I'm using NexusIQ in order to analyze vulnerabilities that might come from dependencies. My development is based on Spring Boot using WebFlux. NexusIQ raises a level 8 Copyleft license policy violation alert, because it found licenses in the 'Copyleft' license threat group ('GPL-2.0-with-classpath-exception') on jakarta.annotation-api : 1.3.5 and on snakeyaml : 2.0. They are tagged as Direct Dependencies.
Looking at my dependency tree using the mvn dependency:tree command, I see that jakarta.annotation-api and snakeyaml are spring-boot-starter dependencies:
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:2.7.13:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.7.13:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:2.7.13:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.13:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.13:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.12:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.30:compile
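The tree above resolves snakeyaml 1.30 while the scanner flagged 2.0, so the first thing worth checking is which version and which path the build actually resolves for each flagged artifact. As an added example (not part of the original question, and not NexusIQ or Maven code), here is a small Python parser over the quoted mvn dependency:tree output. It reports, for each flagged groupId:artifactId, the resolved version, whether the artifact sits at depth 0 (a direct dependency of the project) or deeper (transitive), and the chain of parents that pulls it in, and it compares the scanner's reported versions against what the tree resolves. The tree text is the one quoted above; the scanner-reported versions passed in are constructed to match the question.

```python
"""Locate flagged artifacts in `mvn dependency:tree` output and show how they are pulled in.

Added example, not part of the original question. It assumes only the plain-text
tree format printed by the Maven dependency plugin: one "[INFO]" line per node,
with "+-" or "\-" connectors and a growing indent per level.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: the tree quoted in the question (Spring Boot 2.7.13, webflux starter).
TREE_OUTPUT = r"""
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:2.7.13:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.7.13:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:2.7.13:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.13:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.13:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.12:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.30:compile
"""

# Matches one tree node; the column of the connector encodes the nesting level,
# which works whether Maven's "|  " indent was preserved or collapsed to "| ".
LINE_RE = re.compile(r"^\[INFO\][ |]*(?P<conn>\+-|\\-) (?P<coord>\S+)")


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int          # 0 = declared directly by the project
    path: List[str]     # groupId:artifactId chain from the direct dependency down to this node

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"

    @property
    def direct(self) -> bool:
        return self.depth == 0


def parse_tree(text: str) -> List[Dep]:
    """Turn dependency:tree text into a flat list of nodes with depth and parent path."""
    deps: List[Dep] = []
    stack: List[Tuple[int, Dep]] = []   # (indent column, node) for the current ancestors
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                    # root project line, plugin banners, blank lines
        indent = m.start("conn")
        # A node at the same or smaller indent closes the deeper branches.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parts = m.group("coord").split(":")   # group:artifact:type[:classifier]:version[:scope]
        group, artifact = parts[0], parts[1]
        has_scope = len(parts) >= 5
        version = parts[-2] if has_scope else parts[-1]
        scope = parts[-1] if has_scope else ""
        path = [d.key for _, d in stack] + [f"{group}:{artifact}"]
        dep = Dep(group, artifact, version, scope, len(stack), path)
        deps.append(dep)
        stack.append((indent, dep))
    return deps


def locate(text: str, flagged: Set[str]) -> Dict[str, List[Dep]]:
    """Map each flagged groupId:artifactId to every node that resolves it."""
    found: Dict[str, List[Dep]] = {k: [] for k in flagged}
    for dep in parse_tree(text):
        if dep.key in found:
            found[dep.key].append(dep)
    return found


def version_mismatches(text: str, scanner_versions: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Return flagged artifacts whose scanner-reported version differs from what the build resolves."""
    hits = locate(text, set(scanner_versions))
    out: Dict[str, Tuple[str, List[str]]] = {}
    for key, reported in scanner_versions.items():
        resolved = sorted({d.version for d in hits[key]})
        if resolved != [reported]:
            out[key] = (reported, resolved)
    return out


def report(text: str, scanner_versions: Dict[str, str]) -> List[str]:
    """Human-readable lines: resolved version, direct/transitive, and the path into the tree."""
    lines: List[str] = []
    for key, hits in locate(text, set(scanner_versions)).items():
        if not hits:
            lines.append(f"{key}: not present in the resolved tree")
        for d in hits:
            kind = "direct" if d.direct else f"transitive (depth {d.depth})"
            lines.append(f"{key}:{d.version} is {kind}, via " + " -> ".join(d.path))
    for key, (reported, resolved) in version_mismatches(text, scanner_versions).items():
        lines.append(f"{key}: scanner reported {reported}, build resolves {resolved}")
    return lines


if __name__ == "__main__":
    # Constructed scanner findings matching the question's alert.
    flagged = {"jakarta.annotation:jakarta.annotation-api": "1.3.5", "org.yaml:snakeyaml": "2.0"}
    print("\n".join(report(TREE_OUTPUT, flagged)))
```

Run it against a real tree with `mvn dependency:tree > tree.txt` and feed the file contents instead of TREE_OUTPUT; a version mismatch line means the scanner looked at a different artifact set (for example a built image or a lock file) than the one this build resolves, which is the discrepancy to settle before reasoning about the license itself.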
I'm working on the latest 2.X version of Spring Boot and I forced the upgrade of the snakeyaml version from 1.30 to 2.0. I saw from the https://help.sonatype.com/iqserver/managing/policy-management/license-threat-groups link that the Copyleft threat group refers to "Strong copyleft licenses go a step further from weak copyleft licenses and mandate that any distributed software that links or otherwise incorporates such code be licensed under compatible licenses, which are a subset of the available open-source licenses. As a result, these licenses have been called viral." But I'm not sure that I really understand what the sentence above means regarding the link between the spring-boot-starter license and the jakarta.annotation-api and snakeyaml licenses. I understand that Copyleft is a general method of making a program (or any other work) free and forcing all modified or extended versions of that program to be free as well. Does it mean that Spring Boot should not use jakarta.annotation-api and snakeyaml because they are free software?
If so, I don't see how to solve those problems unless I stop using Spring Boot altogether...
I also saw from this link https://openjdk.org/legal/gplv2+ce.html that "Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed." Well, I do not know how to deal with these different pieces of information.