
CC2340R5-Q1: We used BLACKDUCK to scan TI's SDK and are requesting TI's assistance in resolving the issue

Part Number: CC2340R5-Q1

Hi TI,

Currently, our company is using CC2340 and CC2745 for project development. In accordance with the requirements from the client, we need to sign a FOSS declaration document. We have scanned the SDK provided by TI using BLACKDUCK and found the following open-source code. We hope TI can assist in providing a solution.

We have scanned a total of three SDKs and detected the same open-source code issues in all of them. Here is a list of the findings, with the reasons we inferred from the scan results.

Scan result columns: No. | Component | Source | Match Type | Match Score | Usage | License | License Risk | Security Risk | Operational Risk | BlackDuck Recommendation and FII's requirements

1. ble_examples
   Source: simplelink_cc2640r2_sdk-4.10.00.00
   Match: 1 match, the file has been modified, match score 4%
   Usage: Dynamic Link
   License: LGPL-2.1-or-later
   Risk ratings (license / security / operational, as reported): Medium, High
   FII: Scan results indicate a high-risk associated file in the SDK's \SOURCE\TI\ble5stack_flash\common\cc26xx\time directory, but no associated files were found in that directory. However, the code in this directory is identical to the code in the time directory of the ble_examples simplelink_cc2640r2_sdk-4.10.00.00 project on git. Both sets of code in the time directories carry licenses provided by TI, without LGPL licenses. Did TI adopt the LGPL license to provide this segment of open-source code? If so, can FII declare only the TI license? Or can TI provide an alternative solution without LGPL?

2. FreeRTOS Real Time Kernel
   Source: V10.5.1
   Match: 16 matches, accurate index, match score 79%
   Usage: Dynamic Link
   License: MIT
   Risk ratings (license / security / operational, as reported): High, Low
   BlackDuck: This version has known vulnerabilities and needs to be updated to version V10.6.2 or above.
   FII: We hope that TI can update this code in the SDK to the new version or provide us with code that meets the update requirements.

3. mcuboot
   Source: MCUBOOT_062_RC4
   Match: 2 matches, the file has been modified, match score 7%
   Usage: Dynamic Link
   License: Apache-2.0
   Risk ratings (license / security / operational, as reported): High
   BlackDuck: This version was last updated on April 16, 2020, and it is recommended to update to a newer version.
   FII: We hope that TI can update this code in the SDK to the new version or provide us with code that meets the update requirements.

Note: We have scanned the three versions of the SDK listed below.

1. simplelinklowpower_f3_sdk_8_10_00_63_ea
2. simplelinklowpower_f3_sdk_8_10_00_46_eng
3. simplelinklowpower_f3_sdk_8_10_00_01_ea

Have a good day!

James

2024.08.01

  • Hi,

    I would discard the results on the CC2640R2 examples because that is an entirely different device, referring to an SDK from nearly 4-5 years ago. Not sure what else to say there.

    Regarding FreeRTOS and MCUBoot, we will not update the versions supported in that SDK because the SDK is validated with those versions. In future releases, though, you will see continued updates for these components. I will give this feedback internally so they can be aware of the request to update in future releases.