Merge remote-tracking branch 'origin/scorecard_integration' into scorecard_integration
404-geek committed Nov 1, 2024
2 parents 3d4d6ea + 7c134c7 commit f4ed4b5
Showing 29 changed files with 651 additions and 91 deletions.
23 changes: 23 additions & 0 deletions CHANGELOG.rst
@@ -1,6 +1,29 @@
Changelog
=========

v34.8.2 (2024-10-28)
--------------------

- Add ``android_analysis`` to ``extra_requires``. This installs the package
``android_inspector``, which provides a pipeline for Android APK
deploy-to-development analysis.

- Remove the sleep time in the context of testing ``matchcode.poll_run_url_status``
to speed up the test.
https://github.com/aboutcode-org/scancode.io/issues/1411

- Add ability to specify the CycloneDX output spec version using the ``output``
management command and providing the ``cyclonedx:VERSION`` syntax as format value.
https://github.com/aboutcode-org/scancode-action/issues/8

- Add new ``compliance`` REST API action that list all compliance alert for a given
project. The severity level can be provided using the
``?fail_level={ERROR,WARNING,MISSING}`` parameter.
https://github.com/aboutcode-org/scancode.io/issues/1346

- Add new ``Compliance alerts`` panel in the project detail view.
https://github.com/aboutcode-org/scancode.io/issues/1346

v34.8.1 (2024-09-06)
--------------------

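Review bot: the ``compliance`` entry reads "list all compliance alert for a given project"; make it "lists all compliance alerts for a given project". Also check the extras key named in the ``android_analysis`` entry: setuptools spells the option ``extras_require``, so ``extra_requires`` is either a typo in the changelog or a mismatch with the name users have to pass to pip, and the entry should use whatever extra name setup.cfg actually declares.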
179 changes: 179 additions & 0 deletions README.rst
@@ -56,10 +56,189 @@ ScanCode.io should be considered or used as legal advice. Consult an Attorney
for any legal advice.




.. |ci-tests| image:: https://github.com/aboutcode-org/scancode.io/actions/workflows/ci.yml/badge.svg?branch=main
:target: https://github.com/aboutcode-org/scancode.io/actions/workflows/ci.yml
:alt: CI Tests Status

.. |docs-rtd| image:: https://readthedocs.org/projects/scancodeio/badge/?version=latest
:target: https://scancodeio.readthedocs.io/en/latest/?badge=latest
:alt: Documentation Build Status


Acknowledgements, Funding, Support and Sponsoring
--------------------------------------------------------

This project is funded, supported and sponsored by:

- Generous support and contributions from users like you!
- the European Commission NGI programme
- the NLnet Foundation
- the Swiss State Secretariat for Education, Research and Innovation (SERI)
- Google, including the Google Summer of Code and the Google Seasons of Doc programmes
- Mercedes-Benz Group
- Microsoft and Microsoft Azure
- AboutCode ASBL
- nexB Inc.



|europa| |dgconnect|

|ngi| |nlnet|

|aboutcode| |nexb|


This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 825322.

|ngidiscovery| https://nlnet.nl/project/vulnerabilitydatabase/


This project is funded through the NGI0 Entrust Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101069594.

|ngizeroentrust| https://nlnet.nl/project/FederatedSoftwareMetadata/


This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101135429. Additional
funding is made available by the Swiss State Secretariat for Education, Research and Innovation
(SERI).

|ngizerocommons| |swiss| https://nlnet.nl/project/FederatedCodeNext/


This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101069594.

|ngizeroentrust| https://nlnet.nl/project/Back2source/


This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101092990.

|ngizerocore| https://nlnet.nl/project/Back2source-next/


This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101092990.

|ngizerocore| https://nlnet.nl/project/FastScan/


This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101135429. Additional
funding is made available by the Swiss State Secretariat for Education, Research and Innovation
(SERI).

|ngizerocommons| |swiss| https://nlnet.nl/project/MassiveFOSSscan/


This project was funded through the NGI Assure Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 957073.

|ngiassure| https://nlnet.nl/project/FOSS-supplychain/


This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101069594.

|ngizeroentrust| https://nlnet.nl/project/FOSS-supplychain-II/


This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101069594.

|ngizeroentrust| https://nlnet.nl/project/purl2all/


This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial
support from the European Commission's Next Generation Internet programme, under the aegis of DG
Communications Networks, Content and Technology under grant agreement No 101069594.

|ngizeroentrust| https://nlnet.nl/project/purl2sym/


.. |nlnet| image:: https://nlnet.nl/logo/banner.png
:target: https://nlnet.nl
:height: 50
:alt: NLnet foundation logo

.. |ngi| image:: https://ngi.eu/wp-content/uploads/thegem-logos/logo_8269bc6efcf731d34b6385775d76511d_1x.png
:target: https://ngi.eu35
:height: 50
:alt: NGI logo

.. |nexb| image:: https://nexb.com/wp-content/uploads/2022/04/nexB.svg
:target: https://nexb.com
:height: 30
:alt: nexB logo

.. |europa| image:: https://ngi.eu/wp-content/uploads/sites/77/2017/10/bandiera_stelle.png
:target: http://ec.europa.eu/index_en.htm
:height: 40
:alt: Europa logo

.. |aboutcode| image:: https://aboutcode.org/wp-content/uploads/2023/10/AboutCode.svg
:target: https://aboutcode.org/
:height: 30
:alt: AboutCode logo

.. |swiss| image:: https://www.sbfi.admin.ch/sbfi/en/_jcr_content/logo/image.imagespooler.png/1493119032540/logo.png
:target: https://www.sbfi.admin.ch/sbfi/en/home/seri/seri.html
:height: 40
:alt: Swiss logo

.. |dgconnect| image:: https://commission.europa.eu/themes/contrib/oe_theme/dist/ec/images/logo/positive/logo-ec--en.svg
:target: https://commission.europa.eu/about-european-commission/departments-and-executive-agencies/communications-networks-content-and-technology_en
:height: 40
:alt: EC DG Connect logo

.. |ngizerocore| image:: https://nlnet.nl/image/logos/NGI0_tag.svg
:target: https://nlnet.nl/core
:height: 40
:alt: NGI Zero Core Logo

.. |ngizerocommons| image:: https://nlnet.nl/image/logos/NGI0_tag.svg
:target: https://nlnet.nl/commonsfund/
:height: 40
:alt: NGI Zero Commons Logo

.. |ngizeropet| image:: https://nlnet.nl/image/logos/NGI0PET_tag.svg
:target: https://nlnet.nl/PET
:height: 40
:alt: NGI Zero PET logo

.. |ngizeroentrust| image:: https://nlnet.nl/image/logos/NGI0Entrust_tag.svg
:target: https://nlnet.nl/entrust
:height: 38
:alt: NGI Zero Entrust logo

.. |ngiassure| image:: https://nlnet.nl/image/logos/NGIAssure_tag.svg
:target: https://nlnet.nl/image/logos/NGIAssure_tag.svg
:height: 32
:alt: NGI Assure logo

.. |ngidiscovery| image:: https://nlnet.nl/image/logos/NGI0Discovery_tag.svg
:target: https://nlnet.nl/discovery/
:height: 40
:alt: NGI Discovery logo






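Review bot: the ``|ngi|`` substitution targets ``https://ngi.eu35``, which is a broken link; it should be ``https://ngi.eu``. Two smaller points in the same block: ``|ngiassure|`` uses its own image file (``https://nlnet.nl/image/logos/NGIAssure_tag.svg``) as the link target instead of a landing page like the other NGI logos, and ``|europa|`` links to ``http://ec.europa.eu/index_en.htm`` over plain HTTP while every other target is HTTPS.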
6 changes: 6 additions & 0 deletions docs/application-settings.rst
@@ -398,6 +398,12 @@ location on disk using::

SCANCODEIO_NETRC_LOCATION="~/.netrc"

If you are deploying ScanCode.io using Docker and you wish to use a netrc file,
you can provide it to the Docker container by moving the netrc file to
``/etc/scancodeio/.netrc`` and then updating the ``.env`` file with the line::

SCANCODEIO_NETRC_LOCATION="/etc/scancodeio/.netrc"

.. _scancodeio_settings_skopeo_credentials:

SCANCODEIO_SKOPEO_CREDENTIALS
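Review bot: the Docker paragraph should say what makes ``/etc/scancodeio/.netrc`` visible inside the container (the host directory has to be mounted into it, and the path written to ``.env`` is the path as seen from the container), and, because a netrc file holds plaintext credentials, it should tell the reader to keep the file readable only by the account that runs ScanCode.io (``chmod 600``) so it is not exposed to other users on the host or to anything else sharing the mounted directory.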
3 changes: 3 additions & 0 deletions docs/command-line-interface.rst
@@ -264,6 +264,9 @@ Optional arguments:
Refer to :ref:`Mount projects workspace <mount_projects_workspace_volume>` to access
your outputs on the host machine when running with Docker.

.. tip:: To specify a CycloneDX spec version (default to latest), use the syntax
``cyclonedx:VERSION`` as format value. For example: ``--format cyclonedx:1.5``.

`$ scanpipe check-compliance --project PROJECT`
-----------------------------------------------

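Review bot: the tip says "default to latest" but does not say which CycloneDX spec versions ``cyclonedx:VERSION`` accepts or what happens with an unsupported value (an error versus a silent fallback to the latest); both should be stated, since the consumer of the SBOM usually requires a specific schema version. Minor wording: "defaults to the latest".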
4 changes: 2 additions & 2 deletions docs/faq.rst
@@ -14,7 +14,7 @@ you simply start by creating a :ref:`new project <user_interface_create_new_proj
and run the appropriate pipeline.

ScanCode.io offers several :ref:`built_in_pipelines` depending on your input, see
the :ref:`faq_which_pipeline` bellow.
the :ref:`faq_which_pipeline` below.

As an alternative, I you simply which to run a pipeline without installing ScanCode.io
you may use the Docker image to run pipelines as a single command:
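Review bot: the sentence right after the corrected line still reads "As an alternative, I you simply which to run a pipeline"; while this paragraph is being touched, change it to "As an alternative, if you simply wish to run a pipeline".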
@@ -271,7 +271,7 @@ data older than 7 days::

@daily scanpipe flush-projects --retain-days 7 --no-input

.. note:: If you are use Docker for running ScanCode.io, you can run the scanpipe
.. note:: If you are using Docker for running ScanCode.io, you can run the scanpipe
``flush-projects`` command using::

docker compose run --rm web scanpipe flush-projects
33 changes: 32 additions & 1 deletion docs/rest-api.rst
@@ -320,10 +320,41 @@ Data:
"status": "The project project_name has been archived."
}
.. _rest_api_compliance:

Compliance
^^^^^^^^^^

This action returns a list of compliance alerts for a project,
filtered by severity level.
The severity level can be customized using the ``fail_level`` query parameter.
Defaults to ``ERROR`` if not provided.

``GET /api/projects/6461408c-726c-4b70-aa7a-c9cc9d1c9685/compliance/?fail_level=WARNING``

Data:
- ``fail_level``: ``ERROR``, ``WARNING``, ``MISSING``.

.. code-block:: json
{
"compliance_alerts": {
"packages": {
"warning": [
"pkg:generic/package@1.0",
"pkg:generic/package@2.0"
],
"error": [
"pkg:generic/package@3.0"
]
}
}
}
Reset
^^^^^

This action will delete all related database entrie and all data on disks except for
This action will delete all related database entries and all data on disks except for
the :guilabel:`input/` directory.

``POST /api/projects/6461408c-726c-4b70-aa7a-c9cc9d1c9685/reset/``
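Review bot: as displayed, ``.. code-block:: json`` is immediately followed by ``{`` with no blank line, and the ``}`` that closes the previous example is immediately followed by ``.. _rest_api_compliance:``; reStructuredText needs a blank line in both places, otherwise the JSON is not treated as the directive body and the label is swallowed by the preceding literal block, so confirm the blank lines and indentation are present in the file. The semantics of ``fail_level`` should also be explicit: the example with ``?fail_level=WARNING`` returns both ``warning`` and ``error`` entries, so the parameter is a threshold (alerts at that severity and above), not an exact match, and "filtered by severity level" should say so; state as well what the endpoint returns for a value outside ``ERROR``, ``WARNING``, ``MISSING``.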
23 changes: 19 additions & 4 deletions docs/tutorial_license_policies.rst
@@ -39,7 +39,7 @@ similar to the following:
such as mit and gpl-3.0, which represents the ScanCode license key to match
against detected licenses in the scan results.
- A policy is defined with a ``label`` and a ``compliance_alert``.
The labels can be customized to your prefered wording.
The labels can be customized to your preferred wording.
- The ``compliance_alert`` accepts 3 values:

- ``''`` (empty string)
@@ -50,7 +50,7 @@ Policies File Location
----------------------

By default, ScanCode.io will look for a ``policies.yml`` file at the root of its
codebase.
app codebase.

Alternatively, you can configure the location of policies files using the
dedicated :ref:`scancodeio_settings_policies_file` setting in your ``.env`` file.
@@ -140,6 +140,21 @@ detected licenses, and computed at the codebase resource level, for example:
"[...]": "[...]"
}
The compliance alert are also displayed in the Web UI:
Web UI
------
.. image:: images/tutorial-license-policies-results.png
Compliance alerts are visible directly in the Web user interface through the following:
* A summary panel in the project detail view:
.. image:: images/tutorial-policies-compliance-alerts-panel.png
* A dedicated column within the Packages and Resources list tables:
.. image:: images/tutorial-policies-compliance-alerts-column.png
REST API
--------
For more details on retrieving compliance data via the REST API, refer to the
:ref:`rest_api_compliance` section.
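Review bot: the new bullets use ``*`` while the rest of this page uses ``-`` (see the list under "similar to the following" above), so switch them to ``-`` for consistency. As displayed there is also no blank line between each bullet and the ``.. image::`` directive that follows it, nor between the new headings and their first body line; reStructuredText expects a blank line before a directive and docutils will warn that the list ends without one, so confirm the spacing in the file. Finally, the reference to ``images/tutorial-license-policies-results.png`` is removed here, so that image should be deleted from ``docs/images`` if nothing else still references it.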
2 changes: 1 addition & 1 deletion docs/tutorial_web_ui_review_scan_results.rst
@@ -10,7 +10,7 @@ The goal here is to guide you on how to understand and review your scan
results using the ScanCode.io web interface.

.. tip::
As a perquisite, follow the :ref:`tutorial_web_ui_analyze_docker_image` tutorial
As a pre-requisite, follow the :ref:`tutorial_web_ui_analyze_docker_image` tutorial
to have a better understanding of the information included here.

.. image:: images/tutorial-web-ui-project-list.png
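Review bot: "pre-requisite" is still non-standard; the usual spelling is "prerequisite" (one word, no hyphen).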
Binary file modified etc/thirdparty/virtualenv.pyz
6 changes: 3 additions & 3 deletions etc/thirdparty/virtualenv.pyz.ABOUT
@@ -1,7 +1,7 @@
about_resource: virtualenv.pyz
name: get-virtualenv
version: 20.26.3
download_url: https://github.com/pypa/get-virtualenv/raw/20.26.3/public/virtualenv.pyz
version: 20.27.0
download_url: https://github.com/pypa/get-virtualenv/raw/20.27.0/public/virtualenv.pyz
description: virtualenv is a tool to create isolated Python environments.
homepage_url: https://github.com/pypa/virtualenv
license_expression: lgpl-2.1-plus AND (bsd-new OR apache-2.0) AND mit AND python AND bsd-new
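Review bot: ``etc/thirdparty/virtualenv.pyz`` is replaced by a new binary and ``download_url`` now points at the 20.27.0 tag, but none of the visible ABOUT fields records a checksum of the fetched archive, so a reviewer cannot confirm that the committed ``.pyz`` is byte-for-byte the upstream artifact. Since this zipapp is executed to create Python environments, record a checksum of the file (for example its SHA-256) next to ``download_url`` and verify the committed file against it on every bump.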
@@ -10,4 +10,4 @@ copyright: Copyright (c) The Python Software Foundation and others
redistribute: yes
attribute: yes
track_changes: yes
package_url: pkg:github/pypa/get-virtualenv@20.26.3#public/virtualenv.pyz
package_url: pkg:github/pypa/get-virtualenv@20.27.0#public/virtualenv.pyz
2 changes: 1 addition & 1 deletion scancodeio/__init__.py
@@ -28,7 +28,7 @@

import git

VERSION = "34.8.1"
VERSION = "34.8.2"

PROJECT_DIR = Path(__file__).resolve().parent
ROOT_DIR = PROJECT_DIR.parent