15.0.0

What's Changed

Breaking Changes 🛠

• ddc09eb refactor(scancode)!: Move default configuration
• 0ec34f7 refactor(scanner)!: Make commandLineOptions private
• 2d6d287 refactor(spdx-utils)!: Move SpdxLicenseChoice out of model

Bug Fixes 🐞

• 4f21bb5 git: Again use the Git CLI to perform the actual reset
• 8472931 git: Do not rely on FETCH_HEAD to list the current branch first
• f5d3c2f node: Deduplicate issue lines before collapsing them
• a234ae5 pub: Do not use the revision from the pubspec.yaml of dependencies

Build 🐘 & CI ⚙️

• d673e1b Only sign when making official releases

Chores 🔧

• 46de195 docker: Re-align SWIFT_VERSION
• 61fbc32 docker: Upgrade Android command line tools to the latest version
• 2f6c6ef docker: Upgrade Go to the latest version
• b58f9d9 exception-mapping: Remove an invalid comment about sorting
• f2a799f scancode: Reorder command line options when running ScanCode
• 681f0bb scancode: Reorder functions for a better overview
• 3ce8889 scancode: Specify the timeout as a duration for convenience
• c0a9b4e Remove Batect as it has become unmaintained

Dependency Updates 🚀

• 195ddb7 Dockerfile-legacy: Update the available Cargo version
• 5012819 update codecov/codecov-action action to v4
• d8bb7e8 update dependency com.github.ajalt.mordant:mordant to v2.3.0
• a053fec update dependency com.networknt:json-schema-validator to v1.3.0
• 7b4f823 update dependency com.networknt:json-schema-validator to v1.3.1
• 8387ed4 update detektplugin to v1.23.5
• 68309b4 update exposed to v0.47.0
• e0fc5a8 update gradle/gradle-build-action action to v3
• 82190b5 update gradle/wrapper-validation-action action to v2
• b3063be update ktor to v2.3.8

Documentation 📖

• 77ff88e Git: Improve some code comments
• f228d98 jenkins: Improve the ORT_FAILURE_STATUS_CODE documentation
• 00cd17a model: Document the impact of the severe threshold properties
• acb8ad4 model: Fix the docs of Hash.create() for blank values
• 3852572 npm: Explain why the severity is only lowered for NPM CLI warnings

New Features 🎉

• d60ac69 docker: Enable multiarch build for amd64 and arm64
• e13c625 exception-mapping: Add Asterisk-exception
• ca7a2bf exception-mapping: Add Autoconf-exception-generic*
• eb108b3 node: Add a new single line warning prefix to support
• 232bc19 pub: Parse source artifacts for hosted packages
• 4af6360 scancode: Add an option to prefer file- over line-level findings

Other Changes 💡

• 2f84a01 Npm: Make mapLinesToIssues() a top-level extension function
• b8dd813 Npm: Move some functions to top-level
• a09afa4 Npm: Rename a few groupLines() variables for clarity
• fd795d3 github: Run functional tests against the snapshot Docker image
• c00cbbc model: Move the constant for the reference configuration file
• 32e0072 npm: Reduce severity of warnings from the output of npm
• 57c3659 pub: Extract a source variable
• a8d6171 scancode: Disregard the output format in scanner configuration
• e8f4e0a scancode: Inline the output format option
• 95dcce2 Introduce a constant for the status code for failures

Performance Enhancements ⚡

• 47da430 spdx-utils: Make the cheap check go first

Tests ✅

• c9d0b74 conan: Update expected results
• 37c0c4d node: Compare deeply nested data classes by YAML representation
• c96a389 node: Update NpmVersionUrlFunTest's lockfile to v3
• edbb3ad e9f36c4 osv: Update expected results
• f471b7b pip: Update expected results
• af7b45b pub: Update expected test results
• c297ec8 pub: Use placeholders for project VCS
• 75e6fb9 scancode: Also assert the number of license findings in a test
• 5364048 spdx-utils: Add a test for semantic matching of given expressions
• 5d7e4d7 spdx-utils: Remove a duplicate test
• 3bd4893 swiftpm: Fix-up a test case name
• 64fd9db swiftpm: Fix-up an expected result filename

Other Changes 💡

• 9bd9454 style(Git): Adjust formatting to ease setting line breakpoints

14.0.0

What's Changed

Breaking Changes 🛠

• 4116d16 refactor(spm)!: Make LibraryDependency a nested class
• a8e5dc7 refactor(spm)!: Make toPackage() an extension function
• 6afed08 refactor(spm)!: Turn toPackage() into an extension function
• 1c42352 refactor(spm)!: Use a better name for AppDependency
• 0289776 refactor(spm)!: Use the term SwiftPm in classes, files and package

Bug Fixes 🐞

• 8deb4b3 gradle-plugin: Take repositories defined in settings into account
• 360dbe1 node: Do not follow cyclic directory links
• 81d11a2 pub: Do not rely on the package name to be present
• 2d909ee scanner: Fix the one-off in the provenance count for the file lists
• 814a298 spm: Ensure identifiers of packages are unique
• 12563d0 swiftpm: Fix the broken requireLockfile check

Build 🐘 & CI ⚙️

• 6d35192 Gradle: Use dashes to group dependencies

Chores 🔧

• 1be19d5 analyzer: Remove an unneeded annotation
• 3a23af5 mailmap: Update some full names
• c6793a6 node: Ensure that package.json is a file

Dependency Updates 🚀

• 309b15d update dependency com.github.ben-manes.versions to v0.51.0
• 7485770 update dependency com.networknt:json-schema-validator to v1.2.0
• 90931c5 update dependency org.jetbrains.kotlinx:kotlinx-html-jvm to v0.11.0
• 1df8a97 update graphqlplugin to v6.6.0
• a95722a update jetbrains/qodana-action action to v2023.3.1

Documentation 📖

• f2316e0 README: Reduce duplication with docs
• 578af02 README: Rename Swift package manager
• 2ec282b analyzer: Rename Swift package manager to SwiftPM
• 559a6ca config: Add forceOverwrite option to reference.yml
• e2371ba gradle-inspector: Improve wording in the README.md
• 1d82e3b gradle-inspector: Reorder sections in the README.md
• b169d6b spm: Improve the KDoc for resolveLibraryDependencies()
• 656da24 spm: Improve the Kdoc for resolveAppDependencies()
• ac87105 website: Add a section about using the official Docker images
• c690d0a website: Enable syntax highlighting for bash code blocks
• 7cb26cf website: Enable syntax highlighting for batch code blocks
• f91408e website: Fix the edit URL
• 0ab9e49 website: Remove Kotlin from the additional languages
• dce9002 website: Update the section about using binary releases

New Features 🎉

• 2f9af0e jenkins: Add a label to link back the the build URL
• 0aaceb1 migrate: Add an option to migrate Pub identifiers
• 2f7723a swiftpm: Gracefully handle unsupported lockfile format
• b9016e3 swiftpm: Support lockfile format version 2

Other Changes 💡

• 1fe54e3 gradle-plugin: Introduce an extension function
• 119de17 migrate: Extract a function to migrate identifiers
• bd860f3 spm: Factor out createPackage()
• 71b23a6 spm: Improve name and KDoc for SpmDependenciesOutput
• 92efeaa spm: Improve readability of a string construction
• 3722643 spm: Inline a toString() function
• 57ec57b spm: Move two properties into a function
• 2910db4 spm: Remove inheritance between model classes
• e2f86e7 spm: Rename the spm module to swiftpm
• a3b09cc spm: Use a better name for resolveAppDependencies()
• 8fa37e7 spm: Use a better name for resolveLibraryDependencies()
• 5b87095 spm: Use an empty namespace for project IDs
• 43faef8 spm: Use better values for Identifier.type
• edb508f swiftpm: Apply a minor code beautification
• 31312ed swiftpm: Extract parseLockfile()
• d9f27bb swiftpm: Move a comment next to the related command
• 9cc7e75 swiftpm: Stop setting the homepageURL also for projects

Tests ✅

• d895de6 osv: Update expected results
• a51fc94 02e2d47 osv: Update expected results
• f88041a python: Update expected results
• 05417b7 a5fedf5 562b368 spm: Update expected results
• a0ea682 swiftpm: Add a lockfile for the synthetic spm-lib project
• 8ed897e swiftpm: Avoid a hard-coded path in test results
• 56d1226 swiftpm: Clarify the functional tests a bit
• bb7f83b swiftpm: Further isolate lockfile-only projects from other ones
• bff12f9 swiftpm: Specify branch name instead of version for one dep
• dfd1cd1 swiftpm: Update expected results

13.0.0

What's Changed

Breaking Changes 🛠

• 4e4c475 refactor(model)!: Simplify constructor of DefaultLicenseInfoProvider
• 3042e35 refactor(reporter)!: Remove ReporterInput.packageConfigurationProvider
• 233eb8b refactor(scanner)!: Remove the Package parameter from scanPackage()

Bug Fixes 🐞

• 488027d cargo: Only read checksum metadata entries as hashes
• e7bdb21 pub: Do not set namespaces for "Pub" packages
• a547788 scanner: Keep the VCS path for a package scanner's reference package
• 1e22bc4 spdx-utils: Correctly determine choices for AND expressions
• 3205ec9 spm: Ensure uniqueness of identifiers for projects
• 59942dc spm: Stop setting the author field for consistency
• 6a8bd94 spm: Stop using the repository name as the name of dependencies

Chores 🔧

• 0a33af9 scanner: Add a closing quote when logging the scanner name

Dependency Updates 🚀

• 89521b5 website: Upgrade to Docusaurus 3.1.0
• 25e1de1 Update the foojay-resolver-convention plugin to version 0.8.0
• 711bdd5 update davidanson/markdownlint-cli2-action action to v15
• d7dbd01 update dependency com.autonomousapps.dependency-analysis to v1.29.0

Documentation 📖

• e0560f3 evaluated-model: Fixup references to resolutions
• 920fd0c helper-cli: Fix-up a copy and paste mistake
• 5dca9cf jenkins: Document that VulnerableCode is enabled by default
• 2cf9032 model: Improve docs for RepositoryProvenance properties
• 00bc82b model: Improve various ProvenanceResolutionResult texts

New Features 🎉

• 0c748f4 composer: Use PackageManager.getFallbackProjectName
• 07d06bb model: Introduce OrtResult.getPackageConfigurations()
• c5671ee pub: Use PackageManager.getFallbackProjectName
• 3f4073f reporter: Use

   block for issue messages

• 2b230b8 website: Integrate tutorial with docs

Other Changes 💡

• 523e898 evaluated-model: Consume package configs via the OrtResult
• 2bf0203 evalutator-command: Include package configs in input OrtResult
• 7754349 list-copyrights-command: Simplify passing on package configs
• 79fcd67 reporter-command: Include package configs in the OrtResult
• be38f7f scanner: Get the nested provenance only once
• 972e24c scanner: Move downloadRecursively() to ProvenanceDownloader
• 3c795a1 spdx-utils: Remove disjunctiveNormalForm()
• 0ea02d6 spdx-utils: Simplify the OR case of validChoicesForDnf()
• dac1854 spm: Stop setting the homepage URL

Tests ✅

• 8bc273e fossid: Align the way to call scanPackage()
• ccb4d67 node: Update expected test results
• 4336048 ort-utils: Add more Copyright symbol tests
• 6ae49d8 osv: Update expected results
• cb47b19 osv: Update expected test results
• 0fb41d1 pub: Update expected test results
• 34046a6 spdx-utils: Add a test for a complex license choice
• 43b446c spdx-utils: Compare choices by string representation
• fad0008 spm: Update expected results
• 7032df2 utils: Improve assertions for the processed statements
• 4d915d6 utils: Use a shorter name for actualResult

12.0.0

What's Changed

Breaking Changes 🛠

• 8bd464f refactor(StatisticsCalculator)!: Stop using resolutionProvider
• 490a641 refactor(model)!: Move PURL-related extension functions to a separate file
• e782ba3 refactor(python)!: Move PYPROJECT_FILENAME to Poetry
• 330646f refactor(reporter)!: Remove ReporterInput.resolutionProvider
• 708afae refactor(scanner)!: Pass the resolved provenance to scanPackage()

Bug Fixes 🐞

• c5109a7 analyzer-command: Resolve repo config correctly if input is a file
• d0301b4 common-utils: Do not extract TAR directory entries as files
• 27e53e2 helper-cli: Fix-up the reason for pattern test_*.c
• 19553b6 model: Correctly en- / decode a VCS subpath to / from PURLs
• bd836a3 node: Strip a trailing "/" before creating globs

Build 🐘 & CI ⚙️

• dfbaa8e Gradle: Do not apply the built-in maven-publish plugin anymore
• 4fc7a39 Gradle: Explicitly set name for buildSrc module
• 4f4def4 Gradle: Reply on default values for publishing coordinates
• e769b0b Gradle: Use type-safe project accessors
• 04c1033 github: Enable auto-release of artifacts from staging to production
• f933760 github: Simplify the release process a bit

Chores 🔧

• 3d911f0 model: Make newly added PURL extension function public
• fe76d2c static-html-reporter: Align YAML assets to use unindented lists

Dependency Updates 🚀

• 0a1065f Update gradle-maven-publish-plugin to version 0.27.0
• a5ed041 update dependency com.github.ajalt.clikt:clikt to v4.2.2
• 86be29e update dependency io.mockk:mockk to v1.13.9
• 41a0b9e update dependency org.apache.logging.log4j:log4j-api-kotlin to v1.4.0
• f9f938b update dependency org.asciidoctor:asciidoctorj to v2.5.11
• d5d0507 update dependency org.slf4j:slf4j-api to v2.0.10
• 2484f24 update dependency org.slf4j:slf4j-api to v2.0.11
• 9c665ce update dependency software.amazon.awssdk:s3 to v2.23.0
• 33eb0df update exposed to v0.46.0
• abcec81 update graphqlplugin to v6.5.7
• 71dc4c4 update jackson to v2.16.1
• fbf5988 update kotlin monorepo to v1.9.22
• c74a28b update log4j2 monorepo to v2.22.1

Documentation 📖

• e1c0651 evaluated-model-reporter: Use imperative mood in function docs
• 515bc73 jenkins: Update the screenshot to include the unstash stage
• ba3220d model: Improve docs for the includedLicenseCategories property
• 98b4026 scanner: Also use the term "wrapper" in the class docs
• 83308a1 scanner: Generally write "scanner-specific" with a dash

New Features 🎉

• 3348189 helper-cli: Add versioneer path exclude generator's patterns
• 71e38b9 jenkins: Add a parameter for an existing analyzer result file
• 3e767e3 model: Add a toPurl() overload that takes PurlExtras directly
• 758fd7a model: Add functions to en-/decode provenance into PURL extras
• fa6943b python: Detect the Python version for Poetry projects

Other Changes 💡

• 21a4085 downloader: Use more specific provenance return types
• bdfff4c evaluated-model: Stop using resolutionProvider
• 901d8c9 fossid: Align the provenance returned if there are issues
• 69fe155 fossid: Do not measure the scan duration twice
• 91335c1 fossid: Inline createSingleIssueResult()
• b189232 fossid: Make issue handling more compact
• 8a9aa9d fossid: Simplify the creation of single issue summaries
• b1dfed0 freemarker: Stop using resolutionProvider
• 0794697 model: Handle UnknownProvenance in toPurlExtras()
• 88e0f29 model: Make OrtResult implement ResolutionProvider
• 1609034 python: Apply default values for inspector options later
• 3a71a70 scanner: Remove findNestedProvenance()
• 71f82f9 spdx-utils: Implement licenses() based on decompose()
• 8679649 static-html: Stop using resolutionProvider

Tests ✅

• 4ba9271 conan: Update expected results
• a677430 python: Import the PYPROJECT_FILENAME constant
• 2320258 reporter: Add issue resolutions to all test assets
• a7f21df reporter: Include all resolutions also in resolved config
• 36e82ba e3616ec a51be8e spm: Update expected results
• 42bf356 spm: Update expected test results

11.0.0

What's Changed

Breaking Changes 🛠

• c08a624 refactor(model)!: Improve ResolutionProviders getter names
• 6c5ef66 refactor(model)!: Improve the name of a couple of setters
• 8a60d67 refactor(model)!: Make use of getResolutions() in several functions
• 4ac3106 refactor(model)!: Use a more specific name for getResolutions()

Bug Fixes 🐞

• 96d87c0 vulnerable-code: Fixup another case of wrong URL escaping

Build 🐘 & CI ⚙️

• d168e88 Gradle: Remove the docsHtmlJar task
• 4629bd7 Gradle: Rename catalog entries that are actually plugins
• d082b92 Gradle: Rename the docsJavadocJar task to javadocJar
• bae6ef3 Gradle: Use the gradle-maven-publish-plugin for publishing
• 07f9efb github: Disable the Gradle daemon globally in always the same way
• 4115c37 github: Use the new publishing mechanism in the release workflow

Chores 🔧

• 979847b commands: Deprecate the --skip-excluded options
• 2ac0dfe downloader: Improve the log message for Cargo VCS handling

Dependency Updates 🚀

• 8fa33e6 update dependency com.networknt:json-schema-validator to v1.1.0
• 97763c0 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.10
• fe994d7 update dependency software.amazon.awssdk:s3 to v2.22.0

New Features 🎉

• 58ceee7 model: Introduce OrtResult.getResolutions()
• cd8e1bf ort-utils: Find names even if the version has an (ignorable) suffix

Other Changes 💡

• 759e542 helper-cli: Remove getUnresolvedRuleViolations()
• c9fdf41 model: Make resolveResolutions() an extension function
• f15ba6b reporter-command: Include all resolutions in the OrtResult

Tests ✅

• 9e4d666 carthage: Make the test independent of the GitHub org ORT is hosted
• 10c0362 evaluated-model: Include all resolutions also in resolved config
• f70df1d spm: Update expected results
• e1803f0 vulnerable-code: Improve the test by verifying URI creation

10.0.0

What's Changed

Breaking Changes 🛠

• ce6839d refactor(reporter)!: Use default interface implementations to reduce code

Bug Fixes 🐞

• 7aa4895 GoMod: Stop crashing with NoSuchElementException
• 5e82e20 asciidoc-reporter: Use monospaced text without "nested formatting"
• e5e0f3f evaluator: Apply excludes before lookups in the OSADL matrix
• fed0cd3 evaluator: Apply repository license choices to the project
• 6a7d63d reporter: Do not take blank license texts
• 57f85f0 reporter: Fix a potential failure in the FossID snippet report
• 686f953 reporter: Process only valid scancodes in FossIdReporter

Chores 🔧

• 41e559c asciidoc-reporter: Remove an unused test asset
• e6adeec docker: Upgrade Swift to the latest version
• 7092afb scancode: Align JSON assets to have a trailing newline

Dependency Updates 🚀

• ab808c9 update dependency com.autonomousapps.dependency-analysis to v1.28.0
• 25361dd update dependency com.networknt:json-schema-validator to v1.0.88
• 064cf50 update github/codeql-action action to v3
• 664e89c update jetbrains/qodana-action action to v2023.3.0
• 9b3349d update ktor to v2.3.7

Documentation 📖

• 4111605 cli: Distribute a README.md to show where to put plugins
• 3d78d64 go: Fix an obsolete code comment
• 706ee15 model: Improve the wording of IssueListConverter's documentation
• 221cad8 Clarify that repository license choices also apply to projects
• c63f489 Fix-up the KDoc for DefaultResolutionProvider.create()
• f7406d9 Improve the KDoc for getOpenIssues()

New Features 🎉

• 7e1f3a8 Fossid-webapp: Increase the read timeout for listMatchedLines
• eaa29e5 fossid-webapp: Make the comment of a project optional
• 1109a7a jenkins: Allow to mix OSADL matrix and configured rules
• bf1b032 model: Associate licenses and exceptions from the same expression
• d5548c3 scancode: Get the key to ID mapping without --license-references

Other Changes 💡

• 4ad17d3 go: Align a function name with upstream terminology
• 4aa865f go: Drop some unused obsolete code
• c04c3ee model: Make a function signature a bit more speaking
• e0e02ce Use SPDX constants in more places

Tests ✅

• b7f5a38 go: Add () to function names in test case names
• 81aee12 scancode: Test license mapping without license references

9.0.0

What's Changed

Breaking Changes 🛠

• 247b046 refactor(scancode)!: Make parseScanResult(JsonElement) private

Bug Fixes 🐞

• 374b4a0 command: Drop an obsolete scanner command option
• ba66567 commands: Avoid a duplicate plural "s" in the summary sentence
• 281a854 integrations: Re-generate shell completions
• f16bf59 integrations: Re-generate shell completions
• 849f987 node: Default to NPM if there is no indication for any Node manager
• 8e1ec1d node: Do not crash on projects that do not set a version
• f99e2ed node: Rewrite manager detection to solve issues
• b6f6bc5 scancode: Fix the broken file paths in mapped timeout errors

Build 🐘 & CI ⚙️

• a951533 github: Disable parallelization when publishing

Chores 🔧

• a464678 Jenkinsfile: Remove the VULNERABLE_CODE_API_KEY parameter
• bec02fd cli: Make properties come before functions and classes
• 161acdd detekt: Remove an exception for an unused wildcard import
• 7aac204 jenkins: Omit empty string default values
• f9d1124 reporters: Improve log wording about the generated (temporary) file
• ff9e1cf scancode: Make the internal timeout constant private
• b3c98bb spdx: Give more context in require checks

Dependency Updates 🚀

• 7fbd47f gradle-inspector: Again use current Gradle's tooling API version
• e86a1b9 Update kotlinx-serialization to version 1.6.2
• fd8fc8e update actions/setup-python action to v5
• 5af7043 update dependency ch.qos.logback:logback-classic to v1.4.14
• 99b0f86 update dependency com.autonomousapps.dependency-analysis to v1.27.0
• 33be29a update dependency net.sf.saxon:saxon-he to v12.4
• 36e8138 update dependency org.jetbrains.kotlinx:kotlinx-html-jvm to v0.10.1
• 894a29e update dependency org.postgresql:postgresql to v42.7.1
• 8c4879c update jetbrains/qodana-action action to v2023.2.9
• f898d75 update jgit to v6.8.0.202311291450-r
• bff2d01 update maven to v3.9.6

New Features 🎉

• 53a8dd3 helper-cli: Add two patterns to path exclude generation
• eb93dd5 jenkins: Allow to use a custom scanner from a plugin
• 81b3130 jenkins: Show the active configuration to ease debugging
• 521640b model: Add the property Issue.affectedPath
• 5839604 model: Adhere to Issue.affectedPath when filtering a summary
• 4d532d8 model: Enable Issue.affectedPath also for older scan results
• 0033123 scancode: Relax precondition for mapping timeout issues
• 27bc117 scancode: Set Issue.affectedPath for timeout errors

Other Changes 💡

• 67297b2 config: Align on setting "skip excluded" in the config
• e14dc23 scancode: Move toSummary() to ScanCodeResultModelMapper
• da463b8 scancode: Move mapping of scan errors into toSummary()
• d6f39ce scancode: Use a more generic name for ScanCodeErrorMappers

Tests ✅

• f073323 conan: Update expected results
• 69ab754 model: Add a test for ScanSummary.filterByPaths()
• 91d07c2 scancode: Factor out getAssetFile()
• 97c121e scancode: Include timeout errors in the assets for output formats
• 51d7faf scancode: Remove some redundant variable definitions
• 7cc5e49 scanner: Never read or write stored results for the "Dummy" scanner
• d9b1f8d scanner: Simplify filtering files
• 9b26515 scanner: Use NOASSERTION instead of NONE for dummy findings
• 84d2f6d 46816a5 0a2ca2c cc92894 spm: Update expected results
• 55e226f vulnerable-code: Also assert issues to be empty
• 4bf0241 vulnerable-code: Always enable the test, even without an API key

Other Changes 💡

• bd6d9ec Revert "chore(jenkins): Omit empty string default values"
• 58f1155 style(vulnerable-code): Unwrap lines that do not need wrapping

8.0.0

What's Changed

Breaking Changes 🛠

• 1be48b4 chore(reporter)!: Reduce the visibility of ReportTableModel
• eb0e6f1 chore(reporter)!: Remove the unused SummaryTable
• b76b7a7 refactor(plugins)!: Move all ALL properties to Plugin implementations
• 89aaf0c refactor(reporter)!: Move ReportTableModel to the static HTML plugin

Bug Fixes 🐞

• a1ea611 compare-command: Fix the program exit codes
• f1abea1 helper-cli: Fix two issues with listing licenses
• eadf828 helper-cli: Remove package.json from path exclude generator

Chores 🔧

• 62a3bc5 mailmap: Add another email to map list
• 94defb1 node: Improve formatting of a code comment
• e4d894b node: Remove an unnecessary capturing group

Dependency Updates 🚀

• d785b4f Dockerfile-legacy: Update the the available Cargo version
• 4503fcc Gradle: Update the detekt plugin to version 1.23.4
• bd2d37d docker: Upgrade Cargo to the version available in Ubuntu Jammy
• 2bdec8f Update the Maven resolver to version 1.9.18
• 123984a update actions/setup-java action to v4
• c73f351 update davidanson/markdownlint-cli2-action action to v14
• 5bb6a68 update dependency ch.qos.logback:logback-classic to v1.4.12
• 52985f6 update dependency ch.qos.logback:logback-classic to v1.4.13
• a66bf0e update dependency com.github.jmongard.git-semver-plugin to v0.11.0
• 956d12e update dependency gradle to v8.5
• 5fca795 update dependency org.jetbrains.exposed:exposed-dao to v0.45.0
• 6d43649 update kotlin monorepo to v1.9.21

Documentation 📖

• 4a1e0b2 ADOPTERS: Slightly improve the wording for Cariad
• b742da7 compare-command: Add / improve some code comments
• 77d8804 plugins: Align documentation for the ALL properties

New Features 🎉

• aff3519 CompareCommand: Add the SEMANTIC_DIFF as a new compare method
• 4cfab70 CompareCommand: Implement custom deserializer
• d591aec compare-command: Make the context size configurable via an option
• 2107657 helper-cli: Extend path exclude generator by a couple of patterns
• 738790c jenkins: Allow to set arbitrary environment variables
• 7ad4e31 requirements: Add an option to toggle listing plugins and commands
• 1dcb1ff requirements: Also list all found ORT plugin implementations
• eb6e82f scanner: Teach package scanners about all packages covered by a scan

Other Changes 💡

• a1ccc6d CompareCommand: Move the deserialization out of the when
• 19bfbe0 VersionControlSystem: Implement the Plugin interface
• 777b1ff compare-command: Move an enum classs closer to its use
• a1bb32d compare-command: Rename deserializer to mapper
• 1dbed2e helper-cli: Adjust return type of getScannedProvenance()
• f887133 helper-cli: Use a more speaking name for getProvenance()
• de5027e node: Split out code to detect the right Node package manager
• 5d2fb19 reporter: Make map() take ReporterInput as param
• 1d2d88a reporter: Simplify obtaining a package or project
• 6bc8c31 requirements: Factor out getting plugins by type
• 8c91864 requirements: Further separate detecting from printing versions
• 805a6e7 requirements: Split out long code to functions

Performance Enhancements ⚡

• a176fc5 requirements: Limit scanning to sub-types

Tests ✅

• 6eeb729 compare-command: Add a functional test for the text diff method
• 6c90a2e conan: Update expected results
• 18f9318 node: Add tests for remaining support functions
• 89c3ed6 osv: Update expected results
• 665aa87 requirements: Add a test for core plugins to be found

Other Changes 💡

• f563d2a style(Jenkinsfile): Fix a string parameter's indentation
• 1fe0eb5 style(fossid): Remove some named arguments
• cdd3993 style(reporter): Use a shorter name for packageforId

7.1.0

What's Changed

Bug Fixes 🐞

• a9bd271 analyzer: Support uppercase-letters in Go module version
• 5334b19 helper-cli: Use the "pluginClasspath" approach to bundle plugins
• acda964 jenkins: Align Java's user.home with HOME
• fced3d8 jenkins: Limit the credentials type to the supported type
• 49b66c9 opossum: Get license texts via the provider
• 45e1e63 spdx: Add the missing OTHER relationship
• 40630f4 spdx: Add the missing snippet ranges
• e8d9c53 spdx: Do not allow the snippet name to be blank
• b9c038e Remove any YAML front matter from ScanCode license files

Build 🐘 & CI ⚙️

• 54f72d9 Align on tools from .versions also for the build / test workflow

Chores 🔧

• b76ae85 adopters: Officially add Cariad to the list
• 0557aeb docker: Extract .NET version to a variable
• a07f3d6 docker: Upgrade Android Command line tools to the latest version
• 0818afb docker: Upgrade Poetry to the latest version
• 6d72e44 github: Remove the duplicate Batect wrapper validation
• 333d1d7 jenkins: Use the name ignored for an ignored exception
• a2d87c6 mailmap: Map to Mikko's Double Open email address
• 0bf2b1a ort-utils: Add a debug log if a netrc file has not been found
• e4b018b ort-utils: Add more environment variables relevant for debugging
• 2ce1460 reporter: Remove unnecessary braces
• 22b5c1f scanner: Trivially improve the wording of log messages
• fb37893 Improve and align the wording for non-SPDX licenses in info fields

Dependency Updates 🚀

• 6bf2206 evaluator: Update the OSADL matrix
• 2f7d381 Update Apache commons-compress to version 1.25.0
• 1a7c848 Update the Maven resolver to version 1.9.17
• 5f43743 update dependency com.github.ben-manes.versions to v0.50.0
• 8884e0f update dependency com.icegreen:greenmail to v2.0.1
• 9222331 update dependency org.postgresql:postgresql to v42.7.0
• ed6b029 update dependency org.springframework:spring-core to v5.3.31
• 5005851 update log4japi to v2.22.0

Documentation 📖

• b89610f jenkins: Clarify that the credentials type should be for HTTP
• 29f9aef Add Double Open to the NOTICE file
• 23a8136 Document setting metadata about a package's authors
• 4b2d663 trim trailing spaces in package-curations.md

New Features 🎉

• c64efc7 docker: Make Android SDK version a build arg in Dockerfile-legacy
• 8e22723 evaluator: Also print the rules used as part of configuration
• 1098569 helper-cli: Add 'annotationProcessor' to scope exclude generation
• ec49977 helper-cli: Add 'lombok' to scope exclude generation
• 1e4a20c jenkins: Allow to specify a VCS path for configuration
• 623b2fa model: Sort the detected license mapping during serialization

Refactorings 🚜

• 8b44818 docker: Rename ANDROID_SDK_VERSION
• f42b72d evaluator: Rename a variable according to its type
• 8880747 reporter: Drop an also
• caedab1 reporter: Simplify computing isRowExcluded
• a8511d9 static-html: Relocate some functions / constant
• bddecf4 utils: Move ORT directory properties to Environment
• adaf89c Move the SPDX <-> Conan resolution test to the SPDX project

Tests ✅

• 5cddcaa cli: Reduce an expected result to the intended scope
• 448a8bb f5c5f7d 67194c5 spm: Update expected results
• a9594cb Fixup the user home directory also when running tests (in Docker)
• 8a50ca7 Run CLI functional tests outside of Docker

Other Changes 💡

• 8bf89ad Revert "chore(stack)!: Temporarily disable Stack in Dockerfile-legacy and tests"
• 04b33b3 style: Omit trailing dots from some NOTICE parties

7.0.0

What's Changed

Breaking Changes 🛠

• a455329 feat(reporter)!: Support secrets in reporter options
• bd03101 feat(scanner)!: Pass properties to configure storage usage to wrappers
• cc7d534 refactor(PackageCurationData)!: Drop support for legacy property name
• 72cbc73 refactor(maven)!: Make some class members private
• a552258 refactor(maven)!: Make the container property private
• 13564f9 refactor(scanner)!: Use ScannerWrapperConfig in factory
• 801948f refactor(vcs)!: Make all WorkingTree implementations internal

Bug Fixes 🐞

• f1c5959 docker: Base image should not refer itself
• bb742aa docker: Bump up The Node.JS version in another place
• 528e5c7 docker: Match docker scripts to upstream image naming
• 6ce0978 docker: No build or publish in pull_request events
• a21905e docker: Stop accidentally skipping component image builds
• 5a21932 helper-cli: Fix an issue with listing licenses
• 05d8acc node: Allow deserializing empty pnpm-workspace.yaml files
• 552b0e2 Add advisor plugins to the plugin classpath for distribution

Build 🐘 & CI ⚙️

• 272b508 git: Explicitly add transitive Jackson dependencies
• c9a730b git: Split out the jgitSshApache dependency
• 400e9ef Move all VCS plugins to separate Gradle projects

Chores 🔧

• 059190d docker: Align the Pip version with Dockerfile
• cec3ec7 docker: Avoid the use of tee if stdout is not needed
• d0f67e2 docker: Rename output of custom Dockerfile
• 343d2ff docker: Upgrade CocoaPods to the latest version
• 5dd26aa docker: Upgrade Conan to the latest 1.x version
• 1599731 docker: Upgrade Pipenv to the latest version
• ccabd1f docker: Upgrade SBT to the latest version
• 16ff51f docker: Upgrade ScanCode to the latest version
• 595261c docker: Upgrade Yarn to the latest 1.x version
• ab87104 docker: Upgrade Pipto the latest version
• cb68cb0 docker: Upgrade pnpm to the latest version
• 876c1d4 docker: Upgrade the Haskell Tool Stack to the latest version
• 9079062 mailmap: Use Thomas's personal email address
• 1223273 maven: Add an import to resolve a KDoc reference

Dependency Updates 🚀

• 6556366 git-repo: Upgrade to the latest stable git-repo release
• 45fbb1a update dependency com.autonomousapps.dependency-analysis to v1.26.0
• d44c243 update jackson to v2.16.0
• ae8e4db update kotlinxserialization to v1.6.1

Documentation 📖

• 1fa6529 README: Fix further broken links
• 551c79f README: Fix the link to version control system implementations
• 551b68b README: Remove a broken link for the Notifier bullet point
• eccf170 scanner: Fix a typo
• bd4e1c7 scanner: Improve logging for packages with incomplete scan results

New Features 🎉

• cd323ab docker: Change naming default and unify docker files
• 8d7b82d docker: Rename images to agreed names
• f06a4ac helper-cli: Extend path exclude generator by a couple of patterns
• 1534d39 helper-cli: Improve the output of list licenses command
• dcd3b19 helper-cli: Re-filter scan summary by VCS path
• 2147b4f osv: Add the missing handling for the Hackage ecosystem
• 4d5b611 reporter: Read FossID credentials from secrets
• 937e4fb scanner: Add a class to hold the common scanner wrapper config
• ab27a19 scanner: Add properties to configure storage usage
• 87db6d4 scanner: Use the new properties that configure scan storage usage

Refactorings 🚜

• 7eb2ffe analyzer: Port Java's walkFileTree() to Kotlin's walk()
• 17f3ad1 maven: Operate on sets of repositories
• 4c940af plugins: Do not hard-code dependencies on Git
• f93e651 scanner: Move ScanResult.filterByVcsPath() to utils

Tests ✅

• 1622397 fossid: Mock the abstract VersionControlSystem instead of Git
• 0a8dcb7 node: Make the empty pnpm-workspace.yaml be well-formed YAML
• a702a3c osv: Fix the assertion for ecosystem support
• 65125cb osv: Improve package list for supported ecosystems
• 150530c 9d29e6d osv: Update expected results
• f514519 scanner: Improve tests for ScannerWrapperConfig
• 4771276 spm: Update expected results
• fc47411 Run analyzer functional tests outside of Docker

Other Changes 💡

• befe8c0 style(scanner): Remove a redundant empty line