Sebastian Schuberth

Results 1712 comments of Sebastian Schuberth

> This test is currently expected to fail due to a bug in the cyclonedx-core-java [1](https://github.com/CycloneDX/cyclonedx-core-java). Maybe first file the issue there, in order to link it here?

@MarcelBochtler how do we proceed here? I believe the test now proves that there is a problem. So are we good to report this bug upstream?

> I reported it upstream already: [CycloneDX/cyclonedx-core-java#638](https://github.com/CycloneDX/cyclonedx-core-java/issues/638) 👍🏻
> I also mentioned this in the commit message.

Sorry, I was looking at the initial post only, which just generally links to...

@oheger-bosch, could you please check whether this works for you as well?

> As inclusion of licenses is a bit of a critical area, we can consider even renaming the function, so that existing templates fail hard. What do you think @oss-review-toolkit/core-devs ? Maybe...

I've just checked, and the topic of the PR still seems relevant:

> The `readFromStorage(pkg: Package, scannerDetails: ScannerDetails)` function now returns only scan results produced by a scanner compatible with...

> I am not sure whether it makes sense to base on the code in this PR - it must be terribly outdated.

I agree we should probably not reuse...

Did you see https://github.com/oss-review-toolkit/ort/pull/10020, @wkl3nk?

Also, please see [this comment](https://github.com/oss-review-toolkit/ort/issues/10997#issuecomment-3452629863), which refers to PDM mainly, but the new `pylock.toml` file format is supposed to be [used by UV](https://snarky.ca/why-it-took-4-years-to-get-a-lock-files-specification/#2025), too. So we should consider to generically...

Also somewhat related to "lockfile-only analyzers" is [this issue](https://github.com/oss-review-toolkit/ort/issues/8361).