
Support generic `isModified` detection for packages beyond Maven

Open tsteenbe opened this issue 2 years ago • 5 comments

Currently ORT only supports checking if a Maven package is modified by comparing hashes - this is a useful feature to discover if, say, an R&D team has taken a FOSS package, modified it and uploaded it to, say, the internal artifactory.

Feb 16 '23 09:02 tsteenbe

FYI, this is the way it's currently implemented for Maven:

https://github.com/oss-review-toolkit/ort/blob/eb34b0dd11ee08ddbb537aa3c7eb54ecb7ff5bd7/analyzer/src/main/kotlin/managers/utils/MavenSupport.kt#L305-L321

Feb 16 '23 09:02 sschuberth

pnpm and Yarn both have patching functionality, which at least indicated a modified package.

Dec 13 '23 08:12 mmurto

> pnpm and Yarn both have patching functionality, which at least indicated a modified package.

Now that you mention it, for Conan we have implemented something similar:

https://github.com/oss-review-toolkit/ort/blob/ab808c98ed9abc2aad8e323500edfc24ba4c55aa/plugins/package-managers/conan/src/main/kotlin/Conan.kt#L324

Dec 13 '23 09:12 sschuberth
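As an added illustration of the two signals discussed in this thread (this is not ORT code, and `is_modified`, `declared_patches` and all sample data are hypothetical names and constructed values): a package-manager-agnostic hash comparison that accepts both bare hex checksums (such as a Maven `.sha1` file) and SRI strings (such as npm's `dist.integrity`), plus a check for patches declared through `pnpm.patchedDependencies` or Yarn's `patch:` protocol in `package.json`.

```python
import base64, hashlib, hmac, json

HEX_ALGOS = {40: "sha1", 64: "sha256", 128: "sha512"}  # hex length -> algorithm
SRI_ALGOS = ("sha1", "sha256", "sha384", "sha512")

def is_modified(artifact: bytes, published: str):
    """True if artifact differs from the upstream checksum, False if it matches,
    None if the checksum is unusable (no verdict, which is not "unmodified")."""
    published = published.strip()
    algo, _, rest = published.partition("-")
    try:
        if rest and algo in SRI_ALGOS:       # SRI form: "<algo>-<base64 digest>"
            expected = base64.b64decode(rest, validate=True)
        else:                                # bare hex digest
            algo = HEX_ALGOS.get(len(published))
            expected = bytes.fromhex(published)
    except ValueError:                       # malformed base64 or hex
        return None
    if algo is None:
        return None
    actual = hashlib.new(algo, artifact)
    if len(expected) != actual.digest_size:  # truncated or padded checksum
        return None
    return not hmac.compare_digest(actual.digest(), expected)

def declared_patches(package_json: str):
    """Names of dependencies the manifest itself declares as patched."""
    manifest = json.loads(package_json)
    patched = set(manifest.get("pnpm", {}).get("patchedDependencies", {}))
    for name, target in manifest.get("resolutions", {}).items():
        if isinstance(target, str) and target.startswith("patch:"):
            patched.add(name)
    return sorted(patched)

# Constructed sample data (not real packages or real checksums of any release)
UPSTREAM = b"constructed upstream artifact bytes"
INTERNAL = UPSTREAM + b" plus a local change"
SHA1_HEX = hashlib.sha1(UPSTREAM).hexdigest()
SRI_512 = "sha512-" + base64.b64encode(hashlib.sha512(UPSTREAM).digest()).decode()
MANIFEST = json.dumps({
    "pnpm": {"patchedDependencies": {"left-pad@1.3.0": "patches/left-pad@1.3.0.patch"}},
    "resolutions": {"lodash@npm:4.17.21": "patch:lodash@npm%3A4.17.21#./patches/lodash.patch",
                    "chalk": "5.3.0"},
})

if __name__ == "__main__":
    print(is_modified(INTERNAL, SHA1_HEX), is_modified(UPSTREAM, SRI_512))
    print(declared_patches(MANIFEST))
```

The three-valued result matters for reporting: an unrecognised or malformed upstream checksum yields `None`, so a package is never reported as unmodified just because no comparison could be made.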