Scancode-toolkit

Latest version: v32.3.0

33.0.0

----------------------------

- We now support new package manifest formats:
  - OpenWRT packages.
  - Yocto/BitBake .bb recipes.

- Fallback packages for non-native dependencies of SCTK.
- Dependencies for
- Support for copyright detection objects.

- We can now collect packages from a Go binary using go-inspector (Linux-only).

- A new field in packages with the license category for the
detected license expression and also an API function to
compute license categories from license expressions.
See https://github.com/nexB/scancode-toolkit/issues/2897

- More support for tabular output formats: new command-line
options for XLSX output, and the old `--csv` command-line
option is removed.
See https://github.com/nexB/scancode-toolkit/issues/830

- `--unknown-licenses` is removed: unknown-license detection is now
always enabled, and is applied automatically only where a license
detection is otherwise improper. All license rules are also tagged with
required phrases, to improve license detection and reduce false positives.
See https://github.com/nexB/scancode-toolkit/issues/3300

- File categorization support added: a post-scan plugin tags
files with priority levels for review, and other summary plugins
take advantage of these levels.
See https://github.com/nexB/scancode-toolkit/issues/1745

32.3.0

--------------------

Major API/other changes:

- Output Format Version updated to 4.0.0 (major version bump)
- Dependency attribute rename: ``is_resolved`` renamed to ``is_pinned``
See https://github.com/nexB/scancode-toolkit/pull/3888 for more details.
- License Match attribute rename: ``spdx_license_expression`` is renamed to
``license_expression_spdx``.

Changes in Output Data Structure:

- The data structure of the JSON output has changed for:
  - dependencies at file-level ``package_data`` and at top level.
  - license matches at file level and in unique codebase-level license detections.
Note that the change is a modification to the JSON output,
so we have a major version bump ``3.2.0`` to ``4.0.0``:

  - Dependency attribute ``is_resolved`` renamed to ``is_pinned``
  - LicenseMatch attribute ``spdx_license_expression`` renamed to
  ``license_expression_spdx``
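The two renames above (and the earlier addition of ``license_expression_spdx`` next to ``spdx_license_expression`` in 32.1.0) break any consumer that reads ScanCode JSON by key name across tool versions. The following is an added example, not code from scancode-toolkit: it reads ``output_format_version`` from the ``headers`` list, rewrites old attribute names to the 4.0.0 names wherever this changelog says they appear (file-level ``package_data`` dependencies, top-level ``dependencies``, ``matches`` in file and package license detections, ``reference_matches`` in codebase-level detections), and then answers the two questions a supply-chain reviewer asks first: which direct dependencies are not pinned, and which SPDX expressions were detected. The ``SAMPLE_SCAN`` input is constructed for the example in the pre-4.0.0 layout and is not real tool output; the attribute placement it assumes is taken from this changelog.

```python
"""Normalize ScanCode JSON output across output format versions 3.x and 4.0.0.

Added example, not scancode-toolkit code. Assumes the layout this changelog
describes: ``headers[].output_format_version``; ``dependencies`` under
``files[].package_data[]`` and at top level; license detections carrying
``matches`` (file/package level) or ``reference_matches`` (codebase level).
"""
import copy

# Attribute renames introduced by output format 4.0.0 (scancode-toolkit 32.3.0), old -> new.
DEPENDENCY_RENAMES = {"is_resolved": "is_pinned"}
MATCH_RENAMES = {"spdx_license_expression": "license_expression_spdx"}


def output_format_version(scan):
    """Version string from the first header that carries one; '0' when no header has it."""
    for header in scan.get("headers", []):
        if "output_format_version" in header:
            return header["output_format_version"]
    return "0"


def major_output_version(scan):
    return int(output_format_version(scan).split(".")[0])


def _rename(obj, renames):
    """Copy obj with old keys moved to their new names; an existing new key wins over the old one."""
    out = dict(obj)
    for old, new in renames.items():
        if old in out:
            value = out.pop(old)
            out.setdefault(new, value)
    return out


def _normalize_detections(detections):
    """Rename match attributes inside ``matches`` or ``reference_matches``, whichever a detection has."""
    out = []
    for det in detections:
        det = dict(det)
        for key in ("matches", "reference_matches"):
            if key in det:
                det[key] = [_rename(m, MATCH_RENAMES) for m in det[key]]
        out.append(det)
    return out


def normalize_scan(scan):
    """Return a deep copy using the 4.0.0 attribute names everywhere; the input is left untouched."""
    scan = copy.deepcopy(scan)
    scan["dependencies"] = [_rename(d, DEPENDENCY_RENAMES) for d in scan.get("dependencies", [])]
    scan["license_detections"] = _normalize_detections(scan.get("license_detections", []))
    for pkg in scan.get("packages", []):
        for key in ("license_detections", "other_license_detections"):
            pkg[key] = _normalize_detections(pkg.get(key, []))
    for entry in scan.get("files", []):
        entry["license_detections"] = _normalize_detections(entry.get("license_detections", []))
        for pkg_data in entry.get("package_data", []):
            pkg_data["dependencies"] = [_rename(d, DEPENDENCY_RENAMES) for d in pkg_data.get("dependencies", [])]
            for key in ("license_detections", "other_license_detections"):
                pkg_data[key] = _normalize_detections(pkg_data.get(key, []))
    return scan


def unpinned_direct_dependencies(scan):
    """Sorted purls of direct dependencies declared without an exact version, from every manifest.

    An unpinned direct requirement is what a lockfile refresh or a new upstream
    release can change silently, so it is the first thing to review.
    """
    scan = normalize_scan(scan)
    found = set()
    for entry in scan.get("files", []):
        for pkg_data in entry.get("package_data", []):
            for dep in pkg_data.get("dependencies", []):
                if dep.get("is_direct") and not dep.get("is_pinned"):
                    found.add(dep["purl"])
    return sorted(found)


def spdx_expressions(scan):
    """Distinct SPDX expressions from codebase-level detections, whichever attribute name wrote them."""
    scan = normalize_scan(scan)
    exprs = set()
    for det in scan.get("license_detections", []):
        if det.get("license_expression_spdx"):
            exprs.add(det["license_expression_spdx"])
            continue
        for key in ("matches", "reference_matches"):
            exprs.update(m["license_expression_spdx"] for m in det.get(key, []) if "license_expression_spdx" in m)
    return sorted(exprs)


# Constructed sample in the pre-4.0.0 layout (old attribute names); not real scancode output.
SAMPLE_SCAN = {
    "headers": [{"tool_name": "scancode-toolkit", "output_format_version": "3.1.0"}],
    "packages": [],
    "dependencies": [],
    "license_detections": [
        {"license_expression": "mit",
         "reference_matches": [{"license_expression": "mit", "spdx_license_expression": "MIT", "from_file": "LICENSE"}]},
    ],
    "files": [
        {"path": "project/package.json", "license_detections": [],
         "package_data": [{
             "type": "npm",
             "dependencies": [
                 {"purl": "pkg:npm/lodash", "extracted_requirement": "^4.17.0", "is_direct": True, "is_resolved": False},
                 {"purl": "pkg:npm/left-pad@1.3.0", "extracted_requirement": "1.3.0", "is_direct": True, "is_resolved": True},
                 {"purl": "pkg:npm/minimist", "extracted_requirement": "*", "is_direct": False, "is_resolved": False},
             ],
             "license_detections": [], "other_license_detections": []}]},
    ],
}
```

On a real result file, replace ``SAMPLE_SCAN`` with the parsed JSON (``json.load``) and branch on ``major_output_version`` only where the new names must be written back; reading always goes through ``normalize_scan`` so the same code works on output from 32.1.0 through 32.3.0.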

- Update link references of ownership from nexB to aboutcode-org
See https://github.com/aboutcode-org/scancode-toolkit/issues/3885

- New and updated licenses, including support for newly released
SPDX license list versions:
  - SPDX License List 3.25.0:
  This release of the SPDX license list had 9 new licenses
  and exceptions, and out of them 5 were present as licenses
  and 2 were present as rules already. There were 2 new
  license/exception texts added, and also 1 license was deprecated.
  For more details see https://github.com/aboutcode-org/scancode-toolkit/pull/3897

- New and improved copyright detection, with many false positives
removed and more refined detection added.

- Fix Python ``SyntaxWarning`` in textcode module.

- Improve python, npm, yarn, go package detections:
https://github.com/aboutcode-org/scancode-toolkit/pull/3857
https://github.com/aboutcode-org/scancode-toolkit/pull/3869
https://github.com/aboutcode-org/scancode-toolkit/pull/3943
https://github.com/aboutcode-org/scancode-toolkit/pull/3894

- Drop Python 3.8 support as it is end of life. If you still use
Python 3.8, use an older release, though this is not recommended.

32.2.1

---------------------

- Add support for parsing resolved packages and dependency relationships
from nuget lockfile `packages.lock.json`.
See https://github.com/nexB/scancode-toolkit/pull/3825

- Add support for parsing resolved packages and dependency relationships
from cocoapods lockfile `Podfile.lock`.
See https://github.com/nexB/scancode-toolkit/pull/3827

- Add support for parsing packages and dependency relationships
from swift `swift-show-dependencies.deplock` generated by DepLock.
See https://github.com/nexB/scancode-toolkit/pull/3829

- Add support for `pip-inspect.deplock` files to parse and store
resolved packages and dependency relationships, to statically
resolve a python dependency graph.
See https://github.com/nexB/scancode.io/issues/1262

- Add support for poetry packages, with poetry-specific pyproject.toml
support, poetry.lock and package assembly support. Also add support
for parsing and storing resolved packages and dependency relationships
required to statically resolve poetry dependency graphs.
See https://github.com/nexB/scancode-toolkit/issues/2109

- Add support for pyproject.toml files in python projects.
See https://github.com/nexB/scancode-toolkit/issues/3753

- More improved copyright detection, see
https://github.com/nexB/scancode-toolkit/pull/3752

- ``scancode-toolkit`` is now installable from the fedora repo.
See https://github.com/nexB/scancode-toolkit/pull/3824

32.2.0

----------------------

- New and improved package/dependency data:
  - Added new attribute in DependentPackage `is_direct` to aid
  package resolution and dependency graph creation.
  - Added new attributes in PackageData: `is_private` and
  `is_virtual`. 3102 3811
  https://github.com/nexB/scancode-toolkit/pull/3779

- Improved javascript package detection:
  - Add support for pnpm manifests and lockfiles 3766
  - Add support for npm, pnpm and yarn workspaces 3746
  - Improve resolved package and dependencies support in lockfiles for
  yarn.lock, package-lock.json, and pnpm. 3780
  - Add support for private packages. 3120
  - Add support for new dependency scopes across javascript
  - Lots of misc bugfixes in yarn and npm parsers.
  https://github.com/nexB/scancode-toolkit/pull/3779

- Improve cargo package detection support with various improvements
and bugfixes:
  - Fix for parser crashing on cargo workspaces
  - Fix a bug in dependency parsing (we were not returning any dependencies)
  - Also support getting dependency versions from workspace
  - Support more attributes from cargo
  - Better handle workspace data through extra_data attribute
See https://github.com/nexB/scancode-toolkit/pull/3783

- We now support parsing the Swift manifest JSON dump and the
``Package.resolved`` file https://github.com/nexB/scancode-toolkit/issues/2657.
Run the command below on your local Swift project before running the scan:
``swift package dump-package > Package.swift.json && swift package resolve``

- New and updated licenses, including support for newly released
SPDX license list versions:
  - SPDX License List 3.24:
  This release of the SPDX license list had 25 new licenses
  and exceptions, and out of them 12 were present as licenses
  and 5 were present as rules already. There were 3 new
  license/exception texts added, and the remaining 5 were either
  texts with small variations, additions to existing texts, or several
  rule texts combined; these were added as new licenses.
  For more details see https://github.com/nexB/scancode-toolkit/pull/3795

- More new licenses and rules:
- 23 new licenses in https://github.com/nexB/scancode-toolkit/pull/3778

32.1.0

---------------------

New CLI options:

- A new CLI option ``--package-only`` has been added which performs
a faster package scan by skipping the package assembly step and
also skipping license/copyright detection on package metadata.

Major API/other changes:

- Output Format Version updated to 3.1.0 (minor version bump)
- Drops python 3.7 and adopts python 3.12
- New license match attributes:
  - ``from_file``
  - ``matched_text_diagnostics`` is added for ``--license-text-diagnostics``
  - In codebase-level ``license_detections`` we have a new attribute
  ``reference_matches``
- SPDX license expressions everywhere side-by-side with ScanCode
license expressions.
- All rule attribute level data provided in codebase level ``todo`` items.

Changes in Output Data Structure:

- The data structure of the JSON output has changed for
licenses at file level, and license detections at top-level.
But note that all the changes are additions to the JSON output,
so we have a minor version bump ``3.0.0`` to ``3.1.0``:

  - There is a new attribute ``from_file`` in ``matches`` which is in
  ``license_detections`` in:
    * File level ``license_detections``
    * Codebase level ``license_detections``
    * ``license_detections`` and ``other_license_detections`` in
    file-level ``package_data``
    * ``license_detections`` and ``other_license_detections`` in
    codebase level ``packages``

- On using the CLI option ``--license-text-diagnostics`` there is
now a new license match attribute ``matched_text_diagnostics``
with the matched text and highlighted diagnostics, instead of
having this replace the plain ``matched_text``.

- A new ``reference_matches`` attribute is added to codebase-level
``license_detections`` which is same as the ``matches`` attribute
in other license detections.

- We now have SPDX license expressions everywhere we have
ScanCode license expressions for ease of use and adopting
SPDX everywhere. A new attribute ``license_expression_spdx``
is added to:
  - ``license_detections`` in file and codebase level
  - in package ``license_detections`` and ``other_license_detections``
  - ``matches`` for ``license_detections`` everywhere

- Adds all rule attribute level info in codebase level ``todo``
data, to assist in review. This includes length, text, notes,
referenced_filenames, and the boolean attributes (like
is_license_notice, is_license_intro etc., as applicable).

- New and updated licenses, including support for newly released
SPDX license list versions:
  - SPDX License List 3.22:
  This release of the SPDX license list had 48 new licenses,
  and several of them we already had as licenses/rules, and
  these have been modified to be consistent with the SPDX list.
  The rest have been added as new licenses.
  For more details see https://github.com/nexB/scancode-toolkit/pull/3554

  - SPDX License List 3.23:
  This release of the SPDX license list had 43 new licenses,
  and out of them 22 were present as licenses and 10 were
  present as rules already. There were 4 new license/exception
  texts added, and the rest were either texts with small variations,
  additions to existing texts, or several rule texts combined.
  For more details see https://github.com/nexB/scancode-toolkit/pull/3653

- We also have lots of other misc new licenses and rules added to
LicenseDB, see PRs below for more details:
https://github.com/nexB/scancode-toolkit/pull/3663
https://github.com/nexB/scancode-toolkit/pull/3642
https://github.com/nexB/scancode-toolkit/pull/3586
https://github.com/nexB/scancode-toolkit/pull/3584
https://github.com/nexB/scancode-toolkit/pull/3575
https://github.com/nexB/scancode-toolkit/pull/3570
https://github.com/nexB/scancode-toolkit/pull/3568
https://github.com/nexB/scancode-toolkit/pull/3562

- Improve debian namespace detection based on clues and fix
namespace and qualifier bugs for debian purls.
For more details see https://github.com/nexB/scancode.io/issues/899
and https://github.com/nexB/scancode-toolkit/issues/3443
Also improve debian manifests parsing and purl parsing from
filenames. Support for https://github.com/nexB/purldb/issues/245
Bumps debian-inspector to v31.1.0

- Bump commoncode to v31.0.3

- Upgraded spdx-tools dependency to v0.8.
See https://github.com/nexB/scancode-toolkit/issues/3455

Support for Conan package parser:

- We now support the parsing of Conan manifest files, such as
`conanfile.py`, as described here https://docs.conan.io/2.0/reference/conanfile.html.
We also support source extraction from `conandata.yml`, as described here
https://docs.conan.io/2/tutorial/creating_packages/handle_sources_in_packages.html#using-the-conandata-yml-file.

32.0.8

------------------------

This is a minor release with license detection
improvements, with new and updated license detection rules
and new licenses.

The main updates over the previous stable release are:

- New and updated license rules fixing several license
detection bugs. See for more details:
https://github.com/nexB/scancode-toolkit/pull/3545
https://github.com/nexB/scancode-toolkit/pull/3519

- Bugfix for an epoch parser bug with numeric values
in rpm. See for more details:
https://github.com/nexB/scancode-toolkit/pull/3520
