33.0.0

What's Changed

Breaking Changes 🛠

• 60ef7c9 feat(advisor)!: Rework VulnerabilityReference semantics
• 01ca824 refactor(model)!: Generalize the scoring system mapping
• 6015cc9 refactor(yarn2)!: Inline YARN_PATH_PROPERTY_NAME
• 630a8db refactor(yarn2)!: Move some vals and funs outside of the companion

Bug Fixes 🐞

• 2ac103a bazel: MODULE.bazel files from a local registry should be ignored
• cb7c914 model: sslmode typo in reference.yml
• e8e9b83 osv: Improve error handling a bit
• 508dbfc spdx-utils: Support reading dashed reference category names

New Features 🎉

• 24656e2 model: Add underscore variants to CVSS names
• 95cba40 vulnerable-code: Add scoring elements to the data model

Build 🐘 & CI ⚙️

• e833172 gradle: Do not set a global duplicatesStrategy anymore
• 9928629 gradle: Replace custom code with the reproducible-builds plugin
• c6523c4 github: Do not configure a custom linter version anymore
• 9f7b625 renovate: Disable NuGet package manager updates

Chores 🔧

• 61eb5c1 evaluator: Remove a few named lambda variables to simplify code
• d29db08 gradle-plugin: Explicitly set a duplicatesStrategy
• ce409f9 helper-cli: Consistently make commands internal
• a577470 helper-cli: Consistently name the help parameter explicitly
• bb0654c node: Add a couple of links to upstream documentation
• c725523 node: Slightly simplify Yarn code to get package details
• f675a32 osv: Improve mapping from OSV to ORT vulnerability references
• 275c2c1 yarn2: Drop an obsolote TODO comment

Dependency Updates 🚀

• a488e05 Update clikt to version 5.0.0 and Mordant to version 3.0.0
• 0b24c91 Update dependency-analysis-gradle-plugin to version 2.0.2
• 0c10c2f Update kotlinx-coroutines to version 1.9.0
• 280d8fb update dependency org.semver4j:semver4j to v5.4.0
• 521bd69 update dependency software.amazon.awssdk:s3 to v2.28.0
• fd28fcf update github/codeql-action digest to 8214744
• 21a3289 update gradle/actions digest to d156388
• 12c8019 update jetbrains/qodana-action action to v2024.1.10
• c750cfd update jetbrains/qodana-action action to v2024.1.11
• 0c540bd update jetbrains/qodana-action action to v2024.2.2

Documentation 📖

• 8a1e42a gradle: Improve the wording of a code comment
• 1b15bfa yarn2: Fix-up a couple of broken KDoc references

Refactorings 🚜

• 5a303ad helper-cli: Introduce an abstract OrtHelperCommand base
• d1fa1f2 model: Extract vulnerability rating code to a function
• 8b45010 npm: Use a simpler return type for two functions
• 5bc030e yarn2: Extract isCorepackEnabled()
• e2bca6b yarn2: Inline DEFAULT_EXECUTABLE_NAME
• da6cc49 yarn2: Move a couple of functions / classes to the file level
• 12c99e1 yarn2: Move some sanity logic into getYarnExecutable()
• 5d0f002 yarn2: Reduce the scope of the version variable
• 098ef99 yarn2: Simplify cleanYarn2VersionString()
• 9db096c yarn2: Use a shorter name for versionFromLocator

Tests ✅

• c17e5c3 bazel: Update expected results
• 52cb0e0 conan: Split out the lockfile case into a dedicated test
• a9e964e conan: Update expected results
• 6123c13 node: Consistently place Npm projects in the npm directory
• 06fe673 node: Drop the README.md for Npm test assets
• c67d544 node: Improve a test case name
• b0bd418 node: Merge NpmVersionUrlFunTest into NpmFunTest
• 8cbbb57 node: Move Yarn test projects into a dedicated yarn directory
• 254a64a node: Slightly improve a project name and metadata
• 49b65dd osv: Update expected results
• 6e181ef bc819cc osv: Update expected results

32.1.0

What's Changed

Bug Fixes 🐞

• 023752f dos: Make the token a secret config option

New Features 🎉

• fcfab20 gradle-inspector: Add an option to bootstrap a JDK version

Chores 🔧

• f654747 node: Drop the now unused Jackson dependencies
• da5c922 yarn2: Make use of YARN2_RESOURCE_FILE in a log message

Documentation 📖

• f2f2f7c ort-utils: Fix environment property descriptions
• 65f58c3 Update link references of ownership

Refactorings 🚜

• 184eb55 yarn: Port the remaining Jackson code to KxS
• 45dd629 yarn2: Factor out getYarnExecutable()
• c137075 yarn2: Port getYarnExecutable() to KxS
• 519a76a yarn2: Port isCorepackEnabledInManifest() to KxS
• 841bd30 yarn2: Port listDependenciesByType() to KxS

32.0.0

What's Changed

Breaking Changes 🛠

• 1621941 feat(gradle)!: Make GradleInspector the new default
• c21b31b refactor(reporter)!: Rename the reporter to AOSD2 to avoid confusion

Bug Fixes 🐞

• 2438448 gradle-inspector: Do not assume all POM artifacts to be metadata-only
• 7c421cc gradle-inspector: Handle dependency cycles properly
• 78f0a07 gradle-inspector: Keep the artifact URL on invalid hash values
• 04b0356 model: Add a heuristic to get the manager in dependency graphs
• 7b12e72 osv: Remove an invalid reference type
• 694ac3c pub: Improve containsFlutterSdk()
• 9cca883 pub: Use the correct key name when replacing options

New Features 🎉

• 8ce9483 gradle-inspector: Allow to customize the Java home for analysis
• af559df jenkins: Allow to configure the list of advisors
• 9bcb485 osv: Add new ecosystem constants for completeness
• 723e003 plugins-api: Allow to manually set the plugin ID
• da7b11f pub: Always use the (one) enabled Gradle package manager
• 94e30b1 scripts: Add a script to generate all CLI completion scripts
• 3a68e61 scripts: Align on more portable env shebangs to discover bash

Build 🐘 & CI ⚙️

• e609a22 refactor: Use the new script to generate CLI completions

Chores 🔧

• 7c52615 analyzer: Remove a too strict assumption in dependency verification
• cc04a19 docker: Update Npm to the latest minor version
• 002b58b docker: Update Pnpm to version 9.9.0
• 45ff021 docker: Update Swift to version 5.10.1
• f2fc447 docker: Upgrade Go to version 1.23.0
• 7373195 gradle-inspector: Rename the init.gradle template
• 7689ecb yarn2: Fix a typo
• d9eb1da Remove references to JitPack in favor of Maven Central
• 54a2e4e Use ifEmpty and ifBlank to simplify code
• 714996c Use ifEmpty and ifBlank to simplify code
• de66c45 Use singleOrNull to simplfiy code

Dependency Updates 🚀

• 3a1fbf6 Update the native-gradle-plugin to version 0.10.3
• fbe3ae8 update actions/attest-build-provenance digest to 1c608d1
• f7d2368 update dependency ch.qos.logback:logback-classic to v1.5.8
• d80b9d2 update dependency dev.adamko.dokkatoo:dokkatoo-plugin to v2.4.0
• e20681a update dependency gradle to v8.10.1
• 64828ac update detektplugin to v1.23.7
• 80f62a1 update exposed to v0.54.0
• 8836de6 update ksp to v2.0.20-1.0.25
• 01f3d58 update log4j2 monorepo to v2.24.0
• 7be755c update wagoid/commitlint-github-action digest to 3d28780

Documentation 📖

• a53b7c6 README: Remove the wrapper validation badge
• d06e12e README: Swap OpenSSF Best Practices and Scorecard badges
• 0d1965b gradle-inspector: Fix the link to the init script resource
• eaba79c gradle-inspector: Mention javaHome as part of class docs
• 9646794 gradle-inspector: Update the list of known limitations
• 5daae47 issues: Limit ort requirements output to commands
• f5d54b8 model: Improve VulnerabilityReference property docs
• 15bf4fc osv: Add documentation to all top-level classes
• f57e046 osv: Generalize wording from "list" to "collection"
• f54636e plugins-api: Fix description of PluginDescriptor.id
• 785514e plugins-api: Improve docs for OrtPlugin
• 81561d1 Avoid "our" in comments and use passive voice
• 2b2bb87 Avoid "we" in comments and use passive voice

Refactorings 🚜

• b0fc861 model: Inline some default parameters in a test function
• dabcd27 model: Inline the misleading Project.managerName property
• 8272678 node: Drop the --fields option
• aa46f27 node: Factor out mapNpmLicenses()
• b4205ba node: Improve code for parsing package.json and beyond
• 2cd8fe4 node: Improve the name of packagesHeaders
• 4e19bbd node: Move Yarn2 into its own dedicated package
• 77590e3 node: Port the parsing of Yarn2 package infos to KxS
• f567582 node: Re-use getProjectAdditionalData() also for projects
• 9ea65f9 node: Rename parseNpmAuthors() to singular form
• 3382b5b node: Turn fixNpmDownloadUrl() into an extension
• 407172e node: Use an object mapper for parsing Yarn2's info output
• 4d854a7 node: Use the info alias for the view command
• 0efc494 npm: Use a more speaking name for packageFile
• 8553c7f npm: Use a more speaking name for packageJson
• 6ecdb9e plugins: Fix casing in plugin IDs
• 6c653f1 plugins-api: Rename OrtPlugin.name to displayName
• 399d507 pub: Inline some variables in parseProject()
• 7ef80e6 pub: Port Pubspec parsing to KxS and use a data class
• f5b8f6d pub: Rename several manifest variable
• fca5d83 pub: Use a more speaking name for pubspec
• 34e2339 yarn: Relax strictness in processAdditionalPackageInfo()

Tests ✅

• e571858 bazel: MODULE.bazel files from a local registry should be ignored
• 55fa8bd conan: Update expected results
• 1132b40 nuget: Disable NuGetFunTest
• 146f9a0 pub: Update expected results
• e84d43a pyhton: Update expected results

31.0.0

What's Changed

Breaking Changes 🛠

• 848e666 feat(advisor)!: Migrate the advisor to the new plugin API
• dd90907 refactor!: Move PackageConfigurationProvider to API module
• 90accbb refactor!: Move PackageCurationProvider from model to plugin API
• 3c8b32a refactor!: Move config helpers from model to new config-utils module
• 89467d9 refactor(analyzer)!: Move PackageManagerDependencyHandler to the root
• 4c7c9fc refactor(analyzer)!: Turn conversion functions into extensions
• bd4e76e refactor(common-utils)!: Remove the force argument from delete functions
• e785545 refactor(model)!: Remove PackageConfigurationProvider from OrtResult
• 1e5ae99 refactor(ort-utils)!: Remove the fallback to read uncompressed files
• 6636764 refactor(osv-client)!: Remove an unused constructor
• f787654 refactor(osv-client)!: Remove the Server enum
• 4f870c2 refactor(package-configuration-providers)!: Migrate to new plugin API
• 2a8ca2f refactor(package-configuration-providers)!: Remove unused EMPTY constant
• 934c6aa refactor(package-curation-providers)!: Migrate to the new plugin API
• d782466 refactor(plugins-api)!: Make PluginDescriptor.id the first argument
• d15eaa1 refactor(plugins-api)!: Rename PluginDescriptor.className to id
• 9b13596 refactor(plugins-api)!: Rename PluginDescriptor.name to displayName

Bug Fixes 🐞

• 5d11ab0 advisors: Make configuration properties secrets
• a477ded common-utils: Use the Path API to delete files
• ed095a6 compiler: Fix an error message
• f991e15 ort-utils: Fix handling of LocalFileStorage.transformPath()

New Features 🎉

• 29468d0 compiler: Add the descriptor to the factory companion object
• 35d18a6 compiler: Allow multiple plugins of the same type in a project
• e15091c compiler: Remove the parent class name suffix from the plugin id
• 1e0cdfe docker: Replace Syft for Docker own Scout SBOM generator
• 29a108a model: Check if an archive exists before trying to download it
• 71983f1 plugins: Add a new plugin API with symbol processing
• 5804107 plugins-api: Generate a JSON representation of the plugin spec

Build 🐘 & CI ⚙️

• c01b6c8 detekt-rules: Fix the import check for a single dotless import
• 90a570d gradle: Fix applying the dependency analysis plugin
• adbc676 package-managers: Make dependencies on GitCommand explicit
• b82a5c1 Introduce a convention plugin for plugins
• 1e9ae8a Rename the convention for plugin parent projects
• 3e94f07 github: Remove an unnecessary outdated parameter
• 627296b github: Remove the separate Gradle wrapper validation

Chores 🔧

• 2b8463d package-managers: Make gradlew of test projects executable
• 954eb96 plugins: Use the companion object descriptors
• 97a81dd reuse: Migrate from dep5 to TOML format

Dependency Updates 🚀

• 6be1533 update actions/setup-python digest to f677139
• cf72d14 update dependency com.autonomousapps.dependency-analysis to v2.0.1
• c737daf update dependency prism-react-renderer to v2.4.0
• 0cdbc49 update github/codeql-action digest to 4dd1613
• 43c8a20 update gradle/actions digest to 16bf8bc

Documentation 📖

• a4d249f downloader: Further improve a log message to include the revision
• 4da006b plugins-api: Fix docs for PluginDescriptor properties

Refactorings 🚜

• fdd90ca analyzer: Split package manager dependency classes across files
• 01a200e carthage: Trivially port from Jackson to KxS
• 78154d8 common-utils: Move recursive deletion tests to funTest
• ab12481 common-utils: Move several tests to funTest
• b67936d compiler: Use singleOrNull() to simplify code
• cb15705 gradle: Move OrtDependency extension functions to the model
• fbc786d gradle: Turn extension functions into properties
• 0e3900d gradle-inspector: Make use of OrtDependency extensions
• 080b303 gradle-inspector: Migrate the code to use the dependency graph
• 814e56e plugins: Move KSP compiler to separate project
• 40e0133 plugins-api: Add default value for PluginDescriptor.options
• 4dd5a49 plugins-api: Separate plugin analysis from code generation
• 2401bf2 pub: Extract constants for the scope names
• b42f894 pub: Remove a code redundancy from the construction of scopes
• 28c4149 pub: Remove an unnecessary for loop and comment
• d4fd3f1 pub: Use a data class for parsing the lockfile
• a45bd86 pub: Use a shorter name for pkgInfoFromLockfile

Tests ✅

• c8f2baa common-utils: Add a test for deleting files with bogus names
• bb012f3 common-utils: Add a test for deleting read-only files
• e0e8465 common-utils: Add a test for deleting with a base directory
• 8e05bcf ort-utils: Add missing tests for LocalFileStorage
• b68e3b9 ort-utils: Reduce indentation in tests
• af56607 ort-utils: Use function names for test containers
• 535ff62 osv: Update expected results
• b0ae065 pub: Add a () to a test case name
• bc98102 pub: Consistently use reader
• b3e173a pub: Remove an unhandled property
• ed29629 pub: Remove an unnecessary code comment

Other Changes 💡

• d0840a6 Revert "test(osv): Update expected results"

30.0.0

What's Changed

Breaking Changes 🛠

• c8e87e7 refactor(vcs)!: Make the aliases property private

Bug Fixes 🐞

• 34a222e bazel: Apply name and version overrides earlier
• eb8d2c8 bazel: Change metadata.json's model to comply with schema
• 4e887f2 bazel: Maintain the version also in case of archive overrides
• 16a121c helper-cli: Fix-up the exclude reason for ChangeLog files
• 456e3fc scancode: Make path comparisons separator-agnostic
• e72fd2a scanoss: Support multiple line ranges per snippet

New Features 🎉

• 26a0401 advisor: Add resolution reason for incorrect vulnerabilities
• 1ec14b5 bazel: Add support for archive_override
• 05d9658 bazel: Treat a package with archive override and patches as modified

Build 🐘 & CI ⚙️

• c6701f8 gradle: Enable consistent copy() visibility
• 7ad4bfe Ensure that the generated shell completion scripts are up-to-date

Chores 🔧

• 93ea5b3 bazel: Do not quote URLs in logs for visual simplicity
• d95b8b2 bazel: Improve archive override URL logging
• a85e0d6 clearly-defined: Do not pass a default value
• 61ad183 integrations: Regenerate shell completion scripts
• e951d63 web-app-template: Simplify adding to a map

Dependency Updates 🚀

• f87f923 spdx-utils: Update the SPDX license list version to 3.25.0
• 135b287 update actions/attest-build-provenance digest to 6149ea5
• f9a5452 update dependency com.autonomousapps.dependency-analysis to v2
• 0aad2f2 update dependency org.asciidoctor:asciidoctorj to v3
• 0d3b21e update dependency org.postgresql:postgresql to v42.7.4
• fe0a41c update github/codeql-action digest to 2c779ab
• 15c1031 update kotlin monorepo to v2.0.20
• ae29ff7 update kotlinxserialization to v1.7.2

Documentation 📖

• ebdc21f README: Remove the broken TODO badge
• 4841e02 analyzer: Clarify the input directory to be version-controlled
• 38c9efd analyzer: Explain that the analyzer is required to run
• a82f01c analyzer: Name precondition for analysis to work
• 99cd187 cli: Explain SLF4J API usage in addition to Log4j API usage
• e191061 model: Slightly improve LicenseFinding.license docs
• ddc0757 website: Fix the full AOSD reporter name
• 0ded5f8 website: Improve FossId report documentation
• f0b7b79 website: Make Opossum report documentation more compact

Refactorings 🚜

• b91c8ff clearly-defined: Rename a (so far unused) enum property
• 7ecf85d composer: Inline parseScope()
• a28a503 scanners: Rename a snippet's license to singular
• c309ada Port remaining code to kotlin.io.encoding.Base64
• 5228030 Use hex coding from Kotlin's stdlib

Tests ✅

• 32dfe21 bazel: Add another archive override with dev_dependency=True
• 1cd9699 clearly-defined: Make use of the projectUrl property
• 602ab3c pub: Update expected results
• 9e01f50 python: Update expected results

29.1.0

What's Changed

Bug Fixes 🐞

• 4813be3 conan: Ensure that Conan is running in non-interactive mode

New Features 🎉

• 3660ce0 downloader: Allow to specify parallel downloads on the CLI
• c64cc83 downloader: Display progress info for parallel downloads in the CLI

Chores 🔧

• 9932ab7 downloader: Say "verifying" in case of a dry run

Dependency Updates 🚀

• 549a0dd update github/codeql-action digest to f0f3afe
• eff9a93 update wagoid/commitlint-github-action digest to a2bc521
• 4261d1a update wagoid/commitlint-github-action digest to dbd4ecd

Tests ✅

• fe81e49 pub: Update expected results

29.0.0

What's Changed

Breaking Changes 🛠

• fb36bec chore(advisor)!: Remove the GitHub defects advisor

Bug Fixes 🐞

• 110f2e3 scanoss: Improve parsing of VCS URLs
• 5fff408 scanoss: Properly deal with empty licenses for snippets

New Features 🎉

• 88f4548 bazel: Add support for local_path_override
• a53082f docker: Add Buildozer to the Docker image
• dcc41df spdx: Allow to set creator person and organization
• d4d17d0 utils: Add runBlocking that preserves Log4j's MDC context

Chores 🔧

• 58deae0 scanoss: Directly map to sets
• e5303d7 scanoss: Make skipping of "none" file details explicit
• b1caae2 scanoss: Remove a superfluous distinct() call
• 97ece6d scanoss: Throw on unsupported line ranges in convertLines()
• f261664 web-app: Trivially change a variable in a test to be plural

Dependency Updates 🚀

• 161ea45 update dependency ch.qos.logback:logback-classic to v1.5.7
• f75bc26 update dependency org.apache.commons:commons-compress to v1.27.1
• 947f855 update docusaurus monorepo to v3.5.2
• 74557ba update github/codeql-action digest to 883d858
• 52ea6ca update maven to v3.9.9

Documentation 📖

• fe5a27f gradle: Add descriptions to tasks so they show up without --all
• aaf9012 spdx: Deep link to a nested property from reporter options

Refactorings 🚜

• ba9f17f clearly-defined: Make functions suspending
• dbc3fc5 clearly-defined: Remove the callBlocking function
• a061b06 fossid-webapp: Make factory functions suspending
• 9b3cb85 fossid-webapp: Rename instance function to create
• f04cb07 scanner: Make resolveNestedProvenance suspending
• 4e19363 scanner: Make resolveProvenance suspending
• ee3c33b Use the new runBlocking function

Tests ✅

• d1ee3dd pub: Update expected results

Other Changes 💡

• 17d1ff2 style(detekt): Forbid usage of kotlinx.coroutines.runBlocking

28.0.0

What's Changed

Breaking Changes 🛠

• 0137bde refactor!: Replace is{False,True}() with toBooleanStrictOrNull()
• d03abd4 refactor(bazel)!: Align create function and parameter naming
• fa35e72 refactor(bazel)!: Rework collection use for URLs
• 37ea3e6 refactor(bazel)!: Simplify code with an url not being nullable
• 56e2fb7 refactor(model)!: Use a secondary Hash constructor instead of create()
• 506ef31 refactor(reporter)!: Change to return per-file-format results

Bug Fixes 🐞

• c43047a Bazel: Fix BazelTest
• d6b7404 Bazel: Force a Bazel version for BazelTest
• 7d6a7e9 Bazel: Recreate the test data for the test with local registry
• b1dd96a bazel: Distict registry URLs by their normalized form
• 6160df2 compose: Ignore definition files from vendor directories
• 471a65d compose: Stash any present "vendor" directory
• 37e0e5c composer: Do not use the managerName for packages
• b579f88 composer: Support the license field to be a primitive string
• ae14f3f conan: Properly inspect null values
• 46aa773 ctrlx-reporter: Make the $schema field non-nullable
• b194374 ctrlx-reporter: Only use real SPDX IDs
• af556b0 downloader: Correctly get the repository root path
• 743873a scanoss: Ignore the logging provider from `scanoss'

New Features 🎉

• b4e4156 Bazel: Support Bazel 7.2.0
• ebd6454 bazel: Add MultiBazelModuleRegistryService class
• 378f6e2 bazel: Support multiple registry services
• e8e3416 reporter: Add a reporter for the AOSD 2 format

Build 🐘 & CI ⚙️

• bb0a326 gradle: Remove the unused scanoss client project
• a603d3d github: Use latest instead of linked CodeQL tooling
• 5092c18 renovate: Enable Renovate for the website
• 0b94998 renovate: Update NPM only once a week

Chores 🔧

• fb15bb1 Bazel: replace the test done by BazelTest by a functional test
• 48f4128 bazel: Omit a default argument
• 4e86921 bower: Remove the now unnecessary inspection hint suppressions
• b9f521e composer: Make top-level data classes internal
• fcc91b7 composer: Reduce the visibility of two constants
• 0454248 composer: Remove an uncessary log warning
• d2a1434 composer: Simplify associateBy to associate
• 949b5de docker: Replace Bazel by Bazelisk
• 727705f docker: Upgrade PHP to the latest active version
• b694901 docker: Upgrade composer to the latest version
• dfa843c downloader: Add a debug log when deleting working tree caches
• 977707d evaluated-model: Remove a superfluous file format case
• 400e0f4 gradle: Sort compiler options alphabetically
• 1ba1116 model: Consistently use HTTPS for example.com URLs
• df82c97 node: Use curly-brace-syntax for logging
• 2839a76 package-manager: Force a Bazel version for the existing test
• f8dc4e3 scanoss: Do not apply the BlacklistRules
• bdbc11d Align code and wording of either-or property checks
• f6ba8bc Do not used the named with parameter for @Serializable
• 424dfcb Use the recommended function to get serializers for a type

Dependency Updates 🚀

• 7aec1fb website: Upgrade to Docusaurus 3.4.0
• 4c3ed0b website: Upgrade transitive dependencies
• c8cf639 pin dependencies
• ce116dd update actions/attest-build-provenance digest to 210c191
• 090c43c update actions/attest-build-provenance digest to 310b0a4
• 7a297b5 update actions/deploy-pages action to v4
• 223676b update actions/setup-node action to v4
• aee9f08 update actions/upload-pages-artifact action to v3
• b2acb25 update dependency com.autonomousapps.dependency-analysis to v1.33.0
• f7c54c6 update dependency com.charleskorn.kaml:kaml to v0.61.0
• a469c1d update dependency com.github.ajalt.mordant:mordant to v2.7.2
• 9391fd1 update dependency com.networknt:json-schema-validator to v1.5.1
• 0621a90 update dependency gradle to v8.10
• dc6db0f update dependency org.apache.commons:commons-compress to v1.27.0
• 7f4903c update dependency org.apache.logging.log4j:log4j-api-kotlin to v1.5.0
• 897298d update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.18
• 56d5421 update dependency org.cyclonedx:cyclonedx-core-java to v9.0.5
• 3e819a0 update dependency org.slf4j:slf4j-api to v2.0.14
• a0cbc63 update dependency org.slf4j:slf4j-api to v2.0.15
• 4f3af43 update dependency org.slf4j:slf4j-api to v2.0.16
• 93907bc update dependency org.springframework:spring-core to v5.3.39
• f891232 update dependency org.tukaani:xz to v1.10
• fd2290f update dependency org.wiremock:wiremock to v3.9.0
• a60d045 update dependency org.wiremock:wiremock to v3.9.1
• c1f1795 update dependency software.amazon.awssdk:s3 to v2.27.1
• ee94143 update docker/build-push-action digest to 16ebe77
• 85936e7 update docker/build-push-action digest to 5176d81
• e3087af update docker/build-push-action digest to 5cd11c3
• 39a638e update docker/login-action digest to 9780b0c
• 7faea4d update docker/setup-buildx-action digest to 988b5a0
• 5d4985b update docker/setup-buildx-action digest to aa33708
• dc9a0dc update docusaurus monorepo to v3.5.1
• 3b079c4 update exposed to v0.53.0
• 8853da4 update github/codeql-action digest to 29d86d2
• 5fdc763 update github/codeql-action digest to 2d79040
• 17ed779 update github/codeql-action digest to 429e197
• 942d706 update github/codeql-action digest to 5cf07d8
• b2ee73b update github/codeql-action digest to afb54ba
• eb64faa update github/codeql-action digest to eb055d7
• b0bddf9 update gradle/actions action to v4
• 1741aff update jetbrains/qodana-action action to v2024.1.9
• f9d3bd0 update kotlin monorepo to v2.0.10
• af4c8b1 update mavenresolver to v1.9.22
• 942539a update ossf/scorecard-action action to v2.4.0
• 691c31e update wagoid/commitlint-github-action digest to baa1b23

Documentation 📖

• 48bb017 README: Add a Repobeats contribution statistics image
• a98f22b README: Add a sentence aboout the governance model
• 2d8257c README: Reword the contribution section
• 742b393 bazel: Quote a file name in fluent text
• a7d5987 conan: Explain why a temporary file is required for inspect
• 1c0713d github: Add icons to the issue workflow
• b7ae659 reporter: Update the link to Ctrl-X Automation FOSS information
• f19c276 Add Volkswagen AG to the list of adopters

Refactorings 🚜

• 2c18272 bazel: Create an issue instead of throwing on no registry
• c2ff612 bazel: Map directly to a set
• 2274638 bazel: Nest an internal data class for better grouping
• 5dd19ff bazel: Simplify creating Bazel module registries
• 1cca35a bower: Also take the authors from the project package
• 1a00466 bower: Factor out getProjectPackageInfo()
• c8e47f2...

27.0.0

What's Changed

Breaking Changes 🛠

• 192736f refactor(model)!: Inline AdvisorRecord with AdvisorRun

Bug Fixes 🐞

• 89fe68d SpdxDocumentFile: Add created issues to the PackageReference
• c8eb52a SpdxDocumentFile: Ensure to collect issues from external doc refs
• d686957 cyclonedx: Avoid a NPE when clearing extensibleTypes
• 023dfb6 cyclonedx: Only set licenses at all if they are not empty
• b0b1f7c downloader: Support Git URLs with '.git' in domain
• fb1f601 gradle: Ignore dependencySources configurations during resolution
• 90226f2 sbt: Filter out garbage from sbt projects command

New Features 🎉

• 2d3847e analyzer: Add option to skip setup.py analysis of PIP dependencies
• 57911fe helper-cli: Add a command to show insights into scan issues
• b37ac5e helper-cli: Allow to omit the version when listing packages
• ed44b6a model: Add a constant for an empty AdvisorRun

Build 🐘 & CI ⚙️

• b3ae3d0 gradle: Add a "detektAll" convenience task
• 67c4807 gradle: Prepare for eventually using atlassian.io artifacts
• 82396bd github: Move Scorecard analysis to a separate workflow
• 113a44d github: Run OpenSSF Scorecard analysis
• d881059 renovate: Automatically pin GitHub action digests

Chores 🔧

• 3e2eb12 cocoapods: Add a bit fault tolerance for PODS / DEPENDENCIES
• 28c53b9 cocoapods: Fix-up an unnecessary mapNotNull
• dfb014d cocoapods: Generalize mapping IDs to packages
• f7ff51a conan: Replace a get() with an indexing operator
• 4aad014 cyclonedx: Remove an unneeded cast to Any
• 262d966 cyclonedx: Say for which file extension creation failed
• e93de8a pub: Improve function names

Dependency Updates 🚀

• 824cc38 pin dependencies
• 25f07db update dependency com.github.ajalt.mordant:mordant to v2.7.1
• 6229972 update dependency gradle to v8.9
• 0e47316 update dependency io.mockk:mockk to v1.13.12
• 639a454 update docker/build-push-action digest to 1ca370b
• 88084c1 update docker/build-push-action digest to a254f8c
• 2651da9 update github/codeql-action digest to 4fa2a79
• 0139c25 update gradle/actions digest to d9c87d4
• 0ac569e update graphqlplugin to v6.8.1
• 3f69531 update graphqlplugin to v6.8.2
• 144588e update graphqlplugin to v6.8.4

Documentation 📖

• f545e5e README: Add an OpenSSF Scorecard badge
• da70ac4 cyclonedx: Remove an obsolete TODO comment
• bdaf216 github: Ensure that all static analysis steps have names
• 1ae222a github: Explain what security-events: write is needed for
• 22cd864 pip: Correctly state the default Python version to analyze for
• efed39f pip: Refer to option constants instead of repeating their values

Refactorings 🚜

• 2df46c6 cocoapods: Decompose a MapEntry
• 7e776e3 cocoapods: Factor out YamlNode.toPod()
• 26c31cf cocoapods: Factor out parsePodspec()
• 7115b14 cocoapods: Move Podspec to a dedicated file
• 35e048f cocoapods: Move an orEmpty() a couple of lines upwards
• ebc4b63 cocoapods: Port the Podspec parsing to KxS
• d4f0b5a cocoapods: Port the lockfile parsing from Jackson to KxS
• 41c5bca cocoapods: Remove a minor code redundancy
• ed9ce11 cocoapods: Separate parsing the lockfile
• 8978ee4 cocoapods: Turn resolveDependencies() into an expression
• b3f6311 cocoapods: Use a data class for the source property
• 5d6827c cocoapods: Use a more speaking name for externalSources
• af02a8c conan: Extract the variable hashValue
• 3181191 conan: Inline a function
• 86d6ff7 conan: Port parsing package info from Jackson to KxS
• 802dfa8 conan: Port the remaining Jackson based code to KxS
• a942c7e conan: Remove a code redundancy
• 5dbe633 conan: Slightly simplify the code for obtaining the URL
• 5c6322a conan: Turn parseSourceArtifact() into an expression
• bbdbf10 conan: Use a data class for parsing the package infos
• d0ed6ca cyclonedx: Avoid exceptions to be swallowed
• 5503c68 cyclonedx: Continue with remaining formats even if one failed
• 229a76e cyclonedx: Extract generating the BOM string to a function

Tests ✅

• 2d9e67f SpdxDocumentFile: Add test for missing issues for external refs
• 9117279 SpdxDocumentFile: Use correct checksumValue for external document
• fe46f21 osv: Update expected results
• e4aa9e9 pub: Update expected results
• b590ad2 2f133e8 pub: Update expected results
• 1756495 python: Update expected results

26.0.0

What's Changed

Breaking Changes 🛠

• 43123ce refactor(ctrlx)!: Make all model classes internal

Bug Fixes 🐞

• 3f8f078 github: Do not use variables as part of attestation subject paths
• e8e80c2 github: Use correct syntax for environment variable expansion
• 72d9291 nuget: Parse namespaces for names that include versions correctly

New Features 🎉

• 799acd1 helper-cli: Allow listing only non-excluded packages

Build 🐘 & CI ⚙️

• dd4c197 ctrlx: Fix some project dependency issues

Dependency Updates 🚀

• bab1858 update dependency com.networknt:json-schema-validator to v1.5.0
• 51e5eb4 update jackson to v2.17.2
• 36f8c3b update mavenresolver to v1.9.21

Refactorings 🚜

• 6ad7675 spdx-utils: Move operator-relared code to a separate file

Tests ✅

• 3a37300 nuget: Use more fine-granular grouping of tests