Merge branch 'develop' into improve-pypi-package-detection

Signed-off-by: Ayan Sinha Mahapatra <[email protected]>

Author: AyanSinhaMahapatra

.gitignore

@@ -108,7 +108,6 @@ TAGS
 Procfile
 local.cfg
 geckodriver.log
-var
 .metaflow
 selenium
 /dist/

CHANGELOG.rst

@@ -34,8 +34,56 @@ v33.0.0 (next next, roadmap)
   of these in other summary plugins.
   See https://github.com/nexB/scancode-toolkit/issues/1745
 
-v32.1.0 (next, roadmap)
-----------------------------
+v32.2.0 - 2024-06-19
+----------------------
+
+- New and improved package/dependency data:
+  - Added new attribute in DependentPackage `is_direct` to aid
+    package resolution and dependency graph creation.
+  - Added new attributes in PackageData: `is_private` and
+    `is_virtual`. #3102 #3811
+  https://github.com/nexB/scancode-toolkit/pull/3779
+
+- Improved javascript package detection:
+  - Add support for pnpm manifests and lockfiles #3766
+  - Add support for npm, pnpm and yarn workspaces #3746
+  - Improve resolved package and dependencies support in lockfiles for
+    yarn.lock, package-lock.json, and pnpm. #3780
+  - Add support for private packages. #3120
+  - Add support for new dependency scopes across javascript
+  - Lots of misc bugfixes in yarn and npm parsers.
+  https://github.com/nexB/scancode-toolkit/pull/3779
+
+- Improve cargo package detection support with various improvements
+  and bugfixes:
+  - Fix for parser crashing on cargo workspaces
+  - Fix a bug in dependency parsing (we were not returning any dependencies)
+  - Also support getting dependency versions from workspace
+  - Support more attributes from cargo
+  - Better handle workspace data thorugh extra_data attribute
+  See https://github.com/nexB/scancode-toolkit/pull/3783
+
+- We now support parsing the Swift manifest JSON dump and the
+  ``Package.resolved`` file https://github.com/nexB/scancode-toolkit/issues/2657.
+  Run the command below on your local Swift project before running the scan:
+    `swift package dump-package > Package.swift.json && swift package resolve``
+
+- New and updated licenses, including support for newly released
+  SPDX license list versions:
+  - SPDX License List 3.24:
+    This release of the SPDX license list had 25 new licenses
+    and exceptions, and out of them 12 were present as licenses
+    and 5 were present as rules already. There were 3 new
+    license/exception texts added, and the rest 5 were either
+    texts with small variations, additions to texts or several
+    rule texts together. And the rest have been added as new licenses.
+    For more details see https://github.com/nexB/scancode-toolkit/pull/3795
+
+  - More new licenses and rules:
+    - 23 new licenses in https://github.com/nexB/scancode-toolkit/pull/3778
+
+v32.1.0 - 2024-03-23
+---------------------
 
 New CLI options:
 

docs/source/getting-started/install.rst

@@ -160,6 +160,32 @@ in the extracted directory and run::
 
 This will configure ScanCode and display the command line :ref:`cli_help_text`.
 
+.. note::
+   If you encounter a "No matching distribution" error while running the ``./configure`` command on a Mac M1, it may indicate compatibility issues with the current architecture. Here's a step-by-step guide to address this:
+
+   - **Change Mac M1 Architecture to x86_64:**
+     Switch the architecture from amd64 to x86_64 using the command:
+     ::
+
+         env /usr/bin/arch -x86_64 /bin/zsh --login
+   - **Use Rosetta Translation:**
+     Enable Rosetta translation in Terminal by executing:
+     ::
+
+         softwareupdate --install-rosetta
+   - **Transition Homebrew from arm64 to Intel:**
+     Change Homebrew from the arm64 architecture to the Intel (x86) architecture by running:
+     ::
+
+         /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+   - **Install Intel-Specific Python:**
+     Use Homebrew to install Python specifically optimized for Intel architecture with:
+     ::
+
+         /usr/local/Homebrew/bin/brew install python3
+
+   Then rerun the ``./configure`` command. This sets up the project according to the new architecture and ensures proper configuration.
+   Following these steps should help resolve compatibility issues and allow smooth operation of the project on Mac M1 devices.
 
 .. _windows_app_install:
 

docs/source/reference/available_package_parsers.rst

@@ -233,6 +233,7 @@ parsers in scancode-toolkit during documentation builds.
      - https://r-pkgs.org/description.html
    * - Debian control file - extracted layout
      - ``*/control.tar.gz-extract/control``
+       ``*/control.tar.xz-extract/control``
      - ``deb``
      - ``debian_control_extracted_deb``
      - None
@@ -538,6 +539,24 @@ parsers in scancode-toolkit during documentation builds.
      - ``npm_shrinkwrap_json``
      - JavaScript
      - https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json
+   * - pnpm pnpm-lock.yaml lockfile
+     - ``*/pnpm-lock.yaml``
+     - ``npm``
+     - ``pnpm_lock_yaml``
+     - JavaScript
+     - https://github.com/pnpm/spec/blob/master/lockfile/6.0.md
+   * - pnpm shrinkwrap.yaml lockfile
+     - ``*/shrinkwrap.yaml``
+     - ``npm``
+     - ``pnpm_shrinkwrap_yaml``
+     - JavaScript
+     - https://github.com/pnpm/spec/blob/master/lockfile/4.md
+   * - pnpm workspace yaml file
+     - ``*/pnpm-workspace.yaml``
+     - ``npm``
+     - ``pnpm_workspace_yaml``
+     - JavaScript
+     - https://pnpm.io/pnpm-workspace_yaml
    * - yarn.lock lockfile v1 format
      - ``*/yarn.lock``
      - ``npm``
@@ -716,6 +735,19 @@ parsers in scancode-toolkit during documentation builds.
      - ``rpm_installed_database_sqlite``
      - None
      - https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
+   * - RPM mariner distroless package manifest
+     - ``*var/lib/rpmmanifest/container-manifest-2``
+     - ``rpm``
+     - ``rpm_mariner_manifest``
+     - None
+     - https://github.com/microsoft/marinara/
+   * - RPM mariner distroless package license files
+     - ``*usr/share/licenses/*/COPYING*``
+       ``*usr/share/licenses/*/LICENSE*``
+     - ``rpm``
+     - ``rpm_package_licenses``
+     - None
+     - https://github.com/microsoft/marinara/
    * - RPM specfile
      - ``*.spec``
      - ``rpm``
@@ -734,6 +766,19 @@ parsers in scancode-toolkit during documentation builds.
      - ``squashfs_disk_image``
      - None
      - https://en.wikipedia.org/wiki/SquashFS
+   * - JSON dump of Package.swift created with ``swift package dump-package > Package.swift.json``
+     - ``*/Package.swift.json``
+     - ``swift``
+     - ``swift_package_manifest_json``
+     - Swift
+     - https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html
+   * - Resolved full dependency lockfile for Package.swift created with ``swift package resolve``
+     - ``*/Package.resolved``
+       ``*/.package.resolved``
+     - ``swift``
+     - ``swift_package_resolved``
+     - swift
+     - https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html#package-dependency
    * - Java Web Application Archive
      - ``*.war``
      - ``war``

setup-mini.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = scancode-toolkit-mini
-version = 32.1.0
+version = 32.2.0
 license = Apache-2.0 AND CC-BY-4.0 AND LicenseRef-scancode-other-permissive AND LicenseRef-scancode-other-copyleft
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = scancode-toolkit
-version = 32.1.0
+version = 32.2.0
 license = Apache-2.0 AND CC-BY-4.0 AND LicenseRef-scancode-other-permissive AND LicenseRef-scancode-other-copyleft
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390

src/licensedcode/data/licenses/3dslicer-1.0.LICENSE

@@ -5,11 +5,15 @@ name: 3D Slicer Contribution and Software License Agreement v1.0
 category: Permissive
 owner: Slicer Project
 homepage_url: https://www.slicer.org/wiki/License
-spdx_license_key: LicenseRef-scancode-3dslicer-1.0
+spdx_license_key: 3D-Slicer-1.0
+other_spdx_license_keys:
+    - LicenseRef-scancode-3dslicer-1.0
 text_urls:
     - https://github.com/Slicer/Slicer/blob/v4.6.2/COPYRIGHT.txt
 faq_url: https://www.slicer.org/wiki/CommercialUse
 other_urls:
+    - https://slicer.readthedocs.io/en/latest/user_guide/about.html#license
+    - https://github.com/Slicer/Slicer/blob/main/License.txt
     - http://www.slicer.org
     - http://wiki.na-mic.org/Wiki/index.php/Slicer3
 ignorable_authors:

src/licensedcode/data/licenses/amd-historical.LICENSE

@@ -5,7 +5,11 @@ name: AMD Historical License
 category: Permissive
 owner: Advanced Micro Devices
 notes: this is a short historical permissive license seen in the newlib C library
-spdx_license_key: LicenseRef-scancode-amd-historical
+spdx_license_key: AMD-newlib
+other_spdx_license_keys:
+    - LicenseRef-scancode-amd-historical
+other_urls:
+    - https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=newlib/libc/sys/a29khif/_close.S;h=04f52ae00de1dafbd9055ad8d73c5c697a3aae7f;hb=HEAD
 ---
 
 This software is the property of Advanced Micro Devices, Inc  (AMD)  which

src/licensedcode/data/licenses/any-osi.LICENSE

@@ -0,0 +1,18 @@
+---
+key: any-osi
+short_name: Any OSI License
+name: Any OSI License
+category: Unstated License
+owner: Unspecified
+spdx_license_key: any-OSI
+minimum_coverage: 100
+other_urls:
+    - http://www.opensource.org/licenses/alphabetical
+    - https://metacpan.org/pod/Exporter::Tidy#LICENSE
+ignorable_urls:
+    - http://www.opensource.org/licenses/alphabetical
+---
+
+Pick your favourite OSI approved license :)
+
+http://www.opensource.org/licenses/alphabetical

src/licensedcode/data/licenses/asterisk-linking-protocols-exception.LICENSE

@@ -0,0 +1,25 @@
+---
+key: asterisk-linking-protocols-exception
+short_name: Asterisk linking protocols exception
+name: Asterisk linking protocols exception
+owner: Asterisk
+category: Copyleft Limited
+is_exception: yes
+spdx_license_key: Asterisk-linking-protocols-exception
+other_urls:
+    - https://github.com/asterisk/asterisk/blob/115d7c01e32ccf4566a99e9d74e2b88830985a0b/LICENSE#L27
+---
+
+Specific permission is also granted to link Asterisk with OpenSSL, OpenH323
+UniMRCP, and/or the UW IMAP Toolkit and distribute the resulting binary files.
+
+In addition, Asterisk implements several management/control protocols.
+This includes the Asterisk Manager Interface (AMI), the Asterisk Gateway
+Interface (AGI), and the Asterisk REST Interface (ARI). It is our belief
+that applications using these protocols to manage or control an Asterisk
+instance do not have to be licensed under the GPL or a compatible license,
+as we believe these protocols do not create a 'derivative work' as referred
+to in the GPL. However, should any court or other judiciary body find that
+these protocols do fall under the terms of the GPL, then we hereby grant you a
+license to use these protocols in combination with Asterisk in external
+applications licensed under any license you wish.

src/licensedcode/data/licenses/bsd-2-clause-first-lines.LICENSE

@@ -0,0 +1,39 @@
+---
+key: bsd-2-clause-first-lines
+short_name: BSD 2-Clause first lines
+name: BSD 2-Clause - first lines requirement
+owner: Nippon Telegraph and Telephone Corporation
+category: Permissive
+notes: |
+    Added in SPDX license list 3.24
+    This was previously the license rule: freebsd-doc_5.RULE
+spdx_license_key: BSD-2-Clause-first-lines
+other_urls:
+    - https://github.com/krb5/krb5/blob/krb5-1.21.2-final/NOTICE#L664-L690
+    - https://web.mit.edu/kerberos/krb5-1.21/doc/mitK5license.html
+---
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above
+   copyright notice, this list of conditions and the following
+   disclaimer as the first lines of this file unmodified.
+
+2. Redistributions in binary form must reproduce the above
+   copyright notice, this list of conditions and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.

src/licensedcode/data/licenses/catharon-osl.LICENSE

@@ -5,7 +5,9 @@ name: Catharon Open Source License
 category: Permissive
 owner: Catharon
 homepage_url: https://github.com/scummvm/scummvm/blob/master/LICENSES/CatharonLicense.txt
-spdx_license_key: LicenseRef-scancode-catharon-osl
+spdx_license_key: Catharon
+other_spdx_license_keys:
+    - LicenseRef-scancode-catharon-osl
 text_urls:
     - https://github.com/scummvm/scummvm/tree/master/engines/ags/lib/freetype-2.1.3/autohint
     - https://www.copperspice.com/docs/cs_overview/legal-3rdparty.html

src/licensedcode/data/licenses/cexcept-2008.LICENSE

@@ -0,0 +1,20 @@
+---
+key: cexcept-2008
+short_name: cexcept License 2008
+name: cexcept License 2008
+category: Permissive
+owner: nicemice
+spdx_license_key: LicenseRef-scancode-cexcept-2008
+text_urls:
+    - https://github.com/cloudflare/pngcrush/blob/deflate.gcc.amd64/cexcept.h
+other_urls:
+    - http://www.nicemice.net/cexcept/
+---
+
+This software may be modified only if its author and version
+information is updated accurately, and may be redistributed
+only if accompanied by this unaltered notice.  Subject to those
+restrictions, permission is granted to anyone to do anything
+with this software.  The copyright holders make no guarantees
+regarding this software, and are not responsible for any damage
+resulting from its use.