Open Fgerthoffert opened 2 months ago
As background for this request: on an open source project (for which there's a requirement for an Apache 2 license), we're currently using a version of the client (7.4.2) under the Apache 2 license, but that version includes jackson-dataformat 2.8.1 (a version with a vulnerability: CVE-2020-28491).
The vulnerability does not expose the project itself, but it does come up in automated security scans. Removing that false positive would require an upgrade to the client in v7.15+.
We're aware of the new Java client under the Apache 2 license, but it would require some refactoring on our end, which we have in sight, but over a longer term.
Pinging @elastic/es-delivery (Team:Delivery)
Hello, any updates on this ticket?
Thanks
Elasticsearch Version
7.17
Installed Plugins
No response
Java Version
Not Java specific
OS Version
Not OS Specific
Problem Description
Hello,
In v7.17 the documentation states that the license is "Apache License, Version 2.0".
But in the corresponding source code, the license appears to be "Elastic License 2.0" https://github.com/elastic/elasticsearch/blob/7.17/client/rest-high-level/build.gradle#L23
Resulting in this pom in maven central: https://repo1.maven.org/maven2/org/elasticsearch/client/elasticsearch-rest-high-level-client/7.17.0/elasticsearch-rest-high-level-client-7.17.0.pom
Could you please provide some clarifications regarding the license of the Java High-Level REST client (and ideally align the two)?
Thanks,
Steps to Reproduce
Opening up the rendered doc and the corresponding POM files in the source code highlights the inconsistency.
Logs (if relevant)
No response