Provide SPDX file as output #1913

Closed
silverhook opened this issue Oct 29, 2019 · 4 comments
Labels: new feature (Issues that are considered to be new features), reporter (About the reporter tool)

Comments

@silverhook

It would be really useful if ORT would provide an SPDX file as output, so one can import it into other tools.

From what I follow of the development of SPDX, it seems like most additional tags that ORT uses are being discussed as being integrated into the new SPDX spec. Also it seems a JSON or YAML version of the format is being discussed. So both of those issues should not be blockers any more.

@sschuberth added the new feature and reporter labels on Oct 29, 2019
@tsteenbe
Member

@silverhook We did not have an issue for it but we have already started the prep work for ORT to produce SPDX output, see for example #1903.

@sschuberth
Member

Actually, our original idea was to not have SPDX output from the reporter at all, but only from the documenter (which does not exist yet). The envisioned difference between reporter and documenter was that the reporter is used to visualize "intermediate" / potentially incomplete results (like analysis results without scan results), and the documenter would be used at the end of the pipeline to create "real BOMs" that also include license conclusions / policy waivers.

However, we've softened that strict (and maybe somewhat artificial) distinction already anyway on user demand by adding CycloneDX BOM output to the reporter, so I agree we should also add SPDX (tag-value and RDF) output, probably via https://github.com/spdx/tools.

@tsteenbe
Member

tsteenbe commented Jun 4, 2020

Now that SPDX 2.2 has been released, work has started on implementing the SPDX reporter.

Tasks:

  • Update https://github.com/oss-review-toolkit/ort/tree/spdx-reporter to match v2.2 specification.
  • Generate a basic SPDX document
  • Map packages in OrtResult to packages array in SPDX document
  • Map file findings in OrtResult to files array in SPDX document
  • Render dependency tree as set of relationships
  • Add support for hasExtractedLicensingInfos, e.g. inclusion in the SPDX file output of the id and full license text for non-SPDX licenses
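
An added example, not ORT's own code and not part of the original comment: building an SPDX 2.2 JSON document with a packages array, DEPENDS_ON relationships and hasExtractedLicensingInfos, and refusing to emit a document with a dangling dependency or a LicenseRef that has no text. The input structure, function names, tool name, namespace URL and sample values are hypothetical and constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample input; a hypothetical stand-in, not ORT's OrtResult model.
SAMPLE_PACKAGES = [
    {"id": "Maven:com.example:app:1.0.0", "license": "Apache-2.0",
     "deps": ["Maven:com.example:lib:2.1.0"]},
    {"id": "Maven:com.example:lib:2.1.0", "license": "LicenseRef-example-custom", "deps": []},
]
SAMPLE_LICENSE_TEXTS = {"LicenseRef-example-custom": "Constructed license text."}

def spdx_id(identifier):
    # SPDX element ids allow only letters, digits, "." and "-" after "SPDXRef-".
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", identifier)

def build_spdx_document(name, namespace, packages, license_texts, root_id):
    known = {p["id"] for p in packages}
    doc = {
        "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": name, "documentNamespace": namespace,
        "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "creators": ["Tool: example-sbom-script"]},
        "packages": [], "hasExtractedLicensingInfos": [],
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                           "relatedSpdxElement": spdx_id(root_id)}],
    }
    for pkg in packages:
        pkg_name, _, version = pkg["id"].rpartition(":")
        doc["packages"].append({
            "SPDXID": spdx_id(pkg["id"]), "name": pkg_name, "versionInfo": version,
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "licenseConcluded": "NOASSERTION", "licenseDeclared": pkg["license"],
            "copyrightText": "NOASSERTION"})
        for dep in pkg["deps"]:
            if dep not in known:  # a dangling edge would make the BOM misleading
                raise ValueError(f"dependency {dep} has no package entry")
            doc["relationships"].append({"spdxElementId": spdx_id(pkg["id"]),
                                         "relationshipType": "DEPENDS_ON",
                                         "relatedSpdxElement": spdx_id(dep)})
    refs = sorted({p["license"] for p in packages if p["license"].startswith("LicenseRef-")})
    for ref in refs:
        if ref not in license_texts:  # every LicenseRef used must carry its text
            raise ValueError(f"no license text for {ref}")
        doc["hasExtractedLicensingInfos"].append({"licenseId": ref, "extractedText": license_texts[ref]})
    return doc

if __name__ == "__main__":
    print(json.dumps(build_spdx_document("example-app", "https://example.com/spdx/example-app-1.0.0",
                                         SAMPLE_PACKAGES, SAMPLE_LICENSE_TEXTS, SAMPLE_PACKAGES[0]["id"]), indent=2))
```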

@sschuberth
Member

The SPDX reporter was implemented as part of #2800 and meanwhile improved with several follow-up PRs, so I believe this is good to be closed.
