Sebastian Schuberth
> Moving this to an external dependency like LicenseLynx will make it harder for ORT users to set up ORT with their own set of license mappings. Why? How? ORT's...
> Alternative solution could be: Extend declared license mapping to allow specifying a content hash. Isn't that exactly what's being done with e.g. https://github.com/oss-review-toolkit/ort/pull/5259/files#diff-4e93601aa35e18daab883e47b59f0e54cc0614a6b0d76e3f60acb78f8965f57aR321? Or do you mean a simpler...
> I meant a solution which works without creating new generated license identifiers per distinct `(url, hash)`. IMO that's the case already for the current proposal. New entries are only...
> I believe using the content hash from `time = now()` is wrong anyway, because the content at the point in time the artifact has been created is relevant but...
> From the PR description (following excerpt), I got that this is being proposed in order to support a reliable mapping. I see how this can be misleading based on...
Hi @mr-zepol, the issue originally occurred with data from CVE-2020-15250 as found in `pkg:maven/junit/[email protected]`. I'll try to reproduce it again and report back.
The problem is still present, see [this CycloneDX 1.5 BOM](https://github.com/user-attachments/files/20071115/bom.cyclonedx.zip), which was generated with cyclonedx-core-java version 10.2.1. When uploading this to https://cyclonedx.github.io/cyclonedx-web-tool/validate I get the error > Validation failed at...
For Conan, this is being worked on in https://github.com/oss-review-toolkit/ort/pull/10126.
Here's the link to the migration guide: https://blog.jetbrains.com/platform/2024/09/migrating-your-kotlin-plugin-to-k2-mode/
> This to me seems purely a UI requirement in ORT server, and may change. While triggered by ORT Server related UI questions, I also see value for the ORT...