
Releases: oss-review-toolkit/ort

44.0.0

19 Dec 09:00

What's Changed

🛠 Breaking Changes

  • 4872713 feat(cyclonedx)!: Change default format to JSON

🐞 Bug Fixes

  • 4b1fb5d aosd: Lookup node linkage breadth-first
  • 6121e99 aosd: Only set the selectedLicense if it actually selects something
  • 62cdb88 aosd: Populate the selectedLicense unless it offers a choice
  • 3cb5f2b bazel: Correctly get the Buildozer version
  • 81f58ea npm: Collect issues when listing the packages instead of failing
  • 3c62407 reporter: Only write major / minor SPDX license list version info
  • 806363a scripts: Use the default image root when running Docker
  • a72d6b3 spdx-utils: Fix offersChoice() for equal OR-operands

🎉 New Features

  • 804a505 aosd: Sort output by componentName for easier comparison
  • a100dcb aosd: Trim trailing whitespace from license texts
  • 69a15f4 cyclonedx: Change the default schema version to 1.6
  • 8965839 spdx-utils: Make simplify() remove redundant choices

✅ Tests

  • d2ba8e4 common-utils: Test EnvironmentVariableFilter with empty deny list
  • 1dd2237 oss-index: Change some constants to use packages instead of ids
  • 8bc47a4 oss-index: Use coordinates as keys
  • 33f3470 osv: Move identifierToPackage() to test-utils
  • 58dfc82 osv: Operate on coordinates keys instead of Packages
  • 256bc5c e7f4ada pub: Update expected results
  • acf9415 spdx-utils: Add a test for simplifying OR-operands
  • 419f36e spdx-utils: Compare strings to not rely on semantic equality
  • 60b6c4c spdx-utils: Increase a test timeout a bit
  • 5d534ad spdx-utils: Simplify comparing a string representation

🐘 Build & ⚙️ CI

  • 08b79a0 gradle: Remove an unneeded artifact version filter
  • 9ccb771 renovate: Shorten the commit message for Gradle dependencies

📖 Documentation

  • 83a9a58 analyzer: Improve PackageManager class documentation
  • 7c12d92 bower: Clarify a misleading TODO regarding source artifacts
  • c208a15 spdx-utils: Add comments about the validChoices() algorithm

🔧 Chores

  • 6b68dd8 aosd: Rename a few variables to singular
  • 0753d33 common-utils: Uniformly use lists in EnvironmentVariableFilterTest
  • 7b412ef fossid: Add affected path for unmappable licenses
  • 8ecb98f model: Allow setting the affected path of an issue
  • b2e6c3d model: Return early from collectDependencies()
  • ab90bf9 npm: Group lines about missing and invalid packages
  • 8ad3a00 npm: Ignore the log file error message of NPM stderr output
  • 03d9166 opossum: Prefer add functions when building collections
  • 8c65925 scancode: Print JSON raw results non-pretty
  • fce2829 Align on constructing URIs without create()

🚀 Dependency Updates

  • 5dcde82 Upgrade the JIRA REST client to version 6.0.1
  • 6c83409 update actions/setup-java digest to 7a6d8a8
  • 12b4e3c update ch.qos.logback:logback-classic to v1.5.13
  • cba5464 update codecov/codecov-action digest to 1e68e06
  • 56179d5 update com.autonomousapps:dependency-analysis-gradle-plugin to v2.6.1
  • 6db8eae update dependency prism-react-renderer to v2.4.1
  • 72eca7e update docker/setup-buildx-action digest to 6524bf6
  • f3c9a4f update gradle/actions digest to 0bdd871
  • 44cbdcc update jetbrains/qodana-action action to v2024.3.3
  • 5771756 update log4j2 monorepo to v2.24.3
  • 7675665 update software.amazon.awssdk:s3 to v2.29.34
  • c259ffb update wagoid/commitlint-github-action digest to 0184f5a

🚜 Refactorings

  • efb0711 model: Extract effectiveLicense() code for later reuse
  • 1c5cff8 npm: Rename installIssues to allow other issue types

43.0.2

13 Dec 07:40

What's Changed

🐞 Bug Fixes

  • a9ce535 composer: Restore any modified files after analysis
  • 1d0805f cyclonedx: Avoid a StackOverflowError due to dependency cycles
  • 64f323b evaluator: Use invariant paths in ProjectSourceRule
  • 23c9bb0 Use limited parallelism to prevent thread starvation

✅ Tests

  • 958f871 node: Fix running NpmDetectionTest on Windows
  • 7e51acc node: Fix running Yarn2Test on Windows

🐘 Build & ⚙️ CI

  • 7abe559 gradle: Fix running OrtConfigurationTest on Windows
  • ac6b3ae github: Run unit tests on Windows

📖 Documentation

  • 69ace3b bower: Trivially add a comment to the model
  • dd7a5ee common-utils: Improve FileMatcher class documentation

🔧 Chores

  • 709053a common-utils: Only decide once which match() to call
  • 50aa02b common-utils: Move FileMatcher's constructor
  • fc5986b common-utils: Simplify a condition in FileMatcher
  • 32ab460 common-utils: Simplify a function in FileMatcher
  • 94ba630 evaluator: Prefer asList() to convert vararg
  • ee6016c node: Move a function out of Yarn2Test
  • 7b93abf node: Reduce indentation in Yarn2Test

🚀 Dependency Updates

  • ae6e660 update dependency org.springframework:spring-core to v6.2.1
  • d02f662 update github/codeql-action digest to df409f7

🚜 Refactorings

  • fe2776e bower: Migrate to the dependency graph API
  • 8516d2a Replace some remaining custom ProcessCapture calls

43.0.1

12 Dec 08:42

What's Changed

🐞 Bug Fixes

  • aef875e composer: Always allow to create lockfiles
  • 750141b composer: Ensure to not block for user input
  • 29a6384 helper-cli: Add a default value for Dependency.purl
  • a450c04 spdx: Use a single space after the person prefix for the supplier

✅ Tests

  • 28bd90f common-utils: Verify stashed directories to be restored on exception
  • 17df817 pub: Update expected results
  • 015d6ac python: Update expected results

🐘 Build & ⚙️ CI

  • e652a76 github: Switch to Linkspector for checking Markdown links

📖 Documentation

  • 2231dbb ADOPTERS: Update the link to the EPAM Open Source page
  • bc36c14 Adopters: Add HELLA Aglaia
  • e39d798 composer: Add a comment about what mapDefinitionFiles() does

🔧 Chores

  • 40ea8dd composer: Also run with "--no-audit" to save some time

🚀 Dependency Updates

  • 04cd958 update dependency org.cyclonedx:cyclonedx-core-java to v10
  • b91dbf2 update dependency org.metaeffekt.core:ae-security to v0.132.0
  • 41adff3 update github/codeql-action digest to babb554
  • 98c9248 update jetbrains/qodana-action action to v2024.3.2

🚜 Refactorings

  • a88a0f3 package-managers: Prefer composition for CommandLineTools
  • d88c122 version-control-systems: Reduce visibility of CommandLineTools

43.0.0 (SBOM Plugfest)

10 Dec 07:47

What's Changed

🛠 Breaking Changes

  • b12f874 refactor(commands)!: Migrate command plugins to new plugin API
  • b306a87 refactor(common-utils)!: Do not require success for a CLI's run()

🐞 Bug Fixes

  • 390fd75 cyclonedx: Filter out scores that would cause problems
  • c0c5ad6 cyclonedx: Improve mapping of vulnerability methods
  • ef538ee model: Keep the description when converting a project to a package
  • f56a744 ort-utils: Use the latest available JDK when bootstrapping
  • d70813b spdx: Write the description instead of the summary

🎉 New Features

  • 101f5e4 cyclonedx: Add the dependency graph
  • 5d2b5a6 cyclonedx: Also set BOM-level component info
  • 473ad0a cyclonedx: Also write out the vulnerability vector, if any
  • 097eb5d cyclonedx: Set basic supplier information
  • eead59c spdx: Set originator and supplier information

✅ Tests

  • da80bad cyclonedx: Rewrite expected JSON test results
  • e7da326 cyclonedx: Use a valid length for the fake UUID
  • 4946204 osv: Update expected results
  • 4f59b2a reporters: Set repository VcsInfo in test data

📖 Documentation

  • 4a1031a cyclonedx: Document remaining functions
  • 03ba516 ort-util: Improve an exception message when bootstrapping a JDK

🔧 Chores

  • 2e31827 advisor: Prefer also over let when not mapping
  • 431c75a conan: Move a potentially throwing call into runCatching
  • 30b098e cyclonedx: Set a Component's properties in a different order
  • e2c62d1 cyclonedx: Split functions across files
  • 7674ae3 cyclonedx: Stick to CycloneDX naming for BOM extensions
  • c7d7312 model: Align the YAML sequence / list style in reference.yml
  • a2c5cd6 model: Sort the when cases in getPurlType() alphabetically
  • 513a089 node: Remove unneeded open modifiers from Yarn code
  • 1b024c4 spdx: Set SpdxPackage properties exactly in order

🚀 Dependency Updates

  • cd6e57e update actions/attest-build-provenance digest to 7668571
  • bd2b523 update actions/attest-build-provenance digest to c4fbc64
  • 7a11f09 update codecov/codecov-action digest to 7f8b4b4
  • b8edd0c update dependency com.github.jmongard.git-semver-plugin to v0.13.0
  • 23eac5f update dependency org.metaeffekt.core:ae-security to v0.131.0
  • f526c1a update dependency software.amazon.awssdk:s3 to v2.29.29
  • ab9756a update exposed to v0.57.0

🚜 Refactorings

  • 21be05b cyclonedx: Rename implicit it lambda arguments
  • e6e24bd cyclonedx: Turn some functions into extensions for ease of use

42.1.0

05 Dec 08:47

What's Changed

Bug Fixes 🐞

  • 0999b1f reporter: Fix aliases for renamed reporter options

New Features 🎉

  • b5cc0ea advisor: Centrally normalize vulnerability data
  • f618030 helper-cli: Change a construction to not use EMPTY.copy()
  • b1a157d helper-cli: Extend the PackageList by a purl
  • a8cce08 scanner: Add a get function to FileListResolver
  • 3d527a4 scanner: Make FileListResolver public

Chores 🔧

  • d2ed373 advisor: Rename two variables for clarity
  • dd2bca5 helper-cli: Re-format a function into a one-liner
  • 8b56475 mailmap: Add Frank's Zeiss e-mail address
  • 254809a osv: Give a variable a more fitting name
  • 7ffce46 renovate: Remove spring-core version restriction
  • f18383e renovate: Schedule AWS S3 SDK updates once a week

Dependency Updates 🚀

  • 44a175a Update the dependency-analysis-gradle-plugin to version 2.6.0
  • 3c654de Update the foojay-resolver-convention plugin to version 0.9.0
  • b53e598 Update the native-gradle-plugin to version v0.10.4
  • f9a90de Upgrade AWS S3 SDK to version 2.29.26
  • 2d09508 Upgrade to spring-core version 6.2.0
  • 10a3cee update actions/attest-build-provenance action to v2
  • eb22e04 update dependency com.github.ajalt.clikt:clikt to v5.0.2
  • 0bf948a update dependency com.icegreen:greenmail to v2.1.2
  • 0a847b7 update dependency org.metaeffekt.core:ae-security to v0.128.0
  • e1a308a update dependency org.metaeffekt.core:ae-security to v0.129.0
  • 684436e update dependency org.metaeffekt.core:ae-security to v0.130.0
  • b81a21b update dependency org.wiremock:wiremock to v3.10.0
  • dbca2e0 update github/codeql-action digest to aa57810
  • a9afe84 update jgit to v7.1.0.202411261347-r

Documentation 📖

  • 6ebb731 advisor: Say that the original provider is kept in merged results
  • ac270d8 scanner: Add missing docs for FileListResolver
  • 64a4e8e website: Fix a typo in an evaluator CLI example

Tests ✅

  • 6cc4614 helper-cli: Isolate a test from any existing ORT config file
  • 4c60262 helper-cli: Test that curations get added as expected
  • d231d1c osv: Convert OsvFunTest to WordSpec
  • adbc271 python: Update expected results
  • b8ce64e scanner: Add a test for serializing FileList
  • bf8464b scanner: Convert FileListResolverTest to WordSpec
  • f38b42d scanner: Inline the expected results for getting file lists

42.0.0 (DON'T PANIC 😱)

28 Nov 08:56

What's Changed

Breaking Changes 🛠

  • 597e895 chore(aosd)!: Make the KxS Json instance private
  • 4df0c5a refactor(aosd)!: Make the version 2.0 explicit
  • 8e1df98 refactor(model)!: Simplify the DependencyNavigator API

Bug Fixes 🐞

  • 1ddbc81 aosd: Always encode the schema field
  • 3d1a87d aosd: Fix the default descriptor argument for the AOSD 2.1 reporter
  • 0bd38c1 model: Change the ALPINE purl type into APK
  • e238417 model: Normalize purl name(space segments)
  • 4768cca reuse: Use the default "precedence" of "closest"

New Features 🎉

  • cd871ca aosd: Add an AOSD 2.1 reporter
  • 958918a model: Add all purl types that are used in the test suite
  • 61a9846 model: Add the property Project.description
  • eeba28e model: Extend Identifier.toPurl() with handling for Bazel
  • 517f8ed node: Set the description of Npm, Yarn and Pnpm projects
  • 8061a66 plugins-api: Generate a convenience factory function
  • 044f377 yarn2: Set the project's description

Build 🐘 & CI ⚙️

  • c56cf22 gradle: Fix issues about implicit platform dependencies
  • a093540 web-app: Make cross-project sharing of outputs more reliable
  • 28a26c3 web-app-template: Use typed tasks

Chores 🔧

  • d0a240c gradle-inspector: Lower logging of missing checksums to debug
  • eaa5499 model: Guarantee the static value of PurlType to be lowercase
  • 799e808 model: Introduce a variable to ease inspection when debugging
  • 06a7eeb model: Remove a trailing blank line from createPurl() docs
  • dfce837 model: Remove the A_NAME purl type
  • 6985c5a node: Make use of splitNamespaceAndName()
  • d31d4d1 node: Remove redundant "Npm" infixes from function names
  • 7241461 ort-utils: Remove a superfluous empty line
  • 2458ed5 osv: Fix a typo in a function name
  • 33837c0 yarn2: Remove some log output
  • 8635514 Omit a default argument for KxS Json

Dependency Updates 🚀

  • 234805d Update the dependency-analysis-gradle-plugin to version 2.5.0
  • d68c5ef update dependency com.charleskorn.kaml:kaml to v0.66.0
  • 9844c96 update dependency com.networknt:json-schema-validator to v1.5.4
  • 2d66362 update dependency io.github.java-diff-utils:java-diff-utils to v4.15
  • 13c0738 update dependency org.metaeffekt.core:ae-security to v0.127.0
  • 8f25027 update docker/build-push-action digest to 48aba3b
  • e269fd7 update docusaurus monorepo to v3.6.3
  • fc225df update hoplite to v2.9.0
  • 0ad375a update jackson monorepo to v2.18.2
  • e3f22a0 update kotlin monorepo to v2.1.0
  • 1d5676f update log4j2 monorepo to v2.24.2

Documentation 📖

  • 9103ac2 model: Add a comment about the algorithm in traverse()
  • 8658030 model: Correct DependencyHandler docs about collections vs. lists
  • bd94e19 model: Remove some less relevant information from toPurl() docs
  • 8b0b991 web-app-template: Update a link to the most recent Kotlin version
  • e1d9178 yarn2: Remove two code comments which do not provide much info

Refactorings 🚜

  • d09a639 Yarn2: Factor out PackageHeader.moduleId
  • 18ddeed clearly-defined: Make it explicit that fromString() throws
  • fcc3159 model: Make getPurlType() actually return the PurlType
  • 21f1def node: Make name and version in npm.ModuleInfo nullable
  • 99e611b opossum: Migrate the reporter to KxS
  • 4c9569b yarn2: Factor out PackageHeader.isProject
  • cb62ba0 yarn2: Factor out getPackageInfos()
  • c781403 yarn2: Factor out installDependencies()
  • 76c7958 yarn2: Make queryPackageDetails() only take identifiers

Tests ✅

  • 0ff17e7 aosd: Validate reports against the schema
  • 1232796 node: Use the path replace pattern in babel expected outputs
  • ef427cd opossum: Rewrite the funTest to compare against an expected result
  • 1f76243 plugins: Simplify creating plugin instances
  • 1838c3b pub: Update expected results

Other Changes 💡

  • c5bae26 Revert "fix(gradle): Be specific about using Adoptium / Temurin as the JDK"

41.0.0

21 Nov 08:42

What's Changed

Breaking Changes 🛠

  • b724b62 chore(reporter)!: Remove the deprecated GitLab license model reporter

Bug Fixes 🐞

  • a8e789b aosd: Always add a default part
  • fc7ca86 aosd: Exclusively support SHA256 checksums
  • bc6bdbb cli: Use the id to show enabled advisors
  • 5371ce8 cyclonedx: Sanitize copyrights for the CycloneDX XML report
  • 37dae9f pnpm: Tolerate absent name / version in projects' package.json
  • 661d629 schema: Require exactly one of the storage provider configurations
  • d286300 schema: Use correct ref key
  • a4e01c0 spdx-utils: Avoid endless recursions with the and operator

New Features 🎉

  • edad867 node: Handle scope excludes in Pnpm
  • c3145d2 scancode: Add support for output format version 4.0.0
  • 1223199 scancode: Support parsing arbitrary options
  • 78303ed yarn2: Support parsing the project's authors

Chores 🔧

  • 4601134 clearly-defined: Increase the maximum chunk size for bulk requests
  • 2bca4d1 clearly-defined: Use "raw" mode for getting harvest data
  • c0ff3b0 dos: Trivially improve logging multiple packages
  • 7feab15 scancode: Drop a work-around for an old ScanCode bug
  • 2d25785 scancode: Remove a work-around for old RC versions
  • 16daaf4 scancode: Remove tests for old ScanCode versions
  • c42600f scanner: Update a ScanCode test asset to a more recent version
  • 3bb72b8 spdx-utils: Use singleOrNull() to shorten code

Dependency Updates 🚀

  • ddfdef1 docker: Bump the ScanCode version to 32.3.0
  • 9418bd4 docker: Update CocoaPods to the latest version
  • 79aab39 scancode: Bump the minimum required version to 30.0.0
  • 36444b9 update codecov/codecov-action digest to 015f24e
  • f23fbb2 update codecov/codecov-action digest to 5c47607
  • d19c625 update codecov/codecov-action digest to 985343d
  • 5983dcb update dependency com.icegreen:greenmail to v2.1.1
  • a2f46b5 update dependency com.zaxxer:hikaricp to v6.2.0
  • 2d2690c update dependency com.zaxxer:hikaricp to v6.2.1
  • 3434aa0 update dependency commons-io:commons-io to v2.18.0
  • b5de62b update dependency gradle to v8.11.1
  • 972c0da update dependency org.metaeffekt.core:ae-security to v0.126.0
  • 7a5015a update docker/metadata-action digest to 359e915
  • 894f587 update docker/metadata-action digest to 369eb59
  • c1c584b update github/codeql-action digest to f09c1c0
  • d7a5164 update gradle/actions digest to cc4fc85
  • fa45428 update ksp to v2.0.21-1.0.28

Documentation 📖

  • 4dbbf12 aosd: Add Provider documentation based on the schema description
  • 682e1cd cli: Align enabled advisor output with other commands
  • 4d11189 plugins: Align terminology for KSP-based plugins
  • 76fd3e3 scancode: Clarify which ScanCode versions are affected by an issue
  • 8837c7a scancode: Remove a semi-outdated comment that is covered by a test

Refactorings 🚜

  • 8d81c6e scancode: Parameterize a test for easier version upgrades
  • a7d31d8 scancode: Rely on output_format_version to be present
  • 5f67c4e scanner: Extract VCSPath filtering functions
  • 09f5afe scanner: Move all result parsing to the respective scanner

Tests ✅

  • 212d1a1 aosd: Update expected results
  • d9276e0 clearly-defined: Temporarily disable flaky tests
  • 995ad41 node: Align project-with-lockfile dependencies
  • dea89b0 node: Align the metadata of the project-with-lockfile
  • b446e2a node: Re-create lockfiles of the project-with-lockfile projects
  • dfaa896 node: Remove an incorrect replacement
  • 1e58026 npm: Remove a left-over replacement
  • 24b4ac0 npm: Remove another incorrect replacement
  • 566b22f npm: Rename the package-lock project to project-with-lockfile
  • c27fa95 npm: Sort the dependencies of project-with-lockfile
  • ffda909 vulnerable-code: Correct a stub path and assertion condition
  • fbfcd0c vulnerable-code: Update expected results
  • bf0bb08 vulnerable-code: Update expected results
  • 1bee82d yarn: Align a test case name with analog tests for other managers

Other Changes 💡

  • f5bcf78 style: Remove empty lines after block starts

40.0.1

15 Nov 09:44

What's Changed

Chores 🔧

  • 45b40d8 vulnerable-code: Make the API version part of the base URL

Dependency Updates 🚀

  • 8da4a06 update codecov/codecov-action action to v5
  • 8407d2b update github/codeql-action digest to ea9e4e3

Tests ✅

  • 315123d python: Update expected results

Other Changes 💡

  • a974802 Revert "fix(vulnerable-code): Still get vulnerabilities for which a fix exists"

40.0.0

14 Nov 08:21

What's Changed

Breaking Changes 🛠

  • bd82abb refactor(asciidoc)!: Make AsciiDocTemplateReporter abstract
  • 88aa4a0 refactor(asciidoc)!: Use a plugin config class
  • 61e9dd0 refactor(cyclonedx)!: Use a plugin config class
  • 2f1032a refactor(evaluatedmodel)!: Use a plugin config class
  • 80b28c7 refactor(fossid)!: Use a plugin config class
  • 27f0dae refactor(freemarker)!: Use a plugin config class
  • 6fd7098 refactor(freemarker)!: Use dedicated arguments instead of options
  • 553f50e refactor(gitlab)!: Use a plugin config class
  • 94ebf3d refactor(maven)!: Make previously public parsing functions internal
  • 15fdd7b refactor(maven)!: Move stand-alone parsing functions
  • 03560a5 refactor(node)!: Make Npm separate from Yarn
  • fd736f3 refactor(opossum)!: Use a plugin config class
  • 5d5ea5c refactor(package-managers)!: Make explicit which project type gets managed
  • fac5bf3 refactor(reporter)!: Migrate to new plugin API
  • 4596888 refactor(reporter)!: Remove the unused config argument
  • ff6ca62 refactor(spdx)!: Use a plugin config class
  • 740436f refactor(web-app)!: Use a plugin config class

Bug Fixes 🐞

  • 4a41869 clearly-defined: Consistently use ORT's OkHttp client for requests
  • 2e70da8 conan: Correct the error handling when listing remotes
  • affb9fe plugins-api: Fix handling of default values for string list options
  • a00353f vulnerable-code: Still get vulnerabilities for which a fix exists

New Features 🎉

  • 4cda010 analyzer: Support email and homepage in parseAuthorString()
  • d6c8fad analyzer: Support multiple authors per author string
  • 41b46fc node: Parse author email and URL from string primitives
  • f236cba plugins-api: Add a way to configure plugin option aliases
  • 95ea9a5 plugins-api: Make OrtPluginOption.defaultValue optional

Build 🐘 & CI ⚙️

  • 254dbf9 Gradle: Enable parallel configuration cache access
  • bf63013 Gradle: Remove an unneeded libs definition
  • d61e927 github: Disable the build cache for CodeQL analysis

Chores 🔧

  • c13dda6 analyzer: Use permalinks in the error for duplicate projects
  • 0d455cd clearly-defined: Simplify a test asserting facets
  • 08939a3 detekt: Remove unneeded @Suppress annotations
  • 660d54d freemarker: Remove unused constants
  • d2e6ae6 maven: Avoid unsafe non-null assertions via destructions
  • 1850024 node: Remove an unneeded else case
  • ec23aec node: Rename a field to plural as it is a set
  • 15dcd7b npm: Remove an unneeded Suppress annotation
  • 0f14d8d tests: Simplify shouldNotBeNull calls
  • 92fdfa2 yarn2: Map directly to a set

Dependency Updates 🚀

  • e841910 update dependency com.charleskorn.kaml:kaml to v0.63.0
  • 2b7f063 update dependency com.charleskorn.kaml:kaml to v0.65.0
  • 978a71f update dependency gradle to v8.11
  • 2ff9f5f update docusaurus monorepo to v3.6.1
  • 29183a4 update github/codeql-action digest to 396bb3e
  • a5adf08 update github/codeql-action digest to 4f3212b
  • a07baac update github/codeql-action digest to 9278e42
  • 2bf483c update gradle/actions digest to 473878a
  • 04772cd update ksp to v2.0.21-1.0.27

Documentation 📖

  • 283689b asciidoc: Slightly improve docs of PdfTemplateReporter
  • aee88f2 clearly-defined: Add (links to) rate limit documentation
  • 41622d0 model: Trivially improve wording of a TODO statement
  • 6fa4cb2 node: Remove a comment which does not provide much info
  • 5a063c4 node: Remove a couple of comments

Refactorings 🚜

  • 2487cfc AnalyzerResultBuilder: Introduce an addProject() function
  • e13d2d6 conan: Split the function to configure remote authentication
  • d192310 maven: Make a workspace reader's delegate property private
  • 2034b29 maven: Move Maven support classes to separate files
  • e5d0526 maven: Move non-public static functions to the top level
  • dcc97a0 model: Introduce a function to add dependencies to the graph
  • 617ccd9 node: Extract extractNpmIssues()
  • 9a2cbc4 node: Extract code to wrap a primitive into an object
  • 982580f node: Inline a function again
  • 716420b node: Move NpmModuleInfo into a separate file
  • 151858e node: Reduce the number of map conversions
  • b86e0ae spdx: Inline the MANAGER_NAME constant
  • b80ec20 swiftpm: Inline the PROJECT_TYPE constant

Tests ✅

  • 156b371 node: Add missing toYaml() calls for textual result comparison
  • 0d06faa node: Parse a Yarn instead of a Npm instance
  • d562e97 package-managers: Remove all Windows-specific expected results
  • 893f7f0 python: Update expected results
  • 8d70428 stack: Update the .cabal file

Other Changes 💡

  • 959b3af style(maven): Slightly reformat code to match similar code

39.0.0

07 Nov 08:36

What's Changed

Breaking Changes 🛠

  • 31592d4 refactor(node)!: Also move Npm into its own dedicated directory
  • 743fd64 refactor(node)!: Invert the inheritance between Yarn and Npm
  • 96ded74 refactor(node)!: Limit visibility of NpmDetection code to internal
  • 5e1d04e refactor(node)!: Move Yarn into its own dedicated directory
  • 5f8ee66 refactor(node)!: Move all files from utils one level up
  • 9d63529 refactor(yarn)!: Make loadWorkspaceSubmodules() private

Bug Fixes 🐞

  • 06059dd cli: Guard against foreign classpath items with a pathing JAR
  • 4a7d58a freemarker: Apply license choices for NOTICE_DEFAULT
  • 78fa878 jenkins: Do not use deprecated config key names
  • 9c22891 node: Deserialize repository: {} in package.json to null
  • bfcfe62 spdx-report: Apply license choices

New Features 🎉

  • 0b2b2af osv: Support parsing CVSS v4 vectors
  • 70c5179 spdx-reporter: Report detected root licenses for packages
  • f1da1cf spdx-utils: Add a function to simplify SPDX expressions
  • 31b9be8 spdx-utils: Simplify and / or operators for equal operands

Chores 🔧

  • 1de3e08 freemarker: Trivially improve formatting of a comment
  • ec77849 npm: Add a missing import
  • 390a055 spdx-reporter: Simplify licenseDeclared expressions
  • fb6e648 vulnerable-code: Sort tests alphabetically

Dependency Updates 🚀

  • f8a0c39 Update the dependency-analysis-gradle-plugin to version 2.4.2
  • 95cec36 update actions/attest-build-provenance digest to ef24412
  • 151437d update dependency com.charleskorn.kaml:kaml to v0.62.2
  • 0690c94 update dependency com.networknt:json-schema-validator to v1.5.3
  • 757d38d update dependency com.zaxxer:hikaricp to v6.1.0
  • ea8470f update dependency io.github.pdvrieze.xmlutil:serialization to v0.90.3
  • fe80e46 update dependency org.jruby:jruby to v9.4.9.0
  • f2f45c0 update mordant to v3.0.1

Documentation 📖

  • 1f45fda integrations: Add note on running Jenkins as a docker container
  • b43a41a integrations: Add required plugin for Jenkins >=2.462.3 to list

Refactorings 🚜

  • c702648 dos: Add error message from DOS in issue
  • 241da93 dos: Log id for scan job
  • 8478040 node: Move the logger variable to the top
  • f566a2d node: Move two model mapping functions to NpmSupport
  • ccdcad4 node: Remove a dependency on Npm
  • 7f61de7 spdx: Move nullOrBlankToSpdxNoassertionOrNone()
  • d44917c spdx-reporter: Extract a variable for later reuse
  • 94a8708 spdx-utils: Split the large SpdxExpressionTest

Tests ✅

  • 5cf22e6 node: Re-align test class name and location
  • f100ed0 753d72d 482a499 python: Update expected results
  • 254ae3b spdx-reporter: Add a test for a Go project
  • 52d1ce0 vulnerable-code: Add a test for an NPM package

Other Changes 💡

  • 8e196ab Revert "refactor(script): Migrate from deprecated constructorArgs to properties"