As with just about any software product these days, SimpleRisk did not write 100% of the code included in the product. Over the years, we have used a variety of third-party software to provide features and functionality for our user base. In 2019, we performed a full audit of all third-party source code that has been included in the product and verified that we are in compliance with all known licenses for the included software. Below is the Bill of Materials (BOM), produced from that effort, which outlines each of these software packages and the licensing that was found for them. If you are the developer, maintainer, or licensor for any of these packages and believe that this information is in error, we'd ask that you please submit a support ticket to address your concerns.
SimpleRisk Bill of Materials (BOM)
SimpleRisk Core: This is the free and open source offering from SimpleRisk that also forms the basis for both our on-prem and hosted offerings. It is licensed under the Mozilla Public License (MPL) 2.0.
PHP Libraries Included in the SimpleRisk Core
HighchartsPHP: Licensed under the GNU General Public License (Version 3, 29 June 2007).
PHPMailer: Licensed under the GNU Lesser General Public License (Version 2.1, February 1999)
CSRF-Magic (http://csrf.htmlpurifier.org/): Licensed under the BSD 2-Clause "Simplified" License.
Epiphany: Custom copyright notice and license located under simplerisk/includes/epiphany/LICENSE.
Zend Escaper: Custom copyright notice and license located under simplerisk/includes/Component_ZendEscaper/LICENSE.md.
HighCharts: SimpleRisk has purchased a perpetual Highcharts OEM License for unlimited installations. This license applies for all customers using SimpleRisk, regardless of whether they are utilizing it in a hosted or on-premise installation.
jQuery Tree Widget (https://github.com/daredevel/jquery-tree): Licensed under the MIT license.
Datatables: Licensed under the MIT license.
Bootstrap (http://getbootstrap.com): Licensed under the MIT license.
Bootstrap Multiselect (http://davidstutz.de/bootstrap-multiselect/): Licensed under the Apache License, Version 2.0.
Color picker: Dual licensed under the MIT and GPL licenses
Date Range Picker (https://www.daterangepicker.com): Licensed under the MIT license.
TableSorter (http://tablesorter.com): Dual licensed under the MIT and GPL licenses.
MomentJS (momentjs.com): Licensed under the MIT license.
SelectizeJS (https://github.com/selectize/selectize.js): Licensed under the Apache License (v2).
AngularJS (http://angularjs.org): Licensed under the MIT license.
Control Frameworks Included in the SimpleRisk Core
CIS Critical Security Controls: Verified with CIS that can be included in SimpleRisk.
HIPAA (April 2016): Unsure of license status.
NIST 800-171 : Publication is free of charge.
PCI DSS 3.2: Unsure of license status.
SimpleRisk Extras: These are the paid-for plug and play additions to the SimpleRisk Core. These may be individually licensed or purchased as a package. Terms and conditions vary by customer as well as deployment scenario.
PHP Libraries Included in SimpleRisk Extras
- PHPOffice (https://github.com/PHPOffice): Included in the SimpleRisk Risk Assessment and Import-Export Extras. Licensed under the GNU Lesser General Public License.
- Spout (https://opensource.box.com/spout/): Included in the ComplianceForge SCF Extra. Licensed under the Apache License 2.0.
Control Frameworks Included in SimpleRisk Extras
ComplianceForge Secure Controls Framework: Included in the ComplianceForge SCF Extra. Licensed under the Creative Commons Attribution-NoDerivatives 4.0 International Public License.