40.0.1

What's Changed

Chores 🔧

• 45b40d8 vulnerable-code: Make the API version part of the base URL

Dependency Updates 🚀

• 8da4a06 update codecov/codecov-action action to v5
• 8407d2b update github/codeql-action digest to ea9e4e3

Tests ✅

• 315123d python: Update expected results

Other Changes 💡

• a974802 Revert "fix(vulnerable-code): Still get vulnerabilities for which a fix exists"

40.0.0

What's Changed

Breaking Changes 🛠

• bd82abb refactor(asciidoc)!: Make AsciiDocTemplateReporter abstract
• 88aa4a0 refactor(asciidoc)!: Use a plugin config class
• 61e9dd0 refactor(cyclonedx)!: Use a plugin config class
• 2f1032a refactor(evaluatedmodel)!: Use a plugin config class
• 80b28c7 refactor(fossid)!: Use a plugin config class
• 27f0dae refactor(freemarker)!: Use a plugin config class
• 6fd7098 refactor(freemarker)!: Use dedicated arguments instead of options
• 553f50e refactor(gitlab)!: Use a plugin config class
• 94ebf3d refactor(maven)!: Make previously public parsing functions internal
• 15fdd7b refactor(maven)!: Move stand-alone parsing functions
• 03560a5 refactor(node)!: Make Npm separate from Yarn
• fd736f3 refactor(opossum)!: Use a plugin config class
• 5d5ea5c refactor(package-managers)!: Make explicit which project type gets managed
• fac5bf3 refactor(reporter)!: Migrate to new plugin API
• 4596888 refactor(reporter)!: Remove the unused config argument
• ff6ca62 refactor(spdx)!: Use a plugin config class
• 740436f refactor(web-app)!: Use a plugin config class

Bug Fixes 🐞

• 4a41869 clearly-defined: Consistently use ORT's OkHttp client for requests
• 2e70da8 conan: Correct the error handling when listing remotes
• affb9fe plugins-api: Fix handling of default values for string list options
• a00353f vulnerable-code: Still get vulnerabilities for which a fix exists

New Features 🎉

• 4cda010 analyzer: Support email and homepage in parseAuthorString()
• d6c8fad analyzer: Support multiple authors per author string
• 41b46fc node: Parse author email and URL from string primitives
• f236cba plugins-api: Add a way to configure plugin option aliases
• 95ea9a5 plugins-api: Make OrtPluginOption.defaultValue optional

Build 🐘 & CI ⚙️

• 254dbf9 Gradle: Enable parallel configuration cache access
• bf63013 Gradle: Remove an unneeded libs definition
• d61e927 github: Disable the build cache for CodeQL analysis

Chores 🔧

• c13dda6 analyzer: Use permalinks in the error for duplicate projects
• 0d455cd clearly-defined: Simplify a test asserting facets
• 08939a3 detekt: Remove unneeded @Suppress annotations
• 660d54d freemarker: Remove unused constants
• d2e6ae6 maven: Avoid unsafe non-null assertions via destructions
• 1850024 node: Remove an unneeded else case
• ec23aec node: Rename a field to plural as it is a set
• 15dcd7b npm: Remove an unneeded Suppress annotation
• 0f14d8d tests: Simplify shouldNotBeNull calls
• 92fdfa2 yarn2: Map directly to a set

Dependency Updates 🚀

• e841910 update dependency com.charleskorn.kaml:kaml to v0.63.0
• 2b7f063 update dependency com.charleskorn.kaml:kaml to v0.65.0
• 978a71f update dependency gradle to v8.11
• 2ff9f5f update docusaurus monorepo to v3.6.1
• 29183a4 update github/codeql-action digest to 396bb3e
• a5adf08 update github/codeql-action digest to 4f3212b
• a07baac update github/codeql-action digest to 9278e42
• 2bf483c update gradle/actions digest to 473878a
• 04772cd update ksp to v2.0.21-1.0.27

Documentation 📖

• 283689b asciidoc: Slightly improve docs of PdfTemplateReporter
• aee88f2 clearly-defined: Add (links to) rate limit documentation
• 41622d0 model: Trivially improve wording of a TODO statement
• 6fa4cb2 node: Remove a comment which does not provide much info
• 5a063c4 node: Remove a couple of comments

Refactorings 🚜

• 2487cfc AnalyzerResultBuilder: Introduce an addProject() function
• e13d2d6 conan: Split the function to configure remote authentication
• d192310 maven: Make a workspace reader's delegate property private
• 2034b29 maven: Move Maven support classes to separate files
• e5d0526 maven: Move non-public static functions to the top level
• dcc97a0 model: Introduce a function to add dependencies to the graph
• 617ccd9 node: Extract extractNpmIssues()
• 9a2cbc4 node: Extract code to wrap a primitive into an object
• 982580f node: Inline a function again
• 716420b node: Move NpmModuleInfo into a separate file
• 151858e node: Reduce the number of map conversions
• b86e0ae spdx: Inline the MANAGER_NAME constant
• b80ec20 swiftpm: Inline the PROJECT_TYPE constant

Tests ✅

• 156b371 node: Add missing toYaml() calls for textual result comparison
• 0d06faa node: Parse a Yarn instead of a Npm instance
• d562e97 package-managers: Remove all Windows-specific expected results
• 893f7f0 python: Update expected results
• 8d70428 stack: Update the .cabal file

Other Changes 💡

• 959b3af style(maven): Slightly reformat code to match similar code

39.0.0

What's Changed

Breaking Changes 🛠

• 31592d4 refactor(node)!: Also move Npm into its own dedicated directory
• 743fd64 refactor(node)!: Invert the inheritance between Yarn and Npm
• 96ded74 refactor(node)!: Limit visibility of NpmDetection code to internal
• 5e1d04e refactor(node)!: Move Yarn into its own dedicated directory
• 5f8ee66 refactor(node)!: Move all files from utils one level up
• 9d63529 refactor(yarn)!: Make loadWorkspaceSubmodules() private

Bug Fixes 🐞

• 06059dd cli: Guard against foreign classpath items with a pathing JAR
• 4a7d58a freemarker: Apply license choices for NOTICE_DEFAULT
• 78fa878 jenkins: Do not use deprecated config key names
• 9c22891 node: Deserialize repository: {} in package.json to null
• bfcfe62 spdx-report: Apply license choices

New Features 🎉

• 0b2b2af osv: Support parsing CVSS v4 vectors
• 70c5179 spdx-reporter: Report detected root licenses for packages
• f1da1cf spdx-utils: Add a function to simplify SPDX expressions
• 31b9be8 spdx-utils: Simplify and / or operators for equal operands

Chores 🔧

• 1de3e08 freemarker: Trivially improve formatting of a comment
• ec77849 npm: Add a missing import
• 390a055 spdx-reporter: Simplify licenseDeclared expressions
• fb6e648 vulnerable-code: Sort tests alphabetically

Dependency Updates 🚀

• f8a0c39 Update the dependency-analysis-gradle-plugin to version 2.4.2
• 95cec36 update actions/attest-build-provenance digest to ef24412
• 151437d update dependency com.charleskorn.kaml:kaml to v0.62.2
• 0690c94 update dependency com.networknt:json-schema-validator to v1.5.3
• 757d38d update dependency com.zaxxer:hikaricp to v6.1.0
• ea8470f update dependency io.github.pdvrieze.xmlutil:serialization to v0.90.3
• fe80e46 update dependency org.jruby:jruby to v9.4.9.0
• f2f45c0 update mordant to v3.0.1

Documentation 📖

• 1f45fda integrations: Add note on running Jenkins as a docker container
• b43a41a integrations: Add required plugin for Jenkins >=2.462.3 to list

Refactorings 🚜

• c702648 dos: Add error message from DOS in issue
• 241da93 dos: Log id for scan job
• 8478040 node: Move the logger variable to the top
• f566a2d node: Move two model mapping functions to NpmSupport
• ccdcad4 node: Remove a dependency on Npm
• 7f61de7 spdx: Move nullOrBlankToSpdxNoassertionOrNone()
• d44917c spdx-reporter: Extract a variable for later reuse
• 94a8708 spdx-utils: Split the large SpdxExpressionTest

Tests ✅

• 5cf22e6 node: Re-align test class name and location
• f100ed0 753d72d 482a499 python: Update expected results
• 254ae3b spdx-reporter: Add a test for a Go project
• 52d1ce0 vulnerable-code: Add a test for an NPM package

Other Changes 💡

• 8e196ab Revert "refactor(script): Migrate from deprecated constructorArgs to properties"

38.0.0

What's Changed

Breaking Changes 🛠

• e01a1f2 refactor(node)!: Move Pnpm into its own dedicated package

Bug Fixes 🐞

• a1652ea dos: Edit downloading the source to be scanned
• 3a8812d model: Correctly map Identifier namespaces to purl namespaces
• b1740ef model: Rework purl conversion according to the specs
• 42f0f33 spdx-reporter: Also check LicenseRef exceptions of snippets
• fe7d1ef spdx-reporter: Remove a conflicting license validity check
• f1a49b5 utils: Support deleting read-only files on Windows
• 41d1c6f yarn: Fix up the error handling in getRemotePackageDetails()

New Features 🎉

• c9d2a49 spdx: Deal with cycles in dependency relations
• 2161ffd yarn: Also log warnings output by yarn info

Chores 🔧

• d2dd061 model: Nest purl tests in preparation for adding more tests
• 2c79d17 model: Remove a few redundant purl tests
• 24f44d8 osv: Remove the work-around for Swift
• 51f5ec6 spdx-reporter: Map to a Set for distinct entries
• 7cd95a4 spdx-reporter: Remove a default strictness argument
• 4814301 Align on "purl" spelling for Package URLs

Dependency Updates 🚀

• e39a48c Update the dependency-analysis-gradle-plugin to version 2.3.0
• b3c1124 Update the dependency-analysis-gradle-plugin to version 2.4.0
• d2cfce1 update actions/checkout digest to 11bd719
• bc94e33 update actions/setup-java digest to 8df1039
• 17767fb update actions/setup-node digest to 39370e3
• d0cf5be update dependency ch.qos.logback:logback-classic to v1.5.12
• f38c1f4 update dependency com.charleskorn.kaml:kaml to v0.62.0
• 2b4e7fb update dependency com.charleskorn.kaml:kaml to v0.62.1
• 52162c5 update dependency software.amazon.awssdk:s3 to v2.29.0
• 01340ed update exposed to v0.56.0
• cee8a78 update github/codeql-action digest to 6624720
• 69fcc36 update jackson to v2.18.1
• 31edf71 update jetbrains/qodana-action action to v2024.2.5
• 8f00ece update jetbrains/qodana-action action to v2024.2.6

Documentation 📖

• 1219605 model: Clarify in a test what a "clean" purl is supposed to be
• b4d9313 spdx-utils: Clarify that licenseInfoFromFiles contains license IDs
• 6f3aaa5 spdx-utils: Document each main class with a link to the spec
• 0460948 yarn: Add information about the mentioned network issue
• 02192a3 yarn: Re-align the docs with the function

Refactorings 🚜

• 7f07648 model: Move purl-related tests to PurlExtensionsTest
• 49c654a model: Turn purl test data assertions into sanity checks
• 771a6a5 npm: Allow getRemotePackageDetails() to return null
• 6f802f8 npm: Make getRemotePackageDetails() handle unsuccessful runs
• 1394274 npm: Move parsePackage() outside of the Npm class
• 5bff7a2 npm: Move parseProject() out of the class
• 6999a12 npm: Remove a now unnecessary runCatching()
• 0223e40 osv: Simplify queries with purls
• 0eb1eea pnpm: Make Pnpm separate from Npm
• 26703f9 yarn: Extract extractDataNodes()
• 8e90a79 yarn: Use a more speaking name for output

Tests ✅

• a265d38 model: Add name(space) specific purl tests
• 419b42b model: Test against the official purl test suite data
• bfa893b npm: Re-create the lockfile for the babel project
• f63b068 osv: Update expected results
• 61c4721 pnpm: Add some more functional test coverage
• db0ec55 python: Update expected results
• b688a9c python: Update expected results
• c535f61 vulnerable-code: Test lookup for a Go package
• 507ee30 yarn: Add some more functional test coverage
• d59b609 yarn2: Move the functional test into the yarn2 package

37.0.0

What's Changed

Breaking Changes 🛠

• e4e8396 chore(model)!: Remove old plugin config aliases
• d1fa585 refactor(model)!: Rename a LicenseFilePatterns property
• 131c130 refactor(model)!: Rename a class to PathLicenseMatcher

Bug Fixes 🐞

• 9ccccf6 gradle-inspector: Optimize memory by caching dependency subtrees
• 1b83831 jenkins: Allow to select DOS as a project and package scanner
• 950624a pub: Support deserializing hosted deps without version constraint
• ad9a363 yarn: Deal with retries when parsing the command output

Chores 🔧

• 7b1c5b9 pub: Handle dependency types in the same order as documented
• 9b9d996 pub: Order dependency classes as in the linked documentation
• 5c27750 pub: Simplify deserializing dependencies
• e612c50 scanner: Give a variable in a test a better name
• d743b8a Align custom kotlinx-serializers to be objects, part 2

Dependency Updates 🚀

• e65ff6b docker: Upgrade Askalono to version 0.5.0
• 622655e Update the dependency-analysis-gradle-plugin to version 2.2.0
• 1106470 update dependency @mdx-js/react to v3.1.0
• ed4bccf update dependency com.github.jmongard.git-semver-plugin to v0.12.11
• 8885a75 update dependency com.squareup:kotlinpoet to v2
• f24b2b3 update dependency org.asciidoctor:asciidoctorj-pdf to v2.3.19
• 65df485 update dependency org.semver4j:semver4j to v5.4.1
• 606c475 update dependency org.wiremock:wiremock to v3.9.2
• 3101aa8 update github/codeql-action digest to f779452
• d169fae update ksp to v2.0.21-1.0.26

Documentation 📖

• 786aba4 model: Improve LicenseFilePatterns docs
• 89f8422 pub: Add links to dependency types
• 36418b6 pub: Move a comment to the data class docs

Refactorings 🚜

• 6c7a4b1 model: Make LicenseFilePatterns properties sets
• 1151e95 model: Move RootLicenseMatcherTest to the correct package
• 7143c32 npm: Drop a slightly misleading log output
• cbdb228 npm: Remove unused parallelization constructs
• 19aaa1c pub: Add a default value for version for consistency
• 201e0de pub: Only use a single shared YAML instance
• bd745c1 pub: Reduce code by delegating to the default serializer
• 0efd79b pub: Reorder classes into packages

Tests ✅

• 6bb98df osv: Update expected results
• 8808d0c c1c7907 pub: Update expected results
• 56c1e8a python: Update expected results

36.0.0

What's Changed

Breaking Changes 🛠

• 4470675 chore(clearly-defined)!: Make CoordinatesSerializer internal

Bug Fixes 🐞

• 03b4ed9 cli: Remove credentials from environment variables
• 47f73b4 gradle-plugin: Guard dependencyResolutionManagement usage
• acfb440 maven: Correctly convert repositories
• 0d99de2 pub: Properly end the input structure when parsing specs
• 9d0873c spdx-utils: Accept the "no patent" exception

New Features 🎉

• e5c6e0c fossid: Make FossID sensitivity configurable

Build 🐘 & CI ⚙️

• 1d9c188 gradle: Update transitive commons-io versions
• bac154a release: Increase the timeout for creating the staging repository

Chores 🔧

• 9607cd0 Align custom kotlinx-serializers to be objects

Dependency Updates 🚀

• b4523c9 Update the gradle-maven-publish-plugin to version 0.30.0
• d67369d update dependency ch.qos.logback:logback-classic to v1.5.10
• b54962b update dependency ch.qos.logback:logback-classic to v1.5.11
• 06537b2 update dependency io.github.pdvrieze.xmlutil:serialization to v0.90.2
• 8c103c4 update dependency org.cyclonedx:cyclonedx-core-java to v9.1.0
• 89af4ed update kotlin monorepo to v2.0.21
• 0b82618 update ksp to v2.0.21-1.0.25

Refactorings 🚜

• 831b113 pub: Port the lockfile parsing to KxS

Tests ✅

• 79ea2e6 pnpm: Drop the unsupported workspaces property
• bb336f0 64dc2c1 pub: Update expected results

35.0.0

What's Changed

Breaking Changes 🛠

• ab39b4d build(gradle)!: Build with Java 21

Bug Fixes 🐞

• 0092efa Npm: Stop creating dangling packages for non-workspace projects
• 1965e25 bazel: Disable the wrapper script only for the --version call
• bca9748 gradle: Also check for non-empty resolution alternatives
• c9d114c gradle: Be specific about using Adoptium / Temurin as the JDK
• f272825 gradle-plugin: Build with the lowest supported Java version
• 864d19f node: Represent workspace submodules as Projects
• b9e6b8d Tolerate LicenseRef-* exceptions in declared license mappings

New Features 🎉

• 9b9beac bazel: Support github in the module metadata JSON file

Build 🐘 & CI ⚙️

• 9e26438 gradle: Make the Java version used for KSP configurable
• 085020f gradle: Remove unused Ktor version catalog entries

Chores 🔧

• c48533b bazel: Output the registry's URL with each error message
• 901aa9d gradle: Omit a default argument when publishing
• 6ab1310 model: Rename "components" variables in Identifier
• e47d5c8 npm: Move a TODO comment above the function signature
• 23f425c pub: Align the Gradle check with DependencyGraphNavigator
• 796cd27 scanner: Remove an unused label

Dependency Updates 🚀

• 953a4b6 Update the dependency-analysis-gradle-plugin to version 2.1.3
• 7509ece Update the dependency-analysis-gradle-plugin to version 2.1.4
• 2097810 update actions/checkout digest to eef6144
• c4c2177 update actions/setup-java digest to b36c23c
• 546550e update dependency ch.qos.logback:logback-classic to v1.5.9
• 3087efe update dependency com.github.ajalt.clikt:clikt to v5.0.1
• 58e3c6f update dependency com.icegreen:greenmail to v2.1.0
• 32f0263 update dependency io.foojay.api:discoclient to v21
• 86606ff update dependency io.mockk:mockk to v1.13.13
• 46afc3a update docker/setup-buildx-action digest to c47758b
• 8b030ab update github/codeql-action digest to 6db8d63
• f9ddacb update github/codeql-action digest to c36620d
• a8031bf update jgit to v7

Documentation 📖

• 8369f2a gradle: Add links to the Gradle Java-compatibility matrix
• 175f03a model: Clarify an Identifier's project vs. package use

Refactorings 🚜

• 28dce9a node: Use Set<File> as the type for submodule directories
• dc5fc90 npm: Reduce the amount of filterTo()s
• 01eaf8f npm: Replace two !! with checkNotNull()
• e4b37aa npm: Use named arguments in a constructor call

Tests ✅

• 1d71126 bazel: Add a missing test for when there is no lockfile
• 6a8a46c cli: Remove a Gradle project analysis
• 973bc59 common-utils: Remove a test that relies on the Security Manager
• 70e0f81 osv: Update expected results
• c6003b8 python: Update expected results
• 8b07534 python: Update expected results
• e34734a Ensure to use a compatible Java version for Gradle projects
• 118fab7 Ensure to use a compatible Java version for Gradle projects

34.0.0

What's Changed

Breaking Changes 🛠

• 1f4d723 chore(advisor)!: Remove the NexusIQ advisor
• baa1fd4 refactor(common-utils)!: Clarify the use of resolveExecutable()

Bug Fixes 🐞

• 6d576c3 analyzer: Maintain package manager names as keys in the graph
• 83a4465 gradle-inspector: Properly pass through the managerName for issues
• a3460f3 node: Support deserializing PackageJson.author from an array

New Features 🎉

• 6b896c3 common-utils: Stricten a check in resolveExecutable()
• c180727 gradle: Allow to configure the Java version and / or home
• e18b08e helper-cli: Add an option to override the repository configuration
• e642295 model: Add Git-only VCS host names as Git aliases
• 789f15b ort-utils: Improve the JDK check to not accept a JRE
• 2673ccb ort-utils: Support file URLs in downloads

Build 🐘 & CI ⚙️

• 7d48df1 github: Associate the dependency graph to the main branch
• f92ad12 Simplify the reuse check

Chores 🔧

• 6311935 .ort.yml: Trim trailing whitespace
• 062221e analyzer: Avoid unnecessary mutable maps
• 1e7ec04 analyzer: Slightly optimize a check
• 8b7d02c gradle: Make managerName in GradleDependencyHandler private
• 20d7898 gradle-inspector: Improve a log message
• 38d88ab helper-cli: Drop the obsolete command to create analyzer results
• 720a23c node: Remove the unused parseNpmLicenses() function
• f9a91f9 package-managers: Simplify code to get javaHome a bit
• 95c604b Simplify mapping of non-empty strings

Dependency Updates 🚀

• ae10e2f Update the dependency-analysis-gradle-plugin to version 2.1.1
• 7bdbcd1 update codecov/codecov-action digest to b9fd7d1
• 90c8fb0 update dependency ubuntu to v24
• fcb93d8 update docker/build-push-action digest to 32945a3
• 7625dae update docker/build-push-action digest to 4f58ea7
• 1811b5f update github/codeql-action digest to e2b3eaf
• a03471c update hoplite to v2.8.2
• cd61f12 update jackson to v2.18.0
• a8bff04 update log4j2 monorepo to v2.24.1

Documentation 📖

• 2c8b259 analyzer: Remove a comma to fix grammar
• d200260 dos: Fix a typo
• 3b0c858 model: Fix a typo in documentation for addDependency()
• c363749 ort-utils: Align wording of Environment property docs
• ef8b61c ort.yml: Improve code block titles for examples
• b4922ec scanoss: Fix a typo
• b3e9ddb website: Fix a typo
• e309c3b website: Use the correct property for the description header

Refactorings 🚜

• b5dd8d7 go: Combine getProjectName() into getModuleInfo()
• c03ecf3 model: Extract a dependenciesAccessor() function for reuse
• 7b4177d model: Inline a referenceFor() overload function
• ed4a537 model: Inline the graphForManager() function
• d347153 model: Make DependencyGraph.edges non-nullable
• e815570 model: Make DependencyGraph.nodes non-nullable
• 407d287 ort-utils: Introduce a helper to check the JDK version
• 988dd17 ort-utils: Introduce a static Java version property

Tests ✅

• 2b08e9e conan: Update expected results
• d26e12f pub: Update expected results

Other Changes 💡

• b5723d6 style(analyzer): Use parentheses after functions in test names

33.1.0

What's Changed

Bug Fixes 🐞

• a980b5d bazel: Force the generation of a MODULE.bazel.lock file
• 3e1a8c4 scanner: Create intermediate nested provenance directories
• 7a1c59d scanner: Properly handle scanPath() exceptions

New Features 🎉

• 7f3764e bazel: Add support for the git_repository source info type
• 0430090 bazel: Add support for the local_path source info type
• 573b86f bazel: Prepare for other types of module source info
• 0e2a943 sbt: Add back checking the global SBT version as well
• b5efe6f sbt: Allow to configure the SBT version, and Java version / home
• cd70325 scancode: Try to to get more information on failures
• 165b3e6 yarn: Fail in case an update of the lockfile is needed

Build 🐘 & CI ⚙️

• 12d16ab github: Submit the Gradle dependency graph for releases

Chores 🔧

• 9fa1666 scanner: Get the time for a failure summary only once

Dependency Updates 🚀

• 211890e docker: Pin setuptools version to 74.1.3
• 5b9da04 docker: Upgrade Python to 3.11.10
• a58ac50 docker: Upgrade pyenv to 2.4.13
• f17d292 docker: Upgrade the INCLUDE-syntax extension
• bc92f57 Update the dependency-analysis-gradle-plugin to version 2.1.0
• 93fe4f9 update actions/setup-node digest to 0a44ba7
• 426c04b update dependency com.networknt:json-schema-validator to v1.5.2
• 442b553 update dependency com.zaxxer:hikaricp to v6
• bfe97b1 update dependency gradle to v8.10.2
• f883120 update dependency org.jetbrains.exposed:exposed-java-time to v0.55.0
• 7512eeb update dependency org.jetbrains.gradle.plugin.idea-ext to v1.1.9
• e63a244 update github/codeql-action digest to 294a9d9
• 9e30e9d update github/codeql-action digest to 461ef6c
• ad3b9fb update jetbrains/qodana-action action to v2024.2.3
• 12efc26 update kotlinxserialization to v1.7.3

Documentation 📖

• 062f517 scancode: Move a comment to a more relevant location

Refactorings 🚜

• 047efd1 sbt: Factor code out of checkConfiguredSbtVersions()
• 922e42f sbt: Only check SBT versions configured in the build
• d9b30a6 sbt: Simplify the definition of default options
• bff2ac8 yarn2: Improve a constant name

Tests ✅

• 837d588 node: Make the naming of expected result files more consistent
• 412a010 node: Move Pnpm test projects into a dedicated pnpm directory
• 563ce35 node: Move Yarn2 test projects into a dedicated yarn2 directory
• 9860496 node: Move the expected result files into each respective dir
• 9198c5b npm: Stop using npm-expected-output.yml for multiple test cases
• d346925 c44408f 2308b11 ac771e4 osv: Update expected results
• 10618d5 pnpm: Slightly improve a project name and metadata
• ad1329b pub: Update expected results
• adeb51e python: Update expected results
• 8f4b542 yarn2: Slighly improve a project name and metadata

33.0.0

What's Changed

Breaking Changes 🛠

• 60ef7c9 feat(advisor)!: Rework VulnerabilityReference semantics
• 01ca824 refactor(model)!: Generalize the scoring system mapping
• 6015cc9 refactor(yarn2)!: Inline YARN_PATH_PROPERTY_NAME
• 630a8db refactor(yarn2)!: Move some vals and funs outside of the companion

Bug Fixes 🐞

• 2ac103a bazel: MODULE.bazel files from a local registry should be ignored
• cb7c914 model: sslmode typo in reference.yml
• e8e9b83 osv: Improve error handling a bit
• 508dbfc spdx-utils: Support reading dashed reference category names

New Features 🎉

• 24656e2 model: Add underscore variants to CVSS names
• 95cba40 vulnerable-code: Add scoring elements to the data model

Build 🐘 & CI ⚙️

• e833172 gradle: Do not set a global duplicatesStrategy anymore
• 9928629 gradle: Replace custom code with the reproducible-builds plugin
• c6523c4 github: Do not configure a custom linter version anymore
• 9f7b625 renovate: Disable NuGet package manager updates

Chores 🔧

• 61eb5c1 evaluator: Remove a few named lambda variables to simplify code
• d29db08 gradle-plugin: Explicitly set a duplicatesStrategy
• ce409f9 helper-cli: Consistently make commands internal
• a577470 helper-cli: Consistently name the help parameter explicitly
• bb0654c node: Add a couple of links to upstream documentation
• c725523 node: Slightly simplify Yarn code to get package details
• f675a32 osv: Improve mapping from OSV to ORT vulnerability references
• 275c2c1 yarn2: Drop an obsolote TODO comment

Dependency Updates 🚀

• a488e05 Update clikt to version 5.0.0 and Mordant to version 3.0.0
• 0b24c91 Update dependency-analysis-gradle-plugin to version 2.0.2
• 0c10c2f Update kotlinx-coroutines to version 1.9.0
• 280d8fb update dependency org.semver4j:semver4j to v5.4.0
• 521bd69 update dependency software.amazon.awssdk:s3 to v2.28.0
• fd28fcf update github/codeql-action digest to 8214744
• 21a3289 update gradle/actions digest to d156388
• 12c8019 update jetbrains/qodana-action action to v2024.1.10
• c750cfd update jetbrains/qodana-action action to v2024.1.11
• 0c540bd update jetbrains/qodana-action action to v2024.2.2

Documentation 📖

• 8a1e42a gradle: Improve the wording of a code comment
• 1b15bfa yarn2: Fix-up a couple of broken KDoc references

Refactorings 🚜

• 5a303ad helper-cli: Introduce an abstract OrtHelperCommand base
• d1fa1f2 model: Extract vulnerability rating code to a function
• 8b45010 npm: Use a simpler return type for two functions
• 5bc030e yarn2: Extract isCorepackEnabled()
• e2bca6b yarn2: Inline DEFAULT_EXECUTABLE_NAME
• da6cc49 yarn2: Move a couple of functions / classes to the file level
• 12c99e1 yarn2: Move some sanity logic into getYarnExecutable()
• 5d0f002 yarn2: Reduce the scope of the version variable
• 098ef99 yarn2: Simplify cleanYarn2VersionString()
• 9db096c yarn2: Use a shorter name for versionFromLocator

Tests ✅

• c17e5c3 bazel: Update expected results
• 52cb0e0 conan: Split out the lockfile case into a dedicated test
• a9e964e conan: Update expected results
• 6123c13 node: Consistently place Npm projects in the npm directory
• 06fe673 node: Drop the README.md for Npm test assets
• c67d544 node: Improve a test case name
• b0bd418 node: Merge NpmVersionUrlFunTest into NpmFunTest
• 8cbbb57 node: Move Yarn test projects into a dedicated yarn directory
• 254a64a node: Slightly improve a project name and metadata
• 49b65dd osv: Update expected results
• 6e181ef bc819cc osv: Update expected results