Sebastian Schuberth

Results: 1575 comments by Sebastian Schuberth

> What do you think?

Please have a look at how this is done in other package managers that support the concept of "lockfiles", like in NPM. By default ORT refuses...

> So it could also be bootstrapped or included in the Docker image.

Then I'd prefer to have it added to the Docker image as part of this PR (if...

> Related project: https://github.com/philips-software/spdx-action

However, I believe a GitHub action should not create SPDX, but [SARIF](https://github.com/oss-review-toolkit/ort/issues/1029), and use the [GitHub API to upload](https://docs.github.com/en/rest/reference/code-scanning#upload-an-analysis-as-sarif-data) it.

> I only knew of SPDX and never heard of SARIF. But if I understand you correctly, by adopting SARIF for GitHub Actions, GitHub will be able to interpret and...

Good news for sharing such a GitHub Action in your enterprise: https://github.blog/changelog/2022-03-04-sharing-github-actions-within-your-enterprise-is-now-ga/

This PR probably is related https://github.com/oss-review-toolkit/ort/pull/4277.

Maybe also semi-related: https://github.com/oss-review-toolkit/ort/pull/4606.

This is basically caused by the `tools.jar` property not being set when processing one of the POMs of a transitive dependency, I guess. I thought the code at https://github.com/oss-review-toolkit/ort/blob/184f3b8725d511adbdf3f3f884c3130961135572/analyzer/src/main/kotlin/managers/utils/MavenDependencyHandler.kt#L65-L75 should...

Thanks for the report @AJDurant. While not a solution to the root cause, you should be able to work around the issue by simplifying the regex, as messages are "sanitized"...

> you should be able to work around the issue by simplifying the regex

Did that actually work @AJDurant to avoid the hanging?