ort --info report -f CycloneDx -i bom.json -o . about ort HOT 7 OPEN

Hi @wujunhuge, thanks for the report. Unfortunately, most of the fields in the report were not fill out by you, making it hard for us to reproduce what the root cause of you problem is.

Apparently, the, repository field is missing the ORT result JSON file that you are trying to load. As the ORT analyzer definitely writes this mandatory field, it looks like the ORT result JSON file has been tampered with. Can you share how this is file was created exactly?

from ort.

it looks like the ORT result JSON file has been tampered with.

Or actually, judging from the file name name bom.json in your title, it looks like the input is not an ORT result file at all. Basically, the input to the ort report command is the file that gets written by the ort analyze command. Also see the tutorial.

from ort.

Thank you for your reply. I am trying to use tools to analyze a C++project and convert it into a CycloneDx format BOM. JSON. However, after reading the tutorial, I feel a bit confused. Do I need to add any configurations when analyzing?

from ort.

Do I need to add any configurations when analyzing?

That depends a bit on which, if any, package manager your C++ project is using. Can you share some details on that?

In any case, that does not explain why the repository field seems to be missing in the ORT result file. Can you please also share the exact command line you're using to run ort analyze?

from ort.

Can my C++project be scanned without a package manager like Conan?
The command I am using now is: ort -- info analyze - i- o . -f JSON

from ort.

Can my C++project be scanned without a package manager like Conan?

It can be scanned in the meaning of running ort scan with the analyzer input, but none of its dependencies will be recognized or scanned. Only what's contained in the directory / repository ort analyze was given as the input will be scanned.

from ort.

And please note that ort analyze currently expects the input directory to be under version control. If that's not the case for you, you can trick ORT by creating a temporary Git working tree directory in your input directory by running git init, git add ., git commit -m "Dummy commit for ORT" first.

from ort.