.github/workflows/build-and-test.yml

@@ -28,7 +28,7 @@ jobs:
         distribution: temurin
         java-version: 21
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Build all classes
       run: ./gradlew classes
   codeql-analysis:
@@ -41,15 +41,15 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3
+      uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
       with:
         languages: java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Build all classes
       run: ./gradlew -Dorg.gradle.jvmargs=-Xmx1g --no-build-cache classes
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3
+      uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
   test:
     strategy:
       matrix:
@@ -65,7 +65,7 @@ jobs:
         distribution: temurin
         java-version: 21
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Run unit tests
       run: ./gradlew --scan test jacocoTestReport
     - name: Create Test Summary
@@ -114,7 +114,7 @@ jobs:
           curl -Os https://raw.githubusercontent.com/nexB/scancode-toolkit/v$SCANCODE_VERSION/requirements.txt
           pipx install --pip-args="--no-cache-dir --constraint requirements.txt" scancode-toolkit==$SCANCODE_VERSION
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Run functional tests that do not require external tools
       run: ./gradlew --scan -Ptests.exclude=org.ossreviewtoolkit.plugins.packagemanagers.* funTest jacocoFunTestReport
     - name: Create Test Summary
@@ -147,7 +147,7 @@ jobs:
         target: all-tools
         cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Run functional tests that do require external tools
       run: |
         # Run the functional tests in the Docker container.

.github/workflows/docker-build.yml

@@ -27,15 +27,15 @@ jobs:
       - name: Free Disk Space
         uses: ./.github/actions/free-disk-space
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
       - name: Get ORT version
         run: |
           ORT_VERSION=$(./gradlew -q properties --property version | sed -nr "s/version: (.+)/\1/p")
           echo "ORT_VERSION=${ORT_VERSION}" >> $GITHUB_ENV
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

.github/workflows/native-build.yml

@@ -24,7 +24,7 @@ jobs:
           set-java-home: false
           native-image-job-reports: true
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
       - name: Build Executable
         run: ./gradlew -P cliAnalyzerOnly=true --no-configuration-cache :cli:nativeCompile
       - name: Compress Executable

.github/workflows/release.yml

@@ -30,7 +30,7 @@ jobs:
           ref: ${{ env.ORT_VERSION }}
           fetch-depth: 0
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
         with:
           dependency-graph: generate-and-submit
       - name: Publish to OSSRH

.github/workflows/scorecard-analysis.yml

@@ -30,6 +30,6 @@ jobs:
           results_format: sarif
           publish_results: true
       - name: Upload Code Scanning Results
-        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
         with:
           sarif_file: ossf-results.sarif

.github/workflows/static-analysis.yml

@@ -29,7 +29,7 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Check copyrights, license headers, and .gitattributes
       run: ./gradlew checkCopyrightsInNoticeFile checkLicenseHeaders checkGitAttributes
   completions:
@@ -43,7 +43,7 @@ jobs:
         distribution: temurin
         java-version: 21
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Generate completions
       run: |
         ./scripts/generate_completion_scripts.sh
@@ -66,11 +66,11 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+      uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
     - name: Check for Detekt Issues
       run: ./gradlew detektAll
     - name: Upload SARIF File
-      uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3
+      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
       if: always() # Upload even if the previous step failed.
       with:
         sarif_file: build/reports/detekt/merged.sarif
@@ -80,7 +80,7 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
     - name: Check Links
-      uses: umbrelladocs/action-linkspector@49cf4f8da82db70e691bb8284053add5028fa244 # v1
+      uses: umbrelladocs/action-linkspector@a0567ce1c7c13de4a2358587492ed43cab5d0102 # v1
       with:
         fail_on_error: true
   markdownlint:
@@ -113,7 +113,7 @@ jobs:
         post-pr-comment: false
         use-caches: false
     - name: Upload Code Scanning Results
-      uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3
+      uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3
       with:
         sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
   reuse-tool:

.github/workflows/website-deploy.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
       - name: Generate plugin docs
         run: ./gradlew generatePluginDocs
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4

.github/workflows/website-test.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4
+        uses: gradle/actions/setup-gradle@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4
       - name: Generate plugin docs
         run: ./gradlew generatePluginDocs
       - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4

Dockerfile

@@ -136,12 +136,13 @@ ARG PYTHON_VERSION
 ARG PYENV_GIT_TAG
 
 ENV PYENV_ROOT=/opt/python
-ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin
+ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PYENV_ROOT/conan2/bin
 RUN curl -kSs https://pyenv.run | bash \
     && pyenv install -v $PYTHON_VERSION \
     && pyenv global $PYTHON_VERSION
 
 ARG CONAN_VERSION
+ARG CONAN2_VERSION
 ARG PYTHON_INSPECTOR_VERSION
 ARG PYTHON_PIPENV_VERSION
 ARG PYTHON_POETRY_VERSION
@@ -175,6 +176,12 @@ RUN pip install --no-cache-dir -U \
     poetry-plugin-export=="$PYTHON_POETRY_PLUGIN_EXPORT_VERSION" \
     python-inspector=="$PYTHON_INSPECTOR_VERSION" \
     setuptools=="$PYTHON_SETUPTOOLS_VERSION"
+RUN mkdir /tmp/conan2 && cd /tmp/conan2 \
+    && wget https://github.com/conan-io/conan/releases/download/$CONAN2_VERSION/conan-$CONAN2_VERSION-linux-x86_64.tgz \
+    && tar -xvf conan-$CONAN2_VERSION-linux-x86_64.tgz\
+    # Rename the Conan 2 executable to "conan2" to be able to call both Conan version from the package manager.
+    && mkdir $PYENV_ROOT/conan2 && mv /tmp/conan2/bin $PYENV_ROOT/conan2/ \
+    && mv $PYENV_ROOT/conan2/bin/conan $PYENV_ROOT/conan2/bin/conan2
 
 FROM scratch AS python
 COPY --from=pythonbuild /opt/python /opt/python
@@ -477,7 +484,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 
 # Python
 ENV PYENV_ROOT=/opt/python
-ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin
+ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PYENV_ROOT/conan2/bin
 COPY --from=python --chown=$USER:$USER $PYENV_ROOT $PYENV_ROOT
 
 # NodeJS

buildSrc/src/main/kotlin/ort-application-conventions.gradle.kts

@@ -117,7 +117,6 @@ graalvmNative {
 
             buildArgs.addAll(
                 initializeAtBuildTime,
-                "--report-unsupported-elements-at-runtime",
                 "--parallelism=8",
                 "-J-Xmx16g"
             )

cli/src/funTest/kotlin/OrtMainFunTest.kt

@@ -38,10 +38,9 @@ import java.io.File
 import org.ossreviewtoolkit.analyzer.PackageManagerFactory
 import org.ossreviewtoolkit.model.OrtResult
 import org.ossreviewtoolkit.model.config.OrtConfiguration
-import org.ossreviewtoolkit.model.config.OrtConfigurationWrapper
 import org.ossreviewtoolkit.model.config.ProviderPluginConfiguration
+import org.ossreviewtoolkit.model.mapper
 import org.ossreviewtoolkit.model.readValue
-import org.ossreviewtoolkit.model.writeValue
 import org.ossreviewtoolkit.utils.common.EnvironmentVariableFilter
 import org.ossreviewtoolkit.utils.ort.ORT_REFERENCE_CONFIG_FILENAME
 import org.ossreviewtoolkit.utils.test.getAssetFile
@@ -55,18 +54,18 @@ class OrtMainFunTest : StringSpec() {
 
     override suspend fun beforeSpec(spec: Spec) {
         configFile = tempfile(suffix = ".yml")
-        configFile.writeValue(
-            OrtConfigurationWrapper(
-                OrtConfiguration(
-                    packageCurationProviders = listOf(
-                        ProviderPluginConfiguration(
-                            type = "File",
-                            options = mapOf("path" to getAssetFile("gradle-curations.yml").path)
-                        )
-                    )
+
+        val writer = configFile.mapper().writerFor(OrtConfiguration::class.java).withRootName("ort")
+        val config = OrtConfiguration(
+            packageCurationProviders = listOf(
+                ProviderPluginConfiguration(
+                    type = "File",
+                    options = mapOf("path" to getAssetFile("gradle-curations.yml").path)
                 )
             )
         )
+
+        writer.writeValue(configFile, config)
     }
 
     override suspend fun beforeTest(testCase: TestCase) {

cli/src/main/kotlin/OrtMain.kt

@@ -57,12 +57,9 @@ import org.ossreviewtoolkit.utils.common.expandTilde
 import org.ossreviewtoolkit.utils.common.mebibytes
 import org.ossreviewtoolkit.utils.common.replaceCredentialsInUri
 import org.ossreviewtoolkit.utils.ort.Environment
-import org.ossreviewtoolkit.utils.ort.ORT_CONFIG_DIR_ENV_NAME
 import org.ossreviewtoolkit.utils.ort.ORT_CONFIG_FILENAME
-import org.ossreviewtoolkit.utils.ort.ORT_DATA_DIR_ENV_NAME
 import org.ossreviewtoolkit.utils.ort.ORT_NAME
 import org.ossreviewtoolkit.utils.ort.ortConfigDirectory
-import org.ossreviewtoolkit.utils.ort.ortDataDirectory
 import org.ossreviewtoolkit.utils.ort.printStackTrace
 
 import org.slf4j.LoggerFactory
@@ -207,11 +204,7 @@ class OrtMain : CliktCommand(ORT_NAME) {
             row {
                 val content = mutableListOf("Environment variables:")
 
-                listOf(
-                    ORT_CONFIG_DIR_ENV_NAME to ortConfigDirectory.path,
-                    ORT_DATA_DIR_ENV_NAME to ortDataDirectory.path,
-                    *env.variables.toList().toTypedArray()
-                ).mapTo(content) { (key, value) ->
+                env.variables.mapTo(content) { (key, value) ->
                     val safeValue = value.replaceCredentialsInUri(MaskedString.DEFAULT_MASK)
                     "${Theme.Default.info(key)} = ${Theme.Default.warning(safeValue)}"
                 }

docker/versions.dockerfile

@@ -6,6 +6,7 @@ ARG BOYTERLC_VERSION=1.3.1
 ARG COCOAPODS_VERSION=1.16.2
 ARG COMPOSER_VERSION=2.8.4
 ARG CONAN_VERSION=1.66.0
+ARG CONAN2_VERSION=2.14.0
 ARG DART_VERSION=2.18.4
 ARG DOTNET_VERSION=6.0
 ARG GO_VERSION=1.24.0

gradle/libs.versions.toml

@@ -1,14 +1,14 @@
 [versions]
-dependencyAnalysisPlugin = "2.13.0"
+dependencyAnalysisPlugin = "2.13.2"
 detektPlugin = "1.23.8"
 dokkatooPlugin = "2.4.0"
 downloadPlugin = "5.6.0"
 gitSemverPlugin = "0.16.0"
 graalVmNativeImagePlugin = "0.10.6"
 ideaExtPlugin = "1.1.10"
 jakartaMigrationPlugin = "0.24.0"
-kotlinPlugin = "2.1.10"
-ksp = "2.1.10-1.0.31"
+kotlinPlugin = "2.1.20"
+ksp = "2.1.20-1.0.32"
 mavenPublishPlugin = "0.31.0"
 reproducibleBuildsPlugin = "1.0"
 versionsPlugin = "0.52.0"
@@ -29,17 +29,17 @@ flexmark = "0.64.8"
 freemarker = "2.3.34"
 greenmail = "2.1.3"
 gson = "2.12.1"
-hikari = "6.2.1"
+hikari = "6.3.0"
 hoplite = "2.9.0"
 jackson = "2.18.3"
 jakartaMail = "2.0.1"
 jerseyCommon = "3.1.10"
-jgit = "7.1.0.202411261347-r"
+jgit = "7.2.0.202503040940-r"
 jiraRestClient = "6.0.2"
 jruby = "9.4.12.0"
 jslt = "0.1.14"
 jsonSchemaValidator = "1.5.6"
-kaml = "0.72.0"
+kaml = "0.73.0"
 kotest = "5.9.1"
 kotlinPoet = "2.1.0"
 kotlinxCoroutines = "1.10.1"
@@ -59,14 +59,15 @@ postgres = "42.7.5"
 postgresEmbedded = "1.1.0"
 reflections = "0.10.2"
 retrofit = "2.11.0"
-s3 = "2.31.1"
+s3 = "2.31.6"
 saxonHe = "12.5"
 scanoss = "0.10.1"
 semver4j = "5.6.0"
 slf4j = "2.0.17"
 springCore = "6.2.5"
-svnkit = "1.10.11"
+svnkit = "1.10.12"
 sw360Client = "17.0.1-m2"
+wagonHttp = "3.5.3"
 wiremock = "3.12.1"
 xmlutil = "0.90.3"
 xz = "1.10"
@@ -183,8 +184,9 @@ scanoss = { module = "com.scanoss:scanoss", version.ref = "scanoss" }
 semver4j = { module = "org.semver4j:semver4j", version.ref = "semver4j" }
 slf4j = { module = "org.slf4j:slf4j-api ", version.ref = "slf4j" }
 springCore = { module = "org.springframework:spring-core", version.ref = "springCore" }
-svnkit = { module = "org.tmatesoft.svnkit:svnkit", version.ref = "svnkit" }
+svnkit = { module = "com.tmatesoft.svnkit:svnkit", version.ref = "svnkit" }
 sw360Client = { module = "org.eclipse.sw360:client", version.ref = "sw360Client" }
+wagon-http = { module = "org.apache.maven.wagon:wagon-http", version.ref = "wagonHttp" }
 wiremock = { module = "org.wiremock:wiremock", version.ref = "wiremock" }
 xz = { module = "org.tukaani:xz", version.ref = "xz" }
 

helper-cli/src/funTest/assets/create-analyzer-result-from-pkg-list-expected-output.yml

@@ -57,8 +57,11 @@ analyzer:
     packages:
     - id: "NPM::example-dependency-one:1.0.0"
       purl: "pkg:npm/example-dependency-one@1.0.0"
-      declared_licenses: []
-      declared_licenses_processed: {}
+      declared_licenses:
+      - "Apache-2.0 OR LGPL-2.0-only"
+      - "MIT"
+      declared_licenses_processed:
+        spdx_expression: "(Apache-2.0 OR LGPL-2.0-only) AND MIT"
       description: ""
       homepage_url: ""
       binary_artifact:

helper-cli/src/funTest/assets/package-list.yml

@@ -14,6 +14,9 @@ dependencies:
       path: "vcs-path/dependency-one"
     sourceArtifact:
       url: "https://example.org/example-dependency-one.zip"
+    declaredLicenses:
+      - "MIT"
+      - "Apache-2.0 OR LGPL-2.0-only"
     isExcluded: true
     isDynamicallyLinked: true
   - id: "NPM::example-dependency-two:2.0.0"

helper-cli/src/main/kotlin/commands/CreateAnalyzerResultFromPackageListCommand.kt

@@ -150,6 +150,7 @@ private data class Dependency(
     val purl: String? = null,
     val vcs: Vcs? = null,
     val sourceArtifact: SourceArtifact? = null,
+    val declaredLicenses: Set<String> = emptySet(),
     val isExcluded: Boolean = false,
     val isDynamicallyLinked: Boolean = false,
     val labels: Map<String, String> = emptyMap()
@@ -198,7 +199,7 @@ private fun Dependency.toPackage(): Package {
         purl = purl ?: id.toPurl(),
         sourceArtifact = sourceArtifact?.let { RemoteArtifact(url = it.url, it.hash ?: Hash.NONE) }.orEmpty(),
         vcs = vcsInfo,
-        declaredLicenses = emptySet(),
+        declaredLicenses = declaredLicenses,
         description = "",
         homepageUrl = "",
         binaryArtifact = RemoteArtifact.EMPTY,