Does repository_license_choices have an effect on CycloneDXReporter sbom output? #7182
Comments
As a side note, I thought this would be too complicated:
But I indeed just verified that the order of
IIUC, the ordering issue is a bug which was already on the radar, see #6721.
I don't think that's related. Creating the DNF does not alter / create a deterministic order of licenses. But I remember that we once discussed whether
It was almost like at: #4077
Yes, I have declared both combinations just to exclude possible "given" order issues. But my first question is, if repository_license_choices would work for CycloneDXReporter or not. So, just to clarify: is a license choice only important during the report phase, or should it change the licenses of a dependency even in the evaluation-result.yml?
Any (general) reporter should take license choices into account (unless it's a very special reporter that somehow needs to provide access to "raw" data), and license choices are also applied before the evaluation phase (otherwise you'd never be able to fix rule violations by making a license choice). So, your bug report sounds valid, but I haven't verified it yet.
Fixes #7182. Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
Tested and it works. Thanks :)
Hey,
I wonder if repository_license_choices has an effect on sbom output generated by CycloneDXReporter.
ort/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
Line 271 in 9cbcf9f
Here's an example:
analyzer-result.yml
evaluation-result.yml
ORT Scan Report > Tree
Effective SPDX is MIT, license choice works:
bom.cyclonedx.json
Still both licenses in sbom - license choice has no effect.
Or did I miss something?
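The check the reporter did by hand above (open bom.cyclonedx.json and look whether both alternatives are still listed) can be automated. This is an added example, not ORT's own code: it takes a CycloneDX 1.4 JSON document and a plain given-to-choice mapping that mirrors the repository_license_choices pairs, and flags every component that still carries all operands of a chosen "given" expression. The BOM content and the license operands (MIT OR Apache-2.0) are constructed sample values, and only simple top-level OR expressions are split.

```python
import json

# Constructed sample BOM (not real CycloneDxReporter output): one component
# still lists both alternatives, one has the choice applied.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}},
                      {"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "chosen-lib", "version": "2.0.0",
         "licenses": [{"expression": "MIT"}]},
    ],
})

# Constructed choices mirroring .ort.yml given/choice pairs (operands assumed);
# both orderings are listed, as the issue reporter did.
LICENSE_CHOICES = {"MIT OR Apache-2.0": "MIT", "Apache-2.0 OR MIT": "MIT"}


def split_or(expression):
    """Split a simple top-level 'A OR B' SPDX expression into its operands."""
    return {part.strip() for part in expression.split(" OR ")}


def component_license_ids(component):
    """Collect license ids/names and expression operands of one component."""
    ids = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids |= split_or(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            ids.add(lic.get("id") or lic.get("name"))
    return ids


def unapplied_choices(bom_json, choices):
    """Return {name@version: sorted licenses} for components where all
    operands of a chosen 'given' expression are still present together."""
    bom = json.loads(bom_json)
    operand_sets = {frozenset(split_or(given)) for given in choices}
    findings = {}
    for comp in bom.get("components", []):
        ids = component_license_ids(comp)
        if any(operands <= ids for operands in operand_sets):
            findings[f"{comp['name']}@{comp['version']}"] = sorted(ids)
    return findings


if __name__ == "__main__":
    for comp, ids in unapplied_choices(SAMPLE_BOM, LICENSE_CHOICES).items():
        print(f"license choice not applied: {comp} still lists {ids}")
```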