LAST UPDATED: SimpleRisk 20240927-001 Release
As with just about any software product these days, SimpleRisk did not write 100% of the code included in the product. Over the years, we have used a variety of third-party software to provide features and functionality for our user base. Attached is the Software Bill of Materials (SBOM) for the above noted release of SimpleRisk. It is provided in the CycloneDX format as both a JSON and XML file so that SimpleRisk customers may programmatically verify the composition of our software and the licenses utilized. If you are the developer, maintainer, or licensor for any of these packages and believe that this information is in error, we'd ask that you please submit a support ticket to address your concerns.
Manually Managed Dependencies
Name | Location | License | Dependency Note |
---|---|---|---|
csrf-magic | /vendor/simplerisk/csrf-magic | BSD-2-Clause license | As the original CSRF-Magic library is no longer supported, we have forked this library under our control and made updates to it to resolve known vulnerabilities. |
jeasyui | /vendor/simplerisk/jeasyui | Proprietary | This is a proprietary library which is licensed by SimpleRisk. It is included from a repository under our control and manually updated there. We are looking to phase out use of EasyUI in a future release of SimpleRisk. |
Additional Dependency Notes
- Component_ZendEscaper: There is an old, unmanaged Component_ZendEscaper directory under simplerisk/includes; however, this software package is not used by any SimpleRisk code. It will be removed completely in the next release.
- TinyMCE: SimpleRisk is running the latest 6.x release of TinyMCE, but we are unable to update it to use the newer 7.x branch as the licensing was changed. We are looking for a replacement WYSIWYG editor. There are currently no known vulnerabilities for version 6.8.4.
- Bootstrap: SimpleRisk is running version 5.3.3. CVE-2024-6484 and CVE-2024-6531 relate to vulnerabilities in this version of Bootstrap; however, SimpleRisk does not utilize the impacted carousel component.
- The SimpleRisk Core has the ability to perform self-assessments using a handful of control frameworks. While we have been able to verify the license status of the CIS Critical Security Controls and NIST 800-171 control frameworks as acceptable, we were unable to verify the license status of the HIPAA (April 2016), PCI DSS 3.2 or PCI DSS 4.0 frameworks. While we believe these to be acceptable, customers should verify with their legal team before use.
- The Secure Controls Framework, which is included in the Secure Controls Framework (SCF) Extra, has been verified as licensed under the Creative Commons Attribution-NoDerivatives 4.0 International Public License.
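The release note says the CycloneDX SBOM is provided so customers can programmatically verify composition and licenses, and the Bootstrap note above is the kind of "not affected" statement that CycloneDX can carry in a vulnerability `analysis` block. The following script is an added example, not SimpleRisk's code and not part of the SBOM itself: it loads a small CycloneDX 1.5 JSON document constructed inline (component names and the two Bootstrap CVE ids are taken from the notes above; the `bom-ref` values, the tinymce and bootstrap license entries and the `analysis` blocks are sample values assumed for the example), flags components whose licenses are not on an allow-list or are missing, and lists vulnerabilities whose analysis does not justify leaving them alone.

```python
"""Read a CycloneDX JSON SBOM, enforce a license allow-list and list the
vulnerabilities whose analysis (VEX-style) does not justify ignoring them."""
import json

# Constructed sample SBOM in CycloneDX 1.5 JSON. Component names and the
# Bootstrap CVE ids come from the SimpleRisk notes; bom-refs, the tinymce and
# bootstrap license entries and the analysis blocks are assumed sample values.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "ref-csrf-magic", "name": "csrf-magic",
         "licenses": [{"license": {"id": "BSD-2-Clause"}}]},
        {"type": "library", "bom-ref": "ref-jeasyui", "name": "jeasyui",
         "licenses": [{"license": {"name": "Proprietary"}}]},
        {"type": "library", "bom-ref": "ref-tinymce", "name": "tinymce",
         "version": "6.8.4", "licenses": [{"expression": "MIT"}]},
        {"type": "library", "bom-ref": "ref-bootstrap", "name": "bootstrap",
         "version": "5.3.3", "licenses": [{"license": {"id": "MIT"}}]},
        # A component with no license information at all (sample value).
        {"type": "library", "bom-ref": "ref-unknown", "name": "unknown-lib"},
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-6484", "affects": [{"ref": "ref-bootstrap"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "The carousel component is not used."}},
        {"id": "CVE-2024-6531", "affects": [{"ref": "ref-bootstrap"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "The carousel component is not used."}},
    ],
})

# Licenses this (hypothetical) organisation accepts without legal review.
ALLOWED_LICENSES = {"BSD-2-Clause", "MIT"}


def load_sbom(text):
    """Parse JSON and make sure it claims to be a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def component_licenses(component):
    """Collect the license identifiers declared for one component.

    CycloneDX allows each entry to be either {"license": {"id"|"name"}}
    or {"expression": "<SPDX expression>"}; both forms are handled."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def check_licenses(sbom, allowed):
    """Map component name -> declared licenses for every component that
    declares no license or declares one outside the allow-list."""
    findings = {}
    for comp in sbom.get("components", []):
        lics = component_licenses(comp)
        if not lics or any(lic not in allowed for lic in lics):
            findings[comp["name"]] = lics
    return findings


def open_vulnerabilities(sbom):
    """Return the ids of vulnerabilities that still need attention.

    A vulnerability is considered handled only when its analysis state is
    resolved / false_positive, or not_affected WITH a justification; an
    unjustified not_affected, in_triage, exploitable or a missing analysis
    block all stay on the list."""
    closed = {"resolved", "resolved_with_pedigree", "false_positive"}
    pending = []
    for vuln in sbom.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state")
        if state in closed:
            continue
        if state == "not_affected" and analysis.get("justification"):
            continue
        pending.append(vuln["id"])
    return pending


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    for name, lics in check_licenses(bom, ALLOWED_LICENSES).items():
        print(f"license review needed: {name} -> {lics or 'none declared'}")
    for vuln_id in open_vulnerabilities(bom):
        print(f"open vulnerability: {vuln_id}")
```

Run against the real SimpleRisk JSON SBOM by replacing `SAMPLE_SBOM_JSON` with the file contents; the allow-list and the "justification required" rule are the two policy knobs, and the second one is what turns a vendor's prose statement like the Bootstrap note into something a pipeline can check rather than trust.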