
Releases: nexB/scancode.io

v34.5.0

22 May 14:57
6192657

Changelog

  • Display the current path location in the "Codebase" panel as navigation breadcrumbs. #1158
  • Fix a rendering issue in the dependency details view when for_package or
    datafile_resource fields do not have a value. #1177
  • Add a new CollectPygmentsSymbolsAndStrings pipeline (addon) for collecting source
    symbol, string and comments using Pygments. #1179
  • Work around an issue in cyclonedx-python-lib that does not allow loading
    SBOMs that contain properties with no values.
    Also, a few pre-validation fixes are applied before deserializing the SBOM for
    maximum compatibility. #1185 #1230
  • Add a new CollectTreeSitterSymbolsAndStrings pipeline (addon) for collecting source
    symbol and string using tree-sitter. #1181
  • Fix inspect_packages pipeline to properly link discovered packages and dependencies to
    codebase resources of package manifests where they were found. Also correctly assign
    the datasource_ids attribute for packages and dependencies. #1180
  • Add "Product name" and "Product version" as new project settings. #1197
  • Raise the minimum RAM required per CPU core in the docs.
    A good rule of thumb is to allow 2 GB of memory per CPU.
    For example, if Docker is configured for 8 CPUs, a minimum of 16 GB of memory is
    required. #1191
  • Add value validation for the search complex query syntax. #1183
  • Bump matchcode-toolkit version to v5.0.0.
  • Fix the content of the package_url field in CycloneDX outputs. #1224
  • Enhance support for encoded package_url during the conversion to model fields. #1171
  • Remove the scancode_license_score option from the Project configuration. #1231
  • Remove the extract_recursively option from the Project configuration. #1236
  • Add support for an ignored_dependency_scopes field on the Project configuration. #1197
  • Add support for storing the scancode-config.yml file in codebase.
    The scancode-config.yml file can be provided as a project input, or can be located
    in the codebase/ immediate subdirectories. This allows providing the configuration
    file as part of an input archive or a git clone, for example. #1236
  • Provide a downloadable YAML scancode-config.yml template in the documentation. #1197
  • Add support for CycloneDX SBOM component properties as generated by external tools.
    For example, the ResolvedUrl generated by cdxgen is now imported as the package
    download_url.

Full Changelog: v34.4.0...v34.5.0

v34.4.0

22 Apr 09:30

Changelog

  • Upgrade Gunicorn to the v22.0.0 security release.
  • Display the list of fields available for the advanced search syntax in the modal UI. #1164
  • Add support for CycloneDX 1.6 outputs and inputs.
    Also, the CycloneDX outputs can be downloaded as 1.6, 1.5, and 1.4 spec versions. #1165
  • Update matchcode-toolkit to v4.1.0
  • Add a new function
    scanpipe.pipes.matchcode.fingerprint_codebase_resources(), which computes
    approximate file matching fingerprints for text files using the new
    get_file_fingerprint_hashes function from matchcode-toolkit.
  • Rename the purldb-scan-queue-worker management command to purldb-scan-worker.
  • Add docker-compose.purldb-scan-worker.yml to run ScanCode.io as a PurlDB
    scan worker service.

Full Changelog: v34.3.0...v34.4.0

v34.3.0

10 Apr 16:29
70787ad

Changelog

  • Associate resolved packages with their source codebase resource. #1140

  • Add a new CollectSourceStrings pipeline (addon) for collecting source string using xgettext. #1160

Full Changelog: v34.2.0...v34.3.0

v34.2.0

28 Mar 16:07

Changelog

  • Add support for Python 3.12 and upgrade to Python 3.12 in the Dockerfile. #1138
  • Add support for CycloneDX XML inputs. #1136
  • Upgrade the SPDX schema to v2.3.1 #1130

Full Changelog: v34.1.0...v34.2.0

v34.1.0

27 Mar 11:20

Changelog:

  • Add support for importing CycloneDX SBOM 1.2, 1.3, 1.4 and 1.5 spec formats. #1045
  • The pipeline help modal is now available from all project views: form, list, details.
    The docstrings are converted from markdown to html for proper rendering. #1105
  • Add a new CollectSymbols pipeline (addon) for collecting codebase symbols using
    Universal Ctags. #1116
  • Capture errors during the inspect_elf_binaries pipeline execution.
    Errors on resource inspection are stored as project error messages instead of causing a
    global pipeline failure.
    The problematic resource path is stored in the message details and displayed in the
    message list UI as a link to the resource details view. #1121 #1122
  • Use the package_only option in scancode get_package_data API in
    inspect_packages pipeline, to skip license and copyright detection in
    extracted license and copyright statements found in package metadata. nexB/scancode-toolkit#3689
  • Rename the match_to_purldb pipeline to match_to_matchcode, and add
    MatchCode.io API settings to ScanCode.io settings.
  • In the DiscoveredPackage model, rename the "datasource_id" attribute to
    "datasource_ids" and add a new attribute "datafile_paths". This is aligned
    with the scancode-toolkit Package model, and package detection information
    is now stored correctly. Also update the UI for discovered packages to
    show the corresponding package datafiles and their datasource IDs.
    A data migration is included to facilitate the migration of existing data. #1099
  • Add a PurlDB tab, displayed when the PURLDB_URL setting is configured.
    When loading the package details view, a request is made to the PurlDB to fetch and
    display any available data. #1125
  • Create a new management command purldb-scan-queue-worker, that runs
    scancode.io as a Package scan queue worker for PurlDB.
    purldb-scan-queue-worker gets the next available Package to be scanned and
    the list of pipeline names to be run on the Package from PurlDB, creates a
    Project, fetches the Package, runs the specified pipelines, and returns the
    results to PurlDB. #1078 nexB/purldb#236
  • Update matchcode-toolkit to v4.0.0

Full Changelog: v34.1.0...v34.1.0

v34.0.0

04 Mar 12:30

Changelog:

  • Add ability to "group" pipeline steps to control their inclusion in a pipeline run.
    The groups can be selected in the UI, or provided using the
    "pipeline_name:group1,group2" syntax in CLI and REST API. #1045

  • Refine pipeline choices in the "Add pipeline" modal based on the project context.

    • When there is at least one existing pipeline in the project, the modal now includes
      all addon pipelines along with the existing pipeline for selection.
    • In cases where no pipelines are assigned to the project, the modal displays all
      base (non-addon) pipelines for user selection. #1071
  • Rename pipelines for consistency and precision:

    • scan_codebase_packages: inspect_packages

    Restructure the inspect_manifest pipeline into:

    • load_sbom: for loading SPDX/CycloneDX SBOMs and ABOUT files
    • resolve_dependencies: for resolving package dependencies
    • inspect_packages: gets package data from package manifests/lockfiles

    A data migration is included to facilitate the migration of existing data.
    Only the new names are available in the web UI but the REST API and CLI are backward
    compatible with the old names. #1034 https://github.com/nexB/scancode.io/discussions/1035

  • Remove "packageFileName" entry from SPDX output. #1076

  • Add an add-on pipeline for collecting DWARF debug symbol compilation
    unit paths when available from ELF binaries. nexB/purldb#260

  • Extract all archives recursively in the scan_single_package pipeline. #1081

  • Add URL scheme validation with explicit error messages for input URLs. #1047

  • All supported output_format can now be downloaded using the results_download API
    action providing a value for the new output_format parameter. #1091

  • Add settings related to fetching private files. Those settings allow defining
    credentials for various authentication types. #620 #203

  • Update matchcode-toolkit to v3.0.0

Full Changelog: v33.1.0...v34.0.0

v33.1.0

02 Feb 13:30

Changelog:

  • Rename multiple pipelines for consistency and precision:
    • docker: analyze_docker_image
    • root_filesystems: analyze_root_filesystem_or_vm_image
    • docker_windows: analyze_windows_docker_image
    • inspect_manifest: inspect_packages
    • deploy_to_develop: map_deploy_to_develop
    • scan_package: scan_single_package

    A data migration is included to facilitate the migration of existing data.
    Only the new names are available in the web UI but the REST API and CLI are backward
    compatible with the old names. #1044
  • Generate CycloneDX SBOM in 1.5 spec format, migrated from 1.4 previously.
    The Package vulnerabilities are now included in the CycloneDX SBOM when available. #807
  • Improve the inspect_manifest pipeline to accept archives as inputs. #1034
  • Add support for "tagging" download URL inputs using the "#" section of URLs.
    This feature is particularly useful in the map_deploy_to_develop pipeline when
    download URLs are used as inputs. Tags such as "from" and "to" can be specified
    by adding "#from" or "#to" fragments at the end of the download URLs.
    Using the CLI, the uploaded files can be tagged using the "filename:tag" syntax
    with the --input-file arguments.
    In the UI, tags can be edited from the Project details view "Inputs" panel.
    On the REST API, a new upload_file_tag field is available to use alongside
    upload_file. #708

Full Changelog: v33.0.0...v33.1.0

v33.0.0

16 Jan 17:39
3d676d4

Changelog:

  • Upgrade Django to version 5.0 and drop support for Python 3.8 and 3.9 #1020
  • Fetching "Download URL" inputs is now delegated to an initial pipeline step that is
    always run as the start of a pipeline.
    This allows running pipelines on workers located remotely, external to
    the main ScanCode.io app server. #410
  • Migrate the Project.input_sources field into an InputSource model. #410
  • Refactor run_scancode to not fail on scan errors happening at the resource level,
    such as a timeout. Project error messages are created instead. #1018
  • Add support for the SCANCODEIO_SCAN_FILE_TIMEOUT setting in the scan_package pipeline. #1018
  • Add support for non-archive single file in the scan_package pipeline. #1009
  • Do not include "add-on" pipelines in the "New project" form choices. #1041
  • Display a "Run pipelines" button in the "Pipelines" panel.
    Remove the ability to run a single pipeline in favor of running all "not started"
    project pipelines. #997
  • Fix an issue where the pipeline details cannot be fetched when using URLs that
    include credentials such as "user:pass@domain". #998

Full Changelog: v32.7.0...v33.0.0

v32.7.0

25 Oct 06:24

Changelog

  • Display the Run.scancodeio_version in the Pipeline run modal.
    When possible this value is displayed as a link to the diff view between the current
    ScanCode.io version and the version used when the Pipeline was run. #956

  • Improve presentation of the "Resources detected license expressions" project section. #937

  • Add ability to sort by Package URL in the package list #938

  • Fix an issue where the empty project settings were overriding the settings loaded
    from a config file. #961

  • Control the execution order of Pipelines within a Project. A Pipeline can no longer
    start unless all the previous ones within the Project have completed. #901

  • Add support for webhook subscriptions in project clone. #910

  • Add resources license expression summary panel in the project details view.
    This panel displays the list of licenses detected in the project and includes links
    to the resources list. #355

  • Add the tag field on the DiscoveredPackage model. This new field is used to store
    the layer id where the package was found in the Docker context. #919

  • Add the ability to apply actions, such as archive, delete, and reset, to a selection
    of projects from the main list. #488

  • Add new "Outputs" panel in the Project details view.
    Output files are listed and can be downloaded from the panel. #678

  • Add a step in the deploy_to_develop pipeline to create "local-files" packages
    from from-side resource files that have one or more relations with to-side resources
    that are not part of a package.
    This allows including those files in the SBOMs and attribution outputs. #914

  • Enable sorting the packages list by resource count. #978

Full Changelog: v32.6.0...v32.7.0

v32.6.0

29 Aug 09:59

Changelog

  • Improve the performance of the codebase relations list view to support large numbers
    of entries. #858
  • Improve DiscoveredPackageListView query performance by refining the prefetch_related. #856
  • Fix the map_java_to_class d2d pipe to skip if no .java file is found. #853
  • Enhance Package search to handle full pkg: purls and segment of purls. #859
  • Add a new step in the deploy_to_develop pipeline that tags archives as
    processed if all the resources in their extracted directory are mapped/processed. #827
  • Add the ability to clone a project. #874
  • Improve perceived display performance of project charts and stats on the home page.
    The charts are displayed when the number of resources or packages is less than
    5000 records. Otherwise, a button to load the charts is displayed. #844
  • Add advanced search query system to all list views. Refer to the documentation for details about the search syntax. #871
  • Migrate the ProjectError model to a global ProjectMessage.
    Three severity levels are available: INFO, WARNING, and ERROR. #338
  • Add a label/tag system that can be used to group and filter projects. #769

Full Changelog: v32.5.2...v32.6.0