v33.2.0 (unreleased)

v33.1.0 (2024-02-02)

  • Rename multiple pipelines for consistency and precision:
    • docker: analyze_docker_image

    • root_filesystems: analyze_root_filesystem_or_vm_image

    • docker_windows: analyze_windows_docker_image

    • inspect_manifest: inspect_packages

    • deploy_to_develop: map_deploy_to_develop

    • scan_package: scan_single_package

    A data migration is included to facilitate the migration of existing data. Only the new names are available in the web UI but the REST API and CLI are backward compatible with the old names.

  • Generate CycloneDX SBOM in 1.5 spec format, migrated from 1.4 previously. The Package vulnerabilities are now included in the CycloneDX SBOM when available.

  • Improve the inspect_manifest pipeline to accept archives as inputs.

  • Add support for “tagging” download URL inputs using the “#<fragment>” section of URLs. This feature is particularly useful in the map_develop_to_deploy pipeline when download URLs are utilized as inputs. Tags such as “from” and “to” can be specified by adding “#from” or “#to” fragments at the end of the download URLs. Using the CLI, the uploaded files can be tagged using the “filename:tag” syntax while using the –input-file arguments. In the UI, tags can be edited from the Project details view “Inputs” panel. On the REST API, a new upload_file_tag field is available to use along the upload_file.

v33.0.0 (2024-01-16)

v32.7.0 (2023-10-25)

v32.6.0 (2023-08-29)

v32.5.2 (2023-08-14)

Security release: This release addresses the security issue detailed below. We encourage all users of to upgrade as soon as possible.

  • GHSA-6xcx-gx7r-rccj: Reflected Cross-Site Scripting (XSS) in license endpoint The license_details_view function was subject to cross-site scripting (XSS) attack due to inadequate validation and sanitization of the key parameter. The license views were migrated class-based views are the inputs are now properly sanitized. Credit to @0xmpij for reporting the vulnerability.

  • Add bandit analyzer and Django “check –deploy” to the check/validation stack. This helps to ensure that we do not introduce know code vulnerabilities and deployment issues to the codebase.

  • Migrate the run_command function into a safer usage of the subprocess module. Also fix various warnings returned by the bandit analyzer.

  • Replace the scancode.run_scancode function by a new run_scan that interact with scancode-toolkit scanners without using subprocess. This new function is used in the scan_package pipeline. The SCANCODE_TOOLKIT_CLI_OPTIONS settings was renamed SCANCODE_TOOLKIT_RUN_SCAN_ARGS. Refer to the documentation for the next “dict” syntax.

v32.5.1 (2023-08-07)

Security release: This release addresses the security issue detailed below. We encourage all users of to upgrade as soon as possible.

v32.5.0 (2023-08-02)

WARNING: After upgrading the codebase to this version, and following the docker compose build, the permissions of the /var/scancodeio/ directory of the Docker volumes require to be updated for the new app user, using: docker compose run -u 0:0 web chown -R app:app /var/scancodeio/

v32.4.0 (2023-07-13)

v32.3.0 (2023-06-12)

v32.2.0 (2023-04-25)

v32.1.0 (2023-03-23)

v32.0.1 (2023-02-20)

v32.0.0 (2022-11-29)

  • Add a new “find vulnerabilities” pipeline to lookup vulnerabilities in the VulnerableCode database for all project discovered packages. Vulnerability data is stored in the extra_data field of each package. More details about VulnerableCode at

  • Add a new “inspect manifest” pipeline to resolve packages from manifest, lockfile, and SBOM. The resolved packages are created as discovered packages. Support PyPI “requirements.txt” files, SPDX document as JSON “.spdx.json”, and AboutCode “.ABOUT” files.

  • Generate SBOM (Software Bill of Materials) compliant with the SPDX 2.3 specification as a new downloadable output.

  • Generate CycloneDX SBOM (Software Bill of Materials) as a new downloadable output.

  • Display Webhook status in the Run modal. The WebhookSubscription model was refined to capture delivery data.

  • Display the current active step of a running pipeline in the “Pipeline” section of the project details view, inside the run status tag.

  • Add proper pagination for API actions: resources, packages, dependencies, and errors.

  • Refine the fields ordering in API Serializers based on the toolkit order.

  • Keep the current filters state when submitting a search in list views.

  • Improve the performances of the project details view to load faster by deferring the the charts rendering. This is especially noticeable on projects with a large amount of codebase resources and discovered packages.

  • Add support for filtering by “Other” values when filtering from the charts in the Project details view.

  • CodebaseResource.for_packages now returns a list of DiscoveredPackage.package_uid or DiscoveredPackage.package_url if DiscoveredPackage.package_uid is not present. This is done to reflect the how scancode-toolkit’s JSON output returns package_uid``s in the ``for_packages field for Resources.

  • Add the model DiscoveredDependency. This represents Package dependencies discovered in a Project. The scan_codebase and scan_packages pipelines have been updated to create DiscoveredDepdendency objects. The Project API has been updated with new fields:

    • dependency_count - The number of DiscoveredDependencies associated with the project.

    • discovered_dependencies_summary - A mapping that contains following fields:

      • total - The number of DiscoveredDependencies associated with the project.

      • is_runtime - The number of runtime dependencies.

      • is_optional - The number of optional dependencies.

      • is_resolved - The number of resolved dependencies.

    These values are also available on the Project view.

  • The dependencies field has been removed from the DiscoveredPackage model.

  • Create directory CodebaseResources in the rootfs pipeline.

  • Add ProjectErrors when the DiscoveredPackage could not be fetched using the provided package_uid during the assemble_package step instead of failing the whole pipeline.

  • Escape paths before using them in regular expressions in CodebaseResource.walk().

  • Disable multiprocessing and threading by default on macOS (“spawn” start method).

v31.0.0 (2022-08-25)

v30.2.0 (2021-12-17)

v30.1.1 (2021-11-23)

v30.1.0 (2021-11-22)

  • Synchronize QUEUED and RUNNING pipeline runs with their related worker jobs during worker maintenance tasks scheduled every 10 minutes. If a container was taken down while a pipeline was running, or if pipeline process was killed unexpectedly, that pipeline run status will be updated to a FAILED state during the next maintenance tasks. QUEUED pipeline will be restored in the queue as the worker redis cache backend data is now persistent and reloaded on starting the image. Note that internaly, a running job emits a “heartbeat” every 60 seconds to let all the workers know that it is properly running. After 90 seconds without any heartbeats, a worker will determine that the job is not active anymore and that job will be moved to the failed registry during the worker maintenance tasks. The pipeline run will be updated as well to reflect this failure in the Web UI, the REST API, and the command line interface.

  • Enable redis data persistence using the “Append Only File” with the default policy of fsync every second in the docker-compose.

  • Add a new tutorial chapter about license policies and compliance alerts.

  • Include layers in docker image data.

  • Fix a server error on resource details view when the compliance alert is “missing”.

  • Migrate the ScanCodebase pipeline from scancode.run_scancode subprocess to scancode.scan_for_application_packages and scancode.scan_for_files.

v30.0.1 (2021-10-11)

v30.0.0 (2021-10-8)





  • Adds a new way to fetch docker images using skopeo provided as a plugin using docker:// reference URL-like pointers to a docker image. The syntax is docker://<docker image> where <docker image> is the string that would be used in a “docker pull <docker image>” command. Also rename to fetch_http()

  • Pipeline status modals are now loaded asynchronously and available from the project list view.

  • Fix an issue accessing codebase resource content using the scan_codebase and load_inventory pipelines.




v1.1.0 (2021-02-16)

v1.0.7 (2021-02-01)

v1.0.6 (2020-12-23)

v1.0.5 (2020-12-07)

v1.0.4 (2020-11-17)

v1.0.3 (2020-09-24)

v1.0.2 (2020-09-18)

v1.0.1 (2020-09-12)

v1.0.0 (2020-09-09)

  • Initial release