Spring Boot versions 2.7.8 and 2.7.18 (and probably all in between) are being flagged by FOSSA for a license violation caused by a transitive dependency: ch.qos.logback:logback-classic (1.12.2), which contains "LGPL-2.1-only".
Can org.springframework.boot:spring-boot-starter-logging depend on a "non-GPL" alternative library?
spring-boot-starter-web (2.7.18): org.springframework.boot:spring-boot-starter-web -> org.springframework.boot:spring-boot-starter -> org.springframework.boot:spring-boot-starter-logging -> ch.qos.logback:logback-classic
Comment From: mhalbritter
Why is an LGPL-licensed library a problem for you?
You can switch from Logback to Log4J or Java Util Logging if you like.
Please note that Spring Boot 2.7.x is out of OSS support, you should upgrade or consider commercial support.
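
The switch to Log4j 2 suggested in the comment above, sketched as a Maven `pom.xml` fragment. This is an added example, not part of the thread or of Spring Boot's own build files; it assumes the project inherits from `spring-boot-starter-parent` 2.7.x so that dependency versions are managed.

```xml
<!-- Added example (not from the thread). Assumption: versions are managed by
     the spring-boot-starter-parent 2.7.x BOM, so none are declared here. -->
<dependencies>
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
      <!-- Cuts the chain reported in the issue:
           starter-web -> starter -> starter-logging -> logback-classic -->
      <exclusion>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-logging</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Replacement logging starter (Log4j 2 instead of Logback) -->
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
  </dependency>
</dependencies>
```

Any other starter in the project pulls in `spring-boot-starter-logging` the same way and needs the same exclusion; `mvn dependency:tree -Dincludes=ch.qos.logback` shows whether Logback is still on the classpath before the license scan is re-run.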
Comment From: bclozel
@artursouza additionally, this should be reported to the FOSSA tool, as the library is released under a dual license: https://logback.qos.ch/license.html and https://github.com/qos-ch/logback/blob/master/LICENSE.txt
Maven Central does detect this dual license situation just fine.
Comment From: artursouza
Thanks for the responses, I will report it in FOSSA.