I'm trying to get Spring AI approved for use at my day job employer, but as it stands, the request is being rejected due to the Black Duck / OpenHub "Security Confidence Index" of the project. As of right now, OpenHub has Spring AI at 75.68%. Unfortunately, we require a score of 90% or higher to allow an OSS library to be used here.

Sadly the score doesn't provide a ton of details about exactly what aspects contribute to the score and how they are weighted, so I can't be very specific about suggested changes. All I can ask is that the project try to improve this score.

FWIW, I expect that this type of policy is going to be common for large firms in highly regulated industries, so this isn't just a "me" request. It's my guess that many users will eventually be impacted by this.

https://openhub.net/p/spring-ai

Comment From: dafriz

If you click on the security link from that page - https://openhub.net/p/spring-ai/security - the versions it is looking at for CVEs appear to be Spring Boot rather than Spring AI. I.e. the version range is 2.6.12 through to 3.5.5.

Comment From: mindcrime

> If you click on the security link from that page - https://openhub.net/p/spring-ai/security - the versions it is looking at for CVEs appear to be Spring Boot rather than Spring AI. I.e. the version range is 2.6.12 through to 3.5.5.

Oh wow. Yeah, that is weird. I guess the Black Duck thing is mis-configured and reading the wrong code. I'll try emailing them and let them know, see if maybe they'll resolve it.

Thanks for pointing that out, @dafriz!

Comment From: ilayaperumalg

@mindcrime Thanks for reporting and @dafriz Thanks for the insights.

I have submitted a PR which will upgrade the Spring Boot version on 1.1.x (current main branch) to 3.5.5 (the latest available Spring Boot version on 3.5.x). Hopefully, that improves the security confidence and helps you unblock.

Comment From: mindcrime

> @mindcrime Thanks for reporting and @dafriz Thanks for the insights.
>
> I have submitted a PR which will upgrade the Spring Boot version on 1.1.x (current main branch) to 3.5.5 (the latest available Spring Boot version on 3.5.x). Hopefully, that improves the security confidence and helps you unblock.

Thanks. I'll keep watching the Black Duck thing and see if anything changes.

Comment From: mindcrime

FYI, I did reach out to Black Duck. They acknowledged that there may be an issue on their end, and are investigating. I'll update here when / if I hear more.

Comment From: ilayaperumalg

@mindcrime Thank you very much for the follow up and update!