Sebastian Schuberth

> Would a system property like `sbt.boot.exit=false` work? For my use-case, yes. Though I believe that introducing conditional code for this could be more complex and introduce pitfalls (like users...

Hmm, I'm starting to get confused about launcher-related artifacts now... what's the difference between - https://mvnrepository.com/artifact/org.scala-sbt/sbt-launch - https://mvnrepository.com/artifact/org.scala-sbt/launcher - https://mvnrepository.com/artifact/org.scala-sbt/launcher-interface

Thanks. And where does Coursier now come into play? IIUC Coursier is "just" a dependency resolver, but not a launcher. So maybe `launcher` at some point started to use Coursier...

> So think that would be probably the easiest regardless of the programming language you're currently on. Right, but the whole point was to take advantage of SBT being implemented...

> we could be opening up a can of worm that is never compatible with the real `sbt` CLI Agreed, that's why all I was asking for was to be...

> Considering JSON Schema is not extensible, it's likely not possible. It's one of the reasons why the vulnerability extension only exists for XML. Isn't there a (somewhat hacky) way...

> The dependency graph extension is only applicable to CycloneDX v1.1. Which is the version of the spec ORT is using right now. I'm in the process of doing the...

Any updates to this? I'd like to record where a particular license entry comes from, i.e. from package metadata, or from a license scanner. As said, in XML we can...

You might also want to consider ORT's SPDX expression library at https://github.com/oss-review-toolkit/ort/tree/master/spdx-utils. Currently, no separate binary artifacts are published for this, but if you're interested we could do that.

> Currently, no separate binary artifacts are published for this, but if you're interested we could do that. By now the library is published at https://mvnrepository.com/artifact/org.ossreviewtoolkit.utils/spdx-utils.