What’s wrong with iText?
How did it all begin?
If you are exporting data to PDF from Java, you are very likely to use the iText library, which has been the go-to solution for many Java developers for over a decade.
iText was originally developed in 1998 as part of a software project at the University of Gent. At that time the iText authors released it as open source, and up to version 4.2.0 iText was licensed under both the LGPL and the MPL and was used in hundreds of projects.
Starting with version 5.1, iText changed its license to AGPL 3.0. Projects for which such a restrictive license is not suitable can either purchase a commercial license or use an older version of the library, i.e. 4.2.0 or earlier. This is why, even today, many projects still use older versions of iText licensed under LGPL/MPL.
Why does it matter to you?
According to the iText authors, during the due diligence performed in preparation for iText 5, several intellectual property (IP) issues were discovered that violate the copyrights or IP rights of others. Some examples:
• Some code snippets in iText were borrowed from projects with two licenses. The original developer assumed this was "dual licensing" and that he could follow the more permissive license, but according to the new legal assessment both licenses apply.
• Some parts of the code had no license. The original authors could not be reached for clarification, and the code was used anyway.
• In some cases a CLA* had to be negotiated.
In the newer versions, parts with an unclear license were removed, or the licenses were clarified and steps were taken to comply with all obligations. From a compliance perspective, older versions therefore risk infringing the IP rights of the respective authors.
What should you do?
Therefore, whenever an older version of iText (4.x or earlier) shows up in one of our audits, our recommendation is either to move to the latest version of iText (which may require a commercial license) or to switch to an available alternative, e.g. PDFBox, html2pdf or another library.
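The version thresholds above (4.2.0 and earlier under LGPL/MPL, 5.1 and later under AGPL 3.0) can be turned into a simple check over a project's pom.xml. The script below is an added example, not Bitsea's audit tooling; it assumes the Maven coordinates com.lowagie:itext and com.itextpdf:itextpdf, which the article does not name, and uses a constructed pom.xml fragment as input.

```python
import re
import xml.etree.ElementTree as ET

ITEXT_ARTIFACTS = {  # assumed Maven coordinates of iText, not named in the article
    ("com.lowagie", "itext"),      # 2.x-4.2.x line
    ("com.itextpdf", "itextpdf"),  # 5.x line
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment used as sample input.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.lowagie</groupId>
      <artifactId>itext</artifactId>
      <version>2.1.7</version>
    </dependency>
    <dependency>
      <groupId>com.itextpdf</groupId>
      <artifactId>itextpdf</artifactId>
      <version>5.5.13</version>
    </dependency>
  </dependencies>
</project>"""

def version_key(version):
    # '4.2.0' -> (4, 2, 0) so versions compare numerically; () if no digits
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def classify(version):
    # Map an iText version onto the licence eras described in the article
    if not version_key(version):  # e.g. ${itext.version}: property not resolved
        return "version not literal: resolve the Maven property first"
    if version_key(version) <= version_key("4.2.0"):
        return "LGPL/MPL era (4.2.0 or earlier): IP-clearance risk, upgrade or replace"
    if version_key(version) >= version_key("5.1"):
        return "AGPL 3.0 (5.1 or later): commercial licence unless AGPL is acceptable"
    return "between 4.2.0 and 5.1: check the licence of this exact release"

def find_itext(pom_xml):
    # Return (groupId, artifactId, version, finding) for every iText dependency
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        if (group, artifact) in ITEXT_ARTIFACTS:
            findings.append((group, artifact, version, classify(version)))
    return findings
```

Run it with `print(find_itext(SAMPLE_POM))`, or point `find_itext` at the contents of a real pom.xml; dependencies whose version comes from a Maven property are flagged for manual resolution rather than silently classified.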
How does Bitsea help?
Bitsea conducts software audits that aim to discover the full list of third-party and open-source libraries used in your code. We apply comprehensive scanning techniques to your code, going as deep as detecting copy-pasted third-party code, and deliver a bill of materials containing third-party library names, versions, license names and the vulnerabilities associated with those libraries.
* Contributor License Agreement: a Contributor License Agreement (CLA), also called a Contributor Agreement, is a document describing the conditions under which intellectual property can be contributed to a project or endeavor, usually a software project under an open-source license [Wikipedia].