Releases: oss-review-toolkit/ort

85.0.0

30 Apr 07:37

What's Changed

🛠 Breaking Changes

  • b9398f8 refactor(oss-index)!: Do not require a username with a Sonatype Guide PAT

🐞 Bug Fixes

  • 869b055 cyclonedx: Drop external references for project licenses
  • 44bb5a2 vcs: Checkout .ort.env.yml when doing sparse checkouts

🎉 New Features

  • 81e7deb evaluator: Allow getting the effective license in a package rule
  • 5f6b8b4 spdx: Support Zstandard-compressed JSON files

✅ Tests

  • eb6bd09 cyclonedx: Improve the wording related to the singleBom option
  • 237bc63 cyclonedx: Re-format the JSON expected result files

🐘 Build & ⚙️ CI

  • 0a0b548 qodana: Pin to the previous version

📖 Documentation

  • 5fc855f cyclonedx: Make a KDoc more compact

🔧 Chores

  • 36e25ba cyclonedx: Inline the projects variable
  • e7e2971 cyclonedx: Move a function to the top level
  • 66adb55 cyclonedx: Move variables a bit closer to their use
  • ea4889a c14edfd cyclonedx: Setup the entire Bom inside of the apply block
  • 6def433 cyclonedx: Turn getSingleBomMetadataComponent() into a member
  • 833e070 oss-index: Update OSS Index links to Sonatype Guide

🚀 Dependency Updates

  • 822ce35 Update dependency-analysis-gradle-plugin to v3.10.0
  • 7410bd7 update aws-java-sdk-v2 monorepo to v2.43.0
  • c60ef5a update aws-java-sdk-v2 monorepo to v2.43.1
  • 595a194 update com.fasterxml.jackson:jackson-bom to v2.21.3
  • 2dc4ab9 update gradle to v9.5.0
  • d0fbb80 update jetbrains/qodana-action action to v2026
  • 251d8fa update org.postgresql:postgresql to v42.7.11
  • 6336f09 update react monorepo to v19.2.5

🚜 Refactorings

  • 614d88a cyclonedx: Avoid accessing packages in else by inlining it
  • 923acfe cyclonedx: Factor out CycloneDxModelMapper
  • 1a8b894 cyclonedx: Factor out createBomMetadata()
  • 55eb31f cyclonedx: Factor out createProjectBom()
  • 2d5ba28 cyclonedx: Factor out createSingleBom()
  • 45cce20 cyclonedx: Move model mapping to the dedicated file
  • 71479a8 cyclonedx: Move remaining Bom extensions to the reporter

84.2.0

27 Apr 11:22

What's Changed

🐞 Bug Fixes

  • 20c1fd8 evaluator: Fix cycle detection
  • 800c14f fossid: Apply an order to license mappings
  • 013bee0 reporter/static-html: escape bare '&' in markdown-rendered HTML

🎉 New Features

  • b12fb68 conan: Support VCS information in 'conandata.yml'
  • 1f524c2 test-utils: Add getResourceAsFileInSourceTree()

🐘 Build & ⚙️ CI

  • 1ed668e detekt-rules: Do not add Detekt to the runtime classpath

🔧 Chores

  • 0bdb93a mailmap: Prefer Double Open .io addresses
  • 025c46a mailmap: Sort entries alphabetically
  • 97c84a4 maven: Rewrite a condition to avoid a Detekt false-positive
  • 116f4bd Use sealed interfaces instead of classes where possible

🚀 Dependency Updates

  • 295eced update com.google.code.gson:gson to v2.14.0
  • 5fdcf31 update detektplugin to v2.0.0-alpha.3
  • e23be97 update kotlin monorepo to v2.3.21
  • d4cdef4 update org.graalvm.buildtools:native-gradle-plugin to v1.1.0

🚜 Refactorings

  • 1150f70 conan: Turn parseVcsInfo() into PackageInfo.toVcsInfo()

84.1.0

23 Apr 08:41

What's Changed

🐞 Bug Fixes

  • d5af7fc cli-helper: Fix loading package manager plugins via service loader
  • edcf9c8 cli-helper: Stop resolving scopes when only converting ORT files
  • 4e2c890 helper-cli: Fix-up the description of options
  • 3877896 node: Fix a mistake in undoDeduplication()

🎉 New Features

  • 9de1b62 cli-helper: Add a command for merging scanner runs of ORT files
  • 5b0a4d8 scanner: Add basic support for Provenant as a ScanCode drop-in

✅ Tests

  • 5e15865 python: Update expected results
  • 6af2b23 scanoss: Support both SCANOSS and OSSKB API keys

🐘 Build & ⚙️ CI

  • 51c7b00 docker: Bump Rust to version 1.91.0

📖 Documentation

  • 76f6d12 gradle: Update the comment about disabled Detekt reports

🔧 Chores

  • f1c7ab7 cli-helper: Add a toggle to readOrtResult()
  • fa2d170 model: Explicitly order env variables during serialization
  • 0c946f0 scancode: Drop the "Scanner" infix from the spec name
  • 9e9a8d2 scancode: Move private constants to the top level
  • 30460f8 Make Kotest Conditions objects

🚀 Dependency Updates

  • 5dc8acb update actions/setup-node action to v6.4.0
  • d884a37 update aws-java-sdk-v2 monorepo to v2.42.39
  • abd3ef4 update com.autonomousapps:dependency-analysis-gradle-plugin to v3.8.0
  • f1323c7 update com.autonomousapps:dependency-analysis-gradle-plugin to v3.9.0
  • ef3b694 update com.blackduck.integration:blackduck-common to v68
  • f23c6b2 update com.github.jmongard.git-semver-plugin to v0.19.0
  • 2a2b4c4 update dependency prettier to v3.8.3
  • 16d02e9 update dev.aga.gradle.version-catalog-generator to v4.2.0
  • ce48d36 update ksp monorepo to v2.3.7
  • a6c2a4f update maven to v3.9.15
  • d9ac953 update org.metaeffekt.core:ae-security to v0.154.0
  • 31a9148 update org.springframework:spring-core to v7.0.7
  • 330f5a1 update umbrelladocs/action-linkspector action to v1.4.2
  • f64621b update umbrelladocs/action-linkspector action to v1.5.0
  • c098923 update umbrelladocs/action-linkspector action to v1.5.1

84.0.0

16 Apr 07:09

What's Changed

🛠 Breaking Changes

  • 183e8fd refactor!: Remove the defects model

🐞 Bug Fixes

  • 488ec8e cli-helper: Properly delete temporary directories in tests
  • 65aa423 flox: Maintain the CI environment variable
  • e8647d1 model: Fix the default license fact provider order
  • aec718e osv: Omit packages without vulnerabilities from the result
  • 98a53ed scancode: Recognize fromFile that match file.path
  • 009e252 Convert "Dos" files from DOS to Unix line endings

🎉 New Features

  • ab91dc9 dos: Support getting the version from the API
  • 8ba0be3 evaluated-model: Set the effective license also for projects
  • ff107b9 model: Allow setting package source code origins to empty list
  • d7583e5 ort-project-file: Make the source artifact hash optional
  • 7ff200d package-configurations: Align version matching with package curations

✅ Tests

  • c6de98a conan: Update expected results
  • 872518f oss-index: Add a funTest for OssIndex
  • 4c12ac7 osv: Narrow down two assertions
  • e2f8a24 osv: Turn the test resources from JSON to YAML
  • 4f5c8f8 osv: Use a more reliable Hadoop commit for CVE testing
  • 65d1071 scanoss: Add a functional test for the different instances
  • 3e68aa0 scanoss: Disable the spec when running at cloud providers

🐘 Build & ⚙️ CI

  • 2af8e57 gradle: Avoid depending on ORT's test-utils from clients
  • bd4ef16 gradle: Make a dependency on test-utils explicit in projects
  • 9f154f4 gradle: Use the tapmoc plugin to configure Java / Kotlin versions
  • 40854ce ort-config: Explicitly depend on the Git provider for testing
  • 73db823 Make the UP-TO-DATE work-around function with IntelliJ 2026.1

📖 Documentation

  • dc86b7f advisors: Clarify to only return packages with findings
  • 908d94b gradle: Update links about embedding via the Tooling API
  • 521ead1 website: Do not mention the detektAll task anymore

🔧 Chores

  • 8322e9a dos: Move private / internal properties to the top
  • 3b9c843 model: Always use the default port for PostgreSQL connections
  • edf3650 oss-index: Strip CVE / CWE from the summary for consistency
  • 2ec9ee2 scanner: Drop unnecessary white spaces
  • 841934f scanner: Fix a typo
  • ae1861b scanoss: Omit blank file_url additional data keys
  • 75b7ff2 Move function to utils

🚀 Dependency Updates

  • 4feb48f update actions/upload-artifact action to v7.0.1
  • 26bff00 update actions/upload-pages-artifact action to v5
  • 4763928 update at.yawk.lz4:lz4-java to v1.11.0
  • 57f64bc update com.autonomousapps:dependency-analysis-gradle-plugin to v3.7.0
  • 54feea8 update docker/build-push-action action to v7.1.0
  • 660946f update github/codeql-action action to v4.35.2
  • 2ad27e4 update kotlinxserialization to v1.11.0
  • 204f8b6 update org.bouncycastle:bcprov-jdk18on to v1.84

🚜 Refactorings

  • 09c2152 evaluated-model: Factor out getEffectiveLicenseForId()
  • 6767d44 osv: Merge two functions to simplify code
  • 35a427a scancode: Rewrite the code to filter file references for clarity

83.1.0

09 Apr 09:34

What's Changed

🐞 Bug Fixes

  • 43f4ed1 model: Do not generate PURLs for Projects
  • 8e08c07 web-app-template: Use correct variable in hasEffectiveLicenses()

🎉 New Features

  • 343421f advisor: Take (non-excluded) projects into account
  • 6fa71a5 osv: Support querying by commit if PURL is empty

✅ Tests

  • 6ac175b python: Update expected results

🐘 Build & ⚙️ CI

  • b0db073 renovate: Remove automerge as it is now part of the preset

📖 Documentation

  • 8e583a6 osv: Add a link to the (current) data sources
  • 7b40375 osv: Document all data properties (in upstream order)
  • 2a2f32a osv: Make a KDoc (that can be) a oneliner for compactness
  • 54f32fd vulnerable-code: Add a link to the (current) data sources

🔧 Chores

  • 9304ab8 advisor: Rename a variable to ortResult
  • c1884af bazel: Simplify Conan project code a little bit

🚀 Dependency Updates

  • fb2c4e0 update dev.panuszewski.typesafe-conventions to v0.10.1
  • 664ee20 update docker/login-action action to v4.1.0
  • d5d3f51 update graalvm/setup-graalvm action to v1.5.2
  • ff17cd1 update gradle/actions action to v6.1.0
  • e15713a update kotest to v6.1.11

💡 Other Changes

  • 5210412 style(osv): Trivially arrange variables a bit

83.0.2

02 Apr 07:31

What's Changed

🐞 Bug Fixes

  • 2c4eef8 bazel: Use ORT's default okHttpClient to access registry services

✅ Tests

  • 24f8cc6 conan: Update expected results

🐘 Build & ⚙️ CI

  • 6c26ae1 renovate: Use the config preset from the .github repo

📖 Documentation

  • 1db04c4 model: Refer to package manager plugin IDs instead of names

🔧 Chores

  • d492254 spdx: Log more complete elements count statistics for debugging

🚀 Dependency Updates

  • cdb806d update aws-java-sdk-v2 monorepo to v2.42.26
  • 313dd0b update exposed to v1.2.0
  • e57921f update graalvm/setup-graalvm action to v1.5.1
  • b250cf3 update kotest to v6.1.10

83.0.1

30 Mar 08:44

What's Changed

🐞 Bug Fixes

  • 31a2994 model: Allow the VCS information for SPDX projects to be empty

✅ Tests

  • 6b4317c model: Clarify that the Repository, not VcsInfo is relevant

📖 Documentation

  • a23ccdc spdx: Explain why the project's VcsInfo is empty

🚀 Dependency Updates

  • b75f06b update dev.aga.gradle.version-catalog-generator to v4.1.1
  • 31957b1 update github/codeql-action action to v4.35.0
  • cc42520 update github/codeql-action action to v4.35.1
  • b2d4985 update kotlinpoet to v2.3.0
  • c9dab20 update log4j2 monorepo to v2.25.4
  • 0270167 update org.graalvm.buildtools:native-gradle-plugin to v1

83.0.0

26 Mar 16:47

What's Changed

🛠 Breaking Changes

  • 556d5da chore(git)!: Make GitCommand internal
  • 0a9a357 chore(go)!: Make runGo() private to not expose ProcessCapture
  • 36032f0 chore(node)!: Make dirStash private to not expose DirectoryStash
  • 74d687d chore(scanners)!: Make CommandLineTools internal

🐞 Bug Fixes

  • 80edb57 DependencyGraphBuilder: Improve cycle detection
  • fbdf7cb DependencyHandler: Handle cycles when comparing dependency graphs
  • 18a001d ort-project-file: Make the project identifiers more unique
  • 38c0380 ort-project-file: Properly set the project's vcs / vcsProcessed
  • f8869db pnpm: Always use the default node-linker

🎉 New Features

  • 0873cf0 common-utils: Allow the stash to copy files instead of moving them
  • 42dabff cyclonedx: Improve metadata in "singleBom" mode
  • ac51bff cyclonedx: Make some metadata properties configurable
  • 02789d9 ort-project-file: Add a default value for project dependencies
  • 2500a4b spdx: Add a new package manager plugin for SPDX files

✅ Tests

  • 315e40d bazel: Update expected results
  • 7c5fb5e cli: Correctly determine the expected package managers
  • 3e0ab28 cli: Correctly test disabling a single package manager
  • b1bc9ca cli: Generalize two test names
  • 1e56dbc cli: Generally do not use the "legacy" Gradle package manager
  • 47d76a0 common-utils: Rename some Files to make clear they are directories
  • 1695cab conan: Update expected results
  • a515e52 downloader: Prefer the more commonly used with instead of apply
  • 87309fb downloader: Simplify assertions to avoid !!
  • 578da71 mercurial: Use a temporary directory for testing
  • 403c91c model: Fix the test for cyclic dependencies
  • ba0aec7 ort-project-file: Make Identifier construction more compact
  • f0b39bf ort-project-file: Make an assertion for scopes more compact
  • b824b98 ort-project-file: Make test assets more minimal
  • 88ee4c8 ort-project-file: Remove a couple tests mainly targeting KxS
  • b36ac29 ort-project-file: Turn some assets from JSON to YAML
  • 8a3c9ed ort-utils: Simplify assertions to avoid !!
  • 8f9bc4d python: Update expected results
  • c20a3ad sbt: Avoid depending on the Git VCS ORT plugin
  • 9561b3d Add a "VCS" infix to VCS replacement patterns

🐘 Build & ⚙️ CI

  • d3ba655 bazel: Fix Conan to only be a funTest runtime dependency
  • 223b0d6 gradle: Avoid rebuilds due to version changes only
  • 0133706 gradle: Fix API dependencies caused by CommandLineTool
  • 3df2a03 gradle: Only auto-accept Gradle Develocity ToS on CI
  • ec7e3a4 node: Fix jackson-databind to be an implementation dependency
  • c5ce4d3 pub: Fix GradleInspector to only be a funTest runtime dependency
  • 2cf3830 renovate: Enable automerge for non-major updates

📖 Documentation

  • 07841b0 model: Update the KDoc for Project.vcsProcessed
  • 6e86ad8 Avoid Gradle noise with -q when running the CLI
  • 0286a1c Use "absolute syntax" for non-selector Gradle tasks
  • 6d578f6 document package configuration provider precedence

🔧 Chores

  • ce7d1e0 model: Remove the "additional" logic to break cycles
  • 6159d56 ort-project-file: Align the order of constructor arguments
  • 218f9ff pnpm: Make use of a constant for ".npmrc"
  • 77a6d26 test-utils: Rework VCS-related variables a bit
  • 2963b5f Consistently do not log when using getFallbackProjectName()
  • b896ca1 Factor out Hash?.orNone()

🚀 Dependency Updates

  • ecbdd2e update actions/deploy-pages action to v5
  • 694353e update aws-java-sdk-v2 monorepo to v2.42.20
  • 420f78a update aws-java-sdk-v2 monorepo to v2.42.21
  • f4579f6 update codecov/codecov-action action to v5.5.4
  • c4fb3e0 update codecov/codecov-action action to v6
  • c2d873c update com.fasterxml.jackson:jackson-bom to v2.21.2
  • b88074b update flox/install-flox-action action to v2.4.0
  • 5e5e03b update github/codeql-action action to v4.34.0
  • 31bad94 update github/codeql-action action to v4.34.1
  • 5038f9f update gradle to v9.4.1
  • 4340328 update gradle/actions action to v6
  • 7035c87 update gradle/actions action to v6.0.1
  • 15f25cd update kotest to v6.1.8
  • 4cee34b update kotest to v6.1.9
  • e59e647 update org.apache.tika:tika-core to v3.3.0
  • 0447ad0 update org.jetbrains.dokka:dokka-gradle-plugin to v2.2.0
  • b527988 update react monorepo to v19

🚜 Refactorings

  • 7f11d2d advisor: Move the API for plugins to a dedicated module

82.2.0

19 Mar 08:27

What's Changed

🐞 Bug Fixes

  • 47b226e ort-project-file: Simplify reporting dependency parsing issues

🎉 New Features

  • e684c11 ort-project-file: Introduce a default scope
  • d360295 Support preemptive authentication for non-proxy connections

✅ Tests

  • 3396dfe ort-project-file: Drop a redundant assertion
  • 869801f ort-project-file: Drop two redundant assertions

🐘 Build & ⚙️ CI

  • 0fbf092 gradle: Update Eclipse Maven Repository URLs

🔧 Chores

  • bd8c869 ort-project-file: Decompose a variable into id, purl
  • 2a48239 ort-project-file: Improve variable names in toScopes()
  • 1f7b224 ort-project-file: Make the checks for id and purl consistent
  • 35c24d7 ort-project-file: Make the name for OrtProject consistent
  • 8f41b00 ort-project-file: Move computing VCS info to the mapper
  • f886bdf ort-project-file: Replace toIdentifiers()
  • a5ceda1 ort-project-file: Slightly simplify toScopes()
  • 23aa177 ort-project-file: Turn the mapper functions into extensions
  • 62aca09 ort-project-file: Use sets for the ids
  • 295d343 ort-project-file: Use the more readable isNotBlank()

🚀 Dependency Updates

  • eadd6b3 update actions/download-artifact action to v8.0.1
  • 47d68a4 update aws-java-sdk-v2 monorepo to v2.42.16
  • 14d3345 update codecov/codecov-action action to v5.5.3
  • c07d18f update github/codeql-action action to v4.33.0
  • 44af885 update graalvm/setup-graalvm action to v1.5.0
  • 3c62936 update jetbrains/qodana-action action to v2025.3.2
  • be3fa2b update kotest to v6.1.7
  • 0343931 update kotlin monorepo to v2.3.20
  • c2c1c0c update maven to v3.9.14
  • 6a23a1c update org.metaeffekt.core:ae-security to v0.153.2
  • 5b49e82 update org.springframework:spring-core to v7.0.6
  • 6886cfb update umbrelladocs/action-linkspector action to v1.4.1

🚜 Refactorings

  • d2771ad Maven: Replace usage of RepositorySystem
  • 6d4b112 model: Move all model classes into OrtProject
  • 0837ea3 ort-project: Strip the "File" term from the model class
  • b005b69 ort-project-file: Drop the "Dto" suffix from model classes
  • 137ee28 ort-project-file: Extract parseOrtProject()
  • c38ae46 ort-project-file: Move validateIdentifiers() to constructor
  • 715b3e8 ort-project-file: Simplify handling parsing exceptions
  • 9321907 ort-project-file: Use Identifier as the type for id

82.1.0

12 Mar 09:31

What's Changed

🐞 Bug Fixes

  • c913239 ortproject: Do not hard-code the issue source
  • b11bc50 spdx-utils: Compare SPDX expressions case-insensitively
  • 6e80b64 Do not "double-throw" IllegalArgumentExceptions

🎉 New Features

  • eb7eae2 model: Sort SpdxExpressions in more places on serialization
  • 7d47932 spdx-utils: Make expression sorting case-insensitive

✅ Tests

  • c54331d opossum: Do not serialize explicit nulls
  • cb70c3c spdx-utils: Add more tests for sorting compound expressions

🐘 Build & ⚙️ CI

  • 03c8729 package-managers: Rename the ortproject module
  • 70c996b package-managers: Rename the spdx module

📖 Documentation

  • a4d92f7 ort-project-file: Use a more readable displayName
  • 61be7e1 spdx-document-file: Use a more readable displayName

🔧 Chores

  • ed60cff opossum: Consistently take all package properties from PURL
  • 883a80a spdx-utils: Remove superfluous case distinctions for equals()

🚀 Dependency Updates

💡 Other Changes

  • ff6ffc7 style(fossid): Adjust a function call's formatting to the common style