25.1.0

What's Changed

Bug Fixes 🐞

• 767475e Bazel: Fix local registry modules path
• a6894a2 bazel: Always disable the disk cache
• 6aaa408 bazel: Always disable the wrapper script
• c4b1d66 github: Be explicit about artifact paths to attest for
• 4d49fc2 spdx: Avoid serializing the document into a string

New Features 🎉

• 7193af3 bundler: Add fallbacks for the description field
• 9bdeaaf bundler: Add the description -> summary fallback for gemspecs
• ae8b9b9 detekt-rules: Add a rule to enforce empty lines after blocks
• 4bb80bb dos: Allow to configure scan storage settings
• d2b5779 evaluator: Update the OSADL license compliance matrix
• e4e4859 stack: Derive the VCS path from the subdir in the cabal file

Build 🐘 & CI ⚙️

• 129ec48 go: Remove the unused tomlkt dependency
• 6e836b1 renovate: Only allow digit-versions of the Jira REST client
• de9dbc9 renovate: Remove Maven resolver related package rules

Chores 🔧

• dc12ef2 bazel: Consistently refer to lockfile as single word
• 0ddc883 bazel: Drop an unnecessary code comment
• fd6b3fb bazel: Simplify obtaining the Bazel version
• 74ab0cd bundler: Align Ruby helper scripts on to_yaml
• 7e49e1b bundler: Correct a few test / variable names
• 18c7ae4 bundler: Make Ruby helper scripts executable
• 5904433 bundler: Use the portable env shebang
• 70209af cyclonedx: Simplify BOM generation code
• 78fb986 model: Remove the unused XML mapper
• 62ba50f stack: Move a function to the top level
• 32f8d45 stack: Remove a misleading comment

Dependency Updates 🚀

• 8eff1ea docker: Upgrade ScanCode to version 32.2.1
• 146ab3b update dependency com.github.ajalt.mordant:mordant to v2.7.0
• b67dda9 update dependency net.sf.saxon:saxon-he to v12.5
• 01f347e update dependency org.jruby:jruby to v9.4.8.0
• 70f8de8 update dependency org.wiremock:wiremock to v3.8.0
• d332eba update jetbrains/qodana-action action to v2024.1.7
• 2c0dc49 update jetbrains/qodana-action action to v2024.1.8

Documentation 📖

• 61866be stack: Turn a code comment into a test

Refactorings 🚜

• 8ea4205 Gradle: Remove the kotlinxSerialization bundle
• 73b579c Gradle: Rename the tomltk dependency
• f1bc44b bazel: Align on the "to" prefix for several functions
• b6b7686 bazel: Avoid some toSet() calls
• 6e44eca bazel: Drop an explicit return type
• acdf397 bazel: Extract expandRepositoryUrl()
• ee1df8b bazel: Factor out parseBazelModule()
• 37f4aa5 bazel: Simplify expandRepositoryUrl() a bit
• dccd7f7 bazel: Simplify partitioning the dependencies
• 55ee953 bazel: Turn parseModuleGraph() into an expression function
• 0035d76 bazel: Use a more speaking name for node
• 9318b6d bazel: Use a shorter name for the graph data model
• 065e1ca bundler: Migrate from Jackson to KxS
• a8f6547 bundler: Refer to data from https://rubygems.org as "RubyGems"
• 1699c84 bundler: Rename the GemSpec class to GemInfo
• 51d0bec bundler: Simplify the description fallback logic
• 81af6f8 common: Remove a code redundancy
• dd09f54 cyclonedx: Remove the dependency on FileFormat
• e929d4d dos: Edit job query parameters
• eae8cbe dos: Edit scan results query parameters
• ed740e9 fossid: Make a constructor argument a non-member
• 2c3d0a8 git: Migrate from Jackson to KxS
• cb1a182 stack: Avoid copying the project package
• 5a9700f stack: Factor out getProject()
• 46a3d76 stack: Factor out toPackage()
• 34e7e95 stack: Generalize filtering out the "ghc" package
• 17ff138 stack: Inline a couple of variables
• 4a33f34 stack: Make toPackage() return a non-nullable package
• c0587e1 stack: Make use of isProject()
• f13733d stack: Migrate from Jackson to KxS
• f81750a stack: Move several function to the top level
• 1331ef7 stack: Move the model classes into a dedicated file
• b11d47c stack: Move two constants to the model
• be27bed stack: Move two functions to the class level
• 46ff1b8 stack: Re-order the constuctor arguments for VcsInfo
• f8fc96c stack: Remove code reduncancies in scope creation
• 28fe497 stack: Simplify toPackage() a bit
• 1e765df stack: Use buildMap and inline allDependencies
• 325c842 stack: Use a shorter name for the dependencies variables

Other Changes 💡

• fabe6c8 style: Add empty lines after multi-line blocks for readability

25.0.0

What's Changed

Breaking Changes 🛠

• 50c0512 refactor(Bazel)!: Rename the Bazel registry service

Bug Fixes 🐞

• 72c1a14 Bazel: Make the flags property of the lock file optional
• 5968180 Bazel: Support local registries
• 82c11ce analyzer: Re-align the version requirement for pnpm
• f77a29f dos: Correctly get error body strings

New Features 🎉

• 15defa6 clients: Add the Double Open Server (DOS) client
• 0629f3d github: Attest build provenance for releases
• ae0ca85 scanners: Add the DOS scanner wrapper plugin
• 2c8dd49 Add the package configuration provider for DOS

Build 🐘 & CI ⚙️

• 17a956c Gradle: Also check testFixtures with Detekt
• 94e2fb7 github: Create test summaries for workflow jobs

Chores 🔧

• a4ca0ee package-managers: Do not log all Gradle stderr output as warnings

Dependency Updates 🚀

• 5494c69 Gradle: Update the gradle-maven-publish-plugin to version 0.29.0
• f449b70 update dependency com.github.jmongard.git-semver-plugin to v0.12.10
• 126ea60 update dependency com.github.jmongard.git-semver-plugin to v0.12.9
• f995050 update dependency com.networknt:json-schema-validator to v1.4.2
• 35825dd update dependency com.networknt:json-schema-validator to v1.4.3
• 2d86b98 update dependency org.cyclonedx:cyclonedx-core-java to v9.0.4
• 60ab3b7 update dependency org.wiremock:wiremock to v3.7.0
• 5bcaf9b update exposed to v0.52.0
• 5886773 update kotlinxserialization to v1.7.1
• 6a26070 update ktor monorepo to v2.3.12

Documentation 📖

• 6fb9c25 chore: Reorder named arguments to match the function signature
• 9420a9f dos: Improve the wording of two log messages
• f9e7f72 dos: Link from the package configuration provider to the scanner
• ec2b3e9 fossid: Improve class docs

Refactorings 🚜

• ec73b97 fossid: Add a function to create ignore rules
• 0bcbbad fossid: Align filterLegacyRules with Kotlin standards
• f27de64 fossid: Change functions to return issues
• ea37669 fossid: Deduplicate a message
• d93fd02 fossid: Make a function argument immutable

Tests ✅

• 135615c fossid-webapp: Ensure to use unique IDs per stub mapping
• 940af6a osv: Update expected results

Other Changes 💡

• b11c32a style(dos): Unwrap a line that fits into one

24.0.0

What's Changed

Breaking Changes 🛠

• 9e6bf29 feat(model)!: Stop silently ignoring invalid declared license mappings
• a601dbe refactor(clients)!: Rename OSV classes according to ORT conventions
• 794befc refactor(clients)!: Rename a class to BazelModuleRegistryService

Bug Fixes 🐞

• 5e5296e Bundler: Enforce Ruby platform when fetching version data
• 9c7494f fossid-webapp: Generate ignore rules also for non-delta scans
• d42a87a scanner: Store only distinct results of package scanners

New Features 🎉

• c9351b3 spdx-utils: Introduce a toSpdxOrNull() utility extension function

Build 🐘 & CI ⚙️

• 631db0f Gradle: Use the new way to opt-in to build scan terms

Chores 🔧

• d477384 clearly-defined: Avoid a now redundant receiver-based let call
• 5d0a178 conan: Avoid deprecated section name

Dependency Updates 🚀

• 8d16697 update dependency com.opentable.components:otj-pg-embedded to v1.1.0
• 5618227 update dependency net.peanuuutz.tomlkt:tomlkt to v0.4.0
• 373d047 update dependency org.cyclonedx:cyclonedx-core-java to v9.0.3
• 980f5ea update dependency org.springframework:spring-core to v5.3.37
• 951bbc4 update docker/build-push-action action to v6
• 56c9c11 update maven to v3.9.8

Documentation 📖

• c021ca5 clients: Trivially improve BazelModuleRegistryClient class docs
• aa1a5a6 github: Clarify that console output is preferred over screenshots
• fc5389c spdx-utils: Duplicate mapping docs into the YML files for visibility
• bfa3112 spdx-utils: Improve function docs to use imperative mood
• fce6a94 spdx-utils: Refer to SpdxSimpleLicenseMapping in normalize()
• de7785c spdx-utils: Remove an obsolete SpdxSimpleLicenseMapping sentence

Refactorings 🚜

• 8d8480b ort-utils: Semantically separate mapping from processing licenses

Tests ✅

• 9b0a825 model: Use valid SPDX expressions in declared license mapping
• 40ca101 pub: Update expected results
• 2226fe1 Disable scanning for Kotest project config in third-party JARs

23.0.0

What's Changed

Breaking Changes 🛠

• 6f50cf5 refactor!: Move the WorkingTreeCache from the scanner to the downloader
• b2328c7 refactor(downloader)!: Make getDefaultBranchName() non-nullable

Bug Fixes 🐞

• 96fd771 conan: Fix supported version indication
• 8ebfe9a github: Do not cache-to Docker image builds from PRs

New Features 🎉

• 2e1399c scanner: Add branch name to FossID scan code

Chores 🔧

• afdd4fa docker: Update Pnpm to the latest version
• 28308a7 docker: Upgrade Conan to version 1.64.1
• dd81d17 model: Make also readValueOrNull() throw on multiple documents
• 64fccd8 model: Reject reading multiple YAML documents per file
• 503edee model: Remove the unused createMissingArchives scanner option
• 3a825fb model: Use named arguments for the tempfile() suffix

Dependency Updates 🚀

• 804892a update dependency com.github.jmongard.git-semver-plugin to v0.12.8
• 3b98c7d update dependency software.amazon.awssdk:s3 to v2.26.0
• 0da841f update jgit to v6.10.0.202406032230-r

Documentation 📖

• 6d1db78 github: Explain why there is no cache-to for the "minimal" image
• 4b093ed scanoss: Add a link to the API docs
• c1543d8 website: Clarify supported Conan version
• c7bd73e website: Remove superfluous subdirectory

Tests ✅

• 4d4714e model: Add readValueOrNull() tests for input with no content
• b2f0588 model: Clarify that "empty" means "zero size"
• 7953965 model: Verify the current readValue() behavior for empty files
• 2c14d9a node: Update Pnpm lockfiles to the latest lockfile format version
• e20d80f osv: Update expected results

22.8.0

What's Changed

Bug Fixes 🐞

• 8de3b46 node: Fix a special case when parsing the first issue line
• 1ba253a pub: Use the correct option for the Gradle version

New Features 🎉

• 811daef node: Add logic for combining single sentence issues lines
• 2d65064 node: Support lowercase NPM issue output
• 42fd409 pub: Add a package manager option for the Flutter version

Chores 🔧

• 5df6592 fossid: Reduce visibility of a reporter variable
• 117609e node: Make a function an expression
• 0b703b8 node: Prefer Kotlin's in operator over contains()

Dependency Updates 🚀

• 419cd30 docker: Downgrade Node to the latest LTS version
• ff2baef Update Kotest to version 5.9.1
• a09167d update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.17
• 882907a update kotlinxserialization to v1.7.0

Documentation 📖

• 667b4c8 pub: Improve class docs
• 42862bf reference: Add another example of a reporter option

Refactorings 🚜

• 2ffb557 Pub: Rename GRADLE_VERSION to DEFAULT_GRADLE_VERSION
• 1b5a925 node: Make NpmTest a WordSpec
• 6f8ab8d plugins: Extract CommandLineTool.displayName()
• 53a7b8f pub: Add a constant for the default Flutter version
• 7abb18f pub: Move Flutter variables into the class
• f2ced6d version-control-system: Override some display names
• 33c0f1a version-control-systems: Extract GitRepoCommand

Tests ✅

• 303dbda pub: Update expected results

22.7.0

What's Changed

New Features 🎉

• 3e9d8f4 Yarn: Add basic support for Corepack

Dependency Updates 🚀

• ee0ee5e update dependency gradle to v8.8
• e3ec11e update dependency org.freemarker:freemarker to v2.3.33
• d55242e update exposed to v0.51.0
• f560e02 update exposed to v0.51.1

Documentation 📖

• b38fb5f osv: Remove an obsolete code comment

Tests ✅

• 0efd110 conan: Update expected results
• f850f6b osv: Update expected results
• afbca2f 1a9f122 pub: Update expected results

22.6.0

What's Changed

Bug Fixes 🐞

• 99f6c97 scripts: Export variables in docker_build.sh again

New Features 🎉

• 230beec evaluated-model: Re-filter scan summary by VCS path
• c7edb85 osv: Enable querying vulnerabilities for the SwiftURL ecosystem

Chores 🔧

• 5f31ec6 common-utils: Consistently use "()" in test names for functions
• 5f034b4 docker: Do not run pip install pip ... twice
• e2f71f0 docker: Update Poetry to the latest version
• 2bfa41f docker: Update pip to the latest version
• b1d557b docker: Update pyenv to the latest version
• 042ded5 docker: Upgrate Python to the latest 3.11.x version
• 69f8c6e model: Drop some unnecessary sorting

Dependency Updates 🚀

• b6044b0 Dockerfile: Ensure to use the latest dockerfile-x syntax
• 1113161 spdx-utils: Update the SPDX license list version to 3.24.0
• d293a19 Update CycloneDX to version 9.0.2
• 22aee3e update dependency com.autonomousapps.dependency-analysis to v1.32.0
• a97d099 update dependency org.apache.commons:commons-compress to v1.26.2
• 8d77eaf update dependency us.springett:cvss-calculator to v1.4.3
• db8c595 update maven to v3.9.7

Documentation 📖

• 740b7d6 model: Use the new SCANOSS API endpoint also in reference.yml

Refactorings 🚜

• f19867c clearly-defined: Get enum serial names more efficiently
• 7b10a04 clearly-defined: Get enums for serial names directly
• 11baaeb common-utils: Prefer a symbolic name for the charset
• 4fb504e common-utils: Use forAll in tests to simplify code
• 2693bba docker: Swap two RUN statements in pythonbuild
• 4342001 evaluated-model: Factor out some mapping to a function
• f6fa2cb evaluated-model: Inline actualScanResult
• d8fb1d0 model: Do not use SortedSet for dependencies
• 0dba9c9 model: Serialize dependency graph edges in sorted order
• 64f7aae model: Turn a function parameter type into a Set
• 76f8121 model: Use a more generic name for SortedSetConverters
• 4c2db37 model: Use sets instead of lists for DependencyGraphEdge
• d22d659 utils: Slightly re-write a function
• 41b450b Remove some unnecessary uses of sorted sets

Tests ✅

• 1765a15 analyzer: Fix-up a broken assertion
• 53752d5 common-utils: Extend the percentEncode test with decoding
• eef3dac osv: Update expected results
• 2d0d1e7 pub: Update expected results
• ae9ede0 Re-serialize test assets

22.5.0

What's Changed

Bug Fixes 🐞

• 2bfeec1 fossid-webapp: Count snippets when enforcing the snippet limit
• f55ce56 reporter: Prevent null in snippet report template
• d42863c spdx-utils: List correct choices in an exception message

New Features 🎉

• 84aa5b0 scripting: Make the logger available by default
• 869bf65 static-html: Make the descriptions of issues more compact

Build 🐘 & CI ⚙️

• 6ae4429 github: Use a non-deprecated value to configure CodeQL tools

Chores 🔧

• ae6fc78 docker: Update CocoaPods to the latest version
• 808b005 docker: Update NodeJS to the current version
• 1636ddc docker: Update Pipenv to the latest version
• b8026ba docker: Update sbt to the latest version
• c0977c5 docker: Upgrade Bower to the latest version
• ba9541a spdx-utils: Slightly simplify code via isSubExpression()

Dependency Updates 🚀

• 8bc7f88 update dependency com.github.ajalt.mordant:mordant to v2.6.0
• 10d9b6e update dependency org.asciidoctor:asciidoctorj to v2.5.13
• ce2e767 update dependency org.springframework:spring-core to v5.3.36
• 8e2817f update dependency org.wiremock:wiremock to v3.6.0
• f0d81ea update kotlin monorepo to v2

Documentation 📖

• 55c2003 spdx-utils: Add a missing comma in a code comment
• 64d8b4f spdx-utils: Use "an" instead of "a" before "Spdx"
• 599dbc2 Add OpossumUI to the list of related tools
• c78e8ed Add the ORT Server to the list of related tools

Refactorings 🚜

• 8451714 script: Migrate from deprecated constructorArgs to properties

Tests ✅

• a9b800e asciidoc: Use placeholders for the asciidoctor version
• 823613c pub: Update expected results
• 64bd622 spdx-utils: Add DNF / CNF tests for validChoices()

22.4.0

What's Changed

Bug Fixes 🐞

• 4bd380b analyzer: Serialize sharedPackages ordered by their id
• b051095 model: Fix-up filtering excluded issues
• e074893 model: Serialize project's scope names in alphabetical order

New Features 🎉

• 9bf11d3 clients/osv: Align model with latest OSV schema version 1.6.3
• a765916 gradle: Also make distribution archives reproducible
• fc60edc gradle: Configure signing of distribution archives

Build 🐘 & CI ⚙️

• 6f4735e github: Make signing properties available to the distribution
• 37ec96b github: Sign releases and upload them along with their signatures

Chores 🔧

• 833dac3 downloader: Map directly to a set instead of converting a list
• 268a2b4 gradle: Sort a list of options alphabetically

Dependency Updates 🚀

• 723299a Update the native-gradle-plugin to version 0.10.2
• 8181666 update dependency io.mockk:mockk to v1.13.11
• c57ded4 update dependency org.springframework:spring-core to v5.3.35
• 62f008b update jetbrains/qodana-action action to v2024.1.5

Documentation 📖

• 19dfc01 README: Update CII links to OpenSSF

Tests ✅

• 066413b Align test assets with recent changes in advisor result model
• 889f474 Re-serialize a couple of test assets

22.3.0

What's Changed

Bug Fixes 🐞

• 2b19f91 asciidoc: Handle vulnerability URLs with special characters
• 1d8e089 bundler: Make parsing of dependency output more robust
• 7916730 evaluator: Do not add default rules unless they exist
• b793e22 fossid-webapp: List snippets concurrently
• 0b56a4e helper-cli: Fix broken reading of scan results by identifier
• 559aafa node: Use a fallback name for (unpublished) project-packages
• 208d958 python: Support ZIP archives for source artifacts
• 1fc611f scanner: Mention the correct source code origins in an error
• 1f689aa scanoss: Update the official REST API URL
• f2018b7 spdx: Accept "additional-terms" as part of LicenseRef exceptions
• 587b594 web-app-template: Fixup issues / violations / vulnerabilities terms

New Features 🎉

• 124b984 cli: Add some coloring to output before program exit
• 10cef09 fossid-webapp: Add a new scanner property snippetsLimit
• bee55e3 fossid-webapp: Add an issue when the snippet limit has been reached
• 9223e90 fossid-webapp: Enforce the snippets limit
• 6a53cc0 fossid-webapp: List snippets from FossID lazily
• 45bb867 static-html: Also show advisor issues in the project tables
• 71f1eb8 static-html: Re-design the project table
• 10a4ff9 static-html: Sort the concluded license expression

Build 🐘 & CI ⚙️

• c49fdf9 gradle: Use the dedicated optIn DSL for Kotlin compiler options
• 6298797 github: Fix permissions to upload SARIF results

Chores 🔧

• 106ef01 NOTICE: Update the HERE Europe B.V. contribution year
• cea1df6 fossid-webapp: Align the configuration property names
• e764ff0 fossid-webapp: Extract the function mapSnippetFindingsForFile
• c080db0 model: Do not serialize empty defects or vulnerabilities
• ca63a52 osv: Do not create empty advisor results
• a25da75 static-html: Remove the hover effect from the project tables
• 23b7b70 web-app-template: Trim a trailing space

Dependency Updates 🚀

• ee73c93 Update Kotlin to version 1.9.24
• ec0bfdc Update kotlinx-coroutines to version 1.8.1
• e1932ba update exposed to v0.50.1
• 76237c2 update jackson to v2.17.1
• 9b34a7b update jetbrains/qodana-action action to v2024.1.3
• 43131ad update jetbrains/qodana-action action to v2024.1.4
• a1ac10a update kotest to v5.9.0
• 2e5cbfc update ktor to v2.3.11

Documentation 📖

• c15c8b8 bundler: Correct a script reference
• a8787d3 spdx: Distinguish all "The name must not be blank" requirements
• 5d48b31 static-html: Drop an obsolete comment
• 8ed8e2b static-html: Fix-up the KDoc for Row.issue
• ec016a4 static-html: Re-align the KDocs for the summary tables

Refactorings 🚜

• ff2780e bundler: Inline a script variable
• ae16d01 docker: Define tool versions only once
• d4c16a5 static-html: Drop ort- prefix from class attribute names
• 2cbe474 static-html: Extract getProjectTable()
• 3332c90 static-html: Extract a variable for the effective license
• 5ec427a static-html: Factor out Row.isExcluded()
• b8b0fe3 static-html: Factor out Scope.isExcluded()
• 62295cb static-html: Improve the naming of TablesReport properties
• ccdc852 static-html: Inline a variable
• 6fee2c3 static-html: Inline a variable
• b5f42f7 static-html: Inline another variable
• 69e5491 static-html: Introduce ProjectTable.Scope
• 685bf39 static-html: Make ProjectTable.projectDependencies a List
• d28923f static-html: Make constructing allIds a one-liner
• e8360e6 static-html: Make the ProjectTable self-contained
• e984471 static-html: Move `containsUnresolved()´ out of the model
• a47efba static-html: Pass the project table to projectRow()
• ddd4497 static-html: Re-arrange the CSS file
• 3ac0573 static-html: Reduce nesting of model classes
• 106e553 static-html: Remove some unnecessary specialization
• 387303f static-html: Rename the model and mapper to TablesReport*
• c0471df static-html: Shorten a variable name
• 2a30b5c static-html: Simplify getting scanner issues
• 62b6318 static-html: Simplify the sorting of the project table rows
• 31c30dc static-html: Style the report label at the top via ID
• 3ebfaff static-html: Use a more speaking name for ort-report-labels
• e547afa static-html: Use a more speaking name for pkg
• e8a563a static-html: Use a shorter name for DependencyRow
• 22a86a1 static-html: Use a shorter name for IssueRow
• 801b3ad static-html: Use a shorter name for ReportTableModel
• edff378 static-html: Use better names for issues and violations
• 358049e static-html: Use more speaking names for two top level tables
• dbc1de6 statichtml: Make getScopesForDependencies() OrtResult-aware

Tests ✅

• 894895d bundler: Add a test for a GitHub dependency
• f804dd0 osv: Update expected results
• 1b99133 8d760c4 osv: Update expected results
• cdb317d pub: Update expected results
• c99fe7b pub: Update expected results
• 60aa728 python: Update expected results

Other Changes 💡

• ac7614a style(Gradle): Fix alphabetical sorting of paths