Merge branch 'develop' into improve-npm-support

Signed-off-by: Ayan Sinha Mahapatra <[email protected]>

CHANGELOG.rst

@@ -34,8 +34,37 @@ v33.0.0 (next next, roadmap)
   of these in other summary plugins.
   See https://github.com/nexB/scancode-toolkit/issues/1745
 
-v32.1.0 (next, roadmap)
-----------------------------
+- Improve cargo package detection support with various improvements
+  and bugfixes:
+  - Fix for parser crashing on cargo workspaces
+  - Fix a bug in dependency parsing (we were not returning any dependencies)
+  - Also support getting dependency versions from workspace
+  - Support more attributes from cargo
+  - Better handle workspace data thorugh extra_data attribute
+  See https://github.com/nexB/scancode-toolkit/pull/3783
+
+- We now support parsing the Swift manifest JSON dump and the ``Package.resolved`` file https://github.com/nexB/scancode-toolkit/issues/2657.
+  - Run the commands below on your local Swift project before running the scan.
+    - ::
+
+        swift package dump-package > Package.swift.json
+    - ::
+
+        swift package resolve
+
+- New and updated licenses, including support for newly released
+  SPDX license list versions:
+  - SPDX License List 3.24:
+    This release of the SPDX license list had 25 new licenses
+    and exceptions, and out of them 12 were present as licenses
+    and 5 were present as rules already. There were 3 new
+    license/exception texts added, and the rest 5 were either
+    texts with small variations, additions to texts or several
+    rule texts together. And the rest have been added as new licenses.
+    For more details see https://github.com/nexB/scancode-toolkit/pull/3795
+
+v32.1.0 - 2024-03-23
+---------------------
 
 New CLI options:
 

docs/source/getting-started/install.rst

@@ -160,6 +160,32 @@ in the extracted directory and run::
 
 This will configure ScanCode and display the command line :ref:`cli_help_text`.
 
+.. note::
+   If you encounter a "No matching distribution" error while running the ``./configure`` command on a Mac M1, it may indicate compatibility issues with the current architecture. Here's a step-by-step guide to address this:
+
+   - **Change Mac M1 Architecture to x86_64:**
+     Switch the architecture from amd64 to x86_64 using the command:
+     ::
+
+         env /usr/bin/arch -x86_64 /bin/zsh --login
+   - **Use Rosetta Translation:**
+     Enable Rosetta translation in Terminal by executing:
+     ::
+
+         softwareupdate --install-rosetta
+   - **Transition Homebrew from arm64 to Intel:**
+     Change Homebrew from the arm64 architecture to the Intel (x86) architecture by running:
+     ::
+
+         /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+   - **Install Intel-Specific Python:**
+     Use Homebrew to install Python specifically optimized for Intel architecture with:
+     ::
+
+         /usr/local/Homebrew/bin/brew install python3
+
+   Then rerun the ``./configure`` command. This sets up the project according to the new architecture and ensures proper configuration.
+   Following these steps should help resolve compatibility issues and allow smooth operation of the project on Mac M1 devices.
 
 .. _windows_app_install:
 

docs/source/reference/available_package_parsers.rst

@@ -233,6 +233,7 @@ parsers in scancode-toolkit during documentation builds.
      - https://r-pkgs.org/description.html
    * - Debian control file - extracted layout
      - ``*/control.tar.gz-extract/control``
+       ``*/control.tar.xz-extract/control``
      - ``deb``
      - ``debian_control_extracted_deb``
      - None
@@ -716,6 +717,19 @@ parsers in scancode-toolkit during documentation builds.
      - ``rpm_installed_database_sqlite``
      - None
      - https://fedoraproject.org/wiki/Changes/Sqlite_Rpmdb
+   * - RPM mariner distroless package manifest
+     - ``*var/lib/rpmmanifest/container-manifest-2``
+     - ``rpm``
+     - ``rpm_mariner_manifest``
+     - None
+     - https://github.com/microsoft/marinara/
+   * - RPM mariner distroless package license files
+     - ``*usr/share/licenses/*/COPYING*``
+       ``*usr/share/licenses/*/LICENSE*``
+     - ``rpm``
+     - ``rpm_package_licenses``
+     - None
+     - https://github.com/microsoft/marinara/
    * - RPM specfile
      - ``*.spec``
      - ``rpm``
@@ -734,6 +748,19 @@ parsers in scancode-toolkit during documentation builds.
      - ``squashfs_disk_image``
      - None
      - https://en.wikipedia.org/wiki/SquashFS
+   * - JSON dump of Package.swift created with ``swift package dump-package > Package.swift.json``
+     - ``*/Package.swift.json``
+     - ``swift``
+     - ``swift_package_manifest_json``
+     - Swift
+     - https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html
+   * - Resolved full dependency lockfile for Package.swift created with ``swift package resolve``
+     - ``*/Package.resolved``
+       ``*/.package.resolved``
+     - ``swift``
+     - ``swift_package_resolved``
+     - swift
+     - https://docs.swift.org/package-manager/PackageDescription/PackageDescription.html#package-dependency
    * - Java Web Application Archive
      - ``*.war``
      - ``war``

src/licensedcode/data/licenses/3dslicer-1.0.LICENSE

@@ -5,11 +5,15 @@ name: 3D Slicer Contribution and Software License Agreement v1.0
 category: Permissive
 owner: Slicer Project
 homepage_url: https://www.slicer.org/wiki/License
-spdx_license_key: LicenseRef-scancode-3dslicer-1.0
+spdx_license_key: 3D-Slicer-1.0
+other_spdx_license_keys:
+    - LicenseRef-scancode-3dslicer-1.0
 text_urls:
     - https://github.com/Slicer/Slicer/blob/v4.6.2/COPYRIGHT.txt
 faq_url: https://www.slicer.org/wiki/CommercialUse
 other_urls:
+    - https://slicer.readthedocs.io/en/latest/user_guide/about.html#license
+    - https://github.com/Slicer/Slicer/blob/main/License.txt
     - http://www.slicer.org
     - http://wiki.na-mic.org/Wiki/index.php/Slicer3
 ignorable_authors:

src/licensedcode/data/licenses/amd-historical.LICENSE

@@ -5,7 +5,11 @@ name: AMD Historical License
 category: Permissive
 owner: Advanced Micro Devices
 notes: this is a short historical permissive license seen in the newlib C library
-spdx_license_key: LicenseRef-scancode-amd-historical
+spdx_license_key: AMD-newlib
+other_spdx_license_keys:
+    - LicenseRef-scancode-amd-historical
+other_urls:
+    - https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=newlib/libc/sys/a29khif/_close.S;h=04f52ae00de1dafbd9055ad8d73c5c697a3aae7f;hb=HEAD
 ---
 
 This software is the property of Advanced Micro Devices, Inc  (AMD)  which

src/licensedcode/data/licenses/any-osi.LICENSE

@@ -0,0 +1,18 @@
+---
+key: any-osi
+short_name: Any OSI License
+name: Any OSI License
+category: Unstated License
+owner: Unspecified
+spdx_license_key: any-OSI
+minimum_coverage: 100
+other_urls:
+    - http://www.opensource.org/licenses/alphabetical
+    - https://metacpan.org/pod/Exporter::Tidy#LICENSE
+ignorable_urls:
+    - http://www.opensource.org/licenses/alphabetical
+---
+
+Pick your favourite OSI approved license :)
+
+http://www.opensource.org/licenses/alphabetical

src/licensedcode/data/licenses/asterisk-linking-protocols-exception.LICENSE

@@ -0,0 +1,25 @@
+---
+key: asterisk-linking-protocols-exception
+short_name: Asterisk linking protocols exception
+name: Asterisk linking protocols exception
+owner: Asterisk
+category: Copyleft Limited
+is_exception: yes
+spdx_license_key: Asterisk-linking-protocols-exception
+other_urls:
+    - https://github.com/asterisk/asterisk/blob/115d7c01e32ccf4566a99e9d74e2b88830985a0b/LICENSE#L27
+---
+
+Specific permission is also granted to link Asterisk with OpenSSL, OpenH323
+UniMRCP, and/or the UW IMAP Toolkit and distribute the resulting binary files.
+
+In addition, Asterisk implements several management/control protocols.
+This includes the Asterisk Manager Interface (AMI), the Asterisk Gateway
+Interface (AGI), and the Asterisk REST Interface (ARI). It is our belief
+that applications using these protocols to manage or control an Asterisk
+instance do not have to be licensed under the GPL or a compatible license,
+as we believe these protocols do not create a 'derivative work' as referred
+to in the GPL. However, should any court or other judiciary body find that
+these protocols do fall under the terms of the GPL, then we hereby grant you a
+license to use these protocols in combination with Asterisk in external
+applications licensed under any license you wish.

src/licensedcode/data/licenses/bsd-2-clause-first-lines.LICENSE

@@ -0,0 +1,39 @@
+---
+key: bsd-2-clause-first-lines
+short_name: BSD 2-Clause first lines
+name: BSD 2-Clause - first lines requirement
+owner: Nippon Telegraph and Telephone Corporation
+category: Permissive
+notes: |
+    Added in SPDX license list 3.24
+    This was previously the license rule: freebsd-doc_5.RULE
+spdx_license_key: BSD-2-Clause-first-lines
+other_urls:
+    - https://github.com/krb5/krb5/blob/krb5-1.21.2-final/NOTICE#L664-L690
+    - https://web.mit.edu/kerberos/krb5-1.21/doc/mitK5license.html
+---
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above
+   copyright notice, this list of conditions and the following
+   disclaimer as the first lines of this file unmodified.
+
+2. Redistributions in binary form must reproduce the above
+   copyright notice, this list of conditions and the following
+   disclaimer in the documentation and/or other materials provided
+   with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY NTT "AS IS" AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.

src/licensedcode/data/licenses/catharon-osl.LICENSE

@@ -5,7 +5,9 @@ name: Catharon Open Source License
 category: Permissive
 owner: Catharon
 homepage_url: https://github.com/scummvm/scummvm/blob/master/LICENSES/CatharonLicense.txt
-spdx_license_key: LicenseRef-scancode-catharon-osl
+spdx_license_key: Catharon
+other_spdx_license_keys:
+    - LicenseRef-scancode-catharon-osl
 text_urls:
     - https://github.com/scummvm/scummvm/tree/master/engines/ags/lib/freetype-2.1.3/autohint
     - https://www.copperspice.com/docs/cs_overview/legal-3rdparty.html

src/licensedcode/data/licenses/codesourcery-2004.LICENSE

@@ -5,7 +5,11 @@ name: CodeSourcery 2004
 category: Permissive
 owner: CodeSourcery
 homepage_url: https://git.linaro.org/toolchain/newlib.git/tree/newlib/libc/misc/init.c
-spdx_license_key: LicenseRef-scancode-codesourcery-2004
+spdx_license_key: HPND-merchantability-variant
+other_spdx_license_keys:
+    - LicenseRef-scancode-codesourcery-2004
+other_urls:
+    - https://sourceware.org/git/?p=newlib-cygwin.git;a=blob;f=newlib/libc/misc/fini.c;hb=HEAD
 ---
 
 Permission to use, copy, modify, and distribute this file

src/licensedcode/data/licenses/cve-tou.LICENSE

@@ -5,7 +5,11 @@ name: Common Vulnerability Enumeration ToU License
 category: Permissive
 owner: Mitre
 homepage_url: https://cve.mitre.org/about/termsofuse.html
-spdx_license_key: LicenseRef-scancode-cve-tou
+spdx_license_key: cve-tou
+other_spdx_license_keys:
+    - LicenseRef-scancode-cve-tou
+other_urls:
+    - https://www.cve.org/Legal/TermsOfUse
 ---
 
 CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive,

src/licensedcode/data/licenses/fftpack-2004.LICENSE

@@ -5,11 +5,14 @@ name: FFTPACK License 2004
 category: Permissive
 owner: NCAR
 homepage_url: https://github.com/marton78/pffft/blob/master/pffft.c
-spdx_license_key: LicenseRef-scancode-fftpack-2004
+spdx_license_key: NCL
+other_spdx_license_keys:
+    - LicenseRef-scancode-fftpack-2004
 text_urls:
     - https://bitbucket.org/jpommier/pffft/src/master/pffft.c
 other_urls:
     - https://github.com/nexB/scancode-toolkit/issues/1978
+    - https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/modules/module-filter-chain/pffft.c?ref_type=heads#L1-52
 standard_notice: |
     http://www.cisl.ucar.edu/css/software/fftpack5/ftpk.html
     Copyright (c) 2004 the University Corporation for Atmospheric

src/licensedcode/data/licenses/gutmann.LICENSE

@@ -0,0 +1,16 @@
+---
+key: gutmann
+short_name: Gutmann License
+name: Gutmann License
+owner: Peter Gutmann
+category: Permissive
+notes: |
+    Added in SPDX license list 3.24
+    This was previously the license rule: other-permissive_bsdish_1.RULE
+spdx_license_key: Gutmann
+other_urls:
+    - https://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
+---
+
+You can use this code in whatever way you want, as long as you don't try
+to claim you wrote it.

src/licensedcode/data/licenses/hpnd-export-us-acknowledgement.LICENSE

@@ -0,0 +1,37 @@
+---
+key: hpnd-export-us-acknowledgement
+short_name: HPND US export acknowledgment
+name: HPND with US Government export control warning and acknowledgment
+owner: Regents of the University of California
+category: Free Restricted
+notes: |
+    Added in SPDX license list 3.24
+    This was previously mit-no-advert-export-control_and_proprietary-license_1.RULE
+spdx_license_key: HPND-export-US-acknowledgement
+other_urls:
+    - https://github.com/krb5/krb5/blob/krb5-1.21.2-final/NOTICE#L831-L852
+    - https://web.mit.edu/kerberos/krb5-1.21/doc/mitK5license.html
+ignorable_authors:
+    - the University of Southern California
+---
+
+EXPORT OF THIS SOFTWARE from the United States of America may
+require a specific license from the United States Government. It
+is the responsibility of any person or organization
+contemplating export to obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
+this software and its documentation in source and binary forms is
+hereby granted, provided that any documentation or other materials
+related to such distribution or use acknowledge that the software
+was developed by the University of Southern California.
+
+DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED "AS IS".  The
+University of Southern California MAKES NO REPRESENTATIONS OR
+WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
+limitation, the University of Southern California MAKES NO
+REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
+PARTICULAR PURPOSE. The University of Southern California shall not
+be held liable for any liability nor for any direct, indirect, or
+consequential damages with respect to any claim by the user or
+distributor of the ksu software.

src/licensedcode/data/licenses/hpnd-sell-variant-mit-disclaimer-rev.LICENSE

@@ -0,0 +1,27 @@
+---
+key: hpnd-sell-variant-mit-disclaimer-rev
+short_name: HPND sell variant with MIT disclaimer reverse
+name: HPND sell variant with MIT disclaimer - reverse
+owner: Ian Stapleton Cordasco
+category: Permissive
+notes: Added in SPDX license list 3.24
+spdx_license_key: HPND-sell-variant-MIT-disclaimer-rev
+other_urls:
+    - https://github.com/sigmavirus24/x11-ssh-askpass/blob/master/dynlist.c
+---
+
+Disclaimer:
+
+The software is provided "as is", without warranty of any kind,
+express or implied, including but not limited to the warranties
+of merchantability, fitness for a particular purpose and
+noninfringement. In no event shall the author(s) be liable for
+any claim, damages or other liability, whether in an action of
+contract, tort or otherwise, arising from, out of or in connection
+with the software or the use or other dealings in the software.
+
+Permission to use, copy, modify, distribute, and sell this
+software and its documentation for any purpose is hereby
+granted without fee, provided that the above copyright notice
+appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation.

src/licensedcode/data/licenses/hpnd-uc-export-us.LICENSE

@@ -0,0 +1,20 @@
+---
+key: hpnd-uc-export-us
+short_name: HPND UC US export warning
+name: Historical Permission Notice and Disclaimer - University of California, US export warning
+owner: Regents of the University of California
+category: Free Restricted
+spdx_license_key: HPND-UC-export-US
+notes: Added in SPDX license list 3.24
+other_urls:
+    - https://github.com/RTimothyEdwards/magic/blob/master/LICENSE
+---
+
+Permission to use, copy, modify, and distribute this
+software and its documentation for any purpose and without
+fee is hereby granted, provided that the above copyright
+notice appear in all copies.  The University of California
+makes no representations about the suitability of this
+software for any purpose.  It is provided "as is" without
+express or implied warranty.  Export of this software outside
+of the United States of America may require an export license.