New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
In SPDX reports, include licenseInfoFromFiles and file-level information for the scanned project itself as well #8485
Comments
Maybe @fviernau could comment on that?
That would be highly appreciated, than you for the willingness to help! |
Do you consider this to be a sensible change? |
Personally, I believe it makes sense to treat projects and packages consistently here, yes. Note though that SPDX does not explicitly distinguish between what ORT calls projects and packages, but just has (SPDX) packages and relations between them. |
What I recall (long ago, I'm not certain anymore if that's correct) is the following:
Given that I believe (without re-thinking it again more deeply) that if something for projects was implemented,
@tsteenbe do you maybe memorize further things, or have thoughts on this? |
Thank you for the outline. Making it configurable would be fine for me. However, I wonder what exactly should be configured? Currently, the project entries contain copyright statements found by the scanner but they do not contain license statements found by it. This is inconsistent IMO, isn't it? Other report formats like the PDF report contain both for the project. So I tend to all or nothing in that regard. The new configuration option could control if project entities are created at all. On top of that, there could be another option controlling whether file-level details are provided for project entities. I.e. the options Having just one merged entry for the whole root project would be sufficient for me although it would be a bit more difficult to implement and questions would arise like what to put into the attribute |
An ORT scan is applied on downloaded source code of external dependencies and on the scanned project itself. The latter is necessary to also cover OSS code that has been copied to the code base of a project. So far, so good. 馃憤
In an SPDX report, the information of the project itself is converted to an SPDX package entity as it is done for external dependencies as well. However, this project entity does neither contain the attribute
licenseInfoFromFiles
nor does it contain file-level information even though the scanner found (and e.g. the web app report contains) licenses. Only detected copyright statements are included in the fieldcopyrightText
.I suggest to include
licenseInfoFromFiles
and, if the propertyfile.information.enabled
is set, also file-level information for the scanned project as well. Looking at the code, this should not be too difficult to achieve.I don't know if this is a bug or a missing feature. In any case, I would volunteer to implement this change. But before I start I would like to know if you consider this a good idea and if my PR has a chance to be merged.
The text was updated successfully, but these errors were encountered: