Sebastian Schuberth
Superseded by https://github.com/oss-review-toolkit/ort/pull/5676.
While running a reporter on an ORT result with only a scan result is not forbidden, this is a use-case that is not well tested. The usual (and well tested)...
We should probably drop support for ScanCode < 3 before that to simplify the code. I started working on this in the `drop-sc-before-3` branch.
> We should probably drop support for ScanCode < 3 before that to simplify the code. I started working on this in the `drop-sc-before-3` branch.

This has been done in...
I believe this should only ever happen with TAR files, as these by convention contain a top-level directory that is named after the base name of the archive.
> There is, however, a lot of redundancy between the dependencies of the single Maven sub projects.

Oh, then I must have misunderstood something about the current new dependency graph...
But would it really be such a big change to support this subtree reuse across projects? Wouldn't we basically just need to take care that identifiers for subtrees are unique...
We probably indeed need a follow-up discussion. What I remember / understood back then is that for vulnerabilities that you *have* to address (e.g. because of their severity) rules should...
Possible solutions to the above include @pombredanne's proposal for an ACT-funded "Project-Multi Python-version dependencies resolver", or leveraging / extending existing tools like https://github.com/ddelange/pipgrip.
> or leveraging / extending existing tools like https://github.com/ddelange/pipgrip.

See in particular https://github.com/ddelange/pipgrip/issues/40.