Michael Wellendorf

Results 24 comments of Michael Wellendorf

I re-tested this behavior with one of our internal projects. From my point of view this could be related to the merge strategy (hierarchical vs. flat). Unfortunately I can't provide...

Finally, I think I found the cause for this. The CycloneDX BOM that is imported into DependencyTrack has for example these two components: ``` [ { "type": "library", "name": "alpine-baselayout-data",...

:disappointed: This feature is much awaited by our dev teams. Especially in combination with https://github.com/DependencyTrack/dependency-track/issues/1732 it would be a huge improvement regarding OSS license clearing. Sadly I can't support the...

We are using Dependency-Track mainly for OSS license clearing. And currently we are also facing this issue. Components are showing any (single!) of the detected licenses, if there are more...

Hello @stevespringett. Thank you for your quick response. And for the clarification regarding CycloneDX. A component in the CycloneDX BOM (created with ORT) looks like this. ``` { "group": "ch.qos.logback",...

Besides, if I generate the CycloneDX as XML, it does at least distinguish between declared and detected licenses. ``` librarych.qos.logbacklogback-classic1.2.11logback-classic modulerequired EPL-1.0 declared license LGPL-2.1-or-later declared license Apache-2.0 detected license...

In addition, the described feature would also be valuable for parent-child-project relationships. So if a policy violation would have been closed in a child project, this decision could be reflected...

@sschuberth Sorry for that. I found a code comment here: https://github.com/oss-review-toolkit/ort/blob/aa942fa62dd7f055e2f27f51831dc66cf77e55c8/analyzer/src/main/kotlin/managers/Gradle.kt#L230 ` // TODO: Also handle authentication and snapshot policy.` This led me to the assumption that something related to...

@sschuberth Sorry, I'm a bit late with my answer. ;-) I also tried to use ORT natively. With same results. Normally I use the ORT Docker image and mount all...

@sschuberth Yes, I'll be able to try that next week from Wednesday on. :+1: