Merge branch 'main' into fully-qualified-image-names

Author: modelmonster

.github/workflows/generate-sboms.yml

@@ -0,0 +1,39 @@
+name: Generate SBOMS
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "v*.*.*"
+
+env:
+  INPUTS_PATH: scancode-inputs
+
+jobs:
+  generate-sboms:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Ensure INPUTS_PATH directory exists
+        run: mkdir -p "${{ env.INPUTS_PATH }}"
+
+      - name: Build the Docker image from local Dockerfile
+        run: docker build -t local-image .
+
+      - name: Run pip freeze inside the built Docker container
+        run: docker run --rm local-image pip freeze --all --exclude scancodeio > "${{ env.INPUTS_PATH }}/requirements.txt"
+
+      - name: Collect all .ABOUT files in the scancodeio/ directory
+        run: |
+          mkdir -p "${{ env.INPUTS_PATH }}/about-files"
+          find scancodeio/ -type f -name "*.ABOUT" -exec cp {} "${{ env.INPUTS_PATH }}/about-files/" \;
+
+      - name: Resolve the dependencies using ScanCode-action
+        uses: nexB/scancode-action@main
+        with:
+          pipelines: "resolve_dependencies:DynamicResolver"
+          inputs-path: ${{ env.INPUTS_PATH }}
+          scancodeio-repo-branch: main

CHANGELOG.rst

@@ -1,6 +1,37 @@
 Changelog
 =========
 
+
+=======
+v34.11.0 (2025-05-02)
+---------------------
+
+- Add a ``UUID`` field on the DiscoveredDependency model.
+  Use the UUID for the DiscoveredDependency spdx_id for better SPDX compatibility.
+  https://github.com/aboutcode-org/scancode.io/issues/1651
+
+- Add MatchCode-specific functions to compute fingerprints from stemmed code
+  files. Update CodebaseResource file content view to display snippet matches,
+  if available, when the codebase has been sent for matching to MatchCode.
+  https://github.com/aboutcode-org/scancode.io/pull/1656
+
+- Add the ability to export filtered QuerySet of a FilterView into the JSON format.
+  https://github.com/aboutcode-org/scancode.io/pull/1572
+
+- Include ``ProjectMessage`` records in the JSON output ``headers`` section.
+  https://github.com/aboutcode-org/scancode.io/issues/1659
+
+v34.10.1 (2025-03-26)
+---------------------
+
+- Convert the ``declared_license`` field value return by ``python-inspector`` in
+  ``resolve_pypi_packages``.
+  Resolving requirements.txt files will now return proper license data.
+  https://github.com/aboutcode-org/scancode.io/issues/1598
+
+- Add support for installing on Apple Silicon (macOS ARM64) in dev mode.
+  https://github.com/aboutcode-org/scancode.io/pull/1646
+
 v34.10.0 (2025-03-21)
 ---------------------
 

Makefile

@@ -26,6 +26,7 @@ VENV_LOCATION=.venv
 ACTIVATE?=. ${VENV_LOCATION}/bin/activate;
 MANAGE=${VENV_LOCATION}/bin/python manage.py
 VIRTUALENV_PYZ=etc/thirdparty/virtualenv.pyz
+PIP_ARGS=--find-links=./etc/thirdparty/dummy_dist
 # Do not depend on Python to generate the SECRET_KEY
 GET_SECRET_KEY=`head -c50 /dev/urandom | base64 | head -c50`
 # Customize with `$ make envfile ENV_FILE=/etc/scancodeio/.env`
@@ -51,11 +52,11 @@ virtualenv:
 
 conf: virtualenv
 	@echo "-> Install dependencies"
-	@${ACTIVATE} pip install -e .
+	@${ACTIVATE} pip install ${PIP_ARGS} --editable .
 
 dev: virtualenv
 	@echo "-> Configure and install development dependencies"
-	@${ACTIVATE} pip install -e .[dev]
+	@${ACTIVATE} pip install ${PIP_ARGS} --editable .[dev]
 
 envfile:
 	@echo "-> Create the .env file and generate a secret key"
@@ -80,6 +81,8 @@ check:
 	@echo "-> Run Ruff format validation"
 	@${ACTIVATE} ruff format --check
 	@$(MAKE) doc8
+	@echo "-> Run ABOUT files validation"
+	@${ACTIVATE} about check --exclude .venv/ --exclude scanpipe/tests/ .
 
 check-deploy:
 	@echo "-> Check Django deployment settings"

etc/thirdparty/dummy_dist/README.txt

@@ -0,0 +1,24 @@
+Dummy Wheel Distributions for Apple Silicon (macOS ARM64)
+=========================================================
+
+Overview
+--------
+This directory provides **empty wheel distributions** designed as a workaround to
+allow the installation of `ScanCode.io` on **Apple Silicon (macOS ARM64)** platforms.
+
+The issue arises because certain required packages, such as `extractcode-7z`, do not
+offer pre-built wheels compatible with Apple Silicon.
+Consequently, `pip` encounters dependency resolution errors during installation.
+
+Purpose
+-------
+The dummy wheels in this project serve as placeholders. These wheels:
+- **Contain no functionality** and are completely empty.
+- Allow `pip` to resolve dependencies correctly by tricking it into treating the
+  required package as already installed.
+
+Caution
+-------
+These dummy wheels **do not provide any actual functionality**.
+They only exist to bypass `pip` dependency resolution issues and allow `ScanCode.io`
+to be installed on Apple Silicon.

etc/thirdparty/dummy_dist/extractcode_7z-16.5.210525-py3-none-macosx_11_0_arm64.whl

@@ -1,7 +1,7 @@
 about_resource: virtualenv.pyz
 name: get-virtualenv
-version: 20.27.1
-download_url: https://github.com/pypa/get-virtualenv/raw/20.27.1/public/virtualenv.pyz
+version: 20.29.3
+download_url: https://github.com/pypa/get-virtualenv/raw/20.29.3/public/virtualenv.pyz
 description: virtualenv is a tool to create isolated Python environments.
 homepage_url: https://github.com/pypa/virtualenv
 license_expression: lgpl-2.1-plus AND (bsd-new OR apache-2.0) AND mit AND python AND bsd-new
@@ -10,4 +10,4 @@ copyright: Copyright (c) The Python Software Foundation and others
 redistribute: yes
 attribute: yes
 track_changes: yes
-package_url: pkg:github/pypa/get-virtualenv@20.27.1#public/virtualenv.pyz
+package_url: pkg:github/pypa/get-virtualenv@20.29.3#public/virtualenv.pyz

etc/thirdparty/dummy_dist/extractcode_libarchive-3.5.1.210525-py3-none-macosx_11_0_arm64.whl

@@ -28,7 +28,7 @@
 
 import git
 
-VERSION = "34.10.0"
+VERSION = "34.11.0"
 
 PROJECT_DIR = Path(__file__).resolve().parent
 ROOT_DIR = PROJECT_DIR.parent