Infrastructure for scanning a complete ORTResult
We are currently integrating the commercial Blackduck engine as a remote scanner into ORT.
We have built a client layer for interfacing with the Blackduck REST API which allows us to create a container structure ("project group") in the remote Blackduck system. This container serves as an outer bracing for all projects in an ORT result. For each project in an ORT result, we create a matching project in the container project group, upload the dependency information to Blackduck and let Blackduck process the individual projects.
Once Blackduck is done, we consume the scan results from Blackduck, convert them into the internal format used by ORT and pass them on as a standard ORT scan result.
During the integration efforts, we learned that ORT relies on the abstraction of package scanner engines, i.e. each dependency can be separately scanned as an isolated work item. The way Blackduck operates, it requires an all-or-nothing approach where we need to upload all packages at once as belonging to a project and let Blackduck process the whole dependency set (per project) in one operation.
IMHO there is currently no "official" way to process a full ORT result structure by a scanner because that infrastructure implicitly relies on the idea that a scanner is operating on the package level.
We would like to propose the idea of a more powerful scanner integration with the required capabilities to the community and will raise a pull request showing how we got this working so far.
The current implementation by Porsche has been submitted as a pull request: https://github.com/oss-review-toolkit/ort/pull/5325
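The mismatch described in the post, a per-package scanner abstraction on the ORT side versus a per-project, all-or-nothing upload on the scanner side, can be bridged by an orchestration layer that submits each project's whole dependency set as one work item and then fans the project-level findings back out into per-package results. The following Python sketch is an added example and is not code from ORT, from the linked pull request, or from Blackduck. Everything in it is an assumption: `BatchScannerClient` is a hypothetical client interface standing in for the real REST client, `FakeBatchScanner` is an in-memory stand-in for the remote service with a constructed license table, and `PackageId`, `Project` and `PackageScanResult` are simplified versions of ORT's model types. It also shows two edge cases the real integration has to decide on: the same package appearing in two projects (findings are merged) and a package for which the service returns no finding (recorded as an issue rather than silently dropped).

```python
from dataclasses import dataclass
from typing import Protocol


@dataclass(frozen=True)
class PackageId:
    """Simplified stand-in for ORT's package identifier (type:namespace:name:version)."""
    type: str
    namespace: str
    name: str
    version: str

    def __str__(self) -> str:
        return f"{self.type}:{self.namespace}:{self.name}:{self.version}"


@dataclass
class Project:
    id: PackageId
    dependencies: list[PackageId]


@dataclass
class PackageScanResult:
    """Stand-in for the per-package scan result ORT's scanner layer expects."""
    package: PackageId
    licenses: frozenset[str]
    scanner: str


class BatchScannerClient(Protocol):
    """Hypothetical client interface for a project-level (all-or-nothing) scanner."""
    def create_project_group(self, name: str) -> str: ...
    def create_project(self, group_id: str, name: str) -> str: ...
    def upload_dependencies(self, project_id: str, packages: list[str]) -> None: ...
    def wait_until_done(self, project_id: str) -> None: ...
    def fetch_results(self, project_id: str) -> dict[str, set[str]]: ...


class FakeBatchScanner:
    """In-memory fake of the remote service; the license table is constructed."""
    KNOWLEDGE = {
        "Maven::commons-io:2.11.0": {"Apache-2.0"},
        "Maven:org.slf4j:slf4j-api:1.7.36": {"MIT"},
        "NPM::lodash:4.17.21": {"MIT"},
    }

    def __init__(self) -> None:
        self.groups: dict[str, list[str]] = {}
        self.projects: dict[str, list[str]] = {}

    def create_project_group(self, name: str) -> str:
        self.groups[name] = []
        return name

    def create_project(self, group_id: str, name: str) -> str:
        project_id = f"{group_id}/{name}"
        self.groups[group_id].append(project_id)
        self.projects[project_id] = []
        return project_id

    def upload_dependencies(self, project_id: str, packages: list[str]) -> None:
        # All-or-nothing: the whole dependency set replaces any earlier upload.
        self.projects[project_id] = list(packages)

    def wait_until_done(self, project_id: str) -> None:
        pass  # the fake processes synchronously; a real client would poll here

    def fetch_results(self, project_id: str) -> dict[str, set[str]]:
        # Only packages the service knows produce a finding.
        return {p: set(self.KNOWLEDGE[p]) for p in self.projects[project_id] if p in self.KNOWLEDGE}


def scan_projects_batched(projects: list[Project], client: BatchScannerClient,
                          group_name: str, scanner_name: str = "batch-scanner"):
    """Submit every project's full dependency set as one work item, then fan the
    project-level findings back out into the per-package results ORT works with."""
    group_id = client.create_project_group(group_name)
    results: dict[PackageId, PackageScanResult] = {}
    issues: list[str] = []
    for project in projects:
        project_id = client.create_project(group_id, str(project.id))
        client.upload_dependencies(project_id, [str(d) for d in project.dependencies])
        client.wait_until_done(project_id)
        findings = client.fetch_results(project_id)
        for dep in project.dependencies:
            licenses = findings.get(str(dep))
            if licenses is None:
                # Edge case: uploaded package without a finding must not vanish silently.
                issues.append(f"{project.id}: no finding returned for {dep}")
                continue
            previous = results.get(dep)
            merged = frozenset(licenses) | (previous.licenses if previous else frozenset())
            results[dep] = PackageScanResult(dep, merged, scanner_name)
    return results, issues


def demo():
    """Constructed two-project input: commons-io is shared, left-pad is unknown to the fake."""
    commons_io = PackageId("Maven", "", "commons-io", "2.11.0")
    projects = [
        Project(PackageId("Maven", "com.example", "app", "1.0"),
                [commons_io, PackageId("Maven", "org.slf4j", "slf4j-api", "1.7.36")]),
        Project(PackageId("NPM", "", "web", "1.0"),
                [PackageId("NPM", "", "lodash", "4.17.21"), commons_io,
                 PackageId("NPM", "", "left-pad", "1.3.0")]),
    ]
    return scan_projects_batched(projects, FakeBatchScanner(), "ort-result-demo")


if __name__ == "__main__":
    scan_results, scan_issues = demo()
    for pkg, res in scan_results.items():
        print(pkg, sorted(res.licenses))
    print("issues:", scan_issues)
```

The design point is the boundary: everything above `scan_projects_batched` is project-level and belongs to the remote service, everything it returns is package-level and can be handed to ORT's existing per-package plumbing. Merging findings for a package shared by several projects is a choice, not a given; the alternative is to report a conflict when two projects yield different findings for the same package.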