
Release beta/preview v2.9.2: a beta/preview for the latest develop, before 3.0

@pombredanne pombredanne released this 08 May 15:02
· 8742 commits to develop since this release

This is a stable pre-release of what will come up for 3.0
This has many changes and bug fixes, including improved SPDX license detection, package reporting, additional plugins and more. These are not yet fully documented, but this release is stable and can be used for testing.

Some major changes include:

  • A security fix: support for Rar archive extraction in extractcode has been changed and downgraded to use libarchive instead of 7zip, as a mitigation for a 7Zip vulnerability referenced as CVE-2018-10115 (https://nvd.nist.gov/vuln/detail/CVE-2018-10115). As a result, you may see extraction failures on some Rar archives, since libarchive supports fewer Rar archive formats. When the bug is properly fixed in 7Zip on all OSes, this may be reverted.

  • The package models have been updated significantly and streamlined. They now also use the Package URL (purl) semantics. If you rely on the previous v2.x models and data structures, note that the results of --package scans have changed and are rather improved now. Documentation will come up next.

  • The license detection has been updated in several ways:

    • a new --license-expression option allows returning license expressions (using ScanCode license keys)
    • several licenses have been added, updated or retired after a sync with the latest SPDX license list v3.1 and AboutCode
    • SPDX license identifiers are now detected by the license scan
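
As an added illustration of the Package URL (purl) semantics that the package models now follow (this is example code written for these notes, not ScanCode's own purl implementation): a minimal parser that splits a purl into its type, namespace, name, version, qualifiers and subpath, applies the purl spec's type-specific normalization for pypi and github, and serializes the result back to a canonical string. The sample purls in the `__main__` block are constructed for this example; `parse_purl`, `to_purl` and `is_valid_purl` are hypothetical helper names.

```python
"""Minimal Package URL (purl) parser and canonicalizer.

Hypothetical helper, not ScanCode's own code. It follows the purl spec grammar
    pkg:type/namespace/name@version?qualifiers#subpath
and applies the spec's normalization rules for a few common package types.
"""
import re
from urllib.parse import quote, unquote

# Qualifier keys must be lowercase alphanumerics plus '.', '-' and '_'
_QUALIFIER_KEY = re.compile(r"^[a-z0-9._-]+$")


def _normalize_by_type(ptype, namespace, name):
    """Apply the per-type rules the purl spec defines for some ecosystems."""
    if ptype == "pypi":
        # PyPI names are case-insensitive and '_' is equivalent to '-'
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        # Repository hosts: namespace (owner) and name are case-insensitive
        namespace = namespace.lower()
        name = name.lower()
    return namespace, name


def parse_purl(purl):
    """Return a dict with type, namespace, name, version, qualifiers, subpath."""
    if not purl or not isinstance(purl, str):
        raise ValueError("purl must be a non-empty string")
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.strip().lower() != "pkg":
        raise ValueError("expected 'pkg:' scheme in %r" % purl)
    rest = rest.strip("/")  # leading/trailing slashes are not significant

    # Subpath: split once from the right on '#'; drop '', '.' and '..'
    # segments so a subpath can never point outside the package.
    subpath = ""
    if "#" in rest:
        rest, raw_subpath = rest.rsplit("#", 1)
        parts = [unquote(p) for p in raw_subpath.split("/") if p not in ("", ".", "..")]
        subpath = "/".join(parts)

    # Qualifiers: split once from the right on '?', then key=value pairs on '&'
    qualifiers = {}
    if "?" in rest:
        rest, raw_qualifiers = rest.rsplit("?", 1)
        for pair in raw_qualifiers.split("&"):
            if not pair:
                continue
            key, _, value = pair.partition("=")
            key = key.lower()
            if not _QUALIFIER_KEY.match(key):
                raise ValueError("invalid qualifier key %r" % key)
            value = unquote(value)
            if value:  # a qualifier with an empty value is dropped
                qualifiers[key] = value

    # Version: split once from the right on '@' (an '@' inside an npm scope
    # such as '@angular' is therefore never mistaken for the version)
    version = ""
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)

    # Remaining path: type / [namespace segments...] / name
    segments = rest.split("/")
    ptype = segments[0].lower()
    path = [s for s in segments[1:] if s]
    if not ptype or not path:
        raise ValueError("purl needs a type and a name: %r" % purl)
    name = unquote(path[-1])
    namespace = "/".join(unquote(s) for s in path[:-1])
    namespace, name = _normalize_by_type(ptype, namespace, name)
    return {"type": ptype, "namespace": namespace, "name": name,
            "version": version, "qualifiers": qualifiers, "subpath": subpath}


def to_purl(parts):
    """Serialize parsed components to a canonical purl (qualifiers sorted by key)."""
    out = "pkg:" + parts["type"]
    if parts["namespace"]:
        out += "/" + "/".join(quote(s, safe="") for s in parts["namespace"].split("/"))
    out += "/" + quote(parts["name"], safe="")
    if parts["version"]:
        out += "@" + quote(parts["version"], safe="")
    if parts["qualifiers"]:
        out += "?" + "&".join("%s=%s" % (k, quote(v, safe=""))
                              for k, v in sorted(parts["qualifiers"].items()))
    if parts["subpath"]:
        out += "#" + "/".join(quote(s, safe="") for s in parts["subpath"].split("/"))
    return out


def is_valid_purl(purl):
    """True if the string parses as a purl, False otherwise."""
    try:
        parse_purl(purl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample purls for this example
    for sample in ("pkg:pypi/Django_Rest_Framework@3.9.0",
                   "pkg:maven/org.apache.commons/commons-io@2.6?type=jar#src/main",
                   "pkg:GitHub/NexB/ScanCode-Toolkit@v2.9.2",
                   "pkg:npm/%40angular/core@12.0.0"):
        parsed = parse_purl(sample)
        print(sample, "->", parsed, "->", to_purl(parsed))
```

Two things worth noting in practice: the same package can be written in several surface forms (mixed case, `_` versus `-`, encoded versus bare `@`), so comparing purls from different scanners or SBOMs should be done on the canonical string from `to_purl`, not on the raw input; and the subpath sanitization above is the defensive reading of the spec, which says `.` and `..` segments are to be discarded.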