Invalid License Expressions for non-listed SPDX license IDs #7716

goneall · 2024-10-10T23:22:01Z

goneall
Oct 10, 2024

Description

In some cases, a license expression uses an ID which is not on the SPDX listed license list.

From the SPDX Spec on license expressions, a simple license must be either an ID on the license list, an ID starting with LicenseRef-, or a reference to a license defined in an external SPDX document starting with DocumentRef-.

Desired Behavior

Any non-standard licenses should have a LicenseRef created. If the license text is available, it should be included in the extracted license represented by the LicenseRef otherwise the text of the license should provide some context (e.g. "This license represent the license identifier Apache found in a POM file").

For reference, this pull request fixes up all the invalid license ID's found in a Trivy generated file: lfscanning/scaffold#93

For the Java package com.github.java-json-tools:json-schema-validator, the following should be produced:

{
      "name": "com.github.java-json-tools:json-schema-validator",
      "SPDXID": "SPDXRef-Package-5057bcef68a69a7c",
      "versionInfo": "2.2.14",
      "supplier": "NOASSERTION",
      "downloadLocation": "git+https://github.com/spdx/tools-java",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "LicesenRef-6057bcef68a69a7c AND Apache-2.0",
      "licenseDeclared": "LicesenRef-6057bcef68a69a7c AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
},
...
"hasExtractedLicensingInfos" : [ {
    "licenseId" : "LicenseRef-6057bcef68a69a7c",
    "extractedText" : "This license represents the string 'Lesser-General-Public-License--version-3 OR greater' being found in a POM file"
  },


### Actual Behavior

For the POM file references to com.github.java-json-tools:json-schema-validator, the following license is created:

{
"name": "com.github.java-json-tools:json-schema-validator",
"SPDXID": "SPDXRef-Package-5057bcef68a69a7c",
"versionInfo": "2.2.14",
"supplier": "NOASSERTION",
"downloadLocation": "git+https://github.com/spdx/tools-java",
"filesAnalyzed": false,
"sourceInfo": "package found in: pom.xml",
"licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
"licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
}
],


### Reproduction Steps

```bash
1. git clone [email protected]:spdx/tools-java.git
2. cd tools-java
3. trivy fs --scanners license,vuln --format spdx-json --debug .
...

Target

Filesystem

Scanner

License

Output Format

SPDX

Mode

Standalone

Debug Output

trivy fs --scanners license,vuln --format spdx-json --debug .
2024-10-10T16:19:09-07:00       DEBUG   No plugins loaded
2024-10-10T16:19:09-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-10T16:19:09-07:00       DEBUG   Cache dir       dir="C:\\Users\\gary\\AppData\\Local\\trivy"
2024-10-10T16:19:09-07:00       DEBUG   Cache dir       dir="C:\\Users\\gary\\AppData\\Local\\trivy"
2024-10-10T16:19:09-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-10T16:19:09-07:00       DEBUG   Ignore statuses statuses=[]
2024-10-10T16:19:09-07:00       DEBUG   DB update was skipped because the local DB is the latest
2024-10-10T16:19:09-07:00       DEBUG   DB info schema=2 updated_at=2024-10-10T12:16:40.822906715Z next_update=2024-10-11T12:16:40.822906214Z downloaded_at=2024-10-10T17:58:21.4052752Z
2024-10-10T16:19:09-07:00       DEBUG   [pkg] Package types     types=[os library]
2024-10-10T16:19:09-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-10-10T16:19:09-07:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-10T16:19:09-07:00       INFO    [license] License scanning is enabled
2024-10-10T16:19:09-07:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-10T16:19:09-07:00       DEBUG   Initializing scan cache...      type="memory"
2024-10-10T16:19:09-07:00       DEBUG   Skipping path   path=".git"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.spdx" artifact_id="java-spdx-library" version="1.1.10"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.spdx" artifact_id="spdx-rdf-store" version="1.1.9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.spdx" artifact_id="spdx-jackson-store" version="1.1.9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.ws.xmlschema" artifact_id="xmlschema-core" version="2.3.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.ws.xmlschema:xmlschema:2.3.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:23"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:23"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.ws.xmlschema:xmlschema:2.3.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.spdx" artifact_id="spdx-spreadsheet-store" version="1.1.7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.spdx" artifact_id="spdx-tagvalue-store" version="1.1.7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="json-schema-validator" version="2.2.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="slf4j-api" version="2.0.7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:2.0.7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:2.0.7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-lang3" version="3.5"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:41"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:18"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:18"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:41"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.jsoup" artifact_id="jsoup" version="1.15.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.code.gson" artifact_id="gson" version="2.8.9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.google.code.gson:gson-parent:2.8.9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.google.code.gson:gson-parent:2.8.9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.code.findbugs" artifact_id="jsr305" version="3.0.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.jena" artifact_id="jena-core" version="4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.15.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.15"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:50"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:50"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.15"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.eclipse.jetty" artifact_id="jetty-bom" version="10.0.17"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-bom" version="2.21.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:10.1.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:10.1.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.jena" artifact_id="jena-arq" version="4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.jena" artifact_id="jena-base" version="4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-databind" version="2.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:56"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:56"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.9.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.dataformat" artifact_id="jackson-dataformat-xml" version="2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-bom:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.15"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.15"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-bom:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.dataformat" artifact_id="jackson-dataformat-yaml" version="2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson.dataformat:jackson-dataformats-text:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson.dataformat:jackson-dataformats-text:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.json" artifact_id="json" version="20231013"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-core" version="2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-base:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-base:2.15.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.poi" artifact_id="poi" version="5.2.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.opencsv" artifact_id="opencsv" version="5.7.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.poi" artifact_id="poi-ooxml" version="5.2.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="guava" version="28.2-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:28.2-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:28.2-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="jackson-coreutils-equivalence" version="1.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="json-schema-core" version="1.2.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.sun.mail" artifact_id="mailapi" version="1.6.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.sun.mail:all:1.6.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="net.java:jvnet-parent:1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="jvnet-nexus-snapshots" url="https://maven.java.net/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="net.java:jvnet-parent:1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.sun.mail:all:1.6.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="joda-time" artifact_id="joda-time" version="2.10.5"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.googlecode.libphonenumber" artifact_id="libphonenumber" version="8.11.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.googlecode.libphonenumber:libphonenumber-parent:8.11.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.googlecode.libphonenumber:libphonenumber-parent:8.11.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="net.sf.jopt-simple" artifact_id="jopt-simple" version="5.0.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.jena" artifact_id="jena-iri" version="4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.jena:jena:4.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="commons-cli" artifact_id="commons-cli" version="1.5.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:52"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:23"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:23"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:52"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.roaringbitmap" artifact_id="RoaringBitmap" version="1.0.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.jsonld-java" artifact_id="jsonld-java" version="0.13.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.github.jsonld-java:jsonld-java-parent:0.13.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.github.jsonld-java:jsonld-java-parent:0.13.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson" artifact_id="jackson-bom" version="2.11.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.11"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:38"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:38"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.11"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents" artifact_id="httpclient-cache" version="4.5.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-client:4.5.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-parent:11"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:21"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:21"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-parent:11"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-client:4.5.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents" artifact_id="httpclient" version="4.5.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-client:4.5.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-client:4.5.14"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.slf4j" artifact_id="jcl-over-slf4j" version="1.7.36"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.slf4j:slf4j-parent:1.7.36"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.slf4j:slf4j-parent:1.7.36"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.apicatalog" artifact_id="titanium-json-ld" version="1.3.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.glassfish" artifact_id="jakarta.json" version="2.0.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.glassfish:json:2.0.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.eclipse.ee4j:project:1.0.6"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.eclipse.ee4j:project:1.0.6"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.glassfish:json:2.0.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.protobuf" artifact_id="protobuf-java" version="3.24.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.google.protobuf:protobuf-parent:3.24.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.google.protobuf:protobuf-parent:3.24.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.thrift" artifact_id="libthrift" version="0.19.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-csv" version="1.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:56"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:29"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:29"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:56"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.9.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="commons-io" artifact_id="commons-io" version="2.14.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:62"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:62"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="commons-codec" artifact_id="commons-codec" version="1.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:58"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:29"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:29"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:58"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.junit" artifact_id="junit-bom" version="5.9.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-compress" version="1.24.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:61"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:30"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:61"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-collections4" version="4.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:48"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:21"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:21"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:48"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.ben-manes.caffeine" artifact_id="caffeine" version="3.1.8"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.andrewoma.dexx" artifact_id="collection" version="0.7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.jackson.core" artifact_id="jackson-annotations" version="2.16.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Adding repository id="sonatype-nexus-snapshots" url="https://oss.sonatype.org/content/repositories/snapshots"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml.jackson:jackson-parent:2.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml.jackson:jackson-parent:2.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.codehaus.woodstox" artifact_id="stax2-api" version="4.2.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:38"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:38"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.fasterxml.woodstox" artifact_id="woodstox-core" version="6.5.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.fasterxml:oss-parent:50"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.fasterxml:oss-parent:50"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.yaml" artifact_id="snakeyaml" version="2.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-math3" version="3.6.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:39"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:39"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.zaxxer" artifact_id="SparseBitSet" version="1.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.logging.log4j" artifact_id="log4j-api" version="2.18.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.logging.log4j:log4j:2.18.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.logging:logging-parent:5"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:24"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:24"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging:logging-parent:5"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.logging.log4j:log4j:2.18.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.commons" artifact_id="commons-text" version="1.10.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:54"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:27"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:27"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:54"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="commons-beanutils" artifact_id="commons-beanutils" version="1.9.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:47"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:19"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:19"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:47"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.poi" artifact_id="poi-ooxml-lite" version="5.2.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.xmlbeans" artifact_id="xmlbeans" version="5.1.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.virtuald" artifact_id="curvesapi" version="1.07"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="failureaccess" version="1.0.1"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:26.0-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:9"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:26.0-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.guava" artifact_id="listenablefuture" version="9999.0-empty-to-avoid-conflict-with-guava"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.google.guava:guava-parent:26.0-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.google.guava:guava-parent:26.0-android"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.checkerframework" artifact_id="checker-compat-qual" version="2.5.5"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.errorprone" artifact_id="error_prone_annotations" version="2.3.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="com.google.errorprone:error_prone_parent:2.3.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="com.google.errorprone:error_prone_parent:2.3.4"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.google.j2objc" artifact_id="j2objc-annotations" version="1.3"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="jackson-coreutils" version="2.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="uri-template" version="0.10"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.mozilla" artifact_id="rhino" version="1.7.7.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.sonatype.oss:oss-parent:7"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.apache.httpcomponents" artifact_id="httpcore" version="4.4.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-core:4.4.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.httpcomponents:httpcomponents-parent:11"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-parent:11"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.httpcomponents:httpcomponents-core:4.4.16"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="org.checkerframework" artifact_id="checker-qual" version="3.37.0"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="commons-logging" artifact_id="commons-logging" version="1.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:34"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache:apache:13"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache:apache:13"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:34"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="commons-collections" artifact_id="commons-collections" version="3.2.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Start parent      artifact="org.apache.commons:commons-parent:39"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Exit parent       artifact="org.apache.commons:commons-parent:39"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="msg-simple" version="1.2"
2024-10-10T16:19:09-07:00       DEBUG   [pom] Resolving...      group_id="com.github.java-json-tools" artifact_id="btf" version="1.3"
2024-10-10T16:19:09-07:00       DEBUG   OS is not detected.
2024-10-10T16:19:09-07:00       DEBUG   Detected OS: unknown
2024-10-10T16:19:09-07:00       INFO    Number of language-specific files       num=1
2024-10-10T16:19:09-07:00       INFO    [pom] Detecting vulnerabilities...
2024-10-10T16:19:09-07:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="pom.xml"
2024-10-10T16:19:09-07:00       DEBUG   [vex] VEX filtering is disabled
2024-10-10T16:19:09-07:00       WARN    Unable to marshal SPDX licenses license="(GNU General Public License, version 2 (GPL2), with the classpath exception) AND (The MIT License)"
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": ".",
  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/.-f334dc7f-33fe-4cc6-b4ed-2fd8d55af69e",
  "creationInfo": {
    "creators": [
      "Organization: aquasecurity",
      "Tool: trivy-dev"
    ],
    "created": "2024-10-10T23:19:09Z"
  },
  "packages": [
    {
      "name": "pom.xml",
      "SPDXID": "SPDXRef-Application-f8f4c07e63afadde",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "attributionTexts": [
        "Class: lang-pkgs",
        "Type: pom"
      ],
      "primaryPackagePurpose": "APPLICATION"
    },
    {
      "name": "com.apicatalog:titanium-json-ld",
      "SPDXID": "SPDXRef-Package-8b016d5b11b0f50b",
      "versionInfo": "1.3.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.apicatalog/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.apicatalog:titanium-json-ld:1.3.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.fasterxml.jackson.core:jackson-annotations",
      "SPDXID": "SPDXRef-Package-774e8aaf88500cea",
      "versionInfo": "2.16.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.fasterxml.jackson.core:jackson-annotations:2.16.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.fasterxml.jackson.core:jackson-core",
      "SPDXID": "SPDXRef-Package-c7ea49c36c723843",
      "versionInfo": "2.15.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.fasterxml.jackson.core:jackson-core:2.15.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.fasterxml.jackson.core:jackson-databind",
      "SPDXID": "SPDXRef-Package-f4b3bb3f9630fc2",
      "versionInfo": "2.16.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.fasterxml.jackson.core:jackson-databind:2.16.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.fasterxml.jackson.dataformat:jackson-dataformat-xml",
      "SPDXID": "SPDXRef-Package-73ff72c1f44ea727",
      "versionInfo": "2.15.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.dataformat/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml",
      "SPDXID": "SPDXRef-Package-8ac05d5727f6f713",
      "versionInfo": "2.15.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.fasterxml.jackson.dataformat/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.15.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.fasterxml.woodstox:woodstox-core",
      "SPDXID": "SPDXRef-Package-4e806e6735d7c9ff",
      "versionInfo": "6.5.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.fasterxml.woodstox/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.fasterxml.woodstox:woodstox-core:6.5.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.andrewoma.dexx:collection",
      "SPDXID": "SPDXRef-Package-78a4555696bb3cf6",
      "versionInfo": "0.7",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "MIT-License",
      "licenseDeclared": "MIT-License",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.andrewoma.dexx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.andrewoma.dexx:collection:0.7",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.ben-manes.caffeine:caffeine",
      "SPDXID": "SPDXRef-Package-697c3fc4d10373ac",
      "versionInfo": "3.1.8",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.ben-manes.caffeine/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.ben-manes.caffeine:caffeine:3.1.8",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:btf",
      "SPDXID": "SPDXRef-Package-c5a0f1624d061122",
      "versionInfo": "1.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:btf:1.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:jackson-coreutils",
      "SPDXID": "SPDXRef-Package-8fc92945d9a46a23",
      "versionInfo": "2.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:jackson-coreutils:2.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:jackson-coreutils-equivalence",
      "SPDXID": "SPDXRef-Package-d24dcc6ceec5f3de",
      "versionInfo": "1.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:jackson-coreutils-equivalence:1.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:json-schema-core",
      "SPDXID": "SPDXRef-Package-881684823f8a1a8",
      "versionInfo": "1.2.14",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:json-schema-core:1.2.14",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:json-schema-validator",
      "SPDXID": "SPDXRef-Package-5057bcef68a69a7c",
      "versionInfo": "2.2.14",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:json-schema-validator:2.2.14",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:msg-simple",
      "SPDXID": "SPDXRef-Package-d3da186f561d5349",
      "versionInfo": "1.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:msg-simple:1.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.java-json-tools:uri-template",
      "SPDXID": "SPDXRef-Package-d2a2548d657c77f6",
      "versionInfo": "0.10",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "licenseDeclared": "(Lesser-General-Public-License--version-3 OR greater) AND Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.java-json-tools/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.java-json-tools:uri-template:0.10",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.jsonld-java:jsonld-java",
      "SPDXID": "SPDXRef-Package-5481778817399de5",
      "versionInfo": "0.13.4",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "BSD-3-Clause",
      "licenseDeclared": "BSD-3-Clause",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.jsonld-java/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.jsonld-java:jsonld-java:0.13.4",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.github.virtuald:curvesapi",
      "SPDXID": "SPDXRef-Package-42cf2f3a2e92b389",
      "versionInfo": "1.07",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "BSD-3-Clause",
      "licenseDeclared": "BSD-3-Clause",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.github.virtuald/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.github.virtuald:curvesapi:1.07",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.code.findbugs:jsr305",
      "SPDXID": "SPDXRef-Package-3a8adbe502da5a0f",
      "versionInfo": "3.0.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.code.findbugs/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.code.findbugs:jsr305:3.0.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.code.gson:gson",
      "SPDXID": "SPDXRef-Package-c34044ac092c7bd5",
      "versionInfo": "2.8.9",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.code.gson/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.code.gson:gson:2.8.9",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.errorprone:error_prone_annotations",
      "SPDXID": "SPDXRef-Package-d9ab7da3f7940ab",
      "versionInfo": "2.3.4",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.errorprone/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.errorprone:error_prone_annotations:2.3.4",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.guava:failureaccess",
      "SPDXID": "SPDXRef-Package-5fa256080935396d",
      "versionInfo": "1.0.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.guava/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.guava:failureaccess:1.0.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.guava:guava",
      "SPDXID": "SPDXRef-Package-b7e682d44d209e63",
      "versionInfo": "28.2-android",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.guava/[email protected]"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2023-2976"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2020-8908"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.guava:guava:28.2-android",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.guava:listenablefuture",
      "SPDXID": "SPDXRef-Package-7ff6134f42cef405",
      "versionInfo": "9999.0-empty-to-avoid-conflict-with-guava",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.guava/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.j2objc:j2objc-annotations",
      "SPDXID": "SPDXRef-Package-12ed566ad49c286",
      "versionInfo": "1.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.j2objc/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.j2objc:j2objc-annotations:1.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.google.protobuf:protobuf-java",
      "SPDXID": "SPDXRef-Package-9fed95bc45fc628b",
      "versionInfo": "3.24.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "BSD-3-Clause",
      "licenseDeclared": "BSD-3-Clause",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.google.protobuf/[email protected]"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-7254"
        }
      ],
      "attributionTexts": [
        "PkgID: com.google.protobuf:protobuf-java:3.24.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.googlecode.libphonenumber:libphonenumber",
      "SPDXID": "SPDXRef-Package-1beac771fe6fc3b6",
      "versionInfo": "8.11.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.googlecode.libphonenumber/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.googlecode.libphonenumber:libphonenumber:8.11.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.opencsv:opencsv",
      "SPDXID": "SPDXRef-Package-6a14a31b1aa0b3ca",
      "versionInfo": "5.7.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.opencsv/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.opencsv:opencsv:5.7.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.sun.mail:mailapi",
      "SPDXID": "SPDXRef-Package-df3437b38985adee",
      "versionInfo": "1.6.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "CDDL-GPLv2-CE",
      "licenseDeclared": "CDDL-GPLv2-CE",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.sun.mail/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.sun.mail:mailapi:1.6.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "com.zaxxer:SparseBitSet",
      "SPDXID": "SPDXRef-Package-9dead10809d23a94",
      "versionInfo": "1.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/com.zaxxer/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: com.zaxxer:SparseBitSet:1.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "commons-beanutils:commons-beanutils",
      "SPDXID": "SPDXRef-Package-3fcb5435a11b584e",
      "versionInfo": "1.9.4",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-beanutils/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: commons-beanutils:commons-beanutils:1.9.4",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "commons-cli:commons-cli",
      "SPDXID": "SPDXRef-Package-7b0c54dd1d4572a1",
      "versionInfo": "1.5.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-cli/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: commons-cli:commons-cli:1.5.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "commons-codec:commons-codec",
      "SPDXID": "SPDXRef-Package-20253d86d6bfa5e4",
      "versionInfo": "1.16.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-codec/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: commons-codec:commons-codec:1.16.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "commons-collections:commons-collections",
      "SPDXID": "SPDXRef-Package-b8ab077a2ba85715",
      "versionInfo": "3.2.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-collections/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: commons-collections:commons-collections:3.2.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "commons-io:commons-io",
      "SPDXID": "SPDXRef-Package-20e591dd50723fc2",
      "versionInfo": "2.14.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-io/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: commons-io:commons-io:2.14.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "commons-logging:commons-logging",
      "SPDXID": "SPDXRef-Package-1dd6b257d2d00341",
      "versionInfo": "1.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-logging/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: commons-logging:commons-logging:1.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "joda-time:joda-time",
      "SPDXID": "SPDXRef-Package-32ae0b5d875daec7",
      "versionInfo": "2.10.5",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/joda-time/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: joda-time:joda-time:2.10.5",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "net.sf.jopt-simple:jopt-simple",
      "SPDXID": "SPDXRef-Package-93b3436a5e2971b3",
      "versionInfo": "5.0.4",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "The-MIT-License",
      "licenseDeclared": "The-MIT-License",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/net.sf.jopt-simple/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: net.sf.jopt-simple:jopt-simple:5.0.4",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.commons:commons-collections4",
      "SPDXID": "SPDXRef-Package-ec2bbefe9f54eb7e",
      "versionInfo": "4.4",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.commons/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.commons:commons-collections4:4.4",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.commons:commons-compress",
      "SPDXID": "SPDXRef-Package-47c5f6bd3513ca8b",
      "versionInfo": "1.24.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.commons/[email protected]"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-25710"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2024-26308"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.commons:commons-compress:1.24.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.commons:commons-csv",
      "SPDXID": "SPDXRef-Package-fec34be7aef84037",
      "versionInfo": "1.10.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.commons/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.commons:commons-csv:1.10.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.commons:commons-lang3",
      "SPDXID": "SPDXRef-Package-c8bedb7450b4e27",
      "versionInfo": "3.5",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.commons/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.commons:commons-lang3:3.5",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.commons:commons-math3",
      "SPDXID": "SPDXRef-Package-3da8bd7b64acc32e",
      "versionInfo": "3.6.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.commons/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.commons:commons-math3:3.6.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.commons:commons-text",
      "SPDXID": "SPDXRef-Package-f366e0a6e8c41c90",
      "versionInfo": "1.10.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.commons/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.commons:commons-text:1.10.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.httpcomponents:httpclient",
      "SPDXID": "SPDXRef-Package-e74ff67a35fd49e",
      "versionInfo": "4.5.14",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.httpcomponents/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.httpcomponents:httpclient:4.5.14",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.httpcomponents:httpclient-cache",
      "SPDXID": "SPDXRef-Package-be19a0f695f601d3",
      "versionInfo": "4.5.14",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.httpcomponents/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.httpcomponents:httpclient-cache:4.5.14",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.httpcomponents:httpcore",
      "SPDXID": "SPDXRef-Package-5988d2f5cb5a7962",
      "versionInfo": "4.4.16",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.httpcomponents/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.httpcomponents:httpcore:4.4.16",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.jena:jena-arq",
      "SPDXID": "SPDXRef-Package-43fdfc498bbd56fb",
      "versionInfo": "4.10.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.jena/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.jena:jena-arq:4.10.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.jena:jena-base",
      "SPDXID": "SPDXRef-Package-c5ec34ab11152df",
      "versionInfo": "4.10.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.jena/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.jena:jena-base:4.10.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.jena:jena-core",
      "SPDXID": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "versionInfo": "4.10.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.jena/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.jena:jena-core:4.10.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.jena:jena-iri",
      "SPDXID": "SPDXRef-Package-759e1bbe6d7289c6",
      "versionInfo": "4.10.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.jena/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.jena:jena-iri:4.10.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.logging.log4j:log4j-api",
      "SPDXID": "SPDXRef-Package-996b20a06ca535a9",
      "versionInfo": "2.18.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.logging.log4j/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.logging.log4j:log4j-api:2.18.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.poi:poi",
      "SPDXID": "SPDXRef-Package-3164463450e0d8a3",
      "versionInfo": "5.2.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.poi/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.poi:poi:5.2.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.poi:poi-ooxml",
      "SPDXID": "SPDXRef-Package-4af4e940e6971063",
      "versionInfo": "5.2.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.poi/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.poi:poi-ooxml:5.2.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.poi:poi-ooxml-lite",
      "SPDXID": "SPDXRef-Package-e348de727a4166a4",
      "versionInfo": "5.2.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.poi/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.poi:poi-ooxml-lite:5.2.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.thrift:libthrift",
      "SPDXID": "SPDXRef-Package-775c4035e8d09ce8",
      "versionInfo": "0.19.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.thrift/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.thrift:libthrift:0.19.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.ws.xmlschema:xmlschema-core",
      "SPDXID": "SPDXRef-Package-6ba7cce72805bc73",
      "versionInfo": "2.3.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.ws.xmlschema/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.ws.xmlschema:xmlschema-core:2.3.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.apache.xmlbeans:xmlbeans",
      "SPDXID": "SPDXRef-Package-d7f4c0880df0e9b5",
      "versionInfo": "5.1.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.apache.xmlbeans/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.apache.xmlbeans:xmlbeans:5.1.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.checkerframework:checker-compat-qual",
      "SPDXID": "SPDXRef-Package-b738343142abf8d6",
      "versionInfo": "2.5.5",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.checkerframework/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.checkerframework:checker-compat-qual:2.5.5",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.checkerframework:checker-qual",
      "SPDXID": "SPDXRef-Package-83532c6f780e1336",
      "versionInfo": "3.37.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "The-MIT-License",
      "licenseDeclared": "The-MIT-License",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.checkerframework/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.checkerframework:checker-qual:3.37.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.codehaus.woodstox:stax2-api",
      "SPDXID": "SPDXRef-Package-c8f3df5e78d6fcdf",
      "versionInfo": "4.2.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "BSD-4-Clause",
      "licenseDeclared": "BSD-4-Clause",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.codehaus.woodstox/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.codehaus.woodstox:stax2-api:4.2.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.glassfish:jakarta.json",
      "SPDXID": "SPDXRef-Package-1d86ca2175e2946f",
      "versionInfo": "2.0.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Eclipse-Public-License-2.0 AND GNU-General-Public-License--version-2 WITH the-GNU-Classpath-Exception",
      "licenseDeclared": "Eclipse-Public-License-2.0 AND GNU-General-Public-License--version-2 WITH the-GNU-Classpath-Exception",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.glassfish/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.glassfish:jakarta.json:2.0.1",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.json:json",
      "SPDXID": "SPDXRef-Package-cab6ea5b3c9ac170",
      "versionInfo": "20231013",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Unlicense",
      "licenseDeclared": "Unlicense",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.json/json@20231013"
        }
      ],
      "attributionTexts": [
        "PkgID: org.json:json:20231013",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.jsoup:jsoup",
      "SPDXID": "SPDXRef-Package-573ef005ef9d09b3",
      "versionInfo": "1.15.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "The-MIT-License",
      "licenseDeclared": "The-MIT-License",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.jsoup/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.jsoup:jsoup:1.15.3",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.mozilla:rhino",
      "SPDXID": "SPDXRef-Package-d3e53681a672c7ca",
      "versionInfo": "1.7.7.2",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Mozilla-Public-License--Version-2.0",
      "licenseDeclared": "Mozilla-Public-License--Version-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.mozilla/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.mozilla:rhino:1.7.7.2",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.roaringbitmap:RoaringBitmap",
      "SPDXID": "SPDXRef-Package-db80206f0f108d7d",
      "versionInfo": "1.0.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.roaringbitmap/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.roaringbitmap:RoaringBitmap:1.0.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.slf4j:jcl-over-slf4j",
      "SPDXID": "SPDXRef-Package-e134d5c31b74ed46",
      "versionInfo": "1.7.36",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.slf4j/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.slf4j:jcl-over-slf4j:1.7.36",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.slf4j:slf4j-api",
      "SPDXID": "SPDXRef-Package-fdde201acfca6a9a",
      "versionInfo": "2.0.7",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "MIT-License",
      "licenseDeclared": "MIT-License",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.slf4j/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.slf4j:slf4j-api:2.0.7",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.spdx:java-spdx-library",
      "SPDXID": "SPDXRef-Package-e933f4b96102f6e9",
      "versionInfo": "1.1.10",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.spdx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.spdx:java-spdx-library:1.1.10",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.spdx:spdx-jackson-store",
      "SPDXID": "SPDXRef-Package-87b7c32520d93c52",
      "versionInfo": "1.1.9",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.spdx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.spdx:spdx-jackson-store:1.1.9",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.spdx:spdx-rdf-store",
      "SPDXID": "SPDXRef-Package-86ed729ad6383e03",
      "versionInfo": "1.1.9",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.spdx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.spdx:spdx-rdf-store:1.1.9",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.spdx:spdx-spreadsheet-store",
      "SPDXID": "SPDXRef-Package-366825f01e83ac86",
      "versionInfo": "1.1.7",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.spdx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.spdx:spdx-spreadsheet-store:1.1.7",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.spdx:spdx-tagvalue-store",
      "SPDXID": "SPDXRef-Package-80ce5bfcff5790fa",
      "versionInfo": "1.1.7",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.spdx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.spdx:spdx-tagvalue-store:1.1.7",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.spdx:tools-java",
      "SPDXID": "SPDXRef-Package-25028abbefc88e4a",
      "versionInfo": "1.1.8",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.spdx/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.spdx:tools-java:1.1.8",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": "org.yaml:snakeyaml",
      "SPDXID": "SPDXRef-Package-b2d9da2b4d566c73",
      "versionInfo": "2.0",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: pom.xml",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.yaml/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: org.yaml:snakeyaml:2.0",
        "PkgType: pom"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": ".",
      "SPDXID": "SPDXRef-Filesystem-1465386cfbe4e9c7",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "attributionTexts": [
        "SchemaVersion: 2"
      ],
      "primaryPackagePurpose": "SOURCE"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Application-f8f4c07e63afadde",
      "relatedSpdxElement": "SPDXRef-Package-25028abbefc88e4a",
      "relationshipType": "CONTAINS"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Filesystem-1465386cfbe4e9c7",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-Filesystem-1465386cfbe4e9c7",
      "relatedSpdxElement": "SPDXRef-Application-f8f4c07e63afadde",
      "relationshipType": "CONTAINS"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-366825f01e83ac86",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-5057bcef68a69a7c",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-6ba7cce72805bc73",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-80ce5bfcff5790fa",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-86ed729ad6383e03",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-87b7c32520d93c52",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-25028abbefc88e4a",
      "relatedSpdxElement": "SPDXRef-Package-e933f4b96102f6e9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3164463450e0d8a3",
      "relatedSpdxElement": "SPDXRef-Package-20253d86d6bfa5e4",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3164463450e0d8a3",
      "relatedSpdxElement": "SPDXRef-Package-20e591dd50723fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3164463450e0d8a3",
      "relatedSpdxElement": "SPDXRef-Package-3da8bd7b64acc32e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3164463450e0d8a3",
      "relatedSpdxElement": "SPDXRef-Package-996b20a06ca535a9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3164463450e0d8a3",
      "relatedSpdxElement": "SPDXRef-Package-9dead10809d23a94",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3164463450e0d8a3",
      "relatedSpdxElement": "SPDXRef-Package-ec2bbefe9f54eb7e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-366825f01e83ac86",
      "relatedSpdxElement": "SPDXRef-Package-3164463450e0d8a3",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-366825f01e83ac86",
      "relatedSpdxElement": "SPDXRef-Package-4af4e940e6971063",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-366825f01e83ac86",
      "relatedSpdxElement": "SPDXRef-Package-6a14a31b1aa0b3ca",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-366825f01e83ac86",
      "relatedSpdxElement": "SPDXRef-Package-e933f4b96102f6e9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3fcb5435a11b584e",
      "relatedSpdxElement": "SPDXRef-Package-1dd6b257d2d00341",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-3fcb5435a11b584e",
      "relatedSpdxElement": "SPDXRef-Package-b8ab077a2ba85715",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-1d86ca2175e2946f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-5481778817399de5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-775c4035e8d09ce8",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-8b016d5b11b0f50b",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-9fed95bc45fc628b",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-be19a0f695f601d3",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-c34044ac092c7bd5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-c7ea49c36c723843",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-c8bedb7450b4e27",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-e134d5c31b74ed46",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-e74ff67a35fd49e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-43fdfc498bbd56fb",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-20e591dd50723fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-3164463450e0d8a3",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-42cf2f3a2e92b389",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-47c5f6bd3513ca8b",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-996b20a06ca535a9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-d7f4c0880df0e9b5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-e348de727a4166a4",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4af4e940e6971063",
      "relatedSpdxElement": "SPDXRef-Package-ec2bbefe9f54eb7e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-4e806e6735d7c9ff",
      "relatedSpdxElement": "SPDXRef-Package-c8f3df5e78d6fcdf",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-1beac771fe6fc3b6",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-32ae0b5d875daec7",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-881684823f8a1a8",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-93b3436a5e2971b3",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-b7e682d44d209e63",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-d24dcc6ceec5f3de",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-5057bcef68a69a7c",
      "relatedSpdxElement": "SPDXRef-Package-df3437b38985adee",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-697c3fc4d10373ac",
      "relatedSpdxElement": "SPDXRef-Package-83532c6f780e1336",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-697c3fc4d10373ac",
      "relatedSpdxElement": "SPDXRef-Package-d9ab7da3f7940ab",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-6a14a31b1aa0b3ca",
      "relatedSpdxElement": "SPDXRef-Package-3fcb5435a11b584e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-6a14a31b1aa0b3ca",
      "relatedSpdxElement": "SPDXRef-Package-c8bedb7450b4e27",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-6a14a31b1aa0b3ca",
      "relatedSpdxElement": "SPDXRef-Package-ec2bbefe9f54eb7e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-6a14a31b1aa0b3ca",
      "relatedSpdxElement": "SPDXRef-Package-f366e0a6e8c41c90",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-73ff72c1f44ea727",
      "relatedSpdxElement": "SPDXRef-Package-4e806e6735d7c9ff",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-73ff72c1f44ea727",
      "relatedSpdxElement": "SPDXRef-Package-774e8aaf88500cea",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-73ff72c1f44ea727",
      "relatedSpdxElement": "SPDXRef-Package-c7ea49c36c723843",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-73ff72c1f44ea727",
      "relatedSpdxElement": "SPDXRef-Package-c8f3df5e78d6fcdf",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-73ff72c1f44ea727",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-80ce5bfcff5790fa",
      "relatedSpdxElement": "SPDXRef-Package-e933f4b96102f6e9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-86ed729ad6383e03",
      "relatedSpdxElement": "SPDXRef-Package-43fdfc498bbd56fb",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-86ed729ad6383e03",
      "relatedSpdxElement": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-86ed729ad6383e03",
      "relatedSpdxElement": "SPDXRef-Package-c5ec34ab11152df",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-86ed729ad6383e03",
      "relatedSpdxElement": "SPDXRef-Package-e933f4b96102f6e9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-73ff72c1f44ea727",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-8ac05d5727f6f713",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-c34044ac092c7bd5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-c7ea49c36c723843",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-cab6ea5b3c9ac170",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-e933f4b96102f6e9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-87b7c32520d93c52",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-8fc92945d9a46a23",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-b7e682d44d209e63",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-d24dcc6ceec5f3de",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-d2a2548d657c77f6",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-d3e53681a672c7ca",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-881684823f8a1a8",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-8ac05d5727f6f713",
      "relatedSpdxElement": "SPDXRef-Package-b2d9da2b4d566c73",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-8ac05d5727f6f713",
      "relatedSpdxElement": "SPDXRef-Package-c7ea49c36c723843",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-8ac05d5727f6f713",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-8fc92945d9a46a23",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-8fc92945d9a46a23",
      "relatedSpdxElement": "SPDXRef-Package-d3da186f561d5349",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-8fc92945d9a46a23",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "relatedSpdxElement": "SPDXRef-Package-759e1bbe6d7289c6",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "relatedSpdxElement": "SPDXRef-Package-7b0c54dd1d4572a1",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "relatedSpdxElement": "SPDXRef-Package-c5ec34ab11152df",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-9cf62d26a5f2b2f2",
      "relatedSpdxElement": "SPDXRef-Package-db80206f0f108d7d",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-b7e682d44d209e63",
      "relatedSpdxElement": "SPDXRef-Package-12ed566ad49c286",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-b7e682d44d209e63",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-b7e682d44d209e63",
      "relatedSpdxElement": "SPDXRef-Package-5fa256080935396d",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-b7e682d44d209e63",
      "relatedSpdxElement": "SPDXRef-Package-7ff6134f42cef405",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-b7e682d44d209e63",
      "relatedSpdxElement": "SPDXRef-Package-b738343142abf8d6",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-b7e682d44d209e63",
      "relatedSpdxElement": "SPDXRef-Package-d9ab7da3f7940ab",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-be19a0f695f601d3",
      "relatedSpdxElement": "SPDXRef-Package-e74ff67a35fd49e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5a0f1624d061122",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-20253d86d6bfa5e4",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-20e591dd50723fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-47c5f6bd3513ca8b",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-697c3fc4d10373ac",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-78a4555696bb3cf6",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-c8bedb7450b4e27",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-ec2bbefe9f54eb7e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-fdde201acfca6a9a",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-c5ec34ab11152df",
      "relatedSpdxElement": "SPDXRef-Package-fec34be7aef84037",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d24dcc6ceec5f3de",
      "relatedSpdxElement": "SPDXRef-Package-8fc92945d9a46a23",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d24dcc6ceec5f3de",
      "relatedSpdxElement": "SPDXRef-Package-b7e682d44d209e63",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d24dcc6ceec5f3de",
      "relatedSpdxElement": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d2a2548d657c77f6",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d2a2548d657c77f6",
      "relatedSpdxElement": "SPDXRef-Package-b7e682d44d209e63",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d2a2548d657c77f6",
      "relatedSpdxElement": "SPDXRef-Package-d3da186f561d5349",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d3da186f561d5349",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d3da186f561d5349",
      "relatedSpdxElement": "SPDXRef-Package-c5a0f1624d061122",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-d7f4c0880df0e9b5",
      "relatedSpdxElement": "SPDXRef-Package-996b20a06ca535a9",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e134d5c31b74ed46",
      "relatedSpdxElement": "SPDXRef-Package-fdde201acfca6a9a",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e348de727a4166a4",
      "relatedSpdxElement": "SPDXRef-Package-d7f4c0880df0e9b5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e74ff67a35fd49e",
      "relatedSpdxElement": "SPDXRef-Package-5988d2f5cb5a7962",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e933f4b96102f6e9",
      "relatedSpdxElement": "SPDXRef-Package-3a8adbe502da5a0f",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e933f4b96102f6e9",
      "relatedSpdxElement": "SPDXRef-Package-573ef005ef9d09b3",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e933f4b96102f6e9",
      "relatedSpdxElement": "SPDXRef-Package-c34044ac092c7bd5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e933f4b96102f6e9",
      "relatedSpdxElement": "SPDXRef-Package-c8bedb7450b4e27",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-e933f4b96102f6e9",
      "relatedSpdxElement": "SPDXRef-Package-fdde201acfca6a9a",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-f366e0a6e8c41c90",
      "relatedSpdxElement": "SPDXRef-Package-c8bedb7450b4e27",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relatedSpdxElement": "SPDXRef-Package-774e8aaf88500cea",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-Package-f4b3bb3f9630fc2",
      "relatedSpdxElement": "SPDXRef-Package-c7ea49c36c723843",
      "relationshipType": "DEPENDS_ON"
    }
  ]
}

Operating System

Windows 11

Version

dev - from branch v0.55.2

Checklist

Run trivy clean --all
Read the troubleshooting

knqyf263 · 2024-10-11T07:54:59Z

knqyf263
Oct 11, 2024
Maintainer

@DmitriyLewen Can you please take a look?

0 replies

goneall · 2024-10-11T17:50:08Z

goneall
Oct 11, 2024
Author

A couple thoughts, suggestions - It looks like the license ID is being generated from the text in the license POM file.

I have found that the license URL to be much more reliable in identifying listed license IDs. The text can be somewhat ambiguous and unreliable.

For an implementation in Java of this approach, see the MavenToSpdxLicenseMapper. It is licensed under Apache 2.0 - so please feel free to leverage whatever makes sense.

0 replies

DmitriyLewen · 2024-10-14T06:28:23Z

DmitriyLewen
Oct 14, 2024
Maintainer

Hello @goneall
Thanks for this info and help!

Created #7721 for this task.

Regards, Dmitriy

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid License Expressions for non-listed SPDX license IDs #7716

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

Invalid License Expressions for non-listed SPDX license IDs #7716

goneall Oct 10, 2024

Description

Desired Behavior

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments

knqyf263 Oct 11, 2024 Maintainer

goneall Oct 11, 2024 Author

DmitriyLewen Oct 14, 2024 Maintainer

goneall
Oct 10, 2024

knqyf263
Oct 11, 2024
Maintainer

goneall
Oct 11, 2024
Author

DmitriyLewen
Oct 14, 2024
Maintainer