-
Notifications
You must be signed in to change notification settings - Fork 314
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide SPDX file as output #1913
Comments
@silverhook We did not have an issue for it be we have already started the prep work for ORT to produce SPDX output, see for example #1903. |
Actually, our original idea was to not have SPDX output from the reporter at all, but only from the documenter (which does not exist yet). The envisioned difference between reporter and documenter was that the reporter is used to visualize "intermediate" / potentially incomplete results (like analysis results without scan results), and the documenter would be used at the end of the pipeline to create "real BOMs" that also include license conclusions / policy waivers. However, we've softened that strict (and maybe somewhat artificial) distinction already anyway on user demand by adding CycloneDX BOM output to the reporter, so I agree we should also add SPDX (tag-value and RDF) output, probably via https://github.com/spdx/tools. |
Now that SPDX 2.2 has been released work has started on implementing SPDX reporter. Tasks:
|
The SPDX reporter was implemented as part of #2800 and meanwhile improved with several follow-up PRs, so I believe this is good to be closed. |
It would be really useful if ORT would provide an SPDX file as output, so one can import them into other tools.
From what I follow the development of SPDX, it seems like most additional tags that OTR uses are being discussed as being integrated into the new SPDX spec. Also it seems a JSON or YAML version of format is being discussed. So both of those issues should not be blockers any more.
The text was updated successfully, but these errors were encountered: