Merge branch 'main' into JSON-local-storage

Author: VarshaUN

.github/workflows/generate-sboms.yml

@@ -32,7 +32,7 @@ jobs:
           find scancodeio/ -type f -name "*.ABOUT" -exec cp {} "${{ env.INPUTS_PATH }}/about-files/" \;
 
       - name: Resolve the dependencies using ScanCode-action
-        uses: nexB/scancode-action@main
+        uses: aboutcode-org/scancode-action@main
         with:
           pipelines: "resolve_dependencies:DynamicResolver"
           inputs-path: ${{ env.INPUTS_PATH }}

.github/workflows/publish-docker.yml renamed to .github/workflows/publish-docker-image.yml

@@ -1,4 +1,4 @@
-name: Publish Docker image on GHCR
+name: Publish Docker image on GitHub Container Registry
 # https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
 
 on:
@@ -15,8 +15,8 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build-and-push-image:
-    runs-on: ubuntu-22.04
+  build-and-publish-image:
+    runs-on: ubuntu-24.04
 
     # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
     permissions:

.github/workflows/pypi-release-aboutcode-pipeline.yml renamed to .github/workflows/publish-pypi-release-aboutcode-pipeline.yml

@@ -3,21 +3,21 @@ name: Build aboutcode.pipeline Python distributions and publish on PyPI
 on:
   workflow_dispatch:
   push:
-   tags:
-     - "aboutcode.pipeline/*"
+    tags:
+      - "aboutcode.pipeline/*"
 
 jobs:
   build-and-publish:
     name: Build and publish library to PyPI
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.12
+          python-version: 3.13
 
       - name: Install flot
         run: python -m pip install flot --user

.github/workflows/pypi-release.yml renamed to .github/workflows/publish-pypi-release.yml

@@ -9,15 +9,15 @@ on:
 jobs:
   build-and-publish:
     name: Build and publish library to PyPI
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - uses: actions/checkout@v4
 
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: 3.12
+          python-version: 3.13
 
       - name: Install pypa/build
         run: python -m pip install build --user

.github/workflows/ci-docker.yml renamed to .github/workflows/run-unit-tests-docker.yml

@@ -1,10 +1,18 @@
-name: Test on Docker CI
+name: Run unit tests on Docker container
 
-on: [push, pull_request]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
 
 jobs:
-  build:
-    runs-on: ubuntu-22.04
+  run-unit-tests:
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code

.github/workflows/run-unit-tests-macos.yml

@@ -0,0 +1,53 @@
+name: Run unit tests on macOS
+
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+env:
+  POSTGRES_DB: scancodeio
+  POSTGRES_USER: scancodeio
+  POSTGRES_PASSWORD: scancodeio
+
+jobs:
+  run-unit-tests:
+    runs-on: macos-13
+
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: ikalnytskyi/action-setup-postgres@v7
+        id: postgres
+        with:
+          postgres-version: "14"  # 13 is not supported.
+          database: ${{ env.POSTGRES_DB }}
+          username: ${{ env.POSTGRES_USER }}
+          password: ${{ env.POSTGRES_PASSWORD }}
+          port: 5432
+
+      - name: Install Python dependencies
+        run: make dev envfile
+
+      - name: Run Django tests
+        run: .venv/bin/python manage.py test --verbosity=2 --noinput
+        env:
+          SCANCODEIO_DB_NAME: ${{ env.POSTGRES_DB }}
+          SCANCODEIO_DB_USER: ${{ env.POSTGRES_USER }}
+          SCANCODEIO_DB_PASSWORD: ${{ env.POSTGRES_PASSWORD }}

.github/workflows/ci.yml renamed to .github/workflows/run-unit-tests.yml

@@ -1,6 +1,14 @@
-name: Test CI
+name: Run unit tests
 
-on: [push, pull_request]
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
 
 env:
   POSTGRES_DB: scancodeio
@@ -9,8 +17,8 @@ env:
   POSTGRES_INITDB_ARGS: --encoding=UTF-8 --lc-collate=en_US.UTF-8 --lc-ctype=en_US.UTF-8
 
 jobs:
-  build:
-    runs-on: ubuntu-22.04
+  run-unit-tests:
+    runs-on: ubuntu-24.04
 
     services:
       postgres:
@@ -31,7 +39,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: ["3.10", "3.11", "3.12"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - name: Checkout code

.github/workflows/sca-integration-anchore.yml

@@ -0,0 +1,51 @@
+name: Generate SBOM with Anchore Grype and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using Anchore Grype.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Generate CycloneDX SBOM with Anchore Grype scanner
+        uses: anchore/scan-action@v6
+        with:
+          image: ${{ env.IMAGE_REFERENCE }}
+          output-format: cyclonedx-json
+          output-file: "anchore-grype-sbom.cdx.json"
+          fail-build: false
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: anchore-sbom-report
+          path: "anchore-grype-sbom.cdx.json"
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "anchore-grype-sbom.cdx.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 3200; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 220"

.github/workflows/sca-integration-cdxgen.yml

@@ -0,0 +1,54 @@
+name: Generate SBOM with CycloneDX cdxgen and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using CycloneDX cdxgen.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install CycloneDX cdxgen
+        run: npm install @cyclonedx/cdxgen
+
+      - name: Generate SBOM with CycloneDX cdxgen
+        run: |
+          npx cdxgen ${{ env.IMAGE_REFERENCE }} \
+            --type docker \
+            --output cdxgen-sbom.cdx.json \
+            --spec-version 1.6 \
+            --json-pretty
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: cdxgen-sbom
+          path: "cdxgen-sbom.cdx.json"
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "cdxgen-sbom.cdx.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"

.github/workflows/sca-integration-trivy.yml

@@ -0,0 +1,53 @@
+name: Generate SBOM with Trivy and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using Trivy.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Generate CycloneDX SBOM with Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "image"
+          image-ref: ${{ env.IMAGE_REFERENCE }}
+          format: "cyclonedx"
+          output: "trivy-report.sbom.json"
+          scanners: "vuln,license"
+          version: "latest"
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sbom-report
+          path: "trivy-report.sbom.json"
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "trivy-report.sbom.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() > 40; assert DiscoveredDependency.objects.count() > 190"