Merge branch 'main' into heliocastro/funtest_race_condition

.github/workflows/static-analysis.yml

@@ -19,7 +19,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v5
+      - uses: wagoid/commitlint-github-action@v6
         with:
           configFile: .commitlintrc.yml
   code-base-checks:
@@ -85,7 +85,7 @@ jobs:
       with:
         fetch-depth: 0
     - name: Qodana Scan
-      uses: JetBrains/[email protected].1
+      uses: JetBrains/[email protected].2
       with:
         post-pr-comment: false
         use-caches: false

.versions

@@ -27,7 +27,7 @@ PYTHON_VERSION=3.11.8
 RUBY_VERSION=3.1.2
 RUST_VERSION=1.72.0
 SBT_VERSION=1.9.7
-SCANCODE_VERSION=32.0.8
+SCANCODE_VERSION=32.1.0
 SWIFT_VERSION=5.9.2
 UBUNTU_VERSION=jammy
 YARN_VERSION=1.22.19

Dockerfile

@@ -151,7 +151,7 @@ ARG PYTHON_INSPECTOR_VERSION=0.10.0
 ARG PYTHON_PIPENV_VERSION=2023.10.24
 ARG PYTHON_POETRY_VERSION=1.7.0
 ARG PIPTOOL_VERSION=23.3.1
-ARG SCANCODE_VERSION=32.0.8
+ARG SCANCODE_VERSION=32.1.0
 
 RUN pip install --no-cache-dir -U \
     pip=="$PIPTOOL_VERSION" \

Dockerfile-legacy

@@ -39,7 +39,7 @@ ARG NUGET_INSPECTOR_VERSION=0.9.12
 ARG PYTHON_INSPECTOR_VERSION="0.10.0"
 
 # Set this to the ScanCode version to use.
-ARG SCANCODE_VERSION="32.0.8"
+ARG SCANCODE_VERSION="32.1.0"
 
 FROM eclipse-temurin:$JAVA_VERSION-jdk-jammy AS build
 

build.gradle.kts

@@ -152,7 +152,7 @@ val checkLicenseHeaders by tasks.registering {
             val headerLines = LicenseUtils.extractHeader(file)
 
             val holders = CopyrightUtils.extractHolders(headerLines)
-            if (holders.singleOrNull() != CopyrightUtils.expectedHolder) {
+            if (holders.singleOrNull() != CopyrightUtils.EXPECTED_HOLDER) {
                 hasErrors = true
                 logger.error("Unexpected copyright holder(s) in file '$file': $holders")
             }

buildSrc/src/main/kotlin/LicenseUtils.kt

@@ -71,10 +71,10 @@ object CopyrightableFiles {
 }
 
 object CopyrightUtils {
-    const val expectedHolder =
+    const val EXPECTED_HOLDER =
         "The ORT Project Authors (see <https://github.com/oss-review-toolkit/ort/blob/main/NOTICE>)"
 
-    private const val maxCopyrightLines = 50
+    private const val MAX_COPYRIGHT_LINES = 50
     private val copyrightPrefixRegex = Regex("Copyright .*\\d{2,}(-\\d{2,})? ", RegexOption.IGNORE_CASE)
 
     fun extract(file: File): List<String> {
@@ -84,7 +84,7 @@ object CopyrightUtils {
 
         file.useLines { lines ->
             lines.forEach { line ->
-                if (++lineCounter > maxCopyrightLines) return@forEach
+                if (++lineCounter > MAX_COPYRIGHT_LINES) return@forEach
                 val copyright = line.replaceBefore(" Copyright ", "", "").trim()
                 if (copyright.isNotEmpty() && !copyright.endsWith("\"")) copyrights += copyright
             }
@@ -123,11 +123,11 @@ object LicenseUtils {
         SPDX-License-Identifier: Apache-2.0
     """.trimIndent()
 
-    private const val lastHeaderLine = "License-Filename: LICENSE"
+    private const val LAST_HEADER_LINE = "License-Filename: LICENSE"
 
     fun extractHeader(file: File): List<String> {
         var headerLines = file.useLines { lines ->
-            lines.takeWhile { !it.endsWith(lastHeaderLine) }.toList()
+            lines.takeWhile { !it.endsWith(LAST_HEADER_LINE) }.toList()
         }
 
         while (true) {

downloader/src/main/kotlin/VcsHost.kt

@@ -39,7 +39,7 @@ enum class VcsHost(
     /**
      * The hostname of VCS host.
      */
-    protected val hostname: String,
+    val hostname: String,
 
     /**
      * The VCS types the host supports.

downloader/src/main/kotlin/VersionControlSystem.kt

@@ -207,7 +207,7 @@ abstract class VersionControlSystem(
     /**
      * Return true if this [VersionControlSystem] is available for use.
      */
-    fun isAvailable(): Boolean = commandLineTool?.isInPath() ?: true
+    fun isAvailable(): Boolean = commandLineTool?.isInPath() != false
 
     /**
      * Test - in a way specific to this [VersionControlSystem] - whether it can be used to download from the provided

gradle/libs.versions.toml

@@ -1,25 +1,25 @@
 [versions]
-dependencyAnalysisPlugin = "1.30.0"
-detektPlugin = "1.23.5"
-dokkatooPlugin = "2.2.0"
+dependencyAnalysisPlugin = "1.31.0"
+detektPlugin = "1.23.6"
+dokkatooPlugin = "2.3.0"
 downloadPlugin = "5.6.0"
 gitSemverPlugin = "0.12.6"
 graalVmNativeImagePlugin = "0.10.1"
-graphQlPlugin = "6.6.0"
+graphQlPlugin = "6.7.0"
 ideaExtPlugin = "1.1.8"
 kotlinPlugin = "1.9.23"
 mavenPublishPlugin = "0.28.0"
 versionsPlugin = "0.51.0"
 
 asciidoctorj = "2.5.12"
 asciidoctorjPdf = "2.3.15"
-clikt = "4.2.2"
+clikt = "4.3.0"
 commonsCompress = "1.26.1"
 cvssCalculator = "1.4.2"
 cyclonedx = "8.0.3"
 diffUtils = "4.12"
 diskLruCache = "2.0.2"
-exposed = "0.48.0"
+exposed = "0.49.0"
 flexmark = "0.64.8"
 freemarker = "2.3.32"
 greenmail = "2.0.1"
@@ -48,9 +48,9 @@ mockk = "1.13.10"
 mordant = "2.4.0"
 okhttp = "4.12.0"
 postgres = "42.7.3"
-postgresEmbedded = "1.0.2"
+postgresEmbedded = "1.0.3"
 reflections = "0.10.2"
-retrofit = "2.10.0"
+retrofit = "2.11.0"
 s3 = "2.25.0"
 saxonHe = "12.4"
 scanoss = "1.1.6"
@@ -59,7 +59,7 @@ slf4j = "2.0.12"
 springCore = "5.3.33"
 svnkit = "1.10.11"
 sw360Client = "17.0.1-m2"
-wiremock = "3.4.2"
+wiremock = "3.5.2"
 xz = "1.9"
 
 [plugins]

helper-cli/src/funTest/kotlin/commands/CreateAnalyzerResultFromPackageListCommandFunTest.kt

@@ -22,21 +22,21 @@ package org.ossreviewtoolkit.helper.commands
 import com.github.ajalt.clikt.testing.test
 
 import io.kotest.core.spec.style.WordSpec
+import io.kotest.engine.spec.tempdir
 import io.kotest.matchers.shouldBe
 
 import org.ossreviewtoolkit.helper.HelperMain
 import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.ResolvedConfiguration
 import org.ossreviewtoolkit.model.readValue
 import org.ossreviewtoolkit.utils.ort.Environment
-import org.ossreviewtoolkit.utils.ort.createOrtTempDir
 import org.ossreviewtoolkit.utils.test.getAssetFile
 
 class CreateAnalyzerResultFromPackageListCommandFunTest : WordSpec({
     "The command" should {
         "generate the expected analyzer result file" {
             val inputFile = getAssetFile("package-list.yml")
-            val outputFile = createOrtTempDir().resolve("analyzer-result.yml")
+            val outputFile = tempdir().resolve("analyzer-result.yml")
             val expectedOutputFile = getAssetFile("create-analyzer-result-from-pkg-list-expected-output.yml")
 
             HelperMain().test(

helper-cli/src/main/kotlin/commands/VerifySourceArtifactCurationsCommand.kt

@@ -78,7 +78,7 @@ internal class VerifySourceArtifactCurationsCommand : CliktCommand(
                 } finally {
                     tempDir.safeDeleteRecursively(force = true)
                 }
-            } ?: true
+            } != false
         }
 
         println("\n-----")

integrations/completions/ort-completion.bash

@@ -906,6 +906,12 @@ _ort_migrate() {
           [[ ${i} -gt COMP_CWORD ]] && in_param='--nuget-ids' || in_param=''
           continue
           ;;
+        --pub-ids)
+          __skip_opt_eq
+          (( i = i + 1 ))
+          [[ ${i} -gt COMP_CWORD ]] && in_param='--pub-ids' || in_param=''
+          continue
+          ;;
         -h|--help)
           __skip_opt_eq
           in_param=''
@@ -923,7 +929,7 @@ _ort_migrate() {
   done
   local word="${COMP_WORDS[$COMP_CWORD]}"
   if [[ "${word}" =~ ^[-] ]]; then
-    COMPREPLY=($(compgen -W '--hocon-to-yaml --nuget-ids -h --help' -- "${word}"))
+    COMPREPLY=($(compgen -W '--hocon-to-yaml --nuget-ids --pub-ids -h --help' -- "${word}"))
     return
   fi
 
@@ -939,6 +945,9 @@ _ort_migrate() {
     --nuget-ids)
        COMPREPLY=($(compgen -o default -- "${word}"))
       ;;
+    --pub-ids)
+       COMPREPLY=($(compgen -o default -- "${word}"))
+      ;;
     --help)
       ;;
   esac

integrations/completions/ort-completion.fish

@@ -34,7 +34,7 @@ complete -c ort -n "__fish_seen_subcommand_from advise" -s h -l help -d 'Show th
 complete -c ort -f -n __fish_use_subcommand -a analyze -d 'Determine dependencies of a software project.'
 
 ## Options for analyze
-complete -c ort -n "__fish_seen_subcommand_from analyze" -l input-dir -s i -r -F -d 'The project directory to analyze. As a special case, if only one package manager is enabled, this may point to a definition file for that package manager to only analyze that single project.'
+complete -c ort -n "__fish_seen_subcommand_from analyze" -l input-dir -s i -r -F -d 'The project directory to analyze. May point to a definition file if only a single package manager is enabled.'
 complete -c ort -n "__fish_seen_subcommand_from analyze" -l output-dir -s o -r -F -d 'The directory to write the ORT result file with analyzer results to.'
 complete -c ort -n "__fish_seen_subcommand_from analyze" -l output-formats -s f -r -fa "JSON XML YAML" -d 'The list of output formats to be used for the ORT result file(s).'
 complete -c ort -n "__fish_seen_subcommand_from analyze" -l repository-configuration-file -r -F -d 'A file containing the repository configuration. If set, overrides any repository configuration contained in a \'.ort.yml\' file in the repository.'
@@ -119,6 +119,7 @@ complete -c ort -f -n __fish_use_subcommand -a migrate -d 'Assist with migrating
 ## Options for migrate
 complete -c ort -n "__fish_seen_subcommand_from migrate" -l hocon-to-yaml -r -F -d 'Perform a simple conversion of the given HOCON configuration file to YAML and print the result.'
 complete -c ort -n "__fish_seen_subcommand_from migrate" -l nuget-ids -r -F -d 'Convert NuGet package IDs in curations and configurations to the new format that includes a namespace.'
+complete -c ort -n "__fish_seen_subcommand_from migrate" -l pub-ids -r -F -d 'Convert Pub package IDs in curations and configurations to the new format that has no namespace.'
 complete -c ort -n "__fish_seen_subcommand_from migrate" -s h -l help -d 'Show this message and exit'
 
 

integrations/completions/ort-completion.zsh

@@ -2,7 +2,9 @@
 # Command completion for ort
 # Generated by Clikt
 
-autoload bashcompinit
+autoload -Uz compinit
+compinit
+autoload -Uz bashcompinit
 bashcompinit
 
 __skip_opt_eq() {
@@ -909,6 +911,12 @@ _ort_migrate() {
           [[ ${i} -gt COMP_CWORD ]] && in_param='--nuget-ids' || in_param=''
           continue
           ;;
+        --pub-ids)
+          __skip_opt_eq
+          (( i = i + 1 ))
+          [[ ${i} -gt COMP_CWORD ]] && in_param='--pub-ids' || in_param=''
+          continue
+          ;;
         -h|--help)
           __skip_opt_eq
           in_param=''
@@ -926,7 +934,7 @@ _ort_migrate() {
   done
   local word="${COMP_WORDS[$COMP_CWORD]}"
   if [[ "${word}" =~ ^[-] ]]; then
-    COMPREPLY=($(compgen -W '--hocon-to-yaml --nuget-ids -h --help' -- "${word}"))
+    COMPREPLY=($(compgen -W '--hocon-to-yaml --nuget-ids --pub-ids -h --help' -- "${word}"))
     return
   fi
 
@@ -942,6 +950,9 @@ _ort_migrate() {
     --nuget-ids)
        COMPREPLY=($(compgen -o default -- "${word}"))
       ;;
+    --pub-ids)
+       COMPREPLY=($(compgen -o default -- "${word}"))
+      ;;
     --help)
       ;;
   esac

integrations/schemas/package-managers-schema.json

@@ -4,6 +4,7 @@
     "title": "ORT Package Managers",
     "description": "A list of package managers supported by the OSS Review Toolkit (ORT). A full list of all supported package managers can ve found at https://github.com/oss-review-toolkit/ort/blob/main/analyzer/src/main/resources/META-INF/services/org.ossreviewtoolkit.analyzer.PackageManagerFactory.",
     "enum": [
+        "Bazel",
         "Bower",
         "Bundler",
         "Cargo",
@@ -26,6 +27,7 @@
         "SBT",
         "SpdxDocumentFile",
         "Stack",
+        "SwiftPM",
         "Unmanaged",
         "Yarn",
         "Yarn2"

model/src/main/kotlin/OrtResult.kt

@@ -559,7 +559,7 @@ data class OrtResult(
      *
      * Return `false` if there is no dependency on this [id].
      */
-    fun isPackageExcluded(id: Identifier): Boolean = packages[id]?.isExcluded ?: false
+    fun isPackageExcluded(id: Identifier): Boolean = packages[id]?.isExcluded == true
 
     /**
      * Return `true` if the [Project] with the given [id] is excluded.
@@ -570,7 +570,7 @@ data class OrtResult(
      *
      * Return `false` if no project with the given [id] is found.
      */
-    fun isProjectExcluded(id: Identifier): Boolean = projects[id]?.isExcluded ?: false
+    fun isProjectExcluded(id: Identifier): Boolean = projects[id]?.isExcluded == true
 
     /**
      * Return true if and only if the given [id] denotes a [Package] contained in this [OrtResult].

model/src/main/kotlin/PackageCuration.kt

@@ -74,7 +74,7 @@ data class PackageCuration(
                 // `Semver.satisfies(String)` requires a valid version range to work as expected, see:
                 // https://github.com/semver4j/semver4j/issues/132.
                 val range = RangesListFactory.create(id.version)
-                require(range.get().size > 0) {
+                require(range.get().isNotEmpty()) {
                     "'${id.version}' is not a valid version range."
                 }
 

model/src/main/kotlin/ScanSummary.kt

@@ -128,7 +128,7 @@ data class ScanSummary(
             licenseFindings = licenseFindings.filterTo(mutableSetOf()) { it.location.matchesPaths() },
             copyrightFindings = copyrightFindings.filterTo(mutableSetOf()) { it.location.matchesPaths() },
             snippetFindings = snippetFindings.filterTo(mutableSetOf()) { it.sourceLocation.matchesPaths() },
-            issues = issues.filter { it.affectedPath?.matchesPaths() ?: true }
+            issues = issues.filter { it.affectedPath?.matchesPaths() != false }
         )
     }
 

model/src/main/kotlin/utils/ConfigurationResolver.kt

@@ -65,9 +65,11 @@ object ConfigurationResolver {
                 curationProvider.getCurationsFor(packages)
             }
 
+            // While every provider is supposed to only return applicable curations, filter to be on the safe side and
+            // only embed applicable curations in the ORT result.
             val (applicableCurations, nonApplicableCurations) = curations.partition { curation ->
                 packages.any { pkg -> curation.isApplicable(pkg.id) }
-            }.let { it.first to it.second }
+            }
 
             if (nonApplicableCurations.isNotEmpty()) {
                 logger.warn {

model/src/main/kotlin/utils/DependencyGraphBuilder.kt

@@ -327,7 +327,7 @@ class DependencyGraphBuilder<D>(
         if (!dependencies2.keys.containsAll(dependencies1)) return false
 
         return ref.dependencies.all { refDep ->
-            dependencies2[dependencyIds[refDep.pkg]]?.let { dependencyTreeEquals(refDep, it) } ?: false
+            dependencies2[dependencyIds[refDep.pkg]]?.let { dependencyTreeEquals(refDep, it) } == true
         }
     }
 

model/src/main/kotlin/utils/DependencyGraphConverter.kt

@@ -111,7 +111,7 @@ object DependencyGraphConverter {
      * their dependencies in a scope structure.
      */
     private fun AnalyzerResult.projectsWithScopes(): Set<Project> =
-        projects.filterTo(mutableSetOf()) { it.scopeDependencies?.isNotEmpty() ?: false }
+        projects.filterTo(mutableSetOf()) { it.scopeDependencies?.isNotEmpty() == true }
 
     /**
      * Convert the dependency representation used by this [Project] to the dependency graph format, i.e. a set of

model/src/main/kotlin/utils/FindingsMatcher.kt

@@ -287,7 +287,7 @@ fun associateLicensesWithExceptions(
  * licenses. Orphan license exceptions will get associated by [SpdxConstants.NOASSERTION]. Return a new expression that
  * does not contain stand-alone license exceptions anymore.
  */
-internal fun associateLicensesWithExceptions(license: SpdxExpression): SpdxExpression {
+fun associateLicensesWithExceptions(license: SpdxExpression): SpdxExpression {
     // If this is not a compound expression, there can be no stand-alone license exceptions with belonging licenses.
     if (license !is SpdxCompoundExpression) return license
 

plugins/advisors/github/src/main/kotlin/GitHubDefects.kt

@@ -164,7 +164,7 @@ class GitHubDefects(name: String, config: GitHubDefectsConfiguration) : AdvicePr
         if (tags.size == 1) return releases.find { it.tagName == tags.first() }
 
         val revision = "/${pkg.vcsProcessed.revision}"
-        return releases.find { it.tagCommit?.commitUrl?.endsWith(revision) ?: false }
+        return releases.find { it.tagCommit?.commitUrl?.endsWith(revision) == true }
     }
 
     /**
@@ -259,7 +259,7 @@ class GitHubDefects(name: String, config: GitHubDefectsConfiguration) : AdvicePr
     private fun List<GitHubIssue>.applyLabelFilters(): List<GitHubIssue> =
         filter { issue ->
             val labels = issue.labels()
-            labelFilters.find { it.matches(labels) }?.including ?: false
+            labelFilters.find { it.matches(labels) }?.including == true
         }
 }