Sebastian Schuberth

Results 1712 comments of Sebastian Schuberth

> Docker Image of ORT stored in AWS ECR detected with security vulnerabilities

Could you please share which tool was used to identify these vulnerabilities, for reference?

Maybe https://blog.deps.dev/base-container-image/ could become useful here.

Note that while https://github.com/oss-review-toolkit/ort/pull/9697 turned VCS plugins into `TypedConfigurablePluginFactory`(ie)s, the `priority` is not yet configurable.

As a side note, IMO breaking cycles should be an inherent feature of the dependency graph builder, so that not all package managers need to implement such logic separately. Also...

I totally forgot that [I already have a script for this](https://github.com/sschuberth/ort-scripts/blob/main/ort-result-schema-generator.main.kts). Mind giving that a try, @heliocastro?

FYI, [major version 9 of the Shadow plugin](https://github.com/GradleUp/shadow/releases/tag/9.0.0) has been released with many improvements.

> or the probably even more fitting [Gr8 plugin](https://github.com/GradleUp/gr8) could be used.

Or use https://github.com/GradleUp/gratatouille, also see [this discussion](https://github.com/GradleUp/gratatouille/issues/38#issuecomment-2930507270).

Good point about a `Project`'s provenance info. If the analysis is not performed on a repository, it also does not make sense to store VCS-related information for the `Project`s, and...

> Would you like me to incorporate those changes to `Project` into #8764 as well before we proceed?

I'm not sure. Your PR is already quite involved, so maybe we...

> @sschuberth Is there any news from the core developer meeting?

No, because we had to skip it for this week due to appointment conflicts, sorry.