Sebastian Schuberth

> I'll look into what we can do to improve this. See https://github.com/oss-review-toolkit/ort/pull/4547.

> The downloader still insist in getting a tag to start the scan as I understand in the following log: Correct, we disallow scanning branches by default as doing so...

> Let me see what I can do. See https://github.com/oss-review-toolkit/ort/pull/4553.

> project 'SpdxDocumentFile::proj1:main' cannot be found in Repository Ah, crap, that's a more tricky problem now. Not sure yet how to work around that. > Also, the scan is actually...

Any update here @andrykonchin?

Is there really any technical restriction why this shouldn't be working? The limitation seems to be quite arbitrary...

> but this is not enough to create a correct serializer (for example, to get the default values) I see, thanks.

> * An optional `Identifier` (or a string with package coordinates), which is set if the issue is related to a specific package. This could be done similar to 521640b4f55edfbfb357f65a12db480eb9521474.

This relates to addressing the issue mentioned [here](https://github.com/oss-review-toolkit/ort-config/pull/193#discussion_r1625429429). The idea that I mentioned in a community meeting was to [refactor the CVSS classes into a sealed class hierarchy](https://github.com/oss-review-toolkit/ort/wiki/ORT-Community-Meeting#2024-06-06).

> [@sschuberth](https://github.com/sschuberth) I am still interested to know how you would use these urls I guess you meant @SaberStrat?