v32.0.0rc1

[pombredanne]

This is a major new release with API breaking changes.
v32.0.0rc1 is the first release candidate and we expect to have a few more.

Important API changes:

This is a major release with major API and output format changes and significant
feature updates.

In particular changed to the output format for the licenses and packages, and
we changed some of the command line options.

The output format version is now 3.0.0.

Package detection:

• Update GemfileLockParser to track the gem which the Gemfile.lock is for,
  which we assign to the new GemfileLockParser.primary_gem field. Update
  GemfileLockHandler.parse() to handle the case where there is a primary gem
  detected from a gemfile.lock. If there is a primary gem, a single Package
  is created and the detected gem data within the gemfile.lock are assigned as
  dependencies. If there is no primary gem, then all of the dependencies are
  collected into Package with no name and yielded.

  Repeated package and dependency results when scanning extracted rubygem #3072

• Fix issue where dependencies were not reported when scanning an extracted
  Python project by modifying BaseExtractedPythonLayout.assemble() to favor
  using package data from a PKG-INFO file from an egg-info directory. Package
  data from a PKG-INFO file from an egg-info directory contains the dependency
  information collected from the requirements.txt file along side PKG-INFO.

  No dependency results when scanning celery-5.2.7.tar.gz #3083

• Fix issue where we were returning incorrect purl package type for cocoapods.
  pods was being returned as a purl type for cocoapods, it should be
  cocoapods instead.
  https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#cocoapods

  Incorrect purl type for cocoapods #3081

• Code for parsing a Maven POM, npm package.json, freebsd manifest and haxelib
  JSON have been separated into two functions: one that creates a PackageData
  object from the parsed Resource, and another that calls the previous function
  and yields the PackageData. This was done such that we can use the package
  manifest data parsing code outside of the scancode-toolkit context in other
  libraries.

License detection:

• The SPDX license list has been updated to the latest v3.19

• This is a major update to license detection where we now combine one or more
  license matches in a larger license detection. This approach improves the
  accuracy of license detection and removes a larger number of false positive
  or ambiguous license detections. See for details
  RFC: a plan for false positive license detection #2878

• There is a new license_detections codebase level attribute with all the
  unique license detections in the whole scan, both in resources and packages.
  This has the 3 attributes also present in package/resource level license
  detections: license_expression, matches and detection_log and has
  two additional attributes:

  • identifier: which is the license_expression with an UUID created out
    of the detection contents and is the same for same detections.

  • count: Number of times in the codebase this unique license detection
    was encountered.

• The data structure of the JSON output has changed for licenses at file level:

  • The licenses attribute is deleted.

  • A new for_license_detections attribute is aded which references the codebase
    level unique license detections, and this is a list of identifer strings from
    the codebase level license detections it references.

  • A new license_detections attribute contains license detections in that file.
    This object has three attributes: license_expression, detection_log
    and matches. matches is a list of license matches and is roughly
    the same as licenses in the previous version with additional structure
    changes detailed below.

  • A new attribute license_clues contains license matches with the
    same data structure as the matches attribute in license_detections.
    This contains license matches that are mere clues and where not considered
    to be a proper conclusive license detection.

  • The license_expressions list of license expressions is deleted and
    replaced by a detected_license_expression single expression.
    Similarly spdx_license_expressions was removed and replaced by
    detected_license_expression_spdx.

  • See license updates documentation <https://scancode-toolkit.readthedocs.io/en/latest/explanations/license-detection-reference.html#change-in-license-data-format-resource>_
    for examples and details.

• The data structure of license attributes in package_data and the codebase
  level packages has been updated accordingly:

  • There is a new license_detections attribute for the primary, top-level
    declared licenses of a package and an other_license_detections attribute
    for the other secondary detections.

  • The license_expression is replaced by the declared_license_expression
    and other_license_expression attributes with their SPDX counterparts
    declared_license_expression_spdx and other_license_expression_spdx.
    These expressions are parallel to detections.

  • The declared_license attribute is renamed extracted_license_statement
    and is now a YAML-encoded string.

    See license updates documentation <https://scancode-toolkit.readthedocs.io/en/latest/explanations/license-detection-reference.html#change-in-license-data-format-package>_
    for examples and details.

• The license matches structure has changed: we used to report one match for each
  license key of a matched license expression. We now report instead one
  single match for each matched license expression, and list the license keys
  as a licenses attribute. This avoids data duplication.
  Inside each match, we list each match and matched rule attributred directly
  avoiding nesting. See license updates doc <https://scancode-toolkit.readthedocs.io/en/latest/explanations/license-detection-reference.html#licensematch-result-data>_
  for examples and details.

• There are new and codebase level attributes default with --licenses to report
  reference license metadata and texts once for each license matched across the
  scan; we now have two codebase level attributes: license_references and
  license_rule_references that list unique detected license and license rules.
  for examples and details. This reference data is also removed from license matches
  in all levels i.e. from codebase, package and resource level license detections and
  resource level license clues.
  See license updates documentation <https://scancode-toolkit.readthedocs.io/en/latest/explanations/license-detection-reference.html#comparision-before-after-license-references>_

• We replaced the scancode --reindex-licenses command line option with a
  new separate command named scancode-reindex-licenses.

  • The --reindex-licenses-for-all-languages CLI option is also moved to
    the scancode-reindex-licenses command as an option --all-languages.

  • We can now detect licenses using custom license texts and license rules
    stored in a directory or packaged as a plugin for consistent reuse and deployment.

  • There is an --additional-directory option with the scancode-reindex-licenses
    command to add the licenses from a directory.

  • There is also a --only-builtin option to use ony builtin licenses
    ignoring any additional license plugins.

  • See Add support for "extra", e.g. private or local licenses #480 for more details.

• We combined the licensedata file and text file of each license in a single
  file with a .LICENSE extension. The .yml data file is now included at the
  top of each .LICENSE file as "YAML frontmatter". The same applies to license
  rules and their .RULE and .yml files. This halves the number of data files
  from about 60,000 to 30,000. Git line history is preserved for the combined
  text + yml files.

  • See ScanCode contains too many data files #3049

• There is a new console script scancode-license-data to export
  license data in JSON, YAML and HTML, with indexes and a static website for use
  in the licensedb web site. This becomes the API way to getr scancode license
  data.

  See Add a command line option to dump the license data #2738

• The deprecated "--is-license-text" option has been removed.
  This is now built-in with the --license-text option and --info
  and exposed with the "percentage_of_license_text" attribute.

All Changes

• Add support for external licenses in scans by @KevinJi22 in Add support for external licenses in scans #2979
• Separate Package parsing functions by @JonoYang in Separate Package parsing functions #3135
• Update docs for deprecated and other options consolidate option should be marked as deprecated in the docs #3126 by @AyanSinhaMahapatra in Update docs for deprecated and other options #3126 #3127
• Add license dump option by @AyanSinhaMahapatra in Add license dump option #3100
• Combine license matches in new LicenseDetection by @AyanSinhaMahapatra in Combine license matches in new LicenseDetection #2961
• Fix issue 3155 by running scancode-reindex-licenses subcommand instead of using --reindex-licenses flag by @abhi-kr-2100 in Fix issue 3155 by running scancode-reindex-licenses subcommand instead of using --reindex-licenses flag #3159
• Detect wurfl commercial license by @pombredanne in Detect wurfl commercial license #3163
• Do not use packaging.LegacyVersion ImportError: cannot import name 'LegacyVersion' from 'packaging.version' #3171 setup: Use packaging version <22 #3177 by @pombredanne in Do not use packaging.LegacyVersion #3171 #3177 #3180
• More License Detection changes by @AyanSinhaMahapatra in More License Detection changes #3154
• docs(fix): how to install Py. 3.8 on recent Ubuntu by @camillem in docs(fix): how to install Py. 3.8 on recent Ubuntu #3146
• Add links to basic options in docs by @AyanSinhaMahapatra in Add links to basic options in docs #3142
• install.rst: spelling by @vargenau in install.rst: spelling #3184
• Release 32.0.0rc1 prep by @AyanSinhaMahapatra in Release 32.0.0rc1 prep #3150
• Remove deprecated images from CI and release-script by @AyanSinhaMahapatra in Remove deprecated images from CI and release-script #3099
• Fix unhashable type error in cyclonedx Exception when creating cyclonedx output #3016 by @AyanSinhaMahapatra in Fix unhashable type error in cyclonedx #3016 #3189
• Update license db generation by @AyanSinhaMahapatra in Update license db generation #3197
• Remove license text from index.json of licenseDB by @AyanSinhaMahapatra in Remove license text from index.json of licenseDB #3201
• Support python 3.11 by @AyanSinhaMahapatra in Support python 3.11 #3199
• Properly assign boolean to is_resolved None assigned to is_resolved field when parsing dependencies from a Maven POM #3152 by @JonoYang in Properly assign boolean to is_resolved #3152 #3153
• Vendor attrs to avoid unpickle issues An error occurs when parsing a general text file. #3179 Vendor some key libraries #3192 by @pombredanne in Vendor attrs to avoid unpickle issues #3179 #3192 #3193
• Remove trailing T in date by @pombredanne in Remove trailing T in date #3203
• Restore help.html from Improve help and doc #22 scancode-licensedb#23 by @AyanSinhaMahapatra in Restore help.html from nexB/scancode-licensedb#23 #3202
• adapt code to new spdx-tools release by @meretp in adapt code to new spdx-tools release #3173
• Add nuget nuspec dependencies by @pombredanne in Add nuget nuspec dependencies #3206
• Fix release scripts by @AyanSinhaMahapatra in Fix release scripts #3208
• Fix attrs version in requirements by @AyanSinhaMahapatra in Fix attrs version in requirements #3209

New Contributors

• @abhi-kr-2100 made their first contribution in Fix issue 3155 by running scancode-reindex-licenses subcommand instead of using --reindex-licenses flag #3159
• @camillem made their first contribution in docs(fix): how to install Py. 3.8 on recent Ubuntu #3146
• @vargenau made their first contribution in install.rst: spelling #3184
• @meretp made their first contribution in adapt code to new spdx-tools release #3173

Full Changelog: v31.2.4...v32.0.0rc1

---

This discussion was created from the release v32.0.0rc1.