azure-cognitiveservices-speech SDK Vulnerability Issue Due to License Type

[hifaz1012]

• azure-cognitiveservices-speech:
• 1.42.0
• Windows
• 3.11:

Describe the bug
When customer source code was scanned using Azure DevOps Vulnerability Scanner Sonatype azure-cognitiveservices-speech SDK was detected as High Risk.

The issue is probably due to license type and therefore detected as threat. The license is set as "Other/Proprietary," whereas typically, other Azure SDKs have an "MIT License."

References: -

https://help.sonatype.com/en/license-threat-groups.html

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @oscholz @robch.

[BrianMouncer]

I think the scan tool is just flagging any package it finds with a license type of "other" as an unknown risk and flagged them for human review. That doesn't mean there is anything wrong with the package or license, just that you need to read the EULA and make sure it is not a viral copy left, or pay per use type license...

If you look at any of the released for this package on pypi.org, that will point you to a standard Microsoft EULA type license file and a Thrid Party Notice file required recognize the use of any Open Source components that require attribution as part of their license types.

Hope that helps you resolve this scan tool warning.

[github-actions]

Hi @hifaz1012. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.