tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Accommodate updated Scancode attribute names #1237

Closed rnjudge closed 1 year ago

rnjudge commented 1 year ago

Scancode v31.0.0 includes changes[1] to JSON output attribute names which were causing processing KeyErrors when Tern would run with Scancode. Scancode v32.0.0 also includes changes[2] to license_detection output which were similarly causing parsing KeyErrors when Tern ran with Scancode. This commit adds code that can accommodate the new attribute property names in the newer versions of Scancode, as well as the older value names (in case we have users still using older Scancode versions). At some point in the future, it probably makes sense to revisit some of these changes and see if we want to continue to support older versions of Scancode.

This commit also has small changes that update the README instructions for how to install newer Scancode versions on M1/ARM hardware, and also fixes a small bug that was causing purl generation to fail when Scancode doesn't detect a package format.

[1]https://github.com/nexB/scancode-toolkit/blob/e3099637b195daca54942df9f695f58990097896/CHANGELOG.rst#v3100---2022-08-17

[2]https://github.com/nexB/scancode-toolkit/blob/e3099637b195daca54942df9f695f58990097896/CHANGELOG.rst#license-detection

Resolves #1202
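The two problems described in the PR, attribute renames between Scancode versions raising KeyError, and purl generation failing when Scancode reports no package type, are illustrated below with an added example. This is not Tern's code and not Scancode's; it is a small tolerant reader over constructed, Scancode-shaped file entries. The attribute names it falls back between (`value` versus `copyright`, `license_expressions` versus `detected_license_expression`, `packages` versus `package_data`) are assumptions taken from memory of the Scancode changelog, not from this page, and the `purl_of` helper is hypothetical.

```python
"""Tolerant reader for Scancode JSON file entries across attribute renames.

Added example, not Tern's own code. The old/new key pairs below are
assumptions about Scancode's output schema (v31 and v32 renames), labelled
as such; adjust them against the real changelog before relying on them.
"""
import json


def first_present(mapping, *keys, default=None):
    """Return the value of the first key found in `mapping`.

    One code path then serves both the old and the new attribute names,
    instead of raising KeyError on whichever name a given Scancode version
    no longer emits.
    """
    for key in keys:
        if key in mapping:
            return mapping[key]
    return default


def copyrights_of(entry):
    # Assumed rename: pre-v31 {"value": ...}, v31+ {"copyright": ...}
    return [first_present(c, "copyright", "value") for c in entry.get("copyrights", [])]


def license_expressions_of(entry):
    # Assumed rename: v32 emits a single "detected_license_expression" string
    # (empty or None when nothing was detected); older versions emit a
    # "license_expressions" list.
    new = entry.get("detected_license_expression")
    if new is not None:
        return [new] if new else []
    return list(entry.get("license_expressions", []))


def purl_of(pkg):
    """Build a package URL only when a package type and name are known.

    Returning None instead of raising keeps one undetected package format
    from aborting the whole SBOM run (the failure mode the PR mentions).
    Namespace and qualifiers are omitted for brevity.
    """
    ptype = pkg.get("type")
    name = pkg.get("name")
    if not ptype or not name:
        return None
    purl = f"pkg:{ptype}/{name}"
    version = pkg.get("version")
    if version:
        purl += f"@{version}"
    return purl


def summarize(entry):
    """Collapse one file entry into the fields an SBOM layer view needs."""
    pkgs = first_present(entry, "package_data", "packages", default=[])
    return {
        "path": entry["path"],
        "copyrights": copyrights_of(entry),
        "licenses": license_expressions_of(entry),
        "purls": [purl_of(p) for p in pkgs],
    }


def summarize_report(report_text):
    """Parse a Scancode-style JSON document and summarize every file entry."""
    report = json.loads(report_text)
    return [summarize(f) for f in report.get("files", [])]


# Constructed sample input: one entry shaped like pre-v31 output and one
# shaped like v32 output, in the same report. Not real scan data.
SAMPLE_REPORT = json.dumps({
    "files": [
        {
            "path": "src/a.c",
            "copyrights": [{"value": "Copyright (c) 2020 Example Org"}],
            "license_expressions": ["mit"],
            "packages": [{"type": "pypi", "name": "example", "version": "1.0"}],
        },
        {
            "path": "src/b.c",
            "copyrights": [{"copyright": "Copyright (c) 2023 Example Org"}],
            "detected_license_expression": "apache-2.0",
            "package_data": [{"type": None, "name": "mystery"}],
        },
    ]
})

if __name__ == "__main__":
    for row in summarize_report(SAMPLE_REPORT):
        print(row)
```

The `purls` list keeps a `None` placeholder for the undetected package rather than dropping the entry, so the SBOM consumer can see that a package was found but could not be typed; silently omitting it would make the inventory look more complete than the scan actually supports.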