Closed lucasgonze closed 4 months ago
Hey @lucasgonze, thanks for your feedback. I'm coming back with my pending issues. Sorry for the delay.
I understand the situation but I can't figure out how the SBOM should reflect this. Do you have an SBOM example of this?
I think an annotation field with type OTHER would work.
https://spdx.github.io/spdx-spec/v2.2.2/annotations/#123-annotation-type-field
SCANOSS does a good job of identifying snippets for examination. However, there is no trace of this fact in the final SBOM. This is essential information because it may make the file in which a snippet was included a derivative work. Per Apache 2.0 4b: "You must cause any modified files to carry prominent notices stating that You changed the files".
Ideally the SBOM would identify the original source file and files containing modifications.
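As an added example (not code from this thread or from the SCANOSS project), the following Python script shows what the annotation approach suggested above looks like in practice: a snippet match is recorded as an SPDX 2.2 `Annotation` of type `OTHER` whose `SPDXREF` points at the containing (modified) file and whose comment names the original source file and origin, so both pieces of information from the last comment survive in the final SBOM. The field names follow the SPDX 2.2 Annotation and File sections; the `SnippetMatch` shape, the scanner name, the URLs, the SPDXRef identifiers and the checksum are constructed samples, not SCANOSS's output format. A small reader then pulls the trace back out of the tag-value document and checks that every `SPDXREF` resolves to a real `SPDXID`.

```python
# Added example (not from the issue thread or from the SCANOSS project):
# record a snippet match as an SPDX 2.2 Annotation of type OTHER on the file
# that contains the snippet, then read the trace back out of the tag-value
# document. Field names follow the SPDX 2.2 Annotation and File sections;
# the match data, identifiers and the scanner name are constructed samples.
from dataclasses import dataclass
from datetime import datetime, timezone
import re


@dataclass
class SnippetMatch:
    """Constructed shape for one snippet hit (not SCANOSS's own output format)."""
    file_spdx_id: str   # SPDXID of the SBOM file that contains the snippet
    origin_url: str     # repository the snippet was matched against
    origin_path: str    # path of the original source file in that repository
    lines: tuple        # (first, last) matched line numbers in our file
    license_id: str     # SPDX license identifier declared by the origin


def render_annotation(match, annotator, when):
    """Emit one Annotation block of type OTHER in SPDX 2.2 tag-value syntax."""
    comment = (
        f"Snippet match: lines {match.lines[0]}-{match.lines[1]} match "
        f"{match.origin_path} from {match.origin_url} ({match.license_id}); "
        "the containing file is a modified copy and needs a change notice."
    )
    return "\n".join([
        f"Annotator: Tool: {annotator}",
        f"AnnotationDate: {when.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        "AnnotationType: OTHER",
        f"SPDXREF: {match.file_spdx_id}",
        f"AnnotationComment: <text>{comment}</text>",  # single-line comment only
        "",
    ])


ANNOTATION_TAG = re.compile(
    r"^(Annotator|AnnotationDate|AnnotationType|SPDXREF|AnnotationComment): (.*)$")


def parse_annotations(document):
    """Collect every Annotation block of a tag-value document as a dict."""
    blocks, current = [], None
    for line in document.splitlines():
        if line.startswith("Annotator:"):      # each block starts with Annotator
            current = {}
            blocks.append(current)
        m = ANNOTATION_TAG.match(line) if current is not None else None
        if m:
            key, value = m.groups()
            current[key] = re.sub(r"^<text>(.*)</text>$", r"\1", value)
    return blocks


def snippet_trace_for(document, file_spdx_id):
    """Return the OTHER-type annotation comments attached to one file SPDXID."""
    return [a["AnnotationComment"] for a in parse_annotations(document)
            if a.get("SPDXREF") == file_spdx_id and a.get("AnnotationType") == "OTHER"]


def dangling_annotations(document):
    """Annotations whose SPDXREF names no SPDXID in the document (a common slip)."""
    ids = set(re.findall(r"^SPDXID: (\S+)$", document, re.M))
    return [a for a in parse_annotations(document) if a.get("SPDXREF") not in ids]


def build_document():
    """A minimal SPDX 2.2 document with one file and one snippet annotation."""
    match = SnippetMatch(
        file_spdx_id="SPDXRef-File-strings-c",
        origin_url="https://example.invalid/upstream/libtext",   # constructed
        origin_path="src/strings.c",
        lines=(40, 112),
        license_id="MIT",
    )
    header = "\n".join([
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: example-project",
        "DocumentNamespace: https://example.invalid/spdx/example-project",  # constructed
        "Creator: Tool: example-sbom-tool",
        "Created: 2024-05-02T12:00:00Z",
        "",
        "FileName: ./src/util/strings.c",
        "SPDXID: SPDXRef-File-strings-c",
        "FileChecksum: SHA1: " + "0" * 40,   # constructed placeholder checksum
        "",
    ])
    when = datetime(2024, 5, 2, 12, 0, 0, tzinfo=timezone.utc)
    return header + render_annotation(match, "example-snippet-scanner", when)


if __name__ == "__main__":
    doc = build_document()
    print(doc)
    print("trace:", snippet_trace_for(doc, "SPDXRef-File-strings-c"))
```

The annotation keeps the match inside the SBOM without inventing new SPDX fields: the origin file and URL live in `AnnotationComment`, and the modified file is whichever `SPDXID` the `SPDXREF` names. Consumers that do not understand the comment convention still see a valid `OTHER` annotation, and `dangling_annotations` catches the case where a file is renamed after scanning and the reference stops resolving.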