blackducksoftware / hub-rest-api-python

HUB REST API Python bindings
Apache License 2.0

Comparison of release dates does not work as intended #199

Open thaljef opened 2 years ago

thaljef commented 2 years ago

At line 122 of get_upstream_copyrights.py, the releasedOn attribute is copied from the BOM component version. It is later used for comparison at lines 127-128 to determine if the other component is newer. However, the releasedOn date for a BOM component version seems to always be the date of the scan that detected the component, rather than the release date of the underlying component version. I don't know if that is the intended behavior of the API, but it sure seems suspicious. Either way, the code written here doesn't work as intended.