Comments (5)
I don't know if this is a bug or a missing feature.
Maybe @fviernau could comment on that?
In any case, I would volunteer to implement this change.
That would be highly appreciated, than you for the willingness to help!
from ort.
Do you consider this to be a sensible change?
from ort.
Personally, I believe it makes sense to treat projects and packages consistently here, yes.
Note though that SPDX does not explicitly distinguish between what ORT calls projects and packages, but just has (SPDX) packages and relations between them.
from ort.
I don't know if this is a bug or a missing feature. In any case, I would volunteer to implement this change.
What I recall (long ago, I'm not certain anymore if that's correct) is the following:
- To fulfill the requirement at that time it was sufficient to implement for packages,
so it saved some time to not do it. - The value of adding projects at least to me personally was questionable:
- For the project's, there may be different and maybe more fine grained requirements what information
should / should not be exposed. - If the project is closed source, parts of the information e.g. file paths, submodule structure
can be meaningless as these are just links to the source which cannot be looked up. - exposing multiple projects:
- submodule strucure often is fine grained, and can be considered implementation detail
- for proprietary software, I can imagine where one does not want to expose that structure
- can lead to duplication, e.g. file findings
- For the project's, there may be different and maybe more fine grained requirements what information
- There is a way to turn a projects directory into a dependency entry in the NOTICE_BY_PACKAGE report.
(Nice to have if this worked also for SPDX reports, not sure if it does)
Given that I believe (without re-thinking it again more deeply) that if something for projects was implemented,
- There should be a toggle for enabling / disabling it
- I'd tend to only report a single (merged) project, instead of the submodule structure.
@tsteenbe do you maybe memorize further things, or have thoughts on this?
from ort.
Thank you for the outline.
Making it configurable would be fine for me. However, I wonder what exactly should be configured? Currently, the project entries contain copyright statements found by the scanner but they do not contain license statements found by it. This is inconsistent IMO, isn't it? Other report formats like the PDF report contain both for the project. So I tend to all or nothing in that regard. The new configuration option could control if project entities are created at all. On top of that, there could be another option controlling whether file-level details are provided for project entities. I.e. the options not contain project
, contain project summary
, contain project with file-level details
.
Having just one merged entry for the whole root project would be sufficient for me although it would be a bit more difficult to implement and questions would arise like what to put into the attribute versionInfo
for the merged entry.
from ort.
Related Issues (20)
- FossID: Scanner option `fetchSnippetMatchedLines` should be removed
- Docker image for version 22.3.0 does not contain the `scancode` executable anymore HOT 8
- Invalid expires attribute date on setting Cookies during Analyzer HOT 6
- Gemfile parsing for Bundler (Ruby) doesn't correctly take into account platforms (ruby, java etc.) HOT 9
- Consider using `testcontainers-git` to test authentication with Git servers
- Mention the ORT version the report was created with.
- Generated package configuration path excludes does not respect vcs path curations HOT 1
- Effective license of `BSD-3-Clause AND BSD-3-Clause`
- Support getting Node-related tooling versions from the `frontend-gradle-plugin` HOT 1
- Consolidate Scan Storages HOT 2
- package-curations: Allow adding arbitrary tags to packages HOT 12
- SSLHandshakeException with ClearlyDefined.io HOT 1
- Add "Black Duck" as advisor for known security vulnerabilities HOT 4
- Enable the reporting of known security vulnerabilities as Open VEX document HOT 1
- Document the precedence / behavior in case of multiple package configuration providers
- Automate the creation of how-to-fix hints for vulnerabilities
- Kotlin 2.0 and GradleInspector: Issues with variant selection HOT 7
- Reuse creating SPDX with faulty information
- Reuse emits deprecation warnings HOT 1
- ort --info report -f CycloneDx -i bom.json -o . HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ort.