aboutcode-org · AyanSinhaMahapatra · Oct 20, 2024 · Aug 7, 2024 · Aug 7, 2024 · Oct 19, 2024
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -34,6 +34,20 @@ v33.0.0 (next next, roadmap)
   of these in other summary plugins.
   See https://github.com/nexB/scancode-toolkit/issues/1745
 
+Major API/other changes:
+
+- Output Format Version updated to 4.0.0 (major version bump)
+- Dependency attribute rename: ``is_resolved`` renamed to ``is_pinned``
+  See https://github.com/nexB/scancode-toolkit/pull/3888 for more details.
+
+Changes in Output Data Structure:
+
+- The data structure of the JSON output has changed for
+  dependencies at file level package_data, and at top-level.
+  Note that the change is a modification to the JSON output,
+  so we have a major version bump ``3.2.0`` to ``4.0.0``:
+
+  - Dependency attribute ``is_resolved`` renamed to ``is_pinned``
 - Update link references of ownership from nexB to aboutcode-org
   See https://github.com/aboutcode-org/scancode-toolkit/issues/3885
 

diff --git a/docs/source/cli-reference/basic-options.rst b/docs/source/cli-reference/basic-options.rst
@@ -175,7 +175,8 @@
                     "scope": "dependencies",
                     "is_runtime": true,
                     "is_optional": false,
-                    "is_resolved": false,
+                    "is_pinned": false,
+                    "is_direct": true,
                     "resolved_package": {},
                     "extra_data": {},
                     "dependency_uid": "pkg:bower/get-size?uuid=fixed-uid-done-for-testing-5642512d1758",
@@ -341,7 +342,8 @@
                                     "scope": "dependencies",
                                     "is_runtime": true,
                                     "is_optional": false,
-                                    "is_resolved": false,
+                                    "is_pinned": false,
+                                    "is_direct": true,
                                     "resolved_package": {},
                                     "extra_data": {}
                                 }

diff --git a/etc/scripts/sch2js/doc/DependentPackage-json-schema.json b/etc/scripts/sch2js/doc/DependentPackage-json-schema.json
@@ -63,12 +63,12 @@
         }
       ]
     }, 
-    "is_resolved": {
+    "is_pinned": {
       "oneOf": [
         {
           "type": "boolean", 
-          "title": "is resolved flag", 
-          "description": "True if this dependency version requirement has been resolved and this dependency url points to an exact version."
+          "title": "is pinned flag", 
+          "description": "True if this dependency version requirement has been pinned and this dependency points to an exact version."
         }, 
         {
           "type": "null"

diff --git a/etc/scripts/sch2js/doc/Package-json-schema.json b/etc/scripts/sch2js/doc/Package-json-schema.json
@@ -455,7 +455,7 @@
                   }
                 ]
               }, 
-              "is_resolved": {
+              "is_pinned": {
                 "oneOf": [
                   {
                     "type": "boolean", 

diff --git a/src/formattedcode/output_cyclonedx.py b/src/formattedcode/output_cyclonedx.py
@@ -519,7 +519,7 @@ def from_package(cls, package, components_by_purl):
         for dependency in package.get('dependencies', []):
             dpurl = dependency['purl']
 
-            if dependency['is_resolved']:
+            if dependency['is_pinned']:
                 dependencies_by_dependent[purl].add(dpurl)
             else:
                 existing = components_by_purl.get(dpurl)

diff --git a/src/packagedcode/alpine.py b/src/packagedcode/alpine.py
@@ -1014,7 +1014,7 @@ def D_dependencies_handler(value, dependencies=None, **kwargs):
 
         requirement = None
         version = None
-        is_resolved = False
+        is_pinned = False
         segments = split_name_and_requirement(dep)
         if len(segments) == 1:
             # we have no requirement...just a plain name
@@ -1027,7 +1027,7 @@ def D_dependencies_handler(value, dependencies=None, **kwargs):
             operator = ''.join(sorted(operator))
             if operator == '=':
                 version = ver
-                is_resolved = True
+                is_pinned = True
 
             requirement = operator + ver
 
@@ -1042,7 +1042,7 @@ def D_dependencies_handler(value, dependencies=None, **kwargs):
             purl=purl,
             scope=scope,
             extracted_requirement=requirement,
-            is_resolved=is_resolved,
+            is_pinned=is_pinned,
         )
         if dependency not in dependencies:
             dependencies.append(dependency.to_dict())

diff --git a/src/packagedcode/build_gradle.py b/src/packagedcode/build_gradle.py
@@ -360,7 +360,7 @@ def build_package(cls, dependencies, package_only=False):
                 extracted_requirement=version,
                 is_runtime=is_runtime,
                 is_optional=is_optional,
-                is_resolved=bool(version),
+                is_pinned=bool(version),
             )
         )
 

diff --git a/src/packagedcode/cargo.py b/src/packagedcode/cargo.py
@@ -299,7 +299,7 @@ def parse(cls, location, package_only=False):
                     scope='dependencies',
                     is_runtime=True,
                     is_optional=False,
-                    is_resolved=True,
+                    is_pinned=True,
                 )
             )
 
@@ -346,7 +346,7 @@ def dependency_mapper(dependencies, scope='dependencies'):
             scope=scope,
             is_runtime=is_runtime,
             is_optional=is_optional,
-            is_resolved=False,
+            is_pinned=False,
             extra_data=extra_data,
         )
 

diff --git a/src/packagedcode/cocoapods.py b/src/packagedcode/cocoapods.py
@@ -345,7 +345,7 @@ def get_pods_dependency_with_resolved_package(
             extracted_requirement=xreq,
             is_runtime=False,
             is_optional=True,
-            is_resolved=True,
+            is_pinned=True,
             is_direct=is_direct,
             resolved_package=resolved_package,
         )
@@ -377,7 +377,7 @@ def get_dependencies_for_resolved_package(cls, dependency_data, dep_pods):
                 extracted_requirement=dep_xreq,
                 is_runtime=False,
                 is_optional=True,
-                is_resolved=True,
+                is_pinned=True,
                 is_direct=True,
             ).to_dict()
             dependencies_for_resolved.append(dependency_for_resolved)

diff --git a/src/packagedcode/conan.py b/src/packagedcode/conan.py
@@ -270,9 +270,9 @@ def assemble(
         yield resource
 
 
-def is_constraint_resolved(constraint):
+def is_constraint_pinned(constraint):
     """
-    Checks if a constraint is resolved and it specifies an exact version.
+    Checks if a constraint is pinned and it specifies an exact version.
     """
     range_characters = {">", "<", "[", "]", ">=", "<="}
     return not any(char in range_characters for char in constraint)
@@ -282,9 +282,9 @@ def get_dependencies(requires):
     dependent_packages = []
     for req in requires:
         name, constraint = req.split("/", 1)
-        is_resolved = is_constraint_resolved(constraint)
+        is_pinned = is_constraint_pinned(constraint)
         version = None
-        if is_resolved:
+        if is_pinned:
             version = constraint
         purl = PackageURL(type="conan", name=name, version=version)
         dependent_packages.append(
@@ -293,7 +293,7 @@ def get_dependencies(requires):
                 scope="install",
                 is_runtime=True,
                 is_optional=False,
-                is_resolved=is_resolved,
+                is_pinned=is_pinned,
                 extracted_requirement=constraint,
             )
         )

diff --git a/src/packagedcode/godeps.py b/src/packagedcode/godeps.py
@@ -60,7 +60,7 @@ def parse(cls, location, package_only=False):
                     scope='Deps',
                     is_runtime=True,
                     is_optional=False,
-                    is_resolved=False,
+                    is_pinned=False,
                 )
             )
 

diff --git a/src/packagedcode/golang.py b/src/packagedcode/golang.py
@@ -62,7 +62,7 @@ def parse(cls, location, package_only=False):
                     scope='require',
                     is_runtime=True,
                     is_optional=False,
-                    is_resolved=False,
+                    is_pinned=False,
                 )
             )
 
@@ -75,7 +75,7 @@ def parse(cls, location, package_only=False):
                     scope='exclude',
                     is_runtime=True,
                     is_optional=False,
-                    is_resolved=False,
+                    is_pinned=False,
                 )
             )
 
@@ -123,7 +123,7 @@ def parse(cls, location, package_only=False):
                     scope='dependency',
                     is_runtime=True,
                     is_optional=False,
-                    is_resolved=True,
+                    is_pinned=True,
                 )
             )
 

diff --git a/src/packagedcode/haxe.py b/src/packagedcode/haxe.py
@@ -80,13 +80,13 @@ def _parse(cls, json_data, package_only=False):
 
         for dep_name, dep_version in json_data.get('dependencies', {}).items():
             dep_version = dep_version and dep_version.strip()
-            is_resolved = bool(dep_version)
+            is_pinned = bool(dep_version)
             dep_purl = PackageURL(
                 type=cls.default_package_type,
                 name=dep_name,
                 version=dep_version
             ).to_string()
-            dep = models.DependentPackage(purl=dep_purl, is_resolved=is_resolved,)
+            dep = models.DependentPackage(purl=dep_purl, is_pinned=is_pinned)
             package_data.dependencies.append(dep)
 
         return package_data

diff --git a/src/packagedcode/maven.py b/src/packagedcode/maven.py
@@ -1053,7 +1053,7 @@ def get_dependencies(pom):
             if dversion == 'latest.release':
                 dversion = None
 
-            is_resolved = bool(dversion and not any(c in dversion for c in '$[,]'))
+            is_pinned = bool(dversion and not any(c in dversion for c in '$[,]'))
 
             dqualifiers = {}
             # FIXME: this is missing from the original Pom parser
@@ -1065,7 +1065,7 @@ def get_dependencies(pom):
             # if packaging and packaging != 'jar':
             #     qualifiers['packaging'] = packaging
 
-            if is_resolved:
+            if is_pinned:
                 dpurl = models.PackageURL(
                     type='maven',
                     namespace=dgroup_id,
@@ -1091,7 +1091,7 @@ def get_dependencies(pom):
                 scope=scope,
                 is_runtime=is_runtime,
                 is_optional=is_optional,
-                is_resolved=is_resolved,
+                is_pinned=is_pinned,
             )
             dependencies.append(dep_pack)
 

diff --git a/src/packagedcode/models.py b/src/packagedcode/models.py
@@ -364,11 +364,11 @@ class DependentPackage(ModelMixin):
         label='is optional flag',
         help='True if this dependency is an optional dependency')
 
-    is_resolved = Boolean(
+    is_pinned = Boolean(
         default=False,
-        label='is resolved flag',
+        label='is pinned flag',
         help='True if this dependency version requirement has '
-             'been resolved and this dependency url points to an '
+             'been pinned and this dependency points to an '
              'exact version.')
 
     is_direct = Boolean(

diff --git a/src/packagedcode/npm.py b/src/packagedcode/npm.py
@@ -310,7 +310,7 @@ def update_dependencies_by_purl(
         dependencies_by_purl,
         is_runtime=False,
         is_optional=False,
-        is_resolved=False,
+        is_pinned=False,
         is_direct=True,
     ):
         """
@@ -337,7 +337,7 @@ def update_dependencies_by_purl(
                     scope=scope,
                     is_runtime=is_runtime,
                     is_optional=is_optional,
-                    is_resolved=is_resolved,
+                    is_pinned=is_pinned,
                     is_direct=is_direct,
                 )
                 dependencies_by_purl[dep_purl] = dep_package
@@ -361,7 +361,7 @@ def update_dependencies_by_purl(
                             scope=scope,
                             is_runtime=is_runtime,
                             is_optional=metadata.get("optional"),
-                            is_resolved=is_resolved,
+                            is_pinned=is_pinned,
                             is_direct=is_direct,
                         )
                         dependencies_by_purl[dep_purl] = dep_package
@@ -394,7 +394,7 @@ def update_dependencies_by_purl(
                     extracted_requirement=requirement,
                     is_runtime=is_runtime,
                     is_optional=is_optional,
-                    is_resolved=is_resolved,
+                    is_pinned=is_pinned,
                     is_direct=is_direct,
                 )
                 dependencies_by_purl[dep_purl] = dep_package
@@ -723,7 +723,7 @@ def parse(cls, location, package_only=False):
                 scope=scope,
                 is_runtime=is_runtime,
                 is_optional=is_optional,
-                is_resolved=True,
+                is_pinned=True,
                 is_direct=False,
             )
 
@@ -773,7 +773,7 @@ def parse(cls, location, package_only=False):
                 dependencies_by_purl=sub_deps_by_purl,
                 is_runtime=is_runtime,
                 is_optional=is_optional,
-                is_resolved=False,
+                is_pinned=False,
                 is_direct=True,
             )
 
@@ -949,7 +949,7 @@ def parse(cls, location, package_only=False):
             dependency = models.DependentPackage(
                 purl=str(purl),
                 extracted_requirement=version,
-                is_resolved=True,
+                is_pinned=True,
                 resolved_package=resolved_package.to_dict(),
                 scope='dependencies',
                 is_optional=False,
@@ -1124,7 +1124,7 @@ def parse(cls, location, package_only=False):
             dep = models.DependentPackage(
                 purl=dep_purl,
                 extracted_requirement=extracted_requirement,
-                is_resolved=True,
+                is_pinned=True,
                 # FIXME: these are NOT correct
                 scope='dependencies',
                 is_optional=False,
@@ -1228,7 +1228,7 @@ def parse(cls, location, package_only=False):
                 dependencies=dependencies,
                 scope='dependencies',
                 dependencies_by_purl=deps_for_resolved_by_purl,
-                is_resolved=True,
+                is_pinned=True,
                 is_direct=False,
             )
             cls.update_dependencies_by_purl(
@@ -1242,7 +1242,7 @@ def parse(cls, location, package_only=False):
                 dependencies=optional_dependencies,
                 scope='optionalDependencies',
                 dependencies_by_purl=deps_for_resolved_by_purl,
-                is_resolved=True,
+                is_pinned=True,
                 is_optional=True,
                 is_direct=False,
             )
@@ -1291,7 +1291,7 @@ def parse(cls, location, package_only=False):
                 purl=purl,
                 is_optional=is_optional,
                 is_runtime=is_runtime,
-                is_resolved=True,
+                is_pinned=True,
                 is_direct=True,
                 resolved_package=resolved_package.to_dict(),
                 extra_data=extra_data_deps,
@@ -1765,7 +1765,7 @@ def deps_mapper(deps, package, field_name, is_direct=True):
         'devDependencies': dict(is_runtime=False, is_optional=True),
         'peerDependencies': dict(is_runtime=True, is_optional=False),
         'optionalDependencies': dict(is_runtime=True, is_optional=True),
-        'resolutions': dict(is_runtime=True, is_optional=False, is_resolved=True),
+        'resolutions': dict(is_runtime=True, is_optional=False, is_pinned=True),
     }
     dependencies = package.dependencies