Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• Reciprocal Public License 1.1

• Reciprocal Public License 1.5

• Red Hat eCos Public License v1.1

• SGI Free Software License B v1.0

• SGI Free Software License B v1.1

• SGI Free Software License B v2.0

• SHL-2.0

• SHL-2.1

• SWI-exception

• Swift-exception

• Universal-FOSS-exception-1.0

• vsftpd-openssl-exception

• Autoconf-exception-generic

• Autoconf-exception-macro

• Asterisk-exception

• cryptsetup-OpenSSL-exception

• LLGPL

• OCaml-LGPL-linking-exception

• PS-or-PDF-font-exception-20170817

• QPL-1.0-INRIA-2004-exception

• GNAT-exception

• x11vnc-openssl-exception

• Qt-GPL-exception-1.0

• Qt-LGPL-exception-1.1

Collector Status

Name	Date of Last Successful Run
npm	8/15/2023
crates	8/25/2022
cpan	10/19/2023
clojars	10/19/2023
rubygems	10/19/2023
maven-google	10/13/2023
cran	10/21/2023
hackage	10/22/2023
packagist	10/22/2023
go	10/23/2023
pypi	10/16/2023
nuget gallery	10/15/2023
maven2-ibiblio	9/27/2023
github	10/23/2023
fedora-koji	10/20/2023
alpine	10/18/2023
gitlab	6/6/2023
debian	10/23/2023

Changes in Mini Update Released on 13-October-2023

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-50859	Addition of vulnerabilities "CVE-2023-38545" and "CVE-2023-38546" to curl/libcurl and related components

Updates to Curl and Libcurl Components

Added vulnerability information to the following Curl/Libcurl components:

Component ID	Component Name	URL
372	curl	https://sourceforge.net/projects/curl
63745	libcurl	https://directory.fsf.org/wiki?title=Libcurl&oldid=416
5400074	libcurl	http://curl.haxx.se/
5406656	curl	http://curl.haxx.se/
7466892	curl	http://curl.haxx.se
12395199	curl-curl	https://github.com/curl/curl
12960352	curl	https://directory.fsf.org/wiki?title=Curl&oldid=17934
27213212	curl	https://koji.fedoraproject.org/koji/packageinfo?packageID=curl
29960949	libcurl	https://pkgs.alpinelinux.org/package/v3.18/main/x86_64/libcurl
29968624	curl	https://pkgs.alpinelinux.org/package/v3.18/main/x86_64/curl
30362751	curl	https://tracker.debian.org/pkg/curl
22012687	pycurl	https://pypi.org/pypi/pycurl
4595372	pycurl-pycurl	https://github.com/pycurl/pycurl
8180	pycurl	https://sourceforge.net/projects/pycurl
21868341	pycurl	https://directory.fsf.org/wiki?title=PycURL&oldid=2278
3518205	curl	https://www.nuget.org/packages/curl
22329315	curl-vc140-static-32_64	https://www.nuget.org/packages/curl-vc140-static-32_64

 

Related to vulnerability CVEs:

1. CVE - 2023-38545 (https://nvd.nist.gov/vuln/detail/CVE-2023-38545)
2. CVE - 2023-38546 (https://nvd.nist.gov/vuln/detail/CVE-2023-38546)

Issue ID	Issue Summary
SCA-50859	Addition of vulnerabilities "CVE-2023-38545" and "CVE-2023-38546" to curl/libcurl and related components

Changes in Update Released on 14-September-2023

This update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-49924	Enhanced the SPDX collector to collect license exceptions from spdx.org and add to our data library.
SCA-49081, SCA-49078	Added License detection capability and license evidence mechanism (licenses mentioned below)
SCA-48734	Updated version for Npm component content-type (https://www.npmjs.com/package/content-type) and license information for nuget component castle.core (https://www.nuget.org/packages/Castle.Core)

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• i2p-gpl-java-exception
• u-boot-exception-2.0
• Qwt-exception-1.0
• Linux-syscall-note
• LLVM-exception
• LZMA-exception
• mif-exception
• OCCT-exception-1.0
• OpenJDK-assembly-exception-1.0
• openvpn-openssl-exception
• WxWindows-exception-3.1
• DigiRule-FOSS-exception
• eCos-exception-2.0
• Fawkes-Runtime-exception
• FLTK-exception<
• Font-exception-2.0
• freertos-exception-2.0
• GCC-exception-2.0
• GCC-exception-3.1
• gnu-javamail-exception
• Libtool Exception
• GPL-3.0-interface-exception
• GPL-3.0-linking-exception
• GPL-3.0-linking-source-exception
• GPL-CC-1.0
• GStreamer-exception-2005
• GStreamer-exception-2008
• KiCad-libraries-exception
• LGPL-3.0-linking-exception
• libpri-OpenH323-exception
• SHL-2.0
• SHL-2.1
• SWI-exception
• Swift-exception
• Universal-FOSS-exception-1.0
• vsftpd-openssl-exception
• Autoconf-exception-generic
• Autoconf-exception-macro
• Asterisk-exception
• cryptsetup-OpenSSL-exception

Collector Status

Name	Date of Last Successful Run
npm	8/15/2023
crates	8/25/2022
cpan	9/07/2023
clojars	9/07/2023
rubygems	9/07/2023
maven-google	9/08/2023
cran	9/09/2023
hackage	9/10/2023
packagist	9/10/2023
go	9/11/2023
pypi	9/11/2023
nuget gallery	9/07/2023
maven2-ibiblio	8/30/2023
github	8/25/2023
fedora-koji	9/11/2023
alpine	9/13/2023
gitlab	6/6/2023
debian	9/11/2023

Changes in Update Released on 10-August-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-49244	Detection of OpenSC component.
SCA-49077, SCA-49076, SCA-49074, SCA-49072	Added License detection capability and license evidence mechanism.
SCA-48974	Alpine Zlib Missing Vulnerability

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• AdaCore-doc

• Bitstream-Charter

• Brian-Gladman-3-Clause

• BSD-4.3RENO

• BSD-4.3TAHOE

• CFITSIO

• checkmk

• CMU-Mach

• Cornell-Lossless-JPEG

• DRL-1.0

• FSFULLRWD

• Graphics-Gems

• HPND-Markus-Kuhn

• HPND-export-US

• IEC-Code-Components-EULA

• IJG-short

• JPL-image

• Kazlib

• Knuth-CTAN

• libutil-David-Nugent

• Linux-syscall-note

• snprintf

• Symlinks

• TPDL

• TTWL

• w3m

• xlock

• Loop

• Martin-Birgmeier

• Minpack

• MIT-Wu

• mpi-permissive

• NICTA-1.0

• OFFIS

• 389-exception

• Autoconf-exception-2.0

• Autoconf-exception-3.0

• Bison-exception-2.2

• Bootloader-exception

• Classpath-exception-2.0

• CLISP-exception-2.0

New Component Detection Rules

• OpenSC

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• Zlib (Alpine)

Collector Status

Name	Date of Last Successful Run
npm	8/7/2023
crates	8/25/2022
cpan	8/3/2023
clojars	8/3/2023
rubygems	8/3/2023
maven-google	8/4/2023
cran	8/5/2023
hackage	8/6/2023
packagist	8/6/2023
go	8/7/2023
pypi	7/31/2023
nuget gallery	8/1/2023
maven2-ibiblio	6/14/2023
github	7/14/2023
fedora-koji	8/8/2023
alpine	8/2/2023
gitlab	6/6/2023
debian	8/7/2023

Changes in Update Released on 23-June-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44211	Enhancements for License text extraction to improve the Third Party Notices text reports
SCA-48496	Fixed the false positive vulnerability CVE-2017-15288 for scala-java8-compat_2.12
SCA-48430	Updated vulnerability information for 7-zip component
SCA-44156	License cleanup for Bitstream license in our data library

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• Apache-2.0
• Apache-1.0
• Nethack General Public License
• Netizen Open Source License
• Nokia Open Source License
• Non-Profit Open Software License 3.0
• OCLC Research Public License 2.0
• Open Data Commons Open Database License v1.0
• Open Data Commons Public Domain Dedication & License 1.0
• Open Group Test Suite License
• Open Public License v1.0
• OpenSSL License

New Component Detection Rules

• Lua
• Linux Kernel

Collector Status

Name	Date of Last Successful Run
npm	6/19/2023
crates	8/25/2022
cpan	6/22/2023
clojars	6/15/2023
rubygems	6/15/2023
maven-google	6/15/2023
cran	6/17/2023
hackage	6/18/2023
packagist	6/18/2023
go	6/21/2023
pypi	2/13/2023
nuget gallery	6/1/2023
maven2-ibiblio	6/14/2023
github	6/3/2023
fedora-koji	6/21/2023
alpine	6/21/2023
gitlab	6/6/2023
debian	6/19/2023

Changes in Update Released on 31-May-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-41334	Addition of Debian Packages Collection to our list of forge collections
SCA-47928	Extracting License Text from .py files
SCA-46100	Adding the missing priority to licenses and updating the incorrect ones in data library
SCA-47100	Updated vulnerabilities and versiosn for openssh component

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• libpng License

• Lucent Public License Version 1.0

• Lucent Public License v1.02

• Microsoft Public License

• Microsoft Reciprocal License

• The MirOS Licence

• Motosoto License

• Eurosym License

• Fair License

• Frameworx Open License 1.0

• FreeBSD Documentation License

• Freetype Project License

• gSOAP Public License v1.3b

• Historical Permission Notice and Disclaimer

• IBM Public License v1.0

• iMatix Standard Function Library Agreement

• Imlib2 License

Collector Status

Name	Date of Last Successful Run
npm	1/31/2023
crates	8/25/2022
cpan	5/25/2023
clojars	5/25/2023
rubygems	5/25/2023
maven-google	5/26/2023
cran	5/27/2023
hackage	5/28/2023
packagist	5/28/2023
go	5/29/2023
pypi	2/13/2023
nuget gallery	4/6/2023
maven2-ibiblio	1/18/2023
github	5/29/2023
fedora-koji	5/25/2023
alpine	5/4/2023
gitlab	5/30/2023
debian	5/4/2023

Changes in Update Released on 04-May-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-47510	Enhancement to Nuget Collector to extract Notices Text from .cpp and .h files.
SCA-47790	Updated license mappings, license evidence and license detection capabilities for iText Commercial License related to the component itext7.

Collector Status

Name	Date of Last Successful Run
npm	1/31/2023
crates	8/25/2022
cpan	4/6/2023
clojars	2/9/2023
rubygems	4/6/2023
maven-google	4/7/2023
cran	4/8/2023
hackage	4/9/2023
packagist	2/13/2023
go	4/10/2023
pypi	2/13/2023
nuget gallery	4/6/2023
maven2-ibiblio	1/18/2023
github	2/14/2023
fedora-koji	2/13/2023
alpine	4/5/2023
gitlab	11/19/2022

Changes in Update Released on 17-April-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44500	Integration of PURL to collector - Github
SCA-46813	Enhancement to Npmjs to extract Notices Text from .mkd file.
SCA-47062	Updated vulnerabilities for the component Xstream 1.4.19.
SCA-47493	Fixed the false positive license evidences related to Baekmuk License

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• Clarified Artistic License
• Code Project Open License 1.02
• Common Development and Distribution License 1.0
• Common Development and Distribution License 1.1
• Common Public Attribution License 1.0
• Common Public License 1.0
• Computer Associates Trusted Open Source License 1.1
• Condor Public License v1.1
• LaTeX Project Public License v1.0
• LaTeX Project Public License v1.1
• LaTeX Project Public License v1.2
• LaTeX Project Public License v1.3a
• LaTeX Project Public License v1.3c

New/Update Component Requests

• microsoft-sql-server-2017-reporting-services
• microsoft-sql-server-2019-reporting-services
• microsoft-sql-server-2022-reporting-services
• Windows 10 SDK

Collector Status

Name	Date of Last Successful Run
crates	8/25/2022
gitlab	11/19/2022
maven2-ibiblio	01/10/2022
go	04/10/2023
cpan	04/06/2023
fedora-koji	02/13/2023
clojars	02/09/2023
rubygems	04/06/2023
maven-google	04/07/2023
cran	04/08/2023
hackage	04/09/2023
packagist	02/05/2023
npm	1/31/2023
nuget gallery	04/06/2023
alpine	04/05/2023
pypi	02/13/2023
github	02/14/2023

Changes in Update Released on 24-March-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44498, SCA-44503, SCA-45457	Integration of PURL to Alpine, Rubygems, Go in the data library
SCA-46214	Generic Mapper is an addition to our vulnerability mappers . This is an enhancement to the existing NPMJS mapper to include Maven and Packagist and make it a generic one.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• 3dfx Glide License
• Academic Free License v1.1
• Academic Free License v1.2
• Academic Free License v2.0
• Academic Free License v2.1
• Academic Free License v3.0
• Adaptive Public License 1.0
• Adobe Systems Incorporated Source Code License Agreement
• Giftware License
• Adobe Glyph List License
• Apple Public Source License 1.0
• Apple Public Source License 1.1
• Apple Public Source License 1.2
• Apple Public Source License 2.0
• Artistic License 1.0
• Artistic License 2.0
• Beerware License
• eCos license version 2.0
• Educational Community License v1.0
• Educational Community License v2.0
• Educational Community License v2.0
• Attribution Assurance License
• Apache License 1.0
• Apache License 1.1
• Apache License 2.0
• Eiffel Forum License v1.0
• Eiffel Forum License v2.0
• Amazon Digital Services License
• ANTLR Software Rights Notice
• ANTLR Software Rights Notice with license fallback
• Adobe Postscript AFM License

Collector Status

Name	Date of Last Successful Run
npm	1/31/2023
crates	8/25/2022
cpan	3/23/2023
clojars	2/9/2023
rubygems	3/23/2023
maven-google	2/10/2023
cran	3/18/2023
hackage	2/12/2023
packagist	2/5/2023
go	3/24/2023
pypi	2/13/2023
nuget gallery	3/16/2023
maven2-ibiblio	1/18/2023
github	2/14/2023
fedora-koji	2/13/2023
alpine	3/22/2023
gitlab	11/19/2022

Changes in Update Released on 10-March-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44820	NPM Notices Text: Fixing the Missing release_license_text mappings for Npm components
SCA-46203, SCA-44502	Integration of PURL to the collectors Npmjs and Nuget
SCA-47061	Addition of cocoapods forge to our data library
SCA-46161, SCA-46144, SCA-42593, SCA-46477	Fixed false positive vulnerabilities for components like android-json, prometheus_client 0.15.0, jqueryui, Microsoft Reportviewer and Microsoft vcruntime etc.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• Sendmail
• SISSL
• SISSL-1.2
• SMLNJ
• SMPPL
• SNIA
• Spencer-86
• Spencer-94
• Spencer-99
• TCL
• TCP-wrappers
• TORQUE-1.1
• TOSL
• u-boot-exception-2.0
• Unicode-DFS-2015
• Unicode-DFS-2016
• Unicode-TOU
• UPL-1.0
• VOSTROM
• W3C-20150513
• W3C-19980720
• Wsuipa
• WTFPL
• X11
• Xerox
• Xpp
• XSkat
• Zed
• Zimbra-1.4
• Zimbra-1.3
• zlib-acknowledgement
• zlib
• UCL-1.0
• SSPL-1.0
• SHL-0.5
• SHL-0.51
• Sendmail-8.23
• PSF-2.0
• TAPR-OHL-1.0
• PolyForm-Small-Business-1.0.0
• PolyForm-Noncommercial-1.0.0
• Parity-7.0.0
• Parity-6.0.0
• OGL-UK-1.0
• OGL-UK-2.0
• OGL-UK-3.0
• OGL-Canada-2.0
• OGDL-Taiwan-1.0
• TU-Berlin-1.0
• TU-Berlin-2.0
• SSH-OpenSSH
• SSH-short

Collector Status

Name	Date of Last Successful Run
npm	1/31/2023
crates	8/25/2022
cpan	2/9/2023
clojars	2/9/2023
rubygems	2/10/2023
maven-google	2/10/2023
cran	2/11/2023
hackage	2/12/2023
packagist	2/13/2023
go	2/14/2023
pypi	2/15/2023
nuget gallery	2/15/2023
maven2-ibiblio	1/18/2023
github	2/15/2023
fedora-koji	2/15/2023
alpine	2/15/2023
gitlab	11/19/2022

Changes in Update Released on 24-February-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-46545	Update License URL of OpenPBS License v2.3 in the data library
SCA-44499	Integration of Purl to Cran collector

Collector Status

Name	Date of Last Successful Run
gitlab	11/19/2022
npm	1/31/2023
crates	8/25/2022
cpan	2/9/2023
clojars	2/9/2023
rubygems	2/10/2023
maven-google	2/10/2023
cran	2/11/2023
hackage	2/12/2023
packagist	2/13/2023
go	2/14/2023
alpine	2/15/2023
fedora-koji	2/15/2023
pypi	2/15/2023
github	2/15/2023
nuget gallery	2/15/2023
maven2-ibiblio	1/18/2023

Changes in Update Released on 20-February-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to OpenSSL Component

Added vulnerability information to the following openSSL components:

• openssl(id: 58316) - https://www.openssl.org
• openssl-openssl (id: 416271) - https://github.com/openssl/openssl
• openssl (id: 27181269) - https://koji.fedoraproject.org/koji/packageinfo?packageID=openssl

Related to Vulnerability CVEs:

• CVE-2023-0286 (https://nvd.nist.gov/vuln/detail/CVE-2023-0286)
• CVE-2022-4304 (https://nvd.nist.gov/vuln/detail/CVE-2022-4304)
• CVE-2023-0215 (https://nvd.nist.gov/vuln/detail/CVE-2023-0215)
• CVE-2022-4450 (https://nvd.nist.gov/vuln/detail/CVE-2022-4450)
• CVE-2023-0216 (https://nvd.nist.gov/vuln/detail/CVE-2023-0216)
• CVE-2023-0217 (https://nvd.nist.gov/vuln/detail/CVE-2023-0217)
• CVE-2023-0401 (https://nvd.nist.gov/vuln/detail/CVE-2023-0401)

 

Issue ID	Issue Summary
SCA-45980	Review and add the license priority for "commercial license" in licenses table

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• PostgreSQL
• psfrag
• psutils
• Qhull
• QPL-1.0
• Rdisc
• RSA-MD
• Saxpath
• SCEA

New/Update Component Requests

• krig-parallax
• inuitcss-generic.normalize

Collector Status

Name	Date of Last Successful Run
gitlab	11/19/2022
maven2-ibiblio	1/18/2023
alpine	2/8/2023
npm	1/31/2023
crates	8/25/2022
cpan	2/9/2023
clojars	2/9/2023
rubygems	2/10/2023
maven-google	2/10/2023
cran	2/11/2023
hackage	2/12/2023
fedora-koji	2/12/2023
packagist	2/13/2023
go	2/14/2023
pypi	2/15/2023
github	2/15/2023
nuget gallery	2/15/2023

Changes in Update Released on 30-January-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-45333	SPDX Collector: Populate license_attribute values for all the licenses

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• NetCDF
• Newsletr
• NLOD-1.0
• NLOD-2.0
• NLPL
• OLDAP-1.1
• OLDAP-1.2
• OLDAP-1.3
• OLDAP-1.4
• OLDAP-2.0
• OLDAP-2.0.1
• OLDAP-2.1
• OLDAP-2.2
• OLDAP-2.2.1
• OLDAP-2.2.2
• OLDAP-2.4
• OLDAP-2.5
• OLDAP-2.6
• OLDAP-2.7

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• Tcexam

Collector Status

Name	Date of Last Successful Run
crates	8/25/2022
gitlab	11/19/2022
maven2-ibiblio	1/18/2023
go	1/23/2023
cpan	1/19/2023
fedora-koji	1/23/2023
clojars	1/19/2023
rubygems	1/20/2023
maven-google	1/20/2023
cran	1/21/2023
hackage	1/22/2023
packagist	1/23/2023
npm	1/23/2023
nuget gallery	1/18/2023
alpine	1/18/2023
pypi	1/18/2023
github	1/23/2023

Changes in Update Released on 12-January-2023

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-45214	Fixed missing vulnerability issue for component dom4j
SCA-44820	Fixed the missing release_license_text mappings for Npm components

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• MITNFA
• mpich2
• MTLL
• Mup
• NBPL-1.0
• OSET-PL-2.1
• Plexus
• Artistic-1.0
• Artistic-1.0-cl8
• Artistic-1.0-Perl
• Artistic-2.0
• Noweb
• NRL
• Nunit
• OCCT-PL
• OML

New/Update Component Requests

• Microsoft Capicom
• Microsoft Enterprise Library 5
• Microsoft .NET Framework

Collector Status

Name	Date of Last Successful Run
crates	8/25/2022
gitlab	11/19/2022
maven2-ibiblio	12/22/2022
go	1/4/2023
cpan	1/5/2023
fedora-koji	1/5/2023
clojars	1/5/2023
rubygems	1/6/2023
maven-google	1/6/2023
cran	1/7/2023
hackage	1/8/2023
packagist	1/9/2023
npm	1/10/2023
nuget gallery	1/10/2023
alpine	1/11/2023
pypi	1/11/2023
github	1/11/2023

Changes in Update Released on 22-December-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44946	Nuget version level licenses - Support for new licenses
SCA-44702	Update the Component versions for nvuillam-npm-groovy-lint

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• Leptonica

• LGPLLR

• libtiff

• LiLiQ-P-1.1

• LiLiQ-Rplus-1.1

• LiLiQ-R-1.1

• MakeIndex

• Net-SNMP

Collector Status

Name	Date of Last Successful Run
crates	8/25/2022
gitlab	11/19/2022
cpan	12/15/2022
clojars	12/15/2022
rubygems	12/16/2022
maven-google	12/16/2022
cran	12/17/2022
hackage	12/18/2022
packagist	12/19/2022
alpine	12/21/2022
fedora-koji	12/21/2022
npm	12/21/2022
pypi	12/21/2022
nuget gallery	12/21/2022
go	12/22/2022
github	12/22/2022
maven2-ibiblio	12/22/2022

Changes in Update Released on 08-December-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44052	Added Spice Software License and detection rules.
SCA-43599	Nuget Collector: Enhancement to collect version level licenses.
SCA-44396	Invalid URL's in the description for some of the components.
SCA-44439	Alpine Collector Enhancements - Version Level Date Enhancements.
SCA-44438	Alpine Collector Enhancements - RepoURL Enhancements.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• ICU
• ImageMagick
• Intel-ACPI
• Interbase-1.0
• JasPer-2.0
• LAL-1.2
• LAL-1.3
• GL2PS
• Glulxe
• Gnuplot
• FSFUL
• HaskellReport
• IBM-pibs
• Latex2e

New/Update Component Requests

• None

Collector Status

Name	Date of Last Successful Run
crates	8/25/2022
npm	12/08/2022
pypi	10/18/2022
alpine	11/30/2022
gitlab	11/19/2022
cpan	12/08/2022
rubygems	12/08/2022
clojars	12/08/2022
github	12/07/2022
maven-google	12/02/2022
fedora-koji	12/07/2022
cran	12/03/2022
nuget gallery	12/01/2022
hackage	12/04/2022
packagist	12/04/2022
go	12/07/2022
maven2-ibiblio	11/28/2022

Changes in Update Released on 29-November-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44021	Addition of Go vulnerability mapper to the list of our automated vulnerability mappers
SCA-44283	Added the license Microsoft .Net Compiler Platform Redistributable Packages Preview to the data library
SCA-44290	Updated the invalid urls of few Go forge components like Alamofire/AlamofireImage, BoltsFramework/Bolts-Swift and bitstadium/hockeykit.
SCA-44376	Updating license information for the components jquery (id: 3526090)
SCA-44397, SCA-43635	Fixed false positive vulnerability for the components like system.threading.tasks nuget package and MySQL NPM module.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• Qt-GPL-exception-1.0.txt

• SchemeReport.txt

• SWL.txt

• Universal-FOSS-exception-1.0.txt

• X11-distribute-modifications-variant.txt

• XSkat.txt

• CECILL-1.0

• CECILL-1.1

• CECILL-2.0

• CECILL-2.1

• CECILL-B

• CECILL-C

• MPL-1.0

• MPL-1.1

• MPL-2.0

• MPL-2.0-no-copyleft-exception

• NPL-1.0

• NPL-1.1

• MIT License

• MIT-open-group

• X11

• X11-distribute-modifications-variant

• XSkat

• SWL

• SchemeReport

New/Update Component Requests

• XIPH Flac
• XORG XServer

Collector Status

Name	Date of Last Successful Run
crates	8/25/2022
npm	10/11/2022
pypi	10/18/2022
alpine	11/8/2022
gitlab	11/19/2022
cpan	11/24/2022
rubygems	11/24/2022
clojars	11/24/2022
github	11/24/2022
maven-google	11/25/2022
fedora-koji	11/26/2022
cran	11/26/2022
nuget gallery	11/26/2022
hackage	11/27/2022
packagist	11/28/2022
go	11/28/2022
maven2-ibiblio	11/28/2022

Changes in Update Released on 11-November-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-44237	Addition of missing vulnerabilities for junit(componentId: 437385)
SCA-44183	Addition of missing vulnerabilities for xercesimpl and spring-data-mongodb
SCA-44075	Update license text for the license Microsoft .NET Library License
SCA-44065	Fixing license evidences for net-tools component
SCA-41333	Addition of Alpine forge to list of our forge data collection

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• mplus.txt

• MulanPSL-1.0.txt

• MulanPSL-2.0.txt

• NAIST-2003.txt

• NCGL-UK-2.0.txt

• NIST-PD-fallback.txt

• NIST-PD.txt

• NTP-0.txt

• O-UDA-1.0.txt

• ODC-By-1.0.txt

• OpenJDK-assembly-exception-1.0.txt

• OPUBL-1.0.txt

• MIT-0

• MIT-CMU

• MIT-enna

• MIT-feh

• MIT-Modern-Variant.txt

• MIT-open-group.txt

New/Update Component Requests

• Google Play Services Android
• android-support-library-v13
• TrafficWatcher
• ata-project
• Telerik UI for ASP.NET MVC Components
• Microsoft.Data.SqlClient.SNI.runtime
• microsoft.aspnet.webapi.tracing
• Microsoft SQL Server Compact 3.5 Service Pack 2

Collector Status

Name	Date of Last Successful Run
alpine	11/8/2022
crates	8/25/2022
npm	10/11/2022
pypi	10/18/2022
cran	10/22/2022
maven2-ibiblio	10/27/2022
clojars	11/3/2022
rubygems	11/3/2022
maven-google	11/4/2022
cpan	11/4/2022
nuget gallery	11/5/2022
hackage	11/6/2022
packagist	11/7/2022
go	11/9/2022
github	11/9/2022
gitlab	11/9/2022
fedora-koji	11/10/2022

Changes in Mini Update Released on 02-November-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to OpenSSL Component

Added vulnerability information to the following openSSL components:

• openssl(id: 58316) - https://www.openssl.org
• openssl-openssl (id: 416271) - https://github.com/openssl/openssl
• openssl (id: 27181269) - https://koji.fedoraproject.org/koji/packageinfo?packageID=openssl

Related to vulnerability CVEs:

1. CVE - 2022-3786 (https://nvd.nist.gov/vuln/detail/CVE-2022-3786 )
2. CVE - 2022-3602 (https://nvd.nist.gov/vuln/detail/CVE-2022-3602 )

 

Issue ID	Issue Summary
SCA-44311	Addition of new vulnerabilities related to OpenSSL component

Changes in Mini Update Released on 21-October-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to Apache Commons Text Component

Added vulnerability information to the apache-commons-text component (https://github.com/apache/commons-text ) related to vulnerability cve

1. CVE-2022-42889 (https://nvd.nist.gov/vuln/detail/CVE-2022-42889 )

Issue ID	Issue Summary
SCA-44223	Mapping new vulnerability CVE-2022-42889 to the component apache-commons-text

Changes in Update Released on 18-October-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-43662	Addition of latest versions for the component Akka
SCA-43253	Fixing the version information for the component https://github.com/Sequel-Ace/Sequel-Ace.
SCA-42544	Fixing false positive vulnerabilities for the component jquery UI

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• CERN-OHL-1.1.txt

• CERN-OHL-1.2.txt

• CERN-OHL-P-2.0.txt

• CERN-OHL-S-2.0.txt

• CERN-OHL-W-2.0.txt

• CC-BY-3.0-AT.txt

• CC-BY-3.0-DE.txt

• CC-BY-3.0-NL.txt

• CC-BY-NC-3.0-DE.txt

• CC-BY-NC-ND-3.0-DE.txt

• CC-BY-NC-SA-2.0-FR.txt

• CC-BY-NC-SA-3.0-DE.txt

• CC-BY-ND-3.0-DE.txt

• CC-BY-SA-2.1-JP.txt

• CC-BY-SA-3.0-AT.txt

• CC-BY-SA-3.0-DE.txt

• CDLA-Permissive-2.0.txt

• COIL-1.0.txt

• DL-DE-BY-2.0.txt

• FDK-AAC.txt

• Jam.txt

• Linux-man-pages-copyleft.txt

• KiCad-libraries-exception.txt

New/Update Component Requests

• zyantific/zycore-c

New Component Detection Rules

• aide/aide

Collector Status

Name	Date of Last Successful Run
gitlab	8/5/2022
crates	8/25/2022
hackage	10/9/2022
maven2-ibiblio	10/10/2022
npm	10/11/2022
pypi	10/12/2022
clojars	10/13/2022
cpan	10/13/2022
rubygems	10/13/2022
maven-google	10/14/2022
fedora-koji	10/14/2022
cran	10/15/2022
go	10/17/2022
github	10/17/2022
nuget gallery	10/17/2022
packagist	10/17/2022

Changes in Update Released on 23-September-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-43521	Fixed false positives in license detection and license evidence mechanism for licenses like 0BSD, ISC and MIT.
SCA-42852	Updated version information for NPMJS components like @aws-sdk/client-dynamodb and @aws-sdk/client-dynamodb-streams

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• atomic
• crypto-utils
• fedmsg
• fedora-arm-installer
• python-fedora
• sectool
• coolkey
• sssd
• anaconda
• newsx
• rpmdevtools
• cronie

Collector Status

Name	Date of Last Successful Run
gitlab	8/5/2022
crates	8/25/2022
clojars	9/15/2022
maven2-ibiblio	9/15/2022
cpan	9/15/2022
rubygems	9/15/2022
maven-google	9/16/2022
cran	9/17/2022
nuget gallery	9/18/2022
hackage	9/18/2022
packagist	9/18/2022
npm	9/20/2022
go	9/21/2022
pypi	9/21/2022
github	9/21/2022
fedora-koji	9/21/2022

Changes in Mini Update Released on 13-September-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to commons_configuration2 Component

• Added vulnerability information to the commons_configuration2 maven component (https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2 ) related to vulnerability cves,
  1. CVE-2022-33980 (https://nvd.nist.gov/vuln/detail/CVE-2022-33980 )
  2. CVE-2020-1953 (https://nvd.nist.gov/vuln/detail/CVE-2020-1953)

Issue ID	Issue Summary
SCA-43592	Missing vulnerability CVE-2022-33980 for the component commons_configuration2
SCA-43114	Updating component information for components like entityframework, mailbee.net and microsoft.sqlserver.sqlmanagementobjects.

Changes in Update Released on 09-September-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-43115	Addition of new licenses to reflib like AfterLogic Software License Agreement , Entity Framework 5.0 For Microsoft Windows Operating System and Microsoft SQL SERVER 2017 Shared Management Objects.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• EPICS.txt

• etalab-2.0.txt

• copyleft-next-0.3.0.txt

• copyleft-next-0.3.1.txt

• GD.txt

• GLWTPL.txt

• Hippocratic-2.1.txt

• HPND-sell-variant.txt

• HTMLTIDY.txt

• JPNIC.txt

• libpng-2.0.txt

• libselinux-1.0.txt

• Linux-OpenIB.txt

Collector Status

<

Name	Date of Last Successful Run
gitlab	8/5/2022
maven2-ibiblio	8/22/2022
clojars	9/1/2022
crates	8/25/2022
cpan	9/1/2022
rubygems	9/1/2022
maven-google	9/2/2022
hackage	9/4/2022
nuget gallery	9/5/2022
packagist	9/5/2022
go	9/6/2022
pypi	9/6/2022
cran	9/7/2022
github	9/7/2022
fedora-koji	9/7/2022
npm	9/7/2022

Changes in Update Released on 29-August-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-42217	BSD 3-Clause license text not detected
SCA-43300	Fixed license detection and license evidence mechanism for dvipdfm license to avoid false positives

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• 0BSD

• BSD-1-Clause

• BSD-3-Clause-Modification

• BSD-3-Clause-No-Military-License

• BSD-3-Clause-Open-MPI.txt

New/Update Component Requests

• jridgewell/gen-mapping
• jridgewell/set-array
• jridgewell/sourcemap-codec
• CPUID CPU-Z
• get-image-file-type-programmatically-in-swift
• swift-5-4-hex-to-nscolor
• SNMP++ API
• supports-preserve-symlinks-flag

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• bwm-ng
• mattermost_server
• snipe-it
• cgal
• caldera-forms

Collector Status

<

Name	Date of Last Successful Run
fedora-koji	8/2/2022
gitlab	8/5/2022
cpan	8/18/2022
rubygems	8/18/2022
maven-google	8/19/2022
cran	8/20/2022
nuget gallery	8/21/2022
hackage	8/21/2022
maven2-ibiblio	8/22/2022
packagist	8/22/2022
go	8/23/2022
github	8/24/2022
crates	8/24/2022
npm	8/24/2022
clojars	8/25/2022
pypi	8/26/2022

Changes in Update Released on 12-August-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-42725	Fixed False positive vulnerabilities related to SQL Lite
SCA-31133	Addition of Nuget vulnerability mapper to the list of vulnerability mappers
SCA-42767	Updated license information for the components datatables-fixedcolumns and datatables-tabletools in our data library
SCA-43007	GNU Library General Public License v2 or later (LGPL-2.0-or-later) License Evidence is not being detected for gettext.c file

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for the following components was updated/added:

• LGPL-2.0-or-later
• SPDX licenses with additional clauses

• App-s2p

• Baekmuk

• blessing

• BlueOak-1.0.0

• C-UDA-1.0

New/Update Component Requests

• FixedColumns
• Autofill
• Tabletools

New Component Detection Rules

• Tabletools.js and Tabletools.min.js
• FixedColumns.js and FixedColumns.min.js

Collector Status

Name	Date of Last Successful Run
maven2-ibiblio	7/28/2022
fedora-koji	8/2/2022
clojars	8/4/2022
cpan	8/4/2022
rubygems	8/4/2022
maven-google	8/5/2022
gitlab	8/5/2022
cran	8/6/2022
nuget gallery	8/6/2022
hackage	8/7/2022
packagist	8/8/2022
go	8/9/2022
pypi	8/10/2022
github	8/10/2022
crates	8/10/2022
npm	8/10/2022

Changes in Update Released on 18-July-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

GPL-AGPL-LGPL License Cleanup

There are three issues we are addressing as part of this GPL-AGPL-LGPL License data cleanup project:

Example: jquery 6.2.0 (GPL-1.0)

Here GPL-1.0 is the license with the short name associated with the component jquery.

1. Short Name Change

When a particular license short name is changed and released as part of an electronic update, the short name is not automatically propagated to the inventory items with that selected license. For example, when we change the short name of license id 343 from "GPL-1.0” to “GPL-1.0-only” in an electronic update, the existing inventory items names with that selected license will not be updated.

2. Component to License Mapping Change

When the component to license mapping is changed, let’s say jquery is mapped with "Apache-2.0" in the electronic update, then this new mapping wouldn’t be propagated to existing inventory items. This results in inconsistency between the license mapping, existing inventory items, and future inventory items using the new license mapping.

3. Duplicate entry cleanup

After running the cleanup scripts, there are possibility of having duplicate entries for the licenses which had mappings in component table and versions table. In our case, we have mappings for 3 licenses, i.e LGPL-2.1-or-later(License_id=704), AGPL-1.0-only(License_id=1654) and AGPL-3.0-only(License_id=229).

Note: Around 16 GPL-AGPL-LGPL related licenses are updated and workaround has been provided for necessary scenarios.

Please refer the article on GPL-LGPL-AGPL License Cleanup for detailed information and workarounds: https://community.flexera.com/t5/Code-Insight-Knowledge-Base/Code-Insight-GPL-LGPL-AGPL-License-Data-Cleanup-Project/ta-p/240679

Issue ID	Issue Summary
SCA-40135	Updating the GPL related licenses in the data library according to SPDX
SCA-40180, SCA-41672	Preparation of scripts related to changes made to GPL, LGPL and AGPL licenses.
SCA-42149	Updated version information for the component minimist.

Enhanced License Detection Capability for Components

License detection capability and license evidence mechanism for GPL-LGPL-AGPL related licenses (part of GPL-AGPL-LGPL license cleanup activity) was updated/added for the following components:

• AGPL-1.0-only
• AGPL-1.0-or-later
• AGPL-3.0-only
• AGPL-3.0-or-later
• GPL-1.0-only
• GPL-1.0-or-later
• GPL-2.0-only
• GPL-2.0-or-later
• GPL-3.0-only
• GPL-3.0-or-later
• LGPL-2.0-only
• LGPL-2.0-or-later
• LGPL-2.1-only
• LGPL-2.1-or-later
• LGPL-3.0-only
• LGPL-3.0-or-later

Collector Status

Name	Date of Last Successful Run
gitlab	5/13/2022
maven2-ibiblio	6/30/2022
nuget gallery	7/4/2022
clojars	7/7/2022
cpan	7/7/2022
rubygems	7/7/2022
cran	7/9/2022
maven-google	7/9/2022
hackage	7/10/2022
packagist	7/11/2022
go	7/12/2022
pypi	7/13/2022
github	7/13/2022
crates	7/13/2022
fedora-koji	7/13/2022
npm	1/30/2022

Changes in Update Released on 07-July-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-42146	Addition of the license EDL 1.0 to PDL.

Collector Status

Name	Date of Last Successful Run
gitlab	5/13/2022
npm	1/30/2022
pypi	6/29/2022
crates	6/29/2022
clojars	6/30/2022
maven2-ibiblio	6/30/2022
cpan	6/30/2022
rubygems	6/30/2022
maven-google	7/1/2022
go	7/1/2022
cran	7/2/2022
fedora-koji	7/2/2022
hackage	7/3/2022
github	7/4/2022
nuget gallery	7/4/2022
packagist	7/4/2022

Changes in Mini Update Released on 28-June-2022

This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to jenkins Component

• Added the latest vulnerability information for jenkins component (Component id: 191327) related to vulnerability CVE-2022-34175 (https://nvd.nist.gov/vuln/detail/CVE-2022-34175)

Issue ID	Issue Summary
SCA-39993	Miniature PDL package creation and processing in product

Changes in Update Released on 15-June-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-40437	Addition of Go Collector to the list of collectors Collected Batch 1- 50000 packages.
SCA-42001	Fixed license information for the component 'setuptools'.
SCA-42030	Fixed license information for the component 'react-leaflet'.
SCA-42040	Fixed license information for the component 'pillow'.
SCA-42108	Updated component-version information for the component 'url-parse'.

Collector Status

Name	Date of Last Successful Run
gitlab	5/13/2022
crates	5/28/2022
npm	1/30/2022
pypi	6/8/2022
clojars	6/9/2022
cpan	6/9/2022
rubygems	6/10/2022
cran	6/11/2022
maven2-ibiblio	6/11/2022
maven-google	6/11/2022
hackage	6/12/2022
nuget gallery	6/12/2022
packagist	6/13/2022
github	6/14/2022
fedora-koji	6/14/2022
go	6/14/2022

Changes in Update Released on 13-May-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-41730	Addition of vulnerability mappings to zlib component (CVE-2018-25032).

Collector Status

Name	Date of Last Successful Run
hackage	5/8/2022
npm	1/30/2022
crates	4/26/2022
clojars	5/5/2022
cpan	5/5/2022
rubygems	5/6/2022
maven-google	5/6/2022
cran	5/7/2022
nuget gallery	5/8/2022
maven2-ibiblio	5/9/2022
packagist	5/10/2022
github	5/11/2022
gitlab	5/11/2022
pypi	5/11/2022
fedora-koji	5/11/2022

Changes in Update Released on 28-Apr-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-41430	Addition and Updating components and license information for components like JakartaFtpWrapper, nsftools.com Standard Disclaimer etc.
SCA-41268	Fixed the incorrect license mapping for hibernate-core component.

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:

• FreeImage
• freertos-exception-2.0
• FSFAP
• FSFULLR

Collector Status

Name	Date of Last Successful Run
hackage	4/24/2022
npm	1/30/2022
maven2-ibiblio	4/12/2022
cpan	4/14/2022
fedora-koji	4/19/2022
rubygems	4/21/2022
cran	4/22/2022
maven-google	4/22/2022
nuget gallery	4/23/2022
crates	4/26/2022
clojars	4/27/2022
github	4/27/2022
packagist	4/27/2022
gitlab	4/27/2022
pypi	4/27/2022

Changes in Update Released on 13-Apr-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to spring-framework Component

• Added vulnerability information for spring-framework component ( CVE-2022-22950 and CVE-2022-22965).

Issue ID	Issue Summary
SCA-41311	Fix incorrect vulnerability mapping to the component POI.
SCA-41305	Addition of vulnerabilities to xmlbeans 2.6.0 component.
SCA-41141	Enhancement to collect missing licenses for Pypi components.
SCA-40144	Addition of Components from https://gitlab.xiph.org/xiph

Changes in Update Released on 25-Mar-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-40941	Update license information for npm component- pixrem.
SCA-40777	Map Fair license to "Assert" component.
SCA-40872	License information for jquery 1.12.4 - MIT or GPL-2.0 license?

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• jhuisi-charm
• pear-archive_tar
• zopefoundation-accesscontrol
• nextcloud-richdocuments
• pear-archive_tar
• 3xxx-engineercms
• isomorphic-git-isomorphic-git
• justarchinet-archisteamfarm
• matanui159-replaysorcery
• xmldom-xmldom
• util-linux-util-linux

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:

• dvipdfm
• mif-exception
• eCos-exception-2.0
• eGenix
• EPL-2.0
• EUPL-1.2
• FLTK-exception

Collector Status

<

Name	Date of Last Successful Run
packagist	2/27/2022
maven2-ibiblio	3/7/2022
npm	1/30/2022
gitlab	3/8/2022
clojars	3/16/2022
rubygems	3/17/2022
cpan	3/17/2022
cran	3/18/2022
maven-google	3/18/2022
nuget gallery	3/19/2022
hackage	3/20/2022
github	3/22/2022
crates	3/23/2022
pypi	3/23/2022
fedora-koji	3/23/2022

Changes in Update Released on 14-Mar-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-32308	Pypi forge vulnerability Mapper is an addition to our list of automated vulnerability mappers mechanism.
SCA-40984	Fix false positive vulnerabilities for Mono.Cecil

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• glances
• video.js
• nukeviet
• lavalite-cms
• evolution-cms-evolution
• flatpress
• yzmcms
• elfinder.aspnet

Collector Status

Name	Date of Last Successful Run
packagist	2/27/2022
cran	3/4/2022
maven-google	3/5/2022
hackage	3/6/2022
maven2-ibiblio	3/7/2022
nuget gallery	3/7/2022
crates	3/8/2022
npm	1/30/2022
gitlab	3/8/2022
clojars	3/9/2022
pypi	3/9/2022
rubygems	3/10/2022
github	3/10/2022
cpan	3/10/2022
fedora-koji	3/10/2022

Changes in Update Released on 24-Feb-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-40339	Fixed license mappings for hangfire.core nuget component .
SCA-40332	Fixed license mappings for microsoft.net.workload.emscripten.manifest nuget component
SCA-40215	Fixed false positive CVE for system.threading.tasks.extensions 4.5.4 component

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• stuk-jszip
• firefly-iii
• pjsip-pjproject
• oisf-suricata
• gitlogplus
• velociraptor
• contour
• stmicroelectronics-stm32cubeh7
• mod_auth_openidc

New/Update Component Requests

• Microsoft Infographic Designer
• Microsoft Advance Card

Collector Status

Name	Date of Last Successful Run
npm	12/3/2021
gitlab	1/13/2022
maven2-ibiblio	2/15/2022
rubygems	2/17/2022
cran	2/18/2022
maven-google	2/18/2022
nuget gallery	2/19/2022
hackage	2/20/2022
packagist	2/20/2022
crates	2/22/2022
clojars	2/23/2022
github	2/23/2022
pypi	2/23/2022
fedora-koji	2/23/2022
cpan	2/24/2022

Changes in Update Released on 10-Feb-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-40131	Fixing false positive component_cpe mappings
SCA-40004	Fix for "Unable to load or add component version libssh 0.7.3"
SCA-39146	GPL 3.0 or later and GPL 3.0 Only - both licenses are reported when the source clearly has only one SPDX ID
SCA-38096	Fixing redirecting urls for clojars collector

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• mosquitto
• lwip
• folly
• matio
• libheif
• manageiq
• redis

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:

• D-FSL-1.0
• diffmark
• DigiRule-FOSS-exception
• Dotseqn
• DSDP

New/Update Component Requests

• windowsazure.servicebus
• microsoft.azure.servicebus.eventprocessorhost
• mesa
• sharpmimetools

Changes in Update Released on 28-Jan-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

MIT License Cleanup

There are two licenses in Code Insight for MIT – MIT License and MIT-Style License. While most licenses declared by open-source developers fall into the MIT License, the MIT-Style License is more of a template license consisting of various ways of how MIT license can be declared.

We noticed that the license mapping to majority of components are mapped incorrectly to the MIT-Style License. This is being resolved via an electronic update where the mappings are corrected and for existing projects that need mappings change a script will be provided.

Note:

Please refer the article on MIT License Cleanup for detailed information and workarounds: https://community.flexera.com/t5/Code-Insight-Knowledge-Base/Code-Insight-MIT-License-Data-Cleanup-Project/ta-p/214451/jump-to/first-unread-message

Known issue:

A script "MIT-CleanupQueries.sql" is provided which has to be run after the PDL update.

This script updates the license names and the incorrect license mappings in the existing system-generated inventories with the updated data changes as mentioned above.

There is a known issue for a particular set of inventories which have comma separated license names. This is observed in the inventories generated by AutoWriteup.

Ex: jQuery (MIT, MIT License)

In this case, the script provided to update the existing inventory names would not work. This causes a duplicate inventory on rescan.

The detailed issue description and workaround are provided in the jira: https://jira.flexera.com/browse/SCA-40194

Issue ID	Issue Summary
SCA-39812	Map vulnerabilities for gnu components
SCA-39748	Update version information for pilotmoon-scroll-reverser
SCA-38553	License detection XML detects both MIT and MIT-Style as evidence for MIT License
SCA-28851	MIT License cleanup: Enhancement to collector level license mappings mechanism to update invalid mappings for MIT and MIT-Style licenses.
SCA-28766	Perform entire sequence of MIT License Cleanup-License short_name changes and license remapping at component and version level.

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• Itop
• Mupdf
• Anchrome

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:

• CNRI-Jython
• CNRI-Python
• CNRI-Python-GPL-Compatible
• Crossword
• CrystalStacker
• PSF-2.0
• Python-2.0

Changes in Update Released on 13-Jan-2022

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to log4j Component

• Added component detection capabilities to identify log4j components in "ivy.xml".

Issue ID	Issue Summary
SCA-39360	Fixed the license evidence mechanism to eliminate false positive findings.
SCA-39579	Addition of gnu vulnerable components to the data library
SCA-38160	GNU vulnerability Mapper is an addition to our list of automated vulnerability mappers mechanism.
SCA-38159	Jenkins vulnerability Mapper is an addition to our list of automated vulnerability mappers mechanism.

<

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• xml_database
• graphhopper
• Openvswitch-ovs
• osgeo-gdal
• unicorn-engine-unicorn
• open62541-open62541
• racket-racket
• mozilla-geckodriver
• gnuaspell-aspell
• libsndfile-libsndfile
• libarchive
• matio

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:

• CC-BY-NC-ND-1.0
• CC-BY-NC-ND-4.0
• CC-BY-NC-SA-4.0
• CC-BY-NC-4.0
• CC-BY-ND-4.0
• CC-BY-SA-4.0
• CC-BY-4.0
• Cube
• curl
• CDLA-Permissive-1.0
• CDLA-Sharing-1.0
• CECILL-2.1
• CLISP-exception-2.0

New Component Requests

• Windows SDK for Windows Server 2008 and .NET Framework 3.5
• Strictly Software htmlencode

Changes in Update Released on 23-Dec-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to Apache log4j2 Component

• Updated vulnerability information for log4j2 component (CVE-2021-44228,CVE-2021-45046,CVE-2021-4104).
• Updated versions for the log4j2 components.

Issue ID	Issue Summary
SCA-38791	Updated missing vulnerabilities for nuget top 100 component
SCA-35846	Enhancements to Nuget Collector for Version-Level License Collection

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• consul
• uri.js
• chatwoot
• bat
• cgm-remote-monitor
• connect
• muwire
• containerd
• discourse
• micronaut
• gatsby-source-wordpress
• venus_os

Updated Components List

• world-clock-and-the-timezoneinformation-class

Changes in Update Released on 16-Dec-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Updates to Apache log4j2 Component

• Updated versions for the log4j2 components from different forges like github, maven and fedora.
• Updated vulnerabilities for log4j2 component (CVE-2021-44228).

Issue ID	Issue Summary
SCA-38864	Analysis & update license for jaxen component.
SCA-38669	AutoWriteup Rules: Map licenses to AutoWriteup Rules with no licenses.
SCA-38521	Increasing Component CPE mappings in Data Library.
SCA-38479	Updated version information for 27208706.
SCA-38791	Update missing license for top 100 Nuget components.

Addition of Missing Vulnerability Mappings

Missing vulnerability mappings for the following components were added:

• falco
• manageengine_admanager_plus
• esp32_firmware
• libvips-libvips
• junos
• rancher
• sheetjs
• etherpad
• stealth

Addition of License Detection Capability and License Evidence Mechanism

License detection capability and license evidence mechanism was added for the following licenses:

• bzip2-1.0
• bzip2-1.0.5
• Caldera
• BSD-3-Clause-Attribution
• BSD-3-Clause-Clear
• BSD-3-Clause-LBNL
• BSD-3-Clause-No-Nuclear-License-2014
• BSD-3-Clause-No-Nuclear-License
• BSD-3-Clause-No-Nuclear-Warranty
• BSD-4-Clause-UC
• BSD-Protection
• BSD-1-Clause
• BSD-Source-Code
• BSD-2-Clause-Patent
• BSD-2-Clause-NetBSD
• BSD-2-Clause-FreeBSD

Update Release on 26-Nov-2021 has been postponed

This update has been postponed to 9 Dec 2021 due to some technical issues.

Changes in Update Released on 11-Nov-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-38476	Add component GenericDataExchangeFrameworkwithAJAX and ASP.NET Outlook-like Time Field to PDL library
SCA-38352	Enhancement to license mapping mechanism for Nuget Collector based on License Expression provided by Nuget Rest API
SCA-38223	Add missing vulnerability mappings to components like umeditor, thinkcmf, xuperchain, ok-file-formats, radare2-extras, polipo, gthumb.

Changes in Update Released on 28-Oct-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

<

Issue ID	Issue Summary
SCA-38246	Add missing versions for openssl, net-snmp and system.data.sqlite components.
SCA-38221	Add missing vulnerability mappings to components like varnish_cache, elfinder.net. core, ectouch, is-email, booking_core, wolfssl.
SCA-37996	Invalid license for highcharts - npmjs component.
SCA-37673	Added license evidence and detection capability for licenses like Bahyph, Barr, Borceux, BSD-1-Clause, BSD-2-Clause-FreeBSD, BSD-2-Clause-NetBSD, BSD-2-Clause-Patent, BSD-Source-Code etc.
SCA-37671	Added license evidence and detection capability for licenses like 0BSD, 389-exception, Abstyles, Adobe-Glyph, Afmparse, AGPL-1.0, Aladdin, AMDPLPA, AML, AMPAS etc.
SCA-37461	Add missing vulnerability mappings to components like delta, xo-server, putil-merge, harmonyos, ant etc.
SCA-37459	Add missing vulnerability mappings to components like yop-poll, restsharp, event_streams, sshd, talk, nextcloud_mail, nextcloud, icinga etc.
SCA-37348	Github Vulnerabilities mapped to Java components.

Changes in Update Released on 18-Oct-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-38185	Fixing invalid versions of lm_sensors.
SCA-38030	Update reference to component_mapping.csv to new github.com from git.palamida.com in update service.
SCA-37884	Missing vulnerabilities for Valeo.
SCA-37758	Adding spdx-license-identifier to the license-detection.xml and license-finder.json.
SCA-37658	Update license-names in the license evidence mechanism.
SCA-37447	Add missing vulnerabilty mappings to components like retty, everything, brave, node.js, total.js, total4, prismatic.
SCA-37442	Add missing vulnerabilty mappings to components like halo, pfsense, exiv2, caldera, jsish, moddable, mujs.
SCA-38254	Add license evidence capability for licenses like LLVM-exception,APAFML,Artistic-1.0-cl8,Artistic-1.0-Perl.

Changes in Update Released on 01-Oct-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-37896	Validate and update Maven forge details in PDL library.
SCA-37837	Add new component ms-intune-app-sdk-android and Microsoft Intune App Software Development Kit For iOS license.
SCA-37651	Add Microsoft Windows Driver Kit For Windows 8.1 License and Updated versions for Microsoft windows driver kit.
SCA-37604	Update manually maintained component versions. Please refer list below
SCA-37376	Add the missing vulnerability mappings for components like cszcms, switch, fortimail, putty, emissary-ingress-emissary.
SCA-29724	Enhance License detection for Nuget forge components.
SCA-37544	Update versions and vulnerability mappings for oracle-jre component
SCA-37449	Add CWEs to PDL library.
SCA-38018	Update versions for Google Maven repository components.

Updated Components List

• glibmm24
• libsm
• wpa_supplicant
• cairo
• dmidecode
• chrony
• libxrandr
• libice
• networkmanager
• gobject-introspection
• glib-networking
• dnsmasq
• mesa
• elfutils
• dbus
• sudo
• libsoup
• libtalloc
• rpm-package-manager
• PowerTop
• libldb
• libxft
• openssl
• pygobject3
• gnutls
• libx11
• libnl3
• tzdata
• alsa-lib
• atk
• libxcb
• binutils
• ethtool
• libfontenc

Changes in Update Released on 13-Sep-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-37290	Validate and update invalid versions for kong-insomnia component.
SCA-36444	License Finder rules for OGC-1.0,OFL-1.1-RFN.
SCA-35816	Addition of Gitlab forge to the list of forge collection.
SCA-33593	Enhance license mapping capability for Nuget collector.
SCA-31981	Add new non-spdx licenses like Parity Public Licence 3.0,Server Side Public License,Yoctopuce-License,Prosperity Public License,MS-ASP.NET-Web-Pages-2 License,MS-ASP.NET-WOF License to the library .
SCA-37371	Mapping the missing vulnerabilty-CVE's for various components like Tinydtls, Misp, Libxml2, Vapor, Grpc_swift, Linuxptp.

New Component Detection Rules

• liblouis

Changes in Update Released on 30-Aug-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-35866	Grafana License changed from Apache License 2.0 to AGPL 3.0 from version 8.0.
SCA-35970	Data - Vulnerability Dates update. "Publication Date" and 'Modified Date".
SCA-36442	License-Finder.json rules for PSF-2.0,Parity-7.0.0,OGL-UK-3.0 etc.
SCA-36894	License Mappings for "pylouis" component.
SCA-36946	Data: Forge detail is incorrect for log4php component.
SCA-37030	False Positive Vulnerabilities for "file - npmjs" component.
SCA-37147	Handle URL discrepancies & case sensitive titles for FSF forge.
SCA-36815	Mapping of missing CVE's for components like thinksaas, routeros, alpinelinux-aports, gu, sansanyun-mipcms, hnaoyun-pbootcms.
SCA-37171	Mapping of missing CVE's for components like wp-plugins-wp-downloadmanager, benmonro-android, johnhaldeman-guarddetap, wp-plugins-cm-download-manager, just-safe-set, members, tizen, webclient, prusa3d-prusaslicer, webclient, webkitgtk.
SCA-37176	Mapping of missing CVE's for components like sanos, hyper, server, storage-manager, password-manager, ninjarmm, xevo.
SCA-37200	Update right URLs and title for code.google forge components.
SCA-37206	Mapping Vulnerability for json-smart-v1 and json-smart-v2.
SCA-35877	Updated components having URL discrepancies.

Changes in Update Released on 27-Jul-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-35948​	NPMJS: Project Discovery is not Up to date with respect to NPMJS Forge​
SCA-35924	License mapping for the Pypi component "louis"
SCA-27819	Fixing nongnu.org 404 URL's
SCA-36610	Minio version license mapping
SCA-36607​	Grafana version license mapping
SCA-36110	Update matplotlib license text
SCA-36128	Manual Collector: Kernel: lvm2 versions are wrongly added
SCA-35933	False Positive vulnerabilities in mariadb-java-client
SCA-35908	Invalid versions for microsoft-azuredatastudio component

Changes in Update Released on 24-Jun-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-34531	Update Matplotlib license text to version 3.4.1.
SCA-35177	New requests.
SCA-34953	Add components & license to reflib.
SCA-33894	CVE-2020-11971 associated with wrong components.
SCA-29232	Request to add component: logrotate.
SCA-30698	License Finder Rules for Matplotlib License.
SCA-35286	Unicode Terms of Use license not found in file.
SCA-35680	False positive GPL license detected for LGPL license text
SCA-25368	Request for identifying SPDX IDs.

Changes in Update Released on 11-Jun-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-35178	Add OTN license and map missing license for oracle.manageddataaccess - NuGet Gallery component.
SCA-35087	Deprecating invalid versions of Apache projects on github.
SCA-35022	SPDX license collection. (Around 87 new licenses).
SCA-33894	License Name and SPDX License Name should be the same.
SCA-33805	Elastic Kibana: Add License Finder Rules for Elastic License 2.0
SCA-30698	License Finder Rules for Matplotlib License

Changes in Update Released on 28-May-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-34581	Add component Microsoft JDBC Driver for SQL Server and licenses.
SCA-34431	Deprecating invalid version vulnerability Mapping which are protected
SCA-33541	Vulnerabilities for Netmask and PHP git server
SCA-33251	Vulnerability Dates: Addition/correction of columns for publication date and last modified date.
SCA-30785	SPDX license collection to staging db. (Not yet released).

Changes in Update Released on 14-May-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-34508	PYPI URL's format are not consistent throughout in PDL_Component .
SCA-34395	False positive vulnerabilities for tomcat components - False PDL Mappings in PDL_COMP_VER_VULNERABILITY
SCA-34213	Deprecating the version for Apache project invalid versions-Set2
SCA-33485	The "Visual C++ Redistributable for Visual Studio" component name contains spaces making keyword search difficult
SCA-32592	Deprecating the version for Apache project invalid versions.
SCA-30879	Linux Kernel versions release which was obsolete by an year and a half.
SCA-34289	Libstdcpp component
SCA-34183	Add new licenses to license seed and schema.

Changes in Update Released on 22-Apr-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-32074	License mismatch for popular components.
SCA-31667	License Acronym Data Changes for auto writeup rules.
SCA-29799	Inventory created with auto-writeup rules don't create with SPDX license ID
SCA-26931	Missing vulnerabilities (CPES with *) and wrong mappings for CPEs with *.

New Component Requests

• lsof(Component ID: 27350567)
• ntp(Component ID: 207771)
• libtiff(Component ID:27350365)
• gtk(Component ID: 27350362)
• gnome-shell-extensions(Component ID: 27350363)
• libgpg-error(Component ID: 27350364)
• dracut(Component ID: 123809)
• openssl-fips(Component ID: 27350368)
• lvm2(Component ID: 27350367)
• kbd(Component ID: 27350366)
• lzo(Component ID: 63041)
• treeview-with-columns(Component ID: 27350359)
• replace-a-windows-internal-scrollbar-with-a-customdraw-scrollbar-control(Component ID: 27350360)
• step-by-step-calling-c-dlls-from-vc-and-vb-part-1(Component ID: 27350361)
• strawberry-perl - 27344198)
• run-postinsts - 27344199)
• packagegroup-core-boot - 27344200)
• sha-1-in-C-by-steve-reID: - 27344201)
• zlib - 27344202)
• watchdog(Component ID: 5403203)
• perfmon2(Component ID: 53555)
• ust(Component ID: 186075)
• newmat(Component ID: 129995)
• netbase(Component ID: 207639)
• xml-pull-parser3(Component ID: 226748)
• shadow-utils(Component ID: 5403445)
• lipro-libftdi(Component ID: 7872851)
• csha1(Component ID: 27341784)
• timezonemap(Component ID: 27344433)

Changes in Update Released on 10-Apr-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-33801	License detection.xml changes for PDL-2021-04-R1
SCA-31855	AutoWriteUp rules having outdated URLs
SCA-33557	Adding License - Purdue BSD-Style License
SCA-32649	Wrong (and hence fix) DOC Software License name and url
SCA-32983	Missing Elastic License for Elastic Kibana

New Component Requests

• File-file (component ID: 3102572)
• Cquicklist (component ID: 27337962)
• Nfs-utils (component ID: 27336321)
• Eglibc (component ID: 27337963)
• Lcms (component ID: 7597)
• Ti-rtos-mcu (component ID: 27336320)
• High-speed-charting-control (component ID: 27330960)
• Progress-control-with-text (component ID: 27330961)
• Oscilloscope-stripchart-control (component ID: 27330962)
• Skinx (component ID: 27330963)
• Keymaps (component ID: 27333199)
• Getprimarymacaddress (component ID: 27333200)
• Sampleds (component ID: 27333201)
• Microsoft Windows SDK for Windows 7 and .NET Framework 4 (component ID: 27334733)
• Csha1-a-c-class-implementation-of-the-sha-1-hash-a (component ID: 27334779)
• Trafficwatcher (component ID: 27334780)
• Using-colors-in-cedit-and-cstatic (component ID: 27335822)
• Gnu-which (component ID: 705519)
• Eclipse-aspectj (component ID: 55748)

Changes in Update Released on 25-Mar-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-32971	URL fix for DOC License
SCA-32253	Map MICROSOFT SQL SERVER DATA-TIER APPLICATION FRAMEWORK to SQLpackage.commandline
SCA-31926	Update the missing license mappings for components-Phase1.
SCA-31800	Exception looking up rules' in FNCI Logs

New Component Requests

• mph-2b-damase
• simpleping
• twain-developer-toolkit
• texas-instruments-msp-430-lib-files
• CppSQLite
• CStdioFile
• CTrayIcon
• CXml
• CXPGroupBox
• A class to combine Slider Control and Progress Bar
• A very simple solution for partial bitmap encryption
• Adobe InDesign CC SDK
• libcomposite
• pango
• Microsoft Windows Driver Kit - WDK

Changes in Update Released between 20-Oct-2020 to 11-Mar-2021

This Update includes the changes described in the following sections.

Issues/Bugs Addressed

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-27739	False Positives when scanned Oracle OpenJDK
SCA-28603	Unable to find a component that is identified as first level dependency
SCA-26834	Sun (Restricted) and Sun-IP Licenses not detected
SCA-29523	License discrepancy for CURL component
SCA-27024	Gnutls component missing vulnerabilities, versions and wrong url
SCA-30866	Hdf5 license (ID: 1224) is not correct
SCA-30797	Incorrect Licensing Detection for Microsoft .Net
SCA-30525	Component gpg-gnupg missing encryption flag
SCA-27722	Incorrect vulnerabilities matched with component versions for Rust
SCA-32271	PDL_VULNERABILITY table is empty in the latest PDL update
SCA-33031	BOM: Discrepancies due to search term rule basics-vector

New Component Detection Rules

• Setup.js
• MD% algorithm class library
• PhantomJs
• Cefsharp
• Virtual-dom v2.1.1
• Named-js-regexp
• MarkupSafe
• OCHamcrest
• OCMockito
• Libsrtp
• Ans_up
• HockeySDK
• Aimage
• Ua-parser-js v0.7.10.
• Autofac.Wcf
• Vector.js
• Untildify v3.0.2
• Post-robot v7.0.15.
• Axios
• JSONTestSuite
• Rpc-server.js

New Features incorporated.

Issue ID	Issue Summary
SCA-26848	CVSS 3.1 - Data Collection
SCA-26808	Add Vulnerability dates to PDL tables
SCA-26181	Component CPE Mapping

New Component Requests released.

• Isc bind
• Canvas-toblob.js
• Newrelic.opentracing.amazonlambda.tracer
• Libepoxy
• Tags
• Json.net
• Jquery-menu-aim-fw
• Microsoft.appcenter for macos
• Microsoft.appcenter.analytics for macos
• Apache-apr
• Cyan4973-lz4
• Gnu-screen
• Jamesflorentino-nanoscrollerjs
• Mtd-utils
• Npth
• Pam
• Eeepc-acpi-scripts
• Sharpziplib
• Mahapps.metro.simplechildwindow - nuget gallery
• Wpfnotification - nuget gallery
• Microsoft-windowsapicodepack-shellextensions - nuget gallery
• Controlzex/controlzex - github
• Mahapps.metro.iconpacks - nuget gallery
• Mvvmlight - nuget gallery
• Ini-parser - nuget gallery
• Mahapps/mahapps.metro - github
• Angular/angular-cli - github
• System.data.sqlite.core - nuget gallery
• System.data.sqlite.ef6.migrations - nuget gallery
• Microsoft asp.net mvc 4 (***deprecated***)
• Wxwindows library license
• Wxwidgets
• Karma-runner karma
• Openssh - in c
• Base-passwd
• Init-ifupdown
• Procps
• Binutils
• 7-zip
• Kmod
• Matplotlib
• Scons - a software construction tool - scons
• Tagish library
• Qos-ch-slf4j
• Flex - lexical scanner generator
• Application insights persisted http channel
• Cairo-pixman
• Flat_hash_map
• Fontconfig
• Free type
• Gnutls library
• Tianmajs/libm - github
• Libsoup
• Microsoft.applicationinsights - nuget gallery
• Slodge/mvvmcross - github
• Pdfsharp - nuget gallery
• Sharppdf
• Twain data source manager
• Twain sample data source and application - twain 2.0 sample data source
• Windows driver kit (wdk) 8.0 samples for visual studio 2012
• Microsoft/windows-universal-samples - github
• Html agility pack
• Microsoft.extensions.caching.abstractions
• Microsoft.extensions.caching.memory
• Microsoft.extensions.dependencyinjection.abstractions
• Microsoft.extensions.options
• Microsoft.extensions.primitives
• Microsoft.netcore.platforms
• System.componentmodel.annotations
• System.runtime.compilerservices.unsafe
• System.security.cryptography.xml
• Microsoft.owin
• Microsoft.owin.host.systemweb
• Microsoft.owin.security
• Mimemapping
• Nconfiguration
• Nlog
• Nuget.commandline
• Nunit
• Restsharp
• Closedxml
• Apache cxf buildtools
• Apache neethi
• Weblinc-matchmedia
• Twain/twain-dsm
• Twain-twain-samples
• Windows driver kit (wdk) 8.0 samples for visual studio 2012

Changes in Update Released on 20-Oct-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 20-Oct-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-28504	Components information
SCA-28691	NVD Feed: Upgrading NVD CVE-Feeds APIs (1.0) to NVD CVE-Feeds APIs (1.1)
SCA-27621	Difference in vulnerability information for 'expat' and 'libexpat-libexpat' component
SCA-28970	NVD-Feed Fix and client release to Codeaware
SCA-17974	Duplicate Inventory found for "gettext" and for the duplicate inventory as found license text is wrong
SCA-28740	With fresh scan, name of inventory item zlib is changed to madler-zlib in codeinsight 2020R4.
SCA-27773	Search terms need to be improved for few components
SCA-28288	False Positives for zlib and libjpeg
SCA-28508	Components information
SCA-22072	Stunnel support in DL
SCA-27119	Missing versions
SCA-29156	Pycryptodomex missing encryption flag

New Component Detection Rules in the 20-Oct-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• Retry.js
• Jquery-mobile for react
• Expat (version released 2.2.6)
• Novell.Directory.ldap
• Spawn.js
• Jquery-vsdoc.js
• CodeMirror
• NUnit.Framework.dll
• Rsvp.js
• Twbs-bootstrap and Mathiasbynens-jquery-placeholder
• Libwebsockets
• Globalize 1.1.1
• CPU Topology
• JSON v3.3.0
• Pyomo v5.0.1
• CPU Topology 1.2.8 Class library
• Text-markdown
• Json v2.1.1
• V8
• Libuv

Changes in Update Released on 11-Sep-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 11-Sep-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-27585	Add component " History-event"(JQuery.history.js)
SCA-27738	URL not working for freetype (Id: 1149) component

New Component Detection Rules in the 11-Sep-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• 7za.exe
• Jazzy
• D3.js
• JSQR
• Doube-conversion
• HistoryEvent
• Bind
• Punycode.js
• Gaearon-Redux

Changes in Update Released on 28-Aug-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 28-Aug-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-27456	Missing OSS component-udev
SCA-27203	Missing components – bind and jsqr

New Component Detection Rules in the 28-Aug-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• Whiskas.py
• ProtectedData
• Dmidecode
• Libsmbios

Changes in Update Released on 14-Aug-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 14-Aug-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-27191	Add tungsten fabric components to Data Library
SCA-27024	Gnutls component missing vulnerabilities, versions and wrong url.
SCA-27084	Libtiff license url needs to be updated

New Component Detection Rules in the 14-Aug-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• SWIG v3.0.2
• VC Redistributable
• Apple Installer Plugin
• Appcenter-sdk-apple-3.0.0.tar.gz
• Code Project - WSE 3 Deployment: MSI and ClickOnce
• Wdksetup.exe
• MobileNumericUpDown
• Apple/cups
• Mhook
• GridAnimationDemo

Changes in Update Released on 03-Aug-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 03-Aug-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-26931	Missing vulnerabilities.
SCA-26666	Missing Vulnerabilities for Apache Thrift 0.7.0

New Component Detection Rules in the 03-Aug-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• JQuery Mobile
• JortSort
• CLR Security Class library
• BrockAllenCookieBasedTempdata.dll
• StackExchange.Redis
• Readline.js

Changes in Update Released on 17-Jul-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 17-Jul-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-25108	Detection of xmlbeans 2.6.0 occurs twice
SCA-25905	Component system.diagnostics.diagnosticsource has had its license changed for version 4.4 and later
SCA-25907	New components added
SCA-26134	The component "app.min.js" is incorrectly mapped to the component "App( 62839)"

New Component Detection Rules in the 17-Jul-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• Console.js
• LowPriorityWarning.js
• Nameddefine.js
• Prettier.js
• SQLite DLL
• Pacman Unicode
• D3 DES algorithm 5.09 Class library
• JCanvas
• Libxslt
• Node-tmp
• Libxml2

Changes in Update Released on 30-Jun-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 30-Jun-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-25608	component "jodaorg-joda-time" has invalid license in list
SCA-25587	Review licenses for timescale DB GitHub components
SCA-23003	Collectors for bouncycastle,curl,gnu,haproxy,jquery,kernel,libarchive,libssh, openbsd,openflow,openssl.

New Component Detection Rules in the 30-Jun-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• Node-Semver
• Speex
• Node-Static
• node-tree-kill
• node-winreg
• node-xml2js

Changes in Update Released on 15-Jun-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 15-Jun-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-24724	Haproxy component missing 2.0.x versions
SCA-25348	Add missing vulnerabilities to u-boot component
SCA-25416	Errors in Oracle db during PDL Update
SCA-24986	UltrVNC - Missing latest versions and some versions are invalid
SCA-20156	Update component 302760 to important = true
SCA-22232	Missing component versions
SCA-24984	Component versions out of date

New Component Detection Rules in the 15-Jun-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• Cross-BrowserSplit.
• Chromium-Breakpad.
• Request.js
• Sauce.js
• IsEventSupported.js
• Pubsuffix.js
• Node-ssl-root-cas(test-tunnel.js)

Changes in Update Released on 01-Jun-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 01-Jun-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-24867	[Juniper Networks, Inc.] gnu-gcc component is showing invalid versions
SCA-25010	AMD: CodeAware Improper Identification of License for JQUERY Component.

New Component Detection Rules in the 01-Jun-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• Connect-nocache.
• typescript.js
• aphrodite.js
• Newtonsoft.Json.dll
• tipsy v1.0.0a(jquery.tipsy.js,tipsy.css).
• prism.js
• systemjs
• Microsoft Ajax Minifier

Changes in Update Released on 18-May-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 18-May-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-23316	OGIS: License detection is different in CodeAware and Auto-Analysis
SCA-22382	OGIS: Request to Add New Components and Versions
SCA-24622	Harmonic: stuk-jszip has MIT/GPL Dual License but "Possible Licenses" only show GPL
SCA-24711	Citrix: False positives CVEs

New Component Detection Rules in the 18-May-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• bootstrap-select.js
• bootstrap-toggle.min.js
• React-pull-to-referesh
• rx.all.js
• narwhal.js
• bootstrap-checkbox v1.4.0
• IKVM.NET(IKVM.Reflection.dll).

Changes in Update Released on 04-May-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 04-May-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-22381	Component 'ring' from crates.io forge missing license and encryption flag
SCA-22542	Encryption flag not set for 'rust-openssl' component
SCA-24708	Incorrect discovery of 'Primefaces-PrimeNG' component

New Component Detection Rules in the 04-May-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• jquery.scrollTo-min.js, MatrixMath.js, jQuery.tmpl.js, lws-common.js
• React Router
• jsDump
• Reflect-Metadata
• NDesk.Options(.dll)
• MSBuild Community Tasks(.dll)

Changes in Update Released on 17-Apr-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 17-Apr-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-23823	Few vulnerabilities not reported
SCA-24365	Invalid URL for 'lyceum' component
SCA-20305	Component 'apache-cordova-plugin-inappbrowser' has incorrect versions
SCA-18198	Incorrect vulnerability mapping for 'Docker' component
SCA-23837	Added rdklib (pypi) to the library

New Component Detection Rules in the 17-Apr-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• webperftest
• jquery.color.js
• knockout
• Irrlicht(.dll file)
• jQuery(build_markdown.js)
• React Developer Tools(getReactData.js)
• moment.js,regex.js, moment-with-locales.js

Changes in Update Released on 3-Apr-2020

This Update includes the changes described in the following sections.

Issues Addressed in the 3-Apr-2020 Release

The following issues were addressed in the Update:

Issue ID	Issue Summary
SCA-22116	Invalid version specified for 'tpm2-tss-engine'
SCA-23712	Added 'SunPro' license to the library
SCA-22982	Incorrect URLs for few Ibiblio Maven2 components
SCA-20314	Licenses are not mapped for latest versions of 'pygresql' component (22014048)
SCA-21928	Component 'pycountry-convert' needs to be updated with latest details
SCA-19891	Invalid versions associated to the component 'c-ares'
SCA-15411	Incorrect details for component 'systemd-systemd'

New Component Detection Rules in the 13-Mar-2020 Release

This Update introduces new Automated Analysis rules for the following components:

• vector.js
• webcomponent.js
• globalize.js
• OCMock
• Bezier-Easing
• Punycode(.js File)
• Sphinx
• StructureMap
• cors
• jQuery validation plug-in v1.6
• jQuery Easing v1.3