Support downloading source for packages defined in SPDX documents
For packages defined in SPDX documents and analyzed by the SPDX Document File analyzer, the scanner scans the source from the repository that the SPDX document is analyzed in. For dependencies that are, for example, packaged with the product at build time with a custom script, it would be useful to be able to define these in an SPDX file, based on which the scanner could then scan the source declared in the SPDX document's downloadLocation.
As an example, this SPDX document in the analyzed repository could lead the scanner to scan the source from https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.56/src/apache-tomcat-9.0.56-src.tar.gz:
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2021-12-16T07:23:19Z"
  creators:
    - "Organization: HH Partners, Attorneys-at-law, Ltd"
name: "apache-tomcat-9.0.52"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-apache-tomcat"
documentDescribes:
  - "SPDXRef-Package-apache-tomcat"
packages:
  - SPDXID: "SPDXRef-Package-apache-tomcat"
    description: "The Apache Tomcat® software is an open source implementation of the Jakarta \
      Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta \
      Annotations and Jakarta Authentication specifications."
    copyrightText: "Copyright 1999-2021 The Apache Software Foundation"
    downloadLocation: "https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.56/src/apache-tomcat-9.0.56-src.tar.gz"
    filesAnalyzed: false
    homepage: "https://tomcat.apache.org/"
    licenseConcluded: "NOASSERTION"
    licenseDeclared: "Apache-2.0"
    name: "Apache Tomcat"
    versionInfo: "9.0.56"
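As an added illustration (not ORT's own code), the following classifies each SPDX package's downloadLocation into the origin kinds the scanner could fetch from, and filters them by a sourceCodeOrigins-style preference list. The package entries are constructed to mirror the document above plus a VCS locator and a NOASSERTION case; the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed SPDX package entries: the Tomcat package from the issue,
# a VCS-style locator, and a package with no declared download location.
PACKAGES = [
    {"SPDXID": "SPDXRef-Package-apache-tomcat", "name": "Apache Tomcat", "versionInfo": "9.0.56",
     "downloadLocation": "https://dlcdn.apache.org/tomcat/tomcat-9/v9.0.56/src/apache-tomcat-9.0.56-src.tar.gz"},
    {"SPDXID": "SPDXRef-Package-example-lib", "name": "example-lib", "versionInfo": "1.2.3",
     "downloadLocation": "git+https://example.invalid/org/example-lib.git@v1.2.3#src"},
    {"SPDXID": "SPDXRef-Package-unknown", "name": "unknown", "versionInfo": "0.1",
     "downloadLocation": "NOASSERTION"},
]

# SPDX 2.2 VCS locator form: <tool>+<transport>://<host>/<path>[@<revision>][#<sub_path>]
VCS_LOCATOR = re.compile(
    r"^(?P<tool>git|hg|svn|bzr)\+(?P<url>[a-z][a-z0-9+.-]*://[^@#]+)"
    r"(?:@(?P<rev>[^#]+))?(?:#(?P<path>.+))?$"
)


@dataclass
class SourceOrigin:
    kind: str  # "ARTIFACT", "VCS" or "NONE"
    url: Optional[str] = None
    revision: Optional[str] = None
    path: Optional[str] = None


def classify_download_location(location: str) -> SourceOrigin:
    """Map one SPDX downloadLocation value to a fetchable origin kind."""
    if location in ("NONE", "NOASSERTION"):
        return SourceOrigin("NONE")
    m = VCS_LOCATOR.match(location)
    if m:
        return SourceOrigin("VCS", m.group("url"), m.group("rev"), m.group("path"))
    if re.match(r"^https?://", location):
        return SourceOrigin("ARTIFACT", location)  # plain URL: a source artifact
    return SourceOrigin("NONE")  # anything else cannot be fetched safely


def plan_scans(packages: Iterable[dict], origins: Iterable[str]) -> Dict[str, SourceOrigin]:
    """Keep only packages whose origin kind is allowed by the preference list."""
    allowed = set(origins)
    plan = {}
    for pkg in packages:
        origin = classify_download_location(pkg.get("downloadLocation", "NOASSERTION"))
        if origin.kind in allowed:
            plan[pkg["SPDXID"]] = origin
    return plan
```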
This should actually already work (independently of the change proposed in https://github.com/oss-review-toolkit/ort/pull/6007) if you configure to prefer source artifacts over VCS locations in config.yml like sourceCodeOrigins: [ARTIFACT, VCS].
Can you confirm @mmurto?
Any update here @mmurto?
Nope. I have no current need to inspect this further, so from my side this can be closed.
Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.