Update to scancode-toolkit v32.5.0 (#2000)

Signed-off-by: Ayan Sinha Mahapatra <asmahapatra@aboutcode.org>

Author: AyanSinhaMahapatra

.github/workflows/publish-pypi-release-aboutcode-pipeline.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.14
 
       - name: Install flot
         run: python -m pip install flot --user

.github/workflows/publish-pypi-release.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.13
+          python-version: 3.14
 
       - name: Install pypa/build
         run: python -m pip install build --user

.github/workflows/run-unit-tests-macos.yml

@@ -21,7 +21,7 @@ jobs:
 
     strategy:
       matrix:
-        python-version: ["3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout code

.github/workflows/run-unit-tests.yml

@@ -39,7 +39,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ["3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
     steps:
       - name: Checkout code

CHANGELOG.rst

@@ -7,6 +7,46 @@ Docker Compose users with existing data: run `./migrate-pg13-to-17.sh` before st
 the stack.
 Fresh installations require no action.
 
+v36.1.0 (2026-01-22)
+--------------------
+
+- Bump to latest scancode-toolkit v32.5.0 with:
+  * package and license detection performance improvement
+  * python3.14 support with updated dependencies
+  * improved copyright, license and package detection
+  For more details see https://github.com/aboutcode-org/scancode-toolkit/releases/tag/v32.5.0
+  https://github.com/aboutcode-org/scancode.io/pull/2000
+
+- Support python3.14
+  https://github.com/aboutcode-org/scancode.io/pull/2000
+
+- Update to scancode-toolkit v32.4.1
+  https://github.com/aboutcode-org/scancode.io/pull/1984
+  For more details see https://github.com/aboutcode-org/scancode-toolkit/releases/tag/v32.4.1
+
+- Store the whole vulnerability data from cdx to local models
+  https://github.com/aboutcode-org/scancode.io/pull/2007
+
+- Add project vulnerability list view
+  https://github.com/aboutcode-org/scancode.io/pull/2018
+
+- Update minecode-pipelines to latest v0.1.1
+  https://github.com/aboutcode-org/scancode.io/pull/2013
+
+- Refine d2d pipelines with misc improvements
+  https://github.com/aboutcode-org/scancode.io/pull/1996
+  https://github.com/aboutcode-org/scancode.io/pull/1995
+  https://github.com/aboutcode-org/scancode.io/pull/1999
+  https://github.com/aboutcode-org/scancode.io/pull/2021
+
+- Sanitize ORT package IDs to handle colons in versions
+  https://github.com/aboutcode-org/scancode.io/pull/2005
+
+- Restructure docs and README
+  https://github.com/aboutcode-org/scancode.io/pull/2032
+
+
+
 v36.0.1 (2025-12-09)
 --------------------
 

pyproject.toml

@@ -4,10 +4,10 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "scancodeio"
-version = "36.0.1"
+version = "36.1.0"
 description = "Automate software composition analysis pipelines"
 readme = "README.rst"
-requires-python = ">=3.10,<3.14"
+requires-python = ">=3.10"
 license = "Apache-2.0"
 license-files = ["LICENSE", "NOTICE", "scan.NOTICE"]
 authors = [
@@ -30,6 +30,7 @@ classifiers = [
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
     "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Topic :: Utilities"
 ]
 
@@ -56,26 +57,23 @@ dependencies = [
   # WSGI server
   "gunicorn==23.0.0",
   # Docker
-  "container-inspector==33.0.0",
+  "container-inspector==33.1.0",
   # ScanCode-toolkit
-  "scancode-toolkit[packages]==32.4.1",
+  "scancode-toolkit[packages]==32.5.0",
   "extractcode[full]==31.0.0",
-  "commoncode==32.3.0",
+  "commoncode==32.4.2",
   "Beautifulsoup4[chardet]==4.13.4",
   "packageurl-python==0.17.6",
-  # Workaround issue https://github.com/aboutcode-org/scancode.io/issues/1795
-  "fingerprints==1.2.3",
-  "normality==2.6.1",
   # FetchCode
   "fetchcode==0.8.0",
   "fetchcode-container==1.2.3.210512; sys_platform == 'linux'",
   # Inspectors
   "elf-inspector==0.0.3",
   "go-inspector==0.5.0",
-  "rust-inspector==0.1.0",
-  "binary-inspector==0.1.2",
+  "rust-inspector==0.2.1",
+  "binary-inspector==0.2.0",
   "python-inspector==0.15.0",
-  "source-inspector==0.7.0; sys_platform != 'darwin' and platform_machine != 'arm64'",
+  "source-inspector==0.7.1; sys_platform != 'darwin' and platform_machine != 'arm64'",
   "aboutcode-toolkit==11.1.1",
   # Utilities
   "XlsxWriter==3.2.9",
@@ -101,9 +99,7 @@ dependencies = [
   # AboutCode pipeline
   "aboutcode.pipeline==0.2.1",
   # ScoreCode
-  "scorecode==0.0.4",
-  # Workaround issue https://github.com/aboutcode-org/scancode.io/issues/1885
-  "click==8.2.1"
+  "scorecode==0.0.4"
 ]
 
 [project.optional-dependencies]

scancodeio/__init__.py

@@ -28,7 +28,7 @@
 
 import git
 
-VERSION = "36.0.1"
+VERSION = "36.1.0"
 
 PROJECT_DIR = Path(__file__).resolve().parent
 ROOT_DIR = PROJECT_DIR.parent

scanpipe/pipelines/analyze_root_filesystem.py

@@ -94,7 +94,11 @@ def flag_uninteresting_codebase_resources(self):
 
     def scan_for_application_packages(self):
         """Scan unknown resources for packages information."""
-        scancode.scan_for_application_packages(self.project, progress_logger=self.log)
+        scancode.scan_for_application_packages(
+            project=self.project,
+            compiled=True,
+            progress_logger=self.log,
+        )
 
     def match_not_analyzed_to_system_packages(self):
         """

scanpipe/pipelines/inspect_packages.py

@@ -41,6 +41,8 @@ class InspectPackages(ScanCodebase):
     https://scancode-toolkit.readthedocs.io/en/stable/reference/available_package_parsers.html
     """
 
+    scan_binaries = False
+
     @classmethod
     def steps(cls):
         return (
@@ -49,10 +51,19 @@ def steps(cls):
             cls.collect_and_create_codebase_resources,
             cls.flag_empty_files,
             cls.flag_ignored_resources,
+            cls.scan_binaries_for_package,
             cls.scan_for_application_packages,
             cls.resolve_dependencies,
         )
 
+    @optional_step("Compiled")
+    def scan_binaries_for_package(self):
+        """
+        Scan compiled binaries for package and dependency related data'
+        Currently supported compiled binaries: Go, Rust.
+        """
+        self.scan_binaries = True
+
     def scan_for_application_packages(self):
         """
         Scan resources for package information to add DiscoveredPackage
@@ -61,6 +72,7 @@ def scan_for_application_packages(self):
         scancode.scan_for_application_packages(
             project=self.project,
             assemble=True,
+            compiled=self.scan_binaries,
             package_only=True,
             progress_logger=self.log,
         )

scanpipe/pipes/docker.py

@@ -82,6 +82,7 @@ def extract_image_from_tarball(input_tarball, extract_target, verify=False):
         target_dir=extract_target,
         skip_symlinks=False,
         as_events=False,
+        tar_filter="tar",
     )
     images = Image.get_images_from_dir(
         extracted_location=str(extract_target),
@@ -126,6 +127,7 @@ def extract_layers_from_images_to_base_path(base_path, images):
                 target_dir=extract_target,
                 skip_symlinks=False,
                 as_events=False,
+                tar_filter="tar",
             )
             errors.extend(extract_errors)
             layer.extracted_location = str(extract_target)