oss-review-toolkit
diff --git a/‎.detekt.yml‎
Lines changed: 19 additions & 12 deletions b/‎.detekt.yml‎
Lines changed: 19 additions & 12 deletions
diff --git a/‎.env.versions‎
Lines changed: 3 additions & 1 deletion b/‎.env.versions‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/build-and-test.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/build-and-test.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/scorecard-analysis.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/scorecard-analysis.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/static-analysis.yml‎
Lines changed: 7 additions & 5 deletions b/‎.github/workflows/static-analysis.yml‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎.github/workflows/website-deploy.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/website-deploy.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/website-test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/website-test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.linkspector.yml‎
Lines changed: 1 addition & 1 deletion b/‎.linkspector.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Dockerfile‎
Lines changed: 38 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎analyzer/src/main/kotlin/Extensions.kt‎
Lines changed: 1 addition & 0 deletions b/‎analyzer/src/main/kotlin/Extensions.kt‎
Lines changed: 1 addition & 0 deletions
@@ -1,34 +1,38 @@
-# Configuration of detekt rule sets, see https://arturbosch.github.io/detekt/comments.html.
+# Configuration of detekt rule sets, see https://detekt.dev/docs/intro.
 # This file only lists the differences to the default configuration at
-# https://github.com/arturbosch/detekt/blob/master/detekt-cli/src/main/resources/default-detekt-config.yml.
+# https://github.com/detekt/detekt/blob/main/detekt-core/src/main/resources/default-detekt-config.yml.
 
 complexity:
   CyclomaticComplexMethod:
-    threshold: 25
+    allowedComplexity: 25
   LongMethod:
-    threshold: 158
+    allowedLines: 158
   LongParameterList:
-    constructorThreshold: 11
-    functionThreshold: 8
+    allowedConstructorParameters: 11
+    allowedFunctionParameters: 8
   NestedBlockDepth:
-    threshold: 10
+    allowedDepth: 10
   TooManyFunctions:
-    thresholdInClasses: 19
-    thresholdInObjects: 14
+    allowedFunctionsPerClass: 19
+    allowedFunctionsPerObject: 14
 
 coroutines:
   InjectDispatcher:
     active: false
 
 # Formatting rules are implemented via the ktlint plugin and are the only rules that support auto-formatting. However,
 # as ktlint does not allow to configure exceptions, some rules need to be disabled completely.
-formatting:
+ktlint:
   AnnotationOnSeparateLine:
     active: false
   ArgumentListWrapping:
     active: false
+  ChainMethodContinuation:
+    active: false
   ChainWrapping:
     active: false
+  ClassSignature:
+    active: false
   CommentWrapping:
     active: false
   FinalNewline:
@@ -40,12 +44,16 @@ formatting:
     active: false
   MaximumLineLength:
     active: false
+  NoBlankLineInList:
+    active: false
   NoWildcardImports:
     active: false
   ParameterListWrapping:
     active: false
   SpacingBetweenDeclarationsWithAnnotations:
     active: false
+  StringTemplateIndent:
+    active: false
   TrailingCommaOnCallSite:
     active: true
     useTrailingCommaOnCallSite: false
@@ -79,12 +87,11 @@ style:
     excludes: ["**/clients/github-graphql/build/generated/**"]
   ReturnCount:
     active: false
-  SpacingBetweenPackageAndImports:
+  SpacingAfterPackageDeclaration:
     active: true
   ThrowsCount:
     max: 5
   WildcardImport:
-    excludes: ''
     excludeImports:
       - org.ossreviewtoolkit.helper.commands.*
       - org.ossreviewtoolkit.utils.spdx.SpdxLicense.*
 
@@ -3,19 +3,21 @@ ASKALONO_VERSION=0.5.0
 BAZELISK_VERSION=1.20.0
 BOWER_VERSION=1.8.14
 COCOAPODS_VERSION=1.16.2
+COSIGN_VERSION=3.0.3
 COMPOSER_VERSION=2.8.12
 CONAN_VERSION=1.66.0
 CONAN2_VERSION=2.21.0
 DART_VERSION=2.18.4
 DOTNET_VERSION=6.0
+GLEAM_VERSION=1.13.0
 GO_VERSION=1.25.0
 HASKELL_STACK_VERSION=2.13.1
 JAVA_VERSION=21
 LICENSEE_VERSION=9.18.0
 NODEJS_VERSION=24.10.0
 NUGET_INSPECTOR_VERSION=0.9.12
 PHP_VERSION=8.3
-PIP_VERSION=25.2.0
+PIP_VERSION=25.3.0
 PYENV_GIT_TAG=v2.6.11
 PYTHON_INSPECTOR_VERSION=0.15.0
 PYTHON_PIPENV_VERSION=2023.12.1
 
@@ -41,15 +41,15 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
+      uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4
       with:
         languages: java
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5
     - name: Build all classes
       run: ./gradlew -Dorg.gradle.jvmargs=-Xmx1g --no-build-cache classes
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
+      uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4
   test:
     strategy:
       matrix:
@@ -68,7 +68,7 @@ jobs:
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5
     - name: Install Flox
-      uses: flox/install-flox-action@ba0eb4eb776f1d3b47279d7980f6643caffd8c41 # v2
+      uses: flox/install-flox-action@e3e10c1a9c83c2caa23418edfbb3cee2cbece59f # v2
       with:
         disable-metrics: true
       if: runner.os != 'Windows'
@@ -97,7 +97,7 @@ jobs:
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5
     - name: Install Flox
-      uses: flox/install-flox-action@ba0eb4eb776f1d3b47279d7980f6643caffd8c41 # v2
+      uses: flox/install-flox-action@e3e10c1a9c83c2caa23418edfbb3cee2cbece59f # v2
       with:
         disable-metrics: true
     - name: Run functional tests that do not require external tools
 
@@ -30,6 +30,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: Upload Code Scanning Results
-        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4
         with:
           sarif_file: ossf-results.sarif
@@ -68,9 +68,11 @@ jobs:
     - name: Setup Gradle
       uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5
     - name: Check for Detekt Issues
-      run: ./gradlew detektAll
+      run: ./gradlew detekt
+    - name: Check for Detekt Issues with type resolution
+      run: ./gradlew detektMain detektTestFixtures detektTest detektFunTest
     - name: Upload SARIF File
-      uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
+      uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4
       if: always() # Upload even if the previous step failed.
       with:
         sarif_file: build/reports/detekt/merged.sarif
@@ -91,7 +93,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Setup Node
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
       - name: Check for Markdown issues
         run: |
           npm install -g markdownlint-rule-max-one-sentence-per-line@0.0.2
@@ -101,7 +103,7 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 24
           cache: npm
@@ -129,7 +131,7 @@ jobs:
         post-pr-comment: false
         use-caches: false
     - name: Upload Code Scanning Results
-      uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4
+      uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4
       with:
         sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
   renovate-validation:
 
@@ -16,7 +16,7 @@ jobs:
         uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5
       - name: Generate plugin docs
         run: ./gradlew generatePluginDocs
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 24
           cache: npm
 
@@ -16,7 +16,7 @@ jobs:
         uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5
       - name: Generate plugin docs
         run: ./gradlew generatePluginDocs
-      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
         with:
           node-version: 24
           cache: npm
 
@@ -6,6 +6,6 @@ excludedDirs:
   - website
 ignorePatterns:
   # Ignore localhost links that usually point to a local development server.
-  - pattern: '^http://localhost(:[0-9]+)?/.*$'
+  - pattern: '^http://localhost(:[0-9]+)?(/.*)?$'
   # The link is valid but linkspector gets a 403 response when running on GitHub Actions.
   - pattern: '^https://www.epam.com/services/engineering/open-source$'
@@ -469,6 +469,39 @@ RUN --mount=type=cache,target=/var/tmp/gradle \
 FROM scratch AS ortbin
 COPY --from=ortbuild /opt/ort /opt/ort
 
+#------------------------------------------------------------------------
+# Gleam
+FROM base AS gleambuild
+
+ARG COSIGN_VERSION
+ARG GLEAM_VERSION
+
+ENV GLEAM_HOME=/opt/gleam
+
+# Download cosign binary, verify Gleam binary signature, then clean up
+RUN COSIGN_ARCH=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+    && curl -L "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-${COSIGN_ARCH}" \
+       -o /tmp/cosign \
+    && chmod +x /tmp/cosign \
+    && mkdir -p $GLEAM_HOME/bin \
+    && ARCH=$(arch) \
+    && curl -L "https://github.com/gleam-lang/gleam/releases/download/v${GLEAM_VERSION}/gleam-v${GLEAM_VERSION}-${ARCH}-unknown-linux-musl.tar.gz" \
+       -o /tmp/gleam.tar.gz \
+    && curl -L "https://github.com/gleam-lang/gleam/releases/download/v${GLEAM_VERSION}/gleam-v${GLEAM_VERSION}-${ARCH}-unknown-linux-musl.tar.gz.sigstore" \
+       -o /tmp/gleam.sigstore \
+    && /tmp/cosign verify-blob \
+       --bundle /tmp/gleam.sigstore \
+       --certificate-identity-regexp "^https://github.com/gleam-lang/gleam/.*@refs/tags/v${GLEAM_VERSION}$" \
+       --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+       /tmp/gleam.tar.gz \
+    && tar -xzf /tmp/gleam.tar.gz -C $GLEAM_HOME/bin \
+    && chmod a+x $GLEAM_HOME/bin/gleam \
+    && rm /tmp/gleam.tar.gz /tmp/gleam.sigstore /tmp/cosign \
+    && $GLEAM_HOME/bin/gleam --version
+
+FROM scratch AS gleam
+COPY --from=gleambuild /opt/gleam /opt/gleam
+
 #------------------------------------------------------------------------
 # Container with minimal selection of supported package managers.
 FROM base AS minimal-tools
@@ -595,6 +628,11 @@ RUN mkdir /opt/askalono && \
 
 ENV PATH=$PATH:/opt/askalono
 
+# Gleam
+ENV GLEAM_HOME=/opt/gleam
+ENV PATH=$PATH:$GLEAM_HOME/bin
+COPY --from=gleam --chown=$USER:$USER $GLEAM_HOME $GLEAM_HOME
+
 #------------------------------------------------------------------------
 # Runtime container with minimal selection of supported package managers pre-installed.
 FROM minimal-tools AS minimal
 
@@ -38,6 +38,7 @@ import org.ossreviewtoolkit.utils.common.alsoIfNull
 private const val TYPE = "PackageManagerDependency"
 
 private fun String.encodeColon() = replace(':', '\u0000')
+
 private fun String.decodeColon() = replace('\u0000', ':')
 
 /**