Merge branch 'main' into multiple-inputs-in-SBOMs

Author: omsuneri

CHANGELOG.rst

@@ -1,6 +1,50 @@
 Changelog
 =========
 
+v35.4.1 (2025-10-24)
+--------------------
+
+- Add ability to download all output results formats as a zipfile for a given project.
+  https://github.com/aboutcode-org/scancode.io/issues/1880
+
+- Add support for tagging inputs in the run management command
+  Add ability to skip the SQLite auto db in combined_run
+  Add documentation to leverage PostgreSQL service
+  https://github.com/aboutcode-org/scancode.io/pull/1916
+
+- Refine d2d pipeline for scala and kotlin.
+  https://github.com/aboutcode-org/scancode.io/issues/1898
+
+- Add utilities to create/init FederatedCode data repo.
+  https://github.com/aboutcode-org/scancode.io/issues/1896
+
+- Add a verify-project CLI management command.
+  https://github.com/aboutcode-org/scancode.io/issues/1903
+
+- Add support for multiple inputs in the run management command.
+  https://github.com/aboutcode-org/scancode.io/issues/1916
+
+- Add the django-htmx app to the stack.
+  https://github.com/aboutcode-org/scancode.io/issues/1917
+
+- Adjust the resource tree view table rendering.
+  https://github.com/aboutcode-org/scancode.io/issues/1840
+
+- Add ".." navigation option in table to navigate to parent resource.
+  https://github.com/aboutcode-org/scancode.io/issues/1869
+
+- Add ability to download all output results formats.
+  https://github.com/aboutcode-org/scancode.io/issues/1880
+
+- Update Java D2D Pipeline to Include Checksum Mapped Sources for Accurate Java Mapping.
+  https://github.com/aboutcode-org/scancode.io/issues/1870
+
+- Auto-detect pipeline from provided input.
+  https://github.com/aboutcode-org/scancode.io/issues/1883
+
+- Migrate SCA workflows verification to new verify-project management command.
+  https://github.com/aboutcode-org/scancode.io/issues/1902
+
 v35.4.0 (2025-09-30)
 --------------------
 

docs/command-line-interface.rst

@@ -419,10 +419,11 @@ Displays status information about the ``PROJECT`` project.
 
 .. _cli_output:
 
-`$ scanpipe output --project PROJECT --format {json,csv,xlsx,spdx,cyclonedx,attribution}`
------------------------------------------------------------------------------------------
+`$ scanpipe output --project PROJECT --format {json,csv,xlsx,spdx,cyclonedx,attribution,...}`
+---------------------------------------------------------------------------------------------
 
-Outputs the ``PROJECT`` results as JSON, XLSX, CSV, SPDX, CycloneDX, and Attribution.
+Outputs the ``PROJECT`` results as JSON, XLSX, CSV, SPDX, CycloneDX,
+ORT package-list.yml, and Attribution.
 The output files are created in the ``PROJECT`` :guilabel:`output/` directory.
 
 Multiple formats can be provided at once::

docs/output-files.rst

@@ -285,7 +285,6 @@ Additional sheets are included **only when relevant** (i.e., when data is availa
 
 SPDX
 ^^^^
-
 ScanCode.io can generate Software Bill of Materials (SBOM) in the **SPDX** format,
 which is an open standard for communicating software component information.
 SPDX is widely used for license compliance, security analysis, and software supply
@@ -309,7 +308,6 @@ The SPDX output includes:
 
 CycloneDX
 ^^^^^^^^^
-
 ScanCode.io can generate **CycloneDX** SBOMs, a lightweight standard designed for
 security and dependency management. CycloneDX is optimized for vulnerability analysis
 and software supply chain risk assessment.

docs/quickstart.rst

@@ -3,8 +3,8 @@
 QuickStart
 ==========
 
-Run a Scan (no installation required!)
---------------------------------------
+Run a Local Directory Scan (no installation required!)
+------------------------------------------------------
 
 The **fastest way** to get started and **scan a codebase** —
 **no installation needed** — is by using the latest
@@ -52,8 +52,120 @@ See the :ref:`RUN command <cli_run>` section for more details on this command.
 .. note::
     Not sure which pipeline to use? Check out :ref:`faq_which_pipeline`.
 
-Next Step: Local Installation
------------------------------
+Run a Remote Package Scan
+-------------------------
+
+Let's look at another example — this time scanning a **remote package archive** by
+providing its **download URL**:
+
+.. code-block:: bash
+
+    docker run --rm \
+      ghcr.io/aboutcode-org/scancode.io:latest \
+      run scan_single_package https://github.com/aboutcode-org/python-inspector/archive/refs/tags/v0.14.4.zip \
+      > results.json
+
+Let's break down what's happening here:
+
+- ``docker run --rm``
+  Runs a temporary container that is automatically removed after the scan completes.
+
+- ``ghcr.io/aboutcode-org/scancode.io:latest``
+  Uses the latest ScanCode.io image from GitHub Container Registry.
+
+- ``run scan_single_package <URL>``
+  Executes the ``scan_single_package`` pipeline, automatically fetching and analyzing
+  the package archive from the provided URL.
+
+- ``> results.json``
+  Writes the scan results to a local ``results.json`` file.
+
+Notice that the ``-v "$(pwd)":/codedrop`` option is **not required** in this case
+because the input is downloaded directly from the provided URL, rather than coming
+from your local filesystem.
+
+The result? A **complete scan of a remote package archive — no setup, one command!**
+
+Use PostgreSQL for Better Performance
+-------------------------------------
+
+By default, ScanCode.io uses a **temporary SQLite database** for simplicity.
+While this works well for quick scans, it has a few limitations — such as
+**no multiprocessing** and slower performance on large codebases.
+
+For improved speed and scalability, you can run your pipelines using a
+**PostgreSQL database** instead.
+
+Start a PostgreSQL Database Service
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+First, start a PostgreSQL container in the background:
+
+.. code-block:: bash
+
+    docker run -d \
+      --name scancodeio-run-db \
+      -e POSTGRES_DB=scancodeio \
+      -e POSTGRES_USER=scancodeio \
+      -e POSTGRES_PASSWORD=scancodeio \
+      -e POSTGRES_INITDB_ARGS="--encoding=UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8" \
+      -v scancodeio_pgdata:/var/lib/postgresql/data \
+      -p 5432:5432 \
+      postgres:17
+
+This command starts a new PostgreSQL service named ``scancodeio-run-db`` and stores its
+data in a named Docker volume called ``scancodeio_pgdata``.
+
+.. note::
+    You can stop and remove the PostgreSQL service once you are done using:
+
+    .. code-block:: bash
+
+        docker rm -f scancodeio-run-db
+
+.. tip::
+    The named volume ``scancodeio_pgdata`` ensures that your database data
+    **persists across runs**.
+    You can remove it later with ``docker volume rm scancodeio_pgdata`` if needed.
+
+Run a Docker Image Analysis Using PostgreSQL
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Once PostgreSQL is running, you can start a ScanCode.io pipeline
+using the same Docker image, connecting it to the PostgreSQL database container:
+
+.. code-block:: bash
+
+    docker run --rm \
+      --network host \
+      -e SCANCODEIO_NO_AUTO_DB=1 \
+      ghcr.io/aboutcode-org/scancode.io:latest \
+      run analyze_docker_image docker://alpine:3.22.1 \
+      > results.json
+
+Here’s what’s happening:
+
+- ``--network host``
+  Ensures the container can connect to the PostgreSQL service running on your host.
+
+- ``-e SCANCODEIO_NO_AUTO_DB=1``
+  Tells ScanCode.io **not** to create a temporary SQLite database, and instead use
+  the configured PostgreSQL connection defined in its default settings.
+
+- ``ghcr.io/aboutcode-org/scancode.io:latest``
+  Uses the latest ScanCode.io image from GitHub Container Registry.
+
+- ``run analyze_docker_image docker://alpine:3.22.1``
+  Runs the ``analyze_docker_image`` pipeline, scanning the given Docker image.
+
+- ``> results.json``
+  Saves the scan results to a local ``results.json`` file.
+
+The result? A **faster, multiprocessing-enabled scan** backed by PostgreSQL — ideal
+for large or complex analyses.
+
+Next Step: Installation
+-----------------------
 
 Install ScanCode.io, to **unlock all features**:
 

docs/rest-api.rst

@@ -694,10 +694,16 @@ Finally, use this action to download the project results in the provided
 ``output_format`` as an attachment file.
 
 Data:
-    - ``output_format``: ``json``, ``xlsx``, ``spdx``, ``cyclonedx``, ``attribution``
+    - ``output_format``: ``json``, ``xlsx``, ``spdx``, ``cyclonedx``, ``attribution``,
+      ``all_formats``, ``all_outputs``
 
 ``GET /api/projects/d4ed9405-5568-45ad-99f6-782a9b82d1d2/results_download/?output_format=cyclonedx``
 
+.. note::
+   Use ``all_formats`` to generate a zip file containing all output formats for a
+   project, while ``all_outputs`` can be used to obtain a zip file of all existing
+   output files for that project.
+
 .. tip::
   Refer to :ref:`output_files` to learn more about the available output formats.
 

etc/scripts/d2d/README.rst

@@ -0,0 +1,92 @@
+Run ScanCode.io Mapping Script
+================================
+
+This script executes the ``map_deploy_to_develop`` mapping workflow from
+ScanCode.io inside a Docker container. It optionally spins up a temporary
+PostgreSQL instance when needed. The script copies the specified input files to
+a working directory, runs the mapping, writes the output to a file, and cleans
+up afterward.
+
+Usage
+-----
+
+.. code-block:: bash
+
+   ./map-deploy-to-develop.sh <from-path> <to-path> <output-file> [options] <spin-db> [db-port]
+
+Arguments
+---------
+
++-----------------+-------------------------------------------------------------+
+| Argument        | Description                                                 |
++=================+=============================================================+
+| ``from-path``   | Path to the base deployment/scan file                       |
++-----------------+-------------------------------------------------------------+
+| ``to-path``     | Path to the target deployment/scan file                     |
++-----------------+-------------------------------------------------------------+
+| ``options``     | D2D pipeline parameters (can be empty ``""``)               |
++-----------------+-------------------------------------------------------------+
+| ``output-file`` | File where ScanCode.io output will be written               |
++-----------------+-------------------------------------------------------------+
+| ``spin-db``     | ``true`` = spin temp DB container, ``false`` = skip         |
++-----------------+-------------------------------------------------------------+
+| ``db-port``     | Port to bind Postgres (default: ``5432``)                   |
++-----------------+-------------------------------------------------------------+
+
+
+Example
+-------
+
+Run mapping without database:
+
+.. code-block:: bash
+
+   ./map-deploy-to-develop.sh ./from.tar.gz ./to.whl results.json
+
+Run mapping with database on a custom port:
+
+.. code-block:: bash
+
+   ./map-deploy-to-develop.sh ./from.tar.gz ./to.whl output.json --options "Python,Java" --spin-db --port 5433
+
+Script Actions
+--------------
+
+1. Validates required arguments
+2. Starts PostgreSQL in Docker (if ``spin-db=true``)
+3. Creates a temporary working directory: ``./d2d``
+4. Copies input files into working directory
+5. Runs ScanCode.io mapping step:
+
+   .. code-block:: text
+
+      run map_deploy_to_develop:<D2D_OPTIONS> \
+          "/code/<from-file>:from,/code/<to-file>:to"
+
+6. Writes mapping output into ``output-file``
+7. Cleans up temp directory
+8. Stops DB container if it was started
+
+Dependencies
+------------
+
+* Bash
+* Docker
+* Local filesystem permissions for creating ``./d2d`` and writing output
+
+
+Before running the script:
+----------------------------------
+
+Ensure the script has execute permissions:
+
+.. code-block:: bash
+
+      sudo su -
+      chmod +x map-deploy-to-develop.sh
+
+Then execute:
+
+.. code-block:: bash
+
+      ./map-deploy-to-develop.sh ...