Black Duck match - kotlinbukkitkit-architecture. False positive?

We are currently using MQTT Community Edition 2023.9, and we scanned it using the Black Duck Software Composition Analysis tool - it is mainly used to detect copyright and license issues in source code.

It flagged up files in hivemq.jar, specifically in the kotlin/ folder, as coming from kotlinbukkitkit-architecture v1.0.0, GitHub repo here. The concern is that this is detected to have a GPL v3 license. (The newest change on that repo changes its license to MIT.)

But if I dig into the files in that directory, it seems not to match anything from that CarcadeX repo, but rather just some version of files from the kotlin repo from JetBrains, here. That has a much more permissive license, Apache v2.0.

Could somebody (preferably a HiveMQ maintainer / engineer) clarify please?

Thanks!

Hi @EmbeddedHacker,

Thank you for reaching out about this.

As you suspected, Black Duck is giving you a false positive reading here. No part of the HiveMQ platform utilizes the kotlinbukkitkit-architecture dependency.

We actually include every third-party license with every product in every release. This can be found in a folder called third-party-licenses that is included in the root directory of the release .zip.

As you can see in this screenshot:

Here is an excerpt of the licenses for the HiveMQ 4.22 Platform release broker product. (You can clearly see the actual kotlin dependency listed there).

...
 org.jctools:jctools-core                                                   | 4.0.1                                     | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.kotlin:kotlin-stdlib                                         | 1.8.22                                    | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.kotlin:kotlin-stdlib-common                                  | 1.8.22                                    | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.xodus:xodus-compress                                         | 1.2.3                                     | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.xodus:xodus-entity-store                                     | 1.2.3                                     | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.xodus:xodus-environment                                      | 1.2.3                                     | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.xodus:xodus-openAPI                                          | 1.2.3                                     | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.xodus:xodus-utils                                            | 1.2.3                                     | Apache-2.0    | https://spdx.org/licenses/Apache-2.0.html
...

Have a great evening

Georg Held
Director of Product Development at HiveMQ
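As an added example (not code from the thread, from HiveMQ or from Black Duck), this is the triage the question describes, done mechanically: hash the jar entries under the flagged kotlin/ directory and compare them with the same entries in the dependency actually declared in third-party-licenses, and check that table for the flagged component. The jar contents, the kotlin-stdlib jar and the class names are constructed placeholders; only the table layout follows the excerpt above.

```python
import hashlib
import io
import zipfile

# Constructed excerpt in the third-party-licenses layout quoted in the thread
# (coordinate | version | SPDX id | URL); two of the Kotlin rows are reproduced.
LICENSE_TABLE = """
 org.jetbrains.kotlin:kotlin-stdlib        | 1.8.22 | Apache-2.0 | https://spdx.org/licenses/Apache-2.0.html
 org.jetbrains.kotlin:kotlin-stdlib-common | 1.8.22 | Apache-2.0 | https://spdx.org/licenses/Apache-2.0.html
"""

def parse_license_table(text):
    """Map each declared coordinate to (version, SPDX id)."""
    deps = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) >= 3 and ":" in cells[0]:
            deps[cells[0]] = (cells[1], cells[2])
    return deps

def entry_digests(jar_bytes, prefix):
    """SHA-256 of every file entry under `prefix` in an in-memory jar."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(prefix) and not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def triage_match(product_jar, declared_jar, prefix="kotlin/"):
    """Split the product's entries under `prefix` into those byte-identical to
    the declared dependency's jar (the SCA hit is explained) and the rest."""
    product = entry_digests(product_jar, prefix)
    declared = entry_digests(declared_jar, prefix)
    explained = sorted(n for n, h in product.items() if declared.get(n) == h)
    return explained, sorted(set(product) - set(explained))

def make_jar(entries):
    """Build a jar from {name: bytes}; only used to construct the demo inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed demo: a hypothetical kotlin-stdlib jar and a shaded product jar whose
# kotlin/ entries match it except for one locally patched class.
STDLIB_JAR = make_jar({"kotlin/Unit.class": b"\xca\xfe\xba\xbe unit", "kotlin/Pair.class": b"\xca\xfe\xba\xbe pair"})
PRODUCT_JAR = make_jar({"kotlin/Unit.class": b"\xca\xfe\xba\xbe unit", "kotlin/Pair.class": b"\xca\xfe\xba\xbe pair",
                        "kotlin/Patched.class": b"\xca\xfe\xba\xbe local", "com/hivemq/Main.class": b"x"})
```

Against a real release the same functions take the bytes of hivemq.jar and of the kotlin-stdlib jar for the version listed in third-party-licenses; a non-empty unexplained list, not the directory name alone, is what merits a closer look.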

Thanks Georg! Much appreciated for the quick reply.
