Releases: oss-review-toolkit/ort

46.0.0

16 Jan 08:54

What's Changed

🛠 Breaking Changes

  • 4363881 chore(common-utils)!: Remove zipWithCollection() for collections
  • e37bf19 chore(common-utils)!: Remove zipWithDefault()
  • 716e3b8 feat(fossid)!: Remove support for custom naming variables
  • 87b4c04 refactor(commands)!: Migrate VCS plugins to new plugin API
  • 5e0f716 refactor(common-utils)!: Rename zipWithCollection() for sets
  • 3f2bf92 refactor(common-utils)!: Simplify the semantics of zip() for maps
  • 3ea4ec5 refactor(fossid)!: Define URL mappings in a single option
  • 43c6e36 refactor(fossid)!: Rename projectName to repositoryName
  • e98c703 refactor(fossid)!: Replace namingProjectPattern with projectName
  • fa6e2be refactor(vcs)!: Directly store the VCS type as a VcsType

🐞 Bug Fixes

  • f57751d VersionControlSystem: Also take configs for forDirectory()
  • 0030739 cargo: Add lockfile version 4 to allow-list
  • 3498798 common-utils: Make zip work as expected for sorted maps
  • f827885 model: Make withPackageManagerOption() case-insensitive
  • fdc2be7 python: Use the correct projectType for Pipenv and Poetry
  • 7900f0f Correctly mark VersionControlSystem plugins as not configurable yet
  • 482ffc8 Remove VersionControlSystemConfiguration

🎉 New Features

  • 7c84264 PluginManager: Allow to create plugins with default configuration
  • bb301a1 cargo: Handle virtual workspaces
  • a5abd0a fossid: Add projectName as a built-in variable
  • 6243b60 model: Allow duplicate PackageManagerConfigurations and merge them
  • e50fcce vcs: Add Git-specific configuration options for submodule handling

📖 Documentation

  • 373f997 OrtPlugin: Be more specific about the plugin ID derivation logic
  • 9d1a14d README: Update the installation from binaries section
  • a7238a1 VersionControlSystemFactory: Rewrap comments for compactness
  • b85af8b black-duck: Add a missing "the"
  • 84e29b1 fossid: Fix issues in FossIdNamingProvider docs
  • 7d79190 fossid: Improve docs of normalizeBranchName
  • f032c13 fossid: Improve docs of the built-in branch naming variable
  • bb610d0 npm: Document the ModuleInfo class
  • e8c0b8b sbt: Move a comment before the correct line
  • 35b668c website: Fix color for links in banner
  • 749d6ff website: Use <Link> instead of <a>
  • 1d9f415 Add a missing whitespace to all "BlackDuck" occurrences
  • c40a759 Extend the Copyright year to 2025 in Markdown files

🔧 Chores

  • e9daee1 AnalyzerConfigurationTest: Improve test names
  • 355b657 AnalyzerConfigurationTest: Start with the simpler test
  • d3901da BlackDuck: Remove the default value of the plugin id
  • e86c8be BlackDuck: The display name should spell "Black Duck" with space
  • a032f27 EvaluatedModelReporter: Remove unused properties
  • ccd0dac Git: Import JGit's Git as JGit for clarity
  • d2e2732 NpmDependencyHandler: Make a non-null assumption explicit
  • 5238f3e PnpmDependencyHandler: Make use of Dependency.workingDir
  • ce80152 YarnDependencyHandler: Rename a variable for clarity
  • 1b316ee fossid: Improve error message for too long scan code
  • c9de4c6 gradle-inspector: Rename the handler's constructor parameter
  • 6cb7dd8 model: Rename other merge parameters
  • 842d3c9 node: Introduce a typealias for getting package details
  • 402d2ee node: Make use of the definition file constant
  • 9ea70d9 node: Remove the workingDir parameter for getting package info
  • 95a192f node: Rename the typealias to get package details
  • ab91b6a package-curation-providers: Align the display names
  • 9aca6b0 version-control-systems: Omit null default arguments
  • eb7b571 Do not silently map unparsable booleans to false
  • 22a13c8 Do not silently map unparsable booleans to true
  • 1858cb7 Prefer the char-version of split() for single chars
  • 85defa3 Prefer the infix version of shouldBeInstanceOf where possible
  • ec69780 Remove unneeded default java.lang imports

🚀 Dependency Updates

  • a7078fe docker: Upgrade Rust to the latest version 1.84
  • 5033ab1 update com.autonomousapps:dependency-analysis-gradle-plugin to v2.7.0
  • 768060d update com.github.jmongard.git-semver-plugin to v0.14.0
  • f7ecd6e update com.networknt:json-schema-validator to v1.5.5
  • 5cd9a00 update docker/build-push-action digest to 67a2d40
  • 75cf08a update docker/build-push-action digest to b32b51a
  • e20304b update exposed to v0.58.0
  • ab0161e update github/codeql-action digest to b6a472f
  • 1b63f86 update org.jetbrains.kotlinx:kotlinx-html-jvm to v0.12.0
  • f373751 update org.metaeffekt.core:ae-security to v0.134.0
  • 2eaaaa1 update org.postgresql:postgresql to v42.7.5
  • 10583c3 update wagoid/commitlint-github-action digest to b948419

🚜 Refactorings

  • 5d8fb72 AnalyzerConfigurationTest: Inline expected result variables
  • a967f9d NpmDependencyHandler: Inline the only use of readPackageJson
  • 5c67bcd fossid: Add namingScanPattern to FossIdConfig
  • 35095c4 fossid: Extract a regular expression to a constant
  • 1a9be88 fossid: Extract logic to build default naming pattern
  • c21cb64 fossid: Inline scan code generation functions
  • 29ef411 fossid: Make convertGitUrlToProjectName internal
  • a1b8c3a fossid: Remove #branch inside of normalizeBranchName
  • 2931b4c fossid: Rename a function for clarity
  • 9859afc gradle: Make handlers take the projectType explicitly
  • 226d277 node: Only pass required information to dependency handlers
  • 61a3a06 scancode: Always add all built-in variables
  • fcced14 vcs: Decouple the base class from CommandLineTool
  • debbc8d vcs: Make VCS plugins configurable

💡 Other Changes

  • 0f6dad4 style(version-control-systems): Define factory classes at the top

45.0.0

08 Jan 21:40

What's Changed

🛠 Breaking Changes

  • f9c7220 refactor(model)!: Simplify the CuratedPackage and its creation

🐞 Bug Fixes

  • 59702b2 evaluator: Add remaining configuration files to console output
  • c57a94c model: Apply author to copyright mapping also for concluded licenses
  • 958c08c scancode: Ensure to find license texts in the Docker image
  • d03afe6 website: Move a link out of the tagline variable

🎉 New Features

  • ef95789 ReporterCommand: Use console colors for the result summary
  • 8c2d67a advisor: Add BlackDuck as security vulnerability provider
  • f0dd53a cocoapods: Add custom error message
  • 98ee1ee cocoapods: Add support for Podspecs from external sources
  • de04788 cocoapods: Support tag and branch names in checkout options
  • d3ee492 helper-cli: Extend the PackageList by labels
  • 79f7805 model: Add the property Package.labels
  • 9465fba model: Allow setting package labels via curations

🐘 Build & ⚙️ CI

  • c7d899a notifier: Make the Jakarta REST API dependency a constraint

📖 Documentation

  • ca43fab cocoapods: Document all Lockfile-related properties
  • 31c718a examples: Add a curation which sets a package label
  • ab0256c model: Illustrate how to configure the BlackDuck advisor
  • 1ca8d2a model: Trivially end comment sentences with dots
  • e1a32cc website: Add a curation which sets a package label
  • e7b8a3a website: Add a section for the new BlackDuck advisor
  • 85fc02f website: Further fix-up the configuration entries
  • 547c295 website: Link to the server and make clear these are CLI tools
  • 1d6fcf5 website: Re-align the advisor configuration examples
  • 11fbb12 website: Sort the advisor sections alphabetically
  • c07420d Clarify that repo config is specific to a "distribution"

🔧 Chores

  • 666120a GradleDependencyHandler: Use a more specific variable name
  • 79ef703 SpdxResolvedDocument: Use a more specific variable name
  • ba1d093 bundler: Use StringFormat's decodeFromString
  • 6c7b108 cargo: Be explicit about the definition file to query metadata for
  • 37ec0b1 cargo: Give a variable a more fitting name
  • b74e81c cocoapods: Remove the workingDir parameter from getPodspec()
  • 2663df0 cocoapods: Reorder Lockfile properties to match file order
  • dbc5d4f cocoapods: Simplify error handling in getPodspec()
  • 5aef26b gradle: Drop a trailing slash for consistency
  • 35dde45 model: Rename package curation apply variables for clarity
  • d5ccb50 model: Serialize OrtResult.labels in alphabetical order

🚀 Dependency Updates

  • 8ebd8c0 docker: Upgrade Node.js to the latest LTS version 22.13.0
  • 1ffe4df docker: Upgrade Yarn 1 to the latest version 1.22.22
  • 4227d86 docker: Upgrade to the latest ScanCode patch version 32.3.1
  • 8527570 web-app-template: Sync the Node / Yarn versions with Docker
  • f0b825b update ch.qos.logback:logback-classic to v1.5.14
  • 96139ed update ch.qos.logback:logback-classic to v1.5.15
  • 2ad4db4 update ch.qos.logback:logback-classic to v1.5.16
  • 8b3ff75 update com.charleskorn.kaml:kaml to v0.67.0
  • af19524 update dependency gradle to v8.12
  • fa99144 update docusaurus monorepo to v3.7.0
  • 3523d00 update github/codeql-action digest to 48ab28a
  • c3e6c58 update io.mockk:mockk to v1.13.14
  • 9370d95 update jetbrains/qodana-action action to v2024.3.4
  • f70acdc update ks3 to v1
  • 227ca61 update org.cyclonedx:cyclonedx-core-java to v10.1.0
  • 7c8d867 update org.freemarker:freemarker to v2.3.34
  • f9c4d3e update org.jetbrains.kotlinx:kotlinx-coroutines-core to v1.10.0
  • 4cf87b5 update org.jetbrains.kotlinx:kotlinx-coroutines-core to v1.10.1
  • 77b0526 update org.jetbrains.kotlinx:kotlinx-serialization-core to v1.8.0
  • 1558a59 update org.metaeffekt.core:ae-security to v0.133.0
  • fedb94b update org.semver4j:semver4j to v5.5.0
  • 2df03a1 update software.amazon.awssdk:s3 to v2.29.39
  • d665978 update software.amazon.awssdk:s3 to v2.29.43
  • 9b481ba update software.amazon.awssdk:s3 to v2.29.45

🚜 Refactorings

  • 4a31d54 MavenDependencyHandler: Make support internal
  • dab7a88 cocoapods: Correct the type of a Pod's direct dependencies
  • 31153a7 cocoapods: Migrate to the dependency graph API
  • 8174eb6 cocoapods: Simplify caching of Podspecs
  • 40c9d15 maven: Inline an identifier() extension function
  • 7d65f74 maven: Split the handler's managerName property into two
  • cbeabfc maven: Use regular AnalyzerConfiguration to set sbtMode
  • 4cae987 model: Turn `getDeclaredLicenseMapping()` into an extension
  • 14b2d68 reporter: Extract function for resolving copyrights

44.0.0

19 Dec 09:00

What's Changed

🛠 Breaking Changes

  • 4872713 feat(cyclonedx)!: Change default format to JSON

🐞 Bug Fixes

  • 4b1fb5d aosd: Lookup node linkage breadth-first
  • 6121e99 aosd: Only set the selectedLicense if it actually selects something
  • 62cdb88 aosd: Populate the selectedLicense unless it offers a choice
  • 3cb5f2b bazel: Correctly get the Buildozer version
  • 81f58ea npm: Collect issues when listing the packages instead of failing
  • 3c62407 reporter: Only write major / minor SPDX license list version info
  • 806363a scripts: Use the default image root when running Docker
  • a72d6b3 spdx-utils: Fix offersChoice() for equal OR-operands

🎉 New Features

  • 804a505 aosd: Sort output by componentName for easier comparison
  • a100dcb aosd: Trim trailing whitespace from license texts
  • 69a15f4 cyclonedx: Change the default schema version to 1.6
  • 8965839 spdx-utils: Make simplify() remove redundant choices

✅ Tests

  • d2ba8e4 common-utils: Test EnvironmentVariableFilter with empty deny list
  • 1dd2237 oss-index: Change some constants to use packages instead of ids
  • 8bc47a4 oss-index: Use coordinates as keys
  • 33f3470 osv: Move identifierToPackage() to test-utils
  • 58dfc82 osv: Operate on coordinates keys instead of Packages
  • 256bc5c e7f4ada pub: Update expected results
  • acf9415 spdx-utils: Add a test for simplifying OR-operands
  • 419f36e spdx-utils: Compare strings to not rely on semantic equality
  • 60b6c4c spdx-utils: Increase a test timeout a bit
  • 5d534ad spdx-utils: Simplify comparing a string representation

🐘 Build & ⚙️ CI

  • 08b79a0 gradle: Remove an unneeded artifact version filter
  • 9ccb771 renovate: Shorten the commit message for Gradle dependencies

📖 Documentation

  • 83a9a58 analyzer: Improve PackageManager class documentation
  • 7c12d92 bower: Clarify a misleading TODO regarding source artifacts
  • c208a15 spdx-utils: Add comments about the validChoices() algorithm

🔧 Chores

  • 6b68dd8 aosd: Rename a few variables to singular
  • 0753d33 common-utils: Uniformly use lists in EnvironmentVariableFilterTest
  • 7b412ef fossid: Add affected path for unmappable licenses
  • 8ecb98f model: Allow setting the affected path of an issue
  • b2e6c3d model: Return early from collectDependencies()
  • ab90bf9 npm: Group lines about missing and invalid packages
  • 8ad3a00 npm: Ignore the log file error message of NPM stderr output
  • 03d9166 opossum: Prefer add functions when building collections
  • 8c65925 scancode: Print JSON raw results non-pretty
  • fce2829 Align on constructing URIs without create()

🚀 Dependency Updates

  • 5dcde82 Upgrade the JIRA REST client to version 6.0.1
  • 6c83409 update actions/setup-java digest to 7a6d8a8
  • 12b4e3c update ch.qos.logback:logback-classic to v1.5.13
  • cba5464 update codecov/codecov-action digest to 1e68e06
  • 56179d5 update com.autonomousapps:dependency-analysis-gradle-plugin to v2.6.1
  • 6db8eae update dependency prism-react-renderer to v2.4.1
  • 72eca7e update docker/setup-buildx-action digest to 6524bf6
  • f3c9a4f update gradle/actions digest to 0bdd871
  • 44cbdcc update jetbrains/qodana-action action to v2024.3.3
  • 5771756 update log4j2 monorepo to v2.24.3
  • 7675665 update software.amazon.awssdk:s3 to v2.29.34
  • c259ffb update wagoid/commitlint-github-action digest to 0184f5a

🚜 Refactorings

  • efb0711 model: Extract effectiveLicense() code for later reuse
  • 1c5cff8 npm: Rename installIssues to allow other issue types

43.0.2

13 Dec 07:40

What's Changed

🐞 Bug Fixes

  • a9ce535 composer: Restore any modified files after analysis
  • 1d0805f cyclonedx: Avoid a StackOverflowError due to dependency cycles
  • 64f323b evaluator: Use invariant paths in ProjectSourceRule
  • 23c9bb0 Use limited parallelism to prevent thread starvation

✅ Tests

  • 958f871 node: Fix running NpmDetectionTest on Windows
  • 7e51acc node: Fix running Yarn2Test on Windows

🐘 Build & ⚙️ CI

  • 7abe559 gradle: Fix running OrtConfigurationTest on Windows
  • ac6b3ae github: Run unit tests on Windows

📖 Documentation

  • 69ace3b bower: Trivially add a comment to the model
  • dd7a5ee common-utils: Improve FileMatcher class documentation

🔧 Chores

  • 709053a common-utils: Only decide once which match() to call
  • 50aa02b common-utils: Move FileMatcher's constructor
  • fc5986b common-utils: Simplify a condition in FileMatcher
  • 32ab460 common-utils: Simplify a function in FileMatcher
  • 94ba630 evaluator: Prefer asList() to convert vararg
  • ee6016c node: Move a function out of Yarn2Test
  • 7b93abf node: Reduce indentation in Yarn2Test

🚀 Dependency Updates

  • ae6e660 update dependency org.springframework:spring-core to v6.2.1
  • d02f662 update github/codeql-action digest to df409f7

🚜 Refactorings

  • fe2776e bower: Migrate to the dependency graph API
  • 8516d2a Replace some remaining custom ProcessCapture calls

43.0.1

12 Dec 08:42

What's Changed

🐞 Bug Fixes

  • aef875e composer: Always allow to create lockfiles
  • 750141b composer: Ensure to not block for user input
  • 29a6384 helper-cli: Add a default value for Dependency.purl
  • a450c04 spdx: Use a single space after the person prefix for the supplier

✅ Tests

  • 28bd90f common-utils: Verify stashed directories to be restored on exception
  • 17df817 pub: Update expected results
  • 015d6ac python: Update expected results

🐘 Build & ⚙️ CI

  • e652a76 github: Switch to Linkspector for checking Markdown links

📖 Documentation

  • 2231dbb ADOPTERS: Update the link to the EPAM Open Source page
  • bc36c14 Adopters: Add HELLA Aglaia
  • e39d798 composer: Add a comment about what mapDefinitionFiles() does

🔧 Chores

  • 40ea8dd composer: Also run with "--no-audit" to save some time

🚀 Dependency Updates

  • 04cd958 update dependency org.cyclonedx:cyclonedx-core-java to v10
  • b91dbf2 update dependency org.metaeffekt.core:ae-security to v0.132.0
  • 41adff3 update github/codeql-action digest to babb554
  • 98c9248 update jetbrains/qodana-action action to v2024.3.2

🚜 Refactorings

  • a88a0f3 package-managers: Prefer composition for CommandLineTools
  • d88c122 version-control-systems: Reduce visibility of CommandLineTools

43.0.0 (SBOM Plugfest)

10 Dec 07:47

What's Changed

🛠 Breaking Changes

  • b12f874 refactor(commands)!: Migrate command plugins to new plugin API
  • b306a87 refactor(common-utils)!: Do not require success for a CLI's run()

🐞 Bug Fixes

  • 390fd75 cyclonedx: Filter out scores that would cause problems
  • c0c5ad6 cyclonedx: Improve mapping of vulnerability methods
  • ef538ee model: Keep the description when converting a project to a package
  • f56a744 ort-utils: Use the latest available JDK when bootstrapping
  • d70813b spdx: Write the description instead of the summary

🎉 New Features

  • 101f5e4 cyclonedx: Add the dependency graph
  • 5d2b5a6 cyclonedx: Also set BOM-level component info
  • 473ad0a cyclonedx: Also write out the vulnerability vector, if any
  • 097eb5d cyclonedx: Set basic supplier information
  • eead59c spdx: Set originator and supplier information

✅ Tests

  • da80bad cyclonedx: Rewrite expected JSON test results
  • e7da326 cyclonedx: Use a valid length for the fake UUID
  • 4946204 osv: Update expected results
  • 4f59b2a reporters: Set repository VcsInfo in test data

📖 Documentation

  • 4a1031a cyclonedx: Document remaining functions
  • 03ba516 ort-util: Improve an exception message when bootstrapping a JDK

🔧 Chores

  • 2e31827 advisor: Prefer also over let when not mapping
  • 431c75a conan: Move a potentially throwing call into runCatching
  • 30b098e cyclonedx: Set a Component's properties in a different order
  • e2c62d1 cyclonedx: Split functions across files
  • 7674ae3 cyclonedx: Stick to CycloneDX naming for BOM extensions
  • c7d7312 model: Align the YAML sequence / list style in reference.yml
  • a2c5cd6 model: Sort the when cases in getPurlType() alphabetically
  • 513a089 node: Remove unneeded open modifiers from Yarn code
  • 1b024c4 spdx: Set SpdxPackage properties exactly in order

🚀 Dependency Updates

  • cd6e57e update actions/attest-build-provenance digest to 7668571
  • bd2b523 update actions/attest-build-provenance digest to c4fbc64
  • 7a11f09 update codecov/codecov-action digest to 7f8b4b4
  • b8edd0c update dependency com.github.jmongard.git-semver-plugin to v0.13.0
  • 23eac5f update dependency org.metaeffekt.core:ae-security to v0.131.0
  • f526c1a update dependency software.amazon.awssdk:s3 to v2.29.29
  • ab9756a update exposed to v0.57.0

🚜 Refactorings

  • 21be05b cyclonedx: Rename implicit it lambda arguments
  • e6e24bd cyclonedx: Turn some functions into extension for ease of use

42.1.0

05 Dec 08:47

What's Changed

Bug Fixes 🐞

  • 0999b1f reporter: Fix aliases for renamed reporter options

New Features 🎉

  • b5cc0ea advisor: Centrally normalize vulnerability data
  • f618030 helper-cli: Change a construction to not use EMPTY.copy()
  • b1a157d helper-cli: Extend the PackageList by a purl
  • a8cce08 scanner: Add a get function to FileListResolver
  • 3d527a4 scanner: Make FileListResolver public

Chores 🔧

  • d2ed373 advisor: Rename two variables for clarity
  • dd2bca5 helper-cli: Re-format a function into a one-liner
  • 8b56475 mailmap: Add Frank's Zeiss e-mail address
  • 254809a osv: Give a variable a more fitting name
  • 7ffce46 renovate: Remove spring-core version restriction
  • f18383e renovate: Schedule AWS S3 SDK updates once a week

Dependency Updates 🚀

  • 44a175a Update the dependency-analysis-gradle-plugin to version 2.6.0
  • 3c654de Update the foojay-resolver-convention plugin to version 0.9.0
  • b53e598 Update the native-gradle-plugin to version v0.10.4
  • f9a90de Upgrade AWS S3 SDK to version 2.29.26
  • 2d09508 Upgrade to spring-core version 6.2.0
  • 10a3cee update actions/attest-build-provenance action to v2
  • eb22e04 update dependency com.github.ajalt.clikt:clikt to v5.0.2
  • 0bf948a update dependency com.icegreen:greenmail to v2.1.2
  • 0a847b7 update dependency org.metaeffekt.core:ae-security to v0.128.0
  • e1a308a update dependency org.metaeffekt.core:ae-security to v0.129.0
  • 684436e update dependency org.metaeffekt.core:ae-security to v0.130.0
  • b81a21b update dependency org.wiremock:wiremock to v3.10.0
  • dbca2e0 update github/codeql-action digest to aa57810
  • a9afe84 update jgit to v7.1.0.202411261347-r

Documentation 📖

  • 6ebb731 advisor: Say that the original provider is kept in merged results
  • ac270d8 scanner: Add missing docs for FileListResolver
  • 64a4e8e website: Fix a typo in an evaluator CLI example

Tests ✅

  • 6cc4614 helper-cli: Isolate a test from any existing ORT config file
  • 4c60262 helper-cli: Test that curations get added as expected
  • d231d1c osv: Convert OsvFunTest to WordSpec
  • adbc271 python: Update expected results
  • b8ce64e scanner: Add a test for serializing FileList
  • bf8464b scanner: Convert FileListResolverTest to WordSpec
  • f38b42d scanner: Inline the expected results for getting file lists

42.0.0 (DON'T PANIC 😱)

28 Nov 08:56

What's Changed

Breaking Changes 🛠

  • 597e895 chore(aosd)!: Make the KxS Json instance private
  • 4df0c5a refactor(aosd)!: Make the version 2.0 explicit
  • 8e1df98 refactor(model)!: Simplify the DependencyNavigator API

Bug Fixes 🐞

  • 1ddbc81 aosd: Always encode the schema field
  • 3d1a87d aosd: Fix the default descriptor argument for the AOSD 2.1 reporter
  • 0bd38c1 model: Change the ALPINE purl type into APK
  • e238417 model: Normalize purl name(space segments)
  • 4768cca reuse: Use the default "precedence" of "closest"

New Features 🎉

  • cd871ca aosd: Add an AOSD 2.1 reporter
  • 958918a model: Add all purl types that are used in the test suite
  • 61a9846 model: Add the property Project.description
  • eeba28e model: Extend Identifier.toPurl() with handling for Bazel
  • 517f8ed node: Set the description of Npm, Yarn and Pnpm projects
  • 8061a66 plugins-api: Generate a convenience factory function
  • 044f377 yarn2: Set the project's description

Build 🐘 & CI ⚙️

  • c56cf22 gradle: Fix issues about implicit platform dependencies
  • a093540 web-app: Make cross-project sharing of outputs more reliable
  • 28a26c3 web-app-template: Use typed tasks

Chores 🔧

  • d0a240c gradle-inspector: Lower logging of missing checksums to debug
  • eaa5499 model: Guarantee the static value of PurlType to be lowercase
  • 799e808 model: Introduce a variable to ease inspection when debugging
  • 06a7eeb model: Remove a trailing blank line from createPurl() docs
  • dfce837 model: Remove the A_NAME purl type
  • 6985c5a node: Make use of splitNamespaceAndName()
  • d31d4d1 node: Remove redundant "Npm" infixes from function names
  • 7241461 ort-utils: Remove a superfluous empty line
  • 2458ed5 osv: Fix a typo in a function name
  • 33837c0 yarn2: Remove some log output
  • 8635514 Omit a default argument for KxS Json

Dependency Updates 🚀

  • 234805d Update the dependency-analysis-gradle-plugin to version 2.5.0
  • d68c5ef update dependency com.charleskorn.kaml:kaml to v0.66.0
  • 9844c96 update dependency com.networknt:json-schema-validator to v1.5.4
  • 2d66362 update dependency io.github.java-diff-utils:java-diff-utils to v4.15
  • 13c0738 update dependency org.metaeffekt.core:ae-security to v0.127.0
  • 8f25027 update docker/build-push-action digest to 48aba3b
  • e269fd7 update docusaurus monorepo to v3.6.3
  • fc225df update hoplite to v2.9.0
  • 0ad375a update jackson monorepo to v2.18.2
  • e3f22a0 update kotlin monorepo to v2.1.0
  • 1d5676f update log4j2 monorepo to v2.24.2

Documentation 📖

  • 9103ac2 model: Add a comment about the algorithm in traverse()
  • 8658030 model: Correct DependencyHandler docs about collections vs. lists
  • bd94e19 model: Remove some less relevant information from toPurl() docs
  • 8b0b991 web-app-template: Update a link to the most recent Kotlin version
  • e1d9178 yarn2: Remove two code comments which do not provide much info

Refactorings 🚜

  • d09a639 Yarn2: Factor out PackageHeader.moduleId
  • 18ddeed clearly-defined: Make it explicit that fromString() throws
  • fcc3159 model: Make getPurlType() actually return the PurlType
  • 21f1def node: Make name and version in npm.ModuleInfo nullable
  • 99e611b opossum: Migrate the reporter to KxS
  • 4c9569b yarn2: Factor out PackageHeader.isProject
  • cb62ba0 yarn2: Factor out getPackageInfos()
  • c781403 yarn2: Factor out installDependencies()
  • 76c7958 yarn2: Make queryPackageDetails() only take identifiers

Tests ✅

  • 0ff17e7 aosd: Validate reports against the schema
  • 1232796 node: Use the path replace pattern in babel expected outputs
  • ef427cd opossum: Rewrite the funTest to compare against an expected result
  • 1f76243 plugins: Simplify creating plugin instances
  • 1838c3b pub: Update expected results

Other Changes 💡

  • c5bae26 Revert "fix(gradle): Be specific about using Adoptium / Temurin as the JDK"

41.0.0

21 Nov 08:42

What's Changed

Breaking Changes 🛠

  • b724b62 chore(reporter)!: Remove the deprecated GitLab license model reporter

Bug Fixes 🐞

  • a8e789b aosd: Always add a default part
  • fc7ca86 aosd: Exclusively support SHA256 checksums
  • bc6bdbb cli: Use the id to show enabled advisors
  • 5371ce8 cyclonedx: Sanitize copyrights for the CycloneDX XML report
  • 37dae9f pnpm: Tolerate absent name / version in projects' package.json
  • 661d629 schema: Require exactly one of the storage provider configurations
  • d286300 schema: Use correct ref key
  • a4e01c0 spdx-utils: Avoid endless recursions with the and operator

New Features 🎉

  • edad867 node: Handle scope excludes in Pnpm
  • c3145d2 scancode: Add support for output format version 4.0.0
  • 1223199 scancode: Support parsing arbitrary options
  • 78303ed yarn2: Support parsing the project's authors

Chores 🔧

  • 4601134 clearly-defined: Increase the maximum chunk size for bulk requests
  • 2bca4d1 clearly-defined: Use "raw" mode for getting harvest data
  • c0ff3b0 dos: Trivially improve logging multiple packages
  • 7feab15 scancode: Drop a work-around for an old ScanCode bug
  • 2d25785 scancode: Remove a work-around for old RC versions
  • 16daaf4 scancode: Remove tests for old ScanCode versions
  • c42600f scanner: Update a ScanCode test asset to a more recent version
  • 3bb72b8 spdx-utils: Use singleOrNull() to shorten code

Dependency Updates 🚀

  • ddfdef1 docker: Bump the ScanCode version to 32.3.0
  • 9418bd4 docker: Update CocoaPods to the latest version
  • 79aab39 scancode: Bump the minimum required version to 30.0.0
  • 36444b9 update codecov/codecov-action digest to 015f24e
  • f23fbb2 update codecov/codecov-action digest to 5c47607
  • d19c625 update codecov/codecov-action digest to 985343d
  • 5983dcb update dependency com.icegreen:greenmail to v2.1.1
  • a2f46b5 update dependency com.zaxxer:hikaricp to v6.2.0
  • 2d2690c update dependency com.zaxxer:hikaricp to v6.2.1
  • 3434aa0 update dependency commons-io:commons-io to v2.18.0
  • b5de62b update dependency gradle to v8.11.1
  • 972c0da update dependency org.metaeffekt.core:ae-security to v0.126.0
  • 7a5015a update docker/metadata-action digest to 359e915
  • 894f587 update docker/metadata-action digest to 369eb59
  • c1c584b update github/codeql-action digest to f09c1c0
  • d7a5164 update gradle/actions digest to cc4fc85
  • fa45428 update ksp to v2.0.21-1.0.28

Documentation 📖

  • 4dbbf12 aosd: Add Provider documentation based on the schema description
  • 682e1cd cli: Align enabled advisor output with other commands
  • 4d11189 plugins: Align terminology for KSP-based plugins
  • 76fd3e3 scancode: Clarify which ScanCode versions are affected by an issue
  • 8837c7a scancode: Remove a semi-outdated comment that is covered by a test

Refactorings 🚜

  • 8d81c6e scancode: Parameterize a test for easier version upgrades
  • a7d31d8 scancode: Rely on output_format_version to be present
  • 5f67c4e scanner: Extract VCSPath filtering functions
  • 09f5afe scanner: Move all result parsing to the respective scanner

Tests ✅

  • 212d1a1 aosd: Update expected results
  • d9276e0 clearly-defined: Temporarily disable flaky tests
  • 995ad41 node: Align project-with-lockfile dependencies
  • dea89b0 node: Align the metadata of the project-with-lockfile
  • b446e2a node: Re-create lockfiles of the project-with-lockfile projects
  • dfaa896 node: Remove an incorrect replacement
  • 1e58026 npm: Remove a left-over replacement
  • 24b4ac0 npm: Remove another incorrect replacement
  • 566b22f npm: Rename the package-lock project to project-with-lockfile
  • c27fa95 npm: Sort the dependencies of project-with-lockfile
  • ffda909 vulnerable-code: Correct a stub path and assertion condition
  • fbfcd0c vulnerable-code: Update expected results
  • bf0bb08 vulnerable-code: Update expected results
  • 1bee82d yarn: Align a test case name with analog tests for other managers

Other Changes 💡

  • f5bcf78 style: Remove empty lines after block starts

40.0.1

15 Nov 09:44

What's Changed

Chores 🔧

  • 45b40d8 vulnerable-code: Make the API version part of the base URL

Dependency Updates 🚀

  • 8da4a06 update codecov/codecov-action action to v5
  • 8407d2b update github/codeql-action digest to ea9e4e3

Tests ✅

  • 315123d python: Update expected results

Other Changes 💡

  • a974802 Revert "fix(vulnerable-code): Still get vulnerabilities for which a fix exists"