# Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

## [Unreleased]
- Upcoming changes...
## [1.19.3] - 2025-01-07
- Add Jira Markdown output on `inspect` command
  - This is useful for calls from integrations (e.g. Jenkins)

## [1.19.2] - 2025-01-06
- Add second container image `scanoss-py-base` with no `ENTRYPOINT`
  - This is useful for calls from container pipelines (e.g. Jenkins)

## [1.19.1] - 2025-01-06
- Fixed undeclared components inspection

## [1.19.0] - 2024-11-20
- Check whether the input is a legacy SBOM file before post-processing
- Use `scanoss.json` as the default settings file if no argument is supplied
- Add `--skip-settings-file` flag
- Update scanoss settings schema to allow skipping specific folders, files, and extensions
- Add `FileFilters` class to handle filtering of files and folders based on settings

## [1.18.1] - 2024-11-19
- Added `component` field in CycloneDX output

## [1.18.0] - 2024-11-11
- Fixed post processor being accessed if not set
- Added support for replace action when specifying a settings file
- Added replaced files as context to scan request
- Added sbom format flag to define status output for undeclared policy
## [1.17.5] - 2024-11-12
- Fix dependencies scan result structure

## [1.17.4] - 2024-11-08
- Fix backslashes in file paths on Windows

## [1.17.3] - 2024-11-05
- Fixed undeclared policy

## [1.17.2] - 2024-11-01
- Fixed parsing of dependencies in Policy Checks
- Fixed legacy SBOM.json support
- Added supplier to SPDX packages
- Changed undeclared summary output

## [1.17.1] - 2024-10-24
- Fixed policy summary output

## [1.17.0] - 2024-10-23
- Added `inspect` subcommand
  - Inspect for copyleft licenses (`scanoss-py inspect copyleft -i scanoss-results.json`)
  - Inspect for undeclared components (`scanoss-py inspect undeclared -i scanoss-results.json`)
- Fixed SPDX date format
## [1.16.0] - 2024-10-08
- Added the `metadata` field to the output in CycloneDX format, now including the fields `timestamp`, `tool vendor`, `tool` and `tool version`

## [1.15.0] - 2024-09-17
- Added Results sub-command:
  - Get all results (`scanoss-py results /path/to/file`)
  - Get filtered results (`scanoss-py results /path/to/file --match-type=file,snippet status=pending`)
  - Get pending declarations (`scanoss-py results /path/to/file --has-pending`)
- Added `--settings` option to `scan` command to specify a settings file
  - Specify settings file (`scanoss-py scan --settings /path/to/settings.json /path/to/file`)
- Added support for filtering dependencies based on development or production dependency scopes
- Added support for defining custom scopes to include or exclude dependencies with specified scope criteria
## [1.14.0] - 2024-08-09
- Added support for Python 3.12
  - Module `pkg_resources` has been replaced with `importlib_resources`
- Added support for UTF-16 filenames

## [1.13.0] - 2024-06-05
- Added `scan` command option to specify a list of files (`--files`) to analyse

## [1.12.3] - 2024-05-13
- Fixed export issue when license details are missing (SPDX/CycloneDX)

## [1.12.2] - 2024-04-15
- Added tagging workflow to aid release generation

## [1.12.1] - 2024-04-12
- Removed `.whl` file extension from filtered extensions

## [1.12.0] - 2024-03-26
- Updated free default URL to now point to `https://api.osskb.org`
- Updated premium default URL to now point to `https://api.scanoss.com`
## [1.11.1] - 2024-03-18
- Integrate CURL and jq
  - Includes CURL and jq within the Docker image to facilitate seamless interactions with third-party integrations.

## [1.11.0] - 2024-03-13
- Added scan/wfp file filtering options
  - Exclude files matching MD5: `--skip-md5` (repeat as needed)
  - Strip code fragments using HPSM: `--strip-hpsm` (repeat as needed)
  - Strip code fragments using snippet IDs: `--strip-snippet` (repeat as needed)

## [1.10.0] - 2024-02-09
- Added scan/wfp file filtering options
  - Exclude file extensions: `--skip-extension` (repeat as needed)
  - Exclude folder: `--skip-folder` (repeat as needed)
  - Exclude files smaller than specified: `--skip-size`
- Added `scan_files_with_options` SDK capability
  - Enables a programmer to supply a specific list of files to scan
## [1.9.0] - 2023-12-29
- Added dependency file decoration option to scanning (`scan`) using `--dep`
  - More details can be found in CLIENT_HELP.md

## [1.8.0] - 2023-11-13
- Added Component Decoration sub-command:
  - Semgrep (`scanoss-py comp semgrep`)

## [1.7.0] - 2023-09-15
- Added Component Decoration sub-commands:
  - Search (`scanoss-py comp search`)
  - Versions (`scanoss-py comp versions`)
  - Vulnerabilities (`scanoss-py comp vulns`)
## [1.6.3] - 2023-08-22
- Changed default scan POST size to 32k
- Changed default scanning threads to 5 (and timeout to 180 seconds)
- Improved HPSM generation performance

## [1.6.2] - 2023-08-11
- Added `.woff2` to the list of file types to skip while scanning

## [1.6.1] - 2023-07-06
- Fixed issue with CSV dependency generation
- Increased `scanoss-winnowing` minimum requirement to match HPSM support

## [1.6.0] - 2023-06-16
- Added support for High Precision Snippet Matching (`--hpsm` or `-H`) while scanning
  - `scanoss-py scan --hpsm ...`

## [1.5.2] - 2023-06-13
- Added retry limit option (`--retry`) while scanning
  - `--retry 0` will fail immediately

## [1.5.1] - 2023-04-21
- Added support for scanning/fingerprinting file contents from STDIN
  - `cat test.py | scanoss-py scan --stdin test.py -o results.json`
  - `cat test.py | scanoss-py wfp --stdin test.py -o fingers.wfp`

## [1.5.0] - 2023-03-21
- Added support for component cryptographic reporting
  - `scanoss-py component crypto ...`
## [1.4.2] - 2023-03-09
- Fixed issue with custom certificate when scanning (`--ca-cert`)
- Added support to download full certificate chain with:
  - `cert_download.sh`
  - `scanoss-py utils cdl`

## [1.4.0] - 2023-03-01
- Added support for fast winnowing (15x improvement) thanks to a contribution from tardyp
  - This is enabled by a supporting package: `scanoss_winnowing`.
  - It can be installed using: `pip3 install scanoss_winnowing`
  - Or using: `pip3 install --upgrade scanoss[fast_winnowing]`

## [1.3.7] - 2023-02-07
- Upgrade to the latest protobuf and grpcio packages
- Added GH Actions for building

## [1.3.6] - 2023-02-02
- Added support for Proxy Auto-Config (`--pac`) and GRPC proxy (`--grpc-proxy`)

## [1.3.5] - 2023-01-31
- Added extra fields to CSV output (`detected_url`, `detected_path`)

## [1.3.4] - 2023-01-16
- Added User-Agent client/version to requests

## [1.3.3] - 2023-01-06
- Added support for handling 503 service unavailable responses
- Added latest SPDX license definitions (2.2.7)

## [1.3.2] - 2022-12-28
- Added `x-request-id` to all scanning requests
- Added bad_request error log file to aid debug
- Fixed issue when fingerprinting large files with a small POST (`--post-size`)
## [1.3.1] - 2022-12-07
- Added `utils cert-download` sub-command to help with the use of custom certificates
  - Included a local certificate download script leveraging openssl too: `cert_download.sh`
- Added documentation to help with certificate and proxy configuration

## [1.3.0] - 2022-12-02
- Added support for proxy (`--proxy`) and certificates (`--ca-certs`) while scanning
  - Certificates can also be supplied using environment variables: `REQUESTS_CA_BUNDLE` & `GRPC_DEFAULT_SSL_ROOTS_FILE_PATH`
  - Proxies can be supplied using: `grpc_proxy`, `https_proxy`, `http_proxy`, `HTTPS_PROXY`, `HTTP_PROXY`
- Added snippet match fields to CSV output
- Added `convert` command to convert raw JSON reports into CSV, CycloneDX and SPDXLite
- Added `utils certloc` sub-command to print the location of Python's CA Cert file
  - This is useful to know where to append custom certificates to if needed

## [1.2.3] - 2022-11-22
- Added Max Threaded scanning override env var (`SCANOSS_MAX_ALLOWED_THREADS`)
  - If the backend system can handle more than the current maximum (30), then set this env var to that number: `export SCANOSS_MAX_ALLOWED_THREADS=40`

## [1.2.2] - 2022-11-18
- Added SSL cert error ignore option (`--ignore-cert-errors`) for REST calls
  - Custom certificates can be supplied using environment variables
- Added multi-platform Docker images (AMD64 & ARM64)

## [1.2.1] - 2022-11-11
- Added sub-command (`file_count`) to produce a file summary (extensions & size) into a CSV
## [1.2.0] - 2022-11-08
- Added vulnerability reporting to CycloneDX output
- Added obfuscation to fingerprinting (`--obfuscate`)
- Added obfuscation to scanning (`--obfuscate`)

## [1.1.1] - 2022-10-19
- Fixed issue with dependency parsing of yarn.lock files

## [1.1.0] - 2022-10-12
- Added LicenseRef info to SPDX Lite output
- Updated CycloneDX output format to support version 1.4
- Added request id to gRPC requests

## [1.0.6] - 2022-09-19
- Added support for scancode 2.0 output format

## [1.0.4] - 2022-09-07
- Fixed spelling mistake in SPDX output
- Adjusted protobuf module requirements

## [1.0.0] - 2022-07-22
- Added support for CSV output (`--format csv`)
- Added documentDescribes to SPDXLite output

## [0.9.0] - 2022-06-09
- Added support for dependency scanning (`--dependencies`)
  - This depends on scancode to search for dependency files
- Added dependency data to output reports

## [0.7.4] - 2021-12-15
- Updated SPDX Lite report output data (`--format spdxlite`)

## [0.7.3] - 2021-12-11
- Added support for SPDX Lite report output (`--format spdxlite`)

## [0.7.2] - 2021-12-10
- Added option to process all file extensions while scanning (`--all-extensions`)
- Added option to process all folders while scanning (`--all-folders`)
- Added option to process all hidden files/folders while scanning (`--all-hidden`)

## [0.7.1] - 2021-11-12
- Added option to skip WFP file generation while scanning (`--no-wfp-output`)

## [0.7.0] - 2021-11-08
- Added option to change default REST timeout (`--timeout`)
- Added threaded scanning to WFP file processing
- Changed from GPL license to MIT
- Changed minimum Python version to 3.7

## [0.6.11] - 2021-10-18
- Added option to skip snippet generation in the client (`--skip-snippets`)
- Added option to tune the scan packet post size (`--post-size`)
- Added Docker/Container support for running the client
- Fixed threading issue while scanning

## [0.6.6] - 2021-08-20
- Fixed broken call for scanning WFP file only

## [0.6.5] - 2021-07-15
- Added support to start scanning while fingerprinting to further increase scan performance
- Ignoring broken symlink files

## [0.6.0] - 2021-07-14
- Added threading to speed up fingerprint scanning

## [0.5.6] - 2021-07-12
- Added changelog

## [0.5.5] - 2021-07-09
- Added input SBOM JSON validation
- Added REST POST retry logic

## [0.5.4] - 2021-07-08
- Added `--ignore` option to scan command
- Fixed filtering bug