Sebastian Schuberth
By leveraging the [Action Toolkit](https://github.com/actions/toolkit), we should create a GitHub Action to run ORT as part of PR checks. Some related projects:

- https://github.com/boschcrank/ort-scan-test/blob/master/.github/workflows/build.yml
- https://github.com/philips-software/spdx-action
- https://github.com/alliander-opensource/license-scan-action
- https://github.com/mmurto/ort-demo/blob/master/.github/workflows/ort.yml...
Currently, only the Gradle analyzer uses the new dependency graph format introduced in https://github.com/oss-review-toolkit/ort/pull/3502. We should take advantage of the new format for more (ultimately all) package manager implementations. Package...
> adding the Copyright holder statements to the org.ossreviewtoolkit.model.PackageCurationData entity

FYI, I just pushed my local [`curate-copyrights` branch](https://github.com/oss-review-toolkit/ort/tree/curate-copyrights) which trivially starts doing that. @rbieniek do you want to take over...
Currently, there are no fixed releases for ORT available, but only dynamically built artifacts via [JitPack](https://jitpack.io/#heremaps/oss-review-toolkit). While this works reasonably well for "early adopters" like [SW360 Antenna](https://github.com/eclipse/antenna/blob/master/pom.xml#L263-L272), it would be...
I just verified that ORT's analyzer suffers from the [same problem as CycloneDX's Maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/116): The Maven resolver library might de-duplicate dependencies that have already been reported, resulting in an...
For reference, the original hard-coded values from the ScanOss library's `BlacklistRules` [1] are used. This is a step towards getting rid of the dependency on the deprecated ScanOss Java library...
Currently, for performance reasons the scanner is implemented to scan as few files from a VCS repository as needed (i.e. by taking `VcsInfo.path` into account) to cover the respective package's...
Many NuGet packages only declare license URLs which, in contrast to license names, cannot reliably be mapped to SPDX license expressions as the content the URL refers to might change...
We should investigate whether it's somehow possible to analyze Android projects that depend on the Android NDK either without installing the NDK at all, or by bootstrapping the NDK, so...
Currently, scanning in ORT is package-based, and project-packages are identified by "definition files" (like "pom.xml", "build.gradle", "package.json" etc.) in the directory tree. So all files and directories below a definition...