Releases: fossas/fossa-cli

v3.1.1

25 Feb 19:35
30722ec

v3.1.0

15 Feb 20:58
aa2995c

  • Fossa API: Uses the SSL_CERT_FILE and SSL_CERT_DIR environment variables for certificates when provided. (#760)
  • UX: Uses error messages received from the FOSSA API when reporting API-related errors. (#792)
  • UX: Adds scan summary tabulating errors, warnings, project directory, and skipped projects. (#790)

The 3.1.x series includes a number of internal changes to make future development easier. The most notable changes are the rewrite of our frontend code, and a rework of our error-handling and error-reporting systems.

The frontend code is the code responsible for processing command-line and config-file options, validation of those options, and delegating those options to a high-level command to do the actual work.

The error-handling system is what allows us to cleanly handle exceptions and fallback code, and the error reporting system monitors the error handling system to decide what to report to the user, and how to report it.

These changes together provide a few user-facing benefits as well:

  • We now try to report all invalid configuration to the user, instead of just the first invalid option we find.
  • Errors and warnings are being reworked (some of this has already happened) to be less noisy and more informative.
  • The formatting of errors and warnings has been reworked as well, to provide a message that helps users intuitively understand what they need to do to resolve the error.

For the future of the v3.1.x series, we are focused on improving the errors of most (if not all) of the language/build-tool analyzers.

v3.0.18

08 Feb 21:08
555f7cd

  • Fully percent-encode sub-paths in generated URLs. (#789)
  • Improve error tracking and outputs. (#774)
  • Cabal: Fixed a filter error that treated cabal projects as stack projects. (#787)

v3.0.17

28 Jan 22:31
c0eada6

  • Npm: Fixes an issue where a package-lock.json dep with a boolean 'resolved' key wouldn't parse. (#775)
  • Npm: Fixes an issue where analyzing package-lock.json would miss duplicate packages with different versions. (#779)
  • Gradle: Projects with only a top-level settings.gradle file will now be detected. (#785)

v3.0.16

19 Jan 19:08
89793bd

  • Monorepo: Improves scan performance. (#772)
  • VSI: Improves the overall performance and progress reporting. (#765)
  • Rebar: Fix rebar.config parser failing on unnecessary escapes. (#764)

v3.0.15

13 Jan 04:45
1f3e696

  • Improve archive upload logging. (#761)

v3.0.14

12 Jan 18:55
0cbf5ad

  • Maven: Updates the implementation to delineate the classifier, so Maven dependencies with a classifier can be scanned without failure in FOSSA. (#755)

v3.0.13

12 Jan 18:26
5b55396

  • Npm: package-lock.json parser ignores name field. (#757)

v3.0.12

21 Dec 01:25
c2003ba

  • Adds fossa log4j command. (#744)

Fossa's log4j command reports log4j dependencies (direct or transitive) and their vulnerabilities (if any) in projects.

We look for log4j dependencies in:

  • Maven projects
  • Gradle projects
  • Sbt projects (scala)
  • Leiningen projects (clojure)

For more information regarding the log4j vulnerability, please refer to: https://fossa.com/blog/log4j-log4shell-zero-day-vulnerability-impact-fixes/

To run the log4j command, use: fossa log4j. A target directory can also be passed: fossa log4j ../some-path/

v3.0.11

16 Dec 19:51
8a7d389

  • Yarn: Fixes an issue where an entry missing the resolved attribute in yarn.lock would throw an exception. (#741)