Third-Party Audit Report
ObviousPDF – .NET 8 PDF Generation Library
Last Updated: 2026 | Document Version: 1.0
Executive Summary
ObviousPDF is built with minimal external dependencies to maximize security, simplicity, and performance. This audit documents all runtime dependencies, bundled resources, and their respective licenses.
Runtime Dependencies: 1 NuGet package
Bundled Fonts: 3 font families (12 font files)
License Compliance: MIT (1) + SIL OFL 1.1 (3)
Known Vulnerabilities: None
1. Runtime Dependencies
ObviousPDF targets .NET 8 and depends on exactly one NuGet package from Microsoft:
| Package | Version | License | Purpose |
|---|---|---|---|
| System.Security.Cryptography.Pkcs | 8.0.1 | MIT | Digital signatures, PKCS#7/CMS signing |
MIT License (System.Security.Cryptography.Pkcs)
Source: https://github.com/dotnet/runtime
License Text: https://github.com/dotnet/runtime/blob/main/LICENSE.TXT
The MIT License permits unrestricted use, modification, and redistribution of the software in source and binary forms, provided that the above copyright notice and license text are included in all copies or substantial portions of the software.
2. Bundled Fonts
ObviousPDF includes three font families bundled under the SIL Open Font License v1.1 (OFL). These fonts are embedded in the assembly and can be used, modified, and redistributed freely.
| Font Family | Files | License | Purpose |
|---|---|---|---|
| CMU Serif (Computer Modern Unicode) | cmunrm.ttf (Roman), cmunbx.ttf (Bold), cmunti.ttf (Italic), cmunbi.ttf (Bold Italic) | SIL OFL 1.1 | Times Roman substitute |
| Sora | Sora-Regular.ttf, Sora-Bold.ttf, Sora-Italic.ttf, Sora-BoldItalic.ttf | SIL OFL 1.1 | Helvetica/Arial substitute |
| CMU Typewriter (Computer Modern Unicode) | cmuntt.ttf (Regular), cmuntb.ttf (Bold), cmunit.ttf (Italic), cmuntx.ttf (Bold Italic) | SIL OFL 1.1 | Courier/Monospace substitute |
Font License: SIL Open Font License v1.1
SIL Open Font License (OFL) v1.1 Summary
Sources:
- CMU Serif: Font Squirrel (based on Computer Modern)
- Sora: Google Fonts
- CMU Typewriter: Font Squirrel
The SIL Open Font License permits you to:
- Use the fonts in your applications, documents, and publications.
- Embed the fonts in software, PDFs, and web pages.
- Modify the fonts to create derivative works (e.g., subsetting).
- Redistribute the fonts under the same OFL v1.1 license.
The only requirements are:
- Include the original copyright notice and OFL license text with any redistribution.
- Do not sell the fonts themselves as standalone products.
- Do not use the font names in modified versions without explicit permission (unless redistributing under OFL).
Full License Text: https://opensource.org/licenses/OFL-1.1
3. Dependencies Summary Table
| Component | Type | License | Status |
|---|---|---|---|
| System.Security.Cryptography.Pkcs (Microsoft) | NuGet Package | MIT | ✓ Current |
| CMU Serif Font Family | Bundled Resource | SIL OFL 1.1 | ✓ Current |
| Sora Font Family | Bundled Resource | SIL OFL 1.1 | ✓ Current |
| CMU Typewriter Font Family | Bundled Resource | SIL OFL 1.1 | ✓ Current |
4. Known Vulnerabilities
No known vulnerabilities have been identified in the current versions of ObviousPDF's dependencies.
The single runtime dependency (System.Security.Cryptography.Pkcs 8.0.1) is maintained by Microsoft and is regularly updated with security patches. Monitor the dotnet/runtime repository for security advisories.
5. License Compliance Verification
All dependencies are used in compliance with their respective licenses:
- ✓ MIT (System.Security.Cryptography.Pkcs): Copyright notices included in distributions
- ✓ SIL OFL 1.1 (Fonts): Fonts may be embedded; OFL license included with distributions
- ✓ No GPL/Copyleft: ObviousPDF uses no GPL or copyleft-licensed components
- ✓ Proprietary Use: All dependencies permit commercial and proprietary use
6. Audit Methodology
This audit was conducted by:
- Inspecting the `ObviousPDF.csproj` project file for declared NuGet dependencies
- Reviewing embedded resources and font files in the project structure
- Verifying license terms for all dependencies via official sources
- Cross-referencing against common vulnerability databases (CVE, NVD)
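The first two methodology steps can be automated as a drift check that compares a project file against the inventory in this report. The following is an added example, not code from the ObviousPDF project; the sample project file, the `Fonts\` resource path and the function name `audit_csproj` are assumptions made for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Inventory as stated in this audit report.
EXPECTED_PACKAGES = {"System.Security.Cryptography.Pkcs": "8.0.1"}
EXPECTED_FONTS = {
    "cmunrm.ttf", "cmunbx.ttf", "cmunti.ttf", "cmunbi.ttf",
    "Sora-Regular.ttf", "Sora-Bold.ttf", "Sora-Italic.ttf", "Sora-BoldItalic.ttf",
    "cmuntt.ttf", "cmuntb.ttf", "cmunit.ttf", "cmuntx.ttf",
}

# Constructed sample project file (not the real ObviousPDF.csproj); the
# Fonts\ directory layout is an assumption made for this example.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
    <PackageReference Include="Example.Unreviewed.Package" Version="1.2.3" />
    <EmbeddedResource Include="Fonts\\cmunrm.ttf" />
    <EmbeddedResource Include="Fonts\\Sora-Regular.ttf" />
    <EmbeddedResource Include="Fonts\\Unlisted.ttf" />
  </ItemGroup>
</Project>"""

def audit_csproj(xml_text):
    """Return sorted findings where the project deviates from the inventory."""
    findings, fonts, seen = [], set(), set()
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]  # tolerate a legacy MSBuild xmlns on tags
        name = el.get("Include", "")
        if tag == "PackageReference":
            version = el.get("Version") or el.findtext("Version") or "unspecified"
            seen.add(name)
            if name not in EXPECTED_PACKAGES:
                findings.append(f"unaudited package: {name} {version}")
            elif version != EXPECTED_PACKAGES[name]:  # also flags floating versions
                findings.append(f"version drift: {name} {version}")
        elif tag == "EmbeddedResource" and name.lower().endswith(".ttf"):
            if "*" in name:  # a glob cannot be checked without the file tree
                findings.append(f"wildcard font include: {name}")
            else:
                fonts.add(ntpath.basename(name))
    findings += [f"missing package: {p}" for p in EXPECTED_PACKAGES.keys() - seen]
    findings += [f"unaudited font: {f}" for f in fonts - EXPECTED_FONTS]
    findings += [f"missing font: {f}" for f in EXPECTED_FONTS - fonts]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_csproj(SAMPLE_CSPROJ):
        print(finding)
```

An empty result means the project file matches the audited inventory; this check covers only directly declared items, not transitive packages.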
7. Updates & Changes
| Date | Version | Changes |
|---|---|---|
| 2026 | 1.0 | Initial audit report for ObviousPDF v0.1.0 |
8. Contact & Questions
For questions about third-party components or license compliance, please contact:
- Licensing: licensing@obviouspdf.com
- GitHub: https://github.com/alanfrans/PDFPrime
© 2026 Relevant LLC. All rights reserved. ObviousPDF is a product of Relevant LLC.