CAST SBOM Manager’s Third-Party Components
Version: 2.0-RC4
Last update: July 22nd 2024
Last update: July 22nd 2024
Open Source components
| Third-Party Component | Licenses | Version |
| org.json:json | Creative Commons Zero v1.0 Universal | 20231013 |
| org.apache.maven:maven-plugin-api | Apache License 2.0 | 3.0 |
| com.networknt:json-schema-validator | Apache License 2.0 | 1.0.87 |
| org.jruby.joni:joni | MIT License | 2.1.41 |
| org.osgi:osgi.core | Apache License 2.0 | 6.0.0 |
| avalon-framework:avalon-framework | 4.1.3 | |
| org.ow2.asm:asm-commons | BSD 3-Clause “New” or “Revised” License | 9.2 |
| io.zipkin.brave:brave-instrumentation-jersey-server | Apache License 2.0 | 5.12.3 |
| commons-codec:commons-codec | Apache License 2.0 | 1.3 |
| org.codehaus.woodstox:stax2-api | BSD Licenses Family | 4.2.1 |
| jakarta.xml.bind:jakarta.xml.bind-api | BSD 3-Clause “New” or “Revised” License | 3.0.1 |
| org.glassfish.findbugs:findbugs | GNU General Public License v2.0 w/Classpath exception
Common Development and Distribution License 1.1 |
1.0 |
| com.github.jnr:jnr-posix | Eclipse Public License 2.0
GNU Lesser General Public License v2.1 only GNU General Public License v2.0 only |
3.1.15 |
| com.fasterxml.woodstox:woodstox-core | Apache License 2.0 | 5.0.3 |
| com.orientechnologies:orientdb-tools | Apache License 2.0 | 3.2.21 |
| com.github.jnr:jffi | Apache License 2.0 | 1.3.6 |
| commons-codec:commons-codec | Apache License 2.0 | 1.11 |
| net.java.dev.msv:xsdlib | BSD Licenses Family | 2013.6.1 |
| com.github.spotbugs:spotbugs | GNU Lesser General Public License v2.1 only | 4.0.0 |
| javax.servlet:javax.servlet-api | GNU General Public License v2.0 w/Classpath exception
Common Development and Distribution License 1.1 |
3.0.1 |
| io.jsonwebtoken:jjwt-impl | Apache License 2.0 | 0.11.5 |
| com.google.code.gson:gson | Apache License 2.0 | 2.10.1 |
| org.apache.poi:poi | Apache License 2.0 | 5.2.4 |
| com.ethlo.time:itu | Apache License 2.0 | 1.7.0 |
| javax.servlet:servlet-api | 2.4 | |
| org.projectlombok:lombok | MIT License | 1.18.28 |
| org.apache.geronimo.specs:geronimo-javamail_1.4_spec | Apache License 2.0 | 1.7.1 |
| org.apache.commons:commons-lang3 | Apache License 2.0 | 3.13.0 |
| com.google.guava:failureaccess | Apache License 2.0 | 1.0.1 |
| org.ow2.asm:asm-util | BSD 3-Clause “New” or “Revised” License | 9.2 |
| xml-apis:xml-apis | Sax Public Domain Notice
W3C Software Notice and License (2002-12-31) Apache License 2.0 |
1.4.01 |
| com.orientechnologies:orientdb-core | Apache License 2.0 | 3.2.21 |
| org.apache.maven.surefire:surefire-junit47 | Apache License 2.0 | 2.7.1 |
| xerces:xercesImpl | Apache License 2.0 | 2.11.0 |
| org.slf4j:slf4j-api | MIT License | 1.7.12 |
| com.google.guava:listenablefuture | Apache License 2.0 | 9999.0-empty-to-avoid-conflict-with-guava |
| com.orientechnologies:orientdb-server | Apache License 2.0 | 3.2.21 |
| stax:stax-api | Apache License 2.0 | 1.0.1 |
| org.apache.ant:ant-junit | 1.8.1 | |
| com.fasterxml.jackson.core:jackson-databind | Apache License 2.0 | 2.15.2 |
| com.ceilfors.maven.plugin:enforcer-rules | MIT License | 1.2.0 |
| org.codehaus.plexus:plexus-compiler-javac-errorprone | Apache License 2.0 | 2.8.5 |
| logkit:logkit | 1.0.1 | |
| org.eclipse.persistence:org.eclipse.persistence.moxy | NOASSERTION
Eclipse Public License 1.0 |
2.5.1 |
| commons-lang:commons-lang | Apache License 2.0 | 2.6 |
| org.joda:joda-convert | Apache License 2.0 | 1.2 |
| org.springframework.security:spring-security-saml2-service-provider | Apache License 2.0 | 5.4.11 |
| lt.velykis.maven.skins:reflow-velocity-tools | Apache License 2.0 | 1.1.1 |
| org.glassfish.jaxb:jaxb-runtime | BSD 3-Clause “New” or “Revised” License | 3.0.2 |
| com.google.guava:guava | Apache License 2.0 | 31.1-jre |
| ch.qos.logback:logback-classic | Eclipse Public License 1.0
GNU Lesser General Public Licenses Family |
1.1.8 |
| javax.inject:javax.inject | Apache License 2.0 | 1 |
| commons-beanutils:commons-beanutils | Apache License 2.0 | 1.8.0 |
| com.puppycrawl.tools:checkstyle | GNU Lesser General Public License v2.1 only | 9.3 |
| com.fasterxml.jackson.core:jackson-core | Apache License 2.0 | 2.14.2 |
| log4j:log4j | 1.2.12 | |
| org.codehaus.groovy:groovy-jsr223 | Apache License 2.0 | 2.5.19 |
| commons-logging:commons-logging | Apache License 2.0 | 1.1.1 |
| jakarta.xml.bind:jakarta.xml.bind-api | BSD 3-Clause “New” or “Revised” License | 2.3.2 |
| commons-digester:commons-digester | Apache License 2.0 | 1.8 |
| commons-jxpath:commons-jxpath | Apache License 2.0 | 1.3 |
| xml-apis:xml-apis | Apache License 2.0 | 1.0.b2 |
| com.cenqua.clover:clover | 3.0.2 | |
| org.slf4j:slf4j-api | MIT License | 1.7.25 |
| org.apache.maven:maven-model | Apache License 2.0 | 3.0 |
| com.puppycrawl.tools:checkstyle | GNU Lesser General Public License v2.1 only | 8.29 |
| com.github.jnr:jnr-ffi | Apache License 2.0 | 2.2.11 |
| org.springframework:spring-context | Apache License 2.0 | 5.3.25 |
| javax.validation:validation-api | Apache License 2.0 | 2.0.1.Final |
| com.github.jnr:jnr-a64asm | Apache License 2.0 | 1.0.0 |
| commons-io:commons-io | Apache License 2.0 | 2.14.0 |
| org.eclipse.jgit:org.eclipse.jgit | BSD 3-Clause “New” or “Revised” License | 6.7.0.202309050840-r |
| org.osgi:org.osgi.core | Apache License 2.0 | 6.0.0 |
| net.i2p.crypto:eddsa | Creative Commons Zero v1.0 Universal | 0.3.0 |
| org.glassfish.jaxb:jaxb-core | BSD 3-Clause “New” or “Revised” License | 3.0.2 |
| org.apache.poi:poi-ooxml-full | Apache License 2.0 | 5.2.4 |
| javax.xml.bind:jaxb-api | GNU General Public License v2.0 w/Classpath exception
Common Development and Distribution License 1.1 |
2.4.0-b180830.0359 |
| org.brotli:dec | MIT License | 0.1.2 |
| com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru | Apache License 2.0 | 1.4.2 |
| com.google.errorprone:error_prone_core | Apache License 2.0 | 2.3.2 |
| com.github.jnr:jnr-x86asm | MIT License | 1.0.2 |
| lz4/lz4-java | Apache License 2.0 | 1.8.0 |
| commons-lang:commons-lang | Apache License 2.0 | 2.4 |
| com.fasterxml.jackson.dataformat:jackson-dataformat-xml | Apache License 2.0 | 2.15.3 |
| log4j:log4j | 1.2.8 | |
| org.cryptacular:cryptacular | GNU Lesser General Public Licenses Family
Apache License 2.0 |
1.2.5 |
| org.lz4:lz4-java | Apache License 2.0 | 1.8.0 |
| com.auth0:java-jwt | MIT License | 4.4.0 |
| com.fasterxml.woodstox:woodstox-core | Apache License 2.0 | 6.2.3 |
| me.fabriciorby:maven-surefire-junit5-tree-reporter | Apache License 2.0 | 1.1.0 |
| org.codehaus.jettison:jettison | Apache License 2.0 | 1.3.3 |
| org.ow2.asm:asm-analysis | BSD 3-Clause “New” or “Revised” License | 9.2 |
| org.passay:passay | GNU Lesser General Public Licenses Family
Apache License 2.0 |
1.6.3 |
| org.apache.poi:poi-ooxml | Apache License 2.0 | 5.2.4 |
| org.codehaus.groovy:groovy | Apache License 2.0 | 2.5.19 |
| javax.activation:javax.activation-api | GNU General Public License v2.0 only
Common Development and Distribution License 1.1 GNU General Public License v2.0 w/Classpath exception |
1.2.0 |
| org.ow2.asm:asm-tree | BSD 3-Clause “New” or “Revised” License | 9.2 |
| xalan:xalan | Apache License 2.0 | 2.7.2 |
| org.apache.maven:maven-model | Apache License 2.0 | 3.9.3 |
| net.roboconf:roboconf-target-docker | Apache License 2.0 | 0.2 |
| relaxngDatatype:relaxngDatatype | 20020414 | |
| org.apache.felix:org.osgi.core | Apache License 2.0 | 1.4.0 |
| com.github.javaparser:javaparser-core | Apache License 2.0
GNU Lesser General Public Licenses Family |
3.24.4 |
| io.jsonwebtoken:jjwt-jackson | Apache License 2.0 | 0.11.5 |
| org.jetbrains:annotations | Apache License 2.0 | 24.0.1 |
| org.ow2.asm:asm | BSD 3-Clause “New” or “Revised” License | 9.2 |
| com.github.jnr:jnr-constants | Apache License 2.0 | 0.10.3 |
| net.sf.saxon:Saxon-HE | Mozilla Public License 2.0 | 11.4 |
| org.reactivestreams:reactive-streams | Creative Commons Zero v1.0 Universal | 1.0.2 |
| org.ow2.asm:asm | BSD 3-Clause “New” or “Revised” License | 9.5 |
| commons-io:commons-io | Apache License 2.0 | 2.13.0 |
| javax.servlet:servlet-api | 2.3 | |
| org.apache.maven.plugin-tools:maven-plugin-annotations | Apache License 2.0 | 3.4 |
| org.eclipse.jgit:org.eclipse.jgit.ssh.apache | BSD 3-Clause “New” or “Revised” License | 6.7.0.202309050840-r |
| commons-codec:commons-codec | Apache License 2.0 | 1.16.0 |
| org.codehaus.mojo:extra-enforcer-rules | Apache License 2.0 | 1.0-beta-3 |
| org.jruby:jruby | GNU General Public License v2.0 only
Common Public License 1.0 GNU Lesser General Public License v2.1 only |
1.7.0.RC1 |
| io.jsonwebtoken:jjwt-api | Apache License 2.0 | 0.11.5 |
| com.github.luben:zstd-jni | BSD 2-Clause “Simplified” License | 1.5.5-10 |
| io.netty:netty-transport-native-epoll | Apache License 2.0 | 4.1.65.Final |
| org.tukaani:xz | Creative Commons Zero v1.0 Universal | 1.9 |
| com.fasterxml.jackson.core:jackson-databind | Apache License 2.0 | 2.14.2 |
| com.github.jnr:jffi | Apache License 2.0 | 1.3.9 |
| commons-configuration:commons-configuration | Apache License 2.0 | 1.6 |
| log4j:log4j | Apache License 2.0 | 1.2.16 |
| com.orientechnologies:orientdb-client | Apache License 2.0 | 3.2.23 |
| com.fasterxml.jackson.dataformat:jackson-dataformat-yaml | Apache License 2.0 | 2.15.2 |
| com.carrotsearch:hppc | Apache License 2.0 | 0.6.0 |
| org.cyclonedx:cyclonedx-core-java | Apache License 2.0 | 8.0.3 |
| org.apache.logging.log4j:log4j-api | Apache License 2.0 | 2.11.2 |
| ant:ant-optional | 1.5.3-1 | |
| org.apache.commons:commons-compress | Apache License 2.0 | 1.25.0 |
| com.orientechnologies:orientdb-graphdb | Apache License 2.0 | 3.2.21 |
| net.java.dev.msv:msv-core | BSD Licenses Family | 2013.6.1 |
| com.github.spotbugs:spotbugs | GNU Lesser General Public License v2.1 only | 3.1.10 |
| org.bouncycastle:bcprov-jdk15on | NOASSERTION | 1.59 |
| com.github.package-url:packageurl-java | MIT License | 1.4.1 |
| jakarta.activation:jakarta.activation-api | BSD 3-Clause “New” or “Revised” License | 1.2.1 |
| com.google.code.findbugs:jsr305 | Apache License 2.0 | 2.0.1 |
| org.yaml:snakeyaml | Apache License 2.0 | 1.26 |
| org.jboss.logmanager:jboss-logmanager | Apache License 2.0 | 2.1.9.Final |
| commons-collections:commons-collections | Apache License 2.0 | 3.2.1 |
| org.codehaus.groovy:groovy-all | Apache License 2.0 | 2.4.8 |
| org.osgi:osgi.cmpn | Apache License 2.0 | 6.0.0 |
| org.slf4j:slf4j-api | MIT License | 2.0.7 |
| com.fasterxml.jackson.core:jackson-databind | GNU Lesser General Public License v2.1 only
Apache License 2.0 |
2.2.3 |
| ant:ant | Apache License 2.0 | 1.6.5 |
| org.apache.velocity:velocity | Apache License 2.0 | 1.7 |
| org.apache.logging.log4j:log4j-api | Apache License 2.0 | 2.18.0 |
List of commercial 3rd Parties
None to report.