ort

A suite of tools to automate software compliance checks.

APACHE-2.0 License

Stars: 1.5K
Committers: 96

ort - https://github.com/oss-review-toolkit/ort/releases/tag/21.0.0 Latest Release

Published by github-actions[bot] 6 months ago

What's Changed

Breaking Changes 🛠

  • 6c082264d630b717efb5a0a9a85b9a8ed52900e1 refactor(model)!: Use a better name for getIssues()

Bug Fixes 🐞

  • adf14d48ec85fab9ab0ef6ec8250f644e1e29814 cargo: Do not make assumptions about the package ID for hash lookups
  • 7522a0c3e9051a7bb8961ae56e7ce35f063a673f cargo: Do not make assumptions about the package ID for projects
  • 09400533f74d02446f497554145caa2aafaa78e5 cargo: Improve parsing of lockfile formats
  • bef2e95546fcc59f9ad7958d859ae4e1e9f88804 fossid-webapp: Remove unnecessary call to normalize
  • f71f994c15e489d3e6bdfd6fc32d53be703a19b0 schemas: Add missing entries for package managers

New Features 🎉

  • 9ef7945f138acaff68863e5fe5a10e87aeb3a26f cargo: Add the alternative deps to the metadata model
  • 4771b24aa11e946ce91558e53d428806ea1da2f2 requirements: Add a dedicated version status for unknown versions

Build 🐘 & CI ⚙️

  • c7d5c3a4d2c247bc0f3a411edeea118086e15d37 renovate: Extend from config:recommended

Chores 🔧

  • cf06ac9457af8b2dac9c011573c26bef5df39c7d cargo: Move two variables closer to where they are being used
  • 303705ce9c3dcb0270f6f09af54dc6af3b80f591 cargo: Reorder top-level functions
  • e407d11ea350c55c6fd7701f3b8d0404085cf8b0 downloader: Remove the redundant protected enum qualifier
  • f54813ef1b04cbeb75bfc9e92b5f81a91cdc41f2 go: Drop the support for the Go dep package manager
  • f0121b2fbdbdb93b4d7d11b1a9063bdb05e1b63e integrations: Re-generate shell completion scripts
  • b9481f0bbf2c92f53ad0f6171309048f0f5bc494 model: Replace a size check with isNotEmpty()
  • 9707529209dc423fe334c2e14694f7993a9c0c60 requirements: Add "!" prefixes for identified problems
  • 968f956962301538b5e99c82a58f2da2a8cd72d9 Sort NOTICE file entries alphabetically

Dependency Updates 🚀

  • 65ed1079484b213b744275580a3f9a6244f0e46d update dependency ch.qos.logback:logback-classic to v1.5.4
  • 9cb8e7cec64c6302a35200102741818e84a8b583 update dependency com.autonomousapps.dependency-analysis to v1.31.0
  • 87f2675b1aa59cb970c90f4f87aad4054a56061a update dependency com.opentable.components:otj-pg-embedded to v1.0.3
  • f1623e83ee072534a993721da5a4328f5af3a5e4 update dependency org.semver4j:semver4j to v5.2.3
  • 6fca2678dc7bb9ddcd93244a46e3655b24ed519b update ktor to v2.3.10

Documentation 📖

  • c7ed840d503fd1ab8196e92e2157919abdfc5100 cargo: Document CargoMetadata members
  • 67dda3387117b804bb82ed6c322b6e04a582bfca requirements: Document the VersionStatus enum members

Refactorings 🚜

  • c1a0c66c7cafa39a82d753ef67503944eea065ca cargo: Do not require parsing the manifest
  • 5e701a8f623d09182785e3e832b4dbc137a82a3f cargo: Extract kind names to constants
  • e6b84fa771607dc18c1918213acfc7e0396cee44 cargo: Get project authors and homepage from projectPkg
  • 887fcc25ec70e3cce43779812a5de25f93aa22db cargo: Get the project's processed declared licenses directly
  • 85c452316467f3cf27d12e8e8c8e1065e759947a cargo: Inline processDeclaredLicenses()
  • b815e659a7add85e270660d088f0c72521303623 cargo: Make fewer assumptions about internal package IDs
  • acb18cbd7f709690f93f9b6af01d1e61a7a76b39 cargo: Move serializers to their respective model classes
  • c7d24d9ed360da2ba8493b1e26e61fcabdcd6adc cargo: Turn some functions into extensions for convenience
  • 5818de3573c18fd45fc6aa5337ff251dd5e5ba51 go: Move normalizeModuleVersion() to GoMod.kt
  • 2f8c7b58e77a056d50a0495cf5bdc2bd9c4d0a17 model: Simplify filtering resolved issues
  • 8b63ffe61474147de4afbd0944900b23a0c71605 model: Simplify filtering resolved vulnerabilities
  • 03bd19473cbe04794fa5705dca52cfcd0da9e249 model: Simplify resolving rule violations

Other Changes 💡

  • 3ce77c798770ff3980736ed0fb32e00ffc93d68f revert(docker): Revert "Revert Upgrade Go to version 1.22.0"
  • 1a10da7bfe155e67a7c51e0d1b7295dc6b2295aa style(Gradle): Adhere to const naming conventions
  • 3876ec71e2f1eadabef03ac7e928be8526042cf2 style: Prefer equality checks over Elvis operator use

ort - https://github.com/oss-review-toolkit/ort/releases/tag/20.1.0

Published by github-actions[bot] 7 months ago

What's Changed

Bug Fixes 🐞

  • b73f36b083365772bcbbbc56de14717095952122 scancode: Filter out non-originary findings that are just references
  • b1de4395eafe92c339079a9208588ec3acbd54c8 scancode: Use SPDX expressions for file matches if present

New Features 🎉

  • 85ef86adfef09554546fe1ef9eb0cf87de6bbb82 scancode: Support reading matched_text fields

Chores 🔧

  • 858f29bed8f11224b5cc491494feb54f51031a32 gradle-plugin: End a log message with a dot for consistency

Dependency Updates 🚀

  • 5d61699c008112dab5b6a8fd213e433fdbfa621f Upgrade ScanCode to version 32.1.0
  • edb691989de65f5b43f4895a410e1de265a4ae12 update dependency org.wiremock:wiremock to v3.5.0
  • cf19739d8c73133ca85d5dd703d0e7623e3ef3af update dependency org.wiremock:wiremock to v3.5.1
  • 48ae81634c5a3bd4d55e89d2474dc05825a5ae03 update dependency org.wiremock:wiremock to v3.5.2
  • 96c5e1809336e261b3880675e05218dac5e972bf update graphqlplugin to v6.7.0
  • 563d91ce171487618908ac09df4b68d04d01ca5e update retrofit to v2.11.0
  • 0cc08fcfb099ccd43b952b61a126676dd81d0fe0 update wagoid/commitlint-github-action action to v6

Refactorings 🚜

  • 747187fc7c25aac993cb5a4628f985e9daa5dfb6 Use Kotest's own tempdir() in tests

Tests ✅

  • 71d637569abfa81cce3b33b73d53daeb6952e560 python: Update expected test results
  • 3e929b61112aff5f224b0287045fd0c4b1953cde scancode: Add a test for findings from other files

ort - https://github.com/oss-review-toolkit/ort/releases/tag/20.0.0

Published by github-actions[bot] 7 months ago

What's Changed

Breaking Changes 🛠

  • 7c0717f5e1e07ebbd2b432c0c8f78e7a7392f04f chore(model)!: Remove findPathExcludes() that is only used in tests

Bug Fixes 🐞

  • e9b6d35777076858e16ee1d5ef51a4b2c7b7214f fossid: Map to the normalized license on success
  • 4f32b500b2d29404d2260c191f25f4aea09d5fa3 gradle-plugin: Do not fail with NPE when dependency POMs are missing
  • e2dbfc8951efbbdef1b23b396509ae957db1e3df version: Add missing Bazel version

New Features 🎉

  • 2577dd0ce19ddfc7f70f1c929097552b27b06738 clients: Add Bazel module registry client
  • 79f9da07322fbc0e2145dbabebc61788608cf179 docker: Add Bazel to runtime image and env path
  • d860271705f81a344ccd0a0cfe064a70fcf52eaa package-manager: Add initial support for Bazel

Build 🐘 & CI ⚙️

  • 3126b410fc41eabc2e162f91e79e17e940becf8a GitHub: Include Bazel in docker-ort workflow

Chores 🔧

  • 4578371937aebdc1c4a60faf2ff9f807e76081d1 fossid: Remove a redundant qualifier
  • 5cca2828cf5e55e9ad9233cf62e8d2e82ce49fc1 model: Remove a superfluous conversion via let
  • bb28def2cebb2758649dfb22c603a4f33487340a model: Remove the unused transactionAsync() function

Dependency Updates 🚀

  • 0a486983c433053cd742ec1bf5392a1bc11336fb update dependency com.github.ajalt.clikt:clikt to v4.3.0
  • ad247469bdd08bb8eb0f78b5d174034e5c56426e update dependency dev.adamko.dokkatoo:dokkatoo-plugin to v2.3.0
  • 399665fd01a817cc57ab017ded2fdbaa813ec460 update dependency gradle to v8.7
  • 28f4ae65dfbd931580db2d29a0c3b2d08e5b5f10 update detektplugin to v1.23.6
  • d8d70ce1c0e195082ab3da7d6e080663adec5692 update exposed to v0.49.0
  • 653f29684b1e705dc248350df54ab55f9474e91b update jetbrains/qodana-action action to v2023.3.2

Documentation 📖

  • e4af83c3f24f032d3c021cab7cfc4109100b3082 model: Explain why the ConfigurationResolver filters curations
  • ed751085e04453416b384fbe4cb1d36b14665484 model: Improve PathExclude class documentation
  • 3bf311584813d6ddf15f7ee18da393aed5604375 scanner: Add a missing import for KnownProvenance
  • c9c8f49bbb0bd31e37399195d1121ac0dd60a4bb scanner: Fix scan storage references

Refactorings 🚜

  • 9495d548c6e74cef9342ee1b9b028c1a0268277b model: Make an associateLicensesWithExceptions overload public

ort - https://github.com/oss-review-toolkit/ort/releases/tag/19.1.0

Published by github-actions[bot] 7 months ago

What's Changed

New Features 🎉

  • a23c65023a6b29687a958d5413cac8aba69270a2 fossid-webapp: Identify snippet choice entries that have been removed

ort - https://github.com/oss-review-toolkit/ort/releases/tag/19.0.0

Published by github-actions[bot] 7 months ago

What's Changed

Breaking Changes 🛠

  • 85b6df49960b58bc0818504d0181bfcd18039384 refactor(scanner)!: Inline a constant
  • 70b1b869815ae1ff4fbdf53828939e25ad98d829 refactor(scanner)!: Merge read functions of package based storage reader
  • 7168c9f0b75d2c71e32798e82fe2c2df43a812c4 refactor(scanner)!: Merge read functions of provenance based storage reader
  • 9044c4c44e1ed1dd7815269917f927998be120d8 refactor(scanner)!: Move ScanResultsStorage to storage package
  • f7dd71961496b92f293a97ef39bc9b9cfba68da9 refactor(scanner)!: Remove unused function from ScanResultsStorage
  • 160312af9e2cb2578c2f791702e0459914543626 refactor(scanner)!: Rename ScanResultsStorage
  • 20df88537df986ee74227dd8152924aedd38707a refactor(scanner)!: Rename the package based storages

Bug Fixes 🐞

  • 0301583c14ec97c4f5e4c6d0e0f10b788bf7e3ad fossid-webapp: Align license mapping for snippets
  • e2c09b2bdbc1be8577b148f497a5a4fc20ff35b6 gradle: Add a dedicated work-around for a Gradle 8.5 bug
  • 0905a9053862402b34e0ff326b20c36d8b94d55c gradle: Only register a ProgressListener in debug log mode
  • a9a064c0572ffa03a7f75c307f15318cc94fd329 gradle-inspector: Use ORT's fixed-up user home directory
  • 986c7623f75ba28c12fd2fdae8fda34a8b5dfdae gradle-model: Ensure compatibility by lowering the Java target
  • 568465f8645531a84976954daf508e0533ce4fc8 gradle-plugin: Add a work-around for a regression in Gradle 8.2
  • 4bf2ada0bf6dc8da937b1f1b5d4b70f8f3715c51 Make the logger implementation available to test-utils consumers

New Features 🎉

  • 6279ba7d04aae6406bf33dd9be9ecd27ed2f7c96 cli: Use the resolved resolutions in NotifierCommand
  • 829dad7fb3513b1054684dca836341483a207432 downloader: Adhere to Package.sourceCodeOrigins
  • 16ee7fd9f0a1ecd9b547b2616db64aa0cf9cf24b flutter: Upgrade flutter version to 3.19.3
  • 118af8ae791043ba407eb3a0184b63e353aa70ea fossid-webapp: Add license findings from snippet choice
  • 18b456d60d438e00513530d7ac6a31ef4f7ce423 fossid-webapp: Retain snippet choice state in FossID
  • cadf56aa09c2ce1f771ebf48ccdaaaf3fe404cd0 model: Add the property Package.sourceCodeOrigins
  • bf1218430e7c827af5adddc3b55b8695fdf2dcea model: Allow to set sourceCodeOrigins via package curations
  • 87f5d32488e8424a001450d8ec17d267f1ab5c5e scanner: Adhere to Package.sourceCodeOrigins
  • 786d3a645fbf56363966e09389357a96a948a703 swiftpm: Support lockfile format version 3

Build 🐘 & CI ⚙️

  • 494a32434823a3f0190db4e8e128b2efb223a14a GitHub: Do not set up a specific version of Java anymore
  • 04e60c6098c5778c4fab84389670c9e7d8f0d755 GitHub: Reactivate unified test result diffs
  • d7af7364be933aef0b9af20c66c58c7c03867b95 Gradle: Switch to the official KxS converter for Retrofit

Chores 🔧

  • fe710995b3ffa83c520f807793d29648f0739e5f fossid-webapp: Extract license mapping code to a separate function
  • e569df9a5aa9d94399454fea6e927ac6a383a313 fossid-webapp: Move createMarkAsIdentifiedFile to TestUtils
  • 199cc9ecc25c7e6a380c17e8cdc774c627ca098b scanner: Remove obsolete docs

Dependency Updates 🚀

  • 409ddccf172b28b21f71109b5346de979cda0da2 spdx-utils: Re-import the SPDX 3.23 list
  • e16b6f9c14d8119892ab4fb0da2dcae204bf8551 Upgrade the ks3 library to version 0.6.0
  • da8bd03e5c572fa4d27e94cabca9cc89af362aae update dependency com.networknt:json-schema-validator to v1.4.0
  • b84dcc438a9b57da55275d5d233506d5bc31895d update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.15
  • 487c30cdf52eb9f8d8ed26734941a2137328d6f5 update dependency org.jetbrains.gradle.plugin.idea-ext to v1.1.8
  • fc5fd10c697f4d525ce839ecc28815df649dd0ea update dependency org.postgresql:postgresql to v42.7.3
  • 8b007307189cae1f8dd9942c6363c29d961e92e1 update dependency org.springframework:spring-core to v5.3.33
  • dbbaac816440b059511341866bbbdb9fb2517a72 update retrofit to v2.10.0

Documentation 📖

  • f1b3d58cd6517b0a68b3752f7b8f4764fd022f6d common-utils: Update the link to AntPathMatcher
  • 30849b5ed0cdad2b0f499aa9c13bec8b1147ea0c examples: Add an example for setting sourceCodeOrigins
  • 12292928a01ff0a29b538c76b7b124c96833b9f0 gradle: Fix a grammar mistake
  • 2fefbc19f6d49521d9c87a56c4e5f941b6a080f9 model: Mention constraints for sourceCodeOrigins property
  • 97ca2ff95b79d265ea7b88066f21a0dd16e2c1b8 model: Remove some double dot
  • 38f9ddead5d4827c74f3348286f5137503a8b3e5 node: Add a missing quote
  • ac9e019a66f9593cdcdc73620a161c63d93ed5d7 scanner: Fix punctuation in ScannerMatcher docs
  • f8b76d72888c213c440553fcea48105340c8b44f swiftpm: Add links to the data model of the lockfile
  • 433778b8183a78000b79ca2298b55e4b7e05a0bc website: Explain the new sourceCodeOrigins property

Performance Enhancements ⚡

  • f3f536626e5da0c46850f67cd501b9682b27da33 Disable Kotest's classpath scanning for faster test startup

Refactorings 🚜

  • d2583acc141c9342a5badddf2778406f8ec826f6 gitlab-reporter: Use Ks3 serializers
  • e68a7c1aaa483b24653823bb31e77ed3719881f3 go: Drop an unnecessary data mapping
  • 5b0ede14952b8f8eb2776f54e6a3ed65b70c3eb2 go: Drop an unnecessary log warning
  • c74e1ebf07fb703e49b6d7171fca6468e0b6a808 go: Factor out parseGoDepLockfile()
  • e536dec933f8d7c5ca364cd569c490e1eca358d2 model: Extract a function to check source code origins
  • e89a4997218d0b28fe00b8ea7080e23fc87979fb package-managers: Align on Lockfile instead of LockFile
  • 1ddb89bb2cbe78588e199c29fc0b2554228f78fb package-managers: Align on lowercase lockfile in var names
  • 3c83d5fa0b035485e73e86fe0c5eebeef736deeb scanner: Rename sourceCodeOriginsPriority
  • 6c6ddbf21deff5a573dd2622ea20208614b2d688 Align on wording "lockfile" as a single word

Tests ✅

  • 3c74aa17afd2c90e041cad0fc35005e379a23559 scanner: Rename the abstract storage test classes

Other Changes 💡

  • 0ddcfe4875df7f3d91715375d47cf1765b709e2f style(gradle-plugin): Reformat code fluently to reduce indentation

ort - https://github.com/oss-review-toolkit/ort/releases/tag/18.0.0

Published by github-actions[bot] 7 months ago

What's Changed

Breaking Changes 🛠

  • 39c0ecb4fa357c7b5b123c7f7de15fed6194190f refactor(model)!: Reduce the visibility of two converters

Bug Fixes 🐞

  • 0e3cb55e5f5f7be1e0da16bd6305185b75a3a506 advisors: Use potentially customized PURLs in advisor queries

New Features 🎉

  • fad4d5e724bad288fad6077ef8f821d9023d924a cli: Print the JDK version ORT was built with
  • 3238adb9559432c21179d1b4e45b8edf38d5a12c fossid-webapp: Mark files with all qualified snippets as identified

Build 🐘 & CI ⚙️

  • f29a5d25fdaf55b07c139153a195e72d67819b71 Gradle: Allow to configure the build JDK via toolchains

Chores 🔧

  • a5051ae8ad36e488fcf2c906e83d1fd09400e1bc Gradle: Remove an unneeded work-around for KT-48745
  • b6defe6b1d009e9593d2e042e6e4026f3eebc617 Gradle: Remove unneeded default imports
  • d201f9ebed4bf9aa40b957140b8d32eaa511615a docker: Upgrade Conan to version 1.63
  • d298f52819e40006d048f39c2ca296034a2a6746 spdx: Get the scope relationships dynamically

Dependency Updates 🚀

  • c81a79aa4cc72b0c7a45f8bc2a5a269df4355910 Gradle: Update the gradle-maven-publish-plugin to version 0.28.0
  • 40fb4abafd7cff51c20adfb406ff65eed3874e5a update dependency com.github.ajalt.mordant:mordant to v2.4.0
  • c1297741f5375a564127011bc4a88ae743275ce2 update dependency com.github.jmongard.git-semver-plugin to v0.12.6
  • c0aa6833d326ce4a822a6ff6fe2149942a6a5f3f update dependency org.apache.commons:commons-compress to v1.26.1
  • 9935f319314b063a76df2eb2d3f2cbfeb6cd882b update dependency org.asciidoctor:asciidoctorj to v2.5.12
  • 4590097d0bc6f8e7432bcba8716b3aeb429c4087 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.14
  • 9267b43bc573217d273923edc126299015e246fe update jackson to v2.16.2
  • fcddf518b5d17aef6c3b0158d34583ee0dadf8d0 update jackson to v2.17.0
  • 5e1af3bac0c3b3de571223181230f6f03b383937 update jgit to v6.9.0.202403050737-r
  • 287cc399d9f965df209bcba41ebf283ec3251eef update kotest to v5.8.1
  • 1dafba07a29d844960fc497bf1b44cfafc197187 update log4j2 monorepo to v2.23.1

Documentation 📖

  • 0b8731e2d2566cdafec80c551d22b2b8133383ba ADOPTERS: Fix typos and improve wording
  • 5cbb03ce31740d16b6aa961ec8db1f2330cbba09 README: Minor wording and punctuation improvements
  • d2aca89f9edeb5d013e043c9c341159e0eacd383 development: Add a link to the GitHub discussions
  • b427e64f5c405a62a51344fcf69d580f435589fe development: Add a section about the used static analysis tools
  • e034461901982095a05735407942f808266c396b development: Simplify a sentence
  • bf37b09f236397ccb0158783a9c85308c230b0da downloader: Fix link to version control systems
  • afcad4785f2f36674c0d784811ac52aed6f11c96 snippet-choice: Fix link to SnippetChoiceReason.kt
  • 4c0147142116e65c6677df0695e552d9bbe37c91 Improve grammar, punctuation, and wording

Refactorings 🚜

  • 3112df6080a56872c72ac3df1f41dad48bb9385b test-utils: Use ORT's Environment to patch existing results

Tests ✅

  • 534c5746d756b132fab4006d342cd5869a6e6630 model: Fix a typo

Other Changes 💡

  • 4459cfb920352f3b457c9a684b6cfcc5133ffadb style(README): Reformat to one sentence per line
  • d8529f7fa3e2c83a2785308b2f12006745966da9 style: Disable line length limit for Markdown files
  • ff6a5beb04d3a8fbaa8f465eae23b38fc047b22d style: Enable Markdownlint rule max-one-sentence-per-line
  • 2955c0ccc8f403bfabd069a10b3a51f737599cfe style: Ignore Markdown files in build directories
  • 326a64a66d77c1057a8312e446fce734d4a38163 style: Reformat all Markdown files to one sentence per line

ort -

Published by github-actions[bot] 8 months ago

What's Changed (ORT Community Days Edition)

Bug Fixes 🐞

  • d0bfd1b758f866caa065049dd3cb8b57d81648b2 SpdxDocumentFile: Support nested DEPENDS_ON relations
  • 8d3376057fbcb0dab35b75b6dcd8f872f1562e21 pip: Only pass major and minor version to python-inspector

New Features 🎉

  • 62e22bf174dd320e1fab935f8aef7111adfce743 pip: Detect the Python version from .python-version
  • 82faa95198423dc974bea26277fb549da26eb5c2 reporter: Sort license finding paths with localeCompare

Dependency Updates 🚀

  • 13b39eff8462a566a23926c2c3c1404546d35057 update dependency ch.qos.logback:logback-classic to v1.5.2
  • c9269415f2c66d94a7a28fca52c991ca54fd44c6 update dependency ch.qos.logback:logback-classic to v1.5.3
  • 4eaf96c864751e91ada041480d3120bae3b97b7c update dependency dev.adamko.dokkatoo:dokkatoo-plugin to v2.2.0
  • 2b80e63c6298d31498599fb231aa2ea8dc450866 update kotlin monorepo to v1.9.23
  • 4cfddd3bcbadaaf3f7359cc8612f4434d495ad2c update ktor to v2.3.9

ort - https://github.com/oss-review-toolkit/ort/releases/tag/17.0.1

Published by github-actions[bot] 8 months ago

What's Changed

Bug Fixes 🐞

  • 2d83b351d8890a5131442dd324408e5bd9a00ac9 fossid-webapp: Add missing license category

Build 🐘 & CI ⚙️

  • 38e0447bf43f7fe5fd2b35258dd6c0f89e4294d8 Docker: Remove explicit Cargo version
  • dfd784ec4cdc239d625334a7ffa92e63f7f0e0fb GitHub: Also release archive as compressed TARs
  • b70a60dd76d566cd782e02fdb93a90530fb6797a Gradle: Configure the distTar task to use GZIP compression

Dependency Updates 🚀

  • 129bb204691b05729793a97b5709c6205b4b9670 docker: Upgrade Python to the latest 3.11.x version
  • 2928caf3f17b20020b3b8a4b7f27e97759999738 docker: Upgrade pyenv to the latest version
  • 95eeedd13d17e873e145456f632ad484d5be4ff5 update dependency software.amazon.awssdk:s3 to v2.25.0

Other Changes 💡

  • 165c2102e0dea0cec2f60d434b154effb8a5ab84 Revert "deps(Docker): Upgrade python-inspector to version 0.11.0"

ort - https://github.com/oss-review-toolkit/ort/releases/tag/17.0.0

Published by github-actions[bot] 8 months ago

What's Changed

Breaking Changes 🛠

  • 0abc6a2266594c6e7c3ac2db10ee704d2cc2bf85 chore(common-utils)!: Remove the unused ByteArray.unpackZip() function
  • 521782df59e525c4d02d760df01244ad1525d5d1 refactor(spdx-utils)!: Let compound expressions have multiple children

Bug Fixes 🐞

  • 3355b85803936a01ba706fffbad9ab3978b44ffe fossid-webapp: Add a version check in waitDownloadComplete
  • f63e6550ee7f6fdab817946de39eeb982e9523ea fossid-webapp: Add license category property to identified files
  • 6a97e858b90ac3719a5b073fa462a4ae8a72b62b fossid-webapp: Add missing license category
  • 00b02e1f438c86a2434f707a272957a5a97adf7c fossid-webapp: Filter snippets with invalid match types earlier
  • eed25cf827d3475df907d6fe1bca50dc2a0ef7cb fossid-webapp: Replace version comparison with Semver
  • 6d04874140e4bf760ade6f1657173b67d0f4db41 gradle: Bump the SPDX license list version to 3.23
  • 1d86e6fce368c2d23c28f63f127ca83dc7cb82ec model: Fix license / exception association for complex expressions
  • b2eeb35ff86e107d1261bbc3318c9460cf7c4576 npm: Improve the npm view based fallback logic

New Features 🎉

  • e8319219c8bccf20b5c80211fb4ce2c904c89dc3 RepositoryConfiguration: Add support for snippet choice
  • 71d94ec3e1a007f6a4d178417dd30c52e874844a fossid-webapp: Remove chosen snippets from snippet findings
  • d319fa9115a1d85e16ee548fb144a3096713d687 fossid-webapp: Remove not relevant snippets from snippet findings
  • fbc6489ff2af846e64d8fb7408217f9436239e30 reporter: Add snippet choice examples to the snippet report
  • 4e0b6a1603f3ed24621b9bec74b0c03f8a7bf758 scanner: Expose the snippet choices to the scanner
  • 8e6c96cb5a58413b1a8fc092f84941ba00c912b7 spdx-utils: Prevent creating invalid compound expressions

Build 🐘 & CI ⚙️

  • 3d802aa2900529157c3b3ce54af99253a5f9e78d Docker: Upgrade Cargo to the version available in Ubuntu 22.04
  • d1c4e0e684384418283bac2923c183423a1b774d Gradle: Force color for the run task if the terminal supports it
  • 454135ccc8187413661ff767af9ea1121fde316d Gradle: Improve enforcing terminal color
  • bbd71db6307b89dac175583b4ff447f4a2b23160 Gradle: Simplify the declaration of detekt plugins
  • 5d12d9bf9468f80549b5b26ec10a18dd0dc5b4c9 github: Let Detekt also check main with type resolution
  • 3297051195d3964299fc3ef78015219f1cb45baf github: Let Detekt also check testFixtures with type resolution
  • 3c20400ad4821624e904f73c236e739b7f0723cb github: Run Detekt with type resolution in a separate step
  • a72e907c36dbec0c2fbe1160c452f3bcd3f1b7df gradle: Apply a minor code simplification
  • 72ab654519b0d52e850dadee32e7e8a40cfda26e gradle: Exclude generated code from Detekt checks
  • 6489dab7fc832e2d05201f4c1cd0288609bc73c9 gradle: Fix alphabetic sorting of dependencies

Chores 🔧

  • dd58b4be630a56a10f52adf09b292fda7046f32f fossid-webapp: Move test utility functions to a TestUtils file
  • e62e68b008ea13967cd16bef1404c5d1eab42622 package-managers: Simplify some set constructions
  • b1d0bcdb6f95958b95f100254199fa6d06cc7ea7 python: Use just listOf() for non-nullable types
  • de60539f1de06d35abf015439b6b499230ce3b77 sbt: Move static private entities to the top level
  • 55e08aa5f9bc3417cea66ce7be9f5eba3dd9586e sbt: Remove a superfluous absoluteFile conversion
  • 8936311114d7a712d70093254f3c2b7153c35b79 scanoss: Add an explicit type to avoid a warning
  • ba46f52127e839aae0c334dda9cfd64928cac864 spdx-utils: Upgrade the SPDX license list to version 3.23
  • 84b9e1fd82f94eed0fb1cd69817b20db3047966e Suppress several warnings about unsafe calls on nullable types
  • 4036d3cd17ce88a49e3330d3e3d305906cc135eb Use .orEmpty() in more places

Dependency Updates 🚀

  • 05ed8881fd1293c9604037cdd28e96759b6715ec update dependency ch.qos.logback:logback-classic to v1.5.1
  • bcb2d33c733cfff867ea93c7577d6cfd39d8eabc update dependency com.github.jmongard.git-semver-plugin to v0.12.5
  • 02c967d525b00cad70ca16fe750d67764e1fcab8 update dependency de.undercouch.download to v5.6.0
  • 65d0e72615c02dea1fba97154c9e009de00433d0 update dependency io.mockk:mockk to v1.13.10
  • d14c144283f840e057d422ca0587b12e449abffa update dependency org.wiremock:wiremock to v3.4.2
  • b1b916186b84a5aa606270d13d6682738276ff5c update exposed to v0.48.0

Documentation 📖

  • 792ca26d02b669ae77547fb90ebeb421a451eede model: Clarify the associateLicensesWithExceptions() documentation
  • 9e0f7f6fc50225db5c1ea8e3adf0311a0855ffbb spdx-utils: Update class documentation with valid links
  • bca56db8404beba77d075753116aa30305492125 vulnerable-code: Document the read timeout option

Performance Enhancements ⚡

  • 37d9523c6a8ca776bbfd3a4ebd0b63d0a7b08cf8 common-utils: Redirect to a byte stream instead of a file

Refactorings 🚜

  • 1216335384b6e14fb0207abf32f12ae091ef8484 node: Restructure parseNpmVcsInfo() to use an early return
  • 52effe5efd297b2f66b0720738281e84813e3647 sbt: Refactor moveGeneratedPom() to log in the caller
  • 52ee940ff7b9a9170302b9f58f315ab60f6c9e33 spdx-utils: Make SpdxCompoundExpression take a Collection
  • 49ac14d668d99a573b748be0c74f182eaed94850 spdx-utils: Make a SpdxCompoundExpression constructor public
  • 036a576f356ba39137ef8cc2a9a1bbc4813f216b Migrate from custom kotlinx-serializers for Java types to ks3

Tests ✅

  • e1214f61cb8ccdaa3abbb7a82173d75585f7a501 common-utils: Make RedirectionTest a bit more strict
  • 5713ab0665ee318f4903e8c8e788eaf38a079bf0 fixtures: Fix analyzer formatting issues
  • 1e5d102ed2b97cff485d4adc57a7d25bff56b85e fixtures: Fix the analyzer package name
  • 12f41c293776f5be8e8c0251b94f87e8d0597351 fixtures: Fix the scanner package name
  • 331ce5e5086a087577ac69a7ec53f66c0adc0cd0 fixtures: Remove receivers from functions that do not require it
  • 320bb7c100d873b7d985e15bfba546bf686f343a model: Assert multiple assertions in a test case softly
  • eb5c266cf960daa301aed1cdc69b7ae843367f7f node: Align the names of the result variables in fun tests
  • f62b6b9e8715d1a221a988aea3f44d64ab311699 osv: Make the test resilient WRT trailing slashes in URLs
  • 0d44726fb336b7fa10685c0f094a4ab0c488192d osv: Update an expected result
  • 2a75dceb58ca1a8550febdb0f2847b8f64e36cc0 osv: Update expected results
  • f44b0bd079529e57581acffadec99aa6897d2c0c scanner: Remove an unused property
  • 835d1c75fd1a7cc91730c39f6dd74e22ff2d2d48 spdx-utils: Improve names of helper functions
  • 29507aefa4a441e7b8bf2ce2d790ac1c6eedd128 spdx-utils: Remove obsolete tests

ort - https://github.com/oss-review-toolkit/ort/releases/tag/16.0.0

Published by github-actions[bot] 8 months ago

What's Changed

Breaking Changes 🛠

  • b4675ebaa1b5f34edb56dc56e7b042a8e3fd10f3 refactor(model)!: Rename a boolean HashAlgorithm property
  • 4cda5b4d8152c94fd4966aaccc7273242021f680 refactor(scanner)!: Align provenance storages on write instead of put

Bug Fixes 🐞

  • 263b64d24089281c503abf4a3e22c2375fb2f777 downloader: Handle IOExceptions during a file existence ping
  • 64ece6edc55c7e605ecdd1c90ecd3d56a425b5cd gradle: Unquote JVM args before forwarding them to Gradle
  • 25c97903c4ab89ad2adbe1886da2c50754fe480b gradle-inspector: Ignore zero by size artifact archive files
  • d30e3027a2005f82e9fa04a0b9c32759654373f3 scanner: Catch a DownloadException instead of IOException
  • 141be6e4509f9d922555351cc82a3d906aed2a65 subversion: Throw IOException instead of DownloadException

New Features 🎉

  • 77013824ed2ac594b2c4106b1047e4b189271666 HashAlgorithm: Add empty value constants for empty input
  • 44fba5edec9fecaf989bd703a236dbbe5cdda364 helper-cli: Add a command to delete stored provenance by package id
  • 64ddf2a47f0685016eb008d6f6207f287da59be4 scanner: Add delete functionality to storage interfaces
  • a22360a6d9193c75d855207e142a2ccd6b120f62 scanner: Log the configured provenance storages

Build 🐘 & CI ⚙️

  • 8fa603c7098340e8d35cf1d8d96f11cc7af40654 Docker: Upgrade Cargo to the version available in Ubuntu 22.04
  • ab4b10488805594ebd9fe12407ccdce9e389ec34 Gradle: Enable the configuration cache for faster builds
  • 2ea20c9f1f717ceab5bd768a739cb67361ff658b Gradle: Use conventions to opt-in to ExperimentalSerializationApi
  • b83fe670b636b3528f85cc26db586ec8637671ef Gradle: Use older syntax for an enum's entries
  • ae01aa84661ac79122521eccf5444487bd9d9f0f github: Disable the Gradle configuration cache when releasing
  • 563459b0bd8ffdbdd3c317eb7dff19dde38c3c0c github: Pass a token to Codecov

Chores 🔧

  • 78ea000818d9be64648dd853e8a9af5b5d80b0b0 NOTICE: Add Robert Bosch GmbH to the NOTICE file
  • 918a73d93126f285db84ad019133caf6e0d7ee36 NOTICE: Update the Bosch.IO GmbH contribution year
  • 2300487c85f01951782db5bb14db66cef0a706a6 cyclonedx: Disable Base64-encoding of license texts
  • 550f922d23bbf8bd439a8ae1aafe61fa81dacd4b docker: Upgrade Go to version 1.22.0
  • 2cb5ad7512dd606972b61ce7b79dcc754c81feb2 examples: Add a missing dot to a rule violation message
  • 2fe4915207e29f59c58a0109bad357f05db03621 gradle: Align JVM args mapping code with GradleInspector
  • bc88ad9e9b55b268014cf0000481731eebda1cbd gradle-inspector: Use lambda-syntax for a log statement
  • 5a7216372dcd13f382442417497d71368c44abae mailmap: Use Martin's new Bosch address
  • 5d77dd33d8b1761c6b2553189857a56f5cd8f031 scanner: Wrap a string differently to avoid a string interpolation

Dependency Updates 🚀

  • db15d0ca06e0d2245acfb4cb6ba772c312561f3a Update kotlinx-coroutines to version 1.8.0
  • 78c5712105750b826133d873610697c1ccc1cc4e Update the native-gradle-plugin to version 0.10.1
  • ea88ee889cfbcef14d81d1b2a7e532fbe77e94f3 update dependency ch.qos.logback:logback-classic to v1.5.0
  • 70cc2e14da51fbf9fcf20a912e848b427b7a2227 update dependency com.github.jmongard.git-semver-plugin to v0.12.4
  • 44fc21959f6b41476cef3cb72638b742e911dfe5 update dependency com.networknt:json-schema-validator to v1.3.3
  • 659b302bbad04775d7761a189c46365f3de8c5db update dependency org.apache.commons:commons-compress to v1.26.0
  • bf5661b1853e4febb182cc615215387f27b3983f update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.13
  • 90083ca6926f1929a7115f45a2d1abcb3b1004f0 update dependency org.jruby:jruby to v9.4.6.0
  • 3e9ad2547900a832f6541f3abffbbede7ca84e15 update dependency org.postgresql:postgresql to v42.7.2
  • 0fb4375f54c9a80ff88725bc906cb2eb3884d93d update dependency org.springframework:spring-core to v5.3.32
  • 3f8415c63bf8b46fb8f210e2b80c667abd1bd387 update dependency org.wiremock:wiremock to v3.4.0
  • 24c029f73836fe8304728d3fe218b14fa1f20227 update dependency org.wiremock:wiremock to v3.4.1
  • 3643954db07d9df7ca76198deecba070a23f2012 update kotlinxserialization to v1.6.3
  • 7d6c64201a16d9680c4f9dacd4a0e38571ff3544 update log4j2 monorepo to v2.23.0

Documentation 📖

  • a6ad62b7e407b8d18994a22e27ae635d5026982e spdx: Consistently refer to patch-level version 2 of SPDX 2.2

Performance Enhancements ⚡

  • 13d76113d24d7502d8248bd22a58ef31453bb48c downloader: Return early from archive download for an empty revision

Refactorings 🚜

  • 764e284d254c07a60912c7eaa02f9b9dfc825e5d gradle-inspector: Remove an unused function parameter
  • efc23100c5edc7e650636962c7e7972f911199fb gradle-inspector: Simplify check for zero byte artifacts
  • fed338e91e05793d04445be7601b25a1ee36d70d ort-utils: Extract common request builder code
  • 4b7573e804093f647a695f0f2f2fce311c5a5454 ort-utils: Remove some superfluous apply statements
  • 0698175aa3766538b5d9531b14cd2bbbc06e9aef package-managers: Trivially improve size > 0 checks
  • 66202ad683640065a2237c9fdcf6b2efd0b44690 Take empty value constants for hashes into use in various places
  • 0374af1c220a0c1e0937b3fb146c06eb235a1bad Use Kotlin's Base64-encoding

Tests ✅

  • caa22c8f7f354c1704b65f54fcd31bc03f174887 HashAlgorithm: Use a WordSpec to group tests
  • 389ee606ea14fa0fe6f0373b256e727c5b66d6a7 1a7ac5f8fa4b47e071a83ac7f6080a324a294e5f osv: Update expected results

Other Changes 💡

  • 1ea5f3763839626a0c1cf44627e5e561781d062d Revert "fix(common-utils): Do not extract TAR directory entries as files"
  • 58332a056034fc52bd8063d2dd007981ee84c6d8 revert(docker): Revert "Upgrade Go to version 1.22.0"

ort - https://github.com/oss-review-toolkit/ort/releases/tag/15.3.0

Published by github-actions[bot] 8 months ago

What's Changed

Bug Fixes 🐞

  • a5470912ec3bca8adea8e1d1790ac6c21e262c41 askalono: Correctly handle errors in results
  • 9fb12a9c631bdd866f9019d78131df5383760c32 model: Use the correct class for log output
  • 39b3a0f7732ac114bcb3c210c1a0da876f7d0b41 spdx-utils: Do not test for sub-expressions based on strings
  • 875108bbcea7c25953eb36b64837e9023d5043b1 spdx-utils: Make single expressions sub-expression of themselves
  • acb7fe6660d34f0405e85b2715bb277c66ae1125 sw360: Do not use a path as the temp dir infix
  • 0c64591ebf80ff94a41ff771b30d85f7c112c6f9 swiftpm: Drop an unnecessary function call
  • 9e94eb52471d17c3a692edb1599c9eccf5caf659 swiftpm: Ignore "unspecified" versions
  • 9f2f0942cfefd8a4473dd706e98e223a06ea8604 swiftpm: Make PinV2.toVcsInfo adhere to kind
  • 14dc179ff167f3ff54efb384d9f60661272c1503 swiftpm: Remove the assumption that the lockfile always exists
  • e1781aa02c40850db0ff0dfb91b72062add1f505 swiftpm: Simplify PinV2.toVcsInfo()

New Features 🎉

  • 8efc8eeeeeb715e3d38f6a5acc858e3e6ae0e684 helper-cli: Add scope exclude patterns for debug builds (Gradle)
  • 6b99276a4699e5fc8af38ca1f6c21be8b8949f17 helper-cli: Generalize the scope exclude pattern for kapt
  • bd0371fbc6897ed7eef03a4658249948d2cf37c9 jenkins: Add optional parameters to install plugins from another job
  • e8e68aa5597f89f5bee21ad297c33bc6a735091b jenkins: Allow to pass Docker build arguments as job parameters
  • 8819ac940475a9922f1f3e4b3e3a1d77bbe12a20 jenkins: Allow to specify an input path within the repository
  • 8cb1a79cea664eaf8f1777874e8ba8e04f4a0f1f spdx-utils: Add a new SPDX expression parser implementation
  • 41e6f98ff4c0e9476a63918b79006662309f313b spdx-utils: Take the new parser implementation into use

Build 🐘 & CI ⚙️

  • d3ec5fb690018aa0d227ec28ed795d4c99445ab4 Gradle: Enable the configuration cache for faster builds
  • 283dc6d64f68cffa9ca2ce6feace9416f1f21093 github: Disable the Gradle configuration cache when releasing
  • 5a17d05d93b919a12b513dbf1b454ba480bf99b3 web-app-template: Explicitly depend on a task's output files
  • ea104dffd3f32c298086932da59bbeaecbacfb80 web-app-template: Remove manual task caching logic

Chores 🔧

  • 9bab90aafb0ab90a99d9f320013bb489c90eb198 Gradle: Remove a work-around for the SemVersioning plugin
  • b47c3d42863071203efe46eeb05c4b3116445ce2 NOTICE: Update the Double Open Oy contribution year
  • 2e3b5f16e9e2c333eebddf5e1f38930aea215844 NOTICE: Update the EPAM Systems, Inc. contribution year
  • e64db59e4ec85c8e4eac6b3068aeebb6c1bad69c askalono: Allow results and errors both to be present
  • 4c73645328088310856f70f1f08f53eccac25652 spdx-utils: Remove ANTLR parser
  • 18fa67748588c5ba0571d407a6a5aac4aa603a6c Remove logging source overrides where not needed

Dependency Updates 🚀

  • 46ecd08419628455fcc189bf0ffa1018db56dc96 Docker: Upgrade python-inspector to version 0.11.0
  • e4cd5663def3c28de1fd733df8727ebc13e2a494 evaluator: Update the OSADL license compliance matrix
  • 8d5a305a766c2dc420c797a6661ed971490f8cdd spdx-utils: Add a test dependency on kotest-framework-datatest
  • 266d6280e47a2c7f82ea1c05af8a6ad200692123 update dependency com.autonomousapps.dependency-analysis to v1.30.0
  • e069ba12d059ea34d31e9aae9d4dc0240f42bd69 update dependency com.github.jmongard.git-semver-plugin to v0.12.0
  • e80c5b13f9afb6acc067003d5c4e387935f197e2 update dependency com.github.jmongard.git-semver-plugin to v0.12.2
  • e45f1d52d0214bca560d56dad756ccc7c8d8a0d3 update dependency com.github.jmongard.git-semver-plugin to v0.12.3
  • 32751d4117ad2f00e9f144e74cf0c3715cd0b1f9 update dependency dev.adamko.dokkatoo:dokkatoo-plugin to v2.1.0
  • 4e3b23f4b17e9f1d9e06ce320d4a8751f026cf07 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.12
  • 5c5eae44a5bd4934c4600a56ee08b79cb074f072 update dependency software.amazon.awssdk:s3 to v2.24.0

Documentation 📖

  • 0264f7f78383fbb88098f3c37f701227e3ba3f8e analyer-command: Align with simpler wording from Jenkinsfile
  • cf6fbb24e585129158a608fcb7db107939725298 model: Improve ResolvedLicense docs
  • b5e6dffa4f75c1a2608ba16b5a9c4a4ee9355cd0 spdx-utils: Correct a double "not not" in an exception message

Other Changes 💡

  • 959902c3429f4a209edd95c3d93e1dd38f38c133 jenkins: Move getting Docker build arguments to a function
  • da637233948c6160916a7ae134dc982308d37b22 spdx-utils: Move normalize() tests to a dedicated block
  • 5ca56438eab60ab0fa4a69653c3a5514f66f2621 spdx-utils: Move tests out of SpdxExpressionParserTest
  • a28b0d7b019c12afdb222ecf3ede158d879343e5 spdx-utils: Prefer toSpdx() over SpdxExpression.parse()

Tests ✅

  • c23c9d88ec9671a0c659d21c771546d87a97ac14 osv: Update an expected result
  • ea6140aae79a72fdce1ca9bcf1084f9bb8f53871 spdx-utils: Add a test for isSubExpression()
  • 0d6b0bf1e06af42dfc6d3621e3115195f38285e4 spdx-utils: Move parsing of constants also to the parse() block
  • de7247d293f6bb026e7dea652a400eab0740b69d spdx-utils: Move testing toString() to the bottom
  • 08d58bd127e3cceb5ef3cbd61152608d0dce3311 spdx-utils: Rename a block of tests after the function
  • 7b6537de397ace63c03bc71b63fa5984cadbdfaa swiftpm: Consistently use <REPLACE_DEFINITION_FILE_PATH>
  • dca2be0a56cafa84cec3d623630bae3b8b983eb3 swiftpm: Test analyzing a definition file without deps
  • 74e99df245c81ab8db4e314ee009753e73db5da1 swiftpm: Trivially simplify a create() call
  • 03c14c35433a00c64b036d26a9a05dfba2a93a19 vulnerable-code: Add a test for a Commons-Compress CVE

Other Changes 💡

  • 6c9c5deae73cae669b41e041c2159bc48f4e84c2 Revert "build(Gradle): Enable the configuration cache for faster builds"
  • 1a53592bbededf512a4ec90c41d0220e6e0842b3 Revert "build(github): Disable the Gradle configuration cache when releasing"
  • 38187cac3a4b8a1791fa47fbffa02e8f3d7f3c0b revert(docker): Disable arm64 build
  • 884a073d6ac1c2d523bdf00ea43d59bfa4a308ad style(jenkins): Move a function below variable declarations

ort - https://github.com/oss-review-toolkit/ort/releases/tag/15.2.0

Published by github-actions[bot] 8 months ago

What's Changed

Bug Fixes 🐞

  • e876f3073d4003b165aa4b5212df9309388e101d swiftpm: Remove an invalid fallback for the VCS revision
  • 4af96e364842de76fc1049288915430212e61c86 vulnerable-code: Correct an URL escape fixup case
  • 6ec2a31a1a4440ba2663e7f8efc0ccbfd70e5535 vulnerable-code: Fixup yet another case of wrong URL escaping

Chores 🔧

  • d6020754541130dec9faec9104d232629e1c3bad pub: Directly specify the hash algorithm as it is known
  • 4f8cb5e3d7c4283a7da658ffbfecb3975ecc9686 vulnerable-code: Log details about the error cause of an issue

Dependency Updates 🚀

  • 7f601605920927dbeebd68321eed4484d3766be7 Dockerfile-legacy: Update the available Cargo version
  • 5b63a3f8319ae9f593ac497e81709f0576540375 Update the native-gradle-plugin to version 0.10.0
  • 35bcb5492a6f22f61c7b694d17e36adcb7ccd3d2 update dependency com.networknt:json-schema-validator to v1.3.2
  • 2e2cf958763198c7e2971270832e1eb9c4083c28 update dependency gradle to v8.6
  • ae3da6984dc172e7e348245387d8d0353b8155c4 update dependency org.slf4j:slf4j-api to v2.0.12

Documentation 📖

  • 5213ce3c7e7dfa2a4323ffec12371a14cc4abc26 common-utils: Say that hex digits are returned lowercase
  • ca148613f9cd171ac8c41aa403e19362a4234af9 swiftpm: Fix-up a TODO comment

New Features 🎉

  • 90e9d36bb1c2808e5a25fe82d08a34ff6481df47 jenkins: Add a parameter to skip excluded scopes and paths
  • 50f12d5e9d5d6b98e8a01c10211c0c6ac3a3d83f swiftpm: Add missing package references to the lockfile analysis
  • 227317c22a0a1f19f1ef2349a8a1afbc8d02b7ee swiftpm: Gracefully handle dependencies specified by branch name

Other Changes 💡

  • b45b2bffd4866a7d6f0edee45ec094a1ba1c2ace SwiftPM: De-duplicate a class
  • acfc84acfd037e1589530fab78aa8006f3866bba SwiftPm: Stop using the dependency graph builder
  • c1b90c9bbdf151897952fa6f8c14daf887e2d45a swiftpm: Avoid an unnecessary copy operation
  • 70a350e866f3d3ff1a3e01769b2ff8252d0a9804 swiftpm: Factor out SwiftPackage.toVcsInfo()
  • e9a06de75d0a06f51f3a91aba7cad86821bce8a6 swiftpm: Factor out getSwiftPackage()
  • ab1d875230e733cf676de9f8d74d57771f4a2e99 swiftpm: Factor out parseSwiftPackage()
  • 736eb19a0027f17709675334e3faf0256054c06e swiftpm: Make parseLockfile() return the pins
  • ba9422282b08b70416dee2f21f691723a5671de6 swiftpm: Make use of the default parameter value
  • 89aad09964944f2f117110d5f75605dfc50bccfd swiftpm: Move parseLockFile to the model file
  • 8c6d7aea2390bbcd84c6052fd19d3a08278a89a7 swiftpm: Move the dependency handler into SwiftPm
  • bcdac56326162b3a1b054aa1746701133469bb03 swiftpm: Move the mapping to ORT's model into SwiftPM
  • 22a7baa489ab81f85a6378aac4aaa528c420c196 swiftpm: Re-order the classes
  • 38709a7888b7311df44865cf7766dab594f1f77d swiftpm: Reduce the visibility of the model to internal
  • 2dcbeeb04cee7c0372d2759f84f7e913486f7087 swiftpm: Split up PinV2.toPackage()
  • 9e7167844799c8efd0d65c104fd0fd2ab13120ee swiftpm: Turn a property into a function

Tests ✅

  • ad7070a709560268c948e0de23eeb7c40604644e python: Update expected test results

Other Changes 💡

  • 10de9ef22004fd7b74d325c662880fdca8a0333e style(vulnerable-code): Use multiline strings to reduce escaping confusion

ort - https://github.com/oss-review-toolkit/ort/releases/tag/15.1.0

Published by github-actions[bot] 9 months ago

What's Changed

Bug Fixes 🐞

  • 56a81a50a04f9fe5d1ef7155a2ddf6c7a1ade3a4 model: Always construct Hash with lowercase value
  • cf5d3c370dfe0bc1266fc763468390d1b64dbfc8 model: Always use lowercase for serialized hash values

Chores 🔧

  • b9f65d17b0d6ec848c8f479979e32fffcea663f8 swiftpm: Add the attribute kind
  • e51454a8022339e9db440dff4bd4edf8b7cb94f6 Generally do not quote URL as part of messages

New Features 🎉

  • b55f91f8b4a213be0100c6bd03164a870d2f27ff ort-config: Support namespace-level package curations
  • 89b632557f91baf38daa3e7314ad57646b563a18 vulnerable-code: Make the read timeout configurable

Other Changes 💡

  • 99e3b1c7543bc533845f2ed0661d7e47ab13e657 conan: Pass also the hash algorithm
  • 974fbbae92d86e95f58cd5a22bab74a424933b00 swiftpm: De-duplicate the class for the Pin state
  • 505f2a2ca05c72affceb24f9993a859429d2898a swiftpm: Remove code redundancy for converting Pin to Package

Tests ✅

  • f745c51ed5432e451736c362e6ca1c2fc104d88f conan: Update an expected result
  • 384e657938a4b254b770ffae68ae8b9d1c43a50f ort-config: Improve test names
  • 83d193a6e687e0f6bc0a6e80cfadcbaea4629cb8 python: Update an expected result

Other Changes 💡

  • 4661582e39534df3a626cec2a93ae0c2f271fb8a Revert "refactor(scancode): Disregard the output format in scanner configuration"

ort - https://github.com/oss-review-toolkit/ort/releases/tag/15.0.0

Published by github-actions[bot] 9 months ago

What's Changed

Breaking Changes 🛠

  • ddc09eba60368043d58a9abb715c75400588786c refactor(scancode)!: Move default configuration
  • 0ec34f7d14e4cea7693cc57c85ea008ec98e16da refactor(scanner)!: Make commandLineOptions private
  • 2d6d2870927c040ac07e62abeedd5a555d3c8063 refactor(spdx-utils)!: Move SpdxLicenseChoice out of model

Bug Fixes 🐞

  • 4f21bb5a407053dcf539ec8854bf3f29eb9e73eb git: Again use the Git CLI to perform the actual reset
  • 8472931f67e223f37d22d9a447f28dbadcef00d4 git: Do not rely on FETCH_HEAD to list the current branch first
  • f5d3c2f77ca6053a9157cf5514f6f2cc7bf0c3dd node: Deduplicate issue lines before collapsing them
  • a234ae567bb7dabdf481952a51bf82cde0c8c592 pub: Do not use the revision from the pubspec.yaml of dependencies

Build 🐘 & CI ⚙️

  • d673e1b65372d153f36f10c2ccd8b4e41edabd93 Only sign when making official releases

Chores 🔧

  • 46de195fa9a43f0379989ff90e15696d99425ccc docker: Re-align SWIFT_VERSION
  • 61fbc328ae18392c0f2484d2f09e18454cefc777 docker: Upgrade Android command line tools to the latest version
  • 2f6c6ef094ada5df8944846138a7b0cfe2aa469a docker: Upgrade Go to the latest version
  • b58f9d9ffc383391d0d08d935936bb1680c3a6c4 exception-mapping: Remove an invalid comment about sorting
  • f2a799f0bfe36a110beb8f164fd708c99f2e4380 scancode: Reorder command line options when running ScanCode
  • 681f0bb93e83ed2861b6a124f53b52a5755c2822 scancode: Reorder functions for a better overview
  • 3ce8889b1c4c8d947b4d9a88c0ad5537a38c0250 scancode: Specify the timeout as a duration for convenience
  • c0a9b4e93e16264e2d4a263df7d199fa65ed4220 Remove Batect as it has become unmaintained

Dependency Updates 🚀

  • 195ddb7114a7561dd430b6f8f4436501805baac8 Dockerfile-legacy: Update the available Cargo version
  • 5012819c3fdf123a71360dc9ec42a3fb43b548c8 update codecov/codecov-action action to v4
  • d8bb7e8e2eb9c7dd3e9e14dfb8efab406d35088a update dependency com.github.ajalt.mordant:mordant to v2.3.0
  • a053fec233c8e66df80af4bff711587871578364 update dependency com.networknt:json-schema-validator to v1.3.0
  • 7b4f8238bf07632adaaa80db99fba6f1f75fbd33 update dependency com.networknt:json-schema-validator to v1.3.1
  • 8387ed4c0984c23d12493e72fe1a342c14d3c5bb update detektplugin to v1.23.5
  • 68309b4a952a5b0b50889e13e350970aec49f6f6 update exposed to v0.47.0
  • e0fc5a8be1a3eda18bdabc31bb8cd9b88cef0481 update gradle/gradle-build-action action to v3
  • 82190b5e195e08e7f1ceb1154ff8a8273e2d473a update gradle/wrapper-validation-action action to v2
  • b3063be09c4f5dc14c8962d1a8ef44ec24eb99d8 update ktor to v2.3.8

Documentation 📖

  • 77ff88e9432424b5d2ceb59f21150dc191b45d20 Git: Improve some code comments
  • f228d98db3581b9d7ca5bc645c395c7ac0fbb588 jenkins: Improve the ORT_FAILURE_STATUS_CODE documentation
  • 00cd17a42ea491e30afb12c1f0b3a3c4cf2bc070 model: Document the impact of the severe threshold properties
  • acb8ad4b81e6307a6648ca90beb9f7a8677af213 model: Fix the docs of Hash.create() for blank values
  • 385257204063f575d833a3e3fa54b28fb63bf285 npm: Explain why the severity is only lowered for NPM CLI warnings

New Features 🎉

  • d60ac69115f45a9d9cfca62da4bf1531a40c7023 docker: Enable multiarch build for amd64 and arm64
  • e13c625a87f39f7e012c03bdcc3ceb1310ecff78 exception-mapping: Add Asterisk-exception
  • ca7a2bf06f81b87d9f4f0b4b09400f1d347b3323 exception-mapping: Add Autoconf-exception-generic*
  • eb108b3cbeef899b29e2046b9b807ebbfec760b9 node: Add a new single line warning prefix to support
  • 232bc197f62d12fce7ae98da63f0378bad21e163 pub: Parse source artifacts for hosted packages
  • 4af636070381c704c0609582a43c068989092abe scancode: Add an option to prefer file- over line-level findings

Other Changes 💡

  • 2f84a017651b8d7068e9e12ffae92090ef3cec73 Npm: Make mapLinesToIssues() a top-level extension function
  • b8dd813f552c3d42bea177885b7c6be4023088fd Npm: Move some functions to top-level
  • a09afa42287224795a4d7717d958753ea94064ab Npm: Rename a few groupLines() variables for clarity
  • fd795d3d3651d2f17d86247370ddc6eecf663848 github: Run functional tests against the snapshot Docker image
  • c00cbbcf92a610b68013efce1fd9d5c1033033a8 model: Move the constant for the reference configuration file
  • 32e007258d4b08920fa2bb9b5d9856e81415c5ff npm: Reduce severity of warnings from the output of npm
  • 57c3659681b06bbd6d9be0266048f84a09a7de54 pub: Extract a source variable
  • a8d6171433ac0549ecf880cccb4f4c9be4036416 scancode: Disregard the output format in scanner configuration
  • e8f4e0a00db13d37427d9689173f2fd1f283061b scancode: Inline the output format option
  • 95dcce2aecfb0a45a3fedcb2c01788370f46e864 Introduce a constant for the status code for failures

Performance Enhancements ⚡

  • 47da430767b20b24cc4aa29bb4f569e8e5bfdce9 spdx-utils: Make the cheap check go first

Tests ✅

  • c9d0b74f4470907c7452fefe03c88c147cdae6f1 conan: Update expected results
  • 37c0c4dbeaec7a33e7efefe66afdaec68d6cf3d5 node: Compare deeply nested data classes by YAML representation
  • c96a3898fda90cb469b4dc55a16a65b71ae72e55 node: Update NpmVersionUrlFunTest's lockfile to v3
  • edbb3ad5c94056a4723e7c20fbc6127db2d6b38f e9f36c4382d05e6294d568ed75c6d745e3ab1147 osv: Update expected results
  • f471b7bba612cf9a48688f7a262105dd53b76378 pip: Update expected results
  • af7b45b5b5b223d4f97886697e99299684c00941 pub: Update expected test results
  • c297ec83d8edc00c78f275a9702fe22543c4045f pub: Use placeholders for project VCS
  • 75e6fb9d6186682850f3baccbccf54d20aea6a3a scancode: Also assert the number of license findings in a test
  • 5364048a9f001ce9010834911bf1c9fcff9001b2 spdx-utils: Add a test for semantic matching of given expressions
  • 5d7e4d72346c6832fff8e6ddebd38d2071f93b7f spdx-utils: Remove a duplicate test
  • 3bd4893c5cd8ebcdb0818e955477a9d1685603dd swiftpm: Fix-up a test case name
  • 64fd9db7fd5c27e2a9d50692fea6def98e2a037b swiftpm: Fix-up an expected result filename

Other Changes 💡

  • 9bd9454faaa00a59598ebc857a804242f4d5272f style(Git): Adjust formatting to ease setting line breakpoints

ort - https://github.com/oss-review-toolkit/ort/releases/tag/14.0.0

Published by github-actions[bot] 9 months ago

What's Changed

Breaking Changes 🛠

  • 4116d161682f02b3dcc4ba20bf8aee9e6f5f8bd1 refactor(spm)!: Make LibraryDependency a nested class
  • a8e5dc7205fd0ed42b842573ca7e3671c3e68019 refactor(spm)!: Make toPackage() an extension function
  • 6afed08e57b4a1ab161955119667f87c9d2d8754 refactor(spm)!: Turn toPackage() into an extension function
  • 1c42352796a8ff184a3b10635cfb13bf8f6cd6f6 refactor(spm)!: Use a better name for AppDependency
  • 0289776773191c7bb37d94a8942d41fe5fbb2737 refactor(spm)!: Use the term SwiftPm in classes, files and package

Bug Fixes 🐞

  • 8deb4b325ff808e5491183b49ac896d66296d629 gradle-plugin: Take repositories defined in settings into account
  • 360dbe199fd15b74cebea94014d8bd6aa6296356 node: Do not follow cyclic directory links
  • 81d11a200c15b73aebe2c1a4f86fc7c7c9a2d78e pub: Do not rely on the package name to be present
  • 2d909ee6a99ed660f0e8ee5ca687901b71cf1889 scanner: Fix the one-off in the provenance count for the file lists
  • 814a2983e01f36527fd1498d2ded740376acd4e0 spm: Ensure identifiers of packages are unique
  • 12563d0d0c1cd8dab10fc867873f06d370738c7c swiftpm: Fix the broken requireLockfile check

Build 🐘 & CI ⚙️

  • 6d351925c9d1e0fa3161142f69692a4bea1dd7e8 Gradle: Use dashes to group dependencies

Chores 🔧

  • 1be19d5716a2b739227b69b048a6610a1825fcde analyzer: Remove an unneeded annotation
  • 3a23af575ba73fb6819fbed6a7ec36978c122bb1 mailmap: Update some full names
  • c6793a65078769dc71de99304571f299239f5932 node: Ensure that package.json is a file

Dependency Updates 🚀

  • 309b15d231050ddac01e347fdc687320244ee8f1 update dependency com.github.ben-manes.versions to v0.51.0
  • 7485770a82c11a32a86bb2ab10bd56f20d1e4a48 update dependency com.networknt:json-schema-validator to v1.2.0
  • 90931c5ed6a52fe37d193b389abf1ba483205e90 update dependency org.jetbrains.kotlinx:kotlinx-html-jvm to v0.11.0
  • 1df8a971a93f5ee039da67f3d57fc1803d279eac update graphqlplugin to v6.6.0
  • a95722a87d1f9db416d326491acff9dd18b9906b update jetbrains/qodana-action action to v2023.3.1

Documentation 📖

  • f2316e0297b27d9b57486305c40a06d460f78f68 README: Reduce duplication with docs
  • 578af027156f74b8e9b18bf1ddf77358141f71c6 README: Rename Swift package manager
  • 2ec282b9840fc26ee38477f74aea842b0fae5959 analyzer: Rename Swift package manager to SwiftPM
  • 559a6ca1fa6cd2d95236dd0d15dee2105c64bd1c config: Add forceOverwrite option to reference.yml
  • e2371ba6020f398854e6a344aa75dcb2d845bb59 gradle-inspector: Improve wording in the README.md
  • 1d82e3bbedef475730e642cd9702dda1b9db0f7a gradle-inspector: Reorder sections in the README.md
  • b169d6bdf127c4a3bb2da1cd238c18b526e0e916 spm: Improve the KDoc for resolveLibraryDependencies()
  • 656da241fba6f9c4c306195a21b957ead99c9204 spm: Improve the Kdoc for resolveAppDependencies()
  • ac87105f6aa74d938aaa8e4aeece34e9232dfaf3 website: Add a section about using the official Docker images
  • c690d0afe68d106b89efd6b51d47abf422d3bd26 website: Enable syntax highlighting for bash code blocks
  • 7cb26cf4dd674e09725c640c471597eabdee722a website: Enable syntax highlighting for batch code blocks
  • f91408eb8968bf5f900a1e1e174fe94c410a8742 website: Fix the edit URL
  • 0ab9e49b333aff9b83227223e9be9f4c45a106f7 website: Remove Kotlin from the additional languages
  • dce9002d389f322fd318fab9a52c712ce75b6164 website: Update the section about using binary releases

New Features 🎉

  • 2f9af0e3f7df9b806eff9132cfcbd6c8a68efd8a jenkins: Add a label to link back to the build URL
  • 0aaceb117f476ef93c77a8e7bd65df573cebd996 migrate: Add an option to migrate Pub identifiers
  • 2f7723ae8549ca715089e7b99562d88b57447a1a swiftpm: Gracefully handle unsupported lockfile format
  • b9016e3063853d8e22a619f70896ebba49eb565e swiftpm: Support lockfile format version 2

Other Changes 💡

  • 1fe54e319956045454eef84111e9f7a0d14b1a94 gradle-plugin: Introduce an extension function
  • 119de17ba891e960e8cd31d6384c1d5ad3a536e0 migrate: Extract a function to migrate identifiers
  • bd860f35527688b8de737b5843f1c23fc94305e7 spm: Factor out createPackage()
  • 71b23a60a5a0ca705f4ecc5c0f183bbf5ce67887 spm: Improve name and KDoc for SpmDependenciesOutput
  • 92efeaa122312ca28ff245b7491e45228ec17494 spm: Improve readability of a string construction
  • 3722643e1b6cd42d0acbb08aa47be57e560c0625 spm: Inline a toString() function
  • 57ec57b0068963b75751b7b51d424614489a17a7 spm: Move two properties into a function
  • 2910db4ba62b22084c141f183d2a50cacfb05650 spm: Remove inheritance between model classes
  • e2f86e749b7583f99ca28f750f7d03600aff59e3 spm: Rename the spm module to swiftpm
  • a3b09cccd47ba79a5ff303bb5fda23db9398249f spm: Use a better name for resolveAppDependencies()
  • 8fa37e7fbbbb85553c785edce483a97d43d67917 spm: Use a better name for resolveLibraryDependencies()
  • 5b87095052bcca1d585eef5f23a88d724e61dc71 spm: Use an empty namespace for project IDs
  • 43faef833ec35f0c5d31859fe18b38fc14d770a3 spm: Use better values for Identifier.type
  • edb508fd3107ec953358d21d638ff32cc4c582e6 swiftpm: Apply a minor code beautification
  • 31312ed5f9ceebf11811b0cc50d1ed5312945a3e swiftpm: Extract parseLockfile()
  • d9f27bb6121919babf96ffd7651a99a2e472f4a3 swiftpm: Move a comment next to the related command
  • 9cc7e75351e476d27a183745402ec7dcb7d568aa swiftpm: Stop setting the homepageURL also for projects

Tests ✅

  • d895de63a071fcd43a65f62745bcfa2eaedfe441 osv: Update expected results
  • a51fc940f702bcb9f4b9112825e0d4ec3fada0ba 02e2d4720d881c29ac548047b59dd56deef919a9 osv: Update expected results
  • f88041afc23b1950583efac0b396f41504e1c8ee python: Update expected results
  • 05417b7d8fe6031829980c70df9b85c38cd51e1e a5fedf5c7031f4c3c789435c50117edacc3da5f4 562b3687fa7843e768e66f144eb0a52173e0a82b spm: Update expected results
  • a0ea68220b985d0e2d1c2f69429ca0966af2ed7d swiftpm: Add a lockfile for the synthetic spm-lib project
  • 8ed897e5f8e2fbcc3a5b1db63004a995218fdd37 swiftpm: Avoid a hard-coded path in test results
  • 56d1226851df160c1ef3559670cb3cd49e67cbc8 swiftpm: Clarify the functional tests a bit
  • bb7f83b810b3a5d1f144aac9182b282c4d182b13 swiftpm: Further isolate lockfile-only projects from other ones
  • bff12f96ac56d5e38ee0a33a15f8a77f01729c29 swiftpm: Specify branch name instead of version for one dep
  • dfd1cd1340e1d82e91c1bb04005748b471583dd3 swiftpm: Update expected results

ort - https://github.com/oss-review-toolkit/ort/releases/tag/13.0.0

Published by github-actions[bot] 9 months ago

What's Changed

Breaking Changes 🛠

  • 4e4c4752d500ab7935f24d48a4f6739ee48bb762 refactor(model)!: Simplify constructor of DefaultLicenseInfoProvider
  • 3042e35c85add620f97a711df65b2ea3ee500926 refactor(reporter)!: Remove ReporterInput.packageConfigurationProvider
  • 233eb8be493ac7ff7160aa925b4f8f2ad576bb8a refactor(scanner)!: Remove the Package parameter from scanPackage()

Bug Fixes 🐞

  • 488027d8deb92829212178bc720bdc7b6de443ee cargo: Only read checksum metadata entries as hashes
  • e7bdb212993a6fe84936f598f0c25a1e264445ec pub: Do not set namespaces for "Pub" packages
  • a547788e18b949fa82cf31bb5d06cc35dd05a261 scanner: Keep the VCS path for a package scanner's reference package
  • 1e22bc4f507ebf390a87031bc63da9d288e6bc6e spdx-utils: Correctly determine choices for AND expressions
  • 3205ec9c18c0fd49ebf2ac40540788ca8d0e973a spm: Ensure uniqueness of identifiers for projects
  • 59942dc3c4080d3c5fe3f48c640aaf9b9a9342cb spm: Stop setting the author field for consistency
  • 6a8bd94886776c0504875149f18b2f8cd6f0a875 spm: Stop using the repository name as the name of dependencies

Chores 🔧

  • 0a33af94a451201ffee80a545dd87c480f3ece17 scanner: Add a closing quote when logging the scanner name

Dependency Updates 🚀

  • 89521b516f14760b5509b796ccd0c5976ee676d2 website: Upgrade to Docusaurus 3.1.0
  • 25e1de16f43a95396d69fe9a2b5603efec3a82be Update the foojay-resolver-convention plugin to version 0.8.0
  • 711bdd5722f0213e651f6b2890db453bf2ae7474 update davidanson/markdownlint-cli2-action action to v15
  • d7dbd015898cef886ea6d20ae790b8e7e7eeaa19 update dependency com.autonomousapps.dependency-analysis to v1.29.0

Documentation 📖

  • e0560f3dd4138a28db1372ed50ba19a11ca92bc3 evaluated-model: Fixup references to resolutions
  • 920fd0ccb5667526003ec17fe40d9117e83e990f helper-cli: Fix-up a copy and paste mistake
  • 5dca9cfce2895cb2e923a89614f2406f8b721bce jenkins: Document that VulnerableCode is enabled by default
  • 2cf9032fd25a4c1e90b5f98bbf1b4f3f598bd39f model: Improve docs for RepositoryProvenance properties
  • 00bc82b99bbd60d4b1e92bd651323d482bf16209 model: Improve various ProvenanceResolutionResult texts

New Features 🎉

  • 0c748f4c24c499f058f169c6c66497c4646f983f composer: Use PackageManager.getFallbackProjectName
  • 07d06bbcefdb7e5e183f6eda5fa023d364973f85 model: Introduce OrtResult.getPackageConfigurations()
  • c5671ee08d522a3c2af78e5c738117f58a42d6de pub: Use PackageManager.getFallbackProjectName
  • 3f4073f858fd407364409746cb6e802a3aff334c reporter: Use block for issue messages
  • 2b230b8c377d5472457508cd974dd39b40d7e0bf website: Integrate tutorial with docs

Other Changes 💡

  • 523e8989bfe389fe4f93abe5262123fc09aaa067 evaluated-model: Consume package configs via the OrtResult
  • 2bf0203988c3ab27a90749c35c505adcf49d7cf5 evalutator-command: Include package configs in input OrtResult
  • 7754349ac7f056a0f438baaa201bc4df4052bea0 list-copyrights-command: Simplify passing on package configs
  • 79fcd679a5f81833469dd41370f01f557ee198f5 reporter-command: Include package configs in the OrtResult
  • be38f7f5f0d456776052fc68291f3c139d372a24 scanner: Get the nested provenance only once
  • 972e24c60e47eda6d56646e1acd62c73d6da341a scanner: Move downloadRecursively() to ProvenanceDownloader
  • 3c795a1446ce11a02e420ceb71c4f446d40b40e3 spdx-utils: Remove disjunctiveNormalForm()
  • 0ea02d68ac50bfbe90f09be0d1a48f290e3f6780 spdx-utils: Simplify the OR case of validChoicesForDnf()
  • dac1854ed9ace2542ab76d941418a090031fb697 spm: Stop setting the homepage URL

Tests ✅

  • 8bc273e36ee8b0a64b6109faa1bf8919db84fc11 fossid: Align the way to call scanPackage()
  • ccb4d67b789c4a061b97e1b16899ec47866e6502 node: Update expected test results
  • 43360484fc895afa8437ebf47cba46991f373788 ort-utils: Add more Copyright symbol tests
  • 6ae49d8d9a84d677f86baba715a58c5202d32663 osv: Update expected results
  • cb47b19baf89ea97a725055af0e983651f4af8ca osv: Update expected test results
  • 0fb41d16281dd2868b372cc02f23f6625aa24420 pub: Update expected test results
  • 34046a6e487279be0a01437d50048e6ab79b558b spdx-utils: Add a test for a complex license choice
  • 43b446c798d2ea9c3d60032bf0d533c07ce7310c spdx-utils: Compare choices by string representation
  • fad0008c09424fc8f452bc45e5344483d4689ba4 spm: Update expected results
  • 7032df2121c85d661d9608951683cabdbc2a72f7 utils: Improve assertions for the processed statements
  • 4d915d6e0aedf8548b6eb22116f06908b5fed11f utils: Use a shorter name for actualResult

ort - https://github.com/oss-review-toolkit/ort/releases/tag/12.0.0

Published by github-actions[bot] 9 months ago

What's Changed

Breaking Changes 🛠

  • 8bd464f56b7652879b0d16ea9c10cdb7ca80047c refactor(StatisticsCalculator)!: Stop using resolutionProvider
  • 490a641226b124fc4b742a32a25345d1774c897e refactor(model)!: Move PURL-related extension functions to a separate file
  • e782ba3bc851dc8fdb091b1c0fd91d23f19fe0ee refactor(python)!: Move PYPROJECT_FILENAME to Poetry
  • 330646f0e9764e8864458f287008a0b66991d0ff refactor(reporter)!: Remove ReporterInput.resolutionProvider
  • 708afae93a86a53f13cacd7e698a30e593893baf refactor(scanner)!: Pass the resolved provenance to scanPackage()

Bug Fixes 🐞

  • c5109a7220b8c136a50a6395e1602934b681bb12 analyzer-command: Resolve repo config correctly if input is a file
  • d0301b414a0bd6247126f9c86833c02349b8c914 common-utils: Do not extract TAR directory entries as files
  • 27e53e28b3da96cd9b783e141c8411854f415513 helper-cli: Fix-up the reason for pattern test_*.c
  • 19553b6a76453efba95757564b5bdce15b946e9e model: Correctly en- / decode a VCS subpath to / from PURLs
  • bd836a305c3dce5bb8d80980f64433f3a4e7ab50 node: Strip a trailing "/" before creating globs

Build 🐘 & CI ⚙️

  • dfbaa8e34e09b988a69a92cc1d09e6c55a4651ad Gradle: Do not apply the built-in maven-publish plugin anymore
  • 4fc7a39386fbad2b41f4d4c13e24274b345a4c41 Gradle: Explicitly set name for buildSrc module
  • 4f4def4d4c82b5fdb618f59356283b3352c8a910 Gradle: Rely on default values for publishing coordinates
  • e769b0b8840c292aae22b8fad70f0016213f4296 Gradle: Use type-safe project accessors
  • 04c1033021252dd7322a36a1ac78a28b601f04d4 github: Enable auto-release of artifacts from staging to production
  • f933760645938251b528146c930fc867deeaa8c4 github: Simplify the release process a bit

Chores 🔧

  • 3d911f0165e8d693088d2d05a9bfcf6c14d53491 model: Make newly added PURL extension function public
  • fe76d2c1f25f1ae185ccb9dc3461d9ee3accf4af static-html-reporter: Align YAML assets to use unindented lists

Dependency Updates 🚀

  • 0a1065f85e1d8da7f36012346b94487ad160bcd7 Update gradle-maven-publish-plugin to version 0.27.0
  • a5ed041d1886e7bbe48ab10262089ced0e643b03 update dependency com.github.ajalt.clikt:clikt to v4.2.2
  • 86be29e031a686cb61ec1241a368c3e6266933bd update dependency io.mockk:mockk to v1.13.9
  • 41a0b9ecbaf71908d443b7804a7e03efd6e81690 update dependency org.apache.logging.log4j:log4j-api-kotlin to v1.4.0
  • f9f938b263bfe4ae3c8e8c45272bfdc65259035b update dependency org.asciidoctor:asciidoctorj to v2.5.11
  • d5d0507fad6d75a7fc7f884808fab64a3e5fe79d update dependency org.slf4j:slf4j-api to v2.0.10
  • 2484f24d998fa875d217eeec8ae16aac3cb41c4e update dependency org.slf4j:slf4j-api to v2.0.11
  • 9c665ce8fb5c1051588b7a155da8aae215693cfb update dependency software.amazon.awssdk:s3 to v2.23.0
  • 33eb0df83b73b74d9f6fd5e959be83c9bedc8308 update exposed to v0.46.0
  • abcec81c46d21b5bbebf04b79d72f38539f3b66d update graphqlplugin to v6.5.7
  • 71dc4c493c9837f845afb5930109e501fcde4dda update jackson to v2.16.1
  • fbf5988271d91257932fbbf72de19aabf2f9f520 update kotlin monorepo to v1.9.22
  • c74a28baae70f35fec2559dbcbca878f651f989a update log4j2 monorepo to v2.22.1

Documentation 📖

  • e1c06516550065b489a491b2148f16c0ef2b3293 evaluated-model-reporter: Use imperative mood in function docs
  • 515bc73e4c78853bd0cf114603bc42370bbd01c7 jenkins: Update the screenshot to include the unstash stage
  • ba3220dcb16015c6b6cf6be864df19208107e7c3 model: Improve docs for the includedLicenseCategories property
  • 98b40268d6792ca679ad0eb94ab8c53d7c447319 scanner: Also use the term "wrapper" in the class docs
  • 83308a1c184982c96a3a955829b524ec8fb1471a scanner: Generally write "scanner-specific" with a dash

New Features 🎉

  • 3348189ecef790b888e9ee37ed95c57a6ff2802e helper-cli: Add versioneer path exclude generator's patterns
  • 71e38b90e0564525d09e801b2790f7c20d9ce954 jenkins: Add a parameter for an existing analyzer result file
  • 3e767e324a1fccf320791323e0acb308c83c5e9d model: Add a toPurl() overload that takes PurlExtras directly
  • 758fd7a619cc2de3df625e7dd35502fa465955d6 model: Add functions to en-/decode provenance into PURL extras
  • fa6943b13c24960131be1a1864b2af877d6677bc python: Detect the Python version for Poetry projects

Other Changes 💡

  • 21a4085eec8b1faaa2942fcf468b52e65ef596e4 downloader: Use more specific provenance return types
  • bdfff4cd47a8f55d74dc2c3713242c1267249333 evaluated-model: Stop using resolutionProvider
  • 901d8c94b4b887c20f48bbd39892e47a15f88e9f fossid: Align the provenance returned if there are issues
  • 69fe1558c6f281786539bd1b93458ed77733d9e3 fossid: Do not measure the scan duration twice
  • 91335c1d66b1cacbffa3201715919a62c3d884ff fossid: Inline createSingleIssueResult()
  • b1892321b21ebabd55eecfa313a63b786ce8f975 fossid: Make issue handling more compact
  • 8a9aa9dbc0923c73bc6bbb5c76d4ec9532634604 fossid: Simplify the creation of single issue summaries
  • b1dfed03ce65d8ab2accf093763b4aedb53fe2ed freemarker: Stop using resolutionProvider
  • 0794697f0c3e315d6ea6491ca00abb4084a40c77 model: Handle UnknownProvenance in toPurlExtras()
  • 88e0f29977c12308851da499fdef91af4d374461 model: Make OrtResult implement ResolutionProvider
  • 1609034f1d9eed7e016ffc207abe4ed0b0980c2e python: Apply default values for inspector options later
  • 3a71a70724145bc7f1f487616f4431faa8875845 scanner: Remove findNestedProvenance()
  • 71f82f900718317075ce5f6a6f2e030735d06eb0 spdx-utils: Implement licenses() based on decompose()
  • 86796498190c85b2b053f715fcf07d1a350d571e static-html: Stop using resolutionProvider

Tests ✅

  • 4ba9271c339ba7cd5e71340a9b24f340f5eec4ef conan: Update expected results
  • a67743003cc541296430b5e55c0730ce76916214 python: Import the PYPROJECT_FILENAME constant
  • 23202589c06ba8af99491cf18e56e19a7330b01b reporter: Add issue resolutions to all test assets
  • a7f21df3fde4d5cd6c71552396465c7c445fb04b reporter: Include all resolutions also in resolved config
  • 36e82bac689a1effcc43d33cbabd91e3b84aced6 e3616ec96d7eeb327ae29c90c7ca2965d6607c08 a51be8eaa12bc92bffb685f5ede5c0b358d4c189 spm: Update expected results
  • 42bf356ff81abe720e875eba669b65f27ede83f1 spm: Update expected test results

ort - https://github.com/oss-review-toolkit/ort/releases/tag/11.0.0

Published by github-actions[bot] 10 months ago

What's Changed

Breaking Changes 🛠

  • c08a62498b4b547a52b74337e144fe610fa0aeb6 refactor(model)!: Improve ResolutionProviders getter names
  • 6c5ef66cc0a69c485d2303ad183022f5bd5392eb refactor(model)!: Improve the name of a couple of setters
  • 8a60d6762dcf72fb00428cbf5a9b86a9e2827437 refactor(model)!: Make use of getResolutions() in several functions
  • 4ac3106b7c68e4d815af154fdc8e0b28d0c0379b refactor(model)!: Use a more specific name for getResolutions()

Bug Fixes 🐞

  • 96d87c03dc15f5d0d671e84cd026798e96364d30 vulnerable-code: Fixup another case of wrong URL escaping

Build 🐘 & CI ⚙️

  • d168e88156fb5ddb4398c3801a86bddab3a39807 Gradle: Remove the docsHtmlJar task
  • 4629bd7b84c1d7db037faba52f930b01089e373a Gradle: Rename catalog entries that are actually plugins
  • d082b92f35534be43a47ab451d524db8b80c4a7b Gradle: Rename the docsJavadocJar task to javadocJar
  • bae6ef396ff241c67ecae7089d85fe97ce72884e Gradle: Use the gradle-maven-publish-plugin for publishing
  • 07f9efb09370a1936f69a35f181d1155f347f0fb github: Disable the Gradle daemon globally in always the same way
  • 4115c37852b2e4d21b7e070bb28b748f563426aa github: Use the new publishing mechanism in the release workflow

Chores 🔧

  • 979847bbb5a4558a7f8cbe2a7c5256600da913cb commands: Deprecate the --skip-excluded options
  • 2ac0dfe71b5aeb8de8c6001488dd316c7815e98d downloader: Improve the log message for Cargo VCS handling

Dependency Updates 🚀

  • 8fa33e6bb6c61e182101924e72de962c2feac1ed update dependency com.networknt:json-schema-validator to v1.1.0
  • 97763c018cc412f034841d9c6703de94ce505e47 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.10
  • fe994d7f5860318c9b448fe5e795e7793d47fc97 update dependency software.amazon.awssdk:s3 to v2.22.0

New Features 🎉

  • 58ceee73c71a0ec0173ab11ad2e940e21fd1abe0 model: Introduce OrtResult.getResolutions()
  • cd8e1bf05a35a41b399b2797a1a74c6919115d2c ort-utils: Find names even if the version has an (ignorable) suffix

Other Changes 💡

  • 759e542d70424c66f5a91037781672a597e36b42 helper-cli: Remove getUnresolvedRuleViolations()
  • c9fdf417c8e15c3fd2e0c6d4d48ee4f7ad6f0d77 model: Make resolveResolutions() an extension function
  • f15ba6b844d2e175d9b2089232b601d33ac29aa5 reporter-command: Include all resolutions in the OrtResult

Tests ✅

  • 9e4d666deb1975701aeaecc8ac6c4527bf58991f carthage: Make the test independent of the GitHub org ORT is hosted
  • 10c03628e5163bed01ccafc4ec5a2efb232736f9 evaluated-model: Include all resolutions also in resolved config
  • f70df1de6040438c33d32a4c6c4da56e3ddcbb1c spm: Update expected results
  • e1803f099c56539d6061345aa01320315f8fd666 vulnerable-code: Improve the test by verifying URI creation

ort - https://github.com/oss-review-toolkit/ort/releases/tag/10.0.0

Published by github-actions[bot] 10 months ago

What's Changed

Breaking Changes 🛠

  • ce6839d6139493eede38414bd1088d1fee834424 refactor(reporter)!: Use default interface implementations to reduce code

Bug Fixes 🐞

  • 7aa48950ca1f2fa899a622288a750a4be84c7b64 GoMod: Stop crashing with NoSuchElementException
  • 5e82e201cf3be8ed7d6a692bfdac1a27011e6d77 asciidoc-reporter: Use monospaced text without "nested formatting"
  • e5e0f3f47135eae01852b5ce9329478a1d90dac2 evaluator: Apply excludes before lookups in the OSADL matrix
  • fed0cd3ac3d83fcdaed644d87ea9ecfdf8f7d7c5 evaluator: Apply repository license choices to the project
  • 6a7d63dd6b9019a9bb978620b218655d0725aa42 reporter: Do not take blank license texts
  • 57f85f0060c32eec758cf2e80c556afcc80ea988 reporter: Fix a potential failure in the FossID snippet report
  • 686f9532d333d2f8f19381e873c6e051d880e3b6 reporter: Process only valid scancodes in FossIdReporter

Chores 🔧

  • 41e559cd96e9abc3aba26ed7f2334b8bd7c5e929 asciidoc-reporter: Remove an unused test asset
  • e6adeec1c6df37c13a9ffcdfa01430b58114f5cf docker: Upgrade Swift to the latest version
  • 7092afb0dfca910bc40d2d8a58ca2fc625143b88 scancode: Align JSON assets to have a trailing newline

Dependency Updates 🚀

  • ab808c98ed9abc2aad8e323500edfc24ba4c55aa update dependency com.autonomousapps.dependency-analysis to v1.28.0
  • 25361dd02648e8705bc0e0be3736ce9a09365f6f update dependency com.networknt:json-schema-validator to v1.0.88
  • 064cf505bf4d07b9b274ac1cceada2e740d12960 update github/codeql-action action to v3
  • 664e89c346d0031ac5f9358d7d3dbcfdbee7a95b update jetbrains/qodana-action action to v2023.3.0
  • 9b3349db70ec9c0c88a2e8888e799d738f536179 update ktor to v2.3.7

Documentation 📖

  • 41116051833cd5c9fc135b0f826e2be11b7ea8a0 cli: Distribute a README.md to show where to put plugins
  • 3d78d6473263db2a5a591bb98b9c4d9765302020 go: Fix an obsolete code comment
  • 706ee15507f7cb988b5bbbf492006d4f3b04f17e model: Improve the wording of IssueListConverter's documentation
  • 221cad8c96ba431f9bb8738c91163a57e1b5f802 Clarify that repository license choices also apply to projects
  • c63f4898aa319d752d30d609555968f8a713a3e5 Fix-up the KDoc for DefaultResolutionProvider.create()
  • f7406d923939212d76f23408c34cab253491c448 Improve the KDoc for getOpenIssues()

New Features 🎉

  • 7e1f3a86594a8958fa8f8b2317baca95973b4c9f Fossid-webapp: Increase the read timeout for listMatchedLines
  • eaa29e51164a4c2a8ce48a6617bc3922a1efef1f fossid-webapp: Make the comment of a project optional
  • 1109a7a3fe7bda6b9b88978d6b2d143895678e27 jenkins: Allow to mix OSADL matrix and configured rules
  • bf1b0323b9077fc1f715c5cce62c9f9219acd49d model: Associate licenses and exceptions from the same expression
  • d5548c36698136e5360c96523a7a8e3b720dee72 scancode: Get the key to ID mapping without --license-references

Other Changes 💡

  • 4ad17d3a27679d50d02e2a3b8dc593980bdd3197 go: Align a function name with upstream terminology
  • 4aa865f9d2835e183949c5fee2e95dd4a03bc5e5 go: Drop some unused obsolete code
  • c04c3ee8110ffcdb52c3fa77d3045931437f05b3 model: Make a function signature a bit more speaking
  • e0e02ce4799b534b8673c83c0bc7ff2212e6142b Use SPDX constants in more places

Tests ✅

  • b7f5a38ca62223ada9c97b7470f96da01f2fa5e8 go: Add () to function names in test case names
  • 81aee121a012d77597ed82fa5359fe534e75a982 scancode: Test license mapping without license references

ort - https://github.com/oss-review-toolkit/ort/releases/tag/9.0.0

Published by github-actions[bot] 11 months ago

What's Changed

Breaking Changes 🛠

  • 247b046f56de8935269c9f6545b7be188e155b56 refactor(scancode)!: Make parseScanResult(JsonElement) private

Bug Fixes 🐞

  • 374b4a0f72b358dc6434d76f1409b1d1d5e11a51 command: Drop an obsolete scanner command option
  • ba66567963444b4060abd450565e356d27ceca84 commands: Avoid a duplicate plural "s" in the summary sentence
  • 281a854b472a6e265be4e207c5ab26a8767554cd integrations: Re-generate shell completions
  • f16bf59835b3f5558b9fd68b0e9db1bbfc333a54 integrations: Re-generate shell completions
  • 849f987a80451c27d3fa943cce078c33860c95e1 node: Default to NPM if there is no indication for any Node manager
  • 8e1ec1d77289fe8c9f20c8339eb9d4399643c50f node: Do not crash on projects that do not set a version
  • f99e2ede5053200cef966836b051e77f5328d575 node: Rewrite manager detection to solve issues
  • b6f6bc553c6c596e256ede4ccf0331181a35a825 scancode: Fix the broken file paths in mapped timeout errors

Build 🐘 & CI ⚙️

  • a9515337b079c3db7c37e594e0c16b68a1dfe3b8 github: Disable parallelization when publishing

Chores 🔧

  • a464678e9f6f9c3fb298ba2be265dbcb28ca4922 Jenkinsfile: Remove the VULNERABLE_CODE_API_KEY parameter
  • bec02fd68ce12fbc520a0262f3ea259885f0ea3b cli: Make properties come before functions and classes
  • 161acddc544fc24fa0b52ac10ab91c774b998db6 detekt: Remove an exception for an unused wildcard import
  • 7aac20409dd9f7de31cf5e92e5147cf9e61fca8b jenkins: Omit empty string default values
  • f9d11246cdd0f3c2ea140cfc82a32cb5d4a45852 reporters: Improve log wording about the generated (temporary) file
  • ff9e1cfc0bb4bbecadca06a81dbafcf59caf1dc8 scancode: Make the internal timeout constant private
  • b3c98bbf24907d36ca003d78f532054d3c7b12a5 spdx: Give more context in require checks

Dependency Updates 🚀

  • 7fbd47f06f2fc70f2134442667a521c8f492b9cb gradle-inspector: Again use current Gradle's tooling API version
  • e86a1b98aaadd87885dab00ee507fac2fd53dba2 Update kotlinx-serialization to version 1.6.2
  • fd8fc8ef2fb9fdd94bca7ee1ea65b27ee1fbaa51 update actions/setup-python action to v5
  • 5af7043ae27e1022d070832330882a3bbdd05f88 update dependency ch.qos.logback:logback-classic to v1.4.14
  • 99b0f8681b12d2058c7a0c50612cde376fb94282 update dependency com.autonomousapps.dependency-analysis to v1.27.0
  • 33be29a7d275d8e76e3363c41d08710952757ded update dependency net.sf.saxon:saxon-he to v12.4
  • 36e81383d6273836612a0e3a6455c120c2116319 update dependency org.jetbrains.kotlinx:kotlinx-html-jvm to v0.10.1
  • 894a29e3e5ab472898bc33c00857d25f213736ab update dependency org.postgresql:postgresql to v42.7.1
  • 8c4879c3ff32b8fc5a925253e5f4c785a4236d59 update jetbrains/qodana-action action to v2023.2.9
  • f898d75d94de13f04a089a2b73b33a2d76f235be update jgit to v6.8.0.202311291450-r
  • bff2d014cd3c26ca1f02502240fd9fb903b3cd57 update maven to v3.9.6

New Features 🎉

  • 53a8dd36cc7afd621a04dc5654295784c8872674 helper-cli: Add two patterns to path exclude generation
  • eb93dd57432f9114b2357aa857f201f809e455a8 jenkins: Allow to use a custom scanner from a plugin
  • 81b3130cace6187759523830bc3a2a07e69da8c3 jenkins: Show the active configuration to ease debugging
  • 521640b4f55edfbfb357f65a12db480eb9521474 model: Add the property Issue.affectedPath
  • 583960404ccdf6846858396e5355a6ea23915a39 model: Adhere to Issue.affectedPath when filtering a summary
  • 4d532d862022df5921d21be19f8862e1409e1fce model: Enable Issue.affectedPath also for older scan results
  • 00331236c7c25aa2e2f85103c083327eacc85b44 scancode: Relax precondition for mapping timeout issues
  • 27bc117306f9110f06a841558cfe6cf70e172496 scancode: Set Issue.affectedPath for timeout errors

Other Changes 💡

  • 67297b2b7e76899cd20e7b7cfef5c51c99fb12d3 config: Align on setting "skip excluded" in the config
  • e14dc23ce7c555c7c9a7ca08867443d326180b9f scancode: Move toSummary() to ScanCodeResultModelMapper
  • da463b8f150e53833c8f1e87c4df241381007769 scancode: Move mapping of scan errors into toSummary()
  • d6f39ce18a3b9fd41d65ae6dede271b155144e30 scancode: Use a more generic name for ScanCodeErrorMappers

Tests ✅

  • f073323cbccc9c0edf4738feabda256d9e09125c conan: Update expected results
  • 69ab754a92d289371e3e4c157ca829386a7d2359 model: Add a test for ScanSummary.filterByPaths()
  • 91d07c29d3b3f6133fa995cb10d6fd418a9ddabf scancode: Factor out getAssetFile()
  • 97c121e255d892f732b71112fd0937454d8b81d4 scancode: Include timeout errors in the assets for output formats
  • 51d7fafa3c542873247ac7a155d3264703d09f81 scancode: Remove some redundant variable definitions
  • 7cc5e49f2f5497f4c66b8bb432c8c8c0931764d6 scanner: Never read or write stored results for the "Dummy" scanner
  • d9b1f8de2539f37b269bf2d8b3cb0d6e1fa4e29c scanner: Simplify filtering files
  • 9b265150cf6b049b5ba81f2c09c5d4444d0cccf2 scanner: Use NOASSERTION instead of NONE for dummy findings
  • 84d2f6dd12bbad1834ff9cf5e84507dd3055b1aa 46816a5fe65d086f30f545445141b0018c925743 0a2ca2c2108d48dd2ab954a36df2d817a2f48381 cc9289462e81c622b97e6e6be954998a8630b531 spm: Update expected results
  • 55e226f559b2c95f554d8a18b874841791596a58 vulnerable-code: Also assert issues to be empty
  • 4bf0241915e6d6748261b4c8f69bf3f4cd78bf85 vulnerable-code: Always enable the test, even without an API key

Other Changes 💡

  • bd6d9ecdae44cc099cd3cbdcf1de8f0668c84a72 Revert "chore(jenkins): Omit empty string default values"
  • 58f115558d2ee76ab237be9d505fcb6e4d05f5c4 style(vulnerable-code): Unwrap lines that do not need wrapping

Package Rankings

Top 4.7% on Proxy.golang.org