Sebastian Schuberth
> However we are still encountering an issue that the submodule is duplicated as reported [here](https://github.com/oss-review-toolkit/ort/issues/10427)

Ok, but as that's tracked separately, are we good to close this issue?
For reference, at least we already do have https://github.com/heremaps/oss-review-toolkit/blob/master/evaluator/src/main/resources/rules/no_gpl_declared.kts as an example (that is currently used in tests only).
When working on this, also [applying the license choice for the main license should be revisited](https://github.com/oss-review-toolkit/ort/pull/10139#discussion_r2041563023).
There's a chance this might have been fixed with https://github.com/oss-review-toolkit/ort/pull/11101. Can anyone retry?
Where does the raw vulnerability data in SCANOSS come from @juliancoccia? It would only really make sense for us to add a SCANOSS advisor if it'd cover sources not already...
@isasmendiagus, would you have any interest in contributing to this?
> Would need to figure out what/how. We could have another short meeting on that next week or so.
https://github.com/scanoss/vulnerabilities looks interesting in this context.
> We would like to, but we need the Gradle team's help. See [gradle/gradle#18028](https://github.com/gradle/gradle/pull/18028)

Note that according to @melix's [comment](https://github.com/gradle/gradle/pull/18028#issuecomment-1266657213) "The PR, in itself, is irrelevant though" now that Gradle...
In conjunction with https://github.com/gradle/foojay-toolchains this now basically works as outlined e.g. at https://github.com/oss-review-toolkit/ort/compare/main...graalvm-upgrade.