Summary: This article discusses the Match Slider in Workspace Settings. Question: What does the Match Slider in Workspace Settings do? Answer: The 'Match' filter restricts the results of your 'Contains Source Matches' tag to only files that contain at least ...
Summary: This article lists the required, default, and other ports used by FlexNet Code Insight. Question: Which ports are used by FlexNet Code Insight? Answer: Required Application Ports for Palamida 6.6.2 and prior. Port / From / To / Description: 1099 / Detector, Co...
Summary: This article documents the full procedure for submitting requests for addition of new components or review of existing components in our Compliance Library. Question: How to submit FlexNet Code Insight requests for Compliance Library entries? Answe...
Summary: The entirety of FlexNet Code Insight's LDAP configuration is done through the $palamida/config/core/core.ldap.properties file. The article discusses some of the primary properties in this file. The 'Additional Information' section of this arti...
Summary: Configuring FNCI 6.x for a Friendly URL. Question: FlexNet Code Insight deploys the web UI under the "palamida" Tomcat webapp on port 8888, accessible by a URL like: http://my-server.com:8888/palamida This article is useful if a user wants to remove...
Summary: The purpose of this article is to enumerate the necessary materials to be sent to Flexera Software Support if your scan appears to be running for an unusually long period. Question: Sometimes, a FlexNet Code Insight scan appears to be running for ...
Summary: This article provides steps for getting a JWT token to authorize scriptRunner for FlexNet Code Insight 6.8. Question: How do I get a JWT token to authorize scriptRunner for FlexNet Code Insight 6.8? Answer: Launch the web browser as a user who has...
Summary: This article provides information on the differences between the Compliance Library and the Electronic Update. Question: What is the difference between the FlexNet Code Insight Compliance Library and the Electronic Update? Answer: The physical CL dr...
We welcome all types of support cases!
Bugs, Features, Enhancements, Questions, Ideas
Cases provide an audit trail, tracking mechanism and assessment across entire customer base
Not sure if it’s case worthy?
Ask your CSM/Services/PM but don’t hesitate to submit a case of type “Question”
Have multiple issues to report?
Break them down into multiple cases if possible
Issue is too complex / too broad / not reproducible?
We still want to hear about it and can often tell you if others are impacted
Prioritize in context of other issues submitted by your organization
Customers usually know best which issues are most critical for their organization, but Revenera may not always have this knowledge. It removes a lot of ambiguity when customers help us with prioritization. Remember, you can view all support cases filed by your organization by using the 'All Cases' filter.
We will take care of prioritizing your case in context of our entire customer base and strategic initiatives.
Remember Priority = Urgency + Business Impact
These are not pre-defined case fields, but this is critical information for our PMs.
Urgency is all about time.
Help us identify issues that may not be blockers today but you expect them to turn into blockers in a week, a month, a year. Advise us of any known deadlines this bug will affect.
Business Impact is the effect of the issue on your business
Here are some examples of business impact to consider:
Business activity is affected
Potential operational loss
Potential financial loss
Reputation shattering
Inability or length of time to recover
Don't forget to update the case if circumstances change
Perhaps you found an acceptable workaround or moved to a different release altogether. Please don't forget to update us on the changes so that we can better apply our valuable time and resources.
The following are the Release Notes available for FlexNet Code Insight Electronic Update releases:
2024: 10-Oct-2024, 27-Sep-2024, 29-Aug-2024, 12-Aug-2024, 25-July-2024, 11-July-2024, 21-June-2024, 14-June-2024, 17-May-2024, 11-Apr-2024, 28-Mar-2024, 13-Mar-2024, 01-Mar-2024, 05-Feb-2024, 03-Jan-2024
2023: 28-Nov-2023, 10-Nov-2023, 27-Oct-2023, 13-Oct-2023, 14-Sep-2023, 10-Aug-2023, 23-Jun-2023, 31-May-2023, 04-May-2023, 17-Apr-2023, 24-Mar-2023, 10-Mar-2023, 24-Feb-2023, 20-Feb-2023, 30-Jan-2023, 12-Jan-2023
2022: 22-Dec-2022, 08-Dec-2022, 29-Nov-2022, 11-Nov-2022, 02-Nov-2022, 21-Oct-2022, 18-Oct-2022, 23-Sep-2022, 13-Sep-2022, 09-Sep-2022, 29-Aug-2022, 12-Aug-2022, 18-Jul-2022, 07-Jul-2022, 28-Jun-2022, 15-Jun-2022, 13-May-2022, 28-Apr-2022, 13-Apr-2022, 25-Mar-2022, 14-Mar-2022, 24-Feb-2022, 10-Feb-2022, 28-Jan-2022, 13-Jan-2022
2021: 23-Dec-2021, 16-Dec-2021, 26-Nov-2021, 11-Nov-2021, 28-Oct-2021, 18-Oct-2021, 01-Oct-2021, 13-Sep-2021, 30-Aug-2021, 27-Jul-2021, 24-Jun-2021, 11-Jun-2021, 28-May-2021, 14-May-2021, 22-Apr-2021, 10-Apr-2021, 25-Mar-2021, 11-Mar-2021
2020: 20-Oct-2020, 11-Sep-2020, 28-Aug-2020, 14-Aug-2020, 03-Aug-2020, 17-Jul-2020, 30-Jun-2020, 15-Jun-2020, 01-Jun-2020, 18-May-2020, 04-May-2020, 17-Apr-2020, 03-Apr-2020
Changes in Update Released on 10-October-2024
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-54218 | Updated the versions for component opentelemetry-collector-contrib (Component_Id: 27129544) |
| SCA-54259, SCA-54535, SCA-54555, SCA-55186 | Fixed license detection capability for BSD and GPL-Style licenses to remove false positive inventories |
New/Update component_version requests:
Deprecated the incorrect versions for component opentelemetry-collector-contrib. (Component_Id: 27129544).
Enhanced License Detection Capability for licenses
License detection capability and license evidence mechanism for the following licenses was updated/added:
BSD
GPL-Style
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| Alpine | 10/09/2024 |
| Clojars | 10/03/2024 |
| Cocoapods | 10/08/2024 |
| Conan | 10/03/2024 |
| Cpan | 10/03/2024 |
| Cran | 10/05/2024 |
| Crates | 08/25/2022 |
| Debian | 10/07/2024 |
| fedora-koji | 10/03/2024 |
| Github | 10/08/2024 |
| Gitlab | 06/06/2023 |
| Go | 10/07/2024 |
| Hackage | 10/06/2024 |
| maven2-ibiblio | 09/18/2024 |
| maven-google | 10/04/2024 |
| Npm | 10/07/2024 |
| nuget gallery | 09/19/2024 |
| packagist | 10/06/2024 |
| Pypi | 09/30/2024 |
| rubygems | 10/03/2024 |
Changes in Update Released on 27-September-2024
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| FLEX-4435 | Data collection of Source Repo URL for the components of the forges - GitHub, Gitlab, Npmjs. |
| SCA-54892 | Updated the detection technique for Sizzle component to remove duplicate inventories. |
New Component Detection Rules
Sizzle
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| Alpine | 09/18/2024 |
| Clojars | 09/19/2024 |
| Cocoapods | 09/17/2024 |
| Conan | 09/19/2024 |
| Cpan | 09/19/2024 |
| Cran | 09/14/2024 |
| Crates | 08/25/2022 |
| Debian | 09/16/2024 |
| fedora-koji | 09/16/2024 |
| Github | 09/10/2024 |
| Gitlab | 06/06/2023 |
| Go | 09/16/2024 |
| Hackage | 09/15/2024 |
| maven2-ibiblio | 09/13/2024 |
| maven-google | 09/13/2024 |
| Npm | 09/01/2024 |
| nuget gallery | 09/26/2024 |
| packagist | 09/15/2024 |
| Pypi | 09/16/2024 |
| rubygems | 09/26/2024 |
Changes in Update Released on 29-August-2024
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-54501 | Fixed False positive vulnerability mappings to multiple maven components added by the legacy Maven Mapper. |
| SCA-53350 | Fixed license detection capability for CDDL-1.1 and GPL-2.0-with-classpath-exception licenses to remove false positive inventories |
| SCA-54217 | Deprecated the incorrect version (1.0.0.0) and added the correct license mappings to microsoft.web.infrastructure component. |
| SCA-54532 | Fixed the False positive license for freemarker 2.3.8. |
New/Update license mappings requests:
Added component and version level license mappings to the component "microsoft.web.infrastructure" (componentId: 3529708).
New/Update component_version requests:
Deprecated the incorrect version (1.0.0.0) of microsoft.web.infrastructure component. (versionId: 9997221).
New/Update license requests:
Updated license URL of FreeMarker License (licenseid: 1482)
Enhanced License Detection Capability for licenses
License detection capability and license evidence mechanism for the following licenses was updated/added:
CDDL-1.1
GPL-2.0-with-classpath-exception
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| Alpine | 08/22/2024 |
| Clojars | 08/22/2024 |
| Cocoapods | 08/22/2024 |
| Conan | 08/22/2024 |
| Cpan | 08/22/2024 |
| Cran | 08/24/2024 |
| Crates | 08/25/2022 |
| Debian | 08/26/2024 |
| fedora-koji | 08/22/2024 |
| Github | 08/26/2024 |
| Gitlab | 06/06/2023 |
| Go | 08/05/2024 |
| Hackage | 08/25/2024 |
| maven2-ibiblio | 08/05/2024 |
| maven-google | 08/23/2024 |
| Npm | 08/27/2024 |
| nuget gallery | 08/16/2024 |
| packagist | 08/25/2024 |
| Pypi | 08/19/2024 |
| rubygems | 08/22/2024 |
Changes in Update Released on 12-August-2024
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-53760 | Fixed False positive inventories being generated due to incorrect URL match by RPM Analyzer. As a part of this we have updated few legacy invalid/incorrect components. Please refer to details in below sections. |
| SCA-53994 | Added component and version level license mappings to the component "perl-mozilla-ldap (Id: 27183535)". |
| SCA-54247 | Enhancement of Github Advisory Feed to handle updated and deprecated vulnerability data. |
| SCA-54428 | Enhancing the GHSA mapper to handle deprecation of affected versions records. |
New/Update component requests:
Deprecated the legacy invalid component typyahoo2-testproject (componentid: 10518835)
Updated component url of malbers-mp (componentid: 11092024)
Updated component url of amoldjoshi-likh (componentid: 11892667)
New/Update license mappings requests:
Added component and version level license mappings to the component "perl-mozilla-ldap" (componentId: 27183535).
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| alpine | 08/07/2024 |
| clojars | 08/08/2024 |
| cocoapods | 08/06/2024 |
| Conan | 08/08/2024 |
| cpan | 08/08/2024 |
| cran | 08/10/2024 |
| crates | 08/25/2022 |
| debian | 08/05/2024 |
| fedora-koji | 08/09/2024 |
| github | 08/10/2024 |
| gitlab | 06/06/2023 |
| go | 08/05/2024 |
| hackage | 08/11/2024 |
| maven2-ibiblio | 07/28/2024 |
| maven-google | 08/09/2024 |
| npm | 08/09/2024 |
| nuget gallery | 08/01/2024 |
| packagist | 07/28/2024 |
| pypi | 08/05/2024 |
| rubygems | 08/08/2024 |
Changes in Update Released on 25-July-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-53928 | Fixed False Positive vulnerability (CVE-2022-25758) reported on scss-tokenizer 0.4.3 (component id: 13388895) |
| SCA-53168 | Addition of vulnerability mappings to the component moment.js (component id: 3530129) (CVE-2022-24785, CVE-2022-31129) |
| SCA-53075 | Addition/Updating components, versions, licenses. Details are in the sections below |
New/Update component requests:
SNMP++ API (component id : 32304497)
ata-project (component id : 32304498)
foundation-icon-fonts-3 (component id : 32304496)
vistadb (component id : 32304499)
Updated component URL for jquery-validation (component id: 247443)
New/Update component_version requests:
SNMP++ API (component id : 32304497) - Versions from 3.0 to 3.5.2
ata-project (component id : 32304498) - Version 1.0
foundation-icon-fonts-3 (component id : 32304496) - Version 3
vistadb (component id : 32304499) - Version 5.0 to 6.5
nsis (component id: 6422) - Version 2.47 to 3.10
New/Update license requests:
Rebex General License(license-id: 2304)
SNMP++ License(license-id: 2302)
VistaDB License(license-id: 2303)
New/Update license mappings requests:
Added Rebex General License for rebex.ftp (component id: 22421074)
Added OpenSSL License for openssl (component id: 58316) versions 0.9.0 to 1.1.1w and added Apache-2.0 for openssl versions 3.0.0 and above
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| alpine | 7/24/2024 |
| clojars | 7/18/2024 |
| cocoapods | 7/23/2024 |
| Conan | 7/18/2024 |
| cpan | 7/18/2024 |
| cran | 7/20/2024 |
| crates | 8/25/2022 |
| debian | 7/22/2024 |
| fedora-koji | 7/18/2024 |
| github | 7/22/2024 |
| gitlab | 6/6/2023 |
| go | 7/24/2024 |
| hackage | 7/21/2024 |
| maven2-ibiblio | 7/3/2024 |
| maven-google | 7/19/2024 |
| npm | 7/23/2024 |
| nuget gallery | 7/11/2024 |
| packagist | 7/21/2024 |
| pypi | 7/15/2024 |
| rubygems | 7/18/2024 |
Changes in Update Released on 11-July-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-54193 | Updated the forge search criteria for forges like Conan, Debian, Cocoapods, Alpine etc |
| SCA-54188 | Enhancement to the Github Advisory Feed to collect the accurate GHSA url. |
| SCA-53761, SCA-53649 | Updated license mappings for the component asciidoc-py3 (Id: 29955909), grpcio etc |
| SCA-53760 | Fixed False positive inventories detected due to incorrect URL match (RPM Analyzer). |
| SCA-53393, SCA-53350, SCA-53349 | License detection capability and license evidence mechanism was added/updated for licenses like BSD, Dom4j, CDDL-1.1 etc |
| SCA-53184 | Added/updated licenses like "Aspose End User License Agreement (2017)", "ABCpdf license" etc |
| SCA-52723 | Fixed False negative vulnerability mappings for components like tomcat-embed-core for CVE-2023-44487 |
New Vulnerability mappings:
CVE-2024-6387 (https://nvd.nist.gov/vuln/detail/CVE-2024-6387) for below Components.
openbsd-openssh (componentID: 58168)
openssh-openssh-portable (componentId: 684672)
redhat-enterprise-linux (componentId: 23215031)
openssh (componentId: 29970186)
openssh (componentId : 32188020)
New/Update component_version requests:
Saxon XSLT and XQuery Processor (component-id: 8657)
New/Update license requests:
ABCPDF License : License-id 2298
Accusoft Software License: License-id 2301
Aspose License 2017: License-id 2299
Aspose License 2024: License-id 2300
SelectPDF HTML to PDF Converter License: License-id 2297
New/Update license mappings requests:
added Accusoft Software License to Accusoft ImageGear component (Id: 13512007)
added GPL-2.0-or-later license to asciidoc-py3 (Id: 29955909)
added SelectPDF HTML to PDF Converter License to select.htmltopdf - NuGet Gallery (Id: 3537714)
added ABCPDF License to abcpdf - NuGet Gallery (Id: 3512350)
added Aspose License 2017 and Aspose License 2024 License to groupdocs.conversion (Id: 22358106)
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Dom4j license
BSD License
CDDL-1.1 License
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| alpine | 7/10/2024 |
| clojars | 7/4/2024 |
| cocoapods | 7/9/2024 |
| Conan | 7/4/2024 |
| cpan | 7/4/2024 |
| cran | 7/6/2024 |
| crates | 8/25/2022 |
| debian | 7/8/2024 |
| fedora-koji | 7/4/2024 |
| github | 7/9/2024 |
| gitlab | 6/6/2023 |
| go | 7/10/2024 |
| hackage | 7/7/2024 |
| maven2-ibiblio | 6/12/2024 |
| maven-google | 7/5/2024 |
| npm | 6/21/2024 |
| nuget gallery | 7/4/2024 |
| packagist | 7/7/2024 |
| pypi | 7/8/2024 |
| rubygems | 7/4/2024 |
Changes in Update Released on 21-June-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| FLEX-1845 | Collection of components from Conan Package Manager - This is an addition to the set of forge collections. |
| FLEX-7421 | Enhancement to Go collection Gaps for components with versions v2,v3..vX |
| SCA-53291 | Updated component and license mappings for the component pmezard-go-difflib |
| FLEX-7607 | Data - Mapping of GHSA advisories to component-versions |
New/Update component requests:
pmezard-go-difflib (component-id: 8881995)
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 6/17/2024 |
| crates | 8/25/2022 |
| cpan | 6/20/2024 |
| cocoapods | 6/18/2024 |
| Conan | 6/20/2024 |
| clojars | 6/20/2024 |
| rubygems | 6/14/2024 |
| maven-google | 6/14/2024 |
| cran | 6/15/2024 |
| hackage | 6/16/2024 |
| packagist | 6/16/2024 |
| go | 6/14/2024 |
| pypi | 6/17/2024 |
| nuget gallery | 6/6/2024 |
| maven2-ibiblio | 6/5/2024 |
| github | 6/20/2024 |
| fedora-koji | 5/2/2024 |
| alpine | 6/15/2024 |
| gitlab | 6/6/2023 |
| debian | 6/17/2024 |
Changes in Update Released on 14-June-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-53076 | Addition or update component, version, licenses and license mapping details for requested components. Details are mentioned in below sections |
New/Update component requests:
adoptium-temurin-openjdk (component-id: 32084809)
pclbox (component-id: 32084808)
New/Update component_version requests:
adoptium-temurin-openjdk (component-id: 32084809) from 8.0.302+8 to 22.0.1+8
pclbox (component-id: 32084808) 1.0 and 2.0
jqueryui - (component-id: 122113) from 1.0 to 1.13.3
New/Update license mappings requests:
adoptium-temurin-openjdk (component-id: 32084809)
pclbox (component-id: 32084808)
jqueryui (component-id: 122113)
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 6/12/2024 |
| crates | 8/25/2022 |
| cpan | 6/6/2024 |
| cocoapods | 6/11/2024 |
| clojars | 6/6/2024 |
| rubygems | 6/6/2024 |
| maven-google | 6/7/2024 |
| cran | 6/8/2024 |
| hackage | 6/9/2024 |
| packagist | 6/9/2024 |
| go | 6/12/2024 |
| pypi | 6/10/2024 |
| nuget gallery | 6/6/2024 |
| maven2-ibiblio | 6/5/2024 |
| github | 6/12/2024 |
| fedora-koji | 5/2/2024 |
| alpine | 6/12/2024 |
| gitlab | 6/6/2023 |
| debian | 6/10/2024 |
Changes in Update Released on 17-May-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-52995 | Fixed False Negative Vulnerability for the nuget component Microsoft.IdentityModel |
| SCA-52933 | Fixed False positive vulnerabilities for commons-compress 1.26.0 |
| SCA-52724 | Fixed False Negative Vulnerability for the component commons-text |
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 4/28/2024 |
| crates | 8/25/2022 |
| cpan | 5/9/2024 |
| cocoapods | 4/30/2024 |
| clojars | 5/9/2024 |
| rubygems | 5/9/2024 |
| maven-google | 4/26/2024 |
| cran | 5/11/2024 |
| hackage | 5/12/2024 |
| packagist | 5/12/2024 |
| go | 5/13/2024 |
| pypi | 5/7/2024 |
| nuget gallery | 5/7/2024 |
| maven2-ibiblio | 5/01/2024 |
| github | 5/13/2024 |
| fedora-koji | 4/5/2024 |
| alpine | 5/8/2024 |
| gitlab | 6/6/2023 |
| debian | 5/13/2024 |
Changes in Update Released on 11-April-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-52738 | Fixed False Positive vulnerability for openbsd-openssh component for CVE-2002-0639 for version '2.5.1' |
| SCA-52947, SCA-53074, SCA-52305 | Addition or update component, version, licenses and license mapping details for requested components. Details are mentioned in below sections |
New/Update component requests:
xcurveballx-tablesorter - 31937493
artifexsoftware-jbig2dec - 31937495
artifexsoftware-urw-base35-fonts - 31937496
azure-macro-utils-c - 31937497
stleary-json-java - 12684762
editd-jquery-menu-aim - 31686788
initscripts-ipv6 - 31935720
cstring-clone-using-standard-c - 31935721
wixtoolset-visualstudioextension - 31937494
Updated URL for rillke-libogg
Updated URL for jboss-logging-jboss-logging
Updated URL for stleary-json-java
New/Update component_version requests:
Apache Xerces Java XML Parser (component-id: 33071)
Added missing versions 2.12.0 and higher. versions id for 2.12.0 is 267185709.
ub-mannheim/tesseract (component-id: 14721072)
version- 4.1 (184251962)
jboss-logging/jboss-logging (component-id: 294410)
versions are up-to-date till 3.5.3, version-id for 3.4.3 is 267185974.
New/Update license requests:
SelectPDF EULA(license-id: 2296) - https://selectpdf.com/eula/
New/Update license mappings requests:
Updated public domain license to stleary-json-java(12684762)
Updated Apache-2.0 license to krzyzanowskim-openssl(12973107)
Updated MIT license to jQuery-menu-aim(31686788)
Updated MIT to azure-azure-uamqp-c(18246106)
Updated MIT to azure-azure-umqtt-c(17219194)
Updated MIT to azure-azure-c-shared-utility(17219172)
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 3/27/2024 |
| crates | 8/25/2022 |
| cpan | 4/4/2024 |
| cocoapods | 4/09/2024 |
| clojars | 4/4/2024 |
| rubygems | 4/4/2024 |
| maven-google | 4/5/2024 |
| cran | 4/6/2024 |
| hackage | 4/7/2024 |
| packagist | 4/7/2024 |
| go | 4/10/2024 |
| pypi | 4/1/2024 |
| nuget gallery | 4/10/2024 |
| maven2-ibiblio | 3/21/2024 |
| github | 4/9/2024 |
| fedora-koji | 4/5/2024 |
| alpine | 4/10/2024 |
| gitlab | 6/6/2023 |
| debian | 4/8/2024 |
Changes in Update Released on 28-March-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| FLEX-4584 | Github Security Advisory is an addition to our list of vulnerability feeds. |
| SCA-52359 | Update license mappings for GNU GCC component |
| SCA-51961 | License detection automation for licenses like Simple Public License 2.0, SleepyCat License etc |
| SCA-52405 | Updated incorrect Apache licenses for components in Pypi forge |
| SCA-52301, SCA-52623 | Addition/Update component, version and license details for below mentioned components |
New/Update component requests:
JustMock
PDFjet for Java - https://github.com/edragoev1/pdfjet
Mozilla LDAP C SDK - https://github.com/dogtagpki/ldap-sdk
X Library - https://www.cross-browser.com/x/lib
Jigsaw W3Cs server - https://www.w3.org/Jigsaw
New/Update license requests:
W3C IPR SOFTWARE NOTICE https://www.w3.org/Consortium/Legal/copyright-software-19980519.html
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 3/27/2024 |
| crates | 8/25/2022 |
| cpan | 3/21/2024 |
| cocoapods | 3/26/2024 |
| clojars | 3/21/2024 |
| rubygems | 3/21/2024 |
| maven-google | 3/22/2024 |
| cran | 3/23/2024 |
| hackage | 3/24/2024 |
| packagist | 3/24/2024 |
| go | 3/25/2024 |
| pypi | 3/25/2024 |
| nuget gallery | 3/21/2024 |
| maven2-ibiblio | 3/21/2024 |
| github | 3/26/2024 |
| fedora-koji | 3/21/2024 |
| alpine | 3/27/2024 |
| gitlab | 6/6/2023 |
| debian | 3/25/2024 |
Changes in Update Released on 13-March-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-52086 | Fixed false positive vulnerability for the component snappy-java. |
| SCA-51389 | Publishing EPSS scores to PDL update package |
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 3/08/2024 |
| crates | 8/25/2022 |
| cpan | 3/07/2024 |
| cocoapods | 3/05/2024 |
| clojars | 3/07/2024 |
| rubygems | 3/07/2024 |
| maven-google | 3/08/2024 |
| cran | 3/09/2024 |
| hackage | 3/10/2024 |
| packagist | 3/03/2024 |
| go | 3/06/2024 |
| pypi | 3/04/2024 |
| nuget gallery | 2/29/2024 |
| maven2-ibiblio | 2/27/2024 |
| github | 3/11/2024 |
| fedora-koji | 3/08/2024 |
| alpine | 3/06/2024 |
| gitlab | 6/6/2023 |
| debian | 3/11/2024 |
Changes in Update Released on 01-March-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-52077 | Fixed False Negative Vulnerability for PostGres SQL driver |
| SCA-51813, SCA-51823, SCA-51828 | Updated license detection and license evidence mechanism for licenses like CDDL, Public Domain, BSD, GPL-2.0 |
| SCA-51814 | Updated component detection mechanism for libtommath component |
| SCA-51907 | Added/Updated components, versions and license mappings for components like Json in Java, async etc |
| SCA-52018 | Fixed license mappings for component "justmock" from Nuget forge |
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
CDDL-1.0
CDDL-1.1
GPL-2.0
BSD-Style
Public Domain
New/Update component requests:
libtommath
async
Json in Java
New/Update license requests:
Added a new license from https://www.telerik.com/purchase/license-agreement/kendo-ui - Telerik Kendo End User License Agreement
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 2/26/2024 |
| crates | 8/25/2022 |
| cpan | 2/22/2024 |
| clojars | 2/22/2024 |
| rubygems | 2/22/2024 |
| maven-google | 2/23/2024 |
| cran | 2/24/2024 |
| hackage | 2/25/2024 |
| packagist | 2/25/2024 |
| go | 2/26/2024 |
| pypi | 2/26/2024 |
| nuget gallery | 2/22/2024 |
| maven2-ibiblio | 2/14/2024 |
| github | 2/27/2024 |
| fedora-koji | 2/23/2024 |
| alpine | 2/28/2024 |
| gitlab | 6/6/2023 |
| debian | 2/26/2024 |
Changes in Update Released on 05-February-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-51559 | Fix to handle "rejected" cves from NVD in data library. |
| SCA-38151, SCA-51747, SCA-51959 | Addition/update license evidence mechanism and license detection capability for licenses like Yahoo! Public License, Open Software License, NASA Open Source Agreement, Sleepycat License etc |
| SCA-51269, SCA-51036, SCA-51858 | Added/updated component, version, license or license mappings in data library for the requested components, details are in the separate sections below. |
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
SIL Open Font License 1.1
Yahoo! Public License v1.0
Yahoo! Public License v1.1
Open Software License 1.0
Open Software License 1.1
Open Software License 2.0
Open Software License 2.1
Open Software License 3.0
Multics License
NASA Open Source Agreement 1.3
Naumen Public License
Apple Public Source License 1.0
CUA Office Public License v1.0
Simple Public License 2.0
Sleepycat License
SugarCRM Public License v1.1.3
Independent JPEG Group License
New/Update component requests:
ljharb-define-data-property (Component_id:31686787)
editd-jquery-menu-aim (Component_id:31686788)
ljharb-set-function-length (Component_id:31686789)
imagegear-net-samples (Component_id: 31490027)
The-Ultimate-Toolbox-Application-Skins (Component_id: 31490026)
SNMP4j (Component_id: 31490028)
OpenSSL Project (Component_id: 58316)
Bouncy Castle Crypto Csharp (Component_id: 11253334)
New/Update license requests:
ANTLR 3 License - Updated the license url to https://www.antlr3.org/license.html (license_id: )
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 1/24/2024 |
| crates | 8/25/2022 |
| cpan | 1/18/2024 |
| clojars | 1/18/2024 |
| rubygems | 1/18/2024 |
| maven-google | 1/19/2024 |
| cran | 1/20/2024 |
| hackage | 1/21/2024 |
| packagist | 1/21/2024 |
| go | 1/22/2024 |
| pypi | 1/08/2024 |
| nuget gallery | 1/11/2024 |
| maven2-ibiblio | 1/10/2024 |
| github | 1/23/2024 |
| fedora-koji | 1/17/2024 |
| alpine | 1/24/2024 |
| gitlab | 6/6/2023 |
| debian | 1/22/2024 |
Changes in Update Released on 03-January-2024
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to Apache Struts Components
Added vulnerability information to the following apache-struts components:
| Component ID | Name | URL |
| --- | --- | --- |
| 33042 | apache-struts | http://struts.apache.org |
| 565248 | struts2-core | https://repo1.maven.org/maven2/org/apache/struts/struts2-core |
| 738786 | apache-struts | https://github.com/apache/struts |
| 5398957 | struts | http://struts.apache.org/ |
Related to Vulnerability CVEs
CVE-2023-50164 (https://nvd.nist.gov/vuln/detail/CVE-2023-50164).
Issues/Bugs Addressed
Issue ID
Issue Summary
SCA-51793
Addition of vulnerability mappings for Apache struts component for CVE-2023-50164 (https://nvd.nist.gov/vuln/detail/CVE-2023-50164).
Updated component/version info for the below components
SCA-51532
Addition of new licenses to data library MICROSOFT.WEB.XDT and MICROSOFT ASP.NET SIGNALR and also updating component/version information for Nuget components
SCA-51265, SCA-51033
Updating component/version information for Npmjs/Pypi components.
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 12/28/2023 |
| crates | 8/25/2022 |
| cpan | 12/28/2023 |
| clojars | 12/28/2023 |
| rubygems | 12/21/2023 |
| maven-google | 12/22/2023 |
| cran | 12/23/2023 |
| hackage | 12/24/2023 |
| packagist | 12/24/2023 |
| go | 12/27/2023 |
| pypi | 12/27/2023 |
| nuget gallery | 12/21/2023 |
| maven2-ibiblio | 12/06/2023 |
| github | 12/27/2023 |
| fedora-koji | 12/13/2023 |
| alpine | 12/27/2023 |
| gitlab | 6/6/2023 |
| debian | 12/25/2023 |
Changes in Update Released on 28-November-2023
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-48882 | Addition of Cocoapods forge to our list of forge collection |
| SCA-51152 | Addition of new component detection capability for the component NTAP/Quant |
New Component Detection Rules
NTAP/Quant
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 8/15/2023 |
| crates | 8/25/2022 |
| cpan | 11/16/2023 |
| clojars | 11/16/2023 |
| rubygems | 11/16/2023 |
| maven-google | 11/17/2023 |
| cran | 11/18/2023 |
| hackage | 11/19/2023 |
| packagist | 11/19/2023 |
| go | 11/17/2023 |
| pypi | 11/13/2023 |
| nuget gallery | 11/09/2023 |
| maven2-ibiblio | 11/23/2023 |
| github | 11/24/2023 |
| fedora-koji | 11/26/2023 |
| alpine | 11/15/2023 |
| gitlab | 6/6/2023 |
| debian | 11/20/2023 |
Changes in Update Released on 10-November-2023
This update includes the changes described in the following sections.
Updates to Apache Activemq Components
Added vulnerability information to the following activemq components:
| Component ID | Component Name | URL |
| --- | --- | --- |
| 58129 | apache-activemq | http://activemq.apache.org/ |
| 173954 | apache-activemq | https://github.com/apache/activemq |
| 573649 | activemq-all | https://repo1.maven.org/maven2/org/apache/activemq/activemq-all |
| 581532 | apache-activemq | https://repo1.maven.org/maven2/org/apache/activemq/apache-activemq |
| 596014 | activemq-openwire-legacy | https://repo1.maven.org/maven2/org/apache/activemq/activemq-openwire-legacy |
| 30391285 | activemq | https://tracker.debian.org/pkg/activemq |
Related to Vulnerability CVEs
CVE-2023-46604 (https://nvd.nist.gov/vuln/detail/CVE-2023-46604)
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-50558 | License Evidence - "OpenSSL License" Evidence is missing on scanning "attribution-file.zip" file. |
| SCA-38149 | Addition of License evidence mechanism and license detection capabilities to licenses like "Sax Public Domain Notice", "The unlicense" etc |
| SCA-50018 | Updated license evidence mechanism and license detection capability for "IBM Public License v1.0" as the License evidence was missing on scanning "autoglyph.c" file |
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Sax Public Domain Notice
University of Illinois/NCSA Open Source License
The Unlicense
Vovida Software License v1.0
W3C Software Notice and License (2002-12-31)
X.Net License
XFree86 License 1.1
Zend License v2.0
Zope Public License 1.1
Zope Public License 2.0
Zope Public License 2.1
Collector Status
| Name | Date of Last Successful Run |
| --- | --- |
| npm | 8/15/2023 |
| crates | 8/25/2022 |
| cpan | 11/02/2023 |
| clojars | 11/09/2023 |
| rubygems | 11/02/2023 |
| maven-google | 11/03/2023 |
| cran | 11/04/2023 |
| hackage | 11/05/2023 |
| packagist | 11/05/2023 |
| go | 11/06/2023 |
| pypi | 11/06/2023 |
| nuget gallery | 11/02/2023 |
| maven2-ibiblio | 11/01/2023 |
| github | 11/08/2023 |
| fedora-koji | 11/03/2023 |
| alpine | 11/08/2023 |
| gitlab | 6/6/2023 |
| debian | 11/06/2023 |
Changes in Update Released on 27-October-2023
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
| Issue ID | Issue Summary |
| --- | --- |
| SCA-50609 | Resolved False Positive vulnerabilities being detected for Component ckan (Id: 21948217) with version 0.6 (Id: 117793043). |
| SCA-49864 | Addition of vulnerability mappings to Chart.js 1.0.2 for CVE-2020-7746 |
| SCA-49752 | Enhanced the Debian collector to collect more packages from different folders like non-free, non-free-firmware, contrib |
| SCA-48039 | Resolved False Positive vulnerabilities for components like "bootstrap" and "commons-collections" |
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Reciprocal Public License 1.1
Reciprocal Public License 1.5
Red Hat eCos Public License v1.1
SGI Free Software License B v1.0
SGI Free Software License B v1.1
SGI Free Software License B v2.0
SHL-2.0
SHL-2.1
SWI-exception
Swift-exception
Universal-FOSS-exception-1.0
vsftpd-openssl-exception
Autoconf-exception-generic
Autoconf-exception-macro
Asterisk-exception
cryptsetup-OpenSSL-exception
LLGPL
OCaml-LGPL-linking-exception
PS-or-PDF-font-exception-20170817
QPL-1.0-INRIA-2004-exception
GNAT-exception
x11vnc-openssl-exception
Qt-GPL-exception-1.0
Qt-LGPL-exception-1.1
Collector Status
Name | Date of Last Successful Run
npm | 8/15/2023
crates | 8/25/2022
cpan | 10/19/2023
clojars | 10/19/2023
rubygems | 10/19/2023
maven-google | 10/13/2023
cran | 10/21/2023
hackage | 10/22/2023
packagist | 10/22/2023
go | 10/23/2023
pypi | 10/16/2023
nuget gallery | 10/15/2023
maven2-ibiblio | 9/27/2023
github | 10/23/2023
fedora-koji | 10/20/2023
alpine | 10/18/2023
gitlab | 6/6/2023
debian | 10/23/2023
Changes in Mini Update Released on 13-October-2023
This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-50859 | Addition of vulnerabilities "CVE-2023-38545" and "CVE-2023-38546" to curl/libcurl and related components
Updates to Curl and Libcurl Components
Added vulnerability information to the following Curl/Libcurl components:
Component ID | Component Name | URL
372 | curl | https://sourceforge.net/projects/curl
63745 | libcurl | https://directory.fsf.org/wiki?title=Libcurl&oldid=416
5400074 | libcurl | http://curl.haxx.se/
5406656 | curl | http://curl.haxx.se/
7466892 | curl | http://curl.haxx.se
12395199 | curl-curl | https://github.com/curl/curl
12960352 | curl | https://directory.fsf.org/wiki?title=Curl&oldid=17934
27213212 | curl | https://koji.fedoraproject.org/koji/packageinfo?packageID=curl
29960949 | libcurl | https://pkgs.alpinelinux.org/package/v3.18/main/x86_64/libcurl
29968624 | curl | https://pkgs.alpinelinux.org/package/v3.18/main/x86_64/curl
30362751 | curl | https://tracker.debian.org/pkg/curl
22012687 | pycurl | https://pypi.org/pypi/pycurl
4595372 | pycurl-pycurl | https://github.com/pycurl/pycurl
8180 | pycurl | https://sourceforge.net/projects/pycurl
21868341 | pycurl | https://directory.fsf.org/wiki?title=PycURL&oldid=2278
3518205 | curl | https://www.nuget.org/packages/curl
22329315 | curl-vc140-static-32_64 | https://www.nuget.org/packages/curl-vc140-static-32_64
Related to vulnerability CVEs:
CVE-2023-38545 (https://nvd.nist.gov/vuln/detail/CVE-2023-38545)
CVE-2023-38546 (https://nvd.nist.gov/vuln/detail/CVE-2023-38546)
Changes in Update Released on 14-September-2023
This update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-49924 | Enhanced the SPDX collector to collect license exceptions from spdx.org and add to our data library.
SCA-49081, SCA-49078 | Added License detection capability and license evidence mechanism (licenses mentioned below)
SCA-48734 | Updated version for Npm component content-type (https://www.npmjs.com/package/content-type) and license information for nuget component castle.core (https://www.nuget.org/packages/Castle.Core)
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
i2p-gpl-java-exception
u-boot-exception-2.0
Qwt-exception-1.0
Linux-syscall-note
LLVM-exception
LZMA-exception
mif-exception
OCCT-exception-1.0
OpenJDK-assembly-exception-1.0
openvpn-openssl-exception
WxWindows-exception-3.1
DigiRule-FOSS-exception
eCos-exception-2.0
Fawkes-Runtime-exception
FLTK-exception
Font-exception-2.0
freertos-exception-2.0
GCC-exception-2.0
GCC-exception-3.1
gnu-javamail-exception
Libtool Exception
GPL-3.0-interface-exception
GPL-3.0-linking-exception
GPL-3.0-linking-source-exception
GPL-CC-1.0
GStreamer-exception-2005
GStreamer-exception-2008
KiCad-libraries-exception
LGPL-3.0-linking-exception
libpri-OpenH323-exception
SHL-2.0
SHL-2.1
SWI-exception
Swift-exception
Universal-FOSS-exception-1.0
vsftpd-openssl-exception
Autoconf-exception-generic
Autoconf-exception-macro
Asterisk-exception
cryptsetup-OpenSSL-exception
Collector Status
Name | Date of Last Successful Run
npm | 8/15/2023
crates | 8/25/2022
cpan | 9/07/2023
clojars | 9/07/2023
rubygems | 9/07/2023
maven-google | 9/08/2023
cran | 9/09/2023
hackage | 9/10/2023
packagist | 9/10/2023
go | 9/11/2023
pypi | 9/11/2023
nuget gallery | 9/07/2023
maven2-ibiblio | 8/30/2023
github | 8/25/2023
fedora-koji | 9/11/2023
alpine | 9/13/2023
gitlab | 6/6/2023
debian | 9/11/2023
Changes in Update Released on 10-August-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-49244 | Detection of OpenSC component.
SCA-49077, SCA-49076, SCA-49074, SCA-49072 | Added License detection capability and license evidence mechanism.
SCA-48974 | Alpine Zlib Missing Vulnerability
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
AdaCore-doc
Bitstream-Charter
Brian-Gladman-3-Clause
BSD-4.3RENO
BSD-4.3TAHOE
CFITSIO
checkmk
CMU-Mach
Cornell-Lossless-JPEG
DRL-1.0
FSFULLRWD
Graphics-Gems
HPND-Markus-Kuhn
HPND-export-US
IEC-Code-Components-EULA
IJG-short
JPL-image
Kazlib
Knuth-CTAN
libutil-David-Nugent
Linux-syscall-note
snprintf
Symlinks
TPDL
TTWL
w3m
xlock
Loop
Martin-Birgmeier
Minpack
MIT-Wu
mpi-permissive
NICTA-1.0
OFFIS
389-exception
Autoconf-exception-2.0
Autoconf-exception-3.0
Bison-exception-2.2
Bootloader-exception
Classpath-exception-2.0
CLISP-exception-2.0
New Component Detection Rules
OpenSC
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
Zlib (Alpine)
Collector Status
Name | Date of Last Successful Run
npm | 8/7/2023
crates | 8/25/2022
cpan | 8/3/2023
clojars | 8/3/2023
rubygems | 8/3/2023
maven-google | 8/4/2023
cran | 8/5/2023
hackage | 8/6/2023
packagist | 8/6/2023
go | 8/7/2023
pypi | 7/31/2023
nuget gallery | 8/1/2023
maven2-ibiblio | 6/14/2023
github | 7/14/2023
fedora-koji | 8/8/2023
alpine | 8/2/2023
gitlab | 6/6/2023
debian | 8/7/2023
Changes in Update Released on 23-June-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44211 | Enhancements for License text extraction to improve the Third Party Notices text reports
SCA-48496 | Fixed the false positive vulnerability CVE-2017-15288 for scala-java8-compat_2.12
SCA-48430 | Updated vulnerability information for 7-zip component
SCA-44156 | License cleanup for Bitstream license in our data library
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Apache-2.0
Apache-1.0
Nethack General Public License
Netizen Open Source License
Nokia Open Source License
Non-Profit Open Software License 3.0
OCLC Research Public License 2.0
Open Data Commons Open Database License v1.0
Open Data Commons Public Domain Dedication & License 1.0
Open Group Test Suite License
Open Public License v1.0
OpenSSL License
New Component Detection Rules
Lua
Linux Kernel
Collector Status
Name | Date of Last Successful Run
npm | 6/19/2023
crates | 8/25/2022
cpan | 6/22/2023
clojars | 6/15/2023
rubygems | 6/15/2023
maven-google | 6/15/2023
cran | 6/17/2023
hackage | 6/18/2023
packagist | 6/18/2023
go | 6/21/2023
pypi | 2/13/2023
nuget gallery | 6/1/2023
maven2-ibiblio | 6/14/2023
github | 6/3/2023
fedora-koji | 6/21/2023
alpine | 6/21/2023
gitlab | 6/6/2023
debian | 6/19/2023
Changes in Update Released on 31-May-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-41334 | Addition of Debian Packages Collection to our list of forge collections
SCA-47928 | Extracting License Text from .py files
SCA-46100 | Adding the missing priority to licenses and updating the incorrect ones in data library
SCA-47100 | Updated vulnerabilities and versions for openssh component
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
libpng License
Lucent Public License Version 1.0
Lucent Public License v1.02
Microsoft Public License
Microsoft Reciprocal License
The MirOS Licence
Motosoto License
Eurosym License
Fair License
Frameworx Open License 1.0
FreeBSD Documentation License
Freetype Project License
gSOAP Public License v1.3b
Historical Permission Notice and Disclaimer
IBM Public License v1.0
iMatix Standard Function Library Agreement
Imlib2 License
Collector Status
Name | Date of Last Successful Run
npm | 1/31/2023
crates | 8/25/2022
cpan | 5/25/2023
clojars | 5/25/2023
rubygems | 5/25/2023
maven-google | 5/26/2023
cran | 5/27/2023
hackage | 5/28/2023
packagist | 5/28/2023
go | 5/29/2023
pypi | 2/13/2023
nuget gallery | 4/6/2023
maven2-ibiblio | 1/18/2023
github | 5/29/2023
fedora-koji | 5/25/2023
alpine | 5/4/2023
gitlab | 5/30/2023
debian | 5/4/2023
Changes in Update Released on 04-May-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-47510 | Enhancement to Nuget Collector to extract Notices Text from .cpp and .h files.
SCA-47790 | Updated license mappings, license evidence and license detection capabilities for iText Commercial License related to the component itext7.
Collector Status
Name | Date of Last Successful Run
npm | 1/31/2023
crates | 8/25/2022
cpan | 4/6/2023
clojars | 2/9/2023
rubygems | 4/6/2023
maven-google | 4/7/2023
cran | 4/8/2023
hackage | 4/9/2023
packagist | 2/13/2023
go | 4/10/2023
pypi | 2/13/2023
nuget gallery | 4/6/2023
maven2-ibiblio | 1/18/2023
github | 2/14/2023
fedora-koji | 2/13/2023
alpine | 4/5/2023
gitlab | 11/19/2022
Changes in Update Released on 17-April-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44500 | Integration of PURL to collector - Github
SCA-46813 | Enhancement to Npmjs to extract Notices Text from .mkd file.
SCA-47062 | Updated vulnerabilities for the component Xstream 1.4.19.
SCA-47493 | Fixed the false positive license evidences related to Baekmuk License
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Clarified Artistic License
Code Project Open License 1.02
Common Development and Distribution License 1.0
Common Development and Distribution License 1.1
Common Public Attribution License 1.0
Common Public License 1.0
Computer Associates Trusted Open Source License 1.1
Condor Public License v1.1
LaTeX Project Public License v1.0
LaTeX Project Public License v1.1
LaTeX Project Public License v1.2
LaTeX Project Public License v1.3a
LaTeX Project Public License v1.3c
New/Update Component Requests
microsoft-sql-server-2017-reporting-services
microsoft-sql-server-2019-reporting-services
microsoft-sql-server-2022-reporting-services
Windows 10 SDK
Collector Status
Name | Date of Last Successful Run
crates | 8/25/2022
gitlab | 11/19/2022
maven2-ibiblio | 01/10/2022
go | 04/10/2023
cpan | 04/06/2023
fedora-koji | 02/13/2023
clojars | 02/09/2023
rubygems | 04/06/2023
maven-google | 04/07/2023
cran | 04/08/2023
hackage | 04/09/2023
packagist | 02/05/2023
npm | 1/31/2023
nuget gallery | 04/06/2023
alpine | 04/05/2023
pypi | 02/13/2023
github | 02/14/2023
Changes in Update Released on 24-March-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44498, SCA-44503, SCA-45457 | Integration of PURL to Alpine, Rubygems, Go in the data library
SCA-46214 | Generic Mapper is an addition to our vulnerability mappers. This is an enhancement to the existing NPMJS mapper to include Maven and Packagist and make it a generic one.
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
3dfx Glide License
Academic Free License v1.1
Academic Free License v1.2
Academic Free License v2.0
Academic Free License v2.1
Academic Free License v3.0
Adaptive Public License 1.0
Adobe Systems Incorporated Source Code License Agreement
Giftware License
Adobe Glyph List License
Apple Public Source License 1.0
Apple Public Source License 1.1
Apple Public Source License 1.2
Apple Public Source License 2.0
Artistic License 1.0
Artistic License 2.0
Beerware License
eCos license version 2.0
Educational Community License v1.0
Educational Community License v2.0
Attribution Assurance License
Apache License 1.0
Apache License 1.1
Apache License 2.0
Eiffel Forum License v1.0
Eiffel Forum License v2.0
Amazon Digital Services License
ANTLR Software Rights Notice
ANTLR Software Rights Notice with license fallback
Adobe Postscript AFM License
Collector Status
Name | Date of Last Successful Run
npm | 1/31/2023
crates | 8/25/2022
cpan | 3/23/2023
clojars | 2/9/2023
rubygems | 3/23/2023
maven-google | 2/10/2023
cran | 3/18/2023
hackage | 2/12/2023
packagist | 2/5/2023
go | 3/24/2023
pypi | 2/13/2023
nuget gallery | 3/16/2023
maven2-ibiblio | 1/18/2023
github | 2/14/2023
fedora-koji | 2/13/2023
alpine | 3/22/2023
gitlab | 11/19/2022
Changes in Update Released on 10-March-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44820 | NPM Notices Text: Fixing the Missing release_license_text mappings for Npm components
SCA-46203, SCA-44502 | Integration of PURL to the collectors Npmjs and Nuget
SCA-47061 | Addition of cocoapods forge to our data library
SCA-46161, SCA-46144, SCA-42593, SCA-46477 | Fixed false positive vulnerabilities for components like android-json, prometheus_client 0.15.0, jqueryui, Microsoft Reportviewer and Microsoft vcruntime etc.
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Sendmail
SISSL
SISSL-1.2
SMLNJ
SMPPL
SNIA
Spencer-86
Spencer-94
Spencer-99
TCL
TCP-wrappers
TORQUE-1.1
TOSL
u-boot-exception-2.0
Unicode-DFS-2015
Unicode-DFS-2016
Unicode-TOU
UPL-1.0
VOSTROM
W3C-20150513
W3C-19980720
Wsuipa
WTFPL
X11
Xerox
Xpp
XSkat
Zed
Zimbra-1.4
Zimbra-1.3
zlib-acknowledgement
zlib
UCL-1.0
SSPL-1.0
SHL-0.5
SHL-0.51
Sendmail-8.23
PSF-2.0
TAPR-OHL-1.0
PolyForm-Small-Business-1.0.0
PolyForm-Noncommercial-1.0.0
Parity-7.0.0
Parity-6.0.0
OGL-UK-1.0
OGL-UK-2.0
OGL-UK-3.0
OGL-Canada-2.0
OGDL-Taiwan-1.0
TU-Berlin-1.0
TU-Berlin-2.0
SSH-OpenSSH
SSH-short
Collector Status
Name | Date of Last Successful Run
npm | 1/31/2023
crates | 8/25/2022
cpan | 2/9/2023
clojars | 2/9/2023
rubygems | 2/10/2023
maven-google | 2/10/2023
cran | 2/11/2023
hackage | 2/12/2023
packagist | 2/13/2023
go | 2/14/2023
pypi | 2/15/2023
nuget gallery | 2/15/2023
maven2-ibiblio | 1/18/2023
github | 2/15/2023
fedora-koji | 2/15/2023
alpine | 2/15/2023
gitlab | 11/19/2022
Changes in Update Released on 24-February-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-46545 | Update License URL of OpenPBS License v2.3 in the data library
SCA-44499 | Integration of Purl to Cran collector
Collector Status
Name | Date of Last Successful Run
gitlab | 11/19/2022
npm | 1/31/2023
crates | 8/25/2022
cpan | 2/9/2023
clojars | 2/9/2023
rubygems | 2/10/2023
maven-google | 2/10/2023
cran | 2/11/2023
hackage | 2/12/2023
packagist | 2/13/2023
go | 2/14/2023
alpine | 2/15/2023
fedora-koji | 2/15/2023
pypi | 2/15/2023
github | 2/15/2023
nuget gallery | 2/15/2023
maven2-ibiblio | 1/18/2023
Changes in Update Released on 20-February-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to OpenSSL Component
Added vulnerability information to the following openSSL components:
openssl (id: 58316) - https://www.openssl.org
openssl-openssl (id: 416271) - https://github.com/openssl/openssl
openssl (id: 27181269) - https://koji.fedoraproject.org/koji/packageinfo?packageID=openssl
Related to Vulnerability CVEs:
CVE-2023-0286 (https://nvd.nist.gov/vuln/detail/CVE-2023-0286)
CVE-2022-4304 (https://nvd.nist.gov/vuln/detail/CVE-2022-4304)
CVE-2023-0215 (https://nvd.nist.gov/vuln/detail/CVE-2023-0215)
CVE-2022-4450 (https://nvd.nist.gov/vuln/detail/CVE-2022-4450)
CVE-2023-0216 (https://nvd.nist.gov/vuln/detail/CVE-2023-0216)
CVE-2023-0217 (https://nvd.nist.gov/vuln/detail/CVE-2023-0217)
CVE-2023-0401 (https://nvd.nist.gov/vuln/detail/CVE-2023-0401)
Issue ID | Issue Summary
SCA-45980 | Review and add the license priority for "commercial license" in licenses table
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
PostgreSQL
psfrag
psutils
Qhull
QPL-1.0
Rdisc
RSA-MD
Saxpath
SCEA
New/Update Component Requests
krig-parallax
inuitcss-generic.normalize
Collector Status
Name | Date of Last Successful Run
gitlab | 11/19/2022
maven2-ibiblio | 1/18/2023
alpine | 2/8/2023
npm | 1/31/2023
crates | 8/25/2022
cpan | 2/9/2023
clojars | 2/9/2023
rubygems | 2/10/2023
maven-google | 2/10/2023
cran | 2/11/2023
hackage | 2/12/2023
fedora-koji | 2/12/2023
packagist | 2/13/2023
go | 2/14/2023
pypi | 2/15/2023
github | 2/15/2023
nuget gallery | 2/15/2023
Changes in Update Released on 30-January-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-45333 | SPDX Collector: Populate license_attribute values for all the licenses
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
NetCDF
Newsletr
NLOD-1.0
NLOD-2.0
NLPL
OLDAP-1.1
OLDAP-1.2
OLDAP-1.3
OLDAP-1.4
OLDAP-2.0
OLDAP-2.0.1
OLDAP-2.1
OLDAP-2.2
OLDAP-2.2.1
OLDAP-2.2.2
OLDAP-2.4
OLDAP-2.5
OLDAP-2.6
OLDAP-2.7
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
Tcexam
Collector Status
Name | Date of Last Successful Run
crates | 8/25/2022
gitlab | 11/19/2022
maven2-ibiblio | 1/18/2023
go | 1/23/2023
cpan | 1/19/2023
fedora-koji | 1/23/2023
clojars | 1/19/2023
rubygems | 1/20/2023
maven-google | 1/20/2023
cran | 1/21/2023
hackage | 1/22/2023
packagist | 1/23/2023
npm | 1/23/2023
nuget gallery | 1/18/2023
alpine | 1/18/2023
pypi | 1/18/2023
github | 1/23/2023
Changes in Update Released on 12-January-2023
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-45214 | Fixed missing vulnerability issue for component dom4j
SCA-44820 | Fixed the missing release_license_text mappings for Npm components
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
MITNFA
mpich2
MTLL
Mup
NBPL-1.0
OSET-PL-2.1
Plexus
Artistic-1.0
Artistic-1.0-cl8
Artistic-1.0-Perl
Artistic-2.0
Noweb
NRL
Nunit
OCCT-PL
OML
New/Update Component Requests
Microsoft Capicom
Microsoft Enterprise Library 5
Microsoft .NET Framework
Collector Status
Name | Date of Last Successful Run
crates | 8/25/2022
gitlab | 11/19/2022
maven2-ibiblio | 12/22/2022
go | 1/4/2023
cpan | 1/5/2023
fedora-koji | 1/5/2023
clojars | 1/5/2023
rubygems | 1/6/2023
maven-google | 1/6/2023
cran | 1/7/2023
hackage | 1/8/2023
packagist | 1/9/2023
npm | 1/10/2023
nuget gallery | 1/10/2023
alpine | 1/11/2023
pypi | 1/11/2023
github | 1/11/2023
Changes in Update Released on 22-December-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44946 | Nuget version level licenses - Support for new licenses
SCA-44702 | Update the Component versions for nvuillam-npm-groovy-lint
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Leptonica
LGPLLR
libtiff
LiLiQ-P-1.1
LiLiQ-Rplus-1.1
LiLiQ-R-1.1
MakeIndex
Net-SNMP
Collector Status
Name | Date of Last Successful Run
crates | 8/25/2022
gitlab | 11/19/2022
cpan | 12/15/2022
clojars | 12/15/2022
rubygems | 12/16/2022
maven-google | 12/16/2022
cran | 12/17/2022
hackage | 12/18/2022
packagist | 12/19/2022
alpine | 12/21/2022
fedora-koji | 12/21/2022
npm | 12/21/2022
pypi | 12/21/2022
nuget gallery | 12/21/2022
go | 12/22/2022
github | 12/22/2022
maven2-ibiblio | 12/22/2022
Changes in Update Released on 08-December-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44052 | Added Spice Software License and detection rules.
SCA-43599 | Nuget Collector: Enhancement to collect version level licenses.
SCA-44396 | Invalid URLs in the description for some of the components.
SCA-44439 | Alpine Collector Enhancements - Version Level Date Enhancements.
SCA-44438 | Alpine Collector Enhancements - RepoURL Enhancements.
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
ICU
ImageMagick
Intel-ACPI
Interbase-1.0
JasPer-2.0
LAL-1.2
LAL-1.3
GL2PS
Glulxe
Gnuplot
FSFUL
HaskellReport
IBM-pibs
Latex2e
New/Update Component Requests
None
Collector Status
Name | Date of Last Successful Run
crates | 8/25/2022
npm | 12/08/2022
pypi | 10/18/2022
alpine | 11/30/2022
gitlab | 11/19/2022
cpan | 12/08/2022
rubygems | 12/08/2022
clojars | 12/08/2022
github | 12/07/2022
maven-google | 12/02/2022
fedora-koji | 12/07/2022
cran | 12/03/2022
nuget gallery | 12/01/2022
hackage | 12/04/2022
packagist | 12/04/2022
go | 12/07/2022
maven2-ibiblio | 11/28/2022
Changes in Update Released on 29-November-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44021 | Addition of Go vulnerability mapper to the list of our automated vulnerability mappers
SCA-44283 | Added the license Microsoft .Net Compiler Platform Redistributable Packages Preview to the data library
SCA-44290 | Updated the invalid URLs of a few Go forge components like Alamofire/AlamofireImage, BoltsFramework/Bolts-Swift and bitstadium/hockeykit.
SCA-44376 | Updating license information for the component jquery (id: 3526090)
SCA-44397, SCA-43635 | Fixed false positive vulnerability for components like system.threading.tasks nuget package and MySQL NPM module.
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
Qt-GPL-exception-1.0.txt
SchemeReport.txt
SWL.txt
Universal-FOSS-exception-1.0.txt
X11-distribute-modifications-variant.txt
XSkat.txt
CECILL-1.0
CECILL-1.1
CECILL-2.0
CECILL-2.1
CECILL-B
CECILL-C
MPL-1.0
MPL-1.1
MPL-2.0
MPL-2.0-no-copyleft-exception
NPL-1.0
NPL-1.1
MIT License
MIT-open-group
X11
X11-distribute-modifications-variant
XSkat
SWL
SchemeReport
New/Update Component Requests
XIPH Flac
XORG XServer
Collector Status
Name | Date of Last Successful Run
crates | 8/25/2022
npm | 10/11/2022
pypi | 10/18/2022
alpine | 11/8/2022
gitlab | 11/19/2022
cpan | 11/24/2022
rubygems | 11/24/2022
clojars | 11/24/2022
github | 11/24/2022
maven-google | 11/25/2022
fedora-koji | 11/26/2022
cran | 11/26/2022
nuget gallery | 11/26/2022
hackage | 11/27/2022
packagist | 11/28/2022
go | 11/28/2022
maven2-ibiblio | 11/28/2022
Changes in Update Released on 11-November-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-44237 | Addition of missing vulnerabilities for junit (componentId: 437385)
SCA-44183 | Addition of missing vulnerabilities for xercesimpl and spring-data-mongodb
SCA-44075 | Update license text for the license Microsoft .NET Library License
SCA-44065 | Fixing license evidences for net-tools component
SCA-41333 | Addition of Alpine forge to list of our forge data collection
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
mplus.txt
MulanPSL-1.0.txt
MulanPSL-2.0.txt
NAIST-2003.txt
NCGL-UK-2.0.txt
NIST-PD-fallback.txt
NIST-PD.txt
NTP-0.txt
O-UDA-1.0.txt
ODC-By-1.0.txt
OpenJDK-assembly-exception-1.0.txt
OPUBL-1.0.txt
MIT-0
MIT-CMU
MIT-enna
MIT-feh
MIT-Modern-Variant.txt
MIT-open-group.txt
New/Update Component Requests
Google Play Services Android
android-support-library-v13
TrafficWatcher
ata-project
Telerik UI for ASP.NET MVC Components
Microsoft.Data.SqlClient.SNI.runtime
microsoft.aspnet.webapi.tracing
Microsoft SQL Server Compact 3.5 Service Pack 2
Collector Status
Name | Date of Last Successful Run
alpine | 11/8/2022
crates | 8/25/2022
npm | 10/11/2022
pypi | 10/18/2022
cran | 10/22/2022
maven2-ibiblio | 10/27/2022
clojars | 11/3/2022
rubygems | 11/3/2022
maven-google | 11/4/2022
cpan | 11/4/2022
nuget gallery | 11/5/2022
hackage | 11/6/2022
packagist | 11/7/2022
go | 11/9/2022
github | 11/9/2022
gitlab | 11/9/2022
fedora-koji | 11/10/2022
Changes in Mini Update Released on 02-November-2022
This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to OpenSSL Component
Added vulnerability information to the following openSSL components:
openssl (id: 58316) - https://www.openssl.org
openssl-openssl (id: 416271) - https://github.com/openssl/openssl
openssl (id: 27181269) - https://koji.fedoraproject.org/koji/packageinfo?packageID=openssl
Related to vulnerability CVEs:
CVE-2022-3786 (https://nvd.nist.gov/vuln/detail/CVE-2022-3786)
CVE-2022-3602 (https://nvd.nist.gov/vuln/detail/CVE-2022-3602)
Issue ID | Issue Summary
SCA-44311 | Addition of new vulnerabilities related to OpenSSL component
Changes in Mini Update Released on 21-October-2022
This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to Apache Commons Text Component
Added vulnerability information to the apache-commons-text component (https://github.com/apache/commons-text) related to the vulnerability CVE:
CVE-2022-42889 (https://nvd.nist.gov/vuln/detail/CVE-2022-42889)
Issue ID | Issue Summary
SCA-44223 | Mapping new vulnerability CVE-2022-42889 to the component apache-commons-text
Changes in Update Released on 18-October-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-43662 | Addition of latest versions for the component Akka
SCA-43253 | Fixing the version information for the component https://github.com/Sequel-Ace/Sequel-Ace.
SCA-42544 | Fixing false positive vulnerabilities for the component jquery UI
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
CERN-OHL-1.1.txt
CERN-OHL-1.2.txt
CERN-OHL-P-2.0.txt
CERN-OHL-S-2.0.txt
CERN-OHL-W-2.0.txt
CC-BY-3.0-AT.txt
CC-BY-3.0-DE.txt
CC-BY-3.0-NL.txt
CC-BY-NC-3.0-DE.txt
CC-BY-NC-ND-3.0-DE.txt
CC-BY-NC-SA-2.0-FR.txt
CC-BY-NC-SA-3.0-DE.txt
CC-BY-ND-3.0-DE.txt
CC-BY-SA-2.1-JP.txt
CC-BY-SA-3.0-AT.txt
CC-BY-SA-3.0-DE.txt
CDLA-Permissive-2.0.txt
COIL-1.0.txt
DL-DE-BY-2.0.txt
FDK-AAC.txt
Jam.txt
Linux-man-pages-copyleft.txt
KiCad-libraries-exception.txt
New/Update Component Requests
zyantific/zycore-c
New Component Detection Rules
aide/aide
Collector Status
Name | Date of Last Successful Run
gitlab | 8/5/2022
crates | 8/25/2022
hackage | 10/9/2022
maven2-ibiblio | 10/10/2022
npm | 10/11/2022
pypi | 10/12/2022
clojars | 10/13/2022
cpan | 10/13/2022
rubygems | 10/13/2022
maven-google | 10/14/2022
fedora-koji | 10/14/2022
cran | 10/15/2022
go | 10/17/2022
github | 10/17/2022
nuget gallery | 10/17/2022
packagist | 10/17/2022
Changes in Update Released on 23-September-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-43521 | Fixed false positives in license detection and license evidence mechanism for licenses like 0BSD, ISC and MIT.
SCA-42852 | Updated version information for NPMJS components like @aws-sdk/client-dynamodb and @aws-sdk/client-dynamodb-streams
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
atomic
crypto-utils
fedmsg
fedora-arm-installer
python-fedora
sectool
coolkey
sssd
anaconda
newsx
rpmdevtools
cronie
Collector Status
Name | Date of Last Successful Run
gitlab | 8/5/2022
crates | 8/25/2022
clojars | 9/15/2022
maven2-ibiblio | 9/15/2022
cpan | 9/15/2022
rubygems | 9/15/2022
maven-google | 9/16/2022
cran | 9/17/2022
nuget gallery | 9/18/2022
hackage | 9/18/2022
packagist | 9/18/2022
npm | 9/20/2022
go | 9/21/2022
pypi | 9/21/2022
github | 9/21/2022
fedora-koji | 9/21/2022
Changes in Mini Update Released on 13-September-2022
This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to commons_configuration2 Component
Added vulnerability information to the commons_configuration2 maven component (https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2) related to the vulnerability CVEs:
CVE-2022-33980 (https://nvd.nist.gov/vuln/detail/CVE-2022-33980)
CVE-2020-1953 (https://nvd.nist.gov/vuln/detail/CVE-2020-1953)
Issue ID | Issue Summary
SCA-43592 | Missing vulnerability CVE-2022-33980 for the component commons_configuration2
SCA-43114 | Updating component information for components like entityframework, mailbee.net and microsoft.sqlserver.sqlmanagementobjects.
Changes in Update Released on 09-September-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-43115 | Addition of new licenses to reflib like AfterLogic Software License Agreement, Entity Framework 5.0 For Microsoft Windows Operating System and Microsoft SQL SERVER 2017 Shared Management Objects.
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components was updated/added:
EPICS.txt
etalab-2.0.txt
copyleft-next-0.3.0.txt
copyleft-next-0.3.1.txt
GD.txt
GLWTPL.txt
Hippocratic-2.1.txt
HPND-sell-variant.txt
HTMLTIDY.txt
JPNIC.txt
libpng-2.0.txt
libselinux-1.0.txt
Linux-OpenIB.txt
Collector Status
Name | Date of Last Successful Run
gitlab | 8/5/2022
maven2-ibiblio | 8/22/2022
clojars | 9/1/2022
crates | 8/25/2022
cpan | 9/1/2022
rubygems | 9/1/2022
maven-google | 9/2/2022
hackage | 9/4/2022
nuget gallery | 9/5/2022
packagist | 9/5/2022
go | 9/6/2022
pypi | 9/6/2022
cran | 9/7/2022
github | 9/7/2022
fedora-koji | 9/7/2022
npm | 9/7/2022
Changes in Update Released on 29-August-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID | Issue Summary
SCA-42217 | BSD 3-Clause license text not detected
SCA-43300 | Fixed license detection and license evidence mechanism for dvipdfm license to avoid false positives
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components were updated/added:
0BSD
BSD-1-Clause
BSD-3-Clause-Modification
BSD-3-Clause-No-Military-License
BSD-3-Clause-Open-MPI.txt
New/Update Component Requests
jridgewell/gen-mapping
jridgewell/set-array
jridgewell/sourcemap-codec
CPUID CPU-Z
get-image-file-type-programmatically-in-swift
swift-5-4-hex-to-nscolor
SNMP++ API
supports-preserve-symlinks-flag
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
bwm-ng
mattermost_server
snipe-it
cgal
caldera-forms
Collector Status
Name
Date of Last Successful Run
fedora-koji
8/2/2022
gitlab
8/5/2022
cpan
8/18/2022
rubygems
8/18/2022
maven-google
8/19/2022
cran
8/20/2022
nuget gallery
8/21/2022
hackage
8/21/2022
maven2-ibiblio
8/22/2022
packagist
8/22/2022
go
8/23/2022
github
8/24/2022
crates
8/24/2022
npm
8/24/2022
clojars
8/25/2022
pypi
8/26/2022
Changes in Update Released on 12-August-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-42725
Fixed false positive vulnerabilities related to SQLite
SCA-31133
Addition of Nuget vulnerability mapper to the list of vulnerability mappers
SCA-42767
Updated license information for the components datatables-fixedcolumns and datatables-tabletools in our data library
SCA-43007
GNU Library General Public License v2 or later (LGPL-2.0-or-later) License Evidence is not being detected for gettext.c file
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for the following components were updated/added:
LGPL-2.0-or-later
SPDX licenses with additional clauses
App-s2p
Baekmuk
blessing
BlueOak-1.0.0
C-UDA-1.0
New/Update Component Requests
FixedColumns
Autofill
Tabletools
New Component Detection Rules
Tabletools.js and Tabletools.min.js
FixedColumns.js and FixedColumns.min.js
Collector Status
Name
Date of Last Successful Run
maven2-ibiblio
7/28/2022
fedora-koji
8/2/2022
clojars
8/4/2022
cpan
8/4/2022
rubygems
8/4/2022
maven-google
8/5/2022
gitlab
8/5/2022
cran
8/6/2022
nuget gallery
8/6/2022
hackage
8/7/2022
packagist
8/8/2022
go
8/9/2022
pypi
8/10/2022
github
8/10/2022
crates
8/10/2022
npm
8/10/2022
Changes in Update Released on 18-July-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
GPL-AGPL-LGPL License Cleanup
There are three issues we are addressing as part of this GPL-AGPL-LGPL License data cleanup project:
Example: jquery 6.2.0 (GPL-1.0)
Here GPL-1.0 is the license with the short name associated with the component jquery.
1. Short Name Change
When a particular license short name is changed and released as part of an electronic update, the new short name is not automatically propagated to the inventory items with that selected license. For example, when we change the short name of license id 343 from "GPL-1.0" to "GPL-1.0-only" in an electronic update, the existing inventory item names with that selected license will not be updated.
2. Component to License Mapping Change
When the component-to-license mapping is changed (for example, jquery is mapped to "Apache-2.0" in the electronic update), the new mapping is not propagated to existing inventory items. This results in inconsistency between the license mapping, existing inventory items, and future inventory items using the new license mapping.
3. Duplicate entry cleanup
After running the cleanup scripts, there is a possibility of duplicate entries for the licenses that had mappings in the component table and the versions table. In our case, we have mappings for 3 licenses: LGPL-2.1-or-later (License_id=704), AGPL-1.0-only (License_id=1654), and AGPL-3.0-only (License_id=229).
Note: Around 16 GPL-AGPL-LGPL related licenses have been updated, and workarounds have been provided for the necessary scenarios.
Please refer to the article on GPL-LGPL-AGPL License Cleanup for detailed information and workarounds: https://community.flexera.com/t5/Code-Insight-Knowledge-Base/Code-Insight-GPL-LGPL-AGPL-License-Data-Cleanup-Project/ta-p/240679
Issue ID
Issue Summary
SCA-40135
Updating the GPL related licenses in the data library according to SPDX
SCA-40180, SCA-41672
Preparation of scripts related to changes made to GPL, LGPL and AGPL licenses.
SCA-42149
Updated version information for the component minimist.
Enhanced License Detection Capability for Components
License detection capability and license evidence mechanism for GPL-LGPL-AGPL related licenses (part of the GPL-AGPL-LGPL license cleanup activity) were updated/added for the following components:
AGPL-1.0-only
AGPL-1.0-or-later
AGPL-3.0-only
AGPL-3.0-or-later
GPL-1.0-only
GPL-1.0-or-later
GPL-2.0-only
GPL-2.0-or-later
GPL-3.0-only
GPL-3.0-or-later
LGPL-2.0-only
LGPL-2.0-or-later
LGPL-2.1-only
LGPL-2.1-or-later
LGPL-3.0-only
LGPL-3.0-or-later
Collector Status
Name
Date of Last Successful Run
gitlab
5/13/2022
maven2-ibiblio
6/30/2022
nuget gallery
7/4/2022
clojars
7/7/2022
cpan
7/7/2022
rubygems
7/7/2022
cran
7/9/2022
maven-google
7/9/2022
hackage
7/10/2022
packagist
7/11/2022
go
7/12/2022
pypi
7/13/2022
github
7/13/2022
crates
7/13/2022
fedora-koji
7/13/2022
npm
1/30/2022
Changes in Update Released on 07-July-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-42146
Addition of the license EDL 1.0 to PDL.
Collector Status
Name
Date of Last Successful Run
gitlab
5/13/2022
npm
1/30/2022
pypi
6/29/2022
crates
6/29/2022
clojars
6/30/2022
maven2-ibiblio
6/30/2022
cpan
6/30/2022
rubygems
6/30/2022
maven-google
7/1/2022
go
7/1/2022
cran
7/2/2022
fedora-koji
7/2/2022
hackage
7/3/2022
github
7/4/2022
nuget gallery
7/4/2022
packagist
7/4/2022
Changes in Mini Update Released on 28-June-2022
This is a Mini PDL update release which is considerably smaller in size, containing data related to a specific component and a CVE.
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to jenkins Component
Added the latest vulnerability information for the jenkins component (Component ID: 191327) related to vulnerability CVE-2022-34175 (https://nvd.nist.gov/vuln/detail/CVE-2022-34175).
Issue ID
Issue Summary
SCA-39993
Miniature PDL package creation and processing in product
Changes in Update Released on 15-June-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-40437
Addition of Go Collector to the list of collectors
Collected Batch 1- 50000 packages.
SCA-42001
Fixed license information for the component 'setuptools'.
SCA-42030
Fixed license information for the component 'react-leaflet'.
SCA-42040
Fixed license information for the component 'pillow'.
SCA-42108
Updated component-version information for the component 'url-parse'.
Collector Status
Name
Date of Last Successful Run
gitlab
5/13/2022
crates
5/28/2022
npm
1/30/2022
pypi
6/8/2022
clojars
6/9/2022
cpan
6/9/2022
rubygems
6/10/2022
cran
6/11/2022
maven2-ibiblio
6/11/2022
maven-google
6/11/2022
hackage
6/12/2022
nuget gallery
6/12/2022
packagist
6/13/2022
github
6/14/2022
fedora-koji
6/14/2022
go
6/14/2022
Changes in Update Released on 13-May-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-41730
Addition of vulnerability mappings to zlib component (CVE-2018-25032).
Collector Status
Name
Date of Last Successful Run
hackage
5/8/2022
npm
1/30/2022
crates
4/26/2022
clojars
5/5/2022
cpan
5/5/2022
rubygems
5/6/2022
maven-google
5/6/2022
cran
5/7/2022
nuget gallery
5/8/2022
maven2-ibiblio
5/9/2022
packagist
5/10/2022
github
5/11/2022
gitlab
5/11/2022
pypi
5/11/2022
fedora-koji
5/11/2022
Changes in Update Released on 28-Apr-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-41430
Added and updated component and license information for components like JakartaFtpWrapper, nsftools.com Standard Disclaimer, etc.
SCA-41268
Fixed the incorrect license mapping for hibernate-core component.
Addition of License Detection Capability and License Evidence Mechanism
License detection capability and license evidence mechanism were added for the following licenses:
FreeImage
freertos-exception-2.0
FSFAP
FSFULLR
Collector Status
Name
Date of Last Successful Run
hackage
4/24/2022
npm
1/30/2022
maven2-ibiblio
4/12/2022
cpan
4/14/2022
fedora-koji
4/19/2022
rubygems
4/21/2022
cran
4/22/2022
maven-google
4/22/2022
nuget gallery
4/23/2022
crates
4/26/2022
clojars
4/27/2022
github
4/27/2022
packagist
4/27/2022
gitlab
4/27/2022
pypi
4/27/2022
Changes in Update Released on 13-Apr-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to spring-framework Component
Added vulnerability information for the spring-framework component (CVE-2022-22950 and CVE-2022-22965).
Issue ID
Issue Summary
SCA-41311
Fix incorrect vulnerability mapping to the component POI.
SCA-41305
Addition of vulnerabilities to xmlbeans 2.6.0 component.
SCA-41141
Enhancement to collect missing licenses for Pypi components.
SCA-40144
Addition of Components from https://gitlab.xiph.org/xiph
Changes in Update Released on 25-Mar-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-40941
Update license information for npm component- pixrem.
SCA-40777
Map Fair license to "Assert" component.
SCA-40872
License information for jquery 1.12.4 - MIT or GPL-2.0 license?
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
jhuisi-charm
pear-archive_tar
zopefoundation-accesscontrol
nextcloud-richdocuments
3xxx-engineercms
isomorphic-git-isomorphic-git
justarchinet-archisteamfarm
matanui159-replaysorcery
xmldom-xmldom
util-linux-util-linux
Addition of License Detection Capability and License Evidence Mechanism
License detection capability and license evidence mechanism were added for the following licenses:
dvipdfm
mif-exception
eCos-exception-2.0
eGenix
EPL-2.0
EUPL-1.2
FLTK-exception
Collector Status
Name
Date of Last Successful Run
packagist
2/27/2022
maven2-ibiblio
3/7/2022
npm
1/30/2022
gitlab
3/8/2022
clojars
3/16/2022
rubygems
3/17/2022
cpan
3/17/2022
cran
3/18/2022
maven-google
3/18/2022
nuget gallery
3/19/2022
hackage
3/20/2022
github
3/22/2022
crates
3/23/2022
pypi
3/23/2022
fedora-koji
3/23/2022
Changes in Update Released on 14-Mar-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-32308
Added the PyPI forge vulnerability mapper to our list of automated vulnerability mappers.
SCA-40984
Fix false positive vulnerabilities for Mono.Cecil
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
glances
video.js
nukeviet
lavalite-cms
evolution-cms-evolution
flatpress
yzmcms
elfinder.aspnet
Collector Status
Name
Date of Last Successful Run
packagist
2/27/2022
cran
3/4/2022
maven-google
3/5/2022
hackage
3/6/2022
maven2-ibiblio
3/7/2022
nuget gallery
3/7/2022
crates
3/8/2022
npm
1/30/2022
gitlab
3/8/2022
clojars
3/9/2022
pypi
3/9/2022
rubygems
3/10/2022
github
3/10/2022
cpan
3/10/2022
fedora-koji
3/10/2022
Changes in Update Released on 24-Feb-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-40339
Fixed license mappings for hangfire.core nuget component.
SCA-40332
Fixed license mappings for microsoft.net.workload.emscripten.manifest nuget component
SCA-40215
Fixed false positive CVE for system.threading.tasks.extensions 4.5.4 component
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
stuk-jszip
firefly-iii
pjsip-pjproject
oisf-suricata
gitlogplus
velociraptor
contour
stmicroelectronics-stm32cubeh7
mod_auth_openidc
New/Update Component Requests
Microsoft Infographic Designer
Microsoft Advance Card
Collector Status
Name
Date of Last Successful Run
npm
12/3/2021
gitlab
1/13/2022
maven2-ibiblio
2/15/2022
rubygems
2/17/2022
cran
2/18/2022
maven-google
2/18/2022
nuget gallery
2/19/2022
hackage
2/20/2022
packagist
2/20/2022
crates
2/22/2022
clojars
2/23/2022
github
2/23/2022
pypi
2/23/2022
fedora-koji
2/23/2022
cpan
2/24/2022
Changes in Update Released on 10-Feb-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-40131
Fixing false positive component_cpe mappings
SCA-40004
Fix for "Unable to load or add component version libssh 0.7.3"
SCA-39146
GPL 3.0 or later and GPL 3.0 Only - both licenses are reported when the source clearly has only one SPDX ID
SCA-38096
Fixing redirecting urls for clojars collector
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
mosquitto
lwip
folly
matio
libheif
manageiq
redis
Addition of License Detection Capability and License Evidence Mechanism
License detection capability and license evidence mechanism were added for the following licenses:
D-FSL-1.0
diffmark
DigiRule-FOSS-exception
Dotseqn
DSDP
New/Update Component Requests
windowsazure.servicebus
microsoft.azure.servicebus.eventprocessorhost
mesa
sharpmimetools
Changes in Update Released on 28-Jan-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
MIT License Cleanup
There are two licenses in Code Insight for MIT: the MIT License and the MIT-Style License. While most licenses declared by open-source developers fall under the MIT License, the MIT-Style License is more of a template license covering the various ways in which the MIT license can be declared.
We noticed that the majority of components are incorrectly mapped to the MIT-Style License. This is being resolved via an electronic update in which the mappings are corrected; for existing projects that need mapping changes, a script will be provided.
Note: Please refer to the article on MIT License Cleanup for detailed information and workarounds: https://community.flexera.com/t5/Code-Insight-Knowledge-Base/Code-Insight-MIT-License-Data-Cleanup-Project/ta-p/214451/jump-to/first-unread-message
Known issue:
A script, "MIT-CleanupQueries.sql", is provided and must be run after the PDL update.
This script updates the license names and the incorrect license mappings in the existing system-generated inventories to reflect the data changes described above.
There is a known issue for a particular set of inventories that have comma-separated license names. This is observed in the inventories generated by AutoWriteup.
Example: jQuery (MIT, MIT License)
In this case, the script provided to update the existing inventory names does not work, which causes a duplicate inventory on rescan.
The detailed issue description and workaround are provided in the Jira issue: https://jira.flexera.com/browse/SCA-40194
Issue ID
Issue Summary
SCA-39812
Map vulnerabilities for gnu components
SCA-39748
Update version information for pilotmoon-scroll-reverser
SCA-38553
License detection XML detects both MIT and MIT-Style as evidence for MIT License
SCA-28851
MIT License cleanup: Enhancement to collector level license mappings mechanism to update invalid mappings for MIT and MIT-Style licenses.
SCA-28766
Perform entire sequence of MIT License Cleanup-License short_name changes and license remapping at component and version level.
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
Itop
Mupdf
Anchrome
Addition of License Detection Capability and License Evidence Mechanism
License detection capability and license evidence mechanism were added for the following licenses:
CNRI-Jython
CNRI-Python
CNRI-Python-GPL-Compatible
Crossword
CrystalStacker
PSF-2.0
Python-2.0
Changes in Update Released on 13-Jan-2022
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to log4j Component
Added component detection capabilities to identify log4j components in "ivy.xml".
Issue ID
Issue Summary
SCA-39360
Fixed the license evidence mechanism to eliminate false positive findings.
SCA-39579
Addition of gnu vulnerable components to the data library
SCA-38160
Added the GNU vulnerability mapper to our list of automated vulnerability mappers.
SCA-38159
Added the Jenkins vulnerability mapper to our list of automated vulnerability mappers.
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
xml_database
graphhopper
Openvswitch-ovs
osgeo-gdal
unicorn-engine-unicorn
open62541-open62541
racket-racket
mozilla-geckodriver
gnuaspell-aspell
libsndfile-libsndfile
libarchive
matio
Addition of License Detection Capability and License Evidence Mechanism
License detection capability and license evidence mechanism were added for the following licenses:
CC-BY-NC-ND-1.0
CC-BY-NC-ND-4.0
CC-BY-NC-SA-4.0
CC-BY-NC-4.0
CC-BY-ND-4.0
CC-BY-SA-4.0
CC-BY-4.0
Cube
curl
CDLA-Permissive-1.0
CDLA-Sharing-1.0
CECILL-2.1
CLISP-exception-2.0
New Component Requests
Windows SDK for Windows Server 2008 and .NET Framework 3.5
Strictly Software htmlencode
Changes in Update Released on 23-Dec-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to Apache log4j2 Component
Updated vulnerability information for the log4j2 component (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104).
Updated versions for the log4j2 components.
Issue ID
Issue Summary
SCA-38791
Updated missing vulnerabilities for nuget top 100 component
SCA-35846
Enhancements to Nuget Collector for Version-Level License Collection
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
consul
uri.js
chatwoot
bat
cgm-remote-monitor
connect
muwire
containerd
discourse
micronaut
gatsby-source-wordpress
venus_os
Updated Components List
world-clock-and-the-timezoneinformation-class
Changes in Update Released on 16-Dec-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Updates to Apache log4j2 Component
Updated versions for the log4j2 components from different forges like github, maven and fedora.
Updated vulnerabilities for log4j2 component (CVE-2021-44228).
Issue ID
Issue Summary
SCA-38864
Analysis & update license for jaxen component.
SCA-38669
AutoWriteup Rules: Map licenses to AutoWriteup Rules with no licenses.
SCA-38521
Increasing Component CPE mappings in Data Library.
SCA-38479
Updated version information for 27208706.
SCA-38791
Update missing license for top 100 Nuget components.
Addition of Missing Vulnerability Mappings
Missing vulnerability mappings for the following components were added:
falco
manageengine_admanager_plus
esp32_firmware
libvips-libvips
junos
rancher
sheetjs
etherpad
stealth
Addition of License Detection Capability and License Evidence Mechanism
License detection capability and license evidence mechanism were added for the following licenses:
bzip2-1.0
bzip2-1.0.5
Caldera
BSD-3-Clause-Attribution
BSD-3-Clause-Clear
BSD-3-Clause-LBNL
BSD-3-Clause-No-Nuclear-License-2014
BSD-3-Clause-No-Nuclear-License
BSD-3-Clause-No-Nuclear-Warranty
BSD-4-Clause-UC
BSD-Protection
BSD-1-Clause
BSD-Source-Code
BSD-2-Clause-Patent
BSD-2-Clause-NetBSD
BSD-2-Clause-FreeBSD
Update Release on 26-Nov-2021 has been postponed
This update has been postponed to 9 Dec 2021 due to some technical issues.
Changes in Update Released on 11-Nov-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-38476
Add component GenericDataExchangeFrameworkwithAJAX and ASP.NET Outlook-like Time Field to PDL library
SCA-38352
Enhancement to license mapping mechanism for Nuget Collector based on License Expression provided by Nuget Rest API
SCA-38223
Add missing vulnerability mappings to components like umeditor, thinkcmf, xuperchain, ok-file-formats, radare2-extras, polipo, gthumb.
Changes in Update Released on 28-Oct-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-38246
Add missing versions for openssl, net-snmp and system.data.sqlite components.
SCA-38221
Add missing vulnerability mappings to components like varnish_cache, elfinder.net.core, ectouch, is-email, booking_core, wolfssl.
SCA-37996
Invalid license for highcharts - npmjs component.
SCA-37673
Added license evidence and detection capability for licenses like Bahyph, Barr, Borceux, BSD-1-Clause, BSD-2-Clause-FreeBSD, BSD-2-Clause-NetBSD, BSD-2-Clause-Patent, BSD-Source-Code etc.
SCA-37671
Added license evidence and detection capability for licenses like 0BSD, 389-exception, Abstyles, Adobe-Glyph, Afmparse, AGPL-1.0, Aladdin, AMDPLPA, AML, AMPAS etc.
SCA-37461
Add missing vulnerability mappings to components like delta, xo-server, putil-merge, harmonyos, ant etc.
SCA-37459
Add missing vulnerability mappings to components like yop-poll, restsharp, event_streams, sshd, talk, nextcloud_mail, nextcloud, icinga etc.
SCA-37348
Github Vulnerabilities mapped to Java components.
Changes in Update Released on 18-Oct-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-38185
Fixing invalid versions of lm_sensors.
SCA-38030
Update reference to component_mapping.csv to new github.com from git.palamida.com in update service.
SCA-37884
Missing vulnerabilities for Valeo.
SCA-37758
Adding spdx-license-identifier to the license-detection.xml and license-finder.json.
SCA-37658
Update license-names in the license evidence mechanism.
SCA-37447
Add missing vulnerability mappings to components like retty, everything, brave, node.js, total.js, total4, prismatic.
SCA-37442
Add missing vulnerability mappings to components like halo, pfsense, exiv2, caldera, jsish, moddable, mujs.
SCA-38254
Add license evidence capability for licenses like LLVM-exception, APAFML, Artistic-1.0-cl8, Artistic-1.0-Perl.
Changes in Update Released on 01-Oct-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-37896
Validate and update Maven forge details in PDL library.
SCA-37837
Add new component ms-intune-app-sdk-android and Microsoft Intune App Software Development Kit For iOS license.
SCA-37651
Add Microsoft Windows Driver Kit For Windows 8.1 License and Updated versions for Microsoft windows driver kit.
SCA-37604
Update manually maintained component versions. Please refer to the list below.
SCA-37376
Add the missing vulnerability mappings for components like cszcms, switch, fortimail, putty, emissary-ingress-emissary.
SCA-29724
Enhance License detection for Nuget forge components.
SCA-37544
Update versions and vulnerability mappings for oracle-jre component
SCA-37449
Add CWEs to PDL library.
SCA-38018
Update versions for Google Maven repository components.
Updated Components List
glibmm24
libsm
wpa_supplicant
cairo
dmidecode
chrony
libxrandr
libice
networkmanager
gobject-introspection
glib-networking
dnsmasq
mesa
elfutils
dbus
sudo
libsoup
libtalloc
rpm-package-manager
PowerTop
libldb
libxft
openssl
pygobject3
gnutls
libx11
libnl3
tzdata
alsa-lib
atk
libxcb
binutils
ethtool
libfontenc
Changes in Update Released on 13-Sep-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-37290
Validate and update invalid versions for kong-insomnia component.
SCA-36444
License Finder rules for OGC-1.0, OFL-1.1-RFN.
SCA-35816
Addition of Gitlab forge to the list of forge collection.
SCA-33593
Enhance license mapping capability for Nuget collector.
SCA-31981
Add new non-SPDX licenses like Parity Public Licence 3.0, Server Side Public License, Yoctopuce-License, Prosperity Public License, MS-ASP.NET-Web-Pages-2 License, MS-ASP.NET-WOF License to the library.
SCA-37371
Mapping the missing vulnerability CVEs for various components like Tinydtls, Misp, Libxml2, Vapor, Grpc_swift, Linuxptp.
New Component Detection Rules
liblouis
Changes in Update Released on 30-Aug-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-35866
Grafana License changed from Apache License 2.0 to AGPL 3.0 from version 8.0.
SCA-35970
Data - Vulnerability Dates update: "Publication Date" and "Modified Date".
SCA-36442
License-Finder.json rules for PSF-2.0, Parity-7.0.0, OGL-UK-3.0, etc.
SCA-36894
License Mappings for "pylouis" component.
SCA-36946
Data: Forge detail is incorrect for log4php component.
SCA-37030
False Positive Vulnerabilities for "file - npmjs" component.
SCA-37147
Handle URL discrepancies & case sensitive titles for FSF forge.
SCA-36815
Mapping of missing CVEs for components like thinksaas, routeros, alpinelinux-aports, gu, sansanyun-mipcms, hnaoyun-pbootcms.
SCA-37171
Mapping of missing CVEs for components like wp-plugins-wp-downloadmanager, benmonro-android, johnhaldeman-guarddetap, wp-plugins-cm-download-manager, just-safe-set, members, tizen, webclient, prusa3d-prusaslicer, webclient, webkitgtk.
SCA-37176
Mapping of missing CVEs for components like sanos, hyper, server, storage-manager, password-manager, ninjarmm, xevo.
SCA-37200
Update right URLs and title for code.google forge components.
SCA-37206
Mapping Vulnerability for json-smart-v1 and json-smart-v2.
SCA-35877
Updated components having URL discrepancies.
Changes in Update Released on 27-Jul-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-35948
NPMJS: Project Discovery is not Up to date with respect to NPMJS Forge
SCA-35924
License mapping for the Pypi component "louis"
SCA-27819
Fixing nongnu.org 404 URLs
SCA-36610
Minio version license mapping
SCA-36607
Grafana version license mapping
SCA-36110
Update matplotlib license text
SCA-36128
Manual Collector: Kernel: lvm2 versions are wrongly added
SCA-35933
False Positive vulnerabilities in mariadb-java-client
SCA-35908
Invalid versions for microsoft-azuredatastudio component
Changes in Update Released on 24-Jun-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-34531
Update Matplotlib license text to version 3.4.1.
SCA-35177
New requests.
SCA-34953
Add components & license to reflib.
SCA-33894
CVE-2020-11971 associated with wrong components.
SCA-29232
Request to add component: logrotate.
SCA-30698
License Finder Rules for Matplotlib License.
SCA-35286
Unicode Terms of Use license not found in file.
SCA-35680
False positive GPL license detected for LGPL license text
SCA-25368
Request for identifying SPDX IDs.
Changes in Update Released on 11-Jun-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-35178
Add OTN license and map missing license for oracle.manageddataaccess - NuGet Gallery component.
SCA-35087
Deprecating invalid versions of Apache projects on github.
SCA-35022
SPDX license collection. (Around 87 new licenses).
SCA-33894
License Name and SPDX License Name should be the same.
SCA-33805
Elastic Kibana: Add License Finder Rules for Elastic License 2.0
SCA-30698
License Finder Rules for Matplotlib License
Changes in Update Released on 28-May-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-34581
Add component Microsoft JDBC Driver for SQL Server and licenses.
SCA-34431
Deprecating invalid version vulnerability Mapping which are protected
SCA-33541
Vulnerabilities for Netmask and PHP git server
SCA-33251
Vulnerability Dates: Addition/correction of columns for publication date and last modified date.
SCA-30785
SPDX license collection to staging db. (Not yet released).
Changes in Update Released on 14-May-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-34508
PyPI URL formats are not consistent throughout PDL_Component.
SCA-34395
False positive vulnerabilities for tomcat components - False PDL Mappings in PDL_COMP_VER_VULNERABILITY
SCA-34213
Deprecating the version for Apache project invalid versions-Set2
SCA-33485
The "Visual C++ Redistributable for Visual Studio" component name contains spaces making keyword search difficult
SCA-32592
Deprecating the version for Apache project invalid versions.
SCA-30879
Linux Kernel versions release which was obsolete by a year and a half.
SCA-34289
Libstdcpp component
SCA-34183
Add new licenses to license seed and schema.
Changes in Update Released on 22-Apr-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-32074
License mismatch for popular components.
SCA-31667
License Acronym Data Changes for auto writeup rules.
SCA-29799
Inventory created with auto-writeup rules don't create with SPDX license ID
SCA-26931
Missing vulnerabilities (CPES with *) and wrong mappings for CPEs with *.
New Component Requests
lsof (Component ID: 27350567)
ntp (Component ID: 207771)
libtiff (Component ID: 27350365)
gtk (Component ID: 27350362)
gnome-shell-extensions (Component ID: 27350363)
libgpg-error (Component ID: 27350364)
dracut (Component ID: 123809)
openssl-fips (Component ID: 27350368)
lvm2 (Component ID: 27350367)
kbd (Component ID: 27350366)
lzo (Component ID: 63041)
treeview-with-columns (Component ID: 27350359)
replace-a-windows-internal-scrollbar-with-a-customdraw-scrollbar-control (Component ID: 27350360)
step-by-step-calling-c-dlls-from-vc-and-vb-part-1 (Component ID: 27350361)
strawberry-perl (Component ID: 27344198)
run-postinsts (Component ID: 27344199)
packagegroup-core-boot (Component ID: 27344200)
sha-1-in-C-by-steve-reid (Component ID: 27344201)
zlib (Component ID: 27344202)
watchdog (Component ID: 5403203)
perfmon2 (Component ID: 53555)
ust (Component ID: 186075)
newmat (Component ID: 129995)
netbase (Component ID: 207639)
xml-pull-parser3 (Component ID: 226748)
shadow-utils (Component ID: 5403445)
lipro-libftdi (Component ID: 7872851)
csha1 (Component ID: 27341784)
timezonemap (Component ID: 27344433)
Changes in Update Released on 10-Apr-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-33801
License detection.xml changes for PDL-2021-04-R1
SCA-31855
AutoWriteUp rules having outdated URLs
SCA-33557
Adding License - Purdue BSD-Style License
SCA-32649
Wrong (and hence fix) DOC Software License name and url
SCA-32983
Missing Elastic License for Elastic Kibana
New Component Requests
File-file (component ID: 3102572)
Cquicklist (component ID: 27337962)
Nfs-utils (component ID: 27336321)
Eglibc (component ID: 27337963)
Lcms (component ID: 7597)
Ti-rtos-mcu (component ID: 27336320)
High-speed-charting-control (component ID: 27330960)
Progress-control-with-text (component ID: 27330961)
Oscilloscope-stripchart-control (component ID: 27330962)
Skinx (component ID: 27330963)
Keymaps (component ID: 27333199)
Getprimarymacaddress (component ID: 27333200)
Sampleds (component ID: 27333201)
Microsoft Windows SDK for Windows 7 and .NET Framework 4 (component ID: 27334733)
Csha1-a-c-class-implementation-of-the-sha-1-hash-a (component ID: 27334779)
Trafficwatcher (component ID: 27334780)
Using-colors-in-cedit-and-cstatic (component ID: 27335822)
Gnu-which (component ID: 705519)
Eclipse-aspectj (component ID: 55748)
Changes in Update Released on 25-Mar-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-32971
URL fix for DOC License
SCA-32253
Map MICROSOFT SQL SERVER DATA-TIER APPLICATION FRAMEWORK to SQLpackage.commandline
SCA-31926
Update the missing license mappings for components-Phase1.
SCA-31800
'Exception looking up rules' in FNCI Logs
New Component Requests
mph-2b-damase
simpleping
twain-developer-toolkit
texas-instruments-msp-430-lib-files
CppSQLite
CStdioFile
CTrayIcon
CXml
CXPGroupBox
A class to combine Slider Control and Progress Bar
A very simple solution for partial bitmap encryption
Adobe InDesign CC SDK
libcomposite
pango
Microsoft Windows Driver Kit - WDK
Changes in Update Released between 20-Oct-2020 and 11-Mar-2021
This Update includes the changes described in the following sections.
Issues/Bugs Addressed
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-27739
False Positives when scanning Oracle OpenJDK
SCA-28603
Unable to find a component that is identified as first level dependency
SCA-26834
Sun (Restricted) and Sun-IP Licenses not detected
SCA-29523
License discrepancy for CURL component
SCA-27024
Gnutls component missing vulnerabilities, versions and wrong url
SCA-30866
Hdf5 license (ID: 1224) is not correct
SCA-30797
Incorrect Licensing Detection for Microsoft .Net
SCA-30525
Component gpg-gnupg missing encryption flag
SCA-27722
Incorrect vulnerabilities matched with component versions for Rust
SCA-32271
PDL_VULNERABILITY table is empty in the latest PDL update
SCA-33031
BOM: Discrepancies due to search term rule basics-vector
New Component Detection Rules
Setup.js
MD5 algorithm class library
PhantomJs
Cefsharp
Virtual-dom v2.1.1
Named-js-regexp
MarkupSafe
OCHamcrest
OCMockito
Libsrtp
Ans_up
HockeySDK
Aimage
Ua-parser-js v0.7.10.
Autofac.Wcf
Vector.js
Untildify v3.0.2
Post-robot v7.0.15.
Axios
JSONTestSuite
Rpc-server.js
New Features incorporated.
Issue ID
Issue Summary
SCA-26848
CVSS 3.1 - Data Collection
SCA-26808
Add Vulnerability dates to PDL tables
SCA-26181
Component CPE Mapping
New Component Requests released.
Isc bind
Canvas-toblob.js
Newrelic.opentracing.amazonlambda.tracer
Libepoxy
Tags
Json.net
Jquery-menu-aim-fw
Microsoft.appcenter for macos
Microsoft.appcenter.analytics for macos
Apache-apr
Cyan4973-lz4
Gnu-screen
Jamesflorentino-nanoscrollerjs
Mtd-utils
Npth
Pam
Eeepc-acpi-scripts
Sharpziplib
Mahapps.metro.simplechildwindow - nuget gallery
Wpfnotification - nuget gallery
Microsoft-windowsapicodepack-shellextensions - nuget gallery
Controlzex/controlzex - github
Mahapps.metro.iconpacks - nuget gallery
Mvvmlight - nuget gallery
Ini-parser - nuget gallery
Mahapps/mahapps.metro - github
Angular/angular-cli - github
System.data.sqlite.core - nuget gallery
System.data.sqlite.ef6.migrations - nuget gallery
Microsoft asp.net mvc 4 (***deprecated***)
Wxwindows library license
Wxwidgets
Karma-runner karma
Openssh - in c
Base-passwd
Init-ifupdown
Procps
Binutils
7-zip
Kmod
Matplotlib
Scons - a software construction tool - scons
Tagish library
Qos-ch-slf4j
Flex - lexical scanner generator
Application insights persisted http channel
Cairo-pixman
Flat_hash_map
Fontconfig
Free type
Gnutls library
Tianmajs/libm - github
Libsoup
Microsoft.applicationinsights - nuget gallery
Slodge/mvvmcross - github
Pdfsharp - nuget gallery
Sharppdf
Twain data source manager
Twain sample data source and application - twain 2.0 sample data source
Windows driver kit (wdk) 8.0 samples for visual studio 2012
Microsoft/windows-universal-samples - github
Html agility pack
Microsoft.extensions.caching.abstractions
Microsoft.extensions.caching.memory
Microsoft.extensions.dependencyinjection.abstractions
Microsoft.extensions.options
Microsoft.extensions.primitives
Microsoft.netcore.platforms
System.componentmodel.annotations
System.runtime.compilerservices.unsafe
System.security.cryptography.xml
Microsoft.owin
Microsoft.owin.host.systemweb
Microsoft.owin.security
Mimemapping
Nconfiguration
Nlog
Nuget.commandline
Nunit
Restsharp
Closedxml
Apache cxf buildtools
Apache neethi
Weblinc-matchmedia
Twain/twain-dsm
Twain-twain-samples
Windows driver kit (wdk) 8.0 samples for visual studio 2012
Changes in Update Released on 20-Oct-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 20-Oct-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-28504
Components information
SCA-28691
NVD Feed: Upgrading NVD CVE-Feeds APIs (1.0) to NVD CVE-Feeds APIs (1.1)
SCA-27621
Difference in vulnerability information for 'expat' and 'libexpat-libexpat' component
SCA-28970
NVD-Feed Fix and client release to Codeaware
SCA-17974
Duplicate inventory found for "gettext", and the license text found for the duplicate inventory is wrong
SCA-28740
With fresh scan, name of inventory item zlib is changed to madler-zlib in codeinsight 2020R4.
SCA-27773
Search terms need to be improved for a few components
SCA-28288
False Positives for zlib and libjpeg
SCA-28508
Components information
SCA-22072
Stunnel support in DL
SCA-27119
Missing versions
SCA-29156
Pycryptodomex missing encryption flag
New Component Detection Rules in the 20-Oct-2020 Release
This Update introduces new Automated Analysis rules for the following components:
Retry.js
Jquery-mobile for react
Expat (version released 2.2.6)
Novell.Directory.ldap
Spawn.js
Jquery-vsdoc.js
CodeMirror
NUnit.Framework.dll
Rsvp.js
Twbs-bootstrap and Mathiasbynens-jquery-placeholder
Libwebsockets
Globalize 1.1.1
CPU Topology
JSON v3.3.0
Pyomo v5.0.1
CPU Topology 1.2.8 Class library
Text-markdown
Json v2.1.1
V8
Libuv
Changes in Update Released on 11-Sep-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 11-Sep-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-27585
Add component "History-event" (JQuery.history.js)
SCA-27738
URL not working for freetype (Id: 1149) component
New Component Detection Rules in the 11-Sep-2020 Release
This Update introduces new Automated Analysis rules for the following components:
7za.exe
Jazzy
D3.js
JSQR
Double-conversion
HistoryEvent
Bind
Punycode.js
Gaearon-Redux
Changes in Update Released on 28-Aug-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 28-Aug-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-27456
Missing OSS component – udev
SCA-27203
Missing components – bind and jsqr
New Component Detection Rules in the 28-Aug-2020 Release
This Update introduces new Automated Analysis rules for the following components:
Whiskas.py
ProtectedData
Dmidecode
Libsmbios
Changes in Update Released on 14-Aug-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 14-Aug-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-27191
Add tungsten fabric components to Data Library
SCA-27024
Gnutls component missing vulnerabilities, versions and wrong url.
SCA-27084
Libtiff license url needs to be updated
New Component Detection Rules in the 14-Aug-2020 Release
This Update introduces new Automated Analysis rules for the following components:
SWIG v3.0.2
VC Redistributable
Apple Installer Plugin
Appcenter-sdk-apple-3.0.0.tar.gz
Code Project - WSE 3 Deployment: MSI and ClickOnce
Wdksetup.exe
MobileNumericUpDown
Apple/cups
Mhook
GridAnimationDemo
Changes in Update Released on 03-Aug-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 03-Aug-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-26931
Missing vulnerabilities.
SCA-26666
Missing Vulnerabilities for Apache Thrift 0.7.0
New Component Detection Rules in the 03-Aug-2020 Release
This Update introduces new Automated Analysis rules for the following components:
JQuery Mobile
JortSort
CLR Security Class library
BrockAllenCookieBasedTempdata.dll
StackExchange.Redis
Readline.js
Changes in Update Released on 17-Jul-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 17-Jul-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-25108
Detection of xmlbeans 2.6.0 occurs twice
SCA-25905
Component system.diagnostics.diagnosticsource has had its license changed for version 4.4 and later
SCA-25907
New components added
SCA-26134
The component "app.min.js" is incorrectly mapped to the component "App (62839)"
New Component Detection Rules in the 17-Jul-2020 Release
This Update introduces new Automated Analysis rules for the following components:
Console.js
LowPriorityWarning.js
Nameddefine.js
Prettier.js
SQLite DLL
Pacman Unicode
D3 DES algorithm 5.09 Class library
JCanvas
Libxslt
Node-tmp
Libxml2
Changes in Update Released on 30-Jun-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 30-Jun-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-25608
Component "jodaorg-joda-time" has invalid license in list
SCA-25587
Review licenses for timescale DB GitHub components
SCA-23003
Collectors for bouncycastle, curl, gnu, haproxy, jquery, kernel, libarchive, libssh, openbsd, openflow, openssl.
New Component Detection Rules in the 30-Jun-2020 Release
This Update introduces new Automated Analysis rules for the following components:
Node-Semver
Speex
Node-Static
node-tree-kill
node-winreg
node-xml2js
Changes in Update Released on 15-Jun-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 15-Jun-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-24724
Haproxy component missing 2.0.x versions
SCA-25348
Add missing vulnerabilities to u-boot component
SCA-25416
Errors in Oracle db during PDL Update
SCA-24986
UltraVNC - Missing latest versions and some versions are invalid
SCA-20156
Update component 302760 to important = true
SCA-22232
Missing component versions
SCA-24984
Component versions out of date
New Component Detection Rules in the 15-Jun-2020 Release
This Update introduces new Automated Analysis rules for the following components:
Cross-BrowserSplit
Chromium-Breakpad
Request.js
Sauce.js
IsEventSupported.js
Pubsuffix.js
Node-ssl-root-cas (test-tunnel.js)
Changes in Update Released on 01-Jun-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 01-Jun-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-24867
[Juniper Networks, Inc.] gnu-gcc component is showing invalid versions
SCA-25010
AMD: CodeAware Improper Identification of License for JQUERY Component.
New Component Detection Rules in the 01-Jun-2020 Release
This Update introduces new Automated Analysis rules for the following components:
Connect-nocache.
typescript.js
aphrodite.js
Newtonsoft.Json.dll
tipsy v1.0.0a (jquery.tipsy.js, tipsy.css)
prism.js
systemjs
Microsoft Ajax Minifier
Changes in Update Released on 18-May-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 18-May-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-23316
OGIS: License detection is different in CodeAware and Auto-Analysis
SCA-22382
OGIS: Request to Add New Components and Versions
SCA-24622
Harmonic: stuk-jszip has MIT/GPL Dual License but "Possible Licenses" only show GPL
SCA-24711
Citrix: False positives CVEs
New Component Detection Rules in the 18-May-2020 Release
This Update introduces new Automated Analysis rules for the following components:
bootstrap-select.js
bootstrap-toggle.min.js
React-pull-to-refresh
rx.all.js
narwhal.js
bootstrap-checkbox v1.4.0
IKVM.NET(IKVM.Reflection.dll).
Changes in Update Released on 04-May-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 04-May-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-22381
Component 'ring' from crates.io forge missing license and encryption flag
SCA-22542
Encryption flag not set for 'rust-openssl' component
SCA-24708
Incorrect discovery of 'Primefaces-PrimeNG' component
New Component Detection Rules in the 04-May-2020 Release
This Update introduces new Automated Analysis rules for the following components:
jquery.scrollTo-min.js, MatrixMath.js, jQuery.tmpl.js, lws-common.js
React Router
jsDump
Reflect-Metadata
NDesk.Options(.dll)
MSBuild Community Tasks(.dll)
Changes in Update Released on 17-Apr-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 17-Apr-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-23823
A few vulnerabilities not reported
SCA-24365
Invalid URL for 'lyceum' component
SCA-20305
Component 'apache-cordova-plugin-inappbrowser' has incorrect versions
SCA-18198
Incorrect vulnerability mapping for 'Docker' component
SCA-23837
Added rdklib (pypi) to the library
New Component Detection Rules in the 17-Apr-2020 Release
This Update introduces new Automated Analysis rules for the following components:
webperftest
jquery.color.js
knockout
Irrlicht(.dll file)
jQuery(build_markdown.js)
React Developer Tools(getReactData.js)
moment.js, regex.js, moment-with-locales.js
Changes in Update Released on 3-Apr-2020
This Update includes the changes described in the following sections.
Issues Addressed in the 3-Apr-2020 Release
The following issues were addressed in the Update:
Issue ID
Issue Summary
SCA-22116
Invalid version specified for 'tpm2-tss-engine'
SCA-23712
Added 'SunPro' license to the library
SCA-22982
Incorrect URLs for a few Ibiblio Maven2 components
SCA-20314
Licenses are not mapped for latest versions of 'pygresql' component (22014048)
SCA-21928
Component 'pycountry-convert' needs to be updated with latest details
SCA-19891
Invalid versions associated to the component 'c-ares'
SCA-15411
Incorrect details for component 'systemd-systemd'
New Component Detection Rules in the 13-Mar-2020 Release
This Update introduces new Automated Analysis rules for the following components:
vector.js
webcomponent.js
globalize.js
OCMock
Bezier-Easing
Punycode(.js File)
Sphinx
StructureMap
cors
jQuery validation plug-in v1.6
jQuery Easing v1.3