v32.2.1

This is a minor release with updated package and copyright detection support.

• Add support for parsing resolved packages and dependency relationships
  from nuget lockfile packages.lock.json.
  See #3825

• Add support for parsing resolved packages and dependency relationships
  from cocoapods lockfile Podfile.lock.
  See #3827

• Add support for parsing packages and dependency relationships
  from swift swift-show-dependencies.deplock generated by DepLock.
  See #3829

• Add support for pip-inspect.deplock files to parse and store
  resolved packages and dependency relationships, to statically
  resolve a python dependency graph.
  See aboutcode-org/scancode.io#1262

• Add support for poetry packages, with poetry specific pyproject.toml
  support, poetry.lock and package assembly support. Also add support
  for parsing and storing resolved packages and dependency relationships
  required to statically resolve poetry dependecy graphs.
  See #2109

• Add support for pyproject.toml files in python projects.
  See #3753

• More improved copyright detection, see
  #3752

• scancode-toolkit is now installable from the fedora repo.
  See #3824

What's Changed

• Add handler for packages.lock.json in nuget by @TG1999 in #3825
• Improve copyrights detection by @pombredanne in #3752
• Mention that in Fedora you can now install scancode from Fedora repo by @xsuchy in #3824
• Update cocoapods podfile.lock parser by @AyanSinhaMahapatra in #3827
• Add parser for swift-show-dependencies.deplock by @keshav-space in #3829
• Upgrade python package detection by @AyanSinhaMahapatra in #3757
• Bump version to v32.2.1 by @AyanSinhaMahapatra in #3839

New Contributors

• @xsuchy made their first contribution in #3824

Full Changelog: v32.2.0...v32.2.1

v32.2.0

Major API changes/output data structure changes:

• Output Format Version updated to 3.2.0 (minor version bump)
• SPDX License List support for 3.24.0
• New attribute in top level packages and resource level package_data:
  • is_direct
• New attribute in top level dependencies and resource package_data level dependencies:
  • is_virtual
  • is_private

New changes:

• New and improved package/dependency data:

  • Added new attribute in DependentPackage is_direct to aid
    package resolution and dependency graph creation.
  • Added new attributes in PackageData: is_private and
    is_virtual. #3102 #3811
    #3779

• Improved javascript package detection:

  • Add support for pnpm manifests and lockfiles #3766
  • Add support for npm, pnpm and yarn workspaces #3746
  • Improve resolved package and dependencies support in lockfiles for
    yarn.lock, package-lock.json, and pnpm. #3780
  • Add support for private packages. #3120
  • Add support for new dependency scopes across javascript
  • Lots of misc bugfixes in yarn and npm parsers.
    #3779

• Improve cargo package detection support with various improvements
  and bugfixes:

  • Fix for parser crashing on cargo workspaces
  • Fix a bug in dependency parsing (we were not returning any dependencies)
  • Also support getting dependency versions from workspace
  • Support more attributes from cargo
  • Better handle workspace data thorugh extra_data attribute
    See #3783

• We now support parsing the Swift manifest JSON dump and the
  Package.resolved file #2657.
  Run the command below on your local Swift project before running the scan:
  `swift package dump-package > Package.swift.json && swift package resolve``

• New and updated licenses, including support for newly released
  SPDX license list versions:

  • SPDX License List 3.24:
    This release of the SPDX license list had 25 new licenses
    and exceptions, and out of them 12 were present as licenses
    and 5 were present as rules already. There were 3 new
    license/exception texts added, and the rest 5 were either
    texts with small variations, additions to texts or several
    rule texts together. And the rest have been added as new licenses.
    For more details see #3795

  • More new licenses and rules:

    • 23 new licenses in #3778

What's Changed

• Improve debian package detection by @AyanSinhaMahapatra in #3723
• Add RPM mariner package detection support by @AyanSinhaMahapatra in #3734
• Fix yarn lock v1 parser to handle aliases better by @AyanSinhaMahapatra in #3751
• Add support for Swift package manager by @keshav-space in #3788
• Improve cargo package detection support by @AyanSinhaMahapatra in #3783
• Add new Apache or MIT license rule #3738 by @vasily-pozdnyakov in #3750
• Update documentation for errors in Mac M1 by @swastkk in #3749
• Update to SPDX license list 3.24.0 by @AyanSinhaMahapatra in #3795
• Add new licenses by @AyanSinhaMahapatra in #3778
• Add new LGPL3.0 or later rule by @leslielazzarino in #3805
• Resolve dependencies and improve JS support by @AyanSinhaMahapatra in #3779
• Bump version to v32.2.0 by @AyanSinhaMahapatra in #3812
• Bump version in setup.cfg by @AyanSinhaMahapatra in #3815

New Contributors

• @vasily-pozdnyakov made their first contribution in #3750
• @swastkk made their first contribution in #3749
• @leslielazzarino made their first contribution in #3805

Full Changelog: v32.1.0...v32.2.0

v32.1.0

New CLI options:

• A new CLI option --package-only has been added which performs
  a faster package scan by skipping the package assembly step and
  also skipping license/copyright detection on package metadata.

Major API/other changes:

• Output Format Version updated to 3.1.0 (minor version bump)
• Drops python 3.7 and adopts python 3.12
• New license match attributes:
  • from_file
  • matched_text_diagnostics is added for --license-text-diagnostics
• In codebase-level license_detections we have a new attribute
  reference_matches
• SPDX license expressions everywhere side-by-side with ScanCode
  license expressions.
• All rule attribute level data provided in codebase level todo items.

Changes in Output Data Structure:

• The data structure of the JSON output has changed for
  licenses at file level, and license detections at top-level.
  But note that all the changes are additions to the JSON output,
  so we have a minor version bump 3.0.0 to 3.1.0:

  • There is a new attribute from_file in matches which is in
    license_detections in:

    • File level license_detections
    • Codebase level license_detections
    • license_detections and other_license_detections in
      file-level package_data
    • license_detections and other_license_detections in
      codebase level packages

  • On using the CLI option --license-text-diagnostics there is
    now a new license match attribute matched_text_diagnostics
    with the matched text and highlighted diagnostics, instead of
    having this replace the plain matched_text.

  • A new reference_matches attribute is added to codebase-level
    license_detections which is same as the matches attribute
    in other license detections.

  • We now have SPDX license expressions everywhere we have
    ScanCode license expressions for ease of use and adopting
    SPDX everywhere. A new attribute license_expression_spdx
    is added to:

    • license_detections in file and codebase level
    • in package license_detections and other_license_detections
    • matches for license_detections everywhere

  • Adds all rule atrribute level info in codebase level todo
    data, to assist in review. This includes length, text, notes,
    referenced_filenames, and the boolean attributes (like
    is_license_notice, is_license_intro etc, as applicable).

• New and updated licenses, including support for newly released
  SPDX license list versions:

  • SPDX License List 3.22:
    This release of the SPDX license list had 48 new licenses,
    and several of them we already had as licenses/rules, and
    these has been modified to be consistent with the SPDX list.
    And the rest have been added as new licenses.
    For more details see #3554

  • SPDX License List 3.23:
    This release of the SPDX license list had 43 new licenses,
    and out of them 22 were present as licenses and 10 were
    present as rules already. There were 4 new license/exception
    texts added, and the rest were either texts with small variations,
    additions to texts or several rule texts together.
    For more details see #3653

  • We also have lots of other misc new licenses and rules added to
    LicenseDB, see PRs below for more details:
    #3663
    #3642
    #3586
    #3584
    #3575
    #3570
    #3568
    #3562

• Improve debian namespace detection based on clues and fix
  namespace and qualifier bugs for debian purls.
  For more details see aboutcode-org/scancode.io#899
  and #3443
  Also improve debian manifests parsing and purl parsing from
  filenames. Support for aboutcode-org/purldb#245
  Bumps debian-inspector to v31.1.0

• Bump commoncode to v31.0.3

• Upgraded spdx-tools dependency to v0.8.
  See #3455

Support for Conan package parser:

• We now support the parsing of Conan manifest files, such as
  conanfile.py, as described here https://docs.conan.io/2.0/reference/conanfile.html.
  We also support source extraction from conandata.yml, as described here
  https://docs.conan.io/2/tutorial/creating_packages/handle_sources_in_packages.html#using-the-conandata-yml-file.

What's Changed

• fix: allow fedora based packages by @philcali in #3479
• Upgrade spdx-tools to v0.8.1 #3455 by @armintaenzertng in #3456
• Added docs server script, dark mode & copybutton for docs by @OmkarPh in #3549
• npm: support aliases in yarn lock v1 by @schischi in #3555
• Add license rules by @AyanSinhaMahapatra in #3562
• Fix failing tests by @AyanSinhaMahapatra in #3563
• Add more license rules by @pombredanne in #3567
• Add license detection rules by @AyanSinhaMahapatra in #3568
• More licenses by @AyanSinhaMahapatra in #3570
• Update to spdx 3.22 by @AyanSinhaMahapatra in #3554
• Add new license detection rules by @pombredanne in #3575
• TestRule.test_dump_rule_file: sort the rule file lists. by @licquia in #3582
• Fix reference to install section by @rettichschnidi in #3583
• Add new and updated licenses by @AyanSinhaMahapatra in #3586
• Fix-up an accidental use of SPDX's WITH operator in a rule by @fviernau in #3628
• Update home.rst by @machuii in #3627
• Fix SCTK doc build by @AyanSinhaMahapatra in #3636
• Yet more license rules by @AyanSinhaMahapatra in #3584
• Update license detections by @AyanSinhaMahapatra in #3620
• Support conan in packagedcode by @keshav-space in #3650
• Update LicenseDB by @AyanSinhaMahapatra in #3641
• Update debian package manifest parsing by @AyanSinhaMahapatra in #3647
• Fix debian source purl parsing in status by @AyanSinhaMahapatra in #3661
• Support SPDX License List 3.23 by @AyanSinhaMahapatra in #3653
• Add new licenses and license updates by @AyanSinhaMahapatra in #3663
• Update llgpl as a license exception by @AyanSinhaMahapatra in #3680
• Update license rules by @AyanSinhaMahapatra in #3642
• Add Misc updates by @pombredanne in #3662
• Update package handlers by @AyanSinhaMahapatra in #3682
• Support cargo workspaces by @AyanSinhaMahapatra in #3602
• Validate CLI inputs and paths #3596 by @pombredanne in #3609
• Support Python 3.12 by @AyanSinhaMahapatra in #3658
• Add a faster package scan with --package-only by @AyanSinhaMahapatra in #3689
• Refine referenced filenames #3547 by @AyanSinhaMahapatra in #3681
• Release prep v32.1.0 by @AyanSinhaMahapatra in #3701

New Contributors

• @philcali made their first contribution in #3479
• @schischi made their first contribution in #3555
• @licquia made their first contribution in #3582
• @rettichschnidi made their first contribution in #3583
• @machuii made their first contribution in #3627

Full Changelog: v32.0.8...v32.1.0

v32.0.8

What's Changed

• Fixed epoch parser failing for numeric values by @OmkarPh in #3520
• Update license rules and detections by @AyanSinhaMahapatra in #3519
• License rules update by @AyanSinhaMahapatra in #3545
• Bump version to v32.0.8 by @AyanSinhaMahapatra in #3548

New Contributors

• @OmkarPh made their first contribution in #3520

Full Changelog: v32.0.7...v32.0.8

v32.0.7

v32.0.6 - 2023-07-13

This is a minor release with a lot of license detection improvements, with new and updated license detection rules and new licenses.

• 33 new licenses, 30 licenses updated
• 70 new and updated license rules

The main updates over the previous stable release are:

• To the license Rule class adds is_license_clue attribute and is_deprecated attribute to support license clues detection, and always maintain consistency on unique rule names. Adds fixes for other license detection bug related to license clues, bug in setup.cfg license detection and makes license detection identifiers python-safe. See #3462
• Update/Add new licenses and license rules. See #3470 #3513
• Bump commoncode to v31.0.3 fixing a VirtualCodebase creation issue when there is a directory under the root with the same name as the root directory itself. aboutcode-org/commoncode#57 #3495

What's Changed

• Edit check_rdf_scan so that SPDX rdf tests don't automatically pass #3448 by @armintaenzertng in #3451
• Update misc detections by @AyanSinhaMahapatra in #3462
• Bump commoncode to v31.0.3 by @JonoYang in #3495
• Update and add licenses by @AyanSinhaMahapatra in #3470
• Update licenses and rules by @AyanSinhaMahapatra in #3513
• Release prep 32.0.7 by @AyanSinhaMahapatra in #3527

New Contributors

• @armintaenzertng made their first contribution in #3451

Full Changelog: v32.0.6...v32.0.7

v32.0.6

This is a minor release with a lot of license and package detection improvements, specially for maven packages. We also support the SPDX license list 3.21 now. The main updates over the previous stable release are:

• New and updated licenses, including support for newly released SPDX license list version 3.21. For more details see #3437
• Fixes in summary plugin for licenses, and top-level license detections. #3430
• Updated maven license and package detections, with fixes for various maven package manifest parsing, improved top-level package assembly, ecosystem specific package license detection, fixes in --todo plugin, updated license detection rules/heuristics and other misc changes. For more details see: #3447
• Improved Gemfile.lock parsing. For more details see #3444
• Auto-review plugin to get todo items for scan review, with the new --todo CLI option. For more details see: #3353
• Misc. license and copyright detection improvements at #3346
• Other misc. minor bugfixes detailed in all the previous release-candidates.

What's Changed

• Ambiguous Detections ToDo items by @AyanSinhaMahapatra in #3353
• License detection improvements and review by @pombredanne in #3346
• Fix maven pom resource assignment by @AyanSinhaMahapatra in #3427
• Bump version to v32.0.5rc1 by @AyanSinhaMahapatra in #3428
• Bump version to v32.0.5rc2 by @AyanSinhaMahapatra in #3433
• Release prep v32.0.5rc3 by @AyanSinhaMahapatra in #3436
• Update licenses and rules by @AyanSinhaMahapatra in #3437
• Fix licenses data in summary plugin by @AyanSinhaMahapatra in #3430
• Update proprietary-license_553.RULE by @pombredanne in #3441
• support parsing BUNDLED WITH by @akostadinov in #3444
• Update maven detections by @AyanSinhaMahapatra in #3447
• Release prep v32.0.6 by @AyanSinhaMahapatra in #3454

New Contributors

• @akostadinov made their first contribution in #3444

Full Changelog: v32.0.4...v32.0.6

v32.0.5rc3

Merge pull request #3436 from nexB/release-prep-v32.0.5rc3

Release prep v32.0.5rc3

v32.0.4

This is a minor bugfix release with the following updates:

• Fixes a performance issue issue arising out of license detection
  on files happening in a single-threaded process_codebase step when the
  license CLI option is disabled for a package scan.
  Reference: #3423

What's Changed

• Fix package scan only performance by @AyanSinhaMahapatra in #3423

Full Changelog: v32.0.3...v32.0.4

v32.0.3

This is a minor bugfix release with the following updates:

• We were missing scancode-toolkit-mini releases from v32.0.0rc2 and
  also the scancode-toolkit release wheels including and after v32.0.0rc2 were
  actually scancode-toolkit-mini releases.
  Reference: #3421

• Updated github actions, for more details see aboutcode-org/skeleton#75

What's Changed

• Fix scancode-toolkit-mini and release prep v32.0.3 #3421 by @AyanSinhaMahapatra in #3422

Full Changelog: v32.0.2...v32.0.3

v32.0.2

This is a minor license update release with:

• new and updated licenses in LicenseDB
• license-expression V30.1.1 with support for the new licenses

What's Changed

• Add new licenses to licenseDB by @AyanSinhaMahapatra in #3414
• Release Prep v32.0.2 by @AyanSinhaMahapatra in #3415
• Add doc redirects by @AyanSinhaMahapatra in #3413

Full Changelog: v32.0.1...v32.0.2