Merge branch 'main' into exclusion-framework-ruby

Author: AyanSinhaMahapatra

.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - name: Checkout code

.github/workflows/generate-sboms.yml

@@ -0,0 +1,39 @@
+name: Generate SBOMS
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*.*.*"
+
+env:
+  INPUTS_PATH: scancode-inputs
+
+jobs:
+  generate-sboms:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Ensure INPUTS_PATH directory exists
+        run: mkdir -p "${{ env.INPUTS_PATH }}"
+
+      - name: Build the Docker image from local Dockerfile
+        run: docker build -t local-image .
+
+      - name: Run pip freeze inside the built Docker container
+        run: docker run --rm local-image pip freeze --all --exclude scancodeio > "${{ env.INPUTS_PATH }}/requirements.txt"
+
+      - name: Collect all .ABOUT files in the scancodeio/ directory
+        run: |
+          mkdir -p "${{ env.INPUTS_PATH }}/about-files"
+          find scancodeio/ -type f -name "*.ABOUT" -exec cp {} "${{ env.INPUTS_PATH }}/about-files/" \;
+
+      - name: Resolve the dependencies using ScanCode-action
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "resolve_dependencies:DynamicResolver"
+          inputs-path: ${{ env.INPUTS_PATH }}
+          scancodeio-repo-branch: main

.github/workflows/pypi-release-aboutcode-pipeline.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.12
+          python-version: 3.13
 
       - name: Install flot
         run: python -m pip install flot --user

.github/workflows/pypi-release.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.12
+          python-version: 3.13
 
       - name: Install pypa/build
         run: python -m pip install build --user

.gitignore

@@ -51,6 +51,7 @@ local
 *.rdb
 *.aof
 .vscode
+.ipynb_checkpoints
 
 # This is only created when packaging for external redistribution
 /thirdparty/

CHANGELOG.rst

@@ -1,7 +1,102 @@
 Changelog
 =========
 
-v34.9.5 (unreleased)
+v35.0.0 (2025-06-23)
+--------------------
+
+- Add support for Python 3.13.
+  Upgrade the base image in Dockerfile to ``python:3.13-slim``.
+  https://github.com/aboutcode-org/scancode.io/pull/1469/files
+
+- Display matched snippets details in "Resource viewer", including the package,
+  resource, and similarity values.
+  https://github.com/aboutcode-org/scancode.io/issues/1688
+
+- Add filtering by label and pipeline in the ``flush-projects`` management command.
+  Also, a new ``--dry-run`` option is available to test the filters before applying
+  the deletion.
+  https://github.com/aboutcode-org/scancode.io/pull/1690
+
+- Add support for using Package URL (purl) as project input.
+  This implementation is based on ``purl2url.get_download_url``.
+  https://github.com/aboutcode-org/scancode.io/issues/1383
+
+- Raise a ``MatchCodeIOException`` when the response from the MatchCode.io service is
+  not valid in ``send_project_json_to_matchcode``.
+  This generally means an issue on the MatchCode.io server side.
+  https://github.com/aboutcode-org/scancode.io/issues/1665
+
+- Upgrade Bulma CSS and Ace JS libraries to latest versions.
+  Refine the CSS for the Resource viewer.
+  https://github.com/aboutcode-org/scancode.io/pull/1692
+
+- Add "(No value detected)" for Copyright and Holder charts.
+  https://github.com/aboutcode-org/scancode.io/issues/1697
+
+- Add "Package Compliance Alert" chart in the Policies section.
+  https://github.com/aboutcode-org/scancode.io/pull/1699
+
+v34.11.0 (2025-05-02)
+---------------------
+
+- Add a ``UUID`` field on the DiscoveredDependency model.
+  Use the UUID for the DiscoveredDependency spdx_id for better SPDX compatibility.
+  https://github.com/aboutcode-org/scancode.io/issues/1651
+
+- Add MatchCode-specific functions to compute fingerprints from stemmed code
+  files. Update CodebaseResource file content view to display snippet matches,
+  if available, when the codebase has been sent for matching to MatchCode.
+  https://github.com/aboutcode-org/scancode.io/pull/1656
+
+- Add the ability to export filtered QuerySet of a FilterView into the JSON format.
+  https://github.com/aboutcode-org/scancode.io/pull/1572
+
+- Include ``ProjectMessage`` records in the JSON output ``headers`` section.
+  https://github.com/aboutcode-org/scancode.io/issues/1659
+
+v34.10.1 (2025-03-26)
+---------------------
+
+- Convert the ``declared_license`` field value return by ``python-inspector`` in
+  ``resolve_pypi_packages``.
+  Resolving requirements.txt files will now return proper license data.
+  https://github.com/aboutcode-org/scancode.io/issues/1598
+
+- Add support for installing on Apple Silicon (macOS ARM64) in dev mode.
+  https://github.com/aboutcode-org/scancode.io/pull/1646
+
+v34.10.0 (2025-03-21)
+---------------------
+
+- Rename the ``docker``, ``docker_windows``, and ``root_filesystem`` modules to
+  ``analyze_docker``, ``analyze_docker_windows``, and ``analyze_root_filesystem``
+  for consistency.
+
+- Refine and document the Webhook system
+  https://github.com/aboutcode-org/scancode.io/issues/1587
+  * Add UI to add/delete Webhooks from the project settings
+  * Add a new ``add-webhook`` management command
+  * Add a ``add_webhook`` REST API action
+  * Add a new ``SCANCODEIO_GLOBAL_WEBHOOK`` setting
+  * Add a new chapter dedicated to Webhooks management in the documentation
+  * Add support for custom payload dedicated to Slack webhooks
+
+- Upgrade Bulma CSS library to version 1.0.2
+  https://github.com/aboutcode-org/scancode.io/pull/1268
+
+- Disable the creation of the global webhook in the ``batch-create`` command by default.
+  The global webhook can be created by providing the ``--create-global-webhook`` option.
+  A ``--no-global-webhook`` option was also added to the ``create-project`` command to
+  provide the ability to skip the global webhook creation.
+  https://github.com/aboutcode-org/scancode.io/pull/1629
+
+- Add support for "Permission denied" file access in make_codebase_resource.
+  https://github.com/aboutcode-org/scancode.io/issues/1630
+
+- Refine the ``scan_single_package`` pipeline to work on git fetched inputs.
+  https://github.com/aboutcode-org/scancode.io/issues/1376
+
+v34.9.5 (2025-02-19)
 --------------------
 
 - Add support for the XLSX report in REST API.
@@ -11,6 +106,18 @@ v34.9.5 (unreleased)
   Also, the Project labels are kept during reset.
   https://github.com/aboutcode-org/scancode.io/issues/1568
 
+- Add aboutcode.pipeline as an install_requires external dependency to prevent conflicts
+  with other aboutcode submodules.
+  https://github.com/aboutcode-org/scancode.io/issues/1423
+
+- Add a ``add-webhook`` management command that allows to add webhook subscription on
+  a project.
+  https://github.com/aboutcode-org/scancode.io/issues/1587
+
+- Add proper progress logging for the ``assemble`` section of the
+  ``scan_for_application_packages``.
+  https://github.com/aboutcode-org/scancode.io/issues/1601
+
 v34.9.4 (2025-01-21)
 --------------------
 

Dockerfile

@@ -20,7 +20,7 @@
 # ScanCode.io is a free software code scanning tool from nexB Inc. and others.
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
-FROM python:3.12-slim
+FROM python:3.13-slim
 
 LABEL org.opencontainers.image.source="https://github.com/aboutcode-org/scancode.io"
 LABEL org.opencontainers.image.description="ScanCode.io"

Makefile

@@ -26,6 +26,7 @@ VENV_LOCATION=.venv
 ACTIVATE?=. ${VENV_LOCATION}/bin/activate;
 MANAGE=${VENV_LOCATION}/bin/python manage.py
 VIRTUALENV_PYZ=etc/thirdparty/virtualenv.pyz
+PIP_ARGS=--find-links=./etc/thirdparty/dummy_dist
 # Do not depend on Python to generate the SECRET_KEY
 GET_SECRET_KEY=`head -c50 /dev/urandom | base64 | head -c50`
 # Customize with `$ make envfile ENV_FILE=/etc/scancodeio/.env`
@@ -51,11 +52,11 @@ virtualenv:
 
 conf: virtualenv
 	@echo "-> Install dependencies"
-	@${ACTIVATE} pip install -e .
+	@${ACTIVATE} pip install ${PIP_ARGS} --editable .
 
 dev: virtualenv
 	@echo "-> Configure and install development dependencies"
-	@${ACTIVATE} pip install -e .[dev]
+	@${ACTIVATE} pip install ${PIP_ARGS} --editable .[dev]
 
 envfile:
 	@echo "-> Create the .env file and generate a secret key"
@@ -79,6 +80,8 @@ check:
 	@echo "-> Run Ruff format validation"
 	@${ACTIVATE} ruff format --check
 	@$(MAKE) doc8
+	@echo "-> Run ABOUT files validation"
+	@${ACTIVATE} about check --exclude .venv/ --exclude scanpipe/tests/ .
 
 check-deploy:
 	@echo "-> Check Django deployment settings"

RELEASE.md

@@ -0,0 +1,31 @@
+# Release instructions for `ScanCode.io`
+
+### Automated release workflow
+
+- Create a new `release-x.x.x` branch
+- Update the version in:
+  - `setup.cfg` (2 entries)
+  - `scancodeio/__init__.py`
+  - `CHANGELOG.rst` (set date)
+- Commit and push this branch
+- Create a PR and merge once approved
+- Tag and push that tag. This will trigger the `pypi-release.yml` GitHub workflow that 
+  takes care of building the dist release files and upload those to pypi:
+  ```
+  VERSION=vx.x.x  # <- Set the new version here
+  git tag -a $VERSION -m ""
+  git push origin $VERSION
+  ```
+- Review the GitHub release created by the workflow at 
+  https://github.com/aboutcode-org/scancode.io/releases
+
+### Manual build
+
+```
+cd scancode.io
+source .venv/bin/activate
+pip install build
+python -m build --sdist --wheel --outdir dist/ .
+```
+
+The distribution files will be available in the local `dist/` directory.

aboutcode/pipeline/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## Release 0.2.1 (February 24, 2025)
+
+* Include the ``optional_step`` steps in the ``get_graph()`` list.
+  [Issue #1599](https://github.com/aboutcode-org/scancode.io/issues/1599)
+
 ## Release 0.2.0 (November 21, 2024)
 
 * Refactor the ``group`` decorator for pipeline optional steps as ``optional_step``.