Posted to notifications@zookeeper.apache.org by GitBox <gi...@apache.org> on 2020/11/23 17:31:40 UTC

[GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

ztzg commented on pull request #1549:
URL: https://github.com/apache/zookeeper/pull/1549#issuecomment-732311186


   > The most confusing part is that I found Eclipse Public Licence in latest Jetty release tarball and also in the version that we're using now, despite that we include ASF licence in Jetty licence file in our codebase.
   
   The JAR manifest says either:
   
       Bundle-License: http://www.apache.org/licenses/LICENSE-2.0, https://www.eclipse.org/org/documents/epl-v10.php
   
   And, indeed, `META-INF/LICENSE` says **or**:
   
   > This program and the accompanying materials are made available under the terms of the Eclipse Public License 2.0 which is available at http://www.eclipse.org/legal/epl-2.0, **or** the Apache Software License 2.0 which is available at https://www.apache.org/licenses/LICENSE-2.0.
   
   In case it helps: here is something I tried, which seems to work, and might facilitate future maintenance:
   
   ```sh
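   # Drop the checked-in per-JAR Jetty licence files so stale versions do not linger.
   rm -f zookeeper-server/src/main/resources/lib/jetty-*.LICENSE.txt
   # Regenerate one licence file per bundled Jetty JAR from its embedded META-INF/LICENSE.
   for i in zookeeper-server/target/lib/jetty-*.jar; do
       unzip -qq -c "$i" META-INF/LICENSE \
           >"zookeeper-server/src/main/resources/lib/$(basename "$i" .jar).LICENSE.txt"
   done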
   ```
   
   Cheers, -D

