Merge master into prod branch in preparation for the next release #1063
Merged
Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.5.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.5)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…word-wrap-1.2.5 Bump word-wrap from 1.2.3 to 1.2.5
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.12.9 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Add GitHub Actions workflow
…babel/traverse-7.23.2 Bump @babel/traverse from 7.12.9 to 7.23.2
Use `save-exact` in `.npmrc`
Bumps [cookiejar](https://github.com/bmeck/node-cookiejar) from 2.1.2 to 2.1.4.
- [Release notes](https://github.com/bmeck/node-cookiejar/releases)
- [Commits](https://github.com/bmeck/node-cookiejar/commits)

---
updated-dependencies:
- dependency-name: cookiejar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…ookiejar-2.1.4 Bump cookiejar from 2.1.2 to 2.1.4
Bumps [luxon](https://github.com/moment/luxon) from 2.3.0 to 2.5.2.
- [Release notes](https://github.com/moment/luxon/releases)
- [Changelog](https://github.com/moment/luxon/blob/master/CHANGELOG.md)
- [Commits](moment/luxon@2.3.0...2.5.2)

---
updated-dependencies:
- dependency-name: luxon
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pathval](https://github.com/chaijs/pathval) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/chaijs/pathval/releases)
- [Changelog](https://github.com/chaijs/pathval/blob/master/CHANGELOG.md)
- [Commits](chaijs/pathval@v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: pathval
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
When processing a scancode result, license information is first derived from package level data. When this is not available, ScanCodeSummarizer goes through the root files to look for a license. Filtering for root files is based on case sensitive file path matching. In maven packaging, the META/INF directory is the standard (see https://issues.apache.org/jira/browse/MJAR-73?attachmentOrder=desc and https://issues.apache.org/jira/browse/MEAR-30). Change the location for maven to reflect the casing.

utils.getLicenseLocations is also used in utils.isLicenseFile. isLicenseFile uses case insensitive matching. Preserve this case insensitive file path matching by converting the result from getLicenseLocations to lowercase there.

Test cases:
https://clearlydefined.io/definitions/maven/mavencentral/org.flywaydb/flyway-core/9.20.0
https://dev.clearlydefined.io/definitions/maven/mavencentral/org.flywaydb/flyway-core/7.7.2

Task: #846
In scancode, packages[0].license_expression contains license information. This later becomes 'declared_license_expression' (see aboutcode-org/scancode-toolkit@ab677c6#diff-47cc909d82dee95ebbb1a3d3a8ed519ae75684072c8f4867b90056d66863f964). Based on documentation, 'declared_license_expression' is the 'primary license expression as determined from the declaration(s) of the authors of the package'. See https://www.nexb.com/scancode-license-clarity-scoring/

When the existing logic fails to normalize, try to derive license information from packages[0].license_expression.

Test cases:
https://clearlydefined.io/definitions/git/github/jknack/handlebars.java/683c5e885d5dcdf3d17b33e9667f3fb153952016
https://clearlydefined.io/definitions/git/github/jenkinsci/workflow-support-plugin/35e2736cfd5c56799eece176328906d92b6a0dd1
https://clearlydefined.io/definitions/git/github/jenkinsci/durable-task-plugin/e5d4fc08b0be935e03229e23e99a0c92a780da5a
https://clearlydefined.io/definitions/git/github/jenkinsci/pipeline-input-step-plugin/d8a957db5be95ddfbf81f41a60b2f034000314b5
https://clearlydefined.io/definitions/git/github/alephium/extension-wallet/d876b08e0c23ba58bcadedcc5b2a1975af386e6b
https://clearlydefined.io/definitions/git/github/zonyitoo/conhash-rs/779ed931b07c1a9b643dc14f62db29bf8102fd1b
https://clearlydefined.io/definitions/git/github/saleor/saleor-cli/2996c750aafb302cb1edaa1689f2d75fb5372c09
https://clearlydefined.io/definitions/git/github/zowens/crc32c/dea9e9acdbf696dd52e8a62524f0d6a3cb57d105
https://clearlydefined.io/definitions/debsrc/debian/-/python-tenacity/8.0.1-1
Fix NoAssertion cases in maven and sourcearchive typed packages
A recent change utilizes packages[0].license_expression to derive license information. packages[0].license_expression sometimes contains partly unknown license information, e.g. "bsd-new AND unknown". In these cases, ignore package.license_expression containing NOASSERTION, and resort to the logic of figuring out the license based on root files.
Co-authored-by: E. Lynette Rayle <elrayle@users.noreply.github.com>
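The three ScanCodeSummarizer commits above describe one decision procedure: trust packages[0].license_expression only when it is fully known, otherwise fall back to license files in the archive root, matched case-insensitively so Maven's META-INF directory is found regardless of how the scanner reports its casing. The following is an added example of that procedure and is not ClearlyDefined's own code: the function names, the location table, the license file name list, the rule that a file-level expression containing "unknown" or NOASSERTION is skipped, the "AND" join of distinct file expressions, and the sample ScanCode result (simplified to a per-file license_expression field) are all assumptions made for illustration.

```javascript
// Added example, not ClearlyDefined's ScanCodeSummarizer. Names, the location
// table and the constructed sample scan below are assumptions.

// Archive-root directories whose license files count as "root" files, by
// package type. Maven's standard location is META-INF; comparison is
// case-insensitive so 'meta-inf/LICENSE' matches as well.
const LICENSE_LOCATIONS = {
  maven: ['META-INF/'],
  npm: ['package/'],
  default: ['']
}

function getLicenseLocations(type) {
  return LICENSE_LOCATIONS[type] || LICENSE_LOCATIONS.default
}

const LICENSE_FILE_NAMES = ['license', 'license.txt', 'license.md', 'copying', 'notice', 'notice.txt']

// True when `path` is a known license file sitting directly in a root location.
// Both the path and the location are lower-cased first, so the result does not
// depend on the casing the scanner reports.
function isLicenseFile(path, type) {
  const lower = path.toLowerCase()
  return getLicenseLocations(type).some(location => {
    const prefix = location.toLowerCase()
    if (!lower.startsWith(prefix)) return false
    const rest = lower.slice(prefix.length)
    return !rest.includes('/') && LICENSE_FILE_NAMES.includes(rest)
  })
}

// An expression is usable only when every part of it is known: 'bsd-new AND
// unknown' or anything carrying NOASSERTION must not become the declared license.
function isUsableExpression(expression) {
  return typeof expression === 'string' && expression.trim() !== '' &&
    !/\b(unknown|noassertion)\b/i.test(expression)
}

// Package-level data first, root license files second. Distinct file-level
// expressions are combined with AND (an assumption of this example).
function summarizeLicense(scan, type) {
  const pkg = (scan.packages || [])[0]
  if (pkg && isUsableExpression(pkg.license_expression)) {
    return { declared: pkg.license_expression, source: 'package' }
  }
  const expressions = new Set()
  for (const file of scan.files || []) {
    if (isLicenseFile(file.path, type) && isUsableExpression(file.license_expression)) {
      expressions.add(file.license_expression)
    }
  }
  if (expressions.size === 0) return { declared: null, source: 'none' }
  return { declared: [...expressions].join(' AND '), source: 'files' }
}

// Constructed sample: a Maven jar whose package data is partly unknown but whose
// META-INF/LICENSE and META-INF/NOTICE were both detected as apache-2.0. The
// nested org/example/LICENSE is not a root file and must be ignored.
const sampleMavenScan = {
  packages: [{ license_expression: 'bsd-new AND unknown' }],
  files: [
    { path: 'META-INF/MANIFEST.MF', license_expression: null },
    { path: 'META-INF/LICENSE', license_expression: 'apache-2.0' },
    { path: 'META-INF/NOTICE', license_expression: 'apache-2.0' },
    { path: 'org/example/LICENSE', license_expression: 'mit' }
  ]
}

console.log(summarizeLicense(sampleMavenScan, 'maven'))
// -> { declared: 'apache-2.0', source: 'files' }
```

The lower-casing happens inside isLicenseFile rather than in the location table, so a caller that needs the canonical casing (for example to build a path into the archive) can still read it from getLicenseLocations unchanged.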
use consistent periods
If the action is triggered by a release, `${{ github.event.release.tag_name }}` has the version. If we run this action manually, `${{ github.event.release.tag_name }}` is empty. To always have the version for tagging the created docker image and to pass to the webapp, this PR gets the version directly from the package.json file. _NOTE: The package.json file must have the correct version when running manually._
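One way to resolve the version the way the commit above describes, as an added example that is not the project's workflow code: read it from package.json so it is present on both release-triggered and manual runs, validate that it is a semver string, and, where a release tag is available, refuse to proceed when the tag and package.json disagree (a check this example adds; the commit does not mention it). resolveVersion, its arguments and the sample package.json contents are assumptions.

```javascript
// Added example, not the project's workflow code. resolveVersion and the
// constructed sample package.json are assumptions.
const SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/

// packageJsonText: contents of package.json; releaseTag: the release tag name,
// or an empty string on a manual run.
function resolveVersion(packageJsonText, releaseTag) {
  const { version } = JSON.parse(packageJsonText)
  if (typeof version !== 'string' || !SEMVER.test(version)) {
    throw new Error(`package.json has no valid semver version: ${JSON.stringify(version)}`)
  }
  // Release-triggered run: a tag that disagrees with package.json would publish
  // a mislabeled image, so fail instead of picking one silently.
  if (releaseTag) {
    const tagVersion = releaseTag.replace(/^v/, '')
    if (tagVersion !== version) {
      throw new Error(`release tag ${releaseTag} does not match package.json version ${version}`)
    }
  }
  return version
}

// Constructed sample. In the workflow the first argument would be
// fs.readFileSync('package.json', 'utf8') and the second the value of
// ${{ github.event.release.tag_name }} passed in through an environment variable.
const samplePackageJson = JSON.stringify({ name: 'service', version: '1.4.2' })

console.log(resolveVersion(samplePackageJson, ''))       // manual run   -> '1.4.2'
console.log(resolveVersion(samplePackageJson, 'v1.4.2')) // release run  -> '1.4.2'
```

Run as a node script in a workflow step and write the printed value to `$GITHUB_OUTPUT`; later steps then tag the image from that output instead of from the event payload.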
Delete azure-pipelines.yml
Update Actions workflow to pull in LicenseDB data
Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1.
- [Commits](indutny/node-ip@v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: ip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.0 to 3.24.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@e8893c5...47b3d88)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
I am currently investigating some notice generation differences. After comparing the notices from Dev against Prod, the results look good.
In PyPI, '/' is invalid in a package name (see https://peps.python.org/pep-0508/#names). Add a check to restrict the coordinates name prior to querying the PyPI API.
…s/github/codeql-action-3.24.5 Bump github/codeql-action from 3.24.0 to 3.24.5
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](peter-evans/create-pull-request@v6.0.0...v6.0.1)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.5 to 3.24.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@47b3d88...8a470fd)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…s/github/codeql-action-3.24.6 Bump github/codeql-action from 3.24.5 to 3.24.6
…s/peter-evans/create-pull-request-6.0.1 Bump peter-evans/create-pull-request from 6.0.0 to 6.0.1
…ip-2.0.1 Bump ip from 2.0.0 to 2.0.1
Restrict PyPI coordinates name in PypiCoordinatesMapper
Use URL object to generate request URL
This is to fix the CodeQL scanning failure and make stubbing network call easier in unit tests.
Use dependency injection in PypiCoordinatesMapper
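The PyPI commits above make three related changes: reject coordinate names that PEP 508 does not allow before they are used in a request, build the request URL with the URL object, and inject the HTTP client so unit tests can stub the call. The block below is an added example of those three points together and is not ClearlyDefined's PypiCoordinatesMapper: the class, function and field names, the return shape of map, and the stub client are assumptions; the PEP 508 name grammar and PyPI's /pypi/<name>/json endpoint are real. naiveUrl is included only to show why the check matters: the URL object normalizes ".." segments, so an unchecked name containing "/" can move the request to a different path on the host.

```javascript
// Added example, not ClearlyDefined's PypiCoordinatesMapper. Names, the return
// shape and the stub client are assumptions; the PEP 508 grammar and the
// /pypi/<name>/json endpoint are PyPI's real ones.

// PEP 508 name grammar: ASCII letters, digits, '.', '_' and '-', starting and
// ending with a letter or digit. '/' never matches, and neither do '..' or '?'.
const PEP508_NAME = /^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$/i

function isValidPypiName(name) {
  return typeof name === 'string' && PEP508_NAME.test(name)
}

// What an unchecked name does when pasted into the path: the URL object
// resolves '..' segments, so the request lands somewhere else on the host.
function naiveUrl(name, base = 'https://pypi.org') {
  return new URL('/pypi/' + name + '/json', base).toString()
}

// Hardened form: validate first, then assemble the URL from a fixed template.
// encodeURIComponent is a no-op on a valid name; it is kept so the template
// stays safe if the grammar is ever widened.
function pypiJsonUrl(name, base = 'https://pypi.org') {
  if (!isValidPypiName(name)) throw new Error(`invalid PyPI package name: ${name}`)
  return new URL(`/pypi/${encodeURIComponent(name)}/json`, base).toString()
}

class PypiCoordinatesMapper {
  // fetchJson(url) -> Promise<object|null> is injected: production passes a real
  // HTTP client, unit tests pass a stub, so no test opens a socket.
  constructor(fetchJson) {
    this.fetchJson = fetchJson
  }

  // Resolve the canonical name PyPI reports for the coordinates, or null when
  // the name is invalid or unknown. An invalid name never causes a request.
  async map(coordinates) {
    if (!isValidPypiName(coordinates.name)) return null
    const data = await this.fetchJson(pypiJsonUrl(coordinates.name))
    if (!data || !data.info || !data.info.name) return null
    return { ...coordinates, name: data.info.name }
  }
}

// Constructed stub standing in for the network: only 'requests' is known.
const stubFetchJson = async url =>
  url === 'https://pypi.org/pypi/requests/json' ? { info: { name: 'requests' } } : null

const mapper = new PypiCoordinatesMapper(stubFetchJson)
mapper.map({ type: 'pypi', name: 'requests' }).then(result => console.log(result))
// -> { type: 'pypi', name: 'requests' }
mapper.map({ type: 'pypi', name: 'requests/../../simple' }).then(result => console.log(result))
// -> null, and stubFetchJson is never called

console.log(naiveUrl('requests/../../simple'))
// -> https://pypi.org/simple/json  (the '..' segments were resolved away)
```

Validating against the grammar up front also keeps the name check in one place: map refuses early with null, and pypiJsonUrl throws if anything bypasses map, so a crafted name cannot reach the client through either path.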
NOTE: Maintainers are going to be unavailable to verify the release is successful for most of March, so the actual release is being delayed to the first week in April.