1.5.8

@oscarvalenzuelab oscarvalenzuelab released this 14 Nov 02:41
· 24 commits to main since this release
9a6f1d0

v1.5.8 - 2025-01-13

Fixed & Redesigned

Critical Bug + Complete Redesign: download_and_scan_package

Two critical issues fixed:

Problem 1 - Tool was completely broken (v1.5.7):
The download_and_scan_package tool returned JSON parsing errors:
"metadata_error": "the JSON object must be str, bytes or bytearray, not CompletedProcess"
"scan_error": "the JSON object must be str, bytes or bytearray, not CompletedProcess"

Root Cause:
The _run_tool() helper returns subprocess.CompletedProcess objects, but the code tried to parse them directly as JSON instead of using .stdout.

Problem 2 - Incorrect workflow (v1.5.7):
The original implementation passed PURLs directly to upmex and osslili, but these tools require local file paths.

NEW IMPLEMENTATION - Correct Multi-Method Workflow:

The tool now implements a robust 3-step fallback workflow:

  1. Primary: Use purl2notices to download and analyze (fastest, most comprehensive)
  2. Deep scan: If incomplete, use purl2src to get download URL → download artifact → run osslili for deep license scanning + upmex for metadata
  3. Online fallback: If still incomplete, use upmex --api clearlydefined for online metadata

New Dependencies:

  • Added purl2src>=1.2.3 to translate PURLs to download URLs for Step 2

Impact:

  • Tool now works correctly with proper multi-method fallback
  • Uses the correct workflow: purl2notices → download+osslili+upmex → online APIs
  • Returns method_used field showing which method succeeded
  • Proper error handling with methods_attempted tracking
  • JSON parsing fixed (uses .stdout correctly)
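
The root cause and the fallback bookkeeping described above, sketched as an added example (this is not the project's code). The names run_tool, parse_tool_json, scan_with_fallback and is_complete, and the "non-empty license list" completeness rule, are assumptions; child Python processes stand in for the real CLIs so that no tool flags are invented.

```python
import json
import subprocess
import sys

def run_tool(argv):
    """Stand-in for the _run_tool() helper: returns a CompletedProcess."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)

def parse_tool_json(proc):
    """Parse JSON from .stdout; json.loads(proc) itself raises TypeError."""
    if proc.returncode != 0:
        raise RuntimeError(f"exit {proc.returncode}: {proc.stderr.strip()[:200]}")
    if not proc.stdout.strip():
        raise ValueError("tool produced no output")
    return json.loads(proc.stdout)  # JSONDecodeError is a ValueError

def is_complete(data):
    # Assumed completeness rule for this example: a non-empty license list.
    return isinstance(data, dict) and bool(data.get("licenses"))

def scan_with_fallback(methods):
    """Try (name, argv) pairs in order; record every attempt and the winner."""
    result = {"method_used": None, "methods_attempted": [], "errors": {}}
    for name, argv in methods:
        result["methods_attempted"].append(name)
        try:
            data = parse_tool_json(run_tool(argv))
        except (RuntimeError, ValueError, OSError, subprocess.TimeoutExpired) as exc:
            result["errors"][name] = str(exc)
            continue
        if is_complete(data):
            result.update(method_used=name, data=data)
            break
        result["errors"][name] = "incomplete result"
    return result

def fake(code):
    # Constructed stand-in for a real CLI: a child Python process, no shell.
    return [sys.executable, "-c", code]

# Constructed sample: step 1 fails, step 2 is incomplete, step 3 succeeds.
SAMPLE_METHODS = [
    ("purl2notices", fake("import sys; sys.exit(2)")),
    ("deep_scan", fake("print('{\"licenses\": []}')")),
    ("online_fallback", fake("print('{\"licenses\": [\"MIT\"]}')")),
]

if __name__ == "__main__":
    print(json.dumps(scan_with_fallback(SAMPLE_METHODS), indent=2))
```

Keeping a per-method entry in errors means a failed or incomplete step stays visible in the result even when a later method succeeds.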

Testing:

  • Added 5 comprehensive unit tests covering all workflows
  • All 31 tests pass (26 existing + 5 new)
  • Test coverage: primary workflow, deep scan, online fallback, error handling, file cleanup

Thanks:
User feedback identified the bugs and clarified the correct workflow design.

Full Changelog: https://github.com/SemClone/mcp-semclone/blob/main/CHANGELOG.md