Skip to content

chore(deps): Update dependency scanoss to v1.54.1#377

Merged
haksungjang merged 1 commit into
mainfrom
renovate/scanoss-1.x
Jul 13, 2026
Merged

chore(deps): Update dependency scanoss to v1.54.1#377
haksungjang merged 1 commit into
mainfrom
renovate/scanoss-1.x

Conversation

@haksungjang

Copy link
Copy Markdown
Member

This PR contains the following updates:

Package Change Age Confidence
scanoss (source) 1.25.21.54.1 age confidence

Release Notes

scanoss/scanoss.py (scanoss)

v1.54.1

Compare Source

Fixed
  • settings.skip.patterns.fingerprinting (and settings.skip.sizes.fingerprinting) are now applied to the fingerprinting operation (wfp command). Previously the fingerprinting code path always read the scanning section, so fingerprinting-specific skip rules were silently ignored.
  • Fixed gitignore-style negation (!) skip patterns being ignored when combined with a broad root pattern. A pattern such as ["/*", "!/game"] matched the scan root itself and pruned the entire tree before the negation could re-include anything, so nothing was ever kept. The scan root is no longer treated as a candidate for exclusion.

v1.54.0

Compare Source

Added
  • Added --scan-root to specify the scan root to load scanoss.json from (Commands: scan, wfp, dependencies, folder-scan, folder-hash)
  • Added a priority list for loading scanoss.json (1. --settings 2. Scan directory (--scan-root if specified) 3. CWD)

v1.53.2

Compare Source

Fixed
  • No longer reports every HTTP 503 as "service limits being exceeded", which misled users into thinking they had hit a rate limit during unrelated service outages. Rate limits (HTTP 429) are now distinguished from generic service unavailability (HTTP 503), and the actual server response body is surfaced in the error message.
Changed
  • Honour the Retry-After header on HTTP 429/503 responses, retrying with backoff (capped at 60s) instead of aborting immediately on the first 503

v1.53.1

Compare Source

Added
  • Added --apiurl option to the folder-scan command to configure a custom SCANOSS API base URL (consistent with the scan command)
Changed
  • Changed the default --rank-threshold for the folder-scan/fs command from 5 to 9, so valid components with ranks 6-9 are no longer filtered out by default

v1.53.0

Compare Source

Added
  • Added the ability to scan a file-based list of files (--files-from)

v1.52.1

Compare Source

Fixed
  • Fixed CPE identifiers missing from SPDX Lite output (--format spdxlite)
    • CPEs are now emitted as SPDX 2.2 externalRefs with referenceCategory: SECURITY
    • CPE 2.3 strings use referenceType: cpe23Type; legacy cpe:/... and cpe:2.2:... use cpe22Type
    • Multiple CPEs per component are preserved and deduplicated

v1.52.0

Compare Source

Added
  • Added status subcommand query to component command to retrieve development life-cycle status:
    • Component and version-specific for a single component
    • Component and version-specific for a list of components

v1.51.1

Compare Source

Fixed
  • Fixed vulnerabilities not appearing in CycloneDX output for folder-scan (fs) command
  • Fixed CycloneDX output without vulnerabilities being printed to stdout when using --output with folder-scan

v1.51.0

Compare Source

Added
  • Added --format raw option to folder-scan command to export HFH results in snippet-scanner JSON format
    • Expands directory-level HFH results into per-file entries keyed by relative file path
    • Assigns each file to the most specific matching path_id (deepest directory match wins)
  • Added license decoration to folder hash scan results via dependency service
    • Each component version in HFH results is now decorated with license information
    • CycloneDX output uses pre-decorated licenses instead of making a separate dependency API call

v1.50.1

Compare Source

Fixed
  • Fixed bom.replace rules with a license field: the license is now applied to the replaced result instead of being silently dropped

v1.50.0

Compare Source

Fixed
  • Fixed requirement field being lost during dependency decoration in scan command
  • Sanitized scancode extracted_requirement to strip redundant package name prefix (e.g., gtest==1.17.01.17.0)

v1.49.1

Compare Source

Fixed
  • When an error occurs during the scan, do not write a partial scan result file. Leave it empty.

v1.49.0

Compare Source

Fixed
  • Fixed --skip-headers incorrectly identifying continuation lines inside multi-line import blocks
Changed
  • Added error handling for is_binary check to catch RuntimeError and default to treating the file as binary

v1.48.0

Compare Source

Added
  • Added --apiurl option to all component subcommands (comp vulns, comp licenses, comp semgrep, comp provenance, comp search, comp versions) to allow overriding the default API base URL

v1.47.0

Compare Source

Added
  • Added support for skipping dependency files, configurable via settings.skip.patterns.dependencies
Changed
  • All API communication now uses REST by default
  • The --grpc, --rest, --api2url, and --grpc-proxy CLI flags now cause an error if used (gRPC is no longer supported)

v1.46.0

Compare Source

Added
  • Added folder-level (path-scoped) BOM filtering for include, exclude, remove, and replace rules
    • BOM rules can now target specific folders (e.g., "path": "src/vendor/") in addition to individual files
    • Priority-based matching: path+purl (highest) > purl-only > path-only (lowest); longer paths win ties
    • Path-scoped include entries are sent as identify context only for files under the matching folder
    • Path-scoped exclude entries are sent as blacklist context only for files under the matching folder
  • Replace rules now contribute their replace_with PURL to the scan context, improving server-side matching
  • BOM path matching is agnostic to trailing slashes (src/vendor/ and src/vendor are equivalent)
Changed
  • Refactored SBOM handling: replaced global SBOM context with per-file SbomContext resolution via ScanossSettings.get_sbom_context()
  • Refactored BomEntry from TypedDict to dataclass hierarchy with matches_path(), matches_purl(), and priority support
  • Extracted _iter_wfp_files generator to simplify WFP parsing in scan_wfp_file_threaded

v1.45.1

Compare Source

Fixed
  • Fixed --input argument validation for inspect subcommands (copyleft, undeclared, license-summary, component-summary) by making it required at the argparse level instead of manual runtime checks

v1.45.0

Compare Source

Added
  • Added scan engine tuning parameters for snippet matching:
    • --min-snippet-hits - Minimum snippet hits required (0 defers to server config)
    • --min-snippet-lines - Minimum snippet lines required (0 defers to server config)
    • --ranking - Enable/disable result ranking (unset/true/false)
    • --ranking-threshold - Ranking threshold value (-1 to 10, -1 defers to server config)
    • --honour-file-exts - Honour file extensions during matching (unset/true/false)
  • Added file_snippet section to scanoss.json settings schema for configuring tuning parameters
  • Added ScanSettingsBuilder class for merging CLI and settings file configurations with priority: CLI > file_snippet > root settings

v1.44.0

Compare Source

Changed
  • Refactored --apiurl parameter to accept base URLs instead of full endpoint URLs
    • Now accepts https://api.scanoss.com instead of https://api.scanoss.com/scan/direct
    • Automatically appends /scan/direct endpoint path
    • Backward compatible: detects and warns when full endpoint URLs are provided
    • Uses urllib.parse for robust URL handling (ports, IPv6, encoded characters)
    • Updated CLI help text and documentation to reflect base URL format
    • Applies to both CLI arguments and SCANOSS_SCAN_URL environment variable

v1.43.1

Compare Source

Changed
  • Restored --no-wfp-output flag for backwards compatibility (deprecated, no effect)

v1.43.0

Compare Source

Changed
  • Scan command no longer generates scanner_output.wfp file
  • Removed --no-wfp-output flag (no longer needed)

v1.42.0

Compare Source

Added
  • Added support for filtering uninteresting data from the beginning of source files.
    • When using --skip-headers it will skip over copyright notices, import statements, comments, etc.
    • The --skip-headers-limit option specifies the maximum number of lines to skip if required.

v1.41.1

Compare Source

  • Use components instead of purls for vulnerability detection when converting to CycloneDX format in Folder Scan

v1.41.0

Compare Source

Added
  • Added --license-sources (-ls) option to copyleft inspection
    • Filter which license sources to check (component_declared, license_file, file_header, file_spdx_tag, scancode)
    • Supports both -ls source1 source2 and -ls source1 -ls source2 syntax
Changed
  • Switched to OSADL authoritative copyleft license data

    • Copyleft detection now uses OSADL (Open Source Automation Development Lab) checklist data
    • Adds missing -or-later license variants (GPL-2.0-or-later, GPL-3.0-or-later, LGPL-2.1-or-later, etc.)
    • Expands copyleft coverage from 21 to 32 licenses
    • Custom include/exclude/explicit filters still use legacy behavior for backward compatibility
    • Dataset attribution added to README (CC-BY-4.0 license)
  • Copyleft inspection now defaults to component-level licenses only (component_declared, license_file)

    • Reduces noise from file-level license detections (file_header, scancode)
    • Use -ls to override and check specific sources
Fixed
  • Fixed the terminal cursor disappearing after aborting scan with Ctrl+C

v1.40.1

Compare Source

Changed
  • Refactored inspect module structure for better organization
    • Reorganized inspection modules into policy_check and summary subdirectories
    • Moved copyleft and undeclared component checks to policy_check/scanoss/
    • Moved component, license, and match summaries to summary/
    • Moved Dependency Track policy checks to policy_check/dependency_track/
    • Extracted common scan result processing logic into ScanResultProcessor utility class
    • Improved type safety with PolicyOutput named tuple for policy check results
    • Made PolicyCheck class explicitly abstract with ABC
Added
  • Added Makefile targets for running ruff linter (linter, linter-fix, linter-docker, linter-docker-fix)

v1.40.0

Compare Source

Added
  • Add support for --rest to folder-scan command

v1.39.0

Compare Source

Added
  • Added glc-codequality format to convert subcommand
  • Added inspect gitlab matches subcommand to generate GitLab-compatible Markdown match summary from SCANOSS scan results
  • Added utility modules for shared functionality (markdown_utils.py and file_utils.py)
Changed
  • Refactored table generation utilities into shared markdown_utils module
  • Refactored JSON file loading into shared file_utils module

v1.38.0

Compare Source

Added
  • Add support for settings debug mode via SCANOSS_DEBUG environment variable

v1.37.1

Compare Source

Added
  • Added source filtering to cyclonedx conversion
Fixed
  • Fixed dependencies being skipped during spdx conversion

v1.37.0

Compare Source

Added
  • Added delta folder and file copy command

v1.36.0

Compare Source

Added
  • Add --recursive-threshold argument to folder scan command
  • Add --depth argument to folder-scan and folder-hash commands

v1.35.0

Compare Source

Modified
  • Use gRPC instead of REST for API calls

v1.34.0

Compare Source

Added
  • Add REST API support for decoration commands

v1.32.0

Compare Source

Added
  • Switched vulnerability and dependency APIs to use REST by default

v1.31.5

Compare Source

Added
  • Added jira markdown option for DT
  • Added Dependency Track project link to markdown summary
  • Updated protobuf client definitions
  • Added date field to scanoss-py comp versions response

v1.31.4

Compare Source

Added
  • Added support for empty dependency track project policy checks

v1.31.3

Compare Source

Fixed
  • Added handling for empty results files

v1.31.2

Compare Source

Fixed
  • Removed an unnecessary print statement from the policy checker

v1.31.1

Compare Source

Fixed
  • Fixed purl formatting bug in dependency track output

v1.31.0

Compare Source

Added
  • Add inspect dependency-track project-violations subcommand to retrieve Dependency Track project violations in Markdown and JSON formats
Changed
  • Renamed inspect copyleft to inspect raw copyleft
  • Renamed inspect undeclared to inspect raw undeclared
  • Renamed inspect component-summary to inspect raw component-summary
  • Renamed inspect license-summary to inspect raw license-summary
  • Updated Policy return codes. 0 → Success, 2 → Fail, 1 → Error
Fixed
  • Fixed incorrect folder filtering configurations for fingerprinting and scanning

v1.30.0

Compare Source

Added
  • Add export dt subcommand to export SBOM files to Dependency Track
  • Add CycloneDX file validation

v1.29.0

Compare Source

Changed
  • Updated minimum Python version to 3.9

v1.28.3

Compare Source

Fixed
  • Fixed scanoss.json ingestion
Added
  • Added support for exclude parameter from scanoss.json file during scanning

v1.28.2

Compare Source

Fixed
  • Fix CycloneDX format when license id is None

v1.28.1

Compare Source

Added
  • Fix purls parsing on crypto subcommand

v1.28.0

Compare Source

Added
  • Add vulnerabilities response to folder-scan CycloneDX output

v1.27.1

Compare Source

Fixed
  • Fixed when running folder-scan with --format cyclonedx the output was not writing to file
  • Fixed when running container-scan with --format cyclonedx the output was not writing to file

v1.27.0

Compare Source

Added
  • Add directory hash calculation to folder hasher
  • Add rank-threshold option to folder scan command

v1.26.3

Compare Source

Fixed
  • Fixed crash in inspect subcommand when processing components that lack license information
  • Set the default trace value to false for inspect command

v1.26.2

Compare Source

Fixed
  • Fixed inspection of undeclared components with empty licenses

v1.26.1

Compare Source

Added
  • Added component count to inspect license summary
Changed
  • Modified summaries for inspect subcommand

v1.26.0

Compare Source

Added
  • New inspect license-summary subcommand to generate license summaries from scan results
  • New inspect component-summary subcommand to generate component summaries from scan results
  • Added examples for inspect summary commands in CLIENT_HELP.md
Fixed
  • Fixed inspect undeclared bug where pending status now takes precedence over identified status for the same component
Changed
  • Modified inspect undeclared view for md format to remove version information

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@haksungjang haksungjang added dependencies Pull requests that update a dependency file tool-upgrade labels Jul 13, 2026
@haksungjang
haksungjang merged commit 73b362d into main Jul 13, 2026
91 checks passed
@haksungjang
haksungjang deleted the renovate/scanoss-1.x branch July 13, 2026 09:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file tool-upgrade

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant