siemens / continuous-clearing

The Continuous Clearing Tool scans and collects the 3rd party OSS components used in an NPM/NuGet/Debian/Maven/Python/Conan/Alpine project and uploads them to SW360 and Fossology by accepting the respective project ID for license clearing.
MIT License

SW360.'Source Code Download URL' for Debian packages should be the dsc file #208

Open ericbl opened 1 month ago

ericbl commented 1 month ago

For Debian packages, the tool seems to set the .orig.tar.gz file into the 'Source Code Download URL' field of SW360.

It should be the 'dsc' file.

Let's take an example (Siemens internal): https://sw360.siemens.com/group/guest/components/-/component/release/detailRelease/1fa4ed40b7e94fd2a5ffbd778499ca99#/tab-Summary refers to the libssh2 package. According to the author of that release, your tool was used in their workflow to create or upload the component on sw360. You see the orig.tar.gz set at 'Source Code Download URL'.

The proper source file for that package is the corresponding dsc. Setting the dsc is what Gernot's tool is doing.

Please adapt your tool to set the dsc file and NOT the orig.tar.gz here.

Generally speaking, cross testing should be done between tools to ensure they set the same data. See with Gernot for Debian-specific topics, i.e. for Debian packages.

gernot-h commented 1 month ago

Not sure if it's obvious which "Gernot" is meant, so in case of questions, feel free to contact me here or via Siemens channels. ;-)

sumanthkb44 commented 2 weeks ago

@ericbl Thanks for the issue.

Will check with the Clearing team (@WagnerMarco) and will adopt the changes accordingly.