v32.2.0

Major API changes/output data structure changes:

• Output Format Version updated to 3.2.0 (minor version bump)
• SPDX License List support for 3.24.0
• New attribute in top level packages and resource level package_data:
  • is_direct
• New attribute in top level dependencies and resource package_data level dependencies:
  • is_virtual
  • is_private

New changes:

• New and improved package/dependency data:

  • Added new attribute in DependentPackage is_direct to aid
    package resolution and dependency graph creation.
  • Added new attributes in PackageData: is_private and
    is_virtual. #3102 #3811
    #3779

• Improved javascript package detection:

  • Add support for pnpm manifests and lockfiles #3766
  • Add support for npm, pnpm and yarn workspaces #3746
  • Improve resolved package and dependencies support in lockfiles for
    yarn.lock, package-lock.json, and pnpm. #3780
  • Add support for private packages. #3120
  • Add support for new dependency scopes across javascript
  • Lots of misc bugfixes in yarn and npm parsers.
    #3779

• Improve cargo package detection support with various improvements
  and bugfixes:

  • Fix for parser crashing on cargo workspaces
  • Fix a bug in dependency parsing (we were not returning any dependencies)
  • Also support getting dependency versions from workspace
  • Support more attributes from cargo
  • Better handle workspace data thorugh extra_data attribute
    See #3783

• We now support parsing the Swift manifest JSON dump and the
  Package.resolved file #2657.
  Run the command below on your local Swift project before running the scan:
  `swift package dump-package > Package.swift.json && swift package resolve``

• New and updated licenses, including support for newly released
  SPDX license list versions:

  • SPDX License List 3.24:
    This release of the SPDX license list had 25 new licenses
    and exceptions, and out of them 12 were present as licenses
    and 5 were present as rules already. There were 3 new
    license/exception texts added, and the rest 5 were either
    texts with small variations, additions to texts or several
    rule texts together. And the rest have been added as new licenses.
    For more details see #3795

  • More new licenses and rules:

    • 23 new licenses in #3778

What's Changed

• Improve debian package detection by @AyanSinhaMahapatra in #3723
• Add RPM mariner package detection support by @AyanSinhaMahapatra in #3734
• Fix yarn lock v1 parser to handle aliases better by @AyanSinhaMahapatra in #3751
• Add support for Swift package manager by @keshav-space in #3788
• Improve cargo package detection support by @AyanSinhaMahapatra in #3783
• Add new Apache or MIT license rule #3738 by @vasily-pozdnyakov in #3750
• Update documentation for errors in Mac M1 by @swastkk in #3749
• Update to SPDX license list 3.24.0 by @AyanSinhaMahapatra in #3795
• Add new licenses by @AyanSinhaMahapatra in #3778
• Add new LGPL3.0 or later rule by @leslielazzarino in #3805
• Resolve dependencies and improve JS support by @AyanSinhaMahapatra in #3779
• Bump version to v32.2.0 by @AyanSinhaMahapatra in #3812
• Bump version in setup.cfg by @AyanSinhaMahapatra in #3815

New Contributors

• @vasily-pozdnyakov made their first contribution in #3750
• @swastkk made their first contribution in #3749
• @leslielazzarino made their first contribution in #3805

Full Changelog: v32.1.0...v32.2.0