17.0.0

What's Changed

Breaking Changes 🛠

• 0abc6a2 chore(common-utils)!: Remove the unused ByteArray.unpackZip() function
• 521782d refactor(spdx-utils)!: Let compound expressions have multiple children

Bug Fixes 🐞

• 3355b85 fossid-webapp: Add a version check in waitDownloadComplete
• f63e655 fossid-webapp: Add license category property to identified files
• 6a97e85 fossid-webapp: Add missing license category
• 00b02e1 fossid-webapp: Filter snippets with invalid match types earlier
• eed25cf fossid-webapp: Replace version comparison with Semver
• 6d04874 gradle: Bump the SPDX license list version to 3.23
• 1d86e6f model: Fix license / exception association for complex expressions
• b2eeb35 npm: Improve the npm view based fallback logic

New Features 🎉

• e831921 RepositoryConfiguration: Add support for snippet choice
• 71d94ec fossid-webapp: Remove chosen snippets from snippet findings
• d319fa9 fossid-webapp: Remove not relevant snippets from snippet findings
• fbc6489 reporter: Add snippet choice examples to the snippet report
• 4e0b6a1 scanner: Expose the snippet choices to the scanner
• 8e6c96c spdx-utils: Prevent creating invalid compound expressions

Build 🐘 & CI ⚙️

• 3d802aa Docker: Upgrade Cargo to the version available in Ubuntu 22.04
• d1c4e0e Gradle: Force color for the run task if the terminal supports it
• 454135c Gradle: Improve enforcing terminal color
• bbd71db Gradle: Simplify the declaration of detekt plugins
• 5d12d9b github: Let Detekt also check main with type resolution
• 3297051 github: Let Detekt also check testFixtures with type resolution
• 3c20400 github: Run Detekt with type resolution in a separate step
• a72e907 gradle: Apply a minor code simplification
• 72ab654 gradle: Exclude generated code from Detekt checks
• 6489dab gradle: Fix alphabetic sorting of dependencies

Chores 🔧

• dd58b4b fossid-webapp: Move test utility functions to a TestUtils file
• e62e68b package-managers: Simplify some set constructions
• b1d0bcd python: Use just listOf() for non-nullable types
• de60539 sbt: Move static private entities to the top level
• 55e08aa sbt: Remove a superfluous absoluteFile conversion
• 8936311 scanoss: Add an explicit type to avoid a warning
• ba46f52 spdx-utils: Upgrade the SPDX license list to version 3.23
• 84b9e1f Suppress several warnings about unsafe calls on nullable types
• 4036d3c Use .orEmpty() in more places

Dependency Updates 🚀

• 05ed888 update dependency ch.qos.logback:logback-classic to v1.5.1
• bcb2d33 update dependency com.github.jmongard.git-semver-plugin to v0.12.5
• 02c967d update dependency de.undercouch.download to v5.6.0
• 65d0e72 update dependency io.mockk:mockk to v1.13.10
• d14c144 update dependency org.wiremock:wiremock to v3.4.2
• b1b9161 update exposed to v0.48.0

Documentation 📖

• 792ca26 model: Clarify the associateLicensesWithExceptions() documentation
• 9e0f7f6 spdx-utils: Update class documentation with valid links
• bca56db vulnerable-code: Document the read timeout option

Performance Enhancements ⚡

• 37d9523 common-utils: Redirect to a byte stream instead of a file

Refactorings 🚜

• 1216335 node: Restructure parseNpmVcsInfo() to use an early return
• 52effe5 sbt: Refactor moveGeneratedPom() to log in the caller
• 52ee940 spdx-utils: Make SpdxCompoundExpression take a Collection
• 49ac14d spdx-utils: Make a SpdxCompoundExpression constructor public
• 036a576 Migrate from custom kotlinx-serializers for Java types to ks3

Tests ✅

• e1214f6 common-utils: Make RedirectionTest a bit more strict
• 5713ab0 fixtures: Fix analyzer formatting issues
• 1e5d102 fixtures: Fix the analyzer package name
• 12f41c2 fixtures: Fix the scanner package name
• 331ce5e fixtures: Remove receivers from functions that do not require it
• 320bb7c model: Assert multiple assertions in a test case softly
• eb5c266 node: Align the names of the result variables in fun tests
• f62b6b9 osv: Make the test resilient WRT trailing slashes in URLs
• 0d44726 osv: Update an expected result
• 2a75dce osv: Update expected results
• f44b0bd scanner: Remove an unused property
• 835d1c7 spdx-utils: Improve names of helper functions
• 29507ae spdx-utils: Remove obsolete tests

16.0.0

What's Changed

Breaking Changes 🛠

• b4675eb refactor(model)!: Rename a boolean HashAlgorithm property
• 4cda5b4 refactor(scanner)!: Align provenance storages on write instead of put

Bug Fixes 🐞

• 263b64d downloader: Handle IOExceptions during a file existence ping
• 64ece6e gradle: Unquote JVM args before forwarding them to Gradle
• 25c9790 gradle-inspector: Ignore zero by size artifact archive files
• d30e302 scanner: Catch a DownloadException instead of IOException
• 141be6e subversion: Throw IOException instead of DownloadException

New Features 🎉

• 7701382 HashAlgorithm: Add empty value constants for empty input
• 44fba5e helper-cli: Add a command to delete stored provenance by package id
• 64ddf2a scanner: Add delete functionality to storage interfaces
• a22360a scanner: Log the configured provenance storages

Build 🐘 & CI ⚙️

• 8fa603c Docker: Upgrade Cargo to the version available in Ubuntu 22.04
• ab4b104 Gradle: Enable the configuration cache for faster builds
• 2ea20c9 Gradle: Use conventions to opt-in to ExperimentalSerializationApi
• b83fe67 Gradle: Use older syntax for an enum's entries
• ae01aa8 github: Disable the Gradle configuration cache when releasing
• 563459b github: Pass a token to Codecov

Chores 🔧

• 78ea000 NOTICE: Add Robert Bosch GmbH to the NOTICE file
• 918a73d NOTICE: Update the Bosch.IO GmbH contribution year
• 2300487 cyclonedx: Disable Base64-encoding of license texts
• 550f922 docker: Upgrade Go to version 1.22.0
• 2cb5ad7 examples: Add a missing dot to a rule violation message
• 2fe4915 gradle: Align JVM args mapping code with GradleInspector
• bc88ad9 gradle-inspector: Use lambda-syntax for a log statement
• 5a72163 mailmap: Use Martin's new Bosch address
• 5d77dd3 scanner: Wrap a string differently to avoid a string interpolation

Dependency Updates 🚀

• db15d0c Update kotlinx-coroutines to version 1.8.0
• 78c5712 Update the native-gradle-plugin to version 0.10.1
• ea88ee8 update dependency ch.qos.logback:logback-classic to v1.5.0
• 70cc2e1 update dependency com.github.jmongard.git-semver-plugin to v0.12.4
• 44fc219 update dependency com.networknt:json-schema-validator to v1.3.3
• 659b302 update dependency org.apache.commons:commons-compress to v1.26.0
• bf5661b update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.13
• 90083ca update dependency org.jruby:jruby to v9.4.6.0
• 3e9ad25 update dependency org.postgresql:postgresql to v42.7.2
• 0fb4375 update dependency org.springframework:spring-core to v5.3.32
• 3f8415c update dependency org.wiremock:wiremock to v3.4.0
• 24c029f update dependency org.wiremock:wiremock to v3.4.1
• 3643954 update kotlinxserialization to v1.6.3
• 7d6c642 update log4j2 monorepo to v2.23.0

Documentation 📖

• a6ad62b spdx: Consistently refer to patch-level version 2 of SPDX 2.2

Performance Enhancements ⚡

• 13d7611 downloader: Return early from archive download for an empty revision

Refactorings 🚜

• 764e284 gradle-inspector: Remove an unused function parameter
• efc2310 gradle-inspector: Simplify check for zero byte artifacts
• fed338e ort-utils: Extract common request builder code
• 4b7573e ort-utils: Remove some superfluous apply statements
• 0698175 package-managers: Trivially improve size > 0 checks
• 66202ad Take empty value constants for hashes into use in various places
• 0374af1 Use Kotlin's Base64-encoding

Tests ✅

• caa22c8 HashAlgorithm: Use a WordSpec to group tests
• 389ee60 1a7ac5f osv: Update expected results

Other Changes 💡

• 1ea5f37 Revert "fix(common-utils): Do not extract TAR directory entries as files"
• 58332a0 revert(docker): Revert "Upgrade Go to version 1.22.0"

15.3.0

What's Changed

Bug Fixes 🐞

• a547091 askalono: Correctly handle errors in results
• 9fb12a9 model: Use the correct class for log output
• 39b3a0f spdx-utils: Do not test for sub-expressions based on strings
• 875108b spdx-utils: Make single expressions sub-expression of themselves
• acb7fe6 sw360: Do not use a path as the temp dir infix
• 0c64591 swiftpm: Drop an unnecessary function call
• 9e94eb5 swiftpm: Ignore "unspecified" versions
• 9f2f094 swiftpm: Make PinV2.toVcsInfo adhere to kind
• 14dc179 swiftpm: Remove the assumption that the lockfile always exists
• e1781aa swiftpm: Simplify PinV2.toVcsInfo()

New Features 🎉

• 8efc8ee helper-cli: Add scope exclude patterns for debug builds (Gradle)
• 6b99276 helper-cli: Generalize the scope exclude pattern for kapt
• bd0371f jenkins: Add optional parameters to install plugins from another job
• e8e68aa jenkins: Allow to pass Docker build arguments as job parameters
• 8819ac9 jenkins: Allow to specify an input path within the repository
• 8cb1a79 spdx-utils: Add a new SPDX expression parser implementation
• 41e6f98 spdx-utils: Take the new parser implementation into use

Build 🐘 & CI ⚙️

• d3ec5fb Gradle: Enable the configuration cache for faster builds
• 283dc6d github: Disable the Gradle configuration cache when releasing
• 5a17d05 web-app-template: Explicitly depend on a task's output files
• ea104df web-app-template: Remove manual task caching logic

Chores 🔧

• 9bab90a Gradle: Remove a work-around for the SemVersioning plugin
• b47c3d4 NOTICE: Update the Double Open Oy contribution year
• 2e3b5f1 NOTICE: Update the EPAM Systems, Inc. contribution year
• e64db59 askalono: Allow results and errors both to be present
• 4c73645 spdx-utils: Remove ANTLR parser
• 18fa677 Remove logging source overrides where not needed

Dependency Updates 🚀

• 46ecd08 Docker: Upgrade python-inspector to version 0.11.0
• e4cd566 evaluator: Update the OSADL license compliance matrix
• 8d5a305 spdx-utils: Add a test dependency on kotest-framework-datatest
• 266d628 update dependency com.autonomousapps.dependency-analysis to v1.30.0
• e069ba1 update dependency com.github.jmongard.git-semver-plugin to v0.12.0
• e80c5b1 update dependency com.github.jmongard.git-semver-plugin to v0.12.2
• e45f1d5 update dependency com.github.jmongard.git-semver-plugin to v0.12.3
• 32751d4 update dependency dev.adamko.dokkatoo:dokkatoo-plugin to v2.1.0
• 4e3b23f update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.12
• 5c5eae4 update dependency software.amazon.awssdk:s3 to v2.24.0

Documentation 📖

• 0264f7f analyer-command: Align with simpler wording from Jenkinsfile
• cf6fbb2 model: Improve ResolvedLicense docs
• b5e6dff spdx-utils: Correct a double "not not" in an exception message

Other Changes 💡

• 959902c jenkins: Move getting Docker build arguments to a function
• da63723 spdx-utils: Move normalize() tests to a dedicated block
• 5ca5643 spdx-utils: Move tests out of SpdxExpressionParserTest
• a28b0d7 spdx-utils: Prefer toSpdx() over SpdxExpression.parse()

Tests ✅

• c23c9d8 osv: Update an expected result
• ea6140a spdx-utils: Add a test for isSubExpression()
• 0d6b0bf spdx-utils: Move parsing of constants also to the parse() block
• de7247d spdx-utils: Move testing toString() to the bottom
• 08d58bd spdx-utils: Rename a block of tests after the function
• 7b6537d swiftpm: Consistently use \<REPLACE_DEFINITION_FILE_PATH>
• dca2be0 swiftpm: Test analyzing a definition file without deps
• 74e99df swiftpm: Trivially simplify a create() call
• 03c14c3 vulnerable-code: Add a test for a Commons-Compress CVE

Other Changes 💡

• 6c9c5de Revert "build(Gradle): Enable the configuration cache for faster builds"
• 1a53592 Revert "build(github): Disable the Gradle configuration cache when releasing"
• 38187ca revert(docker): Disable arm64 build
• 884a073 style(jenkins): Move a function below variable declarations

15.2.0

What's Changed

Bug Fixes 🐞

• e876f30 swiftpm: Remove an invalid fallback for the VCS revision
• 4af96e3 vulnerable-code: Correct an URL escape fixup case
• 6ec2a31 vulnerable-code: Fixup yet another case of wrong URL escaping

Chores 🔧

• d602075 pub: Directly specify the hash algorithm as it is known
• 4f8cb5e vulnerable-code: Log details about the error cause of an issue

Dependency Updates 🚀

• 7f60160 Dockerfile-legacy: Update the available Cargo version
• 5b63a3f Update the native-gradle-plugin to version 0.10.0
• 35bcb54 update dependency com.networknt:json-schema-validator to v1.3.2
• 2e2cf95 update dependency gradle to v8.6
• ae3da69 update dependency org.slf4j:slf4j-api to v2.0.12

Documentation 📖

• 5213ce3 common-utils: Say that hex digits are returned lowercase
• ca14861 swiftpm: Fix-up a TODO comment

New Features 🎉

• 90e9d36 jenkins: Add a parameter to skip excluded scopes and paths
• 50f12d5 swiftpm: Add missing package references to the lockfile analysis
• 227317c swiftpm: Gracefully handle dependencies specified by branch name

Other Changes 💡

• b45b2bf SwiftPM: De-duplicate a class
• acfc84a SwiftPm: Stop using the dependency graph builder
• c1b90c9 swiftpm: Avoid an unnecessary copy operation
• 70a350e swiftpm: Factor out SwiftPackage.toVcsInfo()
• e9a06de swiftpm: Factor out getSwiftPackage()
• ab1d875 swiftpm: Factor out parseSwiftPackage()
• 736eb19 swiftpm: Make parseLockfile() return the pins
• ba94222 swiftpm: Make use of the default parameter value
• 89aad09 swiftpm: Move parseLockFile to the model file
• 8c6d7ae swiftpm: Move the dependency handler into SwiftPm
• bcdac56 swiftpm: Move the mapping to ORT's model into SwiftPM
• 22a7baa swiftpm: Re-order the classes
• 38709a7 swiftpm: Reduce the visibility of the model to internal
• 2dcbeeb swiftpm: Split up PinV2.toPackage()
• 9e71678 swiftpm: Turn a property into a function

Tests ✅

• ad7070a python: Update expected test results

Other Changes 💡

• 10de9ef style(vulnerable-code): Use multiline strings to reduce escaping confusion

15.1.0

What's Changed

Bug Fixes 🐞

• 56a81a5 model: Always construct Hash with lowercase value
• cf5d3c3 model: Always use lowercase for serialized hash values

Chores 🔧

• b9f65d1 swiftpm: Add the attribute kind
• e51454a Generally do not quote URL as part of messages

New Features 🎉

• b55f91f ort-config: Support namespace-level package curations
• 89b6325 vulnerable-code: Make the read timeout configurable

Other Changes 💡

• 99e3b1c conan: Pass also the hash algorithm
• 974fbba swiftpm: De-duplicate the class for the Pin state
• 505f2a2 swiftpm: Remove code redundancy for converting Pin to Package

Tests ✅

• f745c51 conan: Update an expected result
• 384e657 ort-config: Improve test names
• 83d193a python: Update an expected result

Other Changes 💡

• 4661582 Revert "refactor(scancode): Disregard the output format in scanner configuration"

15.0.0

What's Changed

Breaking Changes 🛠

• ddc09eb refactor(scancode)!: Move default configuration
• 0ec34f7 refactor(scanner)!: Make commandLineOptions private
• 2d6d287 refactor(spdx-utils)!: Move SpdxLicenseChoice out of model

Bug Fixes 🐞

• 4f21bb5 git: Again use the Git CLI to perform the actual reset
• 8472931 git: Do not rely on FETCH_HEAD to list the current branch first
• f5d3c2f node: Deduplicate issue lines before collapsing them
• a234ae5 pub: Do not use the revision from the pubspec.yaml of dependencies

Build 🐘 & CI ⚙️

• d673e1b Only sign when making official releases

Chores 🔧

• 46de195 docker: Re-align SWIFT_VERSION
• 61fbc32 docker: Upgrade Android command line tools to the latest version
• 2f6c6ef docker: Upgrade Go to the latest version
• b58f9d9 exception-mapping: Remove an invalid comment about sorting
• f2a799f scancode: Reorder command line options when running ScanCode
• 681f0bb scancode: Reorder functions for a better overview
• 3ce8889 scancode: Specify the timeout as a duration for convenience
• c0a9b4e Remove Batect as it has become unmaintained

Dependency Updates 🚀

• 195ddb7 Dockerfile-legacy: Update the available Cargo version
• 5012819 update codecov/codecov-action action to v4
• d8bb7e8 update dependency com.github.ajalt.mordant:mordant to v2.3.0
• a053fec update dependency com.networknt:json-schema-validator to v1.3.0
• 7b4f823 update dependency com.networknt:json-schema-validator to v1.3.1
• 8387ed4 update detektplugin to v1.23.5
• 68309b4 update exposed to v0.47.0
• e0fc5a8 update gradle/gradle-build-action action to v3
• 82190b5 update gradle/wrapper-validation-action action to v2
• b3063be update ktor to v2.3.8

Documentation 📖

• 77ff88e Git: Improve some code comments
• f228d98 jenkins: Improve the ORT_FAILURE_STATUS_CODE documentation
• 00cd17a model: Document the impact of the severe threshold properties
• acb8ad4 model: Fix the docs of Hash.create() for blank values
• 3852572 npm: Explain why the severity is only lowered for NPM CLI warnings

New Features 🎉

• d60ac69 docker: Enable multiarch build for amd64 and arm64
• e13c625 exception-mapping: Add Asterisk-exception
• ca7a2bf exception-mapping: Add Autoconf-exception-generic*
• eb108b3 node: Add a new single line warning prefix to support
• 232bc19 pub: Parse source artifacts for hosted packages
• 4af6360 scancode: Add an option to prefer file- over line-level findings

Other Changes 💡

• 2f84a01 Npm: Make mapLinesToIssues() a top-level extension function
• b8dd813 Npm: Move some functions to top-level
• a09afa4 Npm: Rename a few groupLines() variables for clarity
• fd795d3 github: Run functional tests against the snapshot Docker image
• c00cbbc model: Move the constant for the reference configuration file
• 32e0072 npm: Reduce severity of warnings from the output of npm
• 57c3659 pub: Extract a source variable
• a8d6171 scancode: Disregard the output format in scanner configuration
• e8f4e0a scancode: Inline the output format option
• 95dcce2 Introduce a constant for the status code for failures

Performance Enhancements ⚡

• 47da430 spdx-utils: Make the cheap check go first

Tests ✅

• c9d0b74 conan: Update expected results
• 37c0c4d node: Compare deeply nested data classes by YAML representation
• c96a389 node: Update NpmVersionUrlFunTest's lockfile to v3
• edbb3ad e9f36c4 osv: Update expected results
• f471b7b pip: Update expected results
• af7b45b pub: Update expected test results
• c297ec8 pub: Use placeholders for project VCS
• 75e6fb9 scancode: Also assert the number of license findings in a test
• 5364048 spdx-utils: Add a test for semantic matching of given expressions
• 5d7e4d7 spdx-utils: Remove a duplicate test
• 3bd4893 swiftpm: Fix-up a test case name
• 64fd9db swiftpm: Fix-up an expected result filename

Other Changes 💡

• 9bd9454 style(Git): Adjust formatting to ease setting line breakpoints

14.0.0

What's Changed

Breaking Changes 🛠

• 4116d16 refactor(spm)!: Make LibraryDependency a nested class
• a8e5dc7 refactor(spm)!: Make toPackage() an extension function
• 6afed08 refactor(spm)!: Turn toPackage() into an extension function
• 1c42352 refactor(spm)!: Use a better name for AppDependency
• 0289776 refactor(spm)!: Use the term SwiftPm in classes, files and package

Bug Fixes 🐞

• 8deb4b3 gradle-plugin: Take repositories defined in settings into account
• 360dbe1 node: Do not follow cyclic directory links
• 81d11a2 pub: Do not rely on the package name to be present
• 2d909ee scanner: Fix the one-off in the provenance count for the file lists
• 814a298 spm: Ensure identifiers of packages are unique
• 12563d0 swiftpm: Fix the broken requireLockfile check

Build 🐘 & CI ⚙️

• 6d35192 Gradle: Use dashes to group dependencies

Chores 🔧

• 1be19d5 analyzer: Remove an unneeded annotation
• 3a23af5 mailmap: Update some full names
• c6793a6 node: Ensure that package.json is a file

Dependency Updates 🚀

• 309b15d update dependency com.github.ben-manes.versions to v0.51.0
• 7485770 update dependency com.networknt:json-schema-validator to v1.2.0
• 90931c5 update dependency org.jetbrains.kotlinx:kotlinx-html-jvm to v0.11.0
• 1df8a97 update graphqlplugin to v6.6.0
• a95722a update jetbrains/qodana-action action to v2023.3.1

Documentation 📖

• f2316e0 README: Reduce duplication with docs
• 578af02 README: Rename Swift package manager
• 2ec282b analyzer: Rename Swift package manager to SwiftPM
• 559a6ca config: Add forceOverwrite option to reference.yml
• e2371ba gradle-inspector: Improve wording in the README.md
• 1d82e3b gradle-inspector: Reorder sections in the README.md
• b169d6b spm: Improve the KDoc for resolveLibraryDependencies()
• 656da24 spm: Improve the Kdoc for resolveAppDependencies()
• ac87105 website: Add a section about using the official Docker images
• c690d0a website: Enable syntax highlighting for bash code blocks
• 7cb26cf website: Enable syntax highlighting for batch code blocks
• f91408e website: Fix the edit URL
• 0ab9e49 website: Remove Kotlin from the additional languages
• dce9002 website: Update the section about using binary releases

New Features 🎉

• 2f9af0e jenkins: Add a label to link back the the build URL
• 0aaceb1 migrate: Add an option to migrate Pub identifiers
• 2f7723a swiftpm: Gracefully handle unsupported lockfile format
• b9016e3 swiftpm: Support lockfile format version 2

Other Changes 💡

• 1fe54e3 gradle-plugin: Introduce an extension function
• 119de17 migrate: Extract a function to migrate identifiers
• bd860f3 spm: Factor out createPackage()
• 71b23a6 spm: Improve name and KDoc for SpmDependenciesOutput
• 92efeaa spm: Improve readability of a string construction
• 3722643 spm: Inline a toString() function
• 57ec57b spm: Move two properties into a function
• 2910db4 spm: Remove inheritance between model classes
• e2f86e7 spm: Rename the spm module to swiftpm
• a3b09cc spm: Use a better name for resolveAppDependencies()
• 8fa37e7 spm: Use a better name for resolveLibraryDependencies()
• 5b87095 spm: Use an empty namespace for project IDs
• 43faef8 spm: Use better values for Identifier.type
• edb508f swiftpm: Apply a minor code beautification
• 31312ed swiftpm: Extract parseLockfile()
• d9f27bb swiftpm: Move a comment next to the related command
• 9cc7e75 swiftpm: Stop setting the homepageURL also for projects

Tests ✅

• d895de6 osv: Update expected results
• a51fc94 02e2d47 osv: Update expected results
• f88041a python: Update expected results
• 05417b7 a5fedf5 562b368 spm: Update expected results
• a0ea682 swiftpm: Add a lockfile for the synthetic spm-lib project
• 8ed897e swiftpm: Avoid a hard-coded path in test results
• 56d1226 swiftpm: Clarify the functional tests a bit
• bb7f83b swiftpm: Further isolate lockfile-only projects from other ones
• bff12f9 swiftpm: Specify branch name instead of version for one dep
• dfd1cd1 swiftpm: Update expected results

13.0.0

What's Changed

Breaking Changes 🛠

• 4e4c475 refactor(model)!: Simplify constructor of DefaultLicenseInfoProvider
• 3042e35 refactor(reporter)!: Remove ReporterInput.packageConfigurationProvider
• 233eb8b refactor(scanner)!: Remove the Package parameter from scanPackage()

Bug Fixes 🐞

• 488027d cargo: Only read checksum metadata entries as hashes
• e7bdb21 pub: Do not set namespaces for "Pub" packages
• a547788 scanner: Keep the VCS path for a package scanner's reference package
• 1e22bc4 spdx-utils: Correctly determine choices for AND expressions
• 3205ec9 spm: Ensure uniqueness of identifiers for projects
• 59942dc spm: Stop setting the author field for consistency
• 6a8bd94 spm: Stop using the repository name as the name of dependencies

Chores 🔧

• 0a33af9 scanner: Add a closing quote when logging the scanner name

Dependency Updates 🚀

• 89521b5 website: Upgrade to Docusaurus 3.1.0
• 25e1de1 Update the foojay-resolver-convention plugin to version 0.8.0
• 711bdd5 update davidanson/markdownlint-cli2-action action to v15
• d7dbd01 update dependency com.autonomousapps.dependency-analysis to v1.29.0

Documentation 📖

• e0560f3 evaluated-model: Fixup references to resolutions
• 920fd0c helper-cli: Fix-up a copy and paste mistake
• 5dca9cf jenkins: Document that VulnerableCode is enabled by default
• 2cf9032 model: Improve docs for RepositoryProvenance properties
• 00bc82b model: Improve various ProvenanceResolutionResult texts

New Features 🎉

• 0c748f4 composer: Use PackageManager.getFallbackProjectName
• 07d06bb model: Introduce OrtResult.getPackageConfigurations()
• c5671ee pub: Use PackageManager.getFallbackProjectName
• 3f4073f reporter: Use

   block for issue messages

• 2b230b8 website: Integrate tutorial with docs

Other Changes 💡

• 523e898 evaluated-model: Consume package configs via the OrtResult
• 2bf0203 evalutator-command: Include package configs in input OrtResult
• 7754349 list-copyrights-command: Simplify passing on package configs
• 79fcd67 reporter-command: Include package configs in the OrtResult
• be38f7f scanner: Get the nested provenance only once
• 972e24c scanner: Move downloadRecursively() to ProvenanceDownloader
• 3c795a1 spdx-utils: Remove disjunctiveNormalForm()
• 0ea02d6 spdx-utils: Simplify the OR case of validChoicesForDnf()
• dac1854 spm: Stop setting the homepage URL

Tests ✅

• 8bc273e fossid: Align the way to call scanPackage()
• ccb4d67 node: Update expected test results
• 4336048 ort-utils: Add more Copyright symbol tests
• 6ae49d8 osv: Update expected results
• cb47b19 osv: Update expected test results
• 0fb41d1 pub: Update expected test results
• 34046a6 spdx-utils: Add a test for a complex license choice
• 43b446c spdx-utils: Compare choices by string representation
• fad0008 spm: Update expected results
• 7032df2 utils: Improve assertions for the processed statements
• 4d915d6 utils: Use a shorter name for actualResult

12.0.0

What's Changed

Breaking Changes 🛠

• 8bd464f refactor(StatisticsCalculator)!: Stop using resolutionProvider
• 490a641 refactor(model)!: Move PURL-related extension functions to a separate file
• e782ba3 refactor(python)!: Move PYPROJECT_FILENAME to Poetry
• 330646f refactor(reporter)!: Remove ReporterInput.resolutionProvider
• 708afae refactor(scanner)!: Pass the resolved provenance to scanPackage()

Bug Fixes 🐞

• c5109a7 analyzer-command: Resolve repo config correctly if input is a file
• d0301b4 common-utils: Do not extract TAR directory entries as files
• 27e53e2 helper-cli: Fix-up the reason for pattern test_*.c
• 19553b6 model: Correctly en- / decode a VCS subpath to / from PURLs
• bd836a3 node: Strip a trailing "/" before creating globs

Build 🐘 & CI ⚙️

• dfbaa8e Gradle: Do not apply the built-in maven-publish plugin anymore
• 4fc7a39 Gradle: Explicitly set name for buildSrc module
• 4f4def4 Gradle: Reply on default values for publishing coordinates
• e769b0b Gradle: Use type-safe project accessors
• 04c1033 github: Enable auto-release of artifacts from staging to production
• f933760 github: Simplify the release process a bit

Chores 🔧

• 3d911f0 model: Make newly added PURL extension function public
• fe76d2c static-html-reporter: Align YAML assets to use unindented lists

Dependency Updates 🚀

• 0a1065f Update gradle-maven-publish-plugin to version 0.27.0
• a5ed041 update dependency com.github.ajalt.clikt:clikt to v4.2.2
• 86be29e update dependency io.mockk:mockk to v1.13.9
• 41a0b9e update dependency org.apache.logging.log4j:log4j-api-kotlin to v1.4.0
• f9f938b update dependency org.asciidoctor:asciidoctorj to v2.5.11
• d5d0507 update dependency org.slf4j:slf4j-api to v2.0.10
• 2484f24 update dependency org.slf4j:slf4j-api to v2.0.11
• 9c665ce update dependency software.amazon.awssdk:s3 to v2.23.0
• 33eb0df update exposed to v0.46.0
• abcec81 update graphqlplugin to v6.5.7
• 71dc4c4 update jackson to v2.16.1
• fbf5988 update kotlin monorepo to v1.9.22
• c74a28b update log4j2 monorepo to v2.22.1

Documentation 📖

• e1c0651 evaluated-model-reporter: Use imperative mood in function docs
• 515bc73 jenkins: Update the screenshot to include the unstash stage
• ba3220d model: Improve docs for the includedLicenseCategories property
• 98b4026 scanner: Also use the term "wrapper" in the class docs
• 83308a1 scanner: Generally write "scanner-specific" with a dash

New Features 🎉

• 3348189 helper-cli: Add versioneer path exclude generator's patterns
• 71e38b9 jenkins: Add a parameter for an existing analyzer result file
• 3e767e3 model: Add a toPurl() overload that takes PurlExtras directly
• 758fd7a model: Add functions to en-/decode provenance into PURL extras
• fa6943b python: Detect the Python version for Poetry projects

Other Changes 💡

• 21a4085 downloader: Use more specific provenance return types
• bdfff4c evaluated-model: Stop using resolutionProvider
• 901d8c9 fossid: Align the provenance returned if there are issues
• 69fe155 fossid: Do not measure the scan duration twice
• 91335c1 fossid: Inline createSingleIssueResult()
• b189232 fossid: Make issue handling more compact
• 8a9aa9d fossid: Simplify the creation of single issue summaries
• b1dfed0 freemarker: Stop using resolutionProvider
• 0794697 model: Handle UnknownProvenance in toPurlExtras()
• 88e0f29 model: Make OrtResult implement ResolutionProvider
• 1609034 python: Apply default values for inspector options later
• 3a71a70 scanner: Remove findNestedProvenance()
• 71f82f9 spdx-utils: Implement licenses() based on decompose()
• 8679649 static-html: Stop using resolutionProvider

Tests ✅

• 4ba9271 conan: Update expected results
• a677430 python: Import the PYPROJECT_FILENAME constant
• 2320258 reporter: Add issue resolutions to all test assets
• a7f21df reporter: Include all resolutions also in resolved config
• 36e82ba e3616ec a51be8e spm: Update expected results
• 42bf356 spm: Update expected test results

11.0.0

What's Changed

Breaking Changes 🛠

• c08a624 refactor(model)!: Improve ResolutionProviders getter names
• 6c5ef66 refactor(model)!: Improve the name of a couple of setters
• 8a60d67 refactor(model)!: Make use of getResolutions() in several functions
• 4ac3106 refactor(model)!: Use a more specific name for getResolutions()

Bug Fixes 🐞

• 96d87c0 vulnerable-code: Fixup another case of wrong URL escaping

Build 🐘 & CI ⚙️

• d168e88 Gradle: Remove the docsHtmlJar task
• 4629bd7 Gradle: Rename catalog entries that are actually plugins
• d082b92 Gradle: Rename the docsJavadocJar task to javadocJar
• bae6ef3 Gradle: Use the gradle-maven-publish-plugin for publishing
• 07f9efb github: Disable the Gradle daemon globally in always the same way
• 4115c37 github: Use the new publishing mechanism in the release workflow

Chores 🔧

• 979847b commands: Deprecate the --skip-excluded options
• 2ac0dfe downloader: Improve the log message for Cargo VCS handling

Dependency Updates 🚀

• 8fa33e6 update dependency com.networknt:json-schema-validator to v1.1.0
• 97763c0 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.10
• fe994d7 update dependency software.amazon.awssdk:s3 to v2.22.0

New Features 🎉

• 58ceee7 model: Introduce OrtResult.getResolutions()
• cd8e1bf ort-utils: Find names even if the version has an (ignorable) suffix

Other Changes 💡

• 759e542 helper-cli: Remove getUnresolvedRuleViolations()
• c9fdf41 model: Make resolveResolutions() an extension function
• f15ba6b reporter-command: Include all resolutions in the OrtResult

Tests ✅

• 9e4d666 carthage: Make the test independent of the GitHub org ORT is hosted
• 10c0362 evaluated-model: Include all resolutions also in resolved config
• f70df1d spm: Update expected results
• e1803f0 vulnerable-code: Improve the test by verifying URI creation