All, we scanned our internal code base with the WhiteSource open source scan, and it resulted in a policy violation for opennms-26.0.0-1. Upon research, it was found that this is coming from the struts-jQuery plug-in, which is licensed under Apache 2.0. Our org policy rejects AGPL or LGPL licenses, so WhiteSource shows the opennms library as a violation. Can someone advise on the remediation for this? If the struts-jQuery plug-in is bringing in an AGPL-licensed JavaScript file, shouldn't the struts jQuery plug-in be licensed under AGPL?

Jughead1217
  • The remediation is to not use the plugin. Questions around licensing are off-topic on SO; a legal site would be more appropriate. AFAIK there's nothing in S2 that has anything to do with OpenNMS--what makes you think it does? – Dave Newton Nov 21 '21 at 13:15
  • It does have OpenNMS references from the following JS files: /struts2-jquery-plugin-4.0.3/template/i18n/datepicker-et.js, struts2-jquery-plugin-4.0.3/template/i18n/datepicker-en-GB.js, etc., and WhiteSource is saying OpenNMS is being referenced in these JS files. – Jughead1217 Nov 22 '21 at 00:16
  • Then you'll need to discuss it with them. Those are I18N files for the jQuery UI datepicker and contain things like the names of the months. There is nothing in those files related to OpenNMS. – Dave Newton Nov 22 '21 at 00:25

1 Answer

The S2 jQuery plugin has no dependency on OpenNMS:

➜  struts2-jquery-plugin git:(release/4.1.x) mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ---------< com.jgeppert.struts2.jquery:struts2-jquery-plugin >----------
[INFO] Building Struts 2 jQuery Plugin 4.1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ struts2-jquery-plugin ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] com.jgeppert.struts2.jquery:struts2-jquery-plugin:jar:4.1.0-SNAPSHOT
[INFO] +- taglibs:standard:jar:1.1.2:test
[INFO] +- javax.servlet:jstl:jar:1.1.2:test
[INFO] +- org.apache.struts:struts-annotations:jar:1.0.6:compile
[INFO] |  \- org.freemarker:freemarker:jar:2.3.11:compile
[INFO] +- org.apache.struts:struts2-core:jar:2.5.26:compile
[INFO] |  +- ognl:ognl:jar:3.1.28:compile
[INFO] |  |  \- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] |  +- commons-io:commons-io:jar:2.6:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] +- org.apache.velocity:velocity:jar:1.5:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.1:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.1:compile
[INFO] |  \- oro:oro:jar:2.0.8:compile
[INFO] +- javax.servlet:jsp-api:jar:2.0:provided
[INFO] |  \- javax.servlet:servlet-api:jar:2.4:provided
[INFO] \- javax.servlet.jsp:jsp-api:jar:2.1:test

I'm not aware of any S2 dependency on OpenNMS (and it wouldn't make a lot of sense).

Dave Newton
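
One way to re-check a scanner finding against the resolved dependency tree, as the answer above does by eye. This is an added example, not part of the original answer or of either project; `org.opennms` as the groupId to search for is an assumption, and the sample tree is a constructed subset of the output quoted above.

```python
import re

# Constructed sample in the format printed by `mvn dependency:tree`
# (a subset of the output quoted in the answer above).
SAMPLE_TREE = r"""
[INFO] Scanning for projects...
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ struts2-jquery-plugin ---
[INFO] com.jgeppert.struts2.jquery:struts2-jquery-plugin:jar:4.1.0-SNAPSHOT
[INFO] +- org.apache.struts:struts-annotations:jar:1.0.6:compile
[INFO] |  \- org.freemarker:freemarker:jar:2.3.11:compile
[INFO] +- org.apache.struts:struts2-core:jar:2.5.26:compile
[INFO] |  +- ognl:ognl:jar:3.1.28:compile
[INFO] |  |  \- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] \- javax.servlet.jsp:jsp-api:jar:2.1:test
"""

# "[INFO] ", then 3-character indent units ("|  " or "   "), an optional
# branch marker ("+- " or "\- "), then one token with no spaces.
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+)$")

def parse_tree(text):
    """Return (path_from_root, coordinate) for each artifact line."""
    stack, nodes = [], []
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        # Maven coordinates have at least group:artifact:type:version.
        if not m or m.group(3).count(":") < 3:
            continue  # banner, warning or empty [INFO] line
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        del stack[depth:]          # climb back up to this node's parent
        stack.append(m.group(3))
        nodes.append((tuple(stack), m.group(3)))
    return nodes

def find_group(text, group_id):
    """Paths to every artifact whose groupId is group_id or a sub-group of it."""
    hits = []
    for path, coord in parse_tree(text):
        group = coord.split(":", 1)[0]
        if group == group_id or group.startswith(group_id + "."):
            hits.append(" > ".join(path))
    return hits

if __name__ == "__main__":
    # "org.opennms" is an assumed groupId for the flagged library.
    for gid in ("org.opennms", "org.javassist"):
        print(gid, "->", find_group(SAMPLE_TREE, gid) or "not in tree")
```

The tree covers declared Maven dependencies only; a scanner match on individual files inside the jar, such as the datepicker i18n scripts mentioned in the comments, does not show up in it.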