Thomas Neidhart
The SBOM file cannot be patched as it is signed during the build, so the signature would not be valid anymore afterwards, that's why I meant it not clear...
There are a couple of things that I still need to fix, but the failing CI runs are unrelated to this PR afaict. They also exist for other PRs and...
OK, so there are some unit test failures that I need to address. Most of them are from the fact that python-inspector returned duplicate package entries in its result up...
I could fix most tests (weird thing is that 4 tests fail locally when run in PyCharm, but work on the command line, so that might be a PyCharm problem),...
Still need to take a look at etc/scripts if there also need to be adjustments after the changes.
Gradle tests are failing, need to look into that; did mainly test with Maven projects so far. OK, so in case of Gradle, we cannot rely on the fact...
My idea so far that worked is to let Maven resolve all dependencies by itself, which it can do best it seems (e.g. running a normal build is also fast,...
The project only has one additional repository setup: repo.eclipse.org for one dependency. The jboss repository probably comes from another dependency's pom and is not used generally. One negative side-effect of...
> ORT only downloads the POM files for dependencies, for other artifacts only the checksums are downloaded. See:

I don't think that this is true, looking at https://github.com/oss-review-toolkit/ort/blob/a464678e9f6f9c3fb298ba2be265dbcb28ca4922/plugins/package-managers/maven/src/main/kotlin/utils/MavenSupport.kt#L722-L738 and the...
> > The project only has one additional repository setup: repo.eclipse.org for one dependency. The jboss repository probably comes from another dependency's pom and is not used generally. One negative...