
Releases: oss-review-toolkit/ort

38.0.0 (Halloween edition 🎃)

31 Oct 08:35

What's Changed

Breaking Changes 🛠

  • e01a1f2 refactor(node)!: Move Pnpm into its own dedicated package

Bug Fixes 🐞

  • a1652ea dos: Edit downloading the source to be scanned
  • 3a8812d model: Correctly map Identifier namespaces to purl namespaces
  • b1740ef model: Rework purl conversion according to the specs
  • 42f0f33 spdx-reporter: Also check LicenseRef exceptions of snippets
  • fe7d1ef spdx-reporter: Remove a conflicting license validity check
  • f1a49b5 utils: Support deleting read-only files on Windows
  • 41d1c6f yarn: Fix up the error handling in getRemotePackageDetails()

New Features 🎉

  • c9d2a49 spdx: Deal with cycles in dependency relations
  • 2161ffd yarn: Also log warnings output by yarn info

Chores 🔧

  • d2dd061 model: Nest purl tests in preparation for adding more tests
  • 2c79d17 model: Remove a few redundant purl tests
  • 24f44d8 osv: Remove the work-around for Swift
  • 51f5ec6 spdx-reporter: Map to a Set for distinct entries
  • 7cd95a4 spdx-reporter: Remove a default strictness argument
  • 4814301 Align on "purl" spelling for Package URLs

Dependency Updates 🚀

  • e39a48c Update the dependency-analysis-gradle-plugin to version 2.3.0
  • b3c1124 Update the dependency-analysis-gradle-plugin to version 2.4.0
  • d2cfce1 update actions/checkout digest to 11bd719
  • bc94e33 update actions/setup-java digest to 8df1039
  • 17767fb update actions/setup-node digest to 39370e3
  • d0cf5be update dependency ch.qos.logback:logback-classic to v1.5.12
  • f38c1f4 update dependency com.charleskorn.kaml:kaml to v0.62.0
  • 2b4e7fb update dependency com.charleskorn.kaml:kaml to v0.62.1
  • 52162c5 update dependency software.amazon.awssdk:s3 to v2.29.0
  • 01340ed update exposed to v0.56.0
  • cee8a78 update github/codeql-action digest to 6624720
  • 69fcc36 update jackson to v2.18.1
  • 31edf71 update jetbrains/qodana-action action to v2024.2.5
  • 8f00ece update jetbrains/qodana-action action to v2024.2.6

Documentation 📖

  • 1219605 model: Clarify in a test what a "clean" purl is supposed to be
  • b4d9313 spdx-utils: Clarify that licenseInfoFromFiles contains license IDs
  • 6f3aaa5 spdx-utils: Document each main class with a link to the spec
  • 0460948 yarn: Add information about the mentioned network issue
  • 02192a3 yarn: Re-align the docs with the function

Refactorings 🚜

  • 7f07648 model: Move purl-related tests to PurlExtensionsTest
  • 49c654a model: Turn purl test data assertions into sanity checks
  • 771a6a5 npm: Allow getRemotePackageDetails() to return null
  • 6f802f8 npm: Make getRemotePackageDetails() handle unsuccessful runs
  • 1394274 npm: Move parsePackage() outside of the Npm class
  • 5bff7a2 npm: Move parseProject() out of the class
  • 6999a12 npm: Remove a now unnecessary runCatching()
  • 0223e40 osv: Simplify queries with purls
  • 0eb1eea pnpm: Make Pnpm separate from Npm
  • 26703f9 yarn: Extract extractDataNodes()
  • 8e90a79 yarn: Use a more speaking name for output

Tests ✅

  • a265d38 model: Add name(space) specific purl tests
  • 419b42b model: Test against the official purl test suite data
  • bfa893b npm: Re-create the lockfile for the babel project
  • f63b068 osv: Update expected results
  • 61c4721 pnpm: Add some more functional test coverage
  • db0ec55 python: Update expected results
  • b688a9c python: Update expected results
  • c535f61 vulnerable-code: Test lookup for a Go package
  • 507ee30 yarn: Add some more functional test coverage
  • d59b609 yarn2: Move the functional test into the yarn2 package

37.0.0

24 Oct 08:07

What's Changed

Breaking Changes 🛠

  • e4e8396 chore(model)!: Remove old plugin config aliases
  • d1fa585 refactor(model)!: Rename a LicenseFilePatterns property
  • 131c130 refactor(model)!: Rename a class to PathLicenseMatcher

Bug Fixes 🐞

  • 9ccccf6 gradle-inspector: Optimize memory by caching dependency subtrees
  • 1b83831 jenkins: Allow to select DOS as a project and package scanner
  • 950624a pub: Support deserializing hosted deps without version constraint
  • ad9a363 yarn: Deal with retries when parsing the command output

Chores 🔧

  • 7b1c5b9 pub: Handle dependency types in the same order as documented
  • 9b9d996 pub: Order dependency classes as in the linked documentation
  • 5c27750 pub: Simplify deserializing dependencies
  • e612c50 scanner: Give a variable in a test a better name
  • d743b8a Align custom kotlinx-serializers to be objects, part 2

Dependency Updates 🚀

  • e65ff6b docker: Upgrade Askalono to version 0.5.0
  • 622655e Update the dependency-analysis-gradle-plugin to version 2.2.0
  • 1106470 update dependency @mdx-js/react to v3.1.0
  • ed4bccf update dependency com.github.jmongard.git-semver-plugin to v0.12.11
  • 8885a75 update dependency com.squareup:kotlinpoet to v2
  • f24b2b3 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.19
  • 65df485 update dependency org.semver4j:semver4j to v5.4.1
  • 606c475 update dependency org.wiremock:wiremock to v3.9.2
  • 3101aa8 update github/codeql-action digest to f779452
  • d169fae update ksp to v2.0.21-1.0.26

Documentation 📖

  • 786aba4 model: Improve LicenseFilePatterns docs
  • 89f8422 pub: Add links to dependency types
  • 36418b6 pub: Move a comment to the data class docs

Refactorings 🚜

  • 6c7a4b1 model: Make LicenseFilePatterns properties sets
  • 1151e95 model: Move RootLicenseMatcherTest to the correct package
  • 7143c32 npm: Drop a slightly misleading log output
  • cbdb228 npm: Remove unused parallelization constructs
  • 19aaa1c pub: Add a default value for version for consistency
  • 201e0de pub: Only use a single shared YAML instance
  • bd745c1 pub: Reduce code by delegating to the default serializer
  • 0efd79b pub: Reorder classes into packages

36.0.0

17 Oct 13:38

What's Changed

Breaking Changes 🛠

  • 4470675 chore(clearly-defined)!: Make CoordinatesSerializer internal

Bug Fixes 🐞

  • 03b4ed9 cli: Remove credentials from environment variables
  • 47f73b4 gradle-plugin: Guard dependencyResolutionManagement usage
  • acfb440 maven: Correctly convert repositories
  • 0d99de2 pub: Properly end the input structure when parsing specs
  • 9d0873c spdx-utils: Accept the "no patent" exception

New Features 🎉

  • e5c6e0c fossid: Make FossID sensitivity configurable

Build 🐘 & CI ⚙️

  • 1d9c188 gradle: Update transitive commons-io versions
  • bac154a release: Increase the timeout for creating the staging repository

Chores 🔧

  • 9607cd0 Align custom kotlinx-serializers to be objects

Dependency Updates 🚀

  • b4523c9 Update the gradle-maven-publish-plugin to version 0.30.0
  • d67369d update dependency ch.qos.logback:logback-classic to v1.5.10
  • b54962b update dependency ch.qos.logback:logback-classic to v1.5.11
  • 06537b2 update dependency io.github.pdvrieze.xmlutil:serialization to v0.90.2
  • 8c103c4 update dependency org.cyclonedx:cyclonedx-core-java to v9.1.0
  • 89af4ed update kotlin monorepo to v2.0.21
  • 0b82618 update ksp to v2.0.21-1.0.25

Refactorings 🚜

  • 831b113 pub: Port the lockfile parsing to KxS

35.0.0

10 Oct 07:30

What's Changed

Breaking Changes 🛠

  • ab39b4d build(gradle)!: Build with Java 21

Bug Fixes 🐞

  • 0092efa Npm: Stop creating dangling packages for non-workspace projects
  • 1965e25 bazel: Disable the wrapper script only for the --version call
  • bca9748 gradle: Also check for non-empty resolution alternatives
  • c9d114c gradle: Be specific about using Adoptium / Temurin as the JDK
  • f272825 gradle-plugin: Build with the lowest supported Java version
  • 864d19f node: Represent workspace submodules as Projects
  • b9e6b8d Tolerate LicenseRef-* exceptions in declared license mappings

New Features 🎉

  • 9b9beac bazel: Support github in the module metadata JSON file

Build 🐘 & CI ⚙️

  • 9e26438 gradle: Make the Java version used for KSP configurable
  • 085020f gradle: Remove unused Ktor version catalog entries

Chores 🔧

  • c48533b bazel: Output the registry's URL with each error message
  • 901aa9d gradle: Omit a default argument when publishing
  • 6ab1310 model: Rename "components" variables in Identifier
  • e47d5c8 npm: Move a TODO comment above the function signature
  • 23f425c pub: Align the Gradle check with DependencyGraphNavigator
  • 796cd27 scanner: Remove an unused label

Dependency Updates 🚀

  • 953a4b6 Update the dependency-analysis-gradle-plugin to version 2.1.3
  • 7509ece Update the dependency-analysis-gradle-plugin to version 2.1.4
  • 2097810 update actions/checkout digest to eef6144
  • c4c2177 update actions/setup-java digest to b36c23c
  • 546550e update dependency ch.qos.logback:logback-classic to v1.5.9
  • 3087efe update dependency com.github.ajalt.clikt:clikt to v5.0.1
  • 58e3c6f update dependency com.icegreen:greenmail to v2.1.0
  • 32f0263 update dependency io.foojay.api:discoclient to v21
  • 86606ff update dependency io.mockk:mockk to v1.13.13
  • 46afc3a update docker/setup-buildx-action digest to c47758b
  • 8b030ab update github/codeql-action digest to 6db8d63
  • f9ddacb update github/codeql-action digest to c36620d
  • a8031bf update jgit to v7

Documentation 📖

  • 8369f2a gradle: Add links to the Gradle Java-compatibility matrix
  • 175f03a model: Clarify an Identifier's project vs. package use

Refactorings 🚜

  • 28dce9a node: Use Set<File> as the type for submodule directories
  • dc5fc90 npm: Reduce the amount of filterTo()s
  • 01eaf8f npm: Replace two !! with checkNotNull()
  • e4b37aa npm: Use named arguments in a constructor call

Tests ✅

  • 1d71126 bazel: Add a missing test for when there is no lockfile
  • 6a8a46c cli: Remove a Gradle project analysis
  • 973bc59 common-utils: Remove a test that relies on the Security Manager
  • 70e0f81 osv: Update expected results
  • c6003b8 python: Update expected results
  • 8b07534 python: Update expected results
  • e34734a Ensure to use a compatible Java version for Gradle projects
  • 118fab7 Ensure to use a compatible Java version for Gradle projects

34.0.0

03 Oct 07:43

What's Changed

Breaking Changes 🛠

  • 1f4d723 chore(advisor)!: Remove the NexusIQ advisor
  • baa1fd4 refactor(common-utils)!: Clarify the use of resolveExecutable()

Bug Fixes 🐞

  • 6d576c3 analyzer: Maintain package manager names as keys in the graph
  • 83a4465 gradle-inspector: Properly pass through the managerName for issues
  • a3460f3 node: Support deserializing PackageJson.author from an array

New Features 🎉

  • 6b896c3 common-utils: Stricten a check in resolveExecutable()
  • c180727 gradle: Allow to configure the Java version and / or home
  • e18b08e helper-cli: Add an option to override the repository configuration
  • e642295 model: Add Git-only VCS host names as Git aliases
  • 789f15b ort-utils: Improve the JDK check to not accept a JRE
  • 2673ccb ort-utils: Support file URLs in downloads

Build 🐘 & CI ⚙️

  • 7d48df1 github: Associate the dependency graph to the main branch
  • f92ad12 Simplify the reuse check

Chores 🔧

  • 6311935 .ort.yml: Trim trailing whitespace
  • 062221e analyzer: Avoid unnecessary mutable maps
  • 1e7ec04 analyzer: Slightly optimize a check
  • 8b7d02c gradle: Make managerName in GradleDependencyHandler private
  • 20d7898 gradle-inspector: Improve a log message
  • 38d88ab helper-cli: Drop the obsolete command to create analyzer results
  • 720a23c node: Remove the unused parseNpmLicenses() function
  • f9a91f9 package-managers: Simplify code to get javaHome a bit
  • 95c604b Simplify mapping of non-empty strings

Dependency Updates 🚀

  • ae10e2f Update the dependency-analysis-gradle-plugin to version 2.1.1
  • 7bdbcd1 update codecov/codecov-action digest to b9fd7d1
  • 90c8fb0 update dependency ubuntu to v24
  • fcb93d8 update docker/build-push-action digest to 32945a3
  • 7625dae update docker/build-push-action digest to 4f58ea7
  • 1811b5f update github/codeql-action digest to e2b3eaf
  • a03471c update hoplite to v2.8.2
  • cd61f12 update jackson to v2.18.0
  • a8bff04 update log4j2 monorepo to v2.24.1

Documentation 📖

  • 2c8b259 analyzer: Remove a comma to fix grammar
  • d200260 dos: Fix a typo
  • 3b0c858 model: Fix a typo in documentation for addDependency()
  • c363749 ort-utils: Align wording of Environment property docs
  • ef8b61c ort.yml: Improve code block titles for examples
  • b4922ec scanoss: Fix a typo
  • b3e9ddb website: Fix a typo
  • e309c3b website: Use the correct property for the description header

Refactorings 🚜

  • b5dd8d7 go: Combine getProjectName() into getModuleInfo()
  • c03ecf3 model: Extract a dependenciesAccessor() function for reuse
  • 7b4177d model: Inline a referenceFor() overload function
  • ed4a537 model: Inline the graphForManager() function
  • d347153 model: Make DependencyGraph.edges non-nullable
  • e815570 model: Make DependencyGraph.nodes non-nullable
  • 407d287 ort-utils: Introduce a helper to check the JDK version
  • 988dd17 ort-utils: Introduce a static Java version property

Tests ✅

  • 2b08e9e conan: Update expected results
  • d26e12f pub: Update expected results

Other Changes 💡

  • b5723d6 style(analyzer): Use parentheses after functions in test names

33.1.0

26 Sep 08:01

What's Changed

Bug Fixes 🐞

  • a980b5d bazel: Force the generation of a MODULE.bazel.lock file
  • 3e1a8c4 scanner: Create intermediate nested provenance directories
  • 7a1c59d scanner: Properly handle scanPath() exceptions

New Features 🎉

  • 7f3764e bazel: Add support for the git_repository source info type
  • 0430090 bazel: Add support for the local_path source info type
  • 573b86f bazel: Prepare for other types of module source info
  • 0e2a943 sbt: Add back checking the global SBT version as well
  • b5efe6f sbt: Allow to configure the SBT version, and Java version / home
  • cd70325 scancode: Try to get more information on failures
  • 165b3e6 yarn: Fail in case an update of the lockfile is needed

Build 🐘 & CI ⚙️

  • 12d16ab github: Submit the Gradle dependency graph for releases

Chores 🔧

  • 9fa1666 scanner: Get the time for a failure summary only once

Dependency Updates 🚀

  • 211890e docker: Pin setuptools version to 74.1.3
  • 5b9da04 docker: Upgrade Python to 3.11.10
  • a58ac50 docker: Upgrade pyenv to 2.4.13
  • f17d292 docker: Upgrade the INCLUDE-syntax extension
  • bc92f57 Update the dependency-analysis-gradle-plugin to version 2.1.0
  • 93fe4f9 update actions/setup-node digest to 0a44ba7
  • 426c04b update dependency com.networknt:json-schema-validator to v1.5.2
  • 442b553 update dependency com.zaxxer:hikaricp to v6
  • bfe97b1 update dependency gradle to v8.10.2
  • f883120 update dependency org.jetbrains.exposed:exposed-java-time to v0.55.0
  • 7512eeb update dependency org.jetbrains.gradle.plugin.idea-ext to v1.1.9
  • e63a244 update github/codeql-action digest to 294a9d9
  • 9e30e9d update github/codeql-action digest to 461ef6c
  • ad3b9fb update jetbrains/qodana-action action to v2024.2.3
  • 12efc26 update kotlinxserialization to v1.7.3

Documentation 📖

  • 062f517 scancode: Move a comment to a more relevant location

Refactorings 🚜

  • 047efd1 sbt: Factor code out of checkConfiguredSbtVersions()
  • 922e42f sbt: Only check SBT versions configured in the build
  • d9b30a6 sbt: Simplify the definition of default options
  • bff2ac8 yarn2: Improve a constant name

Tests ✅

  • 837d588 node: Make the naming of expected result files more consistent
  • 412a010 node: Move Pnpm test projects into a dedicated pnpm directory
  • 563ce35 node: Move Yarn2 test projects into a dedicated yarn2 directory
  • 9860496 node: Move the expected result files into each respective dir
  • 9198c5b npm: Stop using npm-expected-output.yml for multiple test cases
  • d346925 c44408f 2308b11 ac771e4 osv: Update expected results
  • 10618d5 pnpm: Slightly improve a project name and metadata
  • ad1329b pub: Update expected results
  • adeb51e python: Update expected results
  • 8f4b542 yarn2: Slightly improve a project name and metadata

33.0.0

19 Sep 07:21

What's Changed

Breaking Changes 🛠

  • 60ef7c9 feat(advisor)!: Rework VulnerabilityReference semantics
  • 01ca824 refactor(model)!: Generalize the scoring system mapping
  • 6015cc9 refactor(yarn2)!: Inline YARN_PATH_PROPERTY_NAME
  • 630a8db refactor(yarn2)!: Move some vals and funs outside of the companion

Bug Fixes 🐞

  • 2ac103a bazel: MODULE.bazel files from a local registry should be ignored
  • cb7c914 model: sslmode typo in reference.yml
  • e8e9b83 osv: Improve error handling a bit
  • 508dbfc spdx-utils: Support reading dashed reference category names

New Features 🎉

  • 24656e2 model: Add underscore variants to CVSS names
  • 95cba40 vulnerable-code: Add scoring elements to the data model

Build 🐘 & CI ⚙️

  • e833172 gradle: Do not set a global duplicatesStrategy anymore
  • 9928629 gradle: Replace custom code with the reproducible-builds plugin
  • c6523c4 github: Do not configure a custom linter version anymore
  • 9f7b625 renovate: Disable NuGet package manager updates

Chores 🔧

  • 61eb5c1 evaluator: Remove a few named lambda variables to simplify code
  • d29db08 gradle-plugin: Explicitly set a duplicatesStrategy
  • ce409f9 helper-cli: Consistently make commands internal
  • a577470 helper-cli: Consistently name the help parameter explicitly
  • bb0654c node: Add a couple of links to upstream documentation
  • c725523 node: Slightly simplify Yarn code to get package details
  • f675a32 osv: Improve mapping from OSV to ORT vulnerability references
  • 275c2c1 yarn2: Drop an obsolete TODO comment

Dependency Updates 🚀

  • a488e05 Update clikt to version 5.0.0 and Mordant to version 3.0.0
  • 0b24c91 Update dependency-analysis-gradle-plugin to version 2.0.2
  • 0c10c2f Update kotlinx-coroutines to version 1.9.0
  • 280d8fb update dependency org.semver4j:semver4j to v5.4.0
  • 521bd69 update dependency software.amazon.awssdk:s3 to v2.28.0
  • fd28fcf update github/codeql-action digest to 8214744
  • 21a3289 update gradle/actions digest to d156388
  • 12c8019 update jetbrains/qodana-action action to v2024.1.10
  • c750cfd update jetbrains/qodana-action action to v2024.1.11
  • 0c540bd update jetbrains/qodana-action action to v2024.2.2

Documentation 📖

  • 8a1e42a gradle: Improve the wording of a code comment
  • 1b15bfa yarn2: Fix-up a couple of broken KDoc references

Refactorings 🚜

  • 5a303ad helper-cli: Introduce an abstract OrtHelperCommand base
  • d1fa1f2 model: Extract vulnerability rating code to a function
  • 8b45010 npm: Use a simpler return type for two functions
  • 5bc030e yarn2: Extract isCorepackEnabled()
  • e2bca6b yarn2: Inline DEFAULT_EXECUTABLE_NAME
  • da6cc49 yarn2: Move a couple of functions / classes to the file level
  • 12c99e1 yarn2: Move some sanity logic into getYarnExecutable()
  • 5d0f002 yarn2: Reduce the scope of the version variable
  • 098ef99 yarn2: Simplify cleanYarn2VersionString()
  • 9db096c yarn2: Use a shorter name for versionFromLocator

Tests ✅

  • c17e5c3 bazel: Update expected results
  • 52cb0e0 conan: Split out the lockfile case into a dedicated test
  • a9e964e conan: Update expected results
  • 6123c13 node: Consistently place Npm projects in the npm directory
  • 06fe673 node: Drop the README.md for Npm test assets
  • c67d544 node: Improve a test case name
  • b0bd418 node: Merge NpmVersionUrlFunTest into NpmFunTest
  • 8cbbb57 node: Move Yarn test projects into a dedicated yarn directory
  • 254a64a node: Slightly improve a project name and metadata
  • 49b65dd osv: Update expected results
  • 6e181ef bc819cc osv: Update expected results

32.1.0

12 Sep 11:12

What's Changed

Bug Fixes 🐞

  • 023752f dos: Make the token a secret config option

New Features 🎉

  • fcfab20 gradle-inspector: Add an option to bootstrap a JDK version

Chores 🔧

  • f654747 node: Drop the now unused Jackson dependencies
  • da5c922 yarn2: Make use of YARN2_RESOURCE_FILE in a log message

Documentation 📖

  • f2f2f7c ort-utils: Fix environment property descriptions
  • 65f58c3 Update link references of ownership

Refactorings 🚜

  • 184eb55 yarn: Port the remaining Jackson code to KxS
  • 45dd629 yarn2: Factor out getYarnExecutable()
  • c137075 yarn2: Port getYarnExecutable() to KxS
  • 519a76a yarn2: Port isCorepackEnabledInManifest() to KxS
  • 841bd30 yarn2: Port listDependenciesByType() to KxS

32.0.0

12 Sep 07:32

What's Changed

Breaking Changes 🛠

  • 1621941 feat(gradle)!: Make GradleInspector the new default
  • c21b31b refactor(reporter)!: Rename the reporter to AOSD2 to avoid confusion

Bug Fixes 🐞

  • 2438448 gradle-inspector: Do not assume all POM artifacts to be metadata-only
  • 7c421cc gradle-inspector: Handle dependency cycles properly
  • 78f0a07 gradle-inspector: Keep the artifact URL on invalid hash values
  • 04b0356 model: Add a heuristic to get the manager in dependency graphs
  • 7b12e72 osv: Remove an invalid reference type
  • 694ac3c pub: Improve containsFlutterSdk()
  • 9cca883 pub: Use the correct key name when replacing options

New Features 🎉

  • 8ce9483 gradle-inspector: Allow to customize the Java home for analysis
  • af559df jenkins: Allow to configure the list of advisors
  • 9bcb485 osv: Add new ecosystem constants for completeness
  • 723e003 plugins-api: Allow to manually set the plugin ID
  • da7b11f pub: Always use the (one) enabled Gradle package manager
  • 94e30b1 scripts: Add a script to generate all CLI completion scripts
  • 3a68e61 scripts: Align on more portable env shebangs to discover bash

Build 🐘 & CI ⚙️

  • e609a22 refactor: Use the new script to generate CLI completions

Chores 🔧

  • 7c52615 analyzer: Remove a too strict assumption in dependency verification
  • cc04a19 docker: Update Npm to the latest minor version
  • 002b58b docker: Update Pnpm to version 9.9.0
  • 45ff021 docker: Update Swift to version 5.10.1
  • f2fc447 docker: Upgrade Go to version 1.23.0
  • 7373195 gradle-inspector: Rename the init.gradle template
  • 7689ecb yarn2: Fix a typo
  • d9eb1da Remove references to JitPack in favor of Maven Central
  • 54a2e4e Use ifEmpty and ifBlank to simplify code
  • 714996c Use ifEmpty and ifBlank to simplify code
  • de66c45 Use singleOrNull to simplify code

Dependency Updates 🚀

  • 3a1fbf6 Update the native-gradle-plugin to version 0.10.3
  • fbe3ae8 update actions/attest-build-provenance digest to 1c608d1
  • f7d2368 update dependency ch.qos.logback:logback-classic to v1.5.8
  • d80b9d2 update dependency dev.adamko.dokkatoo:dokkatoo-plugin to v2.4.0
  • e20681a update dependency gradle to v8.10.1
  • 64828ac update detektplugin to v1.23.7
  • 80f62a1 update exposed to v0.54.0
  • 8836de6 update ksp to v2.0.20-1.0.25
  • 01f3d58 update log4j2 monorepo to v2.24.0
  • 7be755c update wagoid/commitlint-github-action digest to 3d28780

Documentation 📖

  • a53b7c6 README: Remove the wrapper validation badge
  • d06e12e README: Swap OpenSSF Best Practices and Scorecard badges
  • 0d1965b gradle-inspector: Fix the link to the init script resource
  • eaba79c gradle-inspector: Mention javaHome as part of class docs
  • 9646794 gradle-inspector: Update the list of known limitations
  • 5daae47 issues: Limit ort requirements output to commands
  • f5d54b8 model: Improve VulnerabilityReference property docs
  • 15bf4fc osv: Add documentation to all top-level classes
  • f57e046 osv: Generalize wording from "list" to "collection"
  • f54636e plugins-api: Fix description of PluginDescriptor.id
  • 785514e plugins-api: Improve docs for OrtPlugin
  • 81561d1 Avoid "our" in comments and use passive voice
  • 2b2bb87 Avoid "we" in comments and use passive voice

Refactorings 🚜

  • b0fc861 model: Inline some default parameters in a test function
  • dabcd27 model: Inline the misleading Project.managerName property
  • 8272678 node: Drop the --fields option
  • aa46f27 node: Factor out mapNpmLicenses()
  • b4205ba node: Improve code for parsing package.json and beyond
  • 2cd8fe4 node: Improve the name of packagesHeaders
  • 4e19bbd node: Move Yarn2 into its own dedicated package
  • 77590e3 node: Port the parsing of Yarn2 package infos to KxS
  • f567582 node: Re-use getProjectAdditionalData() also for projects
  • 9ea65f9 node: Rename parseNpmAuthors() to singular form
  • 3382b5b node: Turn fixNpmDownloadUrl() into an extension
  • 407172e node: Use an object mapper for parsing Yarn2's info output
  • 4d854a7 node: Use the info alias for the view command
  • 0efc494 npm: Use a more speaking name for packageFile
  • 8553c7f npm: Use a more speaking name for packageJson
  • 6ecdb9e plugins: Fix casing in plugin IDs
  • 6c653f1 plugins-api: Rename OrtPlugin.name to displayName
  • 399d507 pub: Inline some variables in parseProject()
  • 7ef80e6 pub: Port Pubspec parsing to KxS and use a data class
  • f5b8f6d pub: Rename several manifest variables
  • fca5d83 pub: Use a more speaking name for pubspec
  • 34e2339 yarn: Relax strictness in processAdditionalPackageInfo()

Tests ✅

  • e571858 bazel: MODULE.bazel files from a local registry should be ignored
  • 55fa8bd conan: Update expected results
  • 1132b40 nuget: Disable NuGetFunTest
  • 146f9a0 pub: Update expected results
  • e84d43a python: Update expected results

31.0.0

05 Sep 07:50

What's Changed

Breaking Changes 🛠

  • 848e666 feat(advisor)!: Migrate the advisor to the new plugin API
  • dd90907 refactor!: Move PackageConfigurationProvider to API module
  • 90accbb refactor!: Move PackageCurationProvider from model to plugin API
  • 3c8b32a refactor!: Move config helpers from model to new config-utils module
  • 89467d9 refactor(analyzer)!: Move PackageManagerDependencyHandler to the root
  • 4c7c9fc refactor(analyzer)!: Turn conversion functions into extensions
  • bd4e76e refactor(common-utils)!: Remove the force argument from delete functions
  • e785545 refactor(model)!: Remove PackageConfigurationProvider from OrtResult
  • 1e5ae99 refactor(ort-utils)!: Remove the fallback to read uncompressed files
  • 6636764 refactor(osv-client)!: Remove an unused constructor
  • f787654 refactor(osv-client)!: Remove the Server enum
  • 4f870c2 refactor(package-configuration-providers)!: Migrate to new plugin API
  • 2a8ca2f refactor(package-configuration-providers)!: Remove unused EMPTY constant
  • 934c6aa refactor(package-curation-providers)!: Migrate to the new plugin API
  • d782466 refactor(plugins-api)!: Make PluginDescriptor.id the first argument
  • d15eaa1 refactor(plugins-api)!: Rename PluginDescriptor.className to id
  • 9b13596 refactor(plugins-api)!: Rename PluginDescriptor.name to displayName

Bug Fixes 🐞

  • 5d11ab0 advisors: Make configuration properties secrets
  • a477ded common-utils: Use the Path API to delete files
  • ed095a6 compiler: Fix an error message
  • f991e15 ort-utils: Fix handling of LocalFileStorage.transformPath()

New Features 🎉

  • 29468d0 compiler: Add the descriptor to the factory companion object
  • 35d18a6 compiler: Allow multiple plugins of the same type in a project
  • e15091c compiler: Remove the parent class name suffix from the plugin id
  • 1e0cdfe docker: Replace Syft for Docker own Scout SBOM generator
  • 29a108a model: Check if an archive exists before trying to download it
  • 71983f1 plugins: Add a new plugin API with symbol processing
  • 5804107 plugins-api: Generate a JSON representation of the plugin spec

Build 🐘 & CI ⚙️

  • c01b6c8 detekt-rules: Fix the import check for a single dotless import
  • 90a570d gradle: Fix applying the dependency analysis plugin
  • adbc676 package-managers: Make dependencies on GitCommand explicit
  • b82a5c1 Introduce a convention plugin for plugins
  • 1e9ae8a Rename the convention for plugin parent projects
  • 3e94f07 github: Remove an unnecessary outdated parameter
  • 627296b github: Remove the separate Gradle wrapper validation

Chores 🔧

  • 2b8463d package-managers: Make gradlew of test projects executable
  • 954eb96 plugins: Use the companion object descriptors
  • 97a81dd reuse: Migrate from dep5 to TOML format

Dependency Updates 🚀

  • 6be1533 update actions/setup-python digest to f677139
  • cf72d14 update dependency com.autonomousapps.dependency-analysis to v2.0.1
  • c737daf update dependency prism-react-renderer to v2.4.0
  • 0cdbc49 update github/codeql-action digest to 4dd1613
  • 43c8a20 update gradle/actions digest to 16bf8bc

Documentation 📖

  • a4d249f downloader: Further improve a log message to include the revision
  • 4da006b plugins-api: Fix docs for PluginDescriptor properties

Refactorings 🚜

  • fdd90ca analyzer: Split package manager dependency classes across files
  • 01a200e carthage: Trivially port from Jackson to KxS
  • 78154d8 common-utils: Move recursive deletion tests to funTest
  • ab12481 common-utils: Move several tests to funTest
  • b67936d compiler: Use singleOrNull() to simplify code
  • cb15705 gradle: Move OrtDependency extension functions to the model
  • fbc786d gradle: Turn extension functions into properties
  • 0e3900d gradle-inspector: Make use of OrtDependency extensions
  • 080b303 gradle-inspector: Migrate the code to use the dependency graph
  • 814e56e plugins: Move KSP compiler to separate project
  • 40e0133 plugins-api: Add default value for PluginDescriptor.options
  • 4dd5a49 plugins-api: Separate plugin analysis from code generation
  • 2401bf2 pub: Extract constants for the scope names
  • b42f894 pub: Remove a code redundancy from the construction of scopes
  • 28c4149 pub: Remove an unnecessary for loop and comment
  • d4fd3f1 pub: Use a data class for parsing the lockfile
  • a45bd86 pub: Use a shorter name for pkgInfoFromLockfile

Tests ✅

  • c8f2baa common-utils: Add a test for deleting files with bogus names
  • bb012f3 common-utils: Add a test for deleting read-only files
  • e0e8465 common-utils: Add a test for deleting with a base directory
  • 8e05bcf ort-utils: Add missing tests for LocalFileStorage
  • b68e3b9 ort-utils: Reduce indentation in tests
  • af56607 ort-utils: Use function names for test containers
  • 535ff62 osv: Update expected results
  • b0ae065 pub: Add a () to a test case name
  • bc98102 pub: Consistently use reader
  • b3e173a pub: Remove an unhandled property
  • ed29629 pub: Remove an unnecessary code comment

Other Changes 💡

  • d0840a6 Revert "test(osv): Update expected results"