oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Provide SPDX file as output #1913

Closed silverhook closed 4 years ago

silverhook commented 4 years ago

It would be really useful if ORT provided an SPDX file as output, so one can import it into other tools.

From what I follow of the development of SPDX, it seems like most additional tags that ORT uses are being discussed as being integrated into the new SPDX spec. Also, it seems a JSON or YAML version of the format is being discussed. So neither of those issues should be a blocker any more.

tsteenbe commented 4 years ago

@silverhook We did not have an issue for it, but we have already started the prep work for ORT to produce SPDX output, see for example https://github.com/heremaps/oss-review-toolkit/pull/1903.

sschuberth commented 4 years ago

Actually, our original idea was to not have SPDX output from the reporter at all, but only from the documenter (which does not exist yet). The envisioned difference between reporter and documenter was that the reporter is used to visualize "intermediate" / potentially incomplete results (like analysis results without scan results), and the documenter would be used at the end of the pipeline to create "real BOMs" that also include license conclusions / policy waivers.

However, we've softened that strict (and maybe somewhat artificial) distinction already anyway on user demand by adding CycloneDX BOM output to the reporter, so I agree we should also add SPDX (tag-value and RDF) output, probably via https://github.com/spdx/tools.

tsteenbe commented 4 years ago

Now that SPDX 2.2 has been released work has started on implementing SPDX reporter.

Tasks:

sschuberth commented 4 years ago

The SPDX reporter was implemented as part of https://github.com/oss-review-toolkit/ort/pull/2800 and meanwhile improved with several follow-up PRs, so I believe this is good to be closed.