Open mjherzog opened 3 years ago
This makes a lot of sense. This is also related to nexB/scancode-toolkit#272. The use cases could be reformulated this way:
In the case of dependencies when I do not know the exact versions, I may want to further resolve a dependency's version constraints to get a concrete version (and this can be very simple, such as picking the latest released version).
And to get the extra data I can either:
ScanCode Toolkit identifies dependencies from package manifest files, but in most cases what you really want is the provenance data that can be retrieved from a package repository. The enhancement request is to build a new SCIO pipeline with at least one example of fetching the provenance data from a package repo to use as a template. In a common use case you may want to include fetching package repo provenance data for 2 or 3 package types. This is related to:
I suspect that this enhancement may require Data Model changes.