}\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n
" + ] + }, + { + "groupMatch": "com\\.github\\.ben-manes\\.caffeine.*", + "mappedName": "Caffeine", + "url": "https://github.com/ben-manes/caffeine" + }, + { + "groupMatch": "com\\.fasterxml", + "nameMatch": "classmate", + "mappedName": "Classmate", + "url": "https://github.com/FasterXML/java-classmate" + }, + { + "nameMatch": "commons-collections4", + "mappedName": "Commons Collections", + "attributionNotices": [ + "
Apache Commons Collections\nCopyright 2001-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-compress", + "mappedName": "Commons Compress", + "attributionNotices": [ + "
Apache Commons Compress\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\n---\n\nThe files in the package org.apache.commons.compress.archivers.sevenz\nwere derived from the LZMA SDK, version 9.20 (C/ and CPP/7zip/),\nwhich has been placed in the public domain:\n\n\"LZMA SDK is placed in the public domain.\" (http://www.7-zip.org/sdk.html)\n\n---\n\nThe test file lbzip2_32767.bz2 has been copied from libbzip2's source\nrepository:\n\nThis program, \"bzip2\", the associated library \"libbzip2\", and all\ndocumentation, are copyright (C) 1996-2019 Julian R Seward.  All\nrights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer.\n\n2. The origin of this software must not be misrepresented; you must\n   not claim that you wrote the original software.  If you use this\n   software in a product, an acknowledgment in the product\n   documentation would be appreciated but is not required.\n\n3. Altered source versions must be plainly marked as such, and must\n   not be misrepresented as being the original software.\n\n4. The name of the author may not be used to endorse or promote\n   products derived from this software without specific prior written\n   permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\nOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\nARE DISCLAIMED.  
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\nDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE\nGOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\nINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\nJulian Seward, jseward@acm.org\n
" + ] + }, + { + "nameMatch": "commons-fileupload", + "mappedName": "Commons File Upload", + "attributionNotices": [ + "
Apache Commons FileUpload\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-io", + "mappedName": "Commons IO", + "attributionNotices": [ + "
Apache Commons IO\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-lang", + "mappedName": "Commons Lang", + "url": "https://github.com/apache/commons-lang" + }, + { + "nameMatch": "commons-math3", + "mappedName": "Commons Math", + "attributionNotices": [ + "Copyright 2001-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software developed for Orekit by\nCS Systèmes d'Information (http://www.c-s.fr/)\nCopyright 2010-2012 CS Systèmes d'Information" + ] + }, + { + "groupMatch": "com\\.github\\.virtuald", + "nameMatch": "curvesapi", + "mappedName": "Curve API", + "url": "https://github.com/virtuald/curvesapi", + "attributionNotices": [ + "
The original project used a BSD license, and remains so.\n\ncom.graphbuilder.org.apache.harmony.awt.gl.Crossing is from the Apache Harmony project and is released under the Apache 2.0 license.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "ezmorph",
+ "mappedName": "EZMorph"
+ },
+ {
+ "groupMatch": "org\\.flywaydb.*",
+ "mappedName": "Flyway",
+ "url": "https://github.com/flyway/flyway/tree/main",
+ "attributionNotices": [
+ "
License\nCopyright © Red Gate Software Ltd 2010-2022\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\nTrademark\nFlyway is a registered trademark of Boxfuse GmbH, owned by Red Gate Software Ltd.\n
\n"
+ ]
+ },
+ {
+ "groupMatch": "com\\.google\\.code\\.gson",
+ "mappedName": "Gson",
+ "url": "https://github.com/google/gson/tree/master",
+ "attributionNotices": [
+ "
License\nGson is released under the Apache 2.0 license.\n\nCopyright 2008 Google Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\nDisclaimer\nThis is not an officially supported Google product.\n
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.googlecode\\.concurrentlinkedhashmap\\.*",
+ "url": "https://github.com/ben-manes/concurrentlinkedhashmap",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.h2database",
+ "mappedName": "H2 Database",
+ "licenses": [
+ "MPL-2.0",
+ "EPL-1.0"
+ ]
+ },
+ {
+ "groupMatch": "ca\\.uhn\\.hapi.*",
+ "mappedName": "HAPI",
+ "url": "https://github.com/hapifhir/hapi-hl7v2/tree/v2.3",
+ "licenses": [
+ "GPL-3.0",
+ "MPL-1.1"
+ ]
+ },
+ {
+ "groupMatch": "org\\.hibernate",
+ "mappedName": "Hibernate",
+ "url": "https://github.com/hibernate/hibernate-orm",
+ "licenses" : [
+ "LGPL-2.1"
+ ]
+ },
+ {
+ "nameMatch": "hsqldb",
+ "mappedName": "HSQL DB",
+ "attributionNotices": [
+ "
The highly configurable java source code formatter Jindent is used to format the HSQLDB source code.\nThis Software is developed and published by the HSQL Development Group\n\nFred Toussi (fredt (at) users.sourceforge.net)\nBlaine Simpson (blaine dot simpson (at) admc dot com)\n\nhttp://hsqldb.org\n
\n"
+ ],
+ "licenses": [
+ "HyperSQL License"
+ ]
+ },
+ {
+ "nameMatch": "(infinispan-commons)|(infinispan-core)",
+ "mappedName": "Infinispan"
+ },
+ {
+ "groupMatch": "com\\.sun\\.istack",
+ "mappedName": "iStack Common",
+ "url": "https://javaee.github.io/jaxb-istack-commons/"
+ },
+ {
+ "nameMatch": "protostream",
+ "mappedName": "Infinispan protostream"
+ },
+ {
+ "groupMatch": "com\\.fasterxml\\.jackson.*",
+ "mappedName": "Jackson"
+ },
+ {
+ "groupMatch": "javax\\.activation",
+ "mappedName": "JavaBeans Activation Framework",
+ "url": "https://github.com/javaee/activation",
+ "attributionNotices": [
+ "
# Notices for Jakarta Activation\n\nThis content is produced and maintained by the Jakarta Activation project.\n\n* Project home: https://projects.eclipse.org/projects/ee4j.jaf\n\n## Trademarks\n\nJakarta Activation is a trademark of the Eclipse Foundation.\n\n## Copyright00\n\nAll content is the property of the respective authors or their employers. For\nmore information regarding authorship of content, please consult the listed\nsource code repository logs.\n\n## Declared Project Licenses\n\nThis program and the accompanying materials are made available under the terms\nof the Eclipse Public License v. 2.0 which is available at\nhttps://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License v1.0\nwhich is available at https://www.eclipse.org/org/documents/edl-v10.php. This\nSource Code may also be made available under the following Secondary Licenses\nwhen the conditions for such availability set forth in the Eclipse Public\nLicense v. 2.0 are satisfied: (secondary) GPL-2.0 with Classpath-exception-2.0\nwhich is available at https://openjdk.java.net/legal/gplv2+ce.html.\n\nSPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with\nClasspath-exception-2.0\n\n## Cryptography\n\nContent may contain encryption software. The country in which you are currently\nmay have restrictions on the import, possession, and use, and/or re-export to\nanother country, of encryption software. BEFORE using any encryption software,\nplease check the country's laws, regulations and policies concerning the import,\npossession, or use, and re-export of encryption software, to see if this is\npermitted.
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.fge",
+ "mappedName": "Java Json Tools",
+ "url": "https://github.com/java-json-tools"
+ },
+ {
+ "groupMatch": "com\\.github\\.stephenc\\.jcip",
+ "mappedName": "JCIP annotations",
+ "url": "https://github.com/stephenc/jcip-annotations"
+ },
+ {
+ "groupMatch": "org\\.javassist",
+ "mappedName": "Javassist",
+ "url": "https://www.javassist.org/"
+ },
+ {
+ "groupMatch": "javax\\.persistence",
+ "mappedName": "Java Persistence API",
+ "url": "https://github.com/javaee/jpa-spec"
+ },
+ {
+ "groupMatch": "org\\.jboss\\.spec\\.javax\\.transaction",
+ "nameMatch": "jboss\\-transaction\\-api_.*_spec",
+ "mappedName": "Java Transaction API",
+ "url": "https://github.com/javaee/javax.transaction"
+ },
+ {
+ "groupMatch": "org\\.glassfish\\.grizzly.*",
+ "mappedName": "Grizzly",
+ "url": "https://javaee.github.io/grizzly/",
+ "licenses": [
+ "CDDL-1.1",
+ "GPL-2"
+ ]
+ },
+ {
+ "groupMatch": "(com\\.sun\\.xml\\.bind)|(org\\.glassfish\\.jaxb)|(javax\\.xml\\.bind)",
+ "mappedName": "JAXB",
+ "url": "https://javaee.github.io/jaxb-v2/",
+ "attributionNotices": [
+ "
Licensing and Governance\nJAXB is licensed under a dual license - CDDL 1.1 and GPL 2.0 with Class-path Exception. That means you can choose which one of the two suits your needs better and use it under those terms.\n\nWe use GlassFish Governance Policy, which means we can only accept contributions under the terms of OCA.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "jaxb2-basics-runtime",
+ "mappedName": "JAXB2 Basics Runtime",
+ "licenses": [
+ "BSD-2-Clause"
+ ]
+ },
+ {
+ "groupMatch": "org\\.jboss\\.spec\\.javax\\.ws\\.rs",
+ "nameMatch": "jboss\\-jaxrs\\-api_.*_spec",
+ "mappedName": "JAX-RS",
+ "url": "https://github.com/javaee/jax-rs-api"
+ },
+ {
+ "nameMatch": "jbcrypt",
+ "mappedName": "jBCrypt",
+ "attributionNotices": [
+ "
Copyright (c) 2006 Damien Miller \n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n
\n"
+ ],
+ "licenses": [
+ "ISC"
+ ]
+ },
+ {
+ "nameMatch": "jboss-threads",
+ "mappedName": "JBoss Threads",
+ "attributionNotices": [
+ "
Copyright (c) 2006 Damien Miller \n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "joda-time",
+ "mappedName": "Joda Time",
+ "attributionNotices": [
+ "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes software developed by\nJoda.org (https://www.joda.org/).\n
"
+ ]
+ },
+ {
+ "nameMatch": "json-lib",
+ "mappedName": "JSON-lib",
+ "url": "https://github.com/kordamp/json-lib",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "jgroups",
+ "mappedName": "JGroups"
+ },
+ {
+ "nameMatch": "jsoup",
+ "mappedName": "JSoup"
+ },
+ {
+ "nameMatch": "jtds",
+ "mappedName": "jTDS JDBC Driver",
+ "licenses": [
+ "LGPL-2.1"
+ ]
+ },
+ {
+ "groupMatch": "org\\.keycloak.*",
+ "mappedName": "Keycloak",
+ "url": "https://github.com/keycloak/keycloak",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.googlecode\\.libphonenumber",
+ "mappedName": "Libphonenumber"
+ },
+ {
+ "groupMatch": "org\\.apache\\.logging\\.log4j",
+ "mappedName": "Log4J",
+ "attributionNotices": [
+ "
Apache Log4j\nCopyright 1999-2021 Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nResolverUtil.java\nCopyright 2005-2006 Tim Fennell\n\nDumbster SMTP test server\nCopyright 2004 Jason Paul Kitchen\n\nTypeUtil.java\nCopyright 2002-2012 Ramnivas Laddad, Juergen Hoeller, Chris Beams\n\npicocli (http://picocli.info)\nCopyright 2017 Remko Popma\n\nTimeoutBlockingWaitStrategy.java and parts of Util.java\nCopyright 2011 LMAX Ltd.\n
"
+ ]
+ },
+ {
+ "nameMatch": "mapstruct",
+ "mappedName": "Mapstruct",
+ "attributionNotices": [
+ "
\n Copyright MapStruct Authors.\n\n MapStruct is licensed under the Apache License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0\n\n------------------------------------------------------------------------\n\n MAPSTRUCT SUBCOMPONENTS WITH DIFFERENT COPYRIGHT OWNERS\n\n The MapStruct distribution (ZIP, TAR.GZ) as well as the MapStruct\n library (JAR) include FreeMarker, a software developed by Attila\n Szegedi, Daniel Dekany and Jonathan Revusky. FreeMarker is licensed\n under the same license as MapStruct itself - Apache License, Version\n 2.0 - but the copyright owners are the aforementioned individuals.\n\n The MapStruct distribution (ZIP, TAR.GZ) as well as the MapStruct\n library (JAR) include a number of files that are licensed by the\n Apache Software Foundation under the same license as MapStruct itself -\n Apache License, Version 2.0 - but the copyright owner is the Apache\n Software Foundation. These files are:\n\n     freemarker/ext/jsp/web-app_2_2.dtd\n     freemarker/ext/jsp/web-app_2_3.dtd\n     freemarker/ext/jsp/web-app_2_4.xsd\n     freemarker/ext/jsp/web-app_2_5.xsd\n     freemarker/ext/jsp/web-jsptaglibrary_1_1.dtd\n     freemarker/ext/jsp/web-jsptaglibrary_1_2.dtd\n     freemarker/ext/jsp/web-jsptaglibrary_2_0.xsd\n     freemarker/ext/jsp/web-jsptaglibrary_2_1.xsd\n
"
+ ]
+ },
+ {
+ "nameMatch": "mariadb-java-client",
+ "mappedName": "Maria DB Java Client"
+ },
+ {
+ "nameMatch": "microprofile-config-api",
+ "mappedName": "MicroProfile Config API",
+ "attributionNotices": [
+ "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n==  Version 2.0, in this case for Microprofile Config                  ==\n=========================================================================\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nPortions of this software were originally based on the following:\n* Apache DeltaSpike Config\n  https://deltaspike.apache.org\n  under Apache License, v2.0\n\nSPDXVersion: SPDX-2.1\nPackageName: Eclipse Microprofile\nPackageHomePage: http://www.eclipse.org/microprofile\nPackageLicenseDeclared: Apache-2.0\n\nPackageCopyrightText: <text>\nMark Struberg struberg@apache.org,\nGerhard Petracek gpetracek@apache.org,\nRomain Manni-Bucau rmannibucau@apache.org,\nRon Smeral rsmeral@apache.org,\nEmily Jiang emijiang@uk.ibm.com,\nOndrej Mihalyi ondrej.mihalyi@gmail.com,\nGunnar Morling gunnar@hibernate.org\n</text>\n
"
+ ]
+ },
+ {
+ "nameMatch": "microprofile-metrics-api",
+ "mappedName": "MicroProfile Metrics API",
+ "attributionNotices": [
+ "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n==  Version 2.0, in this case for Microprofile Metrics                 ==\n=========================================================================\n\nPortions of this software were originally based on the following:\n* Dropwizard Metrics\n  http://metrics.dropwizard.io/3.2.3/\n  under Apache License, v2.0\n\n* CDI Extension for Metrics by Antonin Stefanutti\n  https://github.com/astefanutti/metrics-cdi\n  under Apache License, v2.0\n\nSPDXVersion: SPDX-2.1\nPackageName: Eclipse Microprofile\nPackageHomePage: http://www.eclipse.org/microprofile\nPackageLicenseDeclared: Apache-2.0\n\nPackageCopyrightText: <text>\nHeiko Rupp hrupp@redhat.com,\nRaymond Lam lamr@ca.ibm.com,\nBrennan Nichyporuk brennan.nichyporuk@gmail.com,\nDavid Chan chdavid@ca.ibm.com,\nDon Bourne dbourne@ca.ibm.com,\nAntonin Stefanutti antonin@stefanutti.fr,\nArjun Sharma arjun.a.sharma@ibm.com,\nFahham Khan fahhamk@ca.ibm.com,\nFelix Wong fmhwong@ca.ibm.com,\nMike Croft mike.croft@payara.fish,\nWerner Keil werner@catmedia.us,\nJan Martiska jmartisk@redhat.com\n</text>\n
"
+ ]
+ },
+ {
+ "nameMatch": "org\\.osgi\\.org\\.osgi.*",
+ "mappedName": "OSGI"
+ },
+ {
+ "nameMatch": "annotation\\.versioning",
+ "mappedName": "OSGI Versioning",
+ "url": "https://docs.osgi.org/javadoc/r6/annotation/"
+ },
+ {
+ "nameMatch": "passay",
+ "mappedName": "Passay",
+ "url": "https://github.com/vt-middleware/passay",
+ "attributionNotices": [
+ "
Passay Java Library\nCopyright (C) 2003-2022 Virginia Tech.\nAll rights reserved.\n\nThis product includes software developed at\nVirginia Tech (http://www.vt.edu).\n
"
+ ],
+ "licenses": [
+ "Apache-2.0",
+ "LGPL-3.0"
+ ]
+ },
+ {
+ "nameMatch": "ph-commons",
+ "mappedName": "ph-commons",
+ "attributionNotices": [
+ "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes Open Source Software developed by\nPhilip Helger - https://www.helger.com/\n\nThis product includes Open Source Software developed by phloc systems (http://www.phloc.com/)\n\nThis product includes/uses software(s) developed by 'Apache Software Foundation' (http://www.apache.org/)\n  - Abdera I18N (http://abdera.apache.org/)\n  - commons-primitives (http://commons.apache.org/proper/commons-primitives/)\n  - commons-codec (http://commons.apache.org/proper/commons-codec/)\n\nThis product includes/uses software(s) developed by 'Robert Harder' (http://iharder.net/)\n  - Base64 (http://iharder.net/base64)\n\nThis product includes/uses software(s) developed by 'Bytecode Pty Ltd.'\n  - OpenCSV (http://sourceforge.net/projects/opencsv/)\n
"
+ ]
+ },
+ {
+ "nameMatch": "ph-css",
+ "mappedName": "ph-css",
+ "attributionNotices": [
+ "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes Open Source Software developed by\nPhilip Helger - https://www.helger.com/\n\nThis product includes Open Source Software developed by phloc systems (http://www.phloc.com/)\n
"
+ ]
+ },
+ {
+ "nameMatch": "reactive-streams",
+ "mappedName": "Reactive Streams",
+ "url": "https://github.com/reactive-streams/reactive-streams-jvm/tree/master",
+ "attributionNotices": [
+ "
Legal\n  This project is a collaboration between engineers from Kaazing, Lightbend, Netflix, Pivotal, Red Hat, Twitter and many others. This project is licensed under MIT No Attribution (SPDX: MIT-0).\n
\n\n"
+ ],
+ "licenses": [
+ "MIT-0"
+ ]
+ },
+ {
+ "nameMatch": "reflections",
+ "mappedName": "Reflections",
+ "attributionNotices": [
+ "
            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE\n                    Version 2, December 2004\n\n Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>\n\n Everyone is permitted to copy and distribute verbatim or modified\n copies of this license document, and changing it is allowed as long\n as the name is changed.\n\n            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE\n   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n  0. You just DO WHAT THE FUCK YOU WANT TO.\n\n
"
+ ]
+ },
+ {
+ "nameMatch": "resteasy-cache-core",
+ "mappedName": "RESTEasy Cache Core"
+ },
+ {
+ "nameMatch": "rxjava",
+ "mappedName": "RxJava",
+ "url": "https://github.com/ReactiveX/RxJava",
+ "attributionNotices": [
+ "
Copyright (c) 2016-present, RxJava Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n
"
+ ]
+ },
+ {
+ "nameMatch": "SparseBitSet",
+ "mappedName": "SparseBitSet"
+ },
+ {
+ "nameMatch": "sqlite-jdbc",
+ "mappedName": "SQLITE JDBC",
+ "url": "https://github.com/xerial/sqlite-jdbc/tree/master",
+ "attributionNotices": [
+ "
This product includes the following softwares developed by David Crawshaw.\nSee LICENSE.zentus file.\n\nAnd also, NestedVM (Apache License Version 2.0) is used inside sqlite-
"
+ ]
+ },
+ {
+ "nameMatch": "swagger-annotations",
+ "mappedName": "Swagger",
+ "attributionNotices": [
+ "
This product includes the following softwares developed by David Crawshaw.\nSee LICENSE.zentus file.\n\nAnd also, NestedVM (Apache License Version 2.0) is used inside sqlite-
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.vaadin.*",
+ "mappedName": "Vaadin",
+ "url": "https://github.com/vaadin",
+ "licenses": [
+ "Apache-2.0",
+ "CVAL-3.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.vaadin\\.flow.*",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "groupMatch": "com\\.vaadin.*",
+ "nameMatch": "vaadin-lumo-theme|vaadin-lumo-theme|vaadin-cdi",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "groupMatch": "com\\.vaadin\\.external.*",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "nameMatch": "enhanced-date-time-picker",
+ "mappedName": "Vaadin Componentfactory Enhanced Date Time Picker",
+ "url": "https://github.com/vaadin-component-factory/enhanced-date-time-picker",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "mobile-drag-drop",
+ "mappedName": "Webjars NPM Mobile drag and drop"
+ },
+ {
+ "nameMatch": "vaadin__vaadin-mobile-drag-drop",
+ "mappedName": "Webjars NPM Vaadin Mobile drag and drop"
+ },
+ {
+ "nameMatch": "polymer",
+ "mappedName": "Webjars Polymer"
+ },
+ {
+ "nameMatch": "iron-a11y-announcer",
+ "mappedName": "Webjars Polymerelement iron-a11y-announcer"
+ },
+ {
+ "nameMatch": "iron-scroll-target-behavior",
+ "mappedName": "Webjars Polymerelement iron-scroll-target-behavior"
+ },
+ {
+ "nameMatch": "iron-resizable-behavior",
+ "mappedName": "Webjars Polymerelement iron-resizable-behavior"
+ },
+ {
+ "nameMatch": "iron-meta",
+ "mappedName": "Webjars Polymerelement iron-meta"
+ },
+ {
+ "nameMatch": "iron-a11y-keys-behavior",
+ "mappedName": "Webjars Polymerelement iron-a11y-keys-behavior"
+ },
+ {
+ "nameMatch": "iron-fit-behavior",
+ "mappedName": "Webjars Polymerelement iron-fit-behavior"
+ },
+ {
+ "nameMatch": "iron-iconset-svg",
+ "mappedName": "Webjars Polymerelements iron-iconset-svg"
+ },
+ {
+
"nameMatch": "iron-icon",
+ "mappedName": "Webjars Polymerelements iron-icon"
+ },
+ {
+ "nameMatch": "iron-media-query",
+ "mappedName": "Webjars Polymerelement iron-media-query"
+ },
+ {
+ "nameMatch": "iron-flex-layout",
+ "mappedName": "Webjars Polymerelement iron-flex-layout"
+ },
+ {
+ "nameMatch": "iron-list",
+ "mappedName": "Webjars Polymerelement iron-list"
+ },
+ {
+ "nameMatch": "iron-overlay-behavior",
+ "mappedName": "Webjars Polymerelement iron-overlay-behavior"
+ },
+ {
+ "nameMatch": "polymer",
+ "mappedName": "Webjars Vaadin Button",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-combo-box",
+ "mappedName": "Webjars Vaadin Combo Box",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-control-state-mixin",
+ "mappedName": "Webjars Vaadin Control State Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-element-mixin",
+ "mappedName": "Webjars Vaadin Element Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-custom-field",
+ "mappedName": "Webjars Vaadin Custom Field",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-date-picker",
+ "mappedName": "Webjars Vaadin Date Picker",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "(vaadin-time-picker)|(vaadin-button)",
+ "mappedName": "Webjars Vaadin Time Picker, Button",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-date-time-picker",
+ "mappedName": "Webjars Vaadin Date Time Picker",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-development-mode-detector",
+ "mappedName": "Webjars Vaadin Development Mode Detector",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-item",
+ "mappedName": "Webjars Vaadin Item",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-lumo-styles",
+ "mappedName": "Webjars Vaadin Lumo Styles",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-material-styles",
+ "mappedName": "Webjars Vaadin Material Styles",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-overlay",
+ "mappedName": "Webjars Vaadin Overlay",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-text-field",
+ "mappedName": "Webjars Vaadin Text Field",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-themable-mixin",
+ "mappedName": "Webjars Vaadin Themable Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-themable-mixin",
+ "mappedName": "Webjars Vaadin Themable Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-usage-statistics",
+ "mappedName": "Webjars Vaadin Statistics Usage",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "shadycss",
+ "mappedName": "Webjars Webcomponents Shady CSS"
+ },
+ {
+ "nameMatch": "webcomponentsjs",
+ "mappedName": "Webjars Webcomponents JS"
+ },
+ {
+ "nameMatch": "wildfly-common",
+ "mappedName": "Wildfly Common",
+ "attributionNotices": [
+ "
License\nThis software is in the public domain\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "xml-apis",
+ "mappedName": "XML APIs",
+ "url": "http://svn.apache.org/repos/asf/xerces/xml-commons/",
+ "attributionNotices": [
+ "
   =========================================================================\n   ==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n   ==  Version 2.0, in this case for the Apache xml-commons xml-apis      ==\n   ==  distribution.                                                      ==\n   =========================================================================\n\n   Apache XML Commons\n   Copyright 2001-2003,2006 The Apache Software Foundation.\n\n   This product includes software developed at\n   The Apache Software Foundation (http://www.apache.org/).\n\n   Portions of this software were originally based on the following:\n     - software copyright (c) 1999, IBM Corporation., http://www.ibm.com.\n     - software copyright (c) 1999, Sun Microsystems., http://www.sun.com.\n     - software copyright (c) 2000 World Wide Web Consortium, http://www.w3.org\n
"
+ ],
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "aopalliance",
+ "mappedName": "AOP Alliance (Java/J2EE AOP standards)",
+ "url": "http://aopalliance.cvs.sourceforge.net:/cvsroot/aopalliance"
+ },
+ {
+ "nameMatch": "ch-commons-charset",
+ "mappedName": "ch-commons-charset",
+ "url": "https://github.com/jjlauer/cloudhopper-commons-charset",
+ "attributionNotices": [
+ "
\nch-commons-charset is Copyright (C) 2011 Twitter, Inc.\n\nLicensed under the Apache License, Version 2.0 (the "License"); you may not\nuse this work except in compliance with the License. You may obtain a copy of\nthe License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an "AS IS" BASIS, WITHOUT\nWARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the\nLicense for the specific language governing permissions and limitations under\nthe License.
\n"
+ ]
+ },
+ {
+ "groupMatch": "xerces",
+ "mappedName": "Apache Xerces - Impl",
+ "url": "https://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_8_0/"
+ },
+ {
+ "groupMatch": "apache-xerces",
+ "mappedName": "Apache Xerces",
+ "url": "https://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_9_1/",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.kenglxn\\.qrgen",
+ "mappedName": "QRGen",
+ "url": "https://github.com/kenglxn/QRGen"
+ },
+ {
+ "groupMatch": "com\\.beust",
+ "nameMatch": "jcommander",
+ "mappedName": "JCommander",
+ "url": "https://github.com/cbeust/jcommander"
+ },
+ {
+ "groupMatch": "com\\.github\\.librepdf",
+ "nameMatch": "openpdf",
+ "mappedName": "OpenPDF",
+ "url": "https://github.com/LibrePDF/OpenPDF",
+ "attributionNotices": [
+ "
\n# Licenses\n\n## Licenses of OpenPDF\n\n### Mozilla Public License Version 2.0\n\nPlease see https://www.mozilla.org/en-US/MPL/2.0/ or the attached file\n[MPL-2.0.txt](src/main/resources/META-INF/MPL-2.0.txt).\n\n### GNU Lesser General Public License 2.1\n\nPlease see https://www.gnu.org/licenses/old-licenses/lgpl-2.1 or the attached file\n[LGPL-2.1.md](src/main/resources/META-INF/LGPL-2.1.md).\n
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.albfernandez",
+ "nameMatch": "juniversalchardet",
+ "mappedName": "juniversalchardet",
+ "url": "https://github.com/albfernandez/juniversalchardet"
+ },
+ {
+ "groupMatch": "com\\.google\\.zxing",
+ "mappedName": "ZXing",
+ "url": "https://github.com/zxing/zxing",
+ "attributionNotices": [
+ "
Copyright (c) 2005 Sun Microsystems, Inc.\nCopyright © 2010-2014 University of Manchester\nCopyright © 2010-2015 Stian Soiland-Reyes\nCopyright © 2015 Peter Hull\nAll Rights Reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n- Redistribution of source code must retain the above copyright\n  notice, this list of conditions and the following disclaimer.\n\n- Redistribution in binary form must reproduce the above copyright\n  notice, this list of conditions and the following disclaimer in\n  the documentation and/or other materials provided with the\n  distribution.\n\nNeither the name of Sun Microsystems, Inc. or the names of\ncontributors may be used to endorse or promote products derived\nfrom this software without specific prior written permission.\n\nThis software is provided "AS IS," without a warranty of any\nkind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND\nWARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY\nEXCLUDED. SUN MIDROSYSTEMS, INC. ("SUN") AND ITS LICENSORS SHALL\nNOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF\nUSING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS\nDERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR\nANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,\nCONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND\nREGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR\nINABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\nYou acknowledge that this software is not designed or intended for\nuse in the design, construction, operation or maintenance of any\nnuclear facility.
\n" + ] + }, + { + "groupMatch": "org\\.apache\\.activemq\\.protobuf", + "mappedName": "Apache ActiveMQ - Protobuf" + }, + { + "groupMatch": "org\\.apache\\.activemq", + "mappedName": "Apache ActiveMQ", + "url": "https://github.com/apache/activemq" + }, + { + "groupMatch": "net\\.java\\.dev\\.jna", + "mappedName": "Java Native Access (JNA)", + "url": "https://github.com/java-native-access/jna", + "attributionNotices": [ + "
\nSPDX-License-Identifier: Apache-2.0 OR LGPL-2.1\n\nJava Native Access (JNA) is licensed under the LGPL, version 2.1\nor later, or (from version 4.0 onward) the Apache License,\nversion 2.0.\n\nYou can freely decide which license you want to apply to the project.\n\nYou may obtain a copy of the LGPL License at:\n\nhttp://www.gnu.org/licenses/licenses.html\n\nA copy is also included in the downloadable source code package\ncontaining JNA, in file "LGPL2.1", under the same directory\nas this file.\n\nYou may obtain a copy of the Apache License at:\n\nhttp://www.apache.org/licenses/\n\nA copy is also included in the downloadable source code package\ncontaining JNA, in file "AL2.0", under the same directory\nas this file.\n\nCommercial support may be available, please e-mail\ntwall[at]users[dot]sf[dot]net.\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.pdfbox", + "mappedName": "PDFBox", + "url": "https://svn.apache.org/repos/asf/pdfbox/", + "attributionNotices": [ + "
\nEXTERNAL COMPONENTS\n\nApache PDFBox includes a number of components with separate copyright notices\nand license terms. Your use of these components is subject to the terms and\nconditions of the following licenses.\n\nContributions made to the original PDFBox and FontBox projects:\n\n   Copyright (c) 2002-2007, www.pdfbox.org\n   All rights reserved.\n\n   Redistribution and use in source and binary forms, with or without\n   modification, are permitted provided that the following conditions are met:\n\n   1. Redistributions of source code must retain the above copyright notice,\n      this list of conditions and the following disclaimer.\n\n   2. Redistributions in binary form must reproduce the above copyright\n      notice, this list of conditions and the following disclaimer in the\n      documentation and/or other materials provided with the distribution.\n\n   3. Neither the name of pdfbox; nor the names of its contributors may be\n      used to endorse or promote products derived from this software without\n      specific prior written permission.\n\n   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\n   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n   ARE DISCLAIMED.  
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE\n   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\n   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\n   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n   SUCH DAMAGE.\n\nAdobe Font Metrics (AFM) for PDF Core 14 Fonts\n\n   This file and the 14 PostScript(R) AFM files it accompanies may be used,\n   copied, and distributed for any purpose and without charge, with or without\n   modification, provided that all copyright notices are retained; that the\n   AFM files are not distributed without this file; that all modifications\n   to this file or any of the AFM files are prominently noted in the modified\n   file(s); and that this paragraph is not modified. Adobe Systems has no\n   responsibility or obligation to support the use of the AFM files. \n\nCMaps for PDF Fonts (http://opensource.adobe.com/wiki/display/cmap/Downloads)\n\n   Copyright 1990-2009 Adobe Systems Incorporated.\n   All rights reserved.\n\n   Redistribution and use in source and binary forms, with or without\n   modification, are permitted provided that the following conditions\n   are met:\n\n   Redistributions of source code must retain the above copyright notice,\n   this list of conditions and the following disclaimer.\n\n   Redistributions in binary form must reproduce the above copyright notice,\n   this list of conditions and the following disclaimer in the documentation\n   and/or other materials provided with the distribution. \n\n   Neither the name of Adobe Systems Incorporated nor the names of its\n   contributors may be used to endorse or promote products derived from this\n   software without specific prior written permission. 
\n\n   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\n   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n   ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE\n   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\n   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\n   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\n   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN\n   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\n   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF\n   THE POSSIBILITY OF SUCH DAMAGE.\n\nPaDaF PDF/A preflight (http://sourceforge.net/projects/padaf)\n\n  Copyright 2010 Atos Worldline SAS\n \n  Licensed by Atos Worldline SAS under one or more\n  contributor license agreements.  See the NOTICE file distributed with\n  this work for additional information regarding copyright ownership.\n  Atos Worldline SAS licenses this file to You under the Apache License, Version 2.0\n  (the "License"); you may not use this file except in compliance with\n  the License.  You may obtain a copy of the License at\n \n       http://www.apache.org/licenses/LICENSE-2.0\n \n  Unless required by applicable law or agreed to in writing, software\n  distributed under the License is distributed on an "AS IS" BASIS,\n  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n  See the License for the specific language governing permissions and\n  limitations under the License.\n\nOSXAdapter\n\n  Version: 2.0\n  \n  Disclaimer: IMPORTANT:  This Apple software is supplied to you by \n  Apple Inc. 
("Apple") in consideration of your agreement to the\n  following terms, and your use, installation, modification or\n  redistribution of this Apple software constitutes acceptance of these\n  terms.  If you do not agree with these terms, please do not use,\n  install, modify or redistribute this Apple software.\n  \n  In consideration of your agreement to abide by the following terms, and\n  subject to these terms, Apple grants you a personal, non-exclusive\n  license, under Apple's copyrights in this original Apple software (the\n  "Apple Software"), to use, reproduce, modify and redistribute the Apple\n  Software, with or without modifications, in source and/or binary forms;\n  provided that if you redistribute the Apple Software in its entirety and\n  without modifications, you must retain this notice and the following\n  text and disclaimers in all such redistributions of the Apple Software. \n  Neither the name, trademarks, service marks or logos of Apple Inc. \n  may be used to endorse or promote products derived from the Apple\n  Software without specific prior written permission from Apple.  Except\n  as expressly stated in this notice, no other rights or licenses, express\n  or implied, are granted by Apple herein, including but not limited to\n  any patent rights that may be infringed by your derivative works or by\n  other works in which the Apple Software may be incorporated.\n  \n  The Apple Software is provided by Apple on an "AS IS" basis.  
APPLE\n  MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION\n  THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS\n  FOR A PARTICULAR PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND\n  OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS.\n  \n  IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL\n  OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\n  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\n  INTERRUPTION) ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION,\n  MODIFICATION AND/OR DISTRIBUTION OF THE APPLE SOFTWARE, HOWEVER CAUSED\n  AND WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE),\n  STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE\n  POSSIBILITY OF SUCH DAMAGE.\n  \n  Copyright (C) 2003-2007 Apple, Inc., All Rights Reserved\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.xmlgraphics", + "nameMatch": "batik.*", + "mappedName": "Apache XML Graphics Project - Batik", + "url": "https://svn.apache.org/repos/asf/xmlgraphics/batik/tags/batik-1_10/" + }, + { + "groupMatch": "org\\.apache\\.xmlgraphics", + "nameMatch": "xmlgraphics-commons", + "mappedName": "Apache XML Graphics Project - xmlgraphics-commons", + "url": "https://svn.apache.org/viewvc/xmlgraphics/commons/tags/commons-2_2/" + }, + { + "groupMatch": "xml-apis", + "nameMatch": "xml-apis-ext", + "mappedName": "Apache XML APIs Extensions", + "url": "https://xerces.apache.org/xml-commons/components/external/" + }, + { + "groupMatch": "xom", + "nameMatch": "xom", + "mappedName": "XOM: XML object model", + "url": "https://github.com/elharo/xom/", + "attributionNotices": [ + "
\nXOM is a dual streaming/tree-based API for processing XML with Java.\nCopyright 2004, 2005, 2009, 2010, 2020 Elliotte Rusty Harold\n   \n   This library is free software; you can redistribute it and/or modify\n   it under the terms of version 2.1 of the GNU Lesser General Public \n   License as published by the Free Software Foundation.\n   \n   This library is distributed in the hope that it will be useful,\n   but WITHOUT ANY WARRANTY; without even the implied warranty of\n   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the \n   GNU Lesser General Public License for more details.\n   \n   You should have received a copy of the GNU Lesser General Public\n   License along with this library. If not, see \n   \n   \nYou can contact Elliotte Rusty Harold by sending e-mail to\nelharo@ibiblio.org. Please include the word "XOM" in the\nsubject line. For more information see https://xom.nu/ \nor ask a question on the xom-interest mailing list.\n
" + ] + }, + { + "groupMatch": "relaxngDatatype", + "nameMatch": "relaxngDatatype", + "mappedName": "relaxngDatatype", + "url": "https://sourceforge.net/projects/relaxng/files/" + }, + { + "groupMatch": "pull-parser", + "nameMatch": "pull-parser", + "mappedName": "pull-parser", + "url": "https://extreme.indiana.edu/" + }, + { + "groupMatch": "org\\.springframework", + "mappedName": "Spring Framework", + "url": "https://github.com/SpringSource/spring-framework" + }, + { + "groupMatch": "org\\.slf4j", + "nameMatch": "slf4j.*", + "mappedName": "Simple Logging Facade for Java (SLF4J)", + "url": "https://github.com/qos-ch/slf4j" + }, + { + "groupMatch": "org\\.dcm4che.*", + "mappedName": "dcm4che DICOM Toolkit & Library", + "url": "https://github.com/dcm4che/dcm4che" + }, + { + "groupMatch": "commons-validator", + "nameMatch": "commons-validator", + "mappedName": "Apache Commons Validator", + "url": "https://github.com/apache/commons-validator/tree/VALIDATOR_1_6" + }, + { + "groupMatch": "commons-pool", + "nameMatch": "commons-pool", + "mappedName": "Apache Commons Pool", + "url": "https://github.com/apache/commons-pool/tree/POOL_1_6" + }, + { + "groupMatch": "commons-net", + "nameMatch": "commons-net", + "mappedName": "Apache Commons Net", + "url": "https://github.com/apache/commons-net/tree/NET_3_3" + }, + { + "groupMatch": "commons-digester", + "nameMatch": "commons-digester", + "mappedName": "Apache Commons Digester", + "url": "https://github.com/apache/commons-digester/tree/DIGESTER_1_8_1" + }, + { + "groupMatch": "commons-cli", + "nameMatch": "commons-cli", + "mappedName": "Apache Commons CLI", + "url": "https://github.com/apache/commons-cli/tree/cli-1.4" + }, + { + "groupMatch": "commons-httpclient", + "nameMatch": "commons-httpclient", + "mappedName": "Apache Commons HTTP-Client", + "url": "https://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/" + }, + { + "groupMatch": "io\\.github\\.openfeign", + "mappedName": "Openfeign" + }, + { + "groupMatch": 
"org\\.jodd", + "mappedName": "Jodd", + "url": "https://github.com/oblac/jodd/tree/v3.6.7" + }, + { + "groupMatch": "org\\.drools", + "mappedName": "Drools", + "url": "https://github.com/kiegroup/drools/tree/5.5.0.Final" + }, + { + "groupMatch": "org\\.checkerframework", + "nameMatch": "Checker framework", + "mappedName": "", + "attributionNotices": [ + "
\nThe Checker Framework\nCopyright 2004-present by the Checker Framework developers\n\n\nMost of the Checker Framework is licensed under the GNU General Public\nLicense, version 2 (GPL2), with the classpath exception.  The text of this\nlicense appears below.  This is the same license used for OpenJDK.\n\nA few parts of the Checker Framework have more permissive licenses, notably\nthe parts that you might want to include with your own program.\n\n * The annotations and utility files are licensed under the MIT License.\n   (The text of this license also appears below.)  This applies to\n   checker-qual*.jar and checker-util.jar and all the files that appear in\n   them, which is all files in checker-qual and checker-util directories.\n   It also applies to the cleanroom implementations of\n   third-party annotations (in checker/src/testannotations/,\n   framework/src/main/java/org/jmlspecs/, and\n   framework/src/main/java/com/google/).\n\nThe Checker Framework includes annotations for some libraries.  Those in\n.astub files use the MIT License.  Those in https://github.com/typetools/jdk\n(which appears in the annotated-jdk directory of file checker.jar) use the\nGPL2 license.\n\nSome external libraries that are included with the Checker Framework\ndistribution have different licenses.  Here are some examples.\n\n * JavaParser is dual licensed under the LGPL or the Apache license -- you\n   may use it under whichever one you want.  (The JavaParser source code\n   contains a file with the text of the GPL, but it is not clear why, since\n   JavaParser does not use the GPL.)  See\n   https://github.com/typetools/stubparser .\n\n * Annotation Tools (https://github.com/typetools/annotation-tools) uses\n   the MIT license.\n\n * Libraries in plume-lib (https://github.com/plume-lib/) are licensed\n   under the MIT License.\n\n===========================================================================\n
" + ], + "licenses": [ + "MIT", + "GPL-2" + ] + }, + { + "groupMatch": "com\\.google\\.j2objc", + "nameMatch": "j2objc-annotations", + "mappedName": "J2ODBC-Annotations", + "url": "https://github.com/google/j2objc", + "licenses": [ + "Apache-2.0" + ] + }, + { + "groupMatch": "org.vaadin.haijian", + "nameMatch": "exporter", + "mappedName": "Exporter", + "url": "https://github.com/haiwan/Exporter", + "attributionNotices": [ + "
\nAll parts, except the contents of the documentation module, are licenced\nunder Apache License v2.0. See the license text below.\n\nThe documentation is licensed under Creative Commons CC-BY-ND 2.0\n(http://creativecommons.org/licenses/by-nd/2.0/legalcode).\n
" + ] + }, + { + "groupMatch": "c3p0", + "nameMatch": "c3p0", + "mappedName": "C3p0", + "url": "https://sourceforge.net/projects/c3p0/files/" + }, + { + "groupMatch": "com\\.github\\.jai-imageio", + "nameMatch": "jai-imageio-core", + "licenses": [ + "BSD-3-Clause No Nuclear License" + ] + }, + { + "groupMatch": "com\\.mchange", + "nameMatch": "c3p0", + "mappedName": "Mchange - C3p0", + "url": "https://github.com/swaldman/c3p0", + "attributionNotices": [ + "
\n\nThis library is free software; you can redistribute it and/or modify\nit under the terms of EITHER:\n\n    1) The GNU Lesser General Public License (LGPL), version 2.1, as \n       published by the Free Software Foundation\n\nOR\n\n    2) The Eclipse Public License (EPL), version 1.0\n\nYou may choose which license to accept if you wish to redistribute\nor modify this work. You may offer derivatives of this work\nunder the license you have chosen, or you may provide the same\nchoice of license which you have been offered here.\n\nThis software is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\nYou should have received copies of both LGPL v2.1 and EPL v1.0\nalong with this software; see the files LICENSE-EPL and LICENSE-LGPL.\nIf not, the text of these licenses are currently available at\n\nLGPL v2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html\n EPL v1.0: http://www.eclipse.org/org/documents/epl-v10.php \n\n 
" + ] + }, + { + "groupMatch": "com\\.mchange", + "nameMatch": "mchange-commons-java", + "mappedName": "Mchange - mchange-commons-java", + "url": "https://github.com/swaldman/mchange-commons-java", + "attributionNotices": [ + "
\n\nThis library is free software; you can redistribute it and/or modify\nit under the terms of EITHER:\n\n    1) The GNU Lesser General Public License (LGPL), version 2.1, as \n       published by the Free Software Foundation\n\nOR\n\n    2) The Eclipse Public License (EPL), version 1.0\n\nYou may choose which license to accept if you wish to redistribute\nor modify this work. You may offer derivatives of this work\nunder the license you have chosen, or you may provide the same\nchoice of license which you have been offered here.\n\nThis software is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\nYou should have received copies of both LGPL v2.1 and EPL v1.0\nalong with this software; see the files LICENSE-EPL and LICENSE-LGPL.\nIf not, the text of these licenses are currently available at\n\nLGPL v2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html\n EPL v1.0: http://www.eclipse.org/org/documents/epl-v10.php \n\n 
" + ] + }, + { + "groupMatch": "com\\.twelvemonkeys.*", + "mappedName": "TwelveMonkeys" + }, + { + "groupMatch": "commons-codec", + "nameMatch": "commons-codec", + "mappedName": "Apache commons-codec", + "url": "https://github.com/apache/commons-codec" + }, + { + "groupMatch": "commons-logging", + "nameMatch": "commons-logging", + "mappedName": "Apache commons-logging", + "url": "https://github.com/apache/commons-logging" + }, + { + "groupMatch": "dom4j", + "nameMatch": "dom4j", + "mappedName": "Dom4j", + "url": "https://github.com/dom4j/dom4j", + "licenses": [ + "DOM4j-License" + ] + }, + { + "groupMatch": "javax\\.jmdns", + "nameMatch": "jmdns", + "mappedName": "JMDNS", + "url": "https://sourceforge.net/projects/jmdns/files/" + }, + { + "groupMatch": "javax\\.json", + "nameMatch": "javax\\.json-api", + "mappedName": "Javax Json-API", + "url": "https://github.com/javaee/json-processing-spec", + "licenses": [ + "CDDL-1.1" + ] + }, + { + "groupMatch": "javax\\.servlet", + "nameMatch": "javax\\.servlet-api", + "mappedName": "Javax Servlet-API", + "url": "https://github.com/javaee/servlet-spec", + "licenses": [ + "CDDL-1.1" + ] + }, + { + "groupMatch": "net\\.jpountz\\.lz4", + "nameMatch": "lz4", + "mappedName": "Lz4", + "url": "https://github.com/lz4/lz4-java" + }, + { + "groupMatch": "org\\.apache\\.cxf", + "nameMatch": "cxf-api", + "mappedName": "Apache CFX API", + "url": "https://github.com/apache/cxf.git" + }, + { + "groupMatch": "org\\.apache\\.cxf", + "nameMatch": "cxf-rt-core", + "mappedName": "Apache CFX RT Core", + "url": "https://github.com/apache/cxf.git" + }, + { + "groupMatch": "org\\.apache\\.cxf", + "mappedName": "Apache CFX Others", + "url": "https://github.com/apache/cxf.git" + }, + { + "groupMatch": "org\\.apache\\.deltaspike.*", + "mappedName": "Apache Deltaspike", + "url": "https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;a=tree;hb=cb0d4d07a2ae8604f84eb4acaab89f4bd0504e72" + }, + { + "groupMatch": "org\\.apache\\.james", + "nameMatch": 
"apache-mime4j", + "mappedName": "Apache mime4j", + "url": "https://github.com/apache/james-mime4j" + }, + { + "groupMatch": "org\\.apache\\.geronimo\\.specs", + "nameMatch": "geronimo-javamail_1.4_spec", + "mappedName": "Apache Geronimo JavaMail 1.4", + "attributionNotices": [ + "
\n#########################################################################\n## ADDITIONAL LICENSES                                                 ##\n#########################################################################\n\nThe XMLSchema.dtd included in this project was developed by the\nW3C Consortium (http://www.w3c.org/).\nUse of the source code, thus licensed, and the resultant binary are\nsubject to the terms and conditions of the following license.\n\nW3C¨ SOFTWARE NOTICE AND LICENSE\nCopyright © 1994-2002 World Wide Web Consortium, (Massachusetts Institute of\nTechnology, Institut National de Recherche en Informatique et en Automatique,\nKeio University). All Rights Reserved. http://www.w3.org/Consortium/Legal/\n\nThis W3C work (including software, documents, or other related items) is\nbeing provided by the copyright holders under the following license. By\nobtaining, using and/or copying this work, you (the licensee) agree that you\nhave read, understood, and will comply with the following terms and\nconditions:\n\nPermission to use, copy, modify, and distribute this software and its\ndocumentation, with or without modification,  for any purpose and without\nfee or royalty is hereby granted, provided that you include the following on\nALL copies of the software and documentation or portions thereof, including\nmodifications, that you make:\n\n   1. The full text of this NOTICE in a location viewable to users of the\n         redistributed or derivative work.\n   2. Any pre-existing intellectual property disclaimers, notices, or terms\n         and conditions. 
If none exist, a short notice of the following form\n         (hypertext is preferred, text is permitted) should be used within\n         the body of any redistributed or derivative code: "Copyright ©\n         [$date-of-software] World Wide Web Consortium, (Massachusetts Institute\n         of Technology, Institut National de Recherche en Informatique et en\n         Automatique, Keio University). All Rights Reserved.\n         http://www.w3.org/Consortium/Legal/"\n   3. Notice of any changes or modifications to the W3C files, including the\n         date changes were made. (We recommend you provide URIs to the location\n         from which the code is derived.)\n\nTHIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE\nNO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED\nTO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT\nTHE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS,\nCOPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.\n\nCOPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR\nCONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.\n\nThe name and trademarks of copyright holders may NOT be used in advertising or\npublicity pertaining to the software without specific, written prior permission.\nTitle to copyright in this software and any associated documentation will at all\ntimes remain with copyright holders.\n 
" + ] + }, + { + "groupMatch": "org\\.apache\\.httpcomponents", + "nameMatch": "httpcore", + "mappedName": "Apache HttpComponents HttpCore", + "licenses": [ + "Apache-2.0", + "MPL-2.0" + ] + }, + { + "groupMatch": "org\\.apache\\.httpcomponents", + "nameMatch": "httpclient", + "mappedName": "Apache HttpComponents HttpClient", + "licenses": [ + "Apache-2.0", + "CC-BY-2.5" + ] + }, + { + "groupMatch": "org\\.apache\\.tomcat", + "nameMatch": "tomcat-servlet-api", + "mappedName": "Tomcat Servlet API", + "licenses": [ + "Apache-2.0", + "CDDL-1.0" + ] + }, + { + "groupMatch": "org\\.eclipse\\.jetty", + "mappedName": "Eclipse Jetty" + }, + { + "groupMatch": "org\\.eclipse\\.jetty\\.http2", + "mappedName": "Eclipse Jetty HTTP/2" + }, + { + "groupMatch": "org\\.eclipse\\.jetty\\.websocket", + "mappedName": "Eclipse Jetty Websocket" + }, + { + "groupMatch": "xml-resolver", + "nameMatch": "xml-resolver", + "mappedName": "Xerces XML-Resolver", + "url": "https://xerces.apache.org/xml-commons/components/resolver/" + }, + { + "nameMatch": "relaxngDatatype", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "groupMatch": "jaxen", + "nameMatch": "jaxen", + "mappedName": "Jaxen", + "url": "https://github.com/jaxen-xpath/jaxen", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.interceptor", + "nameMatch": "jboss-interceptors-api_1.1_spec", + "mappedName": "JavaX Interceptor API", + "url": "https://github.com/jboss/jboss-interceptors-api_spec", + "licenses":[ + "GPL-2.0-with-classpath-exception", + "CDDL-1.0" + ] + }, + { + "nameMatch": "corretto8", + "mappedName": "Amazon Coretto 8", + "url": "https://github.com/corretto/corretto-8", + "licenses":[ + "GPL-2.0-with-classpath-exception" + ] + }, + { + "groupMatch": "org\\.wildfly\\.security\\.*", + "mappedName": "Wildfly Security", + "url": "https://github.com/wildfly-security/wildfly-elytron" + }, + { + "nameMatch": "wildfly-dist", + "mappedName": "Wildfly", + "url": 
"https://github.com/wildfly/wildfly", + "licenses":[ + "GPL-2.1" + ] + }, + { + "nameMatch": "wildfly-galleon-pack", + "mappedName": "Wildfly", + "url": "https://github.com/wildfly/wildfly" + }, + { + "groupMatch": "io\\.netty\\.*", + "mappedName": "Netty" + }, + { + "groupMatch": "org\\.infinispan.*", + "mappedName": "Infinispan" + }, + { + "nameMatch": "okhttp", + "mappedName": "OkHttp", + "url": "https://github.com/square/okhttp/" + }, + { + "nameMatch": "okio", + "mappedName": "OkIo", + "url": "https://github.com/square/okio/" + }, + { + "nameMatch": "JConnect", + "mappedName": "JConnect", + "url" : "https://help.sap.com/docs/SAP_ASE_SDK/e12c539de04b44a0bb17a545a148361c/b03e2db6bbf910148fc6bbe092513290.html?locale=en-US&version=16.0.4.3" + }, + { + "groupMatch": "org\\.rocksdb\\.*", + "mappedName": "Rocks DB" + }, + { + "nameMatch": "jboss-logging", + "mappedName": "JBoss Logging" + }, + { + "nameMatch": "jboss-marshalling-osgi", + "mappedName": "JBoss Marshalling OSGI" + }, + { + "nameMatch": "resteasy-jboss-modules", + "mappedName": "Resteasy JBoss Modules", + "url": "https://github.com/resteasy/resteasy", + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "httpd", + "mappedName": "Apache httpd", + "url": "https://github.com/apache/httpd", + "attributionNotices": [ + "
Apache HTTP Server\nCopyright 2021 The Apache Software Foundation.\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\nPortions of this software were developed at the National Center\nfor Supercomputing Applications (NCSA) at the University of\nIllinois at Urbana-Champaign.\n\nThis software contains code derived from the RSA Data Security\nInc. MD5 Message-Digest Algorithm, including various\nmodifications by Spyglass Inc., Carnegie Mellon University, and\nBell Communications Research, Inc (Bellcore).\n\nThis software contains code derived from the PCRE library pcreposix.c\nsource code, written by Philip Hazel, Copyright 1997-2004\nby the University of Cambridge, England.\n
" + ], + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "vcredist", + "mappedName": "vcredist", + "url": "https://learn.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-160", + "licenses": [ + "Microsoft VC++ Redistributable" + ] + }, + { + "nameMatch": "postgresql", + "mappedName": "PostgreSQL", + "url": "https://github.com/postgres/postgres", + "licenses": [ + "PostgreSQL" + ] + }, + { + "nameMatch": "medavis-yajsw", + "mappedName": "Yet Another Java Service Wrapper", + "url": "https://yajsw.sourceforge.io", + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "xstream", + "mappedName": "XStream", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "nameMatch": "ical4j", + "mappedName": "iCal4j", + "url":"https://github.com/ical4j/ical4j", + "licenses": [ + "BSD-3-Clause" + ] + }, + { + "groupMatch": "org\\.ow2\\.asm", + "mappedName": "OW2 ASM" + }, + { + "groupMatch": "org\\.jdom", + "nameMatch": "jdom2", + "licenses": [ + "Apache-1.0-JDOM" + ] + }, + { + "purlMatch": "pkg:maven\\/us\\.springett\\/alpine-common@2\\.2\\.5\\?type=jar", + "licenses": [ + "Apache-2.0" + ] + }, + { + "purlMatch": "pkg:maven\\/com\\.pixelmed\\/any-lib@1\\.2\\.3\\.4\\?type=jar", + "licenses": [ + "BSD-2-Clause" + ] + } +] \ No newline at end of file diff --git a/core/src/test/resources/de/medavis/lct/core/patcher/test-component-metadata2.json b/core/src/test/resources/de/medavis/lct/core/patcher/test-component-metadata2.json new file mode 100644 index 0000000..601cdf6 --- /dev/null +++ b/core/src/test/resources/de/medavis/lct/core/patcher/test-component-metadata2.json 
@@ -0,0 +1,21 @@ +[ + { + "groupMatch": "org\\.jdom", + "nameMatch": "jdom2", + "licenses": [ + "Apache-1.0-JDOM" + ] + }, + { + "purlMatch": "pkg:maven\\/us\\.springett\\/alpine-common@2\\.2\\.5\\?type=jar", + "licenses": [ + "Apache-2.0" + ] + }, + { + "purlMatch": "pkg:maven\\/com\\.pixelmed\\/any-lib@1\\.2\\.3\\.4\\?type=jar", + "licenses": [ + "BSD-2-Clause" + ] + } +] \ No newline at end of file diff --git a/doc/Overview.png b/doc/Overview.png index d4896fd..d8e4e3f 100644 Binary files a/doc/Overview.png and b/doc/Overview.png differ diff --git a/doc/icons/DocTypes.svg b/doc/icons/DocTypes.svg new file mode 100644 index 0000000..17570fa --- /dev/null +++ b/doc/icons/DocTypes.svg @@ -0,0 +1,271 @@ + + + Document + + + + image/svg+xml + + Document + + + + medavis GmbH + + + + + C: Rambow + + + 2024-06-02 + + + + + + + + + + + + + + + + + + + + + + + + + + TXT + + + diff --git a/doc/icons/_THIRD_PARTY b/doc/icons/_THIRD_PARTY index cadc41b..8029552 100644 --- a/doc/icons/_THIRD_PARTY +++ b/doc/icons/_THIRD_PARTY @@ -1,8 +1,3 @@ -html.svg -License: CC BY-SA 2.5 (https://creativecommons.org/licenses/by-sa/2.5/) -Author: Dreftymac (https://en.wikipedia.org/wiki/User:Dreftymac) -Source: https://commons.wikimedia.org/wiki/File:HTML.svg - jenkins.svg License: CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0/) Author: The Jenkins project (http://jenkins-ci.org/) 
@@ -33,7 +28,5 @@ License: CC0 1.0 (https://creativecommons.org/publicdomain/zero/1.0) Author: Koreller (https://commons.wikimedia.org/wiki/User:Koreller) Source: https://commons.wikimedia.org/wiki/File:Icon_pdf_file.svg -textfile.svg -License: LGPL-3.0 (https://www.gnu.org/licenses/lgpl-3.0.html) -Authors: The Oxygen Team (https://github.com/KDE/oxygen-icons5/blob/master/AUTHORS) -Source: https://commons.wikimedia.org/wiki/File:Oxygen15.04.1-text-sgml.svg \ No newline at end of file + +Please note, the file "DocTypes.svg" is not an image from a third party and belongs to this project \ No newline at end of file diff --git a/doc/icons/html.svg b/doc/icons/html.svg deleted file mode 100644 index b87cd86..0000000 --- a/doc/icons/html.svg +++ /dev/null @@ -1,66 +0,0 @@ - - - - -sample image of HTML code - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <!DOCTYPE html> - <html> - <!-- created 2010-01-01 --> -  <head> -   <title>sample</title> -  </head> -  <body> -   <p>Voluptatem accusantium -    totam rem aperiam.</p> -  </body> - </html> - - - - - - - - - - - - HTML - HTML - - - diff --git a/doc/icons/textfile.svg b/doc/icons/textfile.svg deleted file mode 100644 index bd95bce..0000000 --- a/doc/icons/textfile.svg +++ /dev/null @@ -1,67 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - txt - - - - - - - - - - diff --git a/jenkins/pom.xml b/jenkins/pom.xml index d6b5490..09c7406 100644 --- a/jenkins/pom.xml +++ b/jenkins/pom.xml @@ -1,7 +1,5 @@ - + 4.0.0 diff --git a/jenkins/src/main/java/de/medavis/lct/jenkins/patch/BomPatcherBuilder.java b/jenkins/src/main/java/de/medavis/lct/jenkins/patch/BomPatcherBuilder.java new file mode 100644 index 0000000..2cb2729 --- /dev/null +++ b/jenkins/src/main/java/de/medavis/lct/jenkins/patch/BomPatcherBuilder.java 
@@ -0,0 +1,102 @@
+package de.medavis.lct.jenkins.patch;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.AbortException;
+import hudson.EnvVars;
+import hudson.Extension;
+import hudson.FilePath;
+import hudson.Launcher;
+import hudson.model.AbstractProject;
+import hudson.model.Run;
+import hudson.model.TaskListener;
+import hudson.tasks.BuildStepDescriptor;
+import hudson.tasks.Builder;
+import hudson.util.FormValidation;
+import jenkins.tasks.SimpleBuildStep;
+
+import de.medavis.lct.core.Configuration;
+import de.medavis.lct.core.patcher.BomPatcher;
+import de.medavis.lct.jenkins.config.LCTGlobalConfiguration;
+import de.medavis.lct.jenkins.util.JenkinsLogger;
+
+import org.jenkinsci.Symbol;
+import org.kohsuke.stapler.DataBoundConstructor;
+import org.kohsuke.stapler.DataBoundSetter;
+import org.kohsuke.stapler.QueryParameter;
+import org.kohsuke.stapler.verb.POST;
+
+import java.io.IOException;
+
+public class BomPatcherBuilder extends Builder implements SimpleBuildStep {
+
+ private final String inputFile;
+ private final String outputFile;
+ private String configurationProfile;
+
+ @DataBoundConstructor
+ public BomPatcherBuilder(@NonNull String inputFile, @NonNull String outputFile) {
+ this.inputFile = inputFile;
+ this.outputFile = outputFile;
+ }
+
+ @NonNull
+ public String getInputFile() {
+ return inputFile;
+ }
+
+ @NonNull
+ public String getOutputFile() {
+ return outputFile;
+ }
+
+ public String getConfigurationProfile() {
+ return configurationProfile;
+ }
+
+ @DataBoundSetter
+ public void setConfigurationProfile(final String configurationProfile) {
+ this.configurationProfile = configurationProfile;
+ }
+
+ @Override
+ public void perform(@NonNull Run run, @NonNull FilePath workspace, @NonNull EnvVars env, @NonNull Launcher launcher, @NonNull TaskListener listener)
+ throws AbortException, InterruptedException {
+ try {
+ final JenkinsLogger logger = new JenkinsLogger(listener);
+ logger.info("Patching BOM from %s into 
%s.%n", inputFile, outputFile);
+
+ Configuration configuration = LCTGlobalConfiguration.getConfigurationByProfile(configurationProfile);
+ BomPatcher bomPatcher = BomPatcherBuilderFactory.getBomPatcher(configuration);
+ bomPatcher.patch(/*logger,*/ workspace.child(inputFile).read(), workspace.child(outputFile).write());
+ } catch (IOException e) {
+ throw new AbortException("Could not patch licenses: " + e.getMessage());
+ }
+ }
+
+ @Symbol("patchBOM")
+ @Extension
+ public static final class DescriptorImpl extends BuildStepDescriptor {
+
+ @Override
+ public boolean isApplicable(Class jobType) {
+ return true;
+ }
+
+ @NonNull
+ @Override
+ public String getDisplayName() {
+ return Messages.BomPatcherBuilder_DescriptorImpl_displayName();
+ }
+
+ @POST
+ public FormValidation doCheckInputFile(@QueryParameter String value) {
+ return FormValidation.validateRequired(value);
+ }
+
+ @POST
+ public FormValidation doCheckOutputFile(@QueryParameter String value) {
+ return FormValidation.validateRequired(value);
+ }
+
+ }
+}
diff --git a/jenkins/src/main/java/de/medavis/lct/jenkins/patch/BomPatcherBuilderFactory.java b/jenkins/src/main/java/de/medavis/lct/jenkins/patch/BomPatcherBuilderFactory.java
new file mode 100644
index 0000000..4eb40a6
--- /dev/null
+++ b/jenkins/src/main/java/de/medavis/lct/jenkins/patch/BomPatcherBuilderFactory.java
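Review bot: `perform` passes the job-supplied `inputFile` and `outputFile` straight to `workspace.child(...)`, which also resolves absolute paths and `..` segments, so the step can read and overwrite files outside the workspace on whichever node runs it. Confine both values before opening them, for example with `workspace.isDescendant(...)`, which takes relative paths only, so absolute values have to be rejected first. The streams returned by `read()` and `write()` are never closed in this method; unless `BomPatcher.patch` closes them (not visible in this diff), open them in try-with-resources as sketched below, which needs `java.io.InputStream` and `java.io.OutputStream` imported. The catch block keeps only `e.getMessage()`, so the stack trace of the underlying I/O failure is lost; attach `e` as the cause before throwing, for example via `initCause(e)`.

```java
// … unchanged: logger setup and the "Patching BOM" message …
// isDescendant() accepts relative paths only; reject absolute values before this call
if (!workspace.isDescendant(inputFile) || !workspace.isDescendant(outputFile)) {
    throw new AbortException("Input and output file must be located inside the workspace");
}
Configuration configuration = LCTGlobalConfiguration.getConfigurationByProfile(configurationProfile);
BomPatcher bomPatcher = BomPatcherBuilderFactory.getBomPatcher(configuration);
try (InputStream in = workspace.child(inputFile).read();
     OutputStream out = workspace.child(outputFile).write()) {
    bomPatcher.patch(in, out);
}
// … unchanged: catch (IOException e) …
```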
@@ -0,0 +1,36 @@
+package de.medavis.lct.jenkins.patch;
+
+import de.medavis.lct.core.Configuration;
+import de.medavis.lct.core.asset.AssetLoader;
+import de.medavis.lct.core.license.LicenseLoader;
+import de.medavis.lct.core.license.LicenseMappingLoader;
+import de.medavis.lct.core.metadata.ComponentMetaDataLoader;
+import de.medavis.lct.core.patcher.BomPatcher;
+
+import java.util.function.Function;
+
+// TODO Try to use dependency injection (maybe using ExtensionFinder, GuiceFinder?)
+public class BomPatcherBuilderFactory {
+
+ private static Function bomPatcherFactory = configuration -> new BomPatcher(
+ new AssetLoader(),
+ new ComponentMetaDataLoader(),
+ new LicenseLoader(),
+ new LicenseMappingLoader(),
+ configuration
+ );
+
+ private BomPatcherBuilderFactory() {}
+
+ public static BomPatcher getBomPatcher(Configuration configuration) {
+ return bomPatcherFactory.apply(configuration);
+ }
+
+ /**
+ * Should only be used for tests.
+ */
+ static void setLicensesDownloaderFactory(Function bomPatcherFactory) {
+ BomPatcherBuilderFactory.bomPatcherFactory = bomPatcherFactory;
+ }
+
+}
diff --git a/jenkins/src/main/resources/de/medavis/lct/jenkins/config/ConfigurationProfile/config.properties b/jenkins/src/main/resources/de/medavis/lct/jenkins/config/ConfigurationProfile/config.properties
index e71faff..10f56c7 100644
--- a/jenkins/src/main/resources/de/medavis/lct/jenkins/config/ConfigurationProfile/config.properties
+++ b/jenkins/src/main/resources/de/medavis/lct/jenkins/config/ConfigurationProfile/config.properties
@@ -24,3 +24,5 @@ default.description=Use this profile when no profile is referenced from the job.
 componentMetadata=Component meta data (URL)
 licenses=License information (URL)
 licenseMappings=License name mapping (URL)
+spdxLicenses=SPDX licenses URL (Used by the BOM patcher)
+spdxLicenses.description=URL where to download the list of supported SPDX licenses. If not set, then local copy will be used.
\ No newline at end of file
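Review bot: The test hook `setLicensesDownloaderFactory` in `BomPatcherBuilderFactory` replaces a mutable static field that `getBomPatcher` reads during builds, and the field is neither `volatile` nor restored by anything in this diff, so an override installed once stays in place for every later caller in the same JVM. The name also looks copied from the licence downloader factory; `setBomPatcherFactory` would match what the method sets. I would declare the field as `private static volatile Function<Configuration, BomPatcher> bomPatcherFactory` and state in the setter's Javadoc that callers must restore the default afterwards. The type arguments are not visible in this rendering of the diff, so they are inferred here from the lambda.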
diff --git a/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/BomPatcherBuilder/config.jelly b/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/BomPatcherBuilder/config.jelly new file mode 100644 index 0000000..90a60a5 --- /dev/null +++ b/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/BomPatcherBuilder/config.jelly @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/BomPatcherBuilder/config.properties b/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/BomPatcherBuilder/config.properties new file mode 100644 index 0000000..af70f94 --- /dev/null +++ b/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/BomPatcherBuilder/config.properties @@ -0,0 +1,23 @@ +### +# #%L +# License Compliance Tool +# %% +# Copyright (C) 2022 medavis GmbH +# %% +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# #L% +### +inputFile=Input file +inputFile.description=Input BOM file (CycloneDX formatted) +outputFile=Output file +outputFile.description=Output BOM file. Directories and files will be created and replaced as necessary. diff --git a/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/Messages.properties b/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/Messages.properties new file mode 100644 index 0000000..1f1fc8a --- /dev/null +++ b/jenkins/src/main/resources/de/medavis/lct/jenkins/patch/Messages.properties 
@@ -0,0 +1,21 @@ +### +# #%L +# License Compliance Tool +# %% +# Copyright (C) 2022 medavis GmbH +# %% +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# #L% +### +BomPatcherBuilder.DescriptorImpl.error.missingValue=Must not be empty +BomPatcherBuilder.DescriptorImpl.displayName=Patch licenses in BOM diff --git a/jenkins/src/test/java/de/medavis/lct/jenkins/create/CreateManifestBuilderTest.java b/jenkins/src/test/java/de/medavis/lct/jenkins/create/CreateManifestBuilderTest.java index 75fb7e2..59b4d05 100644 --- a/jenkins/src/test/java/de/medavis/lct/jenkins/create/CreateManifestBuilderTest.java +++ b/jenkins/src/test/java/de/medavis/lct/jenkins/create/CreateManifestBuilderTest.java @@ -64,7 +64,7 @@ class CreateManifestBuilderTest { private static final String TEMPLATE_URL = "file://template.ftl"; private static final String CONFIGURATION_PROFILE = "default"; private static final List COMPONENT_LIST = Collections.singletonList( - new ComponentData("name", "version", "url", Collections.emptySet(), Collections.emptySet())); + new ComponentData("name", "version", "url", null, Collections.emptySet(), Collections.emptySet())); private static final String FAKE_SBOM = "Normally, this would be a CycloneDX SBOM."; private static final String FAKE_MANIFEST = "IRL, I would be the manifest"; 
diff --git a/jenkins/src/test/java/de/medavis/lct/jenkins/patch/BomPatcherBuilderTest.java b/jenkins/src/test/java/de/medavis/lct/jenkins/patch/BomPatcherBuilderTest.java
new file mode 100644
index 0000000..d4168b9
--- /dev/null
+++ b/jenkins/src/test/java/de/medavis/lct/jenkins/patch/BomPatcherBuilderTest.java
@@ -0,0 +1,137 @@
+package de.medavis.lct.jenkins.patch;
+
+import com.google.common.io.Resources;
+import com.sun.net.httpserver.HttpServer;
+import hudson.FilePath;
+import hudson.model.FreeStyleProject;
+
+import de.medavis.lct.core.Configuration;
+import de.medavis.lct.core.asset.AssetLoader;
+import de.medavis.lct.core.license.LicenseLoader;
+import de.medavis.lct.core.license.LicenseMappingLoader;
+import de.medavis.lct.core.metadata.ComponentMetaDataLoader;
+import de.medavis.lct.core.patcher.BomPatcher;
+
+import org.apache.http.entity.ContentType;
+import org.assertj.core.api.SoftAssertions;
+import org.assertj.core.api.junit.jupiter.SoftAssertionsExtension;
+import org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition;
+import org.jenkinsci.plugins.workflow.job.WorkflowJob;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.jvnet.hudson.test.junit.jupiter.WithJenkins;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Paths;
+import java.util.Optional;
+import java.util.concurrent.Executors;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@WithJenkins
+@ExtendWith(SoftAssertionsExtension.class)
+class BomPatcherBuilderTest {
+
+ private static final String INPUT_FILE = "input.bom";
+ private static final String OUTPUT_FILE = "output.bom";
+
+ private static final String PATH = "/test-component-metadata.json";
+
+ private String baseUrl;
+ private HttpServer httpServer;
+
+ @BeforeEach
+ void configureWebserver() throws IOException {
+ httpServer = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
+ httpServer.createContext(PATH, exchange -> {
+ URL url = 
getClass().getResource("/de/medavis/lct/jenkins/patch" + PATH);
+ byte[] data = Resources.toByteArray(url);
+ exchange.getResponseHeaders().add("Content-Type", ContentType.APPLICATION_JSON.getMimeType());
+ exchange.sendResponseHeaders(200, data.length);
+ try (var response = exchange.getResponseBody()) {
+ response.write(data);
+ response.flush();
+ }
+ });
+ httpServer.setExecutor(Executors.newSingleThreadExecutor());
+ httpServer.start();
+
+ baseUrl = String.format("http://%s:%d", httpServer.getAddress().getHostName(), httpServer.getAddress().getPort());
+
+ BomPatcherBuilderFactory.setLicensesDownloaderFactory(configuration -> new BomPatcher(
+ new AssetLoader(),
+ new ComponentMetaDataLoader(),
+ new LicenseLoader(),
+ new LicenseMappingLoader(),
+ new Configuration() {
+
+ @Override
+ public Optional getComponentMetadataUrl() {
+ try {
+ return Optional.of(new URL(baseUrl + PATH));
+ } catch (MalformedURLException ex) {
+ return Optional.empty();
+ }
+ }
+
+ })
+ );
+ }
+
+ @AfterEach
+ void tearDown() {
+ httpServer.stop(1);
+ }
+
+ @Test
+ void testConfigRoundtrip(JenkinsRule jenkins) throws Exception {
+ FreeStyleProject project = jenkins.createFreeStyleProject();
+ final BomPatcherBuilder builder = new BomPatcherBuilder(INPUT_FILE, OUTPUT_FILE);
+ project.getBuildersList().add(builder);
+ project = jenkins.configRoundtrip(project);
+
+ jenkins.assertEqualDataBoundBeans(builder, project.getBuildersList().get(0));
+ }
+
+ @Test
+ void testScriptedPipelineBuild(JenkinsRule jenkins, SoftAssertions softly) throws Exception {
+ executePipelineAndVerifyResult(jenkins, softly, "scriptedPipeline.groovy");
+ }
+
+ @Test
+ void testDeclarativePipelineBuild(JenkinsRule jenkins, SoftAssertions softly) throws Exception {
+ executePipelineAndVerifyResult(jenkins, softly, "declarativePipeline.groovy");
+ }
+
+ private void executePipelineAndVerifyResult(JenkinsRule jenkins, SoftAssertions softly, String pipelineFile) throws Exception {
+ WorkflowJob job = 
createJob(jenkins, pipelineFile);
+ final FilePath workspace = jenkins.jenkins.getWorkspaceFor(job);
+ workspace.child(INPUT_FILE).write(getModifiedInputBom(), StandardCharsets.UTF_8.name());
+
+ jenkins.buildAndAssertSuccess(job);
+
+ assertThat(Paths.get(workspace.toURI()).resolve(OUTPUT_FILE))
+ .exists();
+ }
+
+ private WorkflowJob createJob(JenkinsRule jenkins, String pipelineFile) throws IOException {
+ WorkflowJob job = jenkins.createProject(WorkflowJob.class, "test-pipeline");
+ String pipelineScript = Resources.toString(getClass().getResource(pipelineFile), Charset.defaultCharset());
+ job.setDefinition(new CpsFlowDefinition(pipelineScript, true));
+ return job;
+ }
+
+ private String getModifiedInputBom() throws IOException {
+ return Resources.asCharSource(getClass().getResource("test-bom.json"), StandardCharsets.UTF_8)
+ .read()
+ .replaceAll("%BASEURL%", baseUrl);
+ }
+}
diff --git a/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/declarativePipeline.groovy b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/declarativePipeline.groovy
new file mode 100644
index 0000000..06adcad
--- /dev/null
+++ b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/declarativePipeline.groovy
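Review bot: `executePipelineAndVerifyResult` asserts only that `output.bom` exists, so both pipeline tests pass even when no licence entry is changed, and the injected `SoftAssertions softly` parameter is never used. Because the step rewrites licence data that ends up in a delivered SBOM, the test should parse the output and assert the licences of at least one component that `test-component-metadata.json` is expected to patch, plus one that must stay untouched. `configureWebserver` also installs a factory through `BomPatcherBuilderFactory.setLicensesDownloaderFactory` and creates a single-thread executor, and `tearDown` undoes neither, so the override and the worker thread outlive the test; restore the factory and shut the executor down there. `createJob` reads the script with `Charset.defaultCharset()` while the rest of the class uses `StandardCharsets.UTF_8`.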
@@ -0,0 +1,30 @@
+/*-
+ * #%L
+ * License Compliance Tool
+ * %%
+ * Copyright (C) 2022 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+pipeline {
+ agent any
+
+ stages {
+ stage('Hello') {
+ steps {
+ patchBOM inputFile: 'input.bom', outputFile: 'output.bom'
+ }
+ }
+ }
+}
diff --git a/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/scriptedPipeline.groovy b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/scriptedPipeline.groovy
new file mode 100644
index 0000000..78c3452
--- /dev/null
+++ b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/scriptedPipeline.groovy
@@ -0,0 +1,22 @@
+/*-
+ * #%L
+ * License Compliance Tool
+ * %%
+ * Copyright (C) 2022 medavis GmbH
+ * %%
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * #L%
+ */
+node {
+ patchBOM inputFile: 'input.bom', outputFile: 'output.bom'
+}
diff --git a/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/test-bom.json b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/test-bom.json new file mode 100644 index 0000000..39aa8aa --- /dev/null +++ b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/test-bom.json 
@@ -0,0 +1,248 @@ +{ + "bomFormat" : "CycloneDX", + "specVersion" : "1.4", + "serialNumber" : "urn:uuid:221ec8a8-97b9-468d-9687-043e71d5cccd", + "version" : 1, + "metadata" : { + "timestamp" : "2022-07-12T11:18:26Z", + "tools" : [ + { + "vendor" : "OWASP Foundation", + "name" : "CycloneDX Maven plugin", + "version" : "2.6.2", + "hashes" : [ + { + "alg" : "MD5", + "content" : "ff29fc50797fce0b33058a6b2b283f64" + }, + { + "alg" : "SHA-1", + "content" : "597e59ebf21c3b8bfb1faeb622569df324eca956" + }, + { + "alg" : "SHA-256", + "content" : "3cf9130fcac45a7beb6df2ae9c3fc9c062d1fddd0731d6a302968586f0aa586e" + }, + { + "alg" : "SHA-384", + "content" : "8111a6788c959305af23daecbc79defd4478c1e274cba65bfe860e09b30cd9fe29822d5d3d3eea608e4926a9418f92e3" + }, + { + "alg" : "SHA-512", + "content" : "2bea87b7bcd70897bf46a28a806b6064a6708d0a45e884e1ceddc25f97ca7bdf4ed190f30d9a28cc9416b6c66176d518c5876fd25bc06bdcb00d39367215e56e" + } + ] + } + ], + "component" : { + "group" : "de.medavis", + "name" : "bommanager", + "version" : "1.0-SNAPSHOT", + "licenses" : [ ], + "purl" : "pkg:maven/de.medavis/bommanager@1.0-SNAPSHOT?type=jar", + "type" : "library", + "bom-ref" : "pkg:maven/de.medavis/bommanager@1.0-SNAPSHOT?type=jar" + } + }, + "components" : [ + { + "publisher" : "QOS.ch", + "group" : "ch.qos.logback", + "name" : "logback-classic", + "version" : "1.2.11", + "description" : "logback-classic module", + "scope" : "optional", + "hashes" : [ + { + "alg" : "MD5", + "content" : "e13679004cc76ad5792f275f04884fab" + }, + { + "alg" : "SHA-1", + "content" : "4741689214e9d1e8408b206506cbe76d1c6a7d60" + }, + { + "alg" : "SHA-256", + "content" : "4d8e899621a3006c2f66e19feab002b11e6cfc5cb1854fc41f01532c00deb2aa" + }, + { + "alg" : "SHA-384", + "content" : "d480881d1a0d58c94aba0b719d56cd492147bc6481b67370dc7426ea7a81326af5b19f32d6a95fee714f37b90a5eed76" + }, + { + "alg" : "SHA-512", + "content" : 
"6df8b42396c5d3257f11fb19c280533aa28d66e647115816d4ebfd6a58c9b5adf0e098504772261b29435df75b86cb2b9a47f846ed45d770179c9d10f39941de" + } + ], + "licenses" : [ + { + "license" : { + "id" : "EPL-1.0", + "url" : "%BASEURL%/EPL-1.0" + } + }, + { + "license" : { + "name" : "LGPL-2.1", + "url" : "%BASEURL%/LGPL-2.1" + } + } + ], + "purl" : "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.qos.ch" + }, + { + "type" : "distribution", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com/ceki/logback" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar" + }, + { + "publisher" : "QOS.ch", + "group" : "ch.qos.logback", + "name" : "logback-core", + "version" : "1.2.11", + "description" : "logback-core module", + "hashes" : [ + { + "alg" : "MD5", + "content" : "115da115b5e66ef64e774ec35af1fb1a" + }, + { + "alg" : "SHA-1", + "content" : "a01230df5ca5c34540cdaa3ad5efb012f1f1f792" + }, + { + "alg" : "SHA-256", + "content" : "6ce1e9397be8298a2e99029f55f955c6fa3cef255171c554d0b9c201cffd0159" + }, + { + "alg" : "SHA-384", + "content" : "2afd896ebe6333d99e5baa553d80b7851d8ff51c06c725267e061df81bc9a878b74a65394699ae853f9738a08963aa0a" + }, + { + "alg" : "SHA-512", + "content" : "86b12a74c2a822a12ba2e9a7b0db5013803f18784a3cb1201c95d5f7872a6aa8cf06d5861a5c35777a7decc7ea26df7b4388fab3b3b71aab7274527d9b339318" + } + ], + "licenses" : [ + { + "license" : { + "id" : "EPL-1.0", + "url" : "%BASEURL%/EPL-1.0" + } + }, + { + "license" : { + "name" : "LGPL-2.1", + "url" : "%BASEURL%/LGPL-2.1" + } + } + ], + "purl" : "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.qos.ch" + }, + { + "type" : "distribution", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + 
"url" : "https://github.com/ceki/logback" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar" + }, + { + "publisher" : "QOS.ch", + "group" : "org.slf4j", + "name" : "slf4j-api", + "version" : "1.7.32", + "description" : "The slf4j API", + "scope" : "required", + "hashes" : [ + { + "alg" : "MD5", + "content" : "fbcf58513bc25b80f075d812aad3e3cf" + }, + { + "alg" : "SHA-1", + "content" : "cdcff33940d9f2de763bc41ea05a0be5941176c3" + }, + { + "alg" : "SHA-256", + "content" : "3624f8474c1af46d75f98bc097d7864a323c81b3808aa43689a6e1c601c027be" + }, + { + "alg" : "SHA-384", + "content" : "c95aa5a652533b3b54e721b7f20c4ef19a022ac6c8cd353b032bfd65f636b1adc3eb2e5ca0b409f19456e265cbfd3cb0" + }, + { + "alg" : "SHA-512", + "content" : "4ca4045775a879c3ce3021908db7b4778235a322fd8e2567da960156f24b9da86e6812a4956c8dc19920cd83e4c61141168c580829f43f10bbac925d465c3fd1" + } + ], + "licenses" : [ + { + "license" : { + "id" : "MIT", + "url" : "%BASEURL%/MIT" + } + } + ], + "purl" : "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", + "externalReferences" : [ + { + "type" : "website", + "url" : "http://www.qos.ch" + }, + { + "type" : "distribution", + "url" : "https://oss.sonatype.org/service/local/staging/deploy/maven2/" + }, + { + "type" : "vcs", + "url" : "https://github.com/qos-ch/slf4j" + } + ], + "type" : "library", + "bom-ref" : "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar" + } + ], + "dependencies" : [ + { + "ref" : "pkg:maven/de.medavis/bommanager@1.0-SNAPSHOT?type=jar", + "dependsOn" : [ + "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar" + ] + }, + { + "ref" : "pkg:maven/ch.qos.logback/logback-classic@1.2.11?type=jar", + "dependsOn" : [ + "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", + "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar" + ] + }, + { + "ref" : "pkg:maven/ch.qos.logback/logback-core@1.2.11?type=jar", + "dependsOn" : [ ] + }, + { + "ref" : "pkg:maven/org.slf4j/slf4j-api@1.7.32?type=jar", + "dependsOn" 
: [ ] + } + ] +} \ No newline at end of file diff --git a/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/test-component-metadata.json b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/test-component-metadata.json new file mode 100644 index 0000000..57c2f64 --- /dev/null +++ b/jenkins/src/test/resources/de/medavis/lct/jenkins/patch/test-component-metadata.json @@ -0,0 +1,1294 @@ +[ + { + "groupMatch": "de\\.medavis.*", + "ignore": true + }, + { + "groupMatch": "com\\.fg.*", + "nameMatch": "xmleditor-medavis", + "ignore": true + }, + { + "groupMatch": "io\\.agroal\\.*", + "mappedName": "Agoral", + "ignore": true + }, + { + "groupMatch": "gnu\\.getopt\\.*", + "mappedName": "Java-Getopt", + "url": "https://www.gnu.org/software/gnuprologjava/api/allclasses-noframe.html", + "ignore": true + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.xml\\.bind", + "nameMatch": "jboss-jaxb-api_.*_spec", + "mappedName": "JBoss JAXB API", + "url": "https://github.com/jboss/jboss-jaxb-api_spec", + "licenses": [ + "CDDL-1.1", + "GPL-2.0" + ] + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.annotation", + "nameMatch": "jboss-annotations-api_.*_spec", + "mappedName": "Java Common Annotations", + "url": "https://github.com/javaee/javax.annotation", + "licenses": [ + "CDDL-1.1", + "GPL-2.0" + ] + }, + { + "groupMatch": "javax\\.annotation", + "purlMatch": "pkg:maven\\/javax\\.annotation\\/jakarta\\.annotation-api@.*type=jar", + "mappedName": "Java Common Annotations", + "url": "https://github.com/javaee/javax.annotation", + "licenses": [ + "CDDL-1.1", + "GPL-2.0" + ] + }, + { + "groupMatch": "org\\.apache\\.camel", + "mappedName": "Apache Camel", + "url": "https://github.com/apache/camel/tree/main", + "attributionNotices": [ + "
Apache Camel\nCopyright 2007-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n \n=========================================================================\n==  NOTICE file corresponding to the section 4 d of                    ==\n==  the Apache License, Version 2.0,                                   ==\n==  in this case for the Apache Camel distribution.                    ==\n=========================================================================\n\nApache Camel\nCopyright 2007-2019 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\n=========================================================================\n==  Spring Notice                                                      ==\n=========================================================================\n\nThis product includes software developed by\nthe Apache Software Foundation (http://www.apache.org).\n\nThis product also includes software developed by\nClinton Begin (http://www.ibatis.com).\n\nThe end-user documentation included with a redistribution, if any,\nmust include the following acknowledgement:\n\n \"This product includes software developed by the Spring Framework\n  Project (http://www.springframework.org).\"\n\nAlternately, this acknowledgement may appear in the software itself,\nif and wherever such third-party acknowledgements normally appear.\n\nThe names \"Spring\" and \"Spring Framework\" must not be used to\nendorse or promote products derived from this software without\nprior written permission. 
For written permission, please contact\nrod.johnson@interface21.com or juergen.hoeller@interface21.com.\n\n=========================================================================\n==  OpenShift Notice                                                   ==\n=========================================================================\n\nThis product includes software developed by\nthe OpenShift Project (https://github.com/openshift/openshift-java-client/).\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.derby.*", + "mappedName": "Apache Derby", + "attributionNotices": [ + "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,\n==  Version 2.0, in this case for the Apache Derby distribution.\n==\n==  DO NOT EDIT THIS FILE DIRECTLY. IT IS GENERATED\n==  BY THE buildnotice TARGET IN THE TOP LEVEL build.xml FILE.\n==\n=========================================================================\n\nApache Derby\nCopyright 2004-2018 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\n=========================================================================\n\nPortions of Derby were originally developed by\nInternational Business Machines Corporation and are\nlicensed to the Apache Software Foundation under the\n\"Software Grant and Corporate Contribution License Agreement\",\ninformally known as the \"Derby CLA\".\nThe following copyright notice(s) were affixed to portions of the code\nwith which this file is now or was at one time distributed\nand are placed here unaltered.\n(C) Copyright 1997,2004 International Business Machines Corporation.  All rights reserved.\n(C) Copyright IBM Corp. 2003.\n\n=========================================================================\nThe portion of the functionTests under 'nist' was originally \ndeveloped by the National Institute of Standards and Technology (NIST), \nan agency of the United States Department of Commerce, and adapted by\nInternational Business Machines Corporation in accordance with the NIST\nSoftware Acknowledgment and Redistribution document at\nhttp://www.itl.nist.gov/div897/ctg/sql_form.htm\n\n=========================================================================\n\nThe Derby build relies on source files supplied by the Apache Felix\nproject. The following notice covers the Felix files:\n\n  Apache Felix Main\n  Copyright 2008 The Apache Software Foundation\n\n  I. 
Included Software\n\n  This product includes software developed at\n  The Apache Software Foundation (http://www.apache.org/).\n  Licensed under the Apache License 2.0.\n\n  This product includes software developed at\n  The OSGi Alliance (http://www.osgi.org/).\n  Copyright (c) OSGi Alliance (2000, 2007).\n  Licensed under the Apache License 2.0.\n\n  This product includes software from http://kxml.sourceforge.net.\n  Copyright (c) 2002,2003, Stefan Haustein, Oberhausen, Rhld., Germany.\n  Licensed under BSD License.\n\n  II. Used Software\n\n  This product uses software developed at\n  The OSGi Alliance (http://www.osgi.org/).\n  Copyright (c) OSGi Alliance (2000, 2007).\n  Licensed under the Apache License 2.0.\n\n\n  III. License Summary\n  - Apache License 2.0\n  - BSD License\n\n=========================================================================\n\nThe Derby build relies on jar files supplied by the Apache Lucene\nproject. The following notice covers the Lucene files:\n\nApache Lucene\nCopyright 2013 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nIncludes software from other Apache Software Foundation projects,\nincluding, but not limited to:\n - Apache Ant\n - Apache Jakarta Regexp\n - Apache Commons\n - Apache Xerces\n\nICU4J, (under analysis/icu) is licensed under an MIT styles license\nand Copyright (c) 1995-2008 International Business Machines Corporation and others\n\nSome data files (under analysis/icu/src/data) are derived from Unicode data such\nas the Unicode Character Database. See http://unicode.org/copyright.html for more\ndetails.\n\nBrics Automaton (under core/src/java/org/apache/lucene/util/automaton) is \nBSD-licensed, created by Anders Møller. 
See http://www.brics.dk/automaton/\n\nThe levenshtein automata tables (under core/src/java/org/apache/lucene/util/automaton) were\nautomatically generated with the moman/finenight FSA library, created by\nJean-Philippe Barrette-LaPierre. This library is available under an MIT license,\nsee http://sites.google.com/site/rrettesite/moman and \nhttp://bitbucket.org/jpbarrette/moman/overview/\n\nThe class org.apache.lucene.util.WeakIdentityMap was derived from\nthe Apache CXF project and is Apache License 2.0.\n\nThe Google Code Prettify is Apache License 2.0.\nSee http://code.google.com/p/google-code-prettify/\n\nJUnit (junit-4.10) is licensed under the Common Public License v. 1.0\nSee http://junit.sourceforge.net/cpl-v10.html\n\nThis product includes code (JaspellTernarySearchTrie) from Java Spelling Checkin\ng Package (jaspell): http://jaspell.sourceforge.net/\nLicense: The BSD License (http://www.opensource.org/licenses/bsd-license.php)\n\nThe snowball stemmers in\n  analysis/common/src/java/net/sf/snowball\nwere developed by Martin Porter and Richard Boulton.\nThe snowball stopword lists in\n  analysis/common/src/resources/org/apache/lucene/analysis/snowball\nwere developed by Martin Porter and Richard Boulton.\nThe full snowball package is available from\n  http://snowball.tartarus.org/\n\nThe KStem stemmer in\n  analysis/common/src/org/apache/lucene/analysis/en\nwas developed by Bob Krovetz and Sergio Guzman-Lara (CIIR-UMass Amherst)\nunder the BSD-license.\n\nThe Arabic,Persian,Romanian,Bulgarian, and Hindi analyzers (common) come with a default\nstopword list that is BSD-licensed created by Jacques Savoy.  
These files reside in:\nanalysis/common/src/resources/org/apache/lucene/analysis/ar/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/fa/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/ro/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/bg/stopwords.txt,\nanalysis/common/src/resources/org/apache/lucene/analysis/hi/stopwords.txt\nSee http://members.unine.ch/jacques.savoy/clef/index.html.\n\nThe German,Spanish,Finnish,French,Hungarian,Italian,Portuguese,Russian and Swedish light stemmers\n(common) are based on BSD-licensed reference implementations created by Jacques Savoy and\nLjiljana Dolamic. These files reside in:\nanalysis/common/src/java/org/apache/lucene/analysis/de/GermanLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/de/GermanMinimalStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/es/SpanishLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fi/FinnishLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fr/FrenchLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/fr/FrenchMinimalStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/hu/HungarianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/it/ItalianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/pt/PortugueseLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/ru/RussianLightStemmer.java\nanalysis/common/src/java/org/apache/lucene/analysis/sv/SwedishLightStemmer.java\n\nThe Stempel analyzer (stempel) includes BSD-licensed software developed \nby the Egothor project http://egothor.sf.net/, created by Leo Galambos, Martin Kvapil,\nand Edmond Nolan.\n\nThe Polish analyzer (stempel) comes with a default\nstopword list that is BSD-licensed created by the Carrot2 project. 
The file resides\nin stempel/src/resources/org/apache/lucene/analysis/pl/stopwords.txt.\nSee http://project.carrot2.org/license.html.\n\nThe SmartChineseAnalyzer source code (smartcn) was\nprovided by Xiaoping Gao and copyright 2009 by www.imdict.net.\n\nWordBreakTestUnicode_*.java (under modules/analysis/common/src/test/) \nis derived from Unicode data such as the Unicode Character Database. \nSee http://unicode.org/copyright.html for more details.\n\nThe Morfologik analyzer (morfologik) includes BSD-licensed software\ndeveloped by Dawid Weiss and Marcin Miłkowski (http://morfologik.blogspot.com/).\n\nMorfologik uses data from Polish ispell/myspell dictionary\n(http://www.sjp.pl/slownik/en/) licenced on the terms of (inter alia)\nLGPL and Creative Commons ShareAlike.\n\nMorfologic includes data from BSD-licensed dictionary of Polish (SGJP)\n(http://sgjp.pl/morfeusz/)\n\nServlet-api.jar and javax.servlet-*.jar are under the CDDL license, the original\nsource code for this can be found at http://www.eclipse.org/jetty/downloads.php\n\n===========================================================================\nKuromoji Japanese Morphological Analyzer - Apache Lucene Integration\n===========================================================================\n\nThis software includes a binary and/or source version of data from\n\n  mecab-ipadic-2.7.0-20070801\n\nwhich can be obtained from\n\n  http://atilika.com/releases/mecab-ipadic/mecab-ipadic-2.7.0-20070801.tar.gz\n\nor\n\n  http://jaist.dl.sourceforge.net/project/mecab/mecab-ipadic/2.7.0-20070801/mecab-ipadic-2.7.0-20070801.tar.gz\n\n===========================================================================\nmecab-ipadic-2.7.0-20070801 Notice\n===========================================================================\n\nNara Institute of Science and Technology (NAIST),\nthe copyright holders, disclaims all warranties with regard to this\nsoftware, including all implied warranties of merchantability and\nfitness, in 
no event shall NAIST be liable for\nany special, indirect or consequential damages or any damages\nwhatsoever resulting from loss of use, data or profits, whether in an\naction of contract, negligence or other tortuous action, arising out\nof or in connection with the use or performance of this software.\n\nA large portion of the dictionary entries\noriginate from ICOT Free Software.  The following conditions for ICOT\nFree Software applies to the current dictionary as well.\n\nEach User may also freely distribute the Program, whether in its\noriginal form or modified, to any third party or parties, PROVIDED\nthat the provisions of Section 3 (\"NO WARRANTY\") will ALWAYS appear\non, or be attached to, the Program, which is distributed substantially\nin the same form as set out herein and that such intended\ndistribution, if actually made, will neither violate or otherwise\ncontravene any of the laws and regulations of the countries having\njurisdiction over the User or the intended distribution itself.\n\nNO WARRANTY\n\nThe program was produced on an experimental basis in the course of the\nresearch and development conducted during the project and is provided\nto users as so produced on an experimental basis.  Accordingly, the\nprogram is provided without any warranty whatsoever, whether express,\nimplied, statutory or otherwise.  
The term \"warranty\" used herein\nincludes, but is not limited to, any warranty of the quality,\nperformance, merchantability and fitness for a particular purpose of\nthe program and the nonexistence of any infringement or violation of\nany right of any third party.\n\nEach user of the program will agree and understand, and be deemed to\nhave agreed and understood, that there is no warranty whatsoever for\nthe program and, accordingly, the entire risk arising from or\notherwise connected with the program is assumed by the user.\n\nTherefore, neither ICOT, the copyright holder, or any other\norganization that participated in or was otherwise related to the\ndevelopment of the program and their respective officials, directors,\nofficers and other employees shall be held liable for any and all\ndamages, including, without limitation, general, special, incidental\nand consequential damages, arising out of or otherwise in connection\nwith the use or inability to use the program or any product, material\nor result produced or otherwise obtained by using the program,\nregardless of whether they have been advised of, or otherwise had\nknowledge of, the possibility of such damages at any time during the\nproject or thereafter.  Each user will be deemed to have agreed to the\nforegoing by his or her commencement of use of the program.  
The term\n\"use\" as used herein includes, but is not limited to, the use,\nmodification, copying and distribution of the program and the\nproduction of secondary products from the program.\n\nIn the case where the program, whether in its original form or\nmodified, was distributed or delivered to or received by a user from\nany person, organization or entity other than ICOT, unless it makes or\ngrants independently of ICOT any specific warranty to the user in\nwriting, such person, organization or entity, will also be exempted\nfrom and not be held liable to the user for any such damages as noted\nabove as far as the program is concerned.\n\n=========================================================================\n\nThe Derby build relies on a jar file supplied by the JSON Simple\nproject, hosted at https://code.google.com/p/json-simple/.\nThe JSON simple jar file is licensed under the Apache 2.0 License.\nNo other notice covers that jar file.\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.mina.*", + "mappedName": "Apache MINA", + "attributionNotices": [ + "
Apache POI\nCopyright 2003-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\nThis product contains parts that were originally based on software from BEA.\nCopyright (c) 2000-2003, BEA Systems, <http://www.bea.com/> (dead link),\nwhich was acquired by Oracle Corporation in 2008.\n<http://www.oracle.com/us/corporate/Acquisitions/bea/index.html>\n<https://en.wikipedia.org/wiki/BEA_Systems>\nNote: The ASF Secretary has on hand a Software Grant Agreement (SGA) from\nBEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.\n\nThis product contains W3C XML Schema documents. Copyright 2001-2003 (c)\nWorld Wide Web Consortium (Massachusetts Institute of Technology, European\nResearch Consortium for Informatics and Mathematics, Keio University)\n\nThis product contains the chunks_parse_cmds.tbl file from the vsdump program.\nCopyright (C) 2006-2007 Valek Filippov (frob@df.ru)\n\nThis product contains parts of the eID Applet project\n<http://eid-applet.googlecode.com> and <https://github.com/e-Contract/eid-applet>.\nCopyright (c) 2009-2018\nFedICT (federal ICT department of Belgium), e-Contract.be BVBA (https://www.e-contract.be),\nBart Hanssens from FedICT\n
" + ] + }, + { + "groupMatch": "org\\.apache\\.poi.*", + "mappedName": "Apache POI", + "url": "https://svn.apache.org/repos/asf/poi/", + "attributionNotices": [ + "Apache POI
\nCopyright 2003-2022 The Apache Software Foundation
\n

\nThis product includes software developed at
\nThe Apache Software Foundation (https://www.apache.org/).
\n

\nThis product contains parts that were originally based on software from BEA.
\nCopyright (c) 2000-2003, BEA Systems, (dead link),
\nwhich was acquired by Oracle Corporation in 2008.
\n
\n
\nNote: The ASF Secretary has on hand a Software Grant Agreement (SGA) from
\nBEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.
\n

\nThis product contains W3C XML Schema documents. Copyright 2001-2003 (c)
\nWorld Wide Web Consortium (Massachusetts Institute of Technology, European
\nResearch Consortium for Informatics and Mathematics, Keio University)
\n

\nThis product contains the chunks_parse_cmds.tbl file from the vsdump program.
\nCopyright (C) 2006-2007 Valek Filippov (frob@df.ru)
\n

\nThis product contains parts of the eID Applet project\n and .
\nCopyright (c) 2009-2018
\nFedICT (federal ICT department of Belgium), e-Contract.be BVBA (https://www.e-contract.be),
\nBart Hanssens from FedICT
" + ] + }, + { + "nameMatch": "xmlbeans", + "mappedName": "Apache XMLBeans", + "attributionNotices": [ + "
   =========================================================================\n   ==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n   ==  Version 2.0, in this case for the Apache XmlBeans distribution.    ==\n   =========================================================================\n\n   This product includes software developed at\n   The Apache Software Foundation (http://www.apache.org/).\n\n   Portions of this software were originally based on the following:\n     - software copyright (c) 2000-2003, BEA Systems, <http://www.bea.com/>.\n   Note: The ASF Secretary has on hand a Software Grant Agreement (SGA) from\n   BEA Systems, Inc. dated 9 Sep 2003 for XMLBeans signed by their EVP/CFO.\n\n   Aside from contributions to the Apache XMLBeans project, this\n   software also includes:\n\n    - one or more source files from the Apache Xerces-J and Apache Axis\n      products, Copyright (c) 1999-2003 Apache Software Foundation\n\n    - W3C XML Schema documents Copyright 2001-2003 (c) World Wide Web\n      Consortium (Massachusetts Institute of Technology, European Research\n      Consortium for Informatics and Mathematics, Keio University)\n\n    - resolver.jar from Apache Xml Commons project,\n      Copyright (c) 2001-2003 Apache Software Foundation\n  
" + ] + }, + { + "nameMatch": "xmlsec", + "mappedName": "Apache XMLSec", + "url": "https://github.com/apache/santuario-xml-security-java/tree/main", + "licenses": [ + "Apache-2.0" + ], + "attributionNotices": [ + "
Apache Santuario - XML Security for Java\nCopyright 1999-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nIt was originally based on software copyright (c) 2001, Institute for\nData Communications Systems, <http://www.nue.et-inf.uni-siegen.de/>.\n\nThe development of this software was partly funded by the European\nCommission in the <WebSig> project in the ISIS Programme.\n\nThis product contains software that is\ncopyright (c) 2021, Oracle and/or its affiliates.\n
" + ] + }, + { + "groupMatch": "org\\.aspectj", + "mappedName": "AspectJ", + "url": "https://github.com/eclipse/org.aspectj/tree/V1_6_X" + }, + { + "nameMatch": "validation-api", + "mappedName": "Bean Validation API", + "attributionNotices": [ + "
# Notices for Eclipse Jakarta Bean Validation\n\nThis content is produced and maintained by the Eclipse Jakarta Bean Validation\nproject.\n\n* Project home: https://projects.eclipse.org/projects/ee4j.bean-validation\n\n## Trademarks\n\n Jakarta Bean Validation is a trademark of the Eclipse Foundation.\n\n## Copyright\n\nAll content is the property of the respective authors or their employers. For\nmore information regarding authorship of content, please consult the listed\nsource code repository logs.\n\n## Declared Project Licenses\n\nThis program and the accompanying materials are made available under the terms\nof the Apache License, Version 2.0 which is available at\nhttps://www.apache.org/licenses/LICENSE-2.0.\n\nSPDX-License-Identifier: Apache-2.0\n\n## Source Code\n\nThe project maintains the following source code repositories:\n\n * [The specification repository](https://github.com/eclipse-ee4j/beanvalidation-spec)\n * [The API repository](https://github.com/eclipse-ee4j/beanvalidation-api)\n * [The TCK repository](https://github.com/eclipse-ee4j/beanvalidation-tck)\n\n## Third-party Content\n\nThis project leverages the following third party content.\n\nTest dependencies:\n\n * [TestNG](https://github.com/cbeust/testng) - Apache License 2.0\n * [JCommander](https://github.com/cbeust/jcommander) - Apache License 2.0\n * [SnakeYAML](https://bitbucket.org/asomov/snakeyaml/src) - Apache License 2.0\n\n
" + ] + }, + { + "groupMatch": "org\\.bouncycastle.*", + "mappedName": "Bouncy Castle Crypto Package" + }, + { + "nameMatch": "byte-buddy", + "mappedName": "Byte Buddy", + "url": "https://github.com/raphw/byte-buddy", + "attributionNotices": [ + "
Copyright ${project.inceptionYear} - Present ${copyright.holder}\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n
" + ] + }, + { + "groupMatch": "com\\.github\\.ben-manes\\.caffeine.*", + "mappedName": "Caffeine", + "url": "https://github.com/ben-manes/caffeine" + }, + { + "groupMatch": "com\\.fasterxml", + "nameMatch": "classmate", + "mappedName": "Classmate", + "url": "https://github.com/FasterXML/java-classmate" + }, + { + "nameMatch": "commons-collections4", + "mappedName": "Commons Collections", + "attributionNotices": [ + "
Apache Commons Collections\nCopyright 2001-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-compress", + "mappedName": "Commons Compress", + "attributionNotices": [ + "
Apache Commons Compress\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\n---\n\nThe files in the package org.apache.commons.compress.archivers.sevenz\nwere derived from the LZMA SDK, version 9.20 (C/ and CPP/7zip/),\nwhich has been placed in the public domain:\n\n\"LZMA SDK is placed in the public domain.\" (http://www.7-zip.org/sdk.html)\n\n---\n\nThe test file lbzip2_32767.bz2 has been copied from libbzip2's source\nrepository:\n\nThis program, \"bzip2\", the associated library \"libbzip2\", and all\ndocumentation, are copyright (C) 1996-2019 Julian R Seward.  All\nrights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n   notice, this list of conditions and the following disclaimer.\n\n2. The origin of this software must not be misrepresented; you must\n   not claim that you wrote the original software.  If you use this\n   software in a product, an acknowledgment in the product\n   documentation would be appreciated but is not required.\n\n3. Altered source versions must be plainly marked as such, and must\n   not be misrepresented as being the original software.\n\n4. The name of the author may not be used to endorse or promote\n   products derived from this software without specific prior written\n   permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\nOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\nWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\nARE DISCLAIMED.  
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\nDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE\nGOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\nINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING\nNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS\nSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n\nJulian Seward, jseward@acm.org\n
" + ] + }, + { + "nameMatch": "commons-fileupload", + "mappedName": "Commons File Upload", + "attributionNotices": [ + "
Apache Commons FileUpload\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-io", + "mappedName": "Commons IO", + "attributionNotices": [ + "
Apache Commons IO\nCopyright 2002-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n
" + ] + }, + { + "nameMatch": "commons-lang", + "mappedName": "Commons Lang", + "url": "https://github.com/apache/commons-lang" + }, + { + "nameMatch": "commons-math3", + "mappedName": "Commons Math", + "attributionNotices": [ + "Copyright 2001-2022 The Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software developed for Orekit by\nCS Systèmes d'Information (http://www.c-s.fr/)\nCopyright 2010-2012 CS Systèmes d'Information" + ] + }, + { + "groupMatch": "com\\.github\\.virtuald", + "nameMatch": "curvesapi", + "mappedName": "Curve API", + "url": "https://github.com/virtuald/curvesapi", + "attributionNotices": [ + "
The original project used a BSD license, and remains so.\n\ncom.graphbuilder.org.apache.harmony.awt.gl.Crossing is from the Apache Harmony project and is released under the Apache 2.0 license.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "ezmorph",
+ "mappedName": "EZMorph"
+ },
+ {
+ "groupMatch": "org\\.flywaydb.*",
+ "mappedName": "Flyway",
+ "url": "https://github.com/flyway/flyway/tree/main",
+ "attributionNotices": [
+ "
License\nCopyright © Red Gate Software Ltd 2010-2022\n\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License. You may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.\n\nTrademark\nFlyway is a registered trademark of Boxfuse GmbH, owned by Red Gate Software Ltd.\n
\n"
+ ]
+ },
+ {
+ "groupMatch": "com\\.google\\.code\\.gson",
+ "mappedName": "Gson",
+ "url": "https://github.com/google/gson/tree/master",
+ "attributionNotices": [
+ "
License\nGson is released under the Apache 2.0 license.\n\nCopyright 2008 Google Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\nDisclaimer\nThis is not an officially supported Google product.\n
" + ] + }, + { + "groupMatch": "com\\.googlecode\\.concurrentlinkedhashmap\\.*", + "url": "https://github.com/ben-manes/concurrentlinkedhashmap", + "licenses": [ + "Apache-2.0" + ] + }, + { + "groupMatch": "com\\.h2database", + "mappedName": "H2 Database", + "licenses": [ + "MPL-2.0", + "EPL-1.0" + ] + }, + { + "groupMatch": "ca\\.uhn\\.hapi.*", + "mappedName": "HAPI", + "url": "https://github.com/hapifhir/hapi-hl7v2/tree/v2.3", + "licenses": [ + "GPL-3.0", + "MPL-1.1" + ] + }, + { + "groupMatch": "org\\.hibernate", + "mappedName": "Hibernate", + "url": "https://github.com/hibernate/hibernate-orm", + "licenses" : [ + "LGPL-2.1" + ] + }, + { + "nameMatch": "hsqldb", + "mappedName": "HSQL DB", + "attributionNotices": [ + "
The highly configurable java source code formatter Jindent is used to format the HSQLDB source code.\nThis Software is developed and published by the HSQL Development Group\n\nFred Toussi (fredt (at) users.sourceforge.net)\nBlaine Simpson (blaine dot simpson (at) admc dot com)\n\nhttp://hsqldb.org\n
\n"
+ ],
+ "licenses": [
+ "HyperSQL License"
+ ]
+ },
+ {
+ "nameMatch": "(infinispan-commons)|(infinispan-core)",
+ "mappedName": "Infinispan"
+ },
+ {
+ "groupMatch": "com\\.sun\\.istack",
+ "mappedName": "iStack Common",
+ "url": "https://javaee.github.io/jaxb-istack-commons/"
+ },
+ {
+ "nameMatch": "protostream",
+ "mappedName": "Infinispan protostream"
+ },
+ {
+ "groupMatch": "com\\.fasterxml\\.jackson.*",
+ "mappedName": "Jackson"
+ },
+ {
+ "groupMatch": "javax\\.activation",
+ "mappedName": "JavaBeans Activation Framework",
+ "url": "https://github.com/javaee/activation",
+ "attributionNotices": [
+ "
# Notices for Jakarta Activation\n\nThis content is produced and maintained by the Jakarta Activation project.\n\n* Project home: https://projects.eclipse.org/projects/ee4j.jaf\n\n## Trademarks\n\nJakarta Activation is a trademark of the Eclipse Foundation.\n\n## Copyright00\n\nAll content is the property of the respective authors or their employers. For\nmore information regarding authorship of content, please consult the listed\nsource code repository logs.\n\n## Declared Project Licenses\n\nThis program and the accompanying materials are made available under the terms\nof the Eclipse Public License v. 2.0 which is available at\nhttps://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License v1.0\nwhich is available at https://www.eclipse.org/org/documents/edl-v10.php. This\nSource Code may also be made available under the following Secondary Licenses\nwhen the conditions for such availability set forth in the Eclipse Public\nLicense v. 2.0 are satisfied: (secondary) GPL-2.0 with Classpath-exception-2.0\nwhich is available at https://openjdk.java.net/legal/gplv2+ce.html.\n\nSPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with\nClasspath-exception-2.0\n\n## Cryptography\n\nContent may contain encryption software. The country in which you are currently\nmay have restrictions on the import, possession, and use, and/or re-export to\nanother country, of encryption software. BEFORE using any encryption software,\nplease check the country's laws, regulations and policies concerning the import,\npossession, or use, and re-export of encryption software, to see if this is\npermitted.
" + ] + }, + { + "groupMatch": "com\\.github\\.fge", + "mappedName": "Java Json Tools", + "url": "https://github.com/java-json-tools" + }, + { + "groupMatch": "com\\.github\\.stephenc\\.jcip", + "mappedName": "JCIP annotations", + "url": "https://github.com/stephenc/jcip-annotations" + }, + { + "groupMatch": "org\\.javassist", + "mappedName": "Javassist", + "url": "https://www.javassist.org/" + }, + { + "groupMatch": "javax\\.persistence", + "mappedName": "Java Persistence API", + "url": "https://github.com/javaee/jpa-spec" + }, + { + "groupMatch": "org\\.jboss\\.spec\\.javax\\.transaction", + "nameMatch": "jboss\\-transaction\\-api_.*_spec", + "mappedName": "Java Transaction API", + "url": "https://github.com/javaee/javax.transaction" + }, + { + "groupMatch": "org\\.glassfish\\.grizzly.*", + "mappedName": "Grizzly", + "url": "https://javaee.github.io/grizzly/", + "licenses": [ + "CDDL-1.1", + "GPL-2" + ] + }, + { + "groupMatch": "(com\\.sun\\.xml\\.bind)|(org\\.glassfish\\.jaxb)|(javax\\.xml\\.bind)", + "mappedName": "JAXB", + "url": "https://javaee.github.io/jaxb-v2/", + "attributionNotices": [ + "
Licensing and Governance\nJAXB is licensed under a dual license - CDDL 1.1 and GPL 2.0 with Class-path Exception. That means you can choose which one of the two suits your needs better and use it under those terms.\n\nWe use GlassFish Governance Policy, which means we can only accept contributions under the terms of OCA.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "jaxb2-basics-runtime",
+ "mappedName": "JAXB2 Basics Runtime",
+ "licenses": [
+ "BSD-2-Clause"
+ ]
+ },
+ {
+ "groupMatch": "org\\.jboss\\.spec\\.javax\\.ws\\.rs",
+ "nameMatch": "jboss\\-jaxrs\\-api_.*_spec",
+ "mappedName": "JAX-RS",
+ "url": "https://github.com/javaee/jax-rs-api"
+ },
+ {
+ "nameMatch": "jbcrypt",
+ "mappedName": "jBCrypt",
+ "attributionNotices": [
+ "
Copyright (c) 2006 Damien Miller \n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n
\n"
+ ],
+ "licenses": [
+ "ISC"
+ ]
+ },
+ {
+ "nameMatch": "jboss-threads",
+ "mappedName": "JBoss Threads",
+ "attributionNotices": [
+ "
Copyright (c) 2006 Damien Miller \n\nPermission to use, copy, modify, and distribute this software for any\npurpose with or without fee is hereby granted, provided that the above\ncopyright notice and this permission notice appear in all copies.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\nWITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\nMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR\nANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\nWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\nACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF\nOR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "joda-time",
+ "mappedName": "Joda Time",
+ "attributionNotices": [
+ "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes software developed by\nJoda.org (https://www.joda.org/).\n
" + ] + }, + { + "nameMatch": "json-lib", + "mappedName": "JSON-lib", + "url": "https://github.com/kordamp/json-lib", + "licenses": [ + "Apache-2.0" + ] + }, + { + "nameMatch": "jgroups", + "mappedName": "JGroups" + }, + { + "nameMatch": "jsoup", + "mappedName": "JSoup" + }, + { + "nameMatch": "jtds", + "mappedName": "jTDS JDBC Driver", + "licenses": [ + "LGPL-2.1" + ] + }, + { + "groupMatch": "org\\.keycloak.*", + "mappedName": "Keycloak", + "url": "https://github.com/keycloak/keycloak", + "licenses": [ + "Apache-2.0" + ] + }, + { + "groupMatch": "com\\.googlecode\\.libphonenumber", + "mappedName": "Libphonenumber" + }, + { + "groupMatch": "org\\.apache\\.logging\\.log4j", + "mappedName": "Log4J", + "attributionNotices": [ + "
Apache Log4j\nCopyright 1999-2021 Apache Software Foundation\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nResolverUtil.java\nCopyright 2005-2006 Tim Fennell\n\nDumbster SMTP test server\nCopyright 2004 Jason Paul Kitchen\n\nTypeUtil.java\nCopyright 2002-2012 Ramnivas Laddad, Juergen Hoeller, Chris Beams\n\npicocli (http://picocli.info)\nCopyright 2017 Remko Popma\n\nTimeoutBlockingWaitStrategy.java and parts of Util.java\nCopyright 2011 LMAX Ltd.\n
" + ] + }, + { + "nameMatch": "mapstruct", + "mappedName": "Mapstruct", + "attributionNotices": [ + "
\n Copyright MapStruct Authors.\n\n MapStruct is licensed under the Apache License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0\n\n------------------------------------------------------------------------\n\n MAPSTRUCT SUBCOMPONENTS WITH DIFFERENT COPYRIGHT OWNERS\n\n The MapStruct distribution (ZIP, TAR.GZ) as well as the MapStruct\n library (JAR) include FreeMarker, a software developed by Attila\n Szegedi, Daniel Dekany and Jonathan Revusky. FreeMarker is licensed\n under the same license as MapStruct itself - Apache License, Version\n 2.0 - but the copyright owners are the aforementioned individuals.\n\n The MapStruct distribution (ZIP, TAR.GZ) as well as the MapStruct\n library (JAR) include a number of files that are licensed by the\n Apache Software Foundation under the same license as MapStruct itself -\n Apache License, Version 2.0 - but the copyright owner is the Apache\n Software Foundation. These files are:\n\n     freemarker/ext/jsp/web-app_2_2.dtd\n     freemarker/ext/jsp/web-app_2_3.dtd\n     freemarker/ext/jsp/web-app_2_4.xsd\n     freemarker/ext/jsp/web-app_2_5.xsd\n     freemarker/ext/jsp/web-jsptaglibrary_1_1.dtd\n     freemarker/ext/jsp/web-jsptaglibrary_1_2.dtd\n     freemarker/ext/jsp/web-jsptaglibrary_2_0.xsd\n     freemarker/ext/jsp/web-jsptaglibrary_2_1.xsd\n
" + ] + }, + { + "nameMatch": "mariadb-java-client", + "mappedName": "Maria DB Java Client" + }, + { + "nameMatch": "microprofile-config-api", + "mappedName": "MicroProfile Config API", + "attributionNotices": [ + "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n==  Version 2.0, in this case for Microprofile Config                  ==\n=========================================================================\n\nThis product includes software developed at\nThe Apache Software Foundation (http://www.apache.org/).\n\nPortions of this software were originally based on the following:\n* Apache DeltaSpike Config\n  https://deltaspike.apache.org\n  under Apache License, v2.0\n\nSPDXVersion: SPDX-2.1\nPackageName: Eclipse Microprofile\nPackageHomePage: http://www.eclipse.org/microprofile\nPackageLicenseDeclared: Apache-2.0\n\nPackageCopyrightText: <text>\nMark Struberg struberg@apache.org,\nGerhard Petracek gpetracek@apache.org,\nRomain Manni-Bucau rmannibucau@apache.org,\nRon Smeral rsmeral@apache.org,\nEmily Jiang emijiang@uk.ibm.com,\nOndrej Mihalyi ondrej.mihalyi@gmail.com,\nGunnar Morling gunnar@hibernate.org\n</text>\n
"
+ ]
+ },
+ {
+ "nameMatch": "microprofile-metrics-api",
+ "mappedName": "MicroProfile Metrics API",
+ "attributionNotices": [
+ "
=========================================================================\n==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n==  Version 2.0, in this case for Microprofile Metrics                 ==\n=========================================================================\n\nPortions of this software were originally based on the following:\n* Dropwizard Metrics\n  http://metrics.dropwizard.io/3.2.3/\n  under Apache License, v2.0\n\n* CDI Extension for Metrics by Antonin Stefanutti\n  https://github.com/astefanutti/metrics-cdi\n  under Apache License, v2.0\n\nSPDXVersion: SPDX-2.1\nPackageName: Eclipse Microprofile\nPackageHomePage: http://www.eclipse.org/microprofile\nPackageLicenseDeclared: Apache-2.0\n\nPackageCopyrightText: <text>\nHeiko Rupp hrupp@redhat.com,\nRaymond Lam lamr@ca.ibm.com,\nBrennan Nichyporuk brennan.nichyporuk@gmail.com,\nDavid Chan chdavid@ca.ibm.com,\nDon Bourne dbourne@ca.ibm.com,\nAntonin Stefanutti antonin@stefanutti.fr,\nArjun Sharma arjun.a.sharma@ibm.com,\nFahham Khan fahhamk@ca.ibm.com,\nFelix Wong fmhwong@ca.ibm.com,\nMike Croft mike.croft@payara.fish,\nWerner Keil werner@catmedia.us,\nJan Martiska jmartisk@redhat.com\n</text>\n
"
+ ]
+ },
+ {
+ "nameMatch": "org\\.osgi\\.org\\.osgi.*",
+ "mappedName": "OSGI"
+ },
+ {
+ "nameMatch": "annotation\\.versioning",
+ "mappedName": "OSGI Versioning",
+ "url": "https://docs.osgi.org/javadoc/r6/annotation/"
+ },
+ {
+ "nameMatch": "passay",
+ "mappedName": "Passay",
+ "url": "https://github.com/vt-middleware/passay",
+ "attributionNotices": [
+ "
Passay Java Library\nCopyright (C) 2003-2022 Virginia Tech.\nAll rights reserved.\n\nThis product includes software developed at\nVirginia Tech (http://www.vt.edu).\n
"
+ ],
+ "licenses": [
+ "Apache-2.0",
+ "LGPL-3.0"
+ ]
+ },
+ {
+ "nameMatch": "ph-commons",
+ "mappedName": "ph-commons",
+ "attributionNotices": [
+ "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes Open Source Software developed by\nPhilip Helger - https://www.helger.com/\n\nThis product includes Open Source Software developed by phloc systems (http://www.phloc.com/)\n\nThis product includes/uses software(s) developed by 'Apache Software Foundation' (http://www.apache.org/)\n  - Abdera I18N (http://abdera.apache.org/)\n  - commons-primitives (http://commons.apache.org/proper/commons-primitives/)\n  - commons-codec (http://commons.apache.org/proper/commons-codec/)\n\nThis product includes/uses software(s) developed by 'Robert Harder' (http://iharder.net/)\n  - Base64 (http://iharder.net/base64)\n\nThis product includes/uses software(s) developed by 'Bytecode Pty Ltd.'\n  - OpenCSV (http://sourceforge.net/projects/opencsv/)\n
"
+ ]
+ },
+ {
+ "nameMatch": "ph-css",
+ "mappedName": "ph-css",
+ "attributionNotices": [
+ "
=============================================================================\n= NOTICE file corresponding to section 4d of the Apache License Version 2.0 =\n=============================================================================\nThis product includes Open Source Software developed by\nPhilip Helger - https://www.helger.com/\n\nThis product includes Open Source Software developed by phloc systems (http://www.phloc.com/)\n
"
+ ]
+ },
+ {
+ "nameMatch": "reactive-streams",
+ "mappedName": "Reactive Streams",
+ "url": "https://github.com/reactive-streams/reactive-streams-jvm/tree/master",
+ "attributionNotices": [
+ "
Legal\n  This project is a collaboration between engineers from Kaazing, Lightbend, Netflix, Pivotal, Red Hat, Twitter and many others. This project is licensed under MIT No Attribution (SPDX: MIT-0).\n
\n\n"
+ ],
+ "licenses": [
+ "MIT-0"
+ ]
+ },
+ {
+ "nameMatch": "reflections",
+ "mappedName": "Reflections",
+ "attributionNotices": [
+ "
            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE\n                    Version 2, December 2004\n\n Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>\n\n Everyone is permitted to copy and distribute verbatim or modified\n copies of this license document, and changing it is allowed as long\n as the name is changed.\n\n            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE\n   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n  0. You just DO WHAT THE FUCK YOU WANT TO.\n\n
"
+ ]
+ },
+ {
+ "nameMatch": "resteasy-cache-core",
+ "mappedName": "RESTEasy Cache Core"
+ },
+ {
+ "nameMatch": "rxjava",
+ "mappedName": "RxJava",
+ "url": "https://github.com/ReactiveX/RxJava",
+ "attributionNotices": [
+ "
Copyright (c) 2016-present, RxJava Contributors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n
"
+ ]
+ },
+ {
+ "nameMatch": "SparseBitSet",
+ "mappedName": "SparseBitSet"
+ },
+ {
+ "nameMatch": "sqlite-jdbc",
+ "mappedName": "SQLITE JDBC",
+ "url": "https://github.com/xerial/sqlite-jdbc/tree/master",
+ "attributionNotices": [
+ "
This product includes the following softwares developed by David Crawshaw.\nSee LICENSE.zentus file.\n\nAnd also, NestedVM (Apache License Version 2.0) is used inside sqlite-
"
+ ]
+ },
+ {
+ "nameMatch": "swagger-annotations",
+ "mappedName": "Swagger",
+ "attributionNotices": [
+ "
This product includes the following softwares developed by David Crawshaw.\nSee LICENSE.zentus file.\n\nAnd also, NestedVM (Apache License Version 2.0) is used inside sqlite-
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.vaadin.*",
+ "mappedName": "Vaadin",
+ "url": "https://github.com/vaadin",
+ "licenses": [
+ "Apache-2.0",
+ "CVAL-3.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.vaadin\\.flow.*",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "groupMatch": "com\\.vaadin.*",
+ "nameMatch": "vaadin-lumo-theme|vaadin-lumo-theme|vaadin-cdi",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "groupMatch": "com\\.vaadin\\.external.*",
+ "ignore": true,
+ "comment": "Ignore because it's a part of Vaadin, but has a different versioning scheme"
+ },
+ {
+ "nameMatch": "enhanced-date-time-picker",
+ "mappedName": "Vaadin Componentfactory Enhanced Date Time Picker",
+ "url": "https://github.com/vaadin-component-factory/enhanced-date-time-picker",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "mobile-drag-drop",
+ "mappedName": "Webjars NPM Mobile drag and drop"
+ },
+ {
+ "nameMatch": "vaadin__vaadin-mobile-drag-drop",
+ "mappedName": "Webjars NPM Vaadin Mobile drag and drop"
+ },
+ {
+ "nameMatch": "polymer",
+ "mappedName": "Webjars Polymer"
+ },
+ {
+ "nameMatch": "iron-a11y-announcer",
+ "mappedName": "Webjars Polymerelement iron-a11y-announcer"
+ },
+ {
+ "nameMatch": "iron-scroll-target-behavior",
+ "mappedName": "Webjars Polymerelement iron-scroll-target-behavior"
+ },
+ {
+ "nameMatch": "iron-resizable-behavior",
+ "mappedName": "Webjars Polymerelement iron-resizable-behavior"
+ },
+ {
+ "nameMatch": "iron-meta",
+ "mappedName": "Webjars Polymerelement iron-meta"
+ },
+ {
+ "nameMatch": "iron-a11y-keys-behavior",
+ "mappedName": "Webjars Polymerelement iron-a11y-keys-behavior"
+ },
+ {
+ "nameMatch": "iron-fit-behavior",
+ "mappedName": "Webjars Polymerelement iron-fit-behavior"
+ },
+ {
+ "nameMatch": "iron-iconset-svg",
+ "mappedName": "Webjars Polymerelements iron-iconset-svg"
+ },
+ {
+ "nameMatch": "iron-icon",
+ "mappedName": "Webjars Polymerelements iron-icon"
+ },
+ {
+ "nameMatch": "iron-media-query",
+ "mappedName": "Webjars Polymerelement iron-media-query"
+ },
+ {
+ "nameMatch": "iron-flex-layout",
+ "mappedName": "Webjars Polymerelement iron-flex-layout"
+ },
+ {
+ "nameMatch": "iron-list",
+ "mappedName": "Webjars Polymerelement iron-list"
+ },
+ {
+ "nameMatch": "iron-overlay-behavior",
+ "mappedName": "Webjars Polymerelement iron-overlay-behavior"
+ },
+ {
+ "nameMatch": "polymer",
+ "mappedName": "Webjars Vaadin Button",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-combo-box",
+ "mappedName": "Webjars Vaadin Combo Box",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-control-state-mixin",
+ "mappedName": "Webjars Vaadin Control State Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-element-mixin",
+ "mappedName": "Webjars Vaadin Element Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-custom-field",
+ "mappedName": "Webjars Vaadin Custom Field",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-date-picker",
+ "mappedName": "Webjars Vaadin Date Picker",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "(vaadin-time-picker)|(vaadin-button)",
+ "mappedName": "Webjars Vaadin Time Picker, Button",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-date-time-picker",
+ "mappedName": "Webjars Vaadin Date Time Picker",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-development-mode-detector",
+ "mappedName": "Webjars Vaadin Development Mode Detector",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-item",
+ "mappedName": "Webjars Vaadin Item",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-lumo-styles",
+ "mappedName": "Webjars Vaadin Lumo Styles",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-material-styles",
+ "mappedName": "Webjars Vaadin Material Styles",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-overlay",
+ "mappedName": "Webjars Vaadin Overlay",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-text-field",
+ "mappedName": "Webjars Vaadin Text Field",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-themable-mixin",
+ "mappedName": "Webjars Vaadin Themable Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-themable-mixin",
+ "mappedName": "Webjars Vaadin Themable Mixin",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "vaadin-usage-statistics",
+ "mappedName": "Webjars Vaadin Statistics Usage",
+ "attributionNotices": [
+ "
License\nApache License 2.0\n\nVaadin collects development time usage statistics to improve this product. For details and to opt-out, see https://github.com/vaadin/vaadin-usage-statistics.\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "shadycss",
+ "mappedName": "Webjars Webcomponents Shady CSS"
+ },
+ {
+ "nameMatch": "webcomponentsjs",
+ "mappedName": "Webjars Webcomponents JS"
+ },
+ {
+ "nameMatch": "wildfly-common",
+ "mappedName": "Wildfly Common",
+ "attributionNotices": [
+ "
License\nThis software is in the public domain\n
\n"
+ ]
+ },
+ {
+ "nameMatch": "xml-apis",
+ "mappedName": "XML APIs",
+ "url": "http://svn.apache.org/repos/asf/xerces/xml-commons/",
+ "attributionNotices": [
+ "
   =========================================================================\n   ==  NOTICE file corresponding to section 4(d) of the Apache License,   ==\n   ==  Version 2.0, in this case for the Apache xml-commons xml-apis      ==\n   ==  distribution.                                                      ==\n   =========================================================================\n\n   Apache XML Commons\n   Copyright 2001-2003,2006 The Apache Software Foundation.\n\n   This product includes software developed at\n   The Apache Software Foundation (http://www.apache.org/).\n\n   Portions of this software were originally based on the following:\n     - software copyright (c) 1999, IBM Corporation., http://www.ibm.com.\n     - software copyright (c) 1999, Sun Microsystems., http://www.sun.com.\n     - software copyright (c) 2000 World Wide Web Consortium, http://www.w3.org\n
"
+ ],
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "aopalliance",
+ "mappedName": "AOP Alliance (Java/J2EE AOP standards)",
+ "url": "http://aopalliance.cvs.sourceforge.net:/cvsroot/aopalliance"
+ },
+ {
+ "nameMatch": "ch-commons-charset",
+ "mappedName": "ch-commons-charset",
+ "url": "https://github.com/jjlauer/cloudhopper-commons-charset",
+ "attributionNotices": [
+ "
\nch-commons-charset is Copyright (C) 2011 Twitter, Inc.\n\nLicensed under the Apache License, Version 2.0 (the "License"); you may not\nuse this work except in compliance with the License. You may obtain a copy of\nthe License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an "AS IS" BASIS, WITHOUT\nWARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the\nLicense for the specific language governing permissions and limitations under\nthe License.
\n"
+ ]
+ },
+ {
+ "groupMatch": "xerces",
+ "mappedName": "Apache Xerces - Impl",
+ "url": "https://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_8_0/"
+ },
+ {
+ "groupMatch": "apache-xerces",
+ "mappedName": "Apache Xerces",
+ "url": "https://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_9_1/",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.kenglxn\\.qrgen",
+ "mappedName": "QRGen",
+ "url": "https://github.com/kenglxn/QRGen"
+ },
+ {
+ "groupMatch": "com\\.beust",
+ "nameMatch": "jcommander",
+ "mappedName": "JCommander",
+ "url": "https://github.com/cbeust/jcommander"
+ },
+ {
+ "groupMatch": "com\\.github\\.librepdf",
+ "nameMatch": "openpdf",
+ "mappedName": "OpenPDF",
+ "url": "https://github.com/LibrePDF/OpenPDF",
+ "attributionNotices": [
+ "
\n# Licenses\n\n## Licenses of OpenPDF\n\n### Mozilla Public License Version 2.0\n\nPlease see https://www.mozilla.org/en-US/MPL/2.0/ or the attached file\n[MPL-2.0.txt](src/main/resources/META-INF/MPL-2.0.txt).\n\n### GNU Lesser General Public License 2.1\n\nPlease see https://www.gnu.org/licenses/old-licenses/lgpl-2.1 or the attached file\n[LGPL-2.1.md](src/main/resources/META-INF/LGPL-2.1.md).\n
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.github\\.albfernandez",
+ "nameMatch": "juniversalchardet",
+ "mappedName": "juniversalchardet",
+ "url": "https://github.com/albfernandez/juniversalchardet"
+ },
+ {
+ "groupMatch": "com\\.google\\.zxing",
+ "mappedName": "ZXing",
+ "url": "https://github.com/zxing/zxing",
+ "attributionNotices": [
+ "
Copyright (c) 2005 Sun Microsystems, Inc.\nCopyright © 2010-2014 University of Manchester\nCopyright © 2010-2015 Stian Soiland-Reyes\nCopyright © 2015 Peter Hull\nAll Rights Reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n- Redistribution of source code must retain the above copyright\n  notice, this list of conditions and the following disclaimer.\n\n- Redistribution in binary form must reproduce the above copyright\n  notice, this list of conditions and the following disclaimer in\n  the documentation and/or other materials provided with the\n  distribution.\n\nNeither the name of Sun Microsystems, Inc. or the names of\ncontributors may be used to endorse or promote products derived\nfrom this software without specific prior written permission.\n\nThis software is provided "AS IS," without a warranty of any\nkind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND\nWARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY\nEXCLUDED. SUN MIDROSYSTEMS, INC. ("SUN") AND ITS LICENSORS SHALL\nNOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF\nUSING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS\nDERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR\nANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL,\nCONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND\nREGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR\nINABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE\nPOSSIBILITY OF SUCH DAMAGES.\n\nYou acknowledge that this software is not designed or intended for\nuse in the design, construction, operation or maintenance of any\nnuclear facility.
\n"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.activemq\\.protobuf",
+ "mappedName": "Apache ActiveMQ - Protobuf"
+ },
+ {
+ "groupMatch": "org\\.apache\\.activemq",
+ "mappedName": "Apache ActiveMQ",
+ "url": "https://github.com/apache/activemq"
+ },
+ {
+ "groupMatch": "net\\.java\\.dev\\.jna",
+ "mappedName": "Java Native Access (JNA)",
+ "url": "https://github.com/java-native-access/jna",
+ "attributionNotices": [
+ "
\nSPDX-License-Identifier: Apache-2.0 OR LGPL-2.1\n\nJava Native Access (JNA) is licensed under the LGPL, version 2.1\nor later, or (from version 4.0 onward) the Apache License,\nversion 2.0.\n\nYou can freely decide which license you want to apply to the project.\n\nYou may obtain a copy of the LGPL License at:\n\nhttp://www.gnu.org/licenses/licenses.html\n\nA copy is also included in the downloadable source code package\ncontaining JNA, in file "LGPL2.1", under the same directory\nas this file.\n\nYou may obtain a copy of the Apache License at:\n\nhttp://www.apache.org/licenses/\n\nA copy is also included in the downloadable source code package\ncontaining JNA, in file "AL2.0", under the same directory\nas this file.\n\nCommercial support may be available, please e-mail\ntwall[at]users[dot]sf[dot]net.\n
"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.pdfbox",
+ "mappedName": "PDFBox",
+ "url": "https://svn.apache.org/repos/asf/pdfbox/",
+ "attributionNotices": [
+ "
\nEXTERNAL COMPONENTS\n\nApache PDFBox includes a number of components with separate copyright notices\nand license terms. Your use of these components is subject to the terms and\nconditions of the following licenses.\n\nContributions made to the original PDFBox and FontBox projects:\n\n   Copyright (c) 2002-2007, www.pdfbox.org\n   All rights reserved.\n\n   Redistribution and use in source and binary forms, with or without\n   modification, are permitted provided that the following conditions are met:\n\n   1. Redistributions of source code must retain the above copyright notice,\n      this list of conditions and the following disclaimer.\n\n   2. Redistributions in binary form must reproduce the above copyright\n      notice, this list of conditions and the following disclaimer in the\n      documentation and/or other materials provided with the distribution.\n\n   3. Neither the name of pdfbox; nor the names of its contributors may be\n      used to endorse or promote products derived from this software without\n      specific prior written permission.\n\n   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\n   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n   ARE DISCLAIMED.  
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE\n   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\n   SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\n   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n   SUCH DAMAGE.\n\nAdobe Font Metrics (AFM) for PDF Core 14 Fonts\n\n   This file and the 14 PostScript(R) AFM files it accompanies may be used,\n   copied, and distributed for any purpose and without charge, with or without\n   modification, provided that all copyright notices are retained; that the\n   AFM files are not distributed without this file; that all modifications\n   to this file or any of the AFM files are prominently noted in the modified\n   file(s); and that this paragraph is not modified. Adobe Systems has no\n   responsibility or obligation to support the use of the AFM files. \n\nCMaps for PDF Fonts (http://opensource.adobe.com/wiki/display/cmap/Downloads)\n\n   Copyright 1990-2009 Adobe Systems Incorporated.\n   All rights reserved.\n\n   Redistribution and use in source and binary forms, with or without\n   modification, are permitted provided that the following conditions\n   are met:\n\n   Redistributions of source code must retain the above copyright notice,\n   this list of conditions and the following disclaimer.\n\n   Redistributions in binary form must reproduce the above copyright notice,\n   this list of conditions and the following disclaimer in the documentation\n   and/or other materials provided with the distribution. \n\n   Neither the name of Adobe Systems Incorporated nor the names of its\n   contributors may be used to endorse or promote products derived from this\n   software without specific prior written permission. 
\n\n   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\n   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n   ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE\n   LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\n   CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\n   SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\n   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN\n   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\n   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF\n   THE POSSIBILITY OF SUCH DAMAGE.\n\nPaDaF PDF/A preflight (http://sourceforge.net/projects/padaf)\n\n  Copyright 2010 Atos Worldline SAS\n \n  Licensed by Atos Worldline SAS under one or more\n  contributor license agreements.  See the NOTICE file distributed with\n  this work for additional information regarding copyright ownership.\n  Atos Worldline SAS licenses this file to You under the Apache License, Version 2.0\n  (the "License"); you may not use this file except in compliance with\n  the License.  You may obtain a copy of the License at\n \n       http://www.apache.org/licenses/LICENSE-2.0\n \n  Unless required by applicable law or agreed to in writing, software\n  distributed under the License is distributed on an "AS IS" BASIS,\n  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n  See the License for the specific language governing permissions and\n  limitations under the License.\n\nOSXAdapter\n\n  Version: 2.0\n  \n  Disclaimer: IMPORTANT:  This Apple software is supplied to you by \n  Apple Inc. 
("Apple") in consideration of your agreement to the\n  following terms, and your use, installation, modification or\n  redistribution of this Apple software constitutes acceptance of these\n  terms.  If you do not agree with these terms, please do not use,\n  install, modify or redistribute this Apple software.\n  \n  In consideration of your agreement to abide by the following terms, and\n  subject to these terms, Apple grants you a personal, non-exclusive\n  license, under Apple's copyrights in this original Apple software (the\n  "Apple Software"), to use, reproduce, modify and redistribute the Apple\n  Software, with or without modifications, in source and/or binary forms;\n  provided that if you redistribute the Apple Software in its entirety and\n  without modifications, you must retain this notice and the following\n  text and disclaimers in all such redistributions of the Apple Software. \n  Neither the name, trademarks, service marks or logos of Apple Inc. \n  may be used to endorse or promote products derived from the Apple\n  Software without specific prior written permission from Apple.  Except\n  as expressly stated in this notice, no other rights or licenses, express\n  or implied, are granted by Apple herein, including but not limited to\n  any patent rights that may be infringed by your derivative works or by\n  other works in which the Apple Software may be incorporated.\n  \n  The Apple Software is provided by Apple on an "AS IS" basis.  
APPLE\n  MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION\n  THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY AND FITNESS\n  FOR A PARTICULAR PURPOSE, REGARDING THE APPLE SOFTWARE OR ITS USE AND\n  OPERATION ALONE OR IN COMBINATION WITH YOUR PRODUCTS.\n  \n  IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL\n  OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\n  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS\n  INTERRUPTION) ARISING IN ANY WAY OUT OF THE USE, REPRODUCTION,\n  MODIFICATION AND/OR DISTRIBUTION OF THE APPLE SOFTWARE, HOWEVER CAUSED\n  AND WHETHER UNDER THEORY OF CONTRACT, TORT (INCLUDING NEGLIGENCE),\n  STRICT LIABILITY OR OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE\n  POSSIBILITY OF SUCH DAMAGE.\n  \n  Copyright (C) 2003-2007 Apple, Inc., All Rights Reserved\n
"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.xmlgraphics",
+ "nameMatch": "batik.*",
+ "mappedName": "Apache XML Graphics Project - Batik",
+ "url": "https://svn.apache.org/repos/asf/xmlgraphics/batik/tags/batik-1_10/"
+ },
+ {
+ "groupMatch": "org\\.apache\\.xmlgraphics",
+ "nameMatch": "xmlgraphics-commons",
+ "mappedName": "Apache XML Graphics Project - xmlgraphics-commons",
+ "url": "https://svn.apache.org/viewvc/xmlgraphics/commons/tags/commons-2_2/"
+ },
+ {
+ "groupMatch": "xml-apis",
+ "nameMatch": "xml-apis-ext",
+ "mappedName": "Apache XML APIs Extensions",
+ "url": "https://xerces.apache.org/xml-commons/components/external/"
+ },
+ {
+ "groupMatch": "xom",
+ "nameMatch": "xom",
+ "mappedName": "XOM: XML object model",
+ "url": "https://github.com/elharo/xom/",
+ "attributionNotices": [
+ "
\nXOM is a dual streaming/tree-based API for processing XML with Java.\nCopyright 2004, 2005, 2009, 2010, 2020 Elliotte Rusty Harold\n   \n   This library is free software; you can redistribute it and/or modify\n   it under the terms of version 2.1 of the GNU Lesser General Public \n   License as published by the Free Software Foundation.\n   \n   This library is distributed in the hope that it will be useful,\n   but WITHOUT ANY WARRANTY; without even the implied warranty of\n   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the \n   GNU Lesser General Public License for more details.\n   \n   You should have received a copy of the GNU Lesser General Public\n   License along with this library. If not, see \n   \n   \nYou can contact Elliotte Rusty Harold by sending e-mail to\nelharo@ibiblio.org. Please include the word "XOM" in the\nsubject line. For more information see https://xom.nu/ \nor ask a question on the xom-interest mailing list.\n
"
+ ]
+ },
+ {
+ "groupMatch": "relaxngDatatype",
+ "nameMatch": "relaxngDatatype",
+ "mappedName": "relaxngDatatype",
+ "url": "https://sourceforge.net/projects/relaxng/files/"
+ },
+ {
+ "groupMatch": "pull-parser",
+ "nameMatch": "pull-parser",
+ "mappedName": "pull-parser",
+ "url": "https://extreme.indiana.edu/"
+ },
+ {
+ "groupMatch": "org\\.springframework",
+ "mappedName": "Spring Framework",
+ "url": "https://github.com/SpringSource/spring-framework"
+ },
+ {
+ "groupMatch": "org\\.slf4j",
+ "nameMatch": "slf4j.*",
+ "mappedName": "Simple Logging Facade for Java (SLF4J)",
+ "url": "https://github.com/qos-ch/slf4j"
+ },
+ {
+ "groupMatch": "org\\.dcm4che.*",
+ "mappedName": "dcm4che DICOM Toolkit & Library",
+ "url": "https://github.com/dcm4che/dcm4che"
+ },
+ {
+ "groupMatch": "commons-validator",
+ "nameMatch": "commons-validator",
+ "mappedName": "Apache Commons Validator",
+ "url": "https://github.com/apache/commons-validator/tree/VALIDATOR_1_6"
+ },
+ {
+ "groupMatch": "commons-pool",
+ "nameMatch": "commons-pool",
+ "mappedName": "Apache Commons Pool",
+ "url": "https://github.com/apache/commons-pool/tree/POOL_1_6"
+ },
+ {
+ "groupMatch": "commons-net",
+ "nameMatch": "commons-net",
+ "mappedName": "Apache Commons Net",
+ "url": "https://github.com/apache/commons-net/tree/NET_3_3"
+ },
+ {
+ "groupMatch": "commons-digester",
+ "nameMatch": "commons-digester",
+ "mappedName": "Apache Commons Digester",
+ "url": "https://github.com/apache/commons-digester/tree/DIGESTER_1_8_1"
+ },
+ {
+ "groupMatch": "commons-cli",
+ "nameMatch": "commons-cli",
+ "mappedName": "Apache Commons CLI",
+ "url": "https://github.com/apache/commons-cli/tree/cli-1.4"
+ },
+ {
+ "groupMatch": "commons-httpclient",
+ "nameMatch": "commons-httpclient",
+ "mappedName": "Apache Commons HTTP-Client",
+ "url": "https://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/"
+ },
+ {
+ "groupMatch": "io\\.github\\.openfeign",
+ "mappedName": "Openfeign"
+ },
+ {
+ "groupMatch": "org\\.jodd",
+ "mappedName": "Jodd",
+ "url": "https://github.com/oblac/jodd/tree/v3.6.7"
+ },
+ {
+ "groupMatch": "org\\.drools",
+ "mappedName": "Drools",
+ "url": "https://github.com/kiegroup/drools/tree/5.5.0.Final"
+ },
+ {
+ "groupMatch": "org\\.checkerframework",
+ "nameMatch": "Checker framework",
+ "mappedName": "",
+ "attributionNotices": [
+ "
\nThe Checker Framework\nCopyright 2004-present by the Checker Framework developers\n\n\nMost of the Checker Framework is licensed under the GNU General Public\nLicense, version 2 (GPL2), with the classpath exception.  The text of this\nlicense appears below.  This is the same license used for OpenJDK.\n\nA few parts of the Checker Framework have more permissive licenses, notably\nthe parts that you might want to include with your own program.\n\n * The annotations and utility files are licensed under the MIT License.\n   (The text of this license also appears below.)  This applies to\n   checker-qual*.jar and checker-util.jar and all the files that appear in\n   them, which is all files in checker-qual and checker-util directories.\n   It also applies to the cleanroom implementations of\n   third-party annotations (in checker/src/testannotations/,\n   framework/src/main/java/org/jmlspecs/, and\n   framework/src/main/java/com/google/).\n\nThe Checker Framework includes annotations for some libraries.  Those in\n.astub files use the MIT License.  Those in https://github.com/typetools/jdk\n(which appears in the annotated-jdk directory of file checker.jar) use the\nGPL2 license.\n\nSome external libraries that are included with the Checker Framework\ndistribution have different licenses.  Here are some examples.\n\n * JavaParser is dual licensed under the LGPL or the Apache license -- you\n   may use it under whichever one you want.  (The JavaParser source code\n   contains a file with the text of the GPL, but it is not clear why, since\n   JavaParser does not use the GPL.)  See\n   https://github.com/typetools/stubparser .\n\n * Annotation Tools (https://github.com/typetools/annotation-tools) uses\n   the MIT license.\n\n * Libraries in plume-lib (https://github.com/plume-lib/) are licensed\n   under the MIT License.\n\n===========================================================================\n
"
+ ],
+ "licenses": [
+ "MIT",
+ "GPL-2"
+ ]
+ },
+ {
+ "groupMatch": "com\\.google\\.j2objc",
+ "nameMatch": "j2objc-annotations",
+ "mappedName": "J2ODBC-Annotations",
+ "url": "https://github.com/google/j2objc",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "groupMatch": "org.vaadin.haijian",
+ "nameMatch": "exporter",
+ "mappedName": "Exporter",
+ "url": "https://github.com/haiwan/Exporter",
+ "attributionNotices": [
+ "
\nAll parts, except the contents of the documentation module, are licenced\nunder Apache License v2.0. See the license text below.\n\nThe documentation is licensed under Creative Commons CC-BY-ND 2.0\n(http://creativecommons.org/licenses/by-nd/2.0/legalcode).\n
"
+ ]
+ },
+ {
+ "groupMatch": "c3p0",
+ "nameMatch": "c3p0",
+ "mappedName": "C3p0",
+ "url": "https://sourceforge.net/projects/c3p0/files/"
+ },
+ {
+ "groupMatch": "com\\.github\\.jai-imageio",
+ "nameMatch": "jai-imageio-core",
+ "licenses": [
+ "BSD-3-Clause No Nuclear License"
+ ]
+ },
+ {
+ "groupMatch": "com\\.mchange",
+ "nameMatch": "c3p0",
+ "mappedName": "Mchange - C3p0",
+ "url": "https://github.com/swaldman/c3p0",
+ "attributionNotices": [
+ "
\n\nThis library is free software; you can redistribute it and/or modify\nit under the terms of EITHER:\n\n    1) The GNU Lesser General Public License (LGPL), version 2.1, as \n       published by the Free Software Foundation\n\nOR\n\n    2) The Eclipse Public License (EPL), version 1.0\n\nYou may choose which license to accept if you wish to redistribute\nor modify this work. You may offer derivatives of this work\nunder the license you have chosen, or you may provide the same\nchoice of license which you have been offered here.\n\nThis software is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\nYou should have received copies of both LGPL v2.1 and EPL v1.0\nalong with this software; see the files LICENSE-EPL and LICENSE-LGPL.\nIf not, the text of these licenses are currently available at\n\nLGPL v2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html\n EPL v1.0: http://www.eclipse.org/org/documents/epl-v10.php \n\n 
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.mchange",
+ "nameMatch": "mchange-commons-java",
+ "mappedName": "Mchange - mchange-commons-java",
+ "url": "https://github.com/swaldman/mchange-commons-java",
+ "attributionNotices": [
+ "
\n\nThis library is free software; you can redistribute it and/or modify\nit under the terms of EITHER:\n\n    1) The GNU Lesser General Public License (LGPL), version 2.1, as \n       published by the Free Software Foundation\n\nOR\n\n    2) The Eclipse Public License (EPL), version 1.0\n\nYou may choose which license to accept if you wish to redistribute\nor modify this work. You may offer derivatives of this work\nunder the license you have chosen, or you may provide the same\nchoice of license which you have been offered here.\n\nThis software is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\nYou should have received copies of both LGPL v2.1 and EPL v1.0\nalong with this software; see the files LICENSE-EPL and LICENSE-LGPL.\nIf not, the text of these licenses are currently available at\n\nLGPL v2.1: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html\n EPL v1.0: http://www.eclipse.org/org/documents/epl-v10.php \n\n 
"
+ ]
+ },
+ {
+ "groupMatch": "com\\.twelvemonkeys.*",
+ "mappedName": "TwelveMonkeys"
+ },
+ {
+ "groupMatch": "commons-codec",
+ "nameMatch": "commons-codec",
+ "mappedName": "Apache commons-codec",
+ "url": "https://github.com/apache/commons-codec"
+ },
+ {
+ "groupMatch": "commons-logging",
+ "nameMatch": "commons-logging",
+ "mappedName": "Apache commons-logging",
+ "url": "https://github.com/apache/commons-logging"
+ },
+ {
+ "groupMatch": "dom4j",
+ "nameMatch": "dom4j",
+ "mappedName": "Dom4j",
+ "url": "https://github.com/dom4j/dom4j",
+ "licenses": [
+ "DOM4j-License"
+ ]
+ },
+ {
+ "groupMatch": "javax\\.jmdns",
+ "nameMatch": "jmdns",
+ "mappedName": "JMDNS",
+ "url": "https://sourceforge.net/projects/jmdns/files/"
+ },
+ {
+ "groupMatch": "javax\\.json",
+ "nameMatch": "javax\\.json-api",
+ "mappedName": "Javax Json-API",
+ "url": "https://github.com/javaee/json-processing-spec",
+ "licenses": [
+ "CDDL-1.1"
+ ]
+ },
+ {
+ "groupMatch": "javax\\.servlet",
+ "nameMatch": "javax\\.servlet-api",
+ "mappedName": "Javax Servlet-API",
+ "url": "https://github.com/javaee/servlet-spec",
+ "licenses": [
+ "CDDL-1.1"
+ ]
+ },
+ {
+ "groupMatch": "net\\.jpountz\\.lz4",
+ "nameMatch": "lz4",
+ "mappedName": "Lz4",
+ "url": "https://github.com/lz4/lz4-java"
+ },
+ {
+ "groupMatch": "org\\.apache\\.cxf",
+ "nameMatch": "cxf-api",
+ "mappedName": "Apache CFX API",
+ "url": "https://github.com/apache/cxf.git"
+ },
+ {
+ "groupMatch": "org\\.apache\\.cxf",
+ "nameMatch": "cxf-rt-core",
+ "mappedName": "Apache CFX RT Core",
+ "url": "https://github.com/apache/cxf.git"
+ },
+ {
+ "groupMatch": "org\\.apache\\.cxf",
+ "mappedName": "Apache CFX Others",
+ "url": "https://github.com/apache/cxf.git"
+ },
+ {
+ "groupMatch": "org\\.apache\\.deltaspike.*",
+ "mappedName": "Apache Deltaspike",
+ "url": "https://git-wip-us.apache.org/repos/asf?p=deltaspike.git;a=tree;hb=cb0d4d07a2ae8604f84eb4acaab89f4bd0504e72"
+ },
+ {
+ "groupMatch": "org\\.apache\\.james",
+ "nameMatch":
"apache-mime4j",
+ "mappedName": "Apache mime4j",
+ "url": "https://github.com/apache/james-mime4j"
+ },
+ {
+ "groupMatch": "org\\.apache\\.geronimo\\.specs",
+ "nameMatch": "geronimo-javamail_1.4_spec",
+ "mappedName": "Apache Geronimo JavaMail 1.4",
+ "attributionNotices": [
+ "
\n#########################################################################\n## ADDITIONAL LICENSES                                                 ##\n#########################################################################\n\nThe XMLSchema.dtd included in this project was developed by the\nW3C Consortium (http://www.w3c.org/).\nUse of the source code, thus licensed, and the resultant binary are\nsubject to the terms and conditions of the following license.\n\nW3C¨ SOFTWARE NOTICE AND LICENSE\nCopyright © 1994-2002 World Wide Web Consortium, (Massachusetts Institute of\nTechnology, Institut National de Recherche en Informatique et en Automatique,\nKeio University). All Rights Reserved. http://www.w3.org/Consortium/Legal/\n\nThis W3C work (including software, documents, or other related items) is\nbeing provided by the copyright holders under the following license. By\nobtaining, using and/or copying this work, you (the licensee) agree that you\nhave read, understood, and will comply with the following terms and\nconditions:\n\nPermission to use, copy, modify, and distribute this software and its\ndocumentation, with or without modification,  for any purpose and without\nfee or royalty is hereby granted, provided that you include the following on\nALL copies of the software and documentation or portions thereof, including\nmodifications, that you make:\n\n   1. The full text of this NOTICE in a location viewable to users of the\n         redistributed or derivative work.\n   2. Any pre-existing intellectual property disclaimers, notices, or terms\n         and conditions. 
If none exist, a short notice of the following form\n         (hypertext is preferred, text is permitted) should be used within\n         the body of any redistributed or derivative code: "Copyright ©\n         [$date-of-software] World Wide Web Consortium, (Massachusetts Institute\n         of Technology, Institut National de Recherche en Informatique et en\n         Automatique, Keio University). All Rights Reserved.\n         http://www.w3.org/Consortium/Legal/"\n   3. Notice of any changes or modifications to the W3C files, including the\n         date changes were made. (We recommend you provide URIs to the location\n         from which the code is derived.)\n\nTHIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE\nNO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED\nTO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT\nTHE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS,\nCOPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.\n\nCOPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR\nCONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION.\n\nThe name and trademarks of copyright holders may NOT be used in advertising or\npublicity pertaining to the software without specific, written prior permission.\nTitle to copyright in this software and any associated documentation will at all\ntimes remain with copyright holders.\n 
"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.httpcomponents",
+ "nameMatch": "httpcore",
+ "mappedName": "Apache HttpComponents HttpCore",
+ "licenses": [
+ "Apache-2.0",
+ "MPL-2.0"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.httpcomponents",
+ "nameMatch": "httpclient",
+ "mappedName": "Apache HttpComponents HttpClient",
+ "licenses": [
+ "Apache-2.0",
+ "CC-BY-2.5"
+ ]
+ },
+ {
+ "groupMatch": "org\\.apache\\.tomcat",
+ "nameMatch": "tomcat-servlet-api",
+ "mappedName": "Tomcat Servlet API",
+ "licenses": [
+ "Apache-2.0",
+ "CDDL-1.0"
+ ]
+ },
+ {
+ "groupMatch": "org\\.eclipse\\.jetty",
+ "mappedName": "Eclipse Jetty"
+ },
+ {
+ "groupMatch": "org\\.eclipse\\.jetty\\.http2",
+ "mappedName": "Eclipse Jetty HTTP/2"
+ },
+ {
+ "groupMatch": "org\\.eclipse\\.jetty\\.websocket",
+ "mappedName": "Eclipse Jetty Websocket"
+ },
+ {
+ "groupMatch": "xml-resolver",
+ "nameMatch": "xml-resolver",
+ "mappedName": "Xerces XML-Resolver",
+ "url": "https://xerces.apache.org/xml-commons/components/resolver/"
+ },
+ {
+ "nameMatch": "relaxngDatatype",
+ "licenses": [
+ "BSD-3-Clause"
+ ]
+ },
+ {
+ "groupMatch": "jaxen",
+ "nameMatch": "jaxen",
+ "mappedName": "Jaxen",
+ "url": "https://github.com/jaxen-xpath/jaxen",
+ "licenses": [
+ "BSD-3-Clause"
+ ]
+ },
+ {
+ "groupMatch": "org\\.jboss\\.spec\\.javax\\.interceptor",
+ "nameMatch": "jboss-interceptors-api_1.1_spec",
+ "mappedName": "JavaX Interceptor API",
+ "url": "https://github.com/jboss/jboss-interceptors-api_spec",
+ "licenses":[
+ "GPL-2.0-with-classpath-exception",
+ "CDDL-1.0"
+ ]
+ },
+ {
+ "nameMatch": "corretto8",
+ "mappedName": "Amazon Coretto 8",
+ "url": "https://github.com/corretto/corretto-8",
+ "licenses":[
+ "GPL-2.0-with-classpath-exception"
+ ]
+ },
+ {
+ "groupMatch": "org\\.wildfly\\.security\\.*",
+ "mappedName": "Wildfly Security",
+ "url": "https://github.com/wildfly-security/wildfly-elytron"
+ },
+ {
+ "nameMatch": "wildfly-dist",
+ "mappedName": "Wildfly",
+ "url":
"https://github.com/wildfly/wildfly",
+ "licenses":[
+ "GPL-2.1"
+ ]
+ },
+ {
+ "nameMatch": "wildfly-galleon-pack",
+ "mappedName": "Wildfly",
+ "url": "https://github.com/wildfly/wildfly"
+ },
+ {
+ "groupMatch": "io\\.netty\\.*",
+ "mappedName": "Netty"
+ },
+ {
+ "groupMatch": "org\\.infinispan.*",
+ "mappedName": "Infinispan"
+ },
+ {
+ "nameMatch": "okhttp",
+ "mappedName": "OkHttp",
+ "url": "https://github.com/square/okhttp/"
+ },
+ {
+ "nameMatch": "okio",
+ "mappedName": "OkIo",
+ "url": "https://github.com/square/okio/"
+ },
+ {
+ "nameMatch": "JConnect",
+ "mappedName": "JConnect",
+ "url" : "https://help.sap.com/docs/SAP_ASE_SDK/e12c539de04b44a0bb17a545a148361c/b03e2db6bbf910148fc6bbe092513290.html?locale=en-US&version=16.0.4.3"
+ },
+ {
+ "groupMatch": "org\\.rocksdb\\.*",
+ "mappedName": "Rocks DB"
+ },
+ {
+ "nameMatch": "jboss-logging",
+ "mappedName": "JBoss Logging"
+ },
+ {
+ "nameMatch": "jboss-marshalling-osgi",
+ "mappedName": "JBoss Marshalling OSGI"
+ },
+ {
+ "nameMatch": "resteasy-jboss-modules",
+ "mappedName": "Resteasy JBoss Modules",
+ "url": "https://github.com/resteasy/resteasy",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "httpd",
+ "mappedName": "Apache httpd",
+ "url": "https://github.com/apache/httpd",
+ "attributionNotices": [
+ "
Apache HTTP Server\nCopyright 2021 The Apache Software Foundation.\n\nThis product includes software developed at\nThe Apache Software Foundation (https://www.apache.org/).\n\nPortions of this software were developed at the National Center\nfor Supercomputing Applications (NCSA) at the University of\nIllinois at Urbana-Champaign.\n\nThis software contains code derived from the RSA Data Security\nInc. MD5 Message-Digest Algorithm, including various\nmodifications by Spyglass Inc., Carnegie Mellon University, and\nBell Communications Research, Inc (Bellcore).\n\nThis software contains code derived from the PCRE library pcreposix.c\nsource code, written by Philip Hazel, Copyright 1997-2004\nby the University of Cambridge, England.\n
"
+ ],
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "vcredist",
+ "mappedName": "vcredist",
+ "url": "https://learn.microsoft.com/en-US/cpp/windows/latest-supported-vc-redist?view=msvc-160",
+ "licenses": [
+ "Microsoft VC++ Redistributable"
+ ]
+ },
+ {
+ "nameMatch": "postgresql",
+ "mappedName": "PostgreSQL",
+ "url": "https://github.com/postgres/postgres",
+ "licenses": [
+ "PostgreSQL"
+ ]
+ },
+ {
+ "nameMatch": "medavis-yajsw",
+ "mappedName": "Yet Another Java Service Wrapper",
+ "url": "https://yajsw.sourceforge.io",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "nameMatch": "xstream",
+ "mappedName": "XStream",
+ "licenses": [
+ "BSD-3-Clause"
+ ]
+ },
+ {
+ "nameMatch": "ical4j",
+ "mappedName": "iCal4j",
+ "url":"https://github.com/ical4j/ical4j",
+ "licenses": [
+ "BSD-3-Clause"
+ ]
+ },
+ {
+ "groupMatch": "org\\.ow2\\.asm",
+ "mappedName": "OW2 ASM"
+ },
+ {
+ "groupMatch": "org\\.jdom",
+ "nameMatch": "jdom2",
+ "licenses": [
+ "Apache-1.0-JDOM"
+ ]
+ },
+ {
+ "purlMatch": "pkg:maven\\/us\\.springett\\/alpine-common@2\\.2\\.5\\?type=jar",
+ "licenses": [
+ "Apache-2.0"
+ ]
+ },
+ {
+ "purlMatch": "pkg:maven\\/com\\.pixelmed\\/any-lib@1\\.2\\.3\\.4\\?type=jar",
+ "licenses": [
+ "BSD-2-Clause"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 4402a13..a28e951 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,7 +1,5 @@ - + 4.0.0
@@ -39,7 +37,7 @@ 3.26.3 - 9.0.3 + 9.0.5 1.11.2 2.3.32 33.3.1-jre
@@ -65,6 +63,18 @@ org.cyclonedx cyclonedx-core-java ${cyclonedx.version} + + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml + + + + + com.fasterxml.jackson.dataformat + jackson-dataformat-yaml + 2.17.0