
During the .NET 8 upgrade, the Black Duck scan identified vulnerabilities in Xbim Packages version 6.0.445.

Open Ruchitha9177 opened this issue 1 year ago • 2 comments

We routinely run Black Duck scans on our product to identify vulnerabilities or issues, whether they originate from third-party components or our own codebase. After upgrading to .NET 8 and using the latest Xbim packages version 6.0.445, we noticed some vulnerabilities associated with the Xbim package. Below are some logs for reference.

License Errors:
Component Xbim.Common version 6.0.445 with ID Xbim.Common/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component xBIM Essentials version 6.0.445 with ID Xbim.Essentials/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.IO.Esent version 6.0.445 with ID Xbim.IO.Esent/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.IO.MemoryModel version 6.0.445 with ID Xbim.IO.MemoryModel/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.Ifc version 6.0.445 with ID Xbim.Ifc/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.Ifc2x3 version 6.0.445 with ID Xbim.Ifc2x3/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.Ifc4 version 6.0.445 with ID Xbim.Ifc4/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.Ifc4x3 version 6.0.445 with ID Xbim.Ifc4x3/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0
Component Xbim.Tessellator version 6.0.445 with ID Xbim.Tessellator/6.0.445 violates policy Requires Implementation Review - Overrideable: license Common Development and Distribution License 1.0

Could you please take a look and let us know if you have any insights or suggestions on how to address these vulnerabilities? Your guidance would be greatly appreciated.

Ruchitha9177, Sep 03 '24 09:09

This has been raised before - See #302. These are not vulnerabilities. I believe it's drawing attention to the fact that you need to check / understand the licence as a commercial entity. For some reason Black Duck raises a warning about the open source CDDL licence we make xbim toolkit available under, likely because it's classed as a 'weak copyleft' licence. This warning feels over-zealous since weak copy-left is very different to GPL style strong copy-left, where you do need to be cautious with $$$ software.

The key to this type of 'weak copy-left' licence (CDDL) is you can use the xbim code in commercial software and you're not required to publish your private source code. Only if you make changes to xbim Toolkit do you need to publish those changes and make those modifications available under a CDDL licence. That's about it. You're supposed to supply a copy of the CDDL licence somewhere as well.

We don't plan to change the licence to keep Black Duck happy. You'll have to determine whether the black duck Policy is important or not - it's not something we can do or advise on.

Just for background, I found this article on open source licences on BlackDuck's site, which references CDDL, with some vague OS comparison tables that make little sense in isolation. If you want to understand CDDL there's some useful plain English info on the CDDL licence here.

andyward, Sep 03 '24 16:09

Alternatively contact me for a custom licence to remove this BlackDuck Warning.

andyward, Sep 03 '24 18:09