Merge branch 'develop' into improve-npm-support

Signed-off-by: Ayan Sinha Mahapatra <[email protected]>

CHANGELOG.rst

@@ -34,8 +34,40 @@ v33.0.0 (next next, roadmap)
   of these in other summary plugins.
   See https://github.com/nexB/scancode-toolkit/issues/1745
 
-v32.1.0 (next, roadmap)
-----------------------------
+- Improve cargo package detection support with various improvements
+  and bugfixes:
+  - Fix for parser crashing on cargo workspaces
+  - Fix a bug in dependency parsing (we were not returning any dependencies)
+  - Also support getting dependency versions from workspace
+  - Support more attributes from cargo
+  - Better handle workspace data thorugh extra_data attribute
+  See https://github.com/nexB/scancode-toolkit/pull/3783
+
+- We now support parsing the Swift manifest JSON dump and the ``Package.resolved`` file https://github.com/nexB/scancode-toolkit/issues/2657.
+  - Run the commands below on your local Swift project before running the scan.
+    - ::
+
+        swift package dump-package > Package.swift.json
+    - ::
+
+        swift package resolve
+
+- New and updated licenses, including support for newly released
+  SPDX license list versions:
+  - SPDX License List 3.24:
+    This release of the SPDX license list had 25 new licenses
+    and exceptions, and out of them 12 were present as licenses
+    and 5 were present as rules already. There were 3 new
+    license/exception texts added, and the rest 5 were either
+    texts with small variations, additions to texts or several
+    rule texts together. And the rest have been added as new licenses.
+    For more details see https://github.com/nexB/scancode-toolkit/pull/3795
+
+  - More new licenses and rules:
+    - 23 new licenses in https://github.com/nexB/scancode-toolkit/pull/3778
+
+v32.1.0 - 2024-03-23
+---------------------
 
 New CLI options:
 

docs/source/getting-started/install.rst

@@ -160,6 +160,32 @@ in the extracted directory and run::
 
 This will configure ScanCode and display the command line :ref:`cli_help_text`.
 
+.. note::
+   If you encounter a "No matching distribution" error while running the ``./configure`` command on a Mac M1, it may indicate compatibility issues with the current architecture. Here's a step-by-step guide to address this:
+
+   - **Change Mac M1 Architecture to x86_64:**
+     Switch the architecture from amd64 to x86_64 using the command:
+     ::
+
+         env /usr/bin/arch -x86_64 /bin/zsh --login
+   - **Use Rosetta Translation:**
+     Enable Rosetta translation in Terminal by executing:
+     ::
+
+         softwareupdate --install-rosetta
+   - **Transition Homebrew from arm64 to Intel:**
+     Change Homebrew from the arm64 architecture to the Intel (x86) architecture by running:
+     ::
+
+         /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+   - **Install Intel-Specific Python:**
+     Use Homebrew to install Python specifically optimized for Intel architecture with:
+     ::
+
+         /usr/local/Homebrew/bin/brew install python3
+
+   Then rerun the ``./configure`` command. This sets up the project according to the new architecture and ensures proper configuration.
+   Following these steps should help resolve compatibility issues and allow smooth operation of the project on Mac M1 devices.
 
 .. _windows_app_install:
 

docs/source/reference/available_package_parsers.rst

@@ -233,6 +233,7 @@ parsers in scancode-toolkit during documentation builds.
      - https://r-pkgs.org/description.html
    * - Debian control file - extracted layout
      - ``*/control.tar.gz-extract/control``
+       ``*/control.tar.xz-extract/control``
      - ``deb``
      - ``debian_control_extracted_deb``
      - None
@@ -716,6 +717,19 @@ parsers in scancode-toolkit during documentation builds.
      - ``rpm_installed_database_sqlite``
      - None
      - https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
+   * - RPM mariner distroless package manifest
+     - ``*var/lib/rpmmanifest/container-manifest-2``
+     - ``rpm``
+     - ``rpm_mariner_manifest``
+     - None
+     - https://github.com/microsoft/marinara/
+   * - RPM mariner distroless package license files
+     - ``*usr/share/licenses/*/COPYING*``
+       ``*usr/share/licenses/*/LICENSE*``
+     - ``rpm``
+     - ``rpm_package_licenses``
+     - None
+     - https://github.com/microsoft/marinara/
    * - RPM specfile
      - ``*.spec``
      - ``rpm``
@@ -734,6 +748,19 @@ parsers in scancode-toolkit during documentation builds.
      - ``squashfs_disk_image``
      - None
      - https://en.wikipedia.org/wiki/SquashFS
+   * - JSON dump of Package.swift created with ``swift package dump-package > Package.swift.json``
+     - ``*/Package.swift.json``
+     - ``swift``
+     - ``swift_package_manifest_json``
+     - Swift
+     - https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html
+   * - Resolved full dependency lockfile for Package.swift created with ``swift package resolve``
+     - ``*/Package.resolved``
+       ``*/.package.resolved``
+     - ``swift``
+     - ``swift_package_resolved``
+     - swift
+     - https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html#package-dependency
    * - Java Web Application Archive
      - ``*.war``
      - ``war``

src/licensedcode/data/licenses/3dslicer-1.0.LICENSE

@@ -5,11 +5,15 @@ name: 3D Slicer Contribution and Software License Agreement v1.0
 category: Permissive
 owner: Slicer Project
 homepage_url: https://www.slicer.org/wiki/License
-spdx_license_key: LicenseRef-scancode-3dslicer-1.0
+spdx_license_key: 3D-Slicer-1.0
+other_spdx_license_keys:
+    - LicenseRef-scancode-3dslicer-1.0
 text_urls:
     - https://github.com/Slicer/Slicer/blob/v4.6.2/COPYRIGHT.txt
 faq_url: https://www.slicer.org/wiki/CommercialUse
 other_urls:
+    - https://slicer.readthedocs.io/en/latest/user_guide/about.html#license
+    - https://github.com/Slicer/Slicer/blob/main/License.txt
     - http://www.slicer.org
     - http://wiki.na-mic.org/Wiki/index.php/Slicer3
 ignorable_authors:

src/licensedcode/data/licenses/amd-historical.LICENSE

@@ -5,7 +5,11 @@ name: AMD Historical License
 category: Permissive
 owner: Advanced Micro Devices
 notes: this is a short historical permissive license seen in the newlib C library
-spdx_license_key: LicenseRef-scancode-amd-historical
+spdx_license_key: AMD-newlib
+other_spdx_license_keys:
+    - LicenseRef-scancode-amd-historical
+other_urls:
+    - https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=newlib/libc/sys/a29khif/_close.S;h=04f52ae00de1dafbd9055ad8d73c5c697a3aae7f;hb=HEAD
 ---
 
 This software is the property of Advanced Micro Devices, Inc  (AMD)  which

src/licensedcode/data/licenses/any-osi.LICENSE

@@ -0,0 +1,18 @@
+---
+key: any-osi
+short_name: Any OSI License
+name: Any OSI License
+category: Unstated License
+owner: Unspecified
+spdx_license_key: any-OSI
+minimum_coverage: 100
+other_urls:
+    - http://www.opensource.org/licenses/alphabetical
+    - https://metacpan.org/pod/Exporter::Tidy#LICENSE
+ignorable_urls:
+    - http://www.opensource.org/licenses/alphabetical
+---
+
+Pick your favourite OSI approved license :)
+
+http://www.opensource.org/licenses/alphabetical

src/licensedcode/data/licenses/asterisk-linking-protocols-exception.LICENSE

@@ -0,0 +1,25 @@
+---
+key: asterisk-linking-protocols-exception
+short_name: Asterisk linking protocols exception
+name: Asterisk linking protocols exception
+owner: Asterisk
+category: Copyleft Limited
+is_exception: yes
+spdx_license_key: Asterisk-linking-protocols-exception
+other_urls:
+    - https://github.com/asterisk/asterisk/blob/115d7c01e32ccf4566a99e9d74e2b88830985a0b/LICENSE#L27
+---
+
+Specific permission is also granted to link Asterisk with OpenSSL, OpenH323
+UniMRCP, and/or the UW IMAP Toolkit and distribute the resulting binary files.
+
+In addition, Asterisk implements several management/control protocols.
+This includes the Asterisk Manager Interface (AMI), the Asterisk Gateway
+Interface (AGI), and the Asterisk REST Interface (ARI). It is our belief
+that applications using these protocols to manage or control an Asterisk
+instance do not have to be licensed under the GPL or a compatible license,
+as we believe these protocols do not create a 'derivative work' as referred
+to in the GPL. However, should any court or other judiciary body find that
+these protocols do fall under the terms of the GPL, then we hereby grant you a
+license to use these protocols in combination with Asterisk in external
+applications licensed under any license you wish.

src/licensedcode/data/licenses/bsd-2-clause-first-lines.LICENSE

@@ -0,0 +1,39 @@
+---
+key: bsd-2-clause-first-lines
+short_name: BSD 2-Clause first lines
+name: BSD 2-Clause - first lines requirement
+owner: Nippon Telegraph and Telephone Corporation
+category: Permissive
+notes: |
+    Added in SPDX license list 3.24
+    This was previously the license rule: freebsd-doc_5.RULE
+spdx_license_key: BSD-2-Clause-first-lines
+other_urls:
+    - https://github.com/krb5/krb5/blob/krb5-1.21.2-final/NOTICE#L664-L690
+    - https://web.mit.edu/kerberos/krb5-1.21/doc/mitK5license.html
+---
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above
+   copyright notice, this list of conditions and the following
+   disclaimer as the first lines of this file unmodified.
+
+2. Redistributions in binary form must reproduce the above
+   copyright notice, this list of conditions and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.

src/licensedcode/data/licenses/catharon-osl.LICENSE

@@ -5,7 +5,9 @@ name: Catharon Open Source License
 category: Permissive
 owner: Catharon
 homepage_url: https://github.com/scummvm/scummvm/blob/master/LICENSES/CatharonLicense.txt
-spdx_license_key: LicenseRef-scancode-catharon-osl
+spdx_license_key: Catharon
+other_spdx_license_keys:
+    - LicenseRef-scancode-catharon-osl
 text_urls:
     - https://github.com/scummvm/scummvm/tree/master/engines/ags/lib/freetype-2.1.3/autohint
     - https://www.copperspice.com/docs/cs_overview/legal-3rdparty.html

src/licensedcode/data/licenses/cexcept-2008.LICENSE

@@ -0,0 +1,20 @@
+---
+key: cexcept-2008
+short_name: cexcept License 2008
+name: cexcept License 2008
+category: Permissive
+owner: nicemice
+spdx_license_key: LicenseRef-scancode-cexcept-2008
+text_urls:
+    - https://github.com/cloudflare/pngcrush/blob/deflate.gcc.amd64/cexcept.h
+other_urls:
+    - http://www.nicemice.net/cexcept/
+---
+
+This software may be modified only if its author and version
+information is updated accurately, and may be redistributed
+only if accompanied by this unaltered notice.  Subject to those
+restrictions, permission is granted to anyone to do anything
+with this software.  The copyright holders make no guarantees
+regarding this software, and are not responsible for any damage
+resulting from its use.

src/licensedcode/data/licenses/chillicream-1.0.LICENSE

@@ -0,0 +1,59 @@
+---
+key: chillicream-1.0
+short_name: ChilliCream License 1.0
+name: ChilliCream License 1.0
+category: Copyleft Limited
+owner: ChilliCream
+homepage_url: https://chillicream.com/licensing/chillicream-license
+spdx_license_key: LicenseRef-scancode-chillicream-1.0
+other_urls:
+    - https://www.nuget.org/packages/BananaCakePop.Middleware/15.0.4/License
+---
+
+ChilliCream License 1.0
+
+Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below.
+
+Limitations
+
+You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law.
+
+Patents
+
+The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.
+
+Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software.
+
+No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in these terms.
+
+Termination
+
+If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently.
+
+No Liability
+
+As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.
+
+Definitions
+
+The licensor is the entity offering these terms, and the software is the software the licensor makes available under these terms, including any portion of it.
+
+you refers to the individual or entity agreeing to these terms.
+
+your company is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. control means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.
+
+your licenses are all the licenses granted to you for the software under these terms.
+
+use means anything you do with the software requiring one of your licenses.
+
+trademark means trademarks, service marks, and similar rights.

src/licensedcode/data/licenses/codesourcery-2004.LICENSE

@@ -5,7 +5,11 @@ name: CodeSourcery 2004
 category: Permissive
 owner: CodeSourcery
 homepage_url: https://git.linaro.org/toolchain/newlib.git/tree/newlib/libc/misc/init.c
-spdx_license_key: LicenseRef-scancode-codesourcery-2004
+spdx_license_key: HPND-merchantability-variant
+other_spdx_license_keys:
+    - LicenseRef-scancode-codesourcery-2004
+other_urls:
+    - https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=newlib/libc/misc/fini.c;hb=HEAD
 ---
 
 Permission to use, copy, modify, and distribute this file

src/licensedcode/data/licenses/cve-tou.LICENSE

@@ -5,7 +5,11 @@ name: Common Vulnerability Enumeration ToU License
 category: Permissive
 owner: Mitre
 homepage_url: https://cve.mitre.org/about/termsofuse.html
-spdx_license_key: LicenseRef-scancode-cve-tou
+spdx_license_key: cve-tou
+other_spdx_license_keys:
+    - LicenseRef-scancode-cve-tou
+other_urls:
+    - https://www.cve.org/Legal/TermsOfUse
 ---
 
 CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,